14 Aug, 2006
1 commit
-
Neither of {arp,ip,ip6}_tables cleans up behind itself when something goes
wrong during initialization.
Noticed by Rennie deGraaf
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
04 Jul, 2006
1 commit
-
Add and use poison defines in net/.
Signed-off-by: Randy Dunlap
Signed-off-by: David S. Miller
01 Jul, 2006
1 commit
-
Signed-off-by: Jörn Engel
Signed-off-by: Adrian Bunk
30 Jun, 2006
2 commits
-
This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
the security framework by extending security_netlink_recv to include a required
capability parameter and converting all direct usage of eff_caps outside
of the lsm modules to use the interface. It also updates the SELinux
implementation of the security_netlink_send and security_netlink_recv
hooks to take advantage of the sid in the netlink_skb_params struct.
This also enables SELinux to perform auditing of netlink capability checks.
Please apply, for 2.6.18 if possible.
Signed-off-by: Darrel Goeddel
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: David S. Miller
-
When xt_register_table fails the error is not properly propagated back.
Based on patch by Lepton Wu.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
18 Jun, 2006
3 commits
-
I found a few more spots where pskb_trim_rcsum could be used but were not.
This patch changes them to use it.
Also, sk_filter can get paged skb data. Therefore we must use pskb_trim
instead of skb_trim.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
None of the existing helpers expect to get called for related ICMP
packets and some even drop them if they can't parse them.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
19 May, 2006
2 commits
-
Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.
Signed-off-by: Solar Designer
Signed-off-by: Kirill Korotaev
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The prefix argument for nf_log_packet is a format specifier,
so don't pass the user-defined string directly to it.
Signed-off-by: Philip Craig
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
17 May, 2006
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
25 Apr, 2006
1 commit
-
The introduction of x_tables broke comefrom debugging, remove it from
ip6_tables as well (ip_tables already got removed).
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Apr, 2006
1 commit
-
for_each_cpu() actually iterates across all possible CPUs. We've had mistakes
in the past where people were using for_each_cpu() where they should have been
iterating across only online or present CPUs. This is inefficient and
possibly buggy.
We're renaming for_each_cpu() to for_each_possible_cpu() to avoid this in the
future.
This patch replaces for_each_cpu with for_each_possible_cpu under /net
Signed-off-by: KAMEZAWA Hiroyuki
Acked-by: "David S. Miller"
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
10 Apr, 2006
3 commits
-
Besides removing lots of duplicate code, all converted users benefit
from improved HW checksum error handling. Tested with and without HW
checksums in almost all combinations.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Fix section mismatch warnings caused by netfilter's init_or_cleanup
functions used in many places by splitting the init from the cleanup
parts.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Clean up hook registration by making use of the new mass registration and
unregistration helpers.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Apr, 2006
2 commits
-
This unifies ipt_multiport and ip6t_multiport to xt_multiport.
As a result, this adds support for inversion and port range match
to IPv6 packets.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This unifies ipt_esp and ip6t_esp to xt_esp. Please note that now
a user program needs to specify IPPROTO_ESP as protocol to use esp match
with IPv6. This means that ip6tables requires '-p esp' like iptables.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Mar, 2006
1 commit
-
Every netfilter module uses `init' for its module_init() function and
`fini' or `cleanup' for its module_exit() function.
Problem is, this creates uninformative initcall_debug output and makes
ctags rather useless.
So go through and rename them all to $(filename)_init and
$(filename)_fini.
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
23 Mar, 2006
2 commits
-
x_tables matches and targets that require nf_conntrack_ipv[4|6] to work
don't have enough information to load on demand these modules. This
patch introduces the following changes to solve this issue:
o nf_ct_l3proto_try_module_get: try to load the layer 3 connection
tracker module and increase the refcount.
o nf_ct_l3proto_module_put: drop the refcount of the module.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Set the family field in xt_[matches|targets] registered.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
21 Mar, 2006
10 commits
-
Semaphore to mutex conversion.
The conversion was generated via scripts, and the result was validated
automatically via a script as well.
Signed-off-by: Ingo Molnar
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
-
Semaphore to mutex conversion.
The conversion was generated via scripts, and the result was validated
automatically via a script as well.
Signed-off-by: Arjan van de Ven
Signed-off-by: Ingo Molnar
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Replace netfilter's ip6_masked_addrcmp by a more efficient version
in include/net/ipv6.h to make it usable without module dependencies.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This allows decisions to be made based on the revision (and address family
with a follow-up patch) at runtime.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This patch moves all helper related data fields of 'struct nf_conn'
into a separate structure 'struct nf_conn_help'. This new structure
is only present in conntrack entries for which we actually have a
helper loaded.
Also, this patch cleans up the nf_conntrack 'features' mechanism to
resemble what the original idea was: Just glue the feature-specific
data structures at the end of 'struct nf_conn', and explicitly
re-calculate the pointer to it when needed rather than keeping
pointers around.
Saves 20 bytes per conntrack on my x86_64 box. A non-helped conntrack
is 276 bytes. We still need to save another 20 bytes in order to fit
into the target of 256 bytes.
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
08 Mar, 2006
1 commit
-
The size of the skb carrying the netlink message is not
equivalent to the length of the actual netlink message
due to padding. ip_queue matches the length of the payload
against the original packet size to determine if packet
mangling is desired, due to the above wrong assumption
arbitrary packets may not be mangled depending on their
original size.
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
28 Feb, 2006
1 commit
-
The nfnetlink_log infrastructure changes broke compatibility of the LOG
targets. They currently use whatever log backend was registered first,
which means that if ipt_ULOG was loaded first, no messages will be printed
to the ring buffer anymore.
Restore compatibility by using the old log functions by default and only use
the nf_log backend if the user explicitly said so.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Feb, 2006
1 commit
-
TCP RSTs generated by the REJECT target should be associated with the
conntrack of the original TCP packet. Since the conntrack entry is
usually not in the hash tables, it must be manually attached.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
05 Feb, 2006
4 commits
-
The IPv4 and IPv6 version of the policy match are identical besides address
comparison and the data structure used for userspace communication. Unify
the data structures to break compatiblity now (before it is released), so
we can port it to x_tables in 2.6.17.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Fix two bugs in ip6t_policy address matching:
- misordered arguments to ip6_masked_addrcmp, mask must be the second argument
- inversion incorrectly applied to the entire expression instead of just
the address comparison
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user(). In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above. Either is
sufficient to overwrite arbitrary amounts of kernel memory.
I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...
Found by Solar Designer during security audit of OpenVZ.org
Signed-off-by: Kirill Korotaev
Signed-off-by: Solar Designer
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
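The size arithmetic the commit above describes, as an added example that is not kernel code and not part of any of these commits: SMP_CACHE_BYTES, NR_CPUS and the table header size are constructed stand-ins, and checked_alloc_size() is an illustrative overflow check written for this example, not the check the commit merged.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel macros; real values depend on
 * the platform and kernel config. */
#define SMP_CACHE_BYTES 64u
#define NR_CPUS         4u
#define SMP_ALIGN(x)    (((x) + SMP_CACHE_BYTES - 1) & ~(SMP_CACHE_BYTES - 1))
#define TABLE_HEADER    128u   /* stands in for sizeof(struct ipt_table_info) */

/* The arithmetic as the commit describes it: 'user_size' comes straight
 * from userspace; the addition inside SMP_ALIGN() and the multiplication
 * by NR_CPUS are done in 32 bits and wrap silently, so a huge size can
 * yield a tiny allocation while the later copy still uses 'user_size'. */
uint32_t unchecked_alloc_size(uint32_t user_size)
{
    return TABLE_HEADER + SMP_ALIGN(user_size) * NR_CPUS;
}

/* Defensive version (example check, not the kernel's): verify each step
 * before doing it. Returns the total, or a negative errno on wrap. */
int64_t checked_alloc_size(uint32_t user_size)
{
    uint32_t aligned, per_cpu_total;

    if (user_size > UINT32_MAX - (SMP_CACHE_BYTES - 1))   /* SMP_ALIGN adds */
        return -EINVAL;
    aligned = SMP_ALIGN(user_size);

    if (aligned > UINT32_MAX / NR_CPUS)                    /* per-CPU copies */
        return -ENOMEM;
    per_cpu_total = aligned * NR_CPUS;

    if (per_cpu_total > UINT32_MAX - TABLE_HEADER)         /* header on top */
        return -ENOMEM;
    return (int64_t)(TABLE_HEADER + per_cpu_total);
}

int main(void)
{
    /* constructed inputs: a sane size, one that wraps in the addition,
     * one that wraps in the multiplication */
    uint32_t inputs[] = { 1000u, 0xFFFFFFF0u, 0x40000000u };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("size %#x: unchecked=%u checked=%lld\n", (unsigned)inputs[i],
               (unsigned)unchecked_alloc_size(inputs[i]),
               (long long)checked_alloc_size(inputs[i]));
    return 0;
}
```

For the two wrapping inputs the unchecked computation returns just the 128-byte header, which is exactly the undersized allocation the commit warns about.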
17 Jan, 2006
2 commits
-
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
-
These are replaced with x_tables matches and no longer exist.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller