25 Jun, 2019
1 commit
-
Resolve conflict between d2912cb15bdd ("treewide: Replace GPLv2
boilerplate/reference with SPDX - rule 500") removing the GPL disclaimer
and fe03d4745675 ("Update my email address") which updates Jozsef
Kadlecsik's email.Signed-off-by: Pablo Neira Ayuso
22 Jun, 2019
1 commit
-
Minor SPDX change conflict.
Signed-off-by: David S. Miller
19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
17 Jun, 2019
1 commit
-
Reject flags that are not supported with EINVAL.
Signed-off-by: Pablo Neira Ayuso
01 Jun, 2019
1 commit
-
The XT_OWNER_SUPPL_GROUPS flag causes GIDs specified with XT_OWNER_GID
to be also checked in the supplementary groups of a process.f_cred->group_info cannot be modified during its lifetime and f_cred
holds a reference to it so it's safe to use.Signed-off-by: Lukasz Pawelczyk
Signed-off-by: Pablo Neira Ayuso
28 Jun, 2018
1 commit
-
Netfilter assumes that if the socket is present in the skb, then
it can be used because that reference is cleaned up while the skb
is crossing netns.We want to change that to preserve the socket reference in a future
patch, so this is a preparation updating netfilter to check if the
socket netns matches before use it.Signed-off-by: Flavio Leitner
Acked-by: Florian Westphal
Signed-off-by: David S. Miller
02 Mar, 2017
1 commit
-
Add #include dependencies to all .c files rely on sched.h
doing that for them.Note that even if the count where we need to add extra headers seems high,
it's still a net win, because is included in over
2,200 files ...Acked-by: Linus Torvalds
Cc: Mike Galbraith
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar
03 Nov, 2016
1 commit
-
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.Signed-off-by: Pablo Neira Ayuso
23 Jun, 2016
1 commit
-
Making this work is a little tricky as it really isn't kosher to
change the xt_owner_match_info in a check function.Without changing xt_owner_match_info we need to know the user
namespace the uids and gids are specified in. In the common case
net->user_ns == current_user_ns(). Verify net->user_ns ==
current_user_ns() in owner_check so we can later assume it in
owner_mt.In owner_check also verify that all of the uids and gids specified are
in net->user_ns and that the expected min/max relationship exists
between the uids and gids in xt_owner_match_info.In owner_mt get the network namespace from the outgoing socket, as this
must be the same network namespace as the netfilter rules, and use that
network namespace to find the user namespace the uids and gids in
xt_match_owner_info are encoded in. Then convert from their encoded
from into the kernel internal format for uids and gids and perform the
owner match.Similar to ping_group_range, this code does not try to detect
noncontiguous UID/GID ranges.Signed-off-by: "Eric W. Biederman"
Signed-off-by: Kevin Cernekee
Signed-off-by: Pablo Neira Ayuso
09 Nov, 2015
1 commit
-
SYNACK packets might be attached to a request socket,
xt_owner wants to gte the listener in this case.Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
15 Aug, 2012
1 commit
-
- Only allow adding matches from the initial user namespace
- Add the appropriate conversion functions to handle matches
against sockets in other user namespaces.Cc: Jan Engelhardt
Cc: Patrick McHardy
Cc: Pablo Neira Ayuso
Acked-by: David S. Miller
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
12 May, 2010
2 commits
-
In future, layer-3 matches will be an xt module of their own, and
need to set the fragoff and thoff fields. Adding more pointers would
needlessy increase memory requirements (esp. so for 64-bit, where
pointers are wider).Signed-off-by: Jan Engelhardt
-
Signed-off-by: Jan Engelhardt
10 Aug, 2009
1 commit
-
Superseded by xt_owner v1 (v2.6.24-2388-g0265ab4).
Signed-off-by: Jan Engelhardt
14 Nov, 2008
1 commit
-
Attach creds to file structs and discard f_uid/f_gid.
file_operations::open() methods (such as hppfs_open()) should use file->f_cred
rather than current_cred(). At the moment file->f_cred will be current_cred()
at this point.Signed-off-by: David Howells
Reviewed-by: James Morris
Signed-off-by: James Morris
08 Oct, 2008
4 commits
-
Lots of extensions are completely family-independent, so squash some code.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
This patch does this for match extensions' checkentry functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
The function signatures for Xtables extensions have grown over time.
It involves a lot of typing/replication, and also a bit of stack space
even if they are not used. Realize an NFWS2008 idea and pack them into
structs. The skb remains outside of the struct so gcc can continue to
apply its optimizations.This patch does this for match extensions' match functions.
A few ambiguities have also been addressed. The "offset" parameter for
example has been renamed to "fragoff" (there are so many different
offsets already) and "protoff" to "thoff" (there is more than just one
protocol here, so clarify).Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
01 Feb, 2008
1 commit
-
Add support for ranges to the new revision. This doesn't affect
compatibility since the new revision was not released yet.Signed-off-by: Jan Engelhardt
Signed-off-by: David S. Miller
29 Jan, 2008
2 commits
-
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
xt_owner merges ipt_owner and ip6t_owner, and adds a flag to match
on socket (non-)existence.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller