Eric Lee / smarc-fsl-linux-kernel

09 Nov, 2016

1 commit

fb9c9649a netfilter: connmark: ignore skbs with magic untracked conntrack objects ... Browse Code »

The (percpu) untracked conntrack entries can end up with nonzero connmarks.

The 'untracked' conntrack objects are merely a way to distinguish INVALID
(i.e. protocol connection tracker says payload doesn't meet some
requirements or packet was never seen by the connection tracking code)
from packets that are intentionally not tracked (some icmpv6 types such as
neigh solicitation, or by using 'iptables -j CT --notrack' option).

Untracked conntrack objects are implementation detail, we might as well use
invalid magic address instead to tell INVALID and UNTRACKED apart.

Check skb->nfct for untracked dummy and behave as if skb->nfct is NULL.

Reported-by: XU Tianwen
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso

Florian Westphal
2016-11-09 06:53:36 +0800

07 Dec, 2013

1 commit

e664eabd1 netfilter: Fix FSF address in file headers ... Browse Code »

Several files refer to an old address for the Free Software Foundation
in the file header comment. Resolve by replacing the address with
the URL so that we do not have to keep
updating the header comments anytime the address changes.

CC: netfilter@vger.kernel.org
CC: Pablo Neira Ayuso
CC: Patrick McHardy
CC: Jozsef Kadlecsik
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller

Jeff Kirsher
2013-12-07 01:37:57 +0800

12 May, 2010

2 commits

62fc80510 netfilter: xtables: deconstify struct xt_action_param for matches ... Browse Code »

In future, layer-3 matches will be an xt module of their own, and
need to set the fragoff and thoff fields. Adding more pointers would
needlessy increase memory requirements (esp. so for 64-bit, where
pointers are wider).

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-05-12 00:33:37 +0800
4b560b447 netfilter: xtables: substitute temporary defines by final name ... Browse Code »

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-05-12 00:31:17 +0800

25 Mar, 2010

5 commits

f95c74e33 netfilter: xtables: shorten up return clause ... Browse Code »

The return value of nf_ct_l3proto_get can directly be returned even in
the case of success.

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-25 23:56:09 +0800
4a5a5c73b netfilter: xtables: slightly better error reporting ... Browse Code »

When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-25 23:56:09 +0800
bd414ee60 netfilter: xtables: change matches to return error code ... Browse Code »

The following semantic patch does part of the transformation:
//
@ rule1 @
struct xt_match ops;
identifier check;
@@
ops.checkentry = check;

@@
identifier rule1.check;
@@
check(...) { }

@@
identifier rule1.check;
@@
check(...) { }
//

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-25 23:55:24 +0800
135367b8f netfilter: xtables: change xt_target.checkentry return type ... Browse Code »

Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.

//
@@
type bool;
identifier check, par;
@@
-bool check
+int check
(struct xt_tgchk_param *par) { ... }
//

Minus the change it does to xt_ct_find_proto.

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-25 23:04:33 +0800
b0f38452f netfilter: xtables: change xt_match.checkentry return type ... Browse Code »

Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.

This semantic patch may not be too precise (checking for functions
that use xt_mtchk_param rather than functions referenced by
xt_match.checkentry), but reviewed, it produced the intended result.

//
@@
type bool;
identifier check, par;
@@
-bool check
+int check
(struct xt_mtchk_param *par) { ... }
//

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-25 23:03:13 +0800

18 Mar, 2010

1 commit

8bee4bad0 netfilter: xt extensions: use pr_<level> ... Browse Code »

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-18 21:20:07 +0800

17 Mar, 2010

2 commits

408ffaa4a netfilter: update my email address ... Browse Code »

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-17 22:53:10 +0800
b8f00ba27 netfilter: xtables: merge xt_CONNMARK into xt_connmark ... Browse Code »

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2010-03-17 22:48:36 +0800

10 Aug, 2009

1 commit

84899a2b9 netfilter: xtables: remove xt_connmark v0 ... Browse Code »

Superseded by xt_connmark v1 (v2.6.24-2919-g96e3227).

Signed-off-by: Jan Engelhardt

Jan Engelhardt
2009-08-10 18:25:12 +0800

08 Oct, 2008

5 commits

92f3b2b1b netfilter: xtables: cut down on static data for family-independent extensions ... Browse Code »

Using ->family in struct xt_*_param, multiple struct xt_{match,target}
can be squashed together.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy

Jan Engelhardt
2008-10-08 17:35:20 +0800
6be3d8598 netfilter: xtables: move extension arguments into compound structure (3/6) ... Browse Code »

This patch does this for match extensions' destroy functions.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy

Jan Engelhardt
2008-10-08 17:35:19 +0800
9b4fce7a3 netfilter: xtables: move extension arguments into compound structure (2/6) ... Browse Code »

This patch does this for match extensions' checkentry functions.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy

Jan Engelhardt
2008-10-08 17:35:18 +0800
f7108a20d netfilter: xtables: move extension arguments into compound structure (1/6) ... Browse Code »

The function signatures for Xtables extensions have grown over time.
It involves a lot of typing/replication, and also a bit of stack space
even if they are not used. Realize an NFWS2008 idea and pack them into
structs. The skb remains outside of the struct so gcc can continue to
apply its optimizations.

This patch does this for match extensions' match functions.

A few ambiguities have also been addressed. The "offset" parameter for
example has been renamed to "fragoff" (there are so many different
offsets already) and "protoff" to "thoff" (there is more than just one
protocol here, so clarify).

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy

Jan Engelhardt
2008-10-08 17:35:18 +0800
ee999d8b9 netfilter: x_tables: use NFPROTO_* in extensions ... Browse Code »

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy

Jan Engelhardt
2008-10-08 17:35:01 +0800

29 Jan, 2008

5 commits

2ae15b64e [NETFILTER]: Update modules' descriptions ... Browse Code »

Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2008-01-29 07:02:26 +0800
96e322726 [NETFILTER]: xt_connmark match, revision 1 ... Browse Code »

Introduces the xt_connmark match revision 1. It uses fixed types,
eventually obsoleting revision 0 some day (uses nonfixed types).
(Unfixed types like "unsigned long" do not play well with mixed
user-/kernelspace "bitness", e.g. 32/64, as is common on SPARC64,
and need extra compat code.)

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2008-01-29 07:02:21 +0800
df54aae02 [NETFILTER]: x_tables: use %u format specifiers ... Browse Code »

Use %u format specifiers as ->family is unsigned.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2008-01-29 06:59:07 +0800
34f4c4295 [NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets ... Browse Code »

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2008-01-29 06:58:37 +0800
d3c5ee6d5 [NETFILTER]: x_tables: consistent and unique symbol names ... Browse Code »

Give all Netfilter modules consistent and unique symbol names.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2008-01-29 06:55:53 +0800

20 Oct, 2007

1 commit

3a4fa0a25 Fix misspellings of "system", "controller", "interrupt" and "necessary". ... Browse Code »

Fix the various misspellings of "system", controller", "interrupt" and
"[un]necessary".

Signed-off-by: Robert P. J. Day
Signed-off-by: Adrian Bunk

Robert P. J. Day
2007-10-20 05:10:43 +0800

12 Oct, 2007

1 commit

73aaf9355 [NETFILTER]: x_tables: add missing ip6t_modulename aliases ... Browse Code »

The patch will add MODULE_ALIAS("ip6t_") where missing,
otherwise you will get

ip6tables: No chain/target/match by that name

when xt_ is not already loaded.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2007-10-12 05:36:40 +0800

11 Jul, 2007

6 commits

9f15c5302 [NETFILTER]: x_tables: mark matches and targets __read_mostly ... Browse Code »

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2007-07-11 13:17:15 +0800
7c4e36bc1 [NETFILTER]: Remove redundant parentheses/braces ... Browse Code »

Removes redundant parentheses and braces (And add one pair in a
xt_tcpudp.c macro).

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2007-07-11 13:17:11 +0800
a47362a22 [NETFILTER]: add some consts, remove some casts ... Browse Code »

Make a number of variables const and/or remove unneeded casts.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2007-07-11 13:17:01 +0800
ccb79bdce [NETFILTER]: x_tables: switch xt_match->checkentry to bool ... Browse Code »

Switch the return type of match functions to boolean

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2007-07-11 13:16:58 +0800
1d93a9cba [NETFILTER]: x_tables: switch xt_match->match to bool ... Browse Code »

Switch the return type of match functions to boolean

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2007-07-11 13:16:57 +0800
cff533ac1 [NETFILTER]: x_tables: switch hotdrop to bool ... Browse Code »

Switch the "hotdrop" variables to boolean

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Jan Engelhardt
2007-07-11 13:16:56 +0800

26 Apr, 2007

1 commit

587aa6416 [NETFILTER]: Remove IPv4 only connection tracking/NAT ... Browse Code »

Remove the obsolete IPv4 only connection tracking/NAT as scheduled in
feature-removal-schedule.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2007-04-26 13:25:34 +0800

14 Dec, 2006

1 commit

fe0b9294c [NETFILTER]: x_tables: error if ip_conntrack is asked to handle IPv6 packets ... Browse Code »

To do that, this makes nf_ct_l3proto_try_module_{get,put} compatible
functions. As a result we can remove '#ifdef' surrounds and direct call of
need_conntrack().

Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Yasuyuki Kozakai
2006-12-14 08:48:20 +0800

16 Oct, 2006

1 commit

f64ad5bb0 [NETFILTER]: fix cut-and-paste error in exit functions ... Browse Code »

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2006-10-16 14:14:06 +0800

23 Sep, 2006

3 commits

f1eda0538 [NETFILTER]: xt_connmark: add compat conversion functions ... Browse Code »

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2006-09-23 06:20:04 +0800
efa741656 [NETFILTER]: x_tables: remove unused size argument to check/destroy functions ... Browse Code »

The size is verified by x_tables and isn't needed by the modules anymore.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2006-09-23 05:55:34 +0800
4470bbc74 [NETFILTER]: x_tables: make use of mass registation helpers ... Browse Code »

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2006-09-23 05:55:32 +0800

18 Jun, 2006

1 commit

3e72b2fe5 [NETFILTER]: x_tables: remove some unnecessary casts ... Browse Code »

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Patrick McHardy
2006-06-18 12:28:45 +0800

29 Mar, 2006

1 commit

65b4b4e81 [NETFILTER]: Rename init functions. ... Browse Code »

Every netfilter module uses `init' for its module_init() function and
`fini' or `cleanup' for its module_exit() function.

Problem is, this creates uninformative initcall_debug output and makes
ctags rather useless.

So go through and rename them all to $(filename)_init and
$(filename)_fini.

Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller

Andrew Morton
2006-03-29 09:02:48 +0800

23 Mar, 2006

1 commit

b9f78f9fc [NETFILTER]: nf_conntrack: support for layer 3 protocol load on demand ... Browse Code »

x_tables matches and targets that require nf_conntrack_ipv[4|6] to work
don't have enough information to load on demand these modules. This
patch introduces the following changes to solve this issue:

o nf_ct_l3proto_try_module_get: try to load the layer 3 connection
tracker module and increases the refcount.
o nf_ct_l3proto_module put: drop the refcount of the module.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller

Pablo Neira Ayuso
2006-03-23 05:56:08 +0800