summaryrefslogtreecommitdiffstats
path: root/net/netfilter
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'master' of ↵David S. Miller2010-03-252-2/+4
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
| * netfilter: xt_hashlimit: IPV6 bugfixEric Dumazet2010-03-251-0/+1
| | | | | | | | | | | | | | | | A missing break statement in hashlimit_ipv6_mask(), and masks between /64 and /95 are not working at all... Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netfilter: xt_hashlimit: dl_seq_stop() fixEric Dumazet2010-03-251-1/+2
| | | | | | | | | | | | | | | | If dl_seq_start() memory allocation fails, we crash later in dl_seq_stop(), trying to kfree(ERR_PTR(-ENOMEM)) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * netfilter: xt_recent: fix regression in rules using a zero hit_countPatrick McHardy2010-03-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 8ccb92ad (netfilter: xt_recent: fix false match) fixed supposedly false matches in rules using a zero hit_count. As it turns out there is nothing false about these matches and people are actually using entries with a hit_count of zero to make rules dependant on addresses inserted manually through /proc. Since this slipped past the eyes of three reviewers, instead of reverting the commit in question, this patch explicitly checks for a hit_count of zero to make the intentions more clear. Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Tested-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: ctnetlink: fix reliable event delivery if message building failsPablo Neira Ayuso2010-03-202-3/+5
|/ | | | | | | | | This patch fixes a bug that allows to lose events when reliable event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR and NETLINK_RECV_NO_ENOBUFS socket options are set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'for-next' into for-linusJiri Kosina2010-03-082-3/+3
|\ | | | | | | | | | | | | | | | | Conflicts: Documentation/filesystems/proc.txt arch/arm/mach-u300/include/mach/debug-macro.S drivers/net/qlge/qlge_ethtool.c drivers/net/qlge/qlge_main.c drivers/net/typhoon.c
| * tree-wide: Assorted spelling fixesDaniel Mack2010-02-092-3/+3
| | | | | | | | | | | | | | | | | | | | | | In particular, several occurances of funny versions of 'success', 'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address', 'beginning', 'desirable', 'separate' and 'necessary' are fixed. Signed-off-by: Daniel Mack <daniel@caiaq.de> Cc: Joe Perches <joe@perches.com> Cc: Junio C Hamano <gitster@pobox.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
* | Merge branch 'master' of ↵David S. Miller2010-02-262-24/+22
|\ \ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
| * | netfilter: nfnetlink_log: fix silly refcount leakAlexey Dobriyan2010-02-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Quick fix for memory/module refcount leak. Reference count of listener instance never reaches 0. Start/stop of ulogd2 is enough to trigger this bug! Now, refcounting there looks very fishy in particular this code: if (!try_module_get(THIS_MODULE)) { ... and creation of listener instance with refcount 2, so it may very well be ripped and redone. :-) Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | IPVS: ip_vs_lblcr: use list headASimon Horman2010-02-261-23/+21
| | | | | | | | | | | | | | | | | | | | | Use list_head rather than a custom list implementation. Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | | Merge branch 'master' of ↵David S. Miller2010-02-242-6/+10
|\| | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
| * | netfilter: xtables: replace XT_MATCH_ITERATE macroJan Engelhardt2010-02-241-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | The macro is replaced by a list.h-like foreach loop. This makes the code more inspectable. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | netfilter: xt_recent: fix false matchTim Gardner2010-02-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | A rule with a zero hit_count will always match. Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | netfilter: xt_recent: fix buffer overflowTim Gardner2010-02-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | e->index overflows e->stamps[] every ip_pkt_list_tot packets. Consider the case when ip_pkt_list_tot==1; the first packet received is stored in e->stamps[0] and e->index is initialized to 1. The next received packet timestamp is then stored at e->stamps[1] in recent_entry_update(), a buffer overflow because the maximum e->stamps[] index is 0. Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>
* | | Merge branch 'master' of ↵David S. Miller2010-02-192-12/+12
|\| | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
| * | netfilter: nf_queue: fix NF_STOLEN skb leakEric Dumazet2010-02-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 3bc38712e3a6e059 (handle NF_STOP and unknown verdicts in nf_reinject) was a partial fix to packet leaks. If user asks NF_STOLEN status, we must free the skb as well. Reported-by: Afi Gjermund <afigjermund@gmail.com> Signed-off-by: Eric DUmazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | netfilter: ctnetlink: fix creation of conntrack with helpersPablo Neira Ayuso2010-02-191-11/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a bug that triggers an assertion if you create a conntrack entry with a helper and netfilter debugging is enabled. Basically, we hit the assertion because the confirmation flag is set before the conntrack extensions are added. To fix this, we move the extension addition before the aforementioned flag is set. This patch also removes the possibility of setting a helper for existing conntracks. This operation would also trigger the assertion since we are not allowed to add new extensions for existing conntracks. We know noone that could benefit from this operation sanely. Thanks to Eric Dumazet for initial posting a preliminary patch to address this issue. Reported-by: David Ramblewski <David.Ramblewski@atosorigin.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | | ipv6: drop unused "dev" arg of icmpv6_send()Alexey Dobriyan2010-02-182-8/+7
|/ / | | | | | | | | | | | | Dunno, what was the idea, it wasn't used for a long time. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipvs: SCTP Trasport Loadbalancing SupportVenkata Mohan Reddy2010-02-187-11/+1264
| | | | | | | | | | | | | | | | | | | | | | Enhance IPVS to load balance SCTP transport protocol packets. This is done based on the SCTP rfc 4960. All possible control chunks have been taken care. The state machine used in this code looks some what lengthy. I tried to make the state machine easy to understand. Signed-off-by: Venkata Mohan Reddy Koppula <mohanreddykv@gmail.com> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | xt_hashlimit: fix lockingEric Dumazet2010-02-171-4/+0
| | | | | | | | | | | | | | | | | | | | Commit 2eff25c18c3d332d3c4dd98f2ac9b7114e9771b0 (netfilter: xt_hashlimit: fix race condition and simplify locking) added a mutex deadlock : htable_create() is called with hashlimit_mutex already locked Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netfilter: CONFIG_COMPAT: allow delta to exceed 32767Florian Westphal2010-02-151-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | with 32 bit userland and 64 bit kernels, it is unlikely but possible that insertion of new rules fails even tough there are only about 2000 iptables rules. This happens because the compat delta is using a short int. Easily reproducible via "iptables -m limit" ; after about 2050 rules inserting new ones fails with -ELOOP. Note that compat_delta included 2 bytes of padding on x86_64, so structure size remains the same. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: ctnetlink: add zone supportPatrick McHardy2010-02-151-19/+73
| | | | | | | | | | | | Parse and dump the conntrack zone in ctnetlink. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack: add support for "conntrack zones"Patrick McHardy2010-02-1510-54/+147
| | | | | | | | | | | | | | | | | | | | | | | | | | Normally, each connection needs a unique identity. Conntrack zones allow to specify a numerical zone using the CT target, connections in different zones can use the same identity. Example: iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1 iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1 Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack: pass template to l4proto ->error() handlerPatrick McHardy2010-02-155-7/+9
| | | | | | | | | | | | | | The error handlers might need the template to get the conntrack zone introduced in the next patches to perform a conntrack lookup. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: xtables: constify args in compat copying functionsJan Engelhardt2010-02-153-8/+8
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | netfilter: xtables: print details on size mismatchJan Engelhardt2010-02-151-2/+6
| | | | | | | | | | | | | | Print which revision has been used and which size are which (kernel/user) for easier debugging. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | netfilter: xt_recent: inform user when hitcount is too largeJan Engelhardt2010-02-151-2/+6
| | | | | | | | | | | | | | | | | | It is one of these things that iptables cannot catch and which can cause "Invalid argument" to be printed. Without a hint in dmesg, it is not going to be helpful. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: don't use INIT_RCU_HEAD()Alexey Dobriyan2010-02-123-3/+0
| | | | | | | | | | | | | | | | call_rcu() will unconditionally reinitialize RCU head anyway. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack_sip: add T.38 FAX supportPatrick McHardy2010-02-111-5/+23
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_nat_sip: add TCP supportPatrick McHardy2010-02-111-0/+10
| | | | | | | | | | | | Add support for mangling TCP SIP packets. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack_sip: add TCP supportPatrick McHardy2010-02-111-29/+176
| | | | | | | | | | | | | | | | | | | | Add TCP support, which is mandated by RFC3261 for all SIP elements. SIP over TCP is similar to UDP, except that messages are delimited by Content-Length: headers and multiple messages may appear in one packet. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack_sip: pass data offset to NAT functionsPatrick McHardy2010-02-111-38/+44
| | | | | | | | | | | | | | | | | | | | When using TCP multiple SIP messages might be present in a single packet. A following patch will parse them by setting the dptr to the beginning of each message. The NAT helper needs to reload the dptr value after mangling the packet however, so it needs to know the offset of the message to the beginning of the packet. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack_sip: fix ct_sip_parse_request() REGISTER request parsingPatrick McHardy2010-02-111-3/+4
| | | | | | | | | | | | | | | | | | | | When requests are parsed, the "sip:" part of the SIP URI should be skipped. Usually this doesn't matter because address parsing skips forward until after the username part, but in case REGISTER requests it doesn't contain a username and the address can not be parsed. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: nf_conntrack: show helper and class in /proc/net/nf_conntrack_expectPatrick McHardy2010-02-112-0/+12
| | | | | | | | | | | | | | Make the output a bit more informative by showing the helper an expectation belongs to and the expectation class. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | netfilter: ctnetlink: dump expectation helper namePatrick McHardy2010-02-111-0/+4
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | Merge branch 'master' of git://dev.medozas.de/linuxPatrick McHardy2010-02-102-1/+92
|\ \
| * | netfilter: xtables: generate initial table on-demandJan Engelhardt2010-02-102-1/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The static initial tables are pretty large, and after the net namespace has been instantiated, they just hang around for nothing. This commit removes them and creates tables on-demand at runtime when needed. Size shrinks by 7735 bytes (x86_64). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * | netfilter: xtables: use xt_table for hook instantiationJan Engelhardt2010-02-101-0/+54
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The respective xt_table structures already have most of the metadata needed for hook setup. Add a 'priority' field to struct xt_table so that xt_hook_link() can be called with a reduced number of arguments. So should we be having more tables in the future, it comes at no static cost (only runtime, as before) - space saved: 6807373->6806555. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | netfilter: ctnetlink: add missing netlink attribute policiesPatrick McHardy2010-02-101-5/+36
| | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | | netfilter: xtables: symmetric COMPAT_XT_ALIGN definitionAlexey Dobriyan2010-02-101-2/+2
|/ / | | | | | | | | | | | | | | | | Rewrite COMPAT_XT_ALIGN in terms of dummy structure hack. Compat counters logically have nothing to do with it. Use ALIGN() macro while I'm at it for same types. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | Merge branch 'master' of /repos/git/net-next-2.6Patrick McHardy2010-02-1010-87/+99
|\ \ | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | netfilter: nf_conntrack: fix hash resizing with namespacesPatrick McHardy2010-02-085-31/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As noticed by Jon Masters <jonathan@jonmasters.org>, the conntrack hash size is global and not per namespace, but modifiable at runtime through /sys/module/nf_conntrack/hashsize. Changing the hash size will only resize the hash in the current namespace however, so other namespaces will use an invalid hash size. This can cause crashes when enlarging the hashsize, or false negative lookups when shrinking it. Move the hash size into the per-namespace data and only use the global hash size to initialize the per-namespace value when instanciating a new namespace. Additionally restrict hash resizing to init_net for now as other namespaces are not handled currently. Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | netfilter: nf_conntrack: restrict runtime expect hashsize modificationsAlexey Dobriyan2010-02-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Expectation hashtable size was simply glued to a variable with no code to rehash expectations, so it was a bug to allow writing to it. Make "expect_hashsize" readonly. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | netfilter: nf_conntrack: per netns nf_conntrack_cachepEric Dumazet2010-02-081-16/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nf_conntrack_cachep is currently shared by all netns instances, but because of SLAB_DESTROY_BY_RCU special semantics, this is wrong. If we use a shared slab cache, one object can instantly flight between one hash table (netns ONE) to another one (netns TWO), and concurrent reader (doing a lookup in netns ONE, 'finding' an object of netns TWO) can be fooled without notice, because no RCU grace period has to be observed between object freeing and its reuse. We dont have this problem with UDP/TCP slab caches because TCP/UDP hashtables are global to the machine (and each object has a pointer to its netns). If we use per netns conntrack hash tables, we also *must* use per netns conntrack slab caches, to guarantee an object can not escape from one namespace to another one. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> [Patrick: added unique slab name allocation] Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | netfilter: nf_conntrack: fix memory corruption with multiple namespacesPatrick McHardy2010-02-081-12/+12
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As discovered by Jon Masters <jonathan@jonmasters.org>, the "untracked" conntrack, which is located in the data section, might be accidentally freed when a new namespace is instantiated while the untracked conntrack is attached to a skb because the reference count it re-initialized. The best fix would be to use a seperate untracked conntrack per namespace since it includes a namespace pointer. Unfortunately this is not possible without larger changes since the namespace is not easily available everywhere we need it. For now move the untracked conntrack initialization to the init_net setup function to make sure the reference count is not re-initialized and handle cleanup in the init_net cleanup function to make sure namespaces can exit properly while the untracked conntrack is in use in other namespaces. Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'master' of ↵David S. Miller2010-02-022-2/+3
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
| | * netfilter: ctnetlink: fix expectation mask dumpPatrick McHardy2010-01-261-1/+2
| | | | | | | | | | | | | | | | | | | | | The protocol number is not initialized, so userspace can't interpret the layer 4 data properly. Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * netfilter: nf_conntrack_sip: fix off-by-one in compact header parsingPatrick McHardy2010-01-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | In a string like "v:SIP/2.0..." it was checking for !isalpha('S') when it meant to be inspecting the ':'. Patch by Greg Alexander <greqcs@galexander.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2010-01-124-25/+25
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (56 commits) sky2: Fix oops in sky2_xmit_frame() after TX timeout Documentation/3c509: document ethtool support af_packet: Don't use skb after dev_queue_xmit() vxge: use pci_dma_mapping_error to test return value netfilter: ebtables: enforce CAP_NET_ADMIN e1000e: fix and commonize code for setting the receive address registers e1000e: e1000e_enable_tx_pkt_filtering() returns wrong value e1000e: perform 10/100 adaptive IFS only on parts that support it e1000e: don't accumulate PHY statistics on PHY read failure e1000e: call pci_save_state() after pci_restore_state() netxen: update version to 4.0.72 netxen: fix set mac addr netxen: fix smatch warning netxen: fix tx ring memory leak tcp: update the netstamp_needed counter when cloning sockets TI DaVinci EMAC: Handle emac module clock correctly. dmfe/tulip: Let dmfe handle DM910x except for SPARC on-board chips ixgbe: Fix compiler warning about variable being used uninitialized netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() mv643xx_eth: don't include cache padding in rx desc buffer size ... Fix trivial conflict in drivers/scsi/cxgb3i/cxgb3i_offload.c
| | * netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()Patrick McHardy2010-01-071-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As noticed by Dan Carpenter <error27@gmail.com>, update_nl_seq() currently contains an out of bounds read of the seq_aft_nl array when looking for the oldest sequence number position. Fix it to only compare valid positions. Cc: stable@kernel.org Signed-off-by: Patrick McHardy <kaber@trash.net>