提交 · 6709dbbb1978abe039ea4b76c364bf003bf40de5 · gsplhtlxg / clone-Linux

09 2月, 2007 1 次提交

[NETFILTER]: {ip,ip6}_tables: remove x_tables wrapper functions · 6709dbbb

由 Jan Engelhardt 提交于 2月 07, 2007

Use the x_tables functions directly to make it better visible which
parts are shared between ip_tables and ip6_tables.
Signed-off-by: NJan Engelhardt <jengelh@gmx.de>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

6709dbbb

25 10月, 2006 1 次提交

[NETFILTER]: Fix ip6_tables extension header bypass bug · 6d381634

由 Patrick McHardy 提交于 10月 24, 2006

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header matches.

When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.

With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

6d381634

23 9月, 2006 1 次提交

[NETFILTER]: x_tables: remove unused size argument to check/destroy functions · efa74165

由 Patrick McHardy 提交于 8月 22, 2006

The size is verified by x_tables and isn't needed by the modules anymore.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

efa74165

29 3月, 2006 1 次提交

[NETFILTER]: Rename init functions. · 65b4b4e8

由 Andrew Morton 提交于 3月 28, 2006

Every netfilter module uses `init' for its module_init() function and
`fini' or `cleanup' for its module_exit() function.

Problem is, this creates uninformative initcall_debug output and makes
ctags rather useless.

So go through and rename them all to $(filename)_init and
$(filename)_fini.
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

65b4b4e8

21 3月, 2006 2 次提交
- P
  [NETFILTER]: x_tables: add xt_{match,target} arguments to match/target functions · c4986734
  由 Patrick McHardy 提交于 3月 20, 2006
```
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  c4986734
- P
  [NETFILTER]: Convert ip6_tables matches/targets to centralized error checking · 7f939713
  由 Patrick McHardy 提交于 3月 20, 2006
```
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
```
  7f939713
17 1月, 2006 1 次提交

[NETFILTER] ip6tables: whitespace and indent cosmetic cleanup · f0daaa65

由 Yasuyuki Kozakai 提交于 1月 17, 2006

Signed-off-by: NYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: NHarald Welte <laforge@netfilter.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

f0daaa65

13 1月, 2006 1 次提交

[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables · 2e4e6a17

由 Harald Welte 提交于 1月 12, 2006

This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: NHarald Welte <laforge@netfilter.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

2e4e6a17

06 1月, 2006 1 次提交

[NETFILTER]: make ipv6_find_hdr() find transport protocol header · b777e0ce

由 Patrick McHardy 提交于 1月 05, 2006

The original ipv6_find_hdr() finds the specified header in IPv6 packets.
This makes it possible to get transport header so that we can kill similar
loop in ip6_match_packet().
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

b777e0ce

20 9月, 2005 1 次提交

[NETFILTER] ip6tables: remove duplicate code · e674d0f3

由 Yasuyuki Kozakai 提交于 9月 19, 2005

Some IPv6 matches have very similar loops to find IPv6 extension header
and we can unify them. This patch introduces ipv6_find_hdr() to do it.
I just checked that it can find the target headers in the packet which has
dst,hbh,rt,frag,ah,esp headers.
Signed-off-by: NYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: NHarald Welte <laforge@netfilter.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

e674d0f3

17 4月, 2005 1 次提交

Linux-2.6.12-rc2 · 1da177e4

由 Linus Torvalds 提交于 4月 16, 2005

Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!

1da177e4