1. 20 5月, 2015 1 次提交
  2. 19 5月, 2015 2 次提交
  3. 18 5月, 2015 7 次提交
  4. 16 5月, 2015 1 次提交
    • P
      netfilter: x_tables: add context to know if extension runs from nft_compat · 55917a21
      Pablo Neira Ayuso 提交于
      Currently, we have four xtables extensions that cannot be used from the
      xt over nft compat layer. The problem is that they need real access to
      the full blown xt_entry to validate that the rule comes with the right
      dependencies. This check was introduced to overcome the lack of
      sufficient userspace dependency validation in iptables.
      
      To resolve this problem, this patch introduces a new field to the
      xt_tgchk_param structure that tell us if the extension is run from
      nft_compat context.
      
      The three affected extensions are:
      
      1) CLUSTERIP, this target has been superseded by xt_cluster. So just
         bail out by returning -EINVAL.
      
      2) TCPMSS. Relax the checking when used from nft_compat. If used with
         the wrong configuration, it will corrupt !syn packets by adding TCP
         MSS option.
      
      3) ebt_stp. Relax the check to make sure it uses the reserved
         destination MAC address for STP.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: NArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      55917a21
  5. 15 5月, 2015 4 次提交
    • B
      mdio-gpio: Propagate mii_bus.phy_ignore_ta_mask · ef7f3a5c
      Bert Vermeulen 提交于
      This also changes mii_bus.phy_mask to u32 for consistency.
      Signed-off-by: NBert Vermeulen <bert@biot.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ef7f3a5c
    • D
      test_bpf: add tests related to BPF_MAXINSNS · a4afd37b
      Daniel Borkmann 提交于
      Couple of torture test cases related to the bug fixed in 0b59d880
      ("ARM: net: delegate filter to kernel interpreter when imm_offset()
      return value can't fit into 12bits.").
      
      I've added a helper to allocate and fill the insn space. Output on
      x86_64 from my laptop:
      
      test_bpf: #233 BPF_MAXINSNS: Maximum possible literals jited:0 7 PASS
      test_bpf: #234 BPF_MAXINSNS: Single literal jited:0 8 PASS
      test_bpf: #235 BPF_MAXINSNS: Run/add until end jited:0 11553 PASS
      test_bpf: #236 BPF_MAXINSNS: Too many instructions PASS
      test_bpf: #237 BPF_MAXINSNS: Very long jump jited:0 9 PASS
      test_bpf: #238 BPF_MAXINSNS: Ctx heavy transformations jited:0 20329 20398 PASS
      test_bpf: #239 BPF_MAXINSNS: Call heavy transformations jited:0 32178 32475 PASS
      test_bpf: #240 BPF_MAXINSNS: Jump heavy test jited:0 10518 PASS
      
      test_bpf: #233 BPF_MAXINSNS: Maximum possible literals jited:1 4 PASS
      test_bpf: #234 BPF_MAXINSNS: Single literal jited:1 4 PASS
      test_bpf: #235 BPF_MAXINSNS: Run/add until end jited:1 1625 PASS
      test_bpf: #236 BPF_MAXINSNS: Too many instructions PASS
      test_bpf: #237 BPF_MAXINSNS: Very long jump jited:1 8 PASS
      test_bpf: #238 BPF_MAXINSNS: Ctx heavy transformations jited:1 3301 3174 PASS
      test_bpf: #239 BPF_MAXINSNS: Call heavy transformations jited:1 24107 23491 PASS
      test_bpf: #240 BPF_MAXINSNS: Jump heavy test jited:1 8651 PASS
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@plumgrid.com>
      Cc: Nicolas Schichan <nschichan@freebox.fr>
      Acked-by: NAlexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a4afd37b
    • E
      tcp: syncookies: extend validity range · 264ea103
      Eric Dumazet 提交于
      Now we allow storing more request socks per listener, we might
      hit syncookie mode less often and hit following bug in our stack :
      
      When we send a burst of syncookies, then exit this mode,
      tcp_synq_no_recent_overflow() can return false if the ACK packets coming
      from clients are coming three seconds after the end of syncookie
      episode.
      
      This is a way too strong requirement and conflicts with rest of
      syncookie code which allows ACK to be aged up to 2 minutes.
      
      Perfectly valid ACK packets are dropped just because clients might be
      in a crowded wifi environment or on another planet.
      
      So let's fix this, and also change tcp_synq_overflow() to not
      dirty a cache line for every syncookie we send, as we are under attack.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      264ea103
    • F
      net: phy: Add phy_ignore_ta_mask to account for broken turn-around · 922f2dd1
      Florian Fainelli 提交于
      Some PHY devices/switches will not release the turn-around line as they
      should do at the end of a MDIO transaction. To help with such
      situations, allow MDIO bus drivers to be made aware of such
      restrictions.
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      922f2dd1
  6. 14 5月, 2015 25 次提交