1. 01 Oct, 2014 10 commits
  2. 30 Sep, 2014 25 commits
  3. 29 Sep, 2014 5 commits
    • netfilter: conntrack: disable generic tracking for known protocols · db29a950
      Florian Westphal committed
      Given the following iptables ruleset:
      
      -P FORWARD DROP
      -A FORWARD -m sctp --dport 9 -j ACCEPT
      -A FORWARD -p tcp --dport 80 -j ACCEPT
      -A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
      
      One would assume that this allows SCTP on port 9 and TCP on port 80.
      Unfortunately, if the SCTP conntrack module is not loaded, this allows
      *all* SCTP communication to pass through, i.e. -p sctp -j ACCEPT,
      which we think is a security issue.
      
      This is because on the first SCTP packet on port 9, we create a dummy
      "generic l4" conntrack entry without any port information (since
      conntrack doesn't know how to extract this information).
      
      All subsequent packets that are unknown will then be in established
      state since they will fall back to proto_generic and will match the
      'generic' entry.
      
      Our originally proposed version [1] completely disabled generic protocol
      tracking, but Jozsef suggests to not track protocols for which a more
      suitable helper is available, hence we now mitigate the issue for in
      tree known ct protocol helpers only, so that at least NAT and direction
      information will still be preserved for others.
      
       [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
      
      Joint work with Daniel Borkmann.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: store and dump set policy · 9363dc4b
      Arturo Borrero committed
      We want to know in which cases the user explicitly sets the policy
      options. In that case, we also want to dump back the info.
      Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Merge branch 'qca7000_spi' · 842abe08
      David S. Miller committed
      Stefan Wahren says:
      
      ====================
      add Qualcomm QCA7000 ethernet driver
      
      This patch series adds support for the Qualcomm QCA7000 Homeplug GreenPHY.
      The QCA7000 is a serial-to-powerline bridge with two interfaces: UART and SPI.
      These patches handle only the last one, with an Ethernet over SPI protocol
      driver.
      
      This driver is based on the Qualcomm code [1], but contains a lot of changes
      since last year:
      
      * devicetree support
      * DebugFS support
      * ethtool support
      * better error handling
      * performance improvements
      * code cleanup
      * some bugfixes
      
      The code has been tested only on Freescale i.MX28 boards, but should work
      on other platforms.
      
      [1] - https://github.com/IoE/qca7000
      
      Changes in V3:
      - Use ether_addr_copy instead of memcpy
      - Remove qcaspi_set_mac_address
      - Improve DT parsing
      - replace OF_GPIO dependency with OF
      - fix compile error caused by SET_ETHTOOL_OPS
      - fix possible endless loop when spi read fails
      - fix DT documentation
      - fix coding style
      - fix sparse warnings
      
      Changes in V2:
      - replace in DT the SPI intr GPIO with pure interrupt
      - make legacy mode a boolean DT property and remove it as module parameter
      - make burst length a module parameter instead of DT property
      - make pluggable a module parameter instead of DT property
      - improve DT documentation
      - replace debugFS register dump with ethtool function
      - replace debugFS stats with ethtool function
      - implement function to get ring parameter via ethtool
      - implement function to set TX ring count via ethtool
      - fix TX ring state in debugFS
      - optimize tx ring flush
      - add byte limit for TX ring to avoid bufferbloat
      - fix TX queue full and write buffer miss counter
      - fix SPI clk speed module parameter
      - fix possible packet loss
      - fix possible race during transmit
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: qualcomm: new Ethernet over SPI driver for QCA7000 · 291ab06e
      Stefan Wahren committed
      This patch adds the Ethernet over SPI driver for the
      Qualcomm QCA7000 HomePlug GreenPHY.
      Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Documentation: add Device tree bindings for QCA7000 · 7d50df8f
      Stefan Wahren committed
      This patch adds the Device tree bindings for the
      Ethernet over SPI protocol driver of the Qualcomm
      QCA7000 HomePlug GreenPHY.
      Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>