- 20 Mar 2018, 8 commits
-
-
Committed by Jack Ma
This patch introduces a new feature that allows bitshifting (left and right) operations to co-operate with existing iptables options.
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Taehee Yoo
xtables uses the ADD_COUNTER macro to increase packet and byte counts. ebtables can also use this.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Gustavo A. R. Silva
In preparation for enabling -Wvla, remove the VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we can end up having segfaults that are hard to debug. Also, fixed as part of the directive to remove all VLAs from the kernel: https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Gustavo A. R. Silva
In preparation for enabling -Wvla, remove the VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we can end up having segfaults that are hard to debug. Also, fixed as part of the directive to remove all VLAs from the kernel: https://lkml.org/lkml/2018/3/7/621
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Gustavo A. R. Silva
In preparation for enabling -Wvla, remove the VLA and replace it with dynamic memory allocation. From a security viewpoint, the use of Variable Length Arrays can be a vector for stack overflow attacks. Also, in general, as the code evolves it is easy to lose track of how big a VLA can get. Thus, we can end up having segfaults that are hard to debug. Also, fixed as part of the directive to remove all VLAs from the kernel: https://lkml.org/lkml/2018/3/7/621
While at it, remove the likely() notation, which is not necessary in the control plane code.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
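The three VLA-removal commits above all apply the same pattern: a stack array sized by a runtime value becomes an explicit size bound followed by a heap allocation whose failure the caller must handle. The block below is an added illustration written for this page, not code from any of those commits or from the kernel; it uses userspace malloc/free where the kernel patches use kmalloc/kfree, the SCRATCH_MAX bound and the sum functions are hypothetical, and the eight-byte input is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on the scratch buffer a single call may need.
 * In real code it comes from the protocol or ruleset being processed. */
#define SCRATCH_MAX 4096

/* Constructed sample input for the demonstration. */
const uint8_t sample_input[8] = {1, 2, 3, 4, 5, 6, 7, 8};
const size_t sample_input_len = sizeof(sample_input);

/* "Before": the scratch buffer is a VLA sized by caller-controlled n.
 * Nothing bounds n, so a large value moves the stack pointer past the
 * guard page, and the compiler cannot see how big the frame may get.
 * gcc/clang -Wvla flags the declaration line. */
long sum_with_vla(const uint8_t *in, size_t n)
{
    uint8_t scratch[n];                /* unbounded stack growth */
    long total = 0;

    memcpy(scratch, in, n);
    for (size_t i = 0; i < n; i++)
        total += scratch[i];
    return total;
}

/* "After": reject oversize requests first, then take the buffer from the
 * heap. Returns -1 when n exceeds the bound or the allocation fails, so
 * every caller has to check the result instead of silently overflowing. */
long sum_with_heap(const uint8_t *in, size_t n)
{
    if (n > SCRATCH_MAX)
        return -1;                     /* bound checked before any access */

    uint8_t *scratch = malloc(n ? n : 1);
    if (!scratch)
        return -1;                     /* allocation failure is now visible */

    long total = 0;
    memcpy(scratch, in, n);
    for (size_t i = 0; i < n; i++)
        total += scratch[i];
    free(scratch);
    return total;
}

int main(void)
{
    printf("vla  sum = %ld\n", sum_with_vla(sample_input, sample_input_len));
    printf("heap sum = %ld\n", sum_with_heap(sample_input, sample_input_len));
    printf("oversize request -> %ld\n", sum_with_heap(sample_input, SCRATCH_MAX + 1));
    return 0;
}
```

The important detail is the order in the hardened version: the bound check runs before any memory is touched, so an oversize n never reaches memcpy, and the failure is a return value the caller can act on rather than a corrupted stack.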
-
Committed by Pablo Neira Ayuso
All existing keys, except NFT_CT_SRC and NFT_CT_DST, are assumed to have strict datatypes. This is causing problems with sets and concatenations, given that the specific length of these keys is not known.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
-
Committed by Yi-Hung Wei
Currently, nf_conncount_count() counts the number of connections that match the key and inserts a conntrack 'tuple' with the same key into the accounting data structure. This patch supports another use case that only counts the number of connections, where 'tuple' is not provided. Therefore, proper changes are made to nf_conncount_count() to support the case where 'tuple' is NULL. This could be useful for querying statistics or for debugging purposes.
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Yi-Hung Wei
Remove the parameter 'family' in nf_conncount_count() and count_tree(). The parameter is not useful after commit 625c5561 ("netfilter: connlimit: split xt_connlimit into front and backend").
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 14 Mar 2018, 2 commits
-
-
Committed by Gustavo A. R. Silva
Assign true or false to boolean variables instead of an integer value. This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
I placed the helpers within the CONFIG_COMPAT section; move them outside.
Fixes: 472ebdcd ("netfilter: x_tables: check error target size too")
Fixes: 07a9da51 ("netfilter: x_tables: check standard verdicts in core")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 06 Mar 2018, 28 commits
-
-
Committed by Geert Uytterhoeven
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Cong Wang
As suggested by Eric, we need to make the xt_rateest hash table and its lock per netns to reduce lock contention.
Cc: Florian Westphal <fw@strlen.de>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Harmless from the kernel's point of view, but again iptables assumes that this is true when decoding a ruleset coming from the kernel. If a (syzkaller-generated) ruleset doesn't have the underflow/policy stored as the last rule in the base chain, then iptables will abort() because it doesn't find the chain policy. libiptc assumes that the policy is the last rule in the base chain, which is only true for iptables-generated rulesets. Unfortunately this needs code duplication: the functions need the struct layout of the rule head, but that is different for ip/ip6/arptables.
NB: pr_warn could be pr_debug, but in case this breaks rulesets somehow it's useful to know why the blob was rejected.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
No need to bother even trying to allocate huge compat offset arrays; such a ruleset is rejected later on anyway because we refuse to allocate overly large rule blobs. However, compat translation happens before blob allocation, so we should add a check there too. This is supposed to help with fuzzing by avoiding the oom-killer.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Should have no impact; the function still always returns 0. This patch is only to ease review.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Allows size checks to live in a single spot. This is supposed to reduce oom situations when fuzz-testing xtables.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
This is a very conservative limit (134217728 rules), but good enough to not trigger frequent oom from syzkaller.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Arbitrary limit; however, this still allows huge rulesets (> 1 million rules). This helps with automated fuzzers as it prevents oom-killer invocation.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Harmless from the kernel's point of view, but iptables assumes that this is true when decoding a ruleset. iptables walks the blob dumped from the kernel and, for each entry that creates a new chain, prints out rule/chain information. Base chains (hook entry points) are thus only shown when they appear in the rule blob. One base chain that is referenced multiple times in the hook blob is then only printed once.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Allow a followup patch to change one location instead of three.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Check that the userspace ERROR target (custom user-defined chains) matches the expected format, and that the chain name is null terminated. This is irrelevant for the kernel, but iptables itself relies on sane input when it dumps rules from the kernel.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Florian Westphal
Userspace must provide a valid verdict to the standard target. The verdict can be either a jump (signed int > 0) or a return code. Allowed return codes are RETURN (pop from stack), NF_ACCEPT, DROP and QUEUE (the latter is allowed for legacy reasons). Jump offsets (verdict > 0) are checked in more detail later on when loop detection is performed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
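The rule stated in the commit message above (positive verdicts are jumps, negative verdicts must decode to RETURN, ACCEPT, DROP or QUEUE, everything else is rejected) is small enough to write out in full. The block below is an added example for this page, not the kernel's own checker: the NF_* constants reproduce the values from the netfilter uapi header and XT_RETURN its x_tables definition, while verdict_ok(), first_bad_verdict() and the sample verdict list are constructed for the demonstration. It relies on the standard target's encoding of return code X as -X - 1, which is why a stored -1 means DROP and -2 means ACCEPT.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Netfilter hook verdict codes, as in uapi/linux/netfilter.h. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3
#define NF_REPEAT 4
#define NF_STOP   5

/* The standard target stores a return code X as -X - 1. The slot that
 * would encode NF_REPEAT is reused by x_tables as "pop the chain stack". */
#define XT_RETURN (-NF_REPEAT - 1)

/* Accepts exactly the verdicts the commit message allows:
 *   > 0           jump offset, validated later by the loop detector
 *   XT_RETURN     return to the calling chain
 *   -1, -2, -4    DROP, ACCEPT, QUEUE after undoing the -X-1 encoding
 * Zero has no encoding, and STOLEN, STOP and out-of-range codes are
 * not valid for a userspace-supplied standard target. */
bool verdict_ok(int verdict)
{
    if (verdict > 0)
        return true;
    if (verdict == XT_RETURN)
        return true;
    if (verdict < 0) {
        int code = -verdict - 1;
        switch (code) {
        case NF_ACCEPT:
        case NF_DROP:
        case NF_QUEUE:
            return true;
        default:
            return false;
        }
    }
    return false;              /* verdict == 0 */
}

/* Walk the standard-target verdicts of a rule blob and report the index of
 * the first one that must make the kernel reject the ruleset, or -1 if the
 * blob passes. */
int first_bad_verdict(const int *verdicts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!verdict_ok(verdicts[i]))
            return (int)i;
    return -1;
}

/* Constructed sample: a few legal verdicts followed by an encoded
 * NF_STOLEN, which a fuzzer could hand to the kernel but iptables never
 * generates. */
const int sample_verdicts[] = {152, -NF_ACCEPT - 1, -NF_DROP - 1,
                               -NF_QUEUE - 1, XT_RETURN, -NF_STOLEN - 1, 7};
const size_t sample_verdicts_len = sizeof(sample_verdicts) / sizeof(sample_verdicts[0]);

int main(void)
{
    int bad = first_bad_verdict(sample_verdicts, sample_verdicts_len);
    if (bad < 0)
        printf("all verdicts valid\n");
    else
        printf("rejecting ruleset: verdict %d at index %d\n",
               sample_verdicts[bad], bad);
    return 0;
}
```

Note what the check deliberately does not do: a positive verdict is taken on trust here because only the later loop-detection pass knows the blob's rule offsets and can tell a valid jump from one that lands mid-rule or forms a cycle.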
-
Committed by Xin Long
Now it does cleanup_entry for oldinfo under the xt_table lock, but that's not really necessary. After the replacement job is done in xt_replace_table, oldinfo is not used anywhere else any more, and it can be freed safely without the xt_table lock. The important thing is that rtnl_lock is called in some xt_target destroy routines, which means rtnl_lock, a big lock, is taken inside the xt_table lock, a smaller one. This could usually be the reason why a deadlock may happen. Besides, all xt_target/match checkentry calls are made outside the xt_table lock. It's better to also move all cleanup_entry calls out of the xt_table lock, just as do_replace_finish does for ebtables.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Gustavo A. R. Silva
Return statements in functions returning bool should use true/false instead of 1/0. This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Taehee Yoo
The parameter protoff in nf_conntrack_broadcast_help is not used anywhere.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Taehee Yoo
If we use ipv6_addr_is_multicast instead of xt_cluster_ipv6_is_multicast, we can reduce code size.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by Taehee Yoo
The parameter skb in nfnl_acct_overquota is not used anywhere.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by kbuild test robot
Fixes: 3ecbfd65 ("netfilter: nf_tables: allocate handle and delete objects via handle")
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Committed by David S. Miller
Antoine Tenart says:
====================
net: mvpp2: jumbo frames support

This series enables jumbo frames support in the Marvell PPv2 driver. The first 2 patches rework the buffer management, then two patches prepare for the final patch, which adds the jumbo frames support into the driver. This is based on top of net-next, and was tested on a mcbin.

Thanks!
Antoine

Since v1:
- Improved the Tx FIFO initialization comment.
- Improved the pool sanity check in mvpp2_bm_pool_use().
- Fixed pool related comments.
- Cosmetic fixes (used BIT() whenever possible).
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Stefan Chulski
This patch adds support for jumbo frames in the Marvell PPv2 driver. A third buffer pool is added with 10KB buffers, which is used if the MTU is higher than 1518B for packets larger than 1518B. Please note that only port 0 supports hardware checksum offload, due to the Tx FIFO size limitation.
Signed-off-by: Stefan Chulski <stefanc@marvell.com>
[Antoine: cosmetic cleanup, commit message]
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Antoine Tenart
This patch adds NETIF_F_IPV6_CSUM to the driver's features to enable UDP/TCP checksum over IPv6. No extra configuration of the engine is needed on top of the IPv4 counterpart, which is already in the features list (NETIF_F_IP_CSUM).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Yan Markman
This patch sets the Tx FIFO data size on port 0 to 10kB. This prepares the PPv2 driver for the jumbo frame support addition, as the hardware will need big enough Tx FIFO buffers when dealing with frames going through an interface with an MTU of 9000.
Signed-off-by: Yan Markman <ymarkman@marvell.com>
[Antoine: commit message, small reworks.]
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Stefan Chulski
The buffer free routine is updated to release only a given number of buffers, and the destroy routine now checks the actual number of buffers in the (BPPI and BPPE) HW counters before draining the pools. This change helps with getting jumbo frames support.
Signed-off-by: Stefan Chulski <stefanc@marvell.com>
[Antoine: cosmetic cleanup, commit message]
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Stefan Chulski
This patch configures the buffer manager long pool for all ports that are part of the same CP. Long pool separation between ports is redundant, since there is no performance improvement when different pools are used.
Signed-off-by: Stefan Chulski <stefanc@marvell.com>
[Antoine: cosmetic cleanup, commit message]
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Jonathan Neuschäfer
This fixes the following kernel-doc warning:
./include/net/dst.h:366: warning: Function parameter or member 'net' not described in 'skb_tunnel_rx'
Fixes: ea23192e ("tunnels: harmonize cleanup done on skb on rx path")
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Jonathan Neuschäfer
The other dst_cache_{get,set}_ip{4,6} functions, and the doc comment for dst_cache_set_ip6, use 'saddr' for their source address parameter. Rename the parameter to increase consistency. This fixes the following kernel-doc warnings:
./include/net/dst_cache.h:58: warning: Function parameter or member 'addr' not described in 'dst_cache_set_ip6'
./include/net/dst_cache.h:58: warning: Excess function parameter 'saddr' description in 'dst_cache_set_ip6'
Fixes: 911362c7 ("net: add dst_cache support")
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Jonathan Neuschäfer
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 05 Mar 2018, 2 commits
-
-
Committed by David S. Miller
Kirill Tkhai says:
====================
Converting pernet_operations (part #4)

This series continues to review and convert pernet_operations to make it possible for them to be executed in parallel for several net namespaces at the same time. The patches touch mostly netfilter; there are also a small number of changes in other places.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Committed by Kirill Tkhai
These pernet_operations register and unregister sysctl. nf_conntrack_l4proto_gre4->init_net is a simple memory initializer. Also, the exit method removes the gre keymap_list, which is per-net. This looks safe to be executed in parallel with other pernet_operations.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-