1. 22 May, 2008 1 commit
  2. 05 May, 2008 2 commits
  3. 03 May, 2008 2 commits
  4. 29 April, 2008 2 commits
  5. 14 April, 2008 3 commits
  6. 26 March, 2008 2 commits
  7. 21 March, 2008 1 commit
  8. 06 March, 2008 2 commits
  9. 24 February, 2008 1 commit
  10. 20 February, 2008 1 commit
  11. 01 February, 2008 4 commits
  12. 29 January, 2008 13 commits
  13. 25 January, 2008 3 commits
  14. 21 January, 2008 1 commit
    • [NETFILTER]: bridge-netfilter: fix net_device refcnt leaks · 2dc2f207
      Patrick McHardy committed on
      When packets are flood-forwarded to multiple output devices, the
      bridge-netfilter code reuses skb->nf_bridge for each clone to store
      the bridge port. When queueing packets using NFQUEUE netfilter takes
      a reference to skb->nf_bridge->physoutdev, which is overwritten
      when the packet is forwarded to the second port. This causes
      refcount underflows for the first device and refcount leaks for all
      others. Additionally this provides incorrect data to the iptables
      physdev match.
      
      Unshare skb->nf_bridge by copying it if it is shared before assigning
      the physoutdev device.
      
      Reported, tested and based on initial patch by
      Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  15. 12 January, 2008 1 commit
    • [NETFILTER]: bridge: fix double POST_ROUTING invocation · 2948d2eb
      Patrick McHardy committed on
      The bridge code incorrectly causes two POST_ROUTING hook invocations
      for DNATed packets that end up on the same bridge device. This
      happens because packets with a changed destination address are passed
      to dst_output() to make them go through the neighbour output function
      again to build a new destination MAC address, before they will continue
      through the IP hooks simulated by bridge netfilter.
      
      The resulting hook order is:
       PREROUTING	(bridge netfilter)
       POSTROUTING	(dst_output -> ip_output)
       FORWARD	(bridge netfilter)
       POSTROUTING	(bridge netfilter)
      
      The deferred hooks used to abort the first POST_ROUTING invocation,
      but since the only thing bridge netfilter actually really wants is
      a new MAC address, we can avoid going through the IP stack completely
      by simply calling the neighbour output function directly.
      
      Tested, reported and lots of data provided by: Damien Thebault <damien.thebault@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  16. 17 December, 2007 1 commit