- 13 4月, 2010 2 次提交
-
-
由 Zhitong Wang 提交于
Fix some coding styles and remove moduleparam.h Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Alexey Dobriyan 提交于
XT_ALIGN() was rewritten through ALIGN() by commit 42107f50 "netfilter: xtables: symmetric COMPAT_XT_ALIGN definition". ALIGN() is not exported in userspace headers, which created compile problem for tc(8) and will create problem for iptables(8). We can't export generic looking name ALIGN() but we can export less generic __ALIGN_KERNEL() (suggested by Ben Hutchings). Google knows nothing about __ALIGN_KERNEL(). COMPAT_XT_ALIGN() changed for symmetry. Reported-by: NAndreas Henriksson <andreas@fatal.se> Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 09 4月, 2010 2 次提交
-
-
由 Adam Nielsen 提交于
Add reference counting to the netfilter LED target, to fix errors when multiple rules point to the same target ("LED trigger already exists"). Signed-off-by: NAdam Nielsen <a.nielsen@shikadi.net> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Patrick McHardy 提交于
The CONFIG_PROVE_RCU option discovered a few invalid uses of rcu_dereference() in netfilter. In all these cases, the code code intends to check whether a pointer is already assigned when performing registration or whether the assigned pointer matches when performing unregistration. The entire registration/ unregistration is protected by a mutex, so we don't need the rcu_dereference() calls. Reported-by: NValdis Kletnieks <Valdis.Kletnieks@vt.edu> Tested-by: NValdis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 08 4月, 2010 4 次提交
-
-
由 Herbert Xu 提交于
As we will set ip_summed to CHECKSUM_NONE when necessary in nfqnl_mangle, there is no need to zap CHECKSUM_COMPLETE in nfqnl_build_packet_message. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Herbert Xu 提交于
As we will set ip_summed to CHECKSUM_NONE when necessary in ipq_mangle_ipv6, there is no need to zap CHECKSUM_COMPLETE in ipq_build_packet_message. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Herbert Xu 提交于
While doing yet another audit on ip_summed I noticed ip_queue calling skb_checksum_help unnecessarily. As we will set ip_summed to CHECKSUM_NONE when necessary in ipq_mangle_ipv4, there is no need to zap CHECKSUM_COMPLETE in ipq_build_packet_message. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Patrick McHardy 提交于
When protocols use very long names, the sprintf calls might overflow the on-stack buffer. No protocol in the kernel does this however. Print the protocol name in the pr_debug statement directly to avoid this. Based on patch by Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Acked-by: NSimon Horman <horms@verge.net.au> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 01 4月, 2010 3 次提交
-
-
由 Eric Dumazet 提交于
xt_hashlimit uses a central lock per hash table and suffers from contention on some workloads. (Multiqueue NIC or if RPS is enabled) After RCU conversion, central lock is only used when a writer wants to add or delete an entry. For 'readers', updating an existing entry, they use an individual lock per entry. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Eric Dumazet 提交于
If clusterip_seq_start() memory allocation fails, we crash later in clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM)) Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jiri Pirko 提交于
Message size should be dependent on the presence of an accounting extension, not on CONFIG_NF_CT_ACCT definition. Signed-off-by: NJiri Pirko <jpirko@redhat.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 26 3月, 2010 4 次提交
-
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Superseded by xt_string revision 1 (linux v2.6.26-rc8-1127-g4ad3f261, iptables 1.4.2-rc1). Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Superseded by xt_multiport revision 1 (introduction already predates linux.git). Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Superseded by xt_hashlimit revision 1 (linux v2.6.24-6212-g09e410de, iptables 1.4.1-rc1). Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 25 3月, 2010 17 次提交
-
-
由 Jan Engelhardt 提交于
The return value of nf_ct_l3proto_get can directly be returned even in the case of success. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
When extended status codes are available, such as ENOMEM on failed allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing them up to userspace seems like a good idea compared to just always EINVAL. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Part of the transition of done by this semantic patch: // <smpl> @ rule1 @ struct xt_target ops; identifier check; @@ ops.checkentry = check; @@ identifier rule1.check; @@ check(...) { <... -return true; +return 0; ...> } @@ identifier rule1.check; @@ check(...) { <... -return false; +return -EINVAL; ...> } // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
The following semantic patch does part of the transformation: // <smpl> @ rule1 @ struct xt_match ops; identifier check; @@ ops.checkentry = check; @@ identifier rule1.check; @@ check(...) { <... -return true; +return 0; ...> } @@ identifier rule1.check; @@ check(...) { <... -return false; +return -EINVAL; ...> } // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_tgchk_param *par) { ... } // </smpl> Minus the change it does to xt_ct_find_proto. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. This semantic patch may not be too precise (checking for functions that use xt_mtchk_param rather than functions referenced by xt_match.checkentry), but reviewed, it produced the intended result. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_mtchk_param *par) { ... } // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
As I'm changing the return values soon, I want to have a clear visual path. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Semantic patch: // <smpl> @@ @@ IP_VS_XMIT( -PF_INET6, +NFPROTO_IPV6, ...) @@ @@ IP_VS_XMIT( -PF_INET, +NFPROTO_IPV4, ...) // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
The semantic patch used was: // <smpl> @@ @@ NF_HOOK( -PF_DECnet, +NFPROTO_DECNET, ...) // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
The semantic patch that was used: // <smpl> @@ @@ (NF_HOOK |NF_HOOK_THRESH |nf_hook )( -PF_INET6, +NFPROTO_IPV6, ...) // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
The semantic patch that was used: // <smpl> @@ @@ (NF_HOOK |NF_HOOK_COND |nf_hook )( -PF_INET, +NFPROTO_IPV4, ...) // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
The first argument to NF_HOOK* is an nfproto since quite some time. Commit v2.6.27-2457-gfdc9314c was the first to practically start using the new names. Do that now for the remaining NF_HOOK calls. The semantic patch used was: // <smpl> @@ @@ (NF_HOOK |NF_HOOK_THRESH )( -PF_BRIDGE, +NFPROTO_BRIDGE, ...) @@ @@ NF_HOOK( -PF_INET6, +NFPROTO_IPV6, ...) @@ @@ NF_HOOK( -PF_INET, +NFPROTO_IPV4, ...) // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Supplement to 1159683e. Downgrade the log level to INFO for most checkentry messages as they are, IMO, just an extra information to the -EINVAL code that is returned as part of a parameter "constraint violation". Leave errors to real errors, such as being unable to create a LED trigger. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Supplement to aa5fa318. The semantic patch for this change is: // <smpl> @@ struct xt_target_param *par; @@ -par->target->family +par->family @@ struct xt_tgchk_param *par; @@ -par->target->family +par->family @@ struct xt_tgdtor_param *par; @@ -par->target->family +par->family // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 19 3月, 2010 2 次提交
-
-
由 Zhitong Wang 提交于
Remove unused headers in net/ipv4/netfilter/nf_nat_h323.c Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Zhitong Wang 提交于
Remove unused headers in net/ipv6/netfilter/ip6t_LOG.c Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 18 3月, 2010 6 次提交
-
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
ENOMEM is a very obvious error code (cf. EINVAL), so I think we do not really need a warning message. Not to mention that if the allocation fails, the user is most likely going to get a stack trace from slab already. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
This will save one full padding chunk (8 bytes on x86_64) per target. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
This member is taking up a "long" per match, yet is only used by one module out of the roughly 90 modules, ip6t_hbh. ip6t_hbh can be restructured a little to accomodate for the lack of the .data member. This variant uses checking the par->match address, which should avoid having to add two extra functions, including calls, i.e. (hbh_mt6: call hbhdst_mt6(skb, par, NEXTHDR_OPT), dst_mt6: call hbhdst_mt6(skb, par, NEXTHDR_DEST)) Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-