1. 26 Sep, 2016 8 commits
    • net: smc91x: take into account register shift · 876a55b8
      Robert Jarzmik committed
      This aligns smc91x with its cousin, namely smc911x.c.
      This also allows the driver to run also in a device-tree based lubbock
      board build, on which it was tested.
      Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: fix -ve error check on a signed iq · 1cb1860d
      Colin Ian King committed
      iq is unsigned, so the error check for iq < 0 has no effect so errors
      can slip past this check.  Fix this by making iq signed and also
      get_filter_steerq return a signed int so a -ve error can be returned.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · bce3414e
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter updates for net-next
      
      The following patchset contains Netfilter updates for your net-next
      tree, they are:
      
      1) Consolidate GRE protocol tracker using new GRE protocol definitions,
         patches from Gao Feng.
      
      2) Properly parse continuation lines in SIP helper, update allowed
         characters in Call-ID header and allow tabs in SIP headers as
         specified by RFC3261, from Marco Angaroni.
      
      3) Remove useless code in FTP conntrack helper, also from Gao Feng.
      
      4) Add number generation expression for nf_tables, with random and
         incremental generators. This also includes specific offset to add
         to the result, patches from Laura Garcia Liebana. Liping Zhang
         follows with a fix to avoid a race in this new expression.
      
      5) Fix new quota expression inversion logic, added in the previous
         pull request.
      
      6) Missing validation of queue configuration in nft_queue, patch
         from Liping Zhang.
      
      7) Remove unused ctl_table_path, as part of the deprecation of the
         ip_conntrack sysctl interface coming in the previous batch.
         Again from Liping Zhang.
      
      8) Add offset attribute to nft_hash expression, so we can generate
         any output from a specific base offset. Moreover, check for
         possible overflow, patches from Laura Garcia.
      
      9) Allow to invert dynamic set insertion from packet path, to check
         for overflows in case the set is full.
      
      10) Revisit nft_set_pktinfo*() logic from nf_tables to ensure
          proper initialization of layer 4 protocol. Consolidate pktinfo
          structure initialization for bridge and netdev families.
      
      11) Do not unconditionally drop IPv6 packets that we cannot parse
          transport protocol for ip6 and inet families, let the user decide
          on this via ruleset policy.
      
      12) Get rid of gotos in __nf_ct_try_assign_helper().
      
      13) Check for return value in register_netdevice_notifier() and
          nft_register_chain_type(), patches from Gao Feng.
      
      14) Get rid of CONFIG_IP6_NF_IPTABLES dependency in nf_queue
          infrastructure that is common to nf_tables, from Liping Zhang.
      
      15) Disable 'found' and 'searched' stats that are updated from the
          packet hotpath, not very useful these days.
      
      16) Validate maximum value of u32 netlink attributes in nf_tables,
          this introduces nft_parse_u32_check(). From Laura Garcia.
      
      17) Add missing code to integrate nft_queue with maps, patch from
          Liping Zhang. This also includes missing support ranges in
          nft_queue bridge family.
      
      18) Fix check in nft_payload_fast_eval() that ensures that we don't
          go over the skbuff data boundary, from Liping Zhang.
      
      19) Check if transport protocol is set from nf_tables tracing and
          payload expression. Again from Liping Zhang.
      
      20) Use net_get_random_once() whenever possible, from Gao Feng.
      
      21) Replace hardcoded value by sizeof() in xt_helper, from Gao Feng.
      
      22) Remove superfluous check for found element in nft_lookup.
      
      23) Simplify TCPMSS logic to check for minimum MTU, from Gao Feng.
      
      24) Replace double linked list by single linked list in Netfilter
          core hook infrastructure, patchset from Aaron Conole. This
          includes several patches to prepare this update.
      
      25) Fix wrong sequence adjustment of TCP RST with no ACK, from
          Gao Feng.
      
      26) Relax check for direction attribute in nft_ct for layer 3 and 4
          protocol fields, from Liping Zhang.
      
      27) Add new revision for hashlimit to support higher pps of up to 1
          million, from Vishwanath Pai.
      
      28) Evict stale entries in nf_conntrack when reading entries from
          /proc/net/nf_conntrack, from Florian Westphal.
      
      29) Fix transparent match for IPv6 request sockets, from Krisztian
          Kovacs.
      
      30) Add new range expression for nf_tables.
      
      31) Add missing code to support flags in nft_log. Expose NF_LOG_*
          flags via uapi and use it from the generic logging infrastructure,
          instead of using xt specific definitions, from Liping Zhang.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next · f20fbc07
      Pablo Neira Ayuso committed
      Conflicts:
      	net/netfilter/core.c
      	net/netfilter/nf_tables_netdev.c
      
      Resolve two conflicts before pull request for David's net-next tree:
      
      1) Between c73c2484 ("netfilter: nf_tables_netdev: remove redundant
         ip_hdr assignment") from the net tree and commit ddc8b602
         ("netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()").
      
      2) Between e8bffe0c ("net: Add _nf_(un)register_hooks symbols") and
         Aaron Conole's patches to replace list_head with single linked list.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_log: get rid of XT_LOG_* macros · 8cb2a7d5
      Liping Zhang committed
      nf_log is used by both nftables and iptables, so using XT_LOG_XXX macros
      here is not appropriate. Replace them with NF_LOG_XXX.
      Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_log: complete NFTA_LOG_FLAGS attr support · ff107d27
      Liping Zhang committed
      NFTA_LOG_FLAGS attribute is already supported, but the related
      NF_LOG_XXX flags are not exposed to the userspace. So we cannot
      explicitly enable log flags to log uid, tcp sequence, ip options
      and so on, i.e. such rule "nft add rule filter output log uid"
      is not supported yet.
      
      So move NF_LOG_XXX macro definitions to the uapi/../nf_log.h. In
      order to keep consistent with other modules, change NF_LOG_MASK to
      refer to all supported log flags. On the other hand, add a new
      NF_LOG_DEFAULT_MASK to refer to the original default log flags.
      
      Finally, if the user specifies unsupported log flags, or NFTA_LOG_GROUP
      and NFTA_LOG_FLAGS are set at the same time, report EINVAL to the
      userspace.
      Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: add range expression · 0f3cd9b3
      Pablo Neira Ayuso committed
      Inverse ranges != [a,b] are not currently possible because rules are
      composites of && operations, and we need to express this:
      
      	data < a || data > b
      
      This patch adds a new range expression. Positive ranges can already be
      expressed through two cmp expressions:
      
      	cmp(sreg, data, >=)
      	cmp(sreg, data, <=)
      
      This new range expression provides an alternative way to express this.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: xt_socket: fix transparent match for IPv6 request sockets · 7a682575
      KOVACS Krisztian committed
      The introduction of TCP_NEW_SYN_RECV state, and the addition of request
      sockets to the ehash table seems to have broken the --transparent option
      of the socket match for IPv6 (around commit a9407000).
      
      Now that the socket lookup finds the TCP_NEW_SYN_RECV socket instead of the
      listener, the --transparent option tries to match on the no_srccheck flag
      of the request socket.
      
      Unfortunately, that flag was only set for IPv4 sockets in tcp_v4_init_req()
      by copying the transparent flag of the listener socket. This effectively
      causes '-m socket --transparent' to not match on the ACK packet sent by the
      client in a TCP handshake.
      
      Based on the suggestion from Eric Dumazet, this change moves the code
      initializing no_srccheck to tcp_conn_request(), rendering the above
      scenario working again.
      
      Fixes: a9407000 ("netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV support")
      Signed-off-by: Alex Badics <alex.badics@balabit.com>
      Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 25 Sep, 2016 32 commits