summaryrefslogtreecommitdiffstats
path: root/net/netfilter
Commit message (Collapse)AuthorAgeFilesLines
* cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits: netRusty Russell2008-12-291-2/+2
| | | | | | | | | | | | | | In future all cpumask ops will only be valid (in general) for bit numbers < nr_cpu_ids. So use that instead of NR_CPUS in iterators and other comparisons. This is always safe: no cpu number can be >= nr_cpu_ids, and nr_cpu_ids is initialized to NR_CPUS at boot. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Mike Travis <travis@sgi.com> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: David S. Miller <davem@davemloft.net>
* IPVS: Make "no destination available" message more consistent between schedulersSimon Horman2008-12-299-10/+24
| | | | | | Acked-by: Graeme Fowler <graeme@graemef.net> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6Linus Torvalds2008-12-2849-492/+632
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1429 commits) net: Allow dependancies of FDDI & Tokenring to be modular. igb: Fix build warning when DCA is disabled. net: Fix warning fallout from recent NAPI interface changes. gro: Fix potential use after free sfc: If AN is enabled, always read speed/duplex from the AN advertising bits sfc: When disabling the NIC, close the device rather than unregistering it sfc: SFT9001: Add cable diagnostics sfc: Add support for multiple PHY self-tests sfc: Merge top-level functions for self-tests sfc: Clean up PHY mode management in loopback self-test sfc: Fix unreliable link detection in some loopback modes sfc: Generate unique names for per-NIC workqueues 802.3ad: use standard ethhdr instead of ad_header 802.3ad: generalize out mac address initializer 802.3ad: initialize ports LACPDU from const initializer 802.3ad: remove typedef around ad_system 802.3ad: turn ports is_individual into a bool 802.3ad: turn ports is_enabled into a bool 802.3ad: make ntt bool ixgbe: Fix set_ringparam in ixgbe to use the same memory pools. ... Fixed trivial IPv4/6 address printing conflicts in fs/cifs/connect.c due to the conversion to %pI (in this networking merge) and the addition of doing IPv6 addresses (from the earlier merge of CIFS).
| * Merge branch 'master' of ↵David S. Miller2008-12-151-1/+1
| |\ | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/e1000e/ich8lan.c
| * | nf/dccp: merge errorpathsIlpo Järvinen2008-12-141-7/+9
| | | | | | | | | | | | | | | Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | netfilter: xt_NFLOG is dependant of nfnetlink_logEric Leblond2008-12-101-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The patch "don't call nf_log_packet in NFLOG module" make xt_NFLOG dependant of nfnetlink_log. This patch forces the dependencies to fix compilation in case only xt_NFLOG compilation was asked and modifies the help message accordingly to the change. Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | Merge branch 'master' of ↵David S. Miller2008-11-2819-114/+289
| |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 Conflicts: net/netfilter/nf_conntrack_netlink.c
| | * | netfilter: fix warning in net/netfilter/nf_conntrack_ftp.cIngo Molnar2008-11-251-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this warning: net/netfilter/nf_conntrack_ftp.c: In function 'help': net/netfilter/nf_conntrack_ftp.c:360: warning: 'matchoff' may be used uninitialized in this function net/netfilter/nf_conntrack_ftp.c:360: warning: 'matchlen' may be used uninitialized in this function triggers because GCC does not recognize the (correct) error flow between find_pattern(), 'found', 'matchoff' and 'matchlen'. Annotate it. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: nf_conntrack_ftp: change "partial ..." message to pr_debug()Patrick McHardy2008-11-241-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The message triggers when sending non-FTP data on port 21 or with certain clients that use multiple syscalls to send the command. Change to pr_debug() since users have been complaining. Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: nf_conntrack_proto_sctp: avoid bogus warningPatrick McHardy2008-11-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | net/netfilter/nf_conntrack_proto_sctp.c: In function 'sctp_packet': net/netfilter/nf_conntrack_proto_sctp.c:376: warning: array subscript is above array bounds gcc doesn't realize that do_basic_checks() guarantees that there is at least one valid chunk and thus new_state is never SCTP_CONNTRACK_MAX after the loop. Initialize to SCTP_CONNTRACK_NONE to avoid the warning. Based on patch by Wu Fengguang <wfg@linux.intel.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: nf_conntrack_proto_gre: spread __exitAlexey Dobriyan2008-11-201-1/+1
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: xt_recent: don't save proc dirsAlexey Dobriyan2008-11-201-11/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Not needed, since creation and removal are done by name. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: nf_conntrack: fix warning and prototype mismatchPatrick McHardy2008-11-181-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | net/netfilter/nf_conntrack_core.c:46:1: warning: symbol 'nfnetlink_parse_nat_setup_hook' was not declared. Should it be static? Including the proper header also revealed an incorrect prototype. Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: nfnetlink_log: fix warning and prototype mismatchPatrick McHardy2008-11-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | net/netfilter/nfnetlink_log.c:537:1: warning: symbol 'nfulnl_log_packet' was not declared. Should it be static? Including the proper header also revealed an incorrect prototype. Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: ctnetlink: deliver events for conntracks changed from userspacePablo Neira Ayuso2008-11-184-29/+141
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As for now, the creation and update of conntracks via ctnetlink do not propagate an event to userspace. This can result in inconsistent situations if several userspace processes modify the connection tracking table by means of ctnetlink at the same time. Specifically, using the conntrack command line tool and conntrackd at the same time can trigger unconsistencies. This patch also modifies the event cache infrastructure to pass the process PID and the ECHO flag to nfnetlink_send() to report back to userspace if the process that triggered the change needs so. Based on a suggestion from Patrick McHardy. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: ctnetlink: helper modules load-on-demand supportPablo Neira Ayuso2008-11-183-37/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds module loading for helpers via ctnetlink. * Creation path: We support explicit and implicit helper assignation. For the explicit case, we try to load the module. If the module is correctly loaded and the helper is present, we return EAGAIN to re-start the creation. Otherwise, we return EOPNOTSUPP. * Update path: release the spin lock, load the module and check. If it is present, then return EAGAIN to re-start the update. This patch provides a refactorized function to lookup-and-set the connection tracking helper. The function removes the exported symbol __nf_ct_helper_find as it has not clients anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: nf_conntrack: connection tracking helper name persistent aliasesPablo Neira Ayuso2008-11-179-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a way to provide generic and persistent aliases for the connection tracking helpers. This next patch requires this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: ctnetlink: get rid of module refcounting in ctnetlinkPablo Neira Ayuso2008-11-171-20/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch replaces the unnecessary module refcounting with the read-side locks. With this patch, all the dump and fill_info function are called under the RCU read lock. Based on a patch from Fabian Hugelshofer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: ctnetlink: use EOPNOTSUPP instead of EINVAL if the conntrack has ↵Pablo Neira Ayuso2008-11-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | no helper This patch changes the return value if the conntrack has no helper assigned. Instead of EINVAL, which is reserved for malformed messages, it returns EOPNOTSUPP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: ctnetlink: use nf_conntrack_get instead of atomic_incPablo Neira Ayuso2008-11-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Use nf_conntrack_get instead of the direct call to atomic_inc. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| | * | netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module.Eric Leblond2008-11-042-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch modifies xt_NFLOG to suppress the call to nf_log_packet() function. The call of this wrapper in xt_NFLOG was causing NFLOG to use the first initialized module. Thus, if ipt_ULOG is loaded before nfnetlink_log all NFLOG rules are treated as plain LOG rules. Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | | Merge branch 'master' of ↵David S. Miller2008-11-262-5/+4
| |\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/hp-plus.c drivers/net/wireless/ath5k/base.c drivers/net/wireless/ath9k/recv.c net/wireless/reg.c
| * \ \ \ Merge branch 'master' of ↵David S. Miller2008-11-111-1/+2
| |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/message/fusion/mptlan.c drivers/net/sfc/ethtool.c net/mac80211/debugfs_sta.c
| * | | | | ipvs: oldlen, newlen should be be16, not be32Harvey Harrison2008-11-062-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Noticed by sparse: net/netfilter/ipvs/ip_vs_proto_tcp.c:195:6: warning: incorrect type in argument 5 (different base types) net/netfilter/ipvs/ip_vs_proto_tcp.c:195:6: expected restricted __be16 [usertype] oldlen net/netfilter/ipvs/ip_vs_proto_tcp.c:195:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_tcp.c:196:6: warning: incorrect type in argument 6 (different base types) net/netfilter/ipvs/ip_vs_proto_tcp.c:196:6: expected restricted __be16 [usertype] newlen net/netfilter/ipvs/ip_vs_proto_tcp.c:196:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_tcp.c:270:6: warning: incorrect type in argument 5 (different base types) net/netfilter/ipvs/ip_vs_proto_tcp.c:270:6: expected restricted __be16 [usertype] oldlen net/netfilter/ipvs/ip_vs_proto_tcp.c:270:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_tcp.c:271:6: warning: incorrect type in argument 6 (different base types) net/netfilter/ipvs/ip_vs_proto_tcp.c:271:6: expected restricted __be16 [usertype] newlen net/netfilter/ipvs/ip_vs_proto_tcp.c:271:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_udp.c:206:6: warning: incorrect type in argument 5 (different base types) net/netfilter/ipvs/ip_vs_proto_udp.c:206:6: expected restricted __be16 [usertype] oldlen net/netfilter/ipvs/ip_vs_proto_udp.c:206:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_udp.c:207:6: warning: incorrect type in argument 6 (different base types) net/netfilter/ipvs/ip_vs_proto_udp.c:207:6: expected restricted __be16 [usertype] newlen net/netfilter/ipvs/ip_vs_proto_udp.c:207:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_udp.c:282:6: warning: incorrect type in argument 5 (different base types) net/netfilter/ipvs/ip_vs_proto_udp.c:282:6: expected restricted __be16 [usertype] oldlen net/netfilter/ipvs/ip_vs_proto_udp.c:282:6: got restricted __be32 [usertype] <noident> net/netfilter/ipvs/ip_vs_proto_udp.c:283:6: warning: incorrect type in argument 6 (different base types) net/netfilter/ipvs/ip_vs_proto_udp.c:283:6: expected restricted __be16 [usertype] newlen net/netfilter/ipvs/ip_vs_proto_udp.c:283:6: got restricted __be32 [usertype] <noident> Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | Merge branch 'master' of ↵David S. Miller2008-11-062-0/+8
| |\ \ \ \ \ | | |_|_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/ath5k/base.c net/8021q/vlan_core.c
| * | | | | net: '&' reduxAlexey Dobriyan2008-11-0310-81/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I want to compile out proc_* and sysctl_* handlers totally and stub them to NULL depending on config options, however usage of & will prevent this, since taking adress of NULL pointer will break compilation. So, drop & in front of every ->proc_handler and every ->strategy handler, it was never needed in fact. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | IPVS: Remove supports_ipv6 scheduler flagJulius Volz2008-11-0311-48/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove the 'supports_ipv6' scheduler flag since all schedulers now support IPv6. Signed-off-by: Julius Volz <julius.volz@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | IPVS: Add IPv6 support to LBLC/LBLCR schedulersJulius Volz2008-11-032-61/+92
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add IPv6 support to LBLC and LBLCR schedulers. These were the last schedulers without IPv6 support, but we might want to keep the supports_ipv6 flag in the case of future schedulers without IPv6 support. Signed-off-by: Julius Volz <julius.volz@gmail.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | IPVS: Add IPv6 support to SH and DH schedulersJulius Volz2008-11-022-18/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add IPv6 support to SH and DH schedulers. I hope this simple IPv6 address hashing is good enough. The 128 bit are just XORed into 32 before hashing them like an IPv4 address. Signed-off-by: Julius Volz <julius.volz@gmail.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | net: replace NIPQUAD() in net/netfilter/Harvey Harrison2008-10-3116-108/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u can be replaced with %pI4 Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | Merge branch 'master' of ↵David S. Miller2008-10-311-2/+2
| |\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/p54/p54common.c
| * | | | | | net: replace %p6 with %pI6Harvey Harrison2008-10-2910-19/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | | | netfilter: replace uses of NIP6_FMT with %p6Harvey Harrison2008-10-2810-64/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | | | | Merge branch 'next' into for-linusJames Morris2008-12-252-10/+11
|\ \ \ \ \ \ \ | |_|_|_|_|_|/ |/| | | | | |
| * | | | | | Merge branch 'master' into nextJames Morris2008-12-042-5/+4
| |\ \ \ \ \ \ | | | |_|_|_|/ | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: fs/nfsd/nfs4recover.c Manually fixed above to use new creds API functions, e.g. nfs4_save_creds(). Signed-off-by: James Morris <jmorris@namei.org>
| * | | | | | Merge branch 'master' into nextJames Morris2008-11-143-1/+10
| |\ \ \ \ \ \ | | | |_|_|_|/ | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: security/keys/internal.h security/keys/process_keys.c security/keys/request_key.c Fixed conflicts above by using the non 'tsk' versions. Signed-off-by: James Morris <jmorris@namei.org>
| * | | | | | CRED: Use creds in file structsDavid Howells2008-11-142-10/+11
| | |_|_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Attach creds to file structs and discard f_uid/f_gid. file_operations::open() methods (such as hppfs_open()) should use file->f_cred rather than current_cred(). At the moment file->f_cred will be current_cred() at this point. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
* | | | | | tproxy: fixe a possible read from an invalid location in the socket matchBalazs Scheidler2008-12-071-1/+1
| |_|/ / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TIME_WAIT sockets need to be handled specially, and the socket match casted inet_timewait_sock instances to inet_sock, which are not compatible. Handle this special case by checking sk->sk_state. Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | | netfilter: ctnetlink: fix GFP_KERNEL allocation under spinlockPatrick McHardy2008-11-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous fix for the conntrack creation race (netfilter: ctnetlink: fix conntrack creation race) missed a GFP_KERNEL allocation that is now performed while holding a spinlock. Switch to GFP_ATOMIC. Reported-and-tested-by: Zoltan Borbely <bozo@andrews.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | | netfilter: ctnetlink: fix conntrack creation racePatrick McHardy2008-11-242-4/+3
| |/ / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conntrack creation through ctnetlink has two races: - the timer may expire and free the conntrack concurrently, causing an invalid memory access when attempting to put it in the hash tables - an identical conntrack entry may be created in the packet processing path in the time between the lookup and hash insertion Hold the conntrack lock between the lookup and insertion to avoid this. Reported-by: Zoltan Borbely <bozo@andrews.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | netfilter: payload_len is be16, add size of struct rather than size of pointerHarvey Harrison2008-11-101-1/+2
| |_|/ |/| | | | | | | | | | | | | | | | | | | | payload_len is a be16 value, not cpu_endian, also the size of a ponter to a struct ipv6hdr was being added, not the size of the struct itself. Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | netfilter: netns ct: walk netns list under RTNLAlexey Dobriyan2008-11-052-0/+8
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | netns list (just list) is under RTNL. But helper and proto unregistration happen during rmmod when RTNL is not held, and that's how it was tested: modprobe/rmmod vs clone(CLONE_NEWNET)/exit. BUG: unable to handle kernel paging request at 0000000000100100 <=== IP: [<ffffffffa009890f>] nf_conntrack_l4proto_unregister+0x96/0xae [nf_conntrack] PGD 15e300067 PUD 15e1d8067 PMD 0 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC last sysfs file: /sys/kernel/uevent_seqnum CPU 0 Modules linked in: nf_conntrack_proto_sctp(-) nf_conntrack_proto_dccp(-) af_packet iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 sr_mod cdrom [last unloaded: nf_conntrack_proto_sctp] Pid: 16758, comm: rmmod Not tainted 2.6.28-rc2-netns-xfrm #3 RIP: 0010:[<ffffffffa009890f>] [<ffffffffa009890f>] nf_conntrack_l4proto_unregister+0x96/0xae [nf_conntrack] RSP: 0018:ffff88015dc1fec8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: 00000000001000f8 RCX: 0000000000000000 RDX: ffffffffa009575c RSI: 0000000000000003 RDI: ffffffffa00956b5 RBP: ffff88015dc1fed8 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88015dc1fe48 R12: ffffffffa0458f60 R13: 0000000000000880 R14: 00007fff4c361d30 R15: 0000000000000880 FS: 00007f624435a6f0(0000) GS:ffffffff80521580(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000100100 CR3: 0000000168969000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process rmmod (pid: 16758, threadinfo ffff88015dc1e000, task ffff880179864218) Stack: ffffffffa0459100 0000000000000000 ffff88015dc1fee8 ffffffffa0457934 ffff88015dc1ff78 ffffffff80253fef 746e6e6f635f666e 6f72705f6b636172 00707463735f6f74 ffffffff8024cb30 00000000023b8010 0000000000000000 Call Trace: [<ffffffffa0457934>] nf_conntrack_proto_sctp_fini+0x10/0x1e [nf_conntrack_proto_sctp] [<ffffffff80253fef>] sys_delete_module+0x19f/0x1fe [<ffffffff8024cb30>] ? trace_hardirqs_on_caller+0xf0/0x114 [<ffffffff803ea9b2>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff8020b52b>] system_call_fastpath+0x16/0x1b Code: 13 35 e0 e8 c4 6c 1a e0 48 8b 1d 6d c6 46 e0 eb 16 48 89 df 4c 89 e2 48 c7 c6 fc 85 09 a0 e8 61 cd ff ff 48 8b 5b 08 48 83 eb 08 <48> 8b 43 08 0f 18 08 48 8d 43 08 48 3d 60 4f 50 80 75 d3 5b 41 RIP [<ffffffffa009890f>] nf_conntrack_l4proto_unregister+0x96/0xae [nf_conntrack] RSP <ffff88015dc1fec8> CR2: 0000000000100100 ---[ end trace bde8ac82debf7192 ]--- Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* / netfilter: nf_conntrack_proto_gre: switch to register_pernet_gen_subsys()Alexey Dobriyan2008-10-301-2/+2
|/ | | | | | | | | | | | | | | | register_pernet_gen_device() can't be used is nf_conntrack_pptp module is also used (compiled in or loaded). Right now, proto_gre_net_exit() is called before nf_conntrack_pptp_net_exit(). The former shutdowns and frees GRE piece of netns, however the latter absolutely needs it to flush keymap. Oops is inevitable. Switch to shiny new register_pernet_gen_subsys() to get correct ordering in netns ops list. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2008-10-206-13/+14
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: netfilter: replace old NF_ARP calls with NFPROTO_ARP netfilter: fix compilation error with NAT=n netfilter: xt_recent: use proc_create_data() netfilter: snmp nat leaks memory in case of failure netfilter: xt_iprange: fix range inversion match netfilter: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array netfilter: ctnetlink: remove obsolete NAT dependency from Kconfig pkt_sched: sch_generic: Fix oops in sch_teql dccp: Port redirection support for DCCP tcp: Fix IPv6 fallout from 'Port redirection support for TCP' netdev: change name dropping error codes ipvs: Update CONFIG_IP_VS_IPV6 description and help text
| * netfilter: replace old NF_ARP calls with NFPROTO_ARPJan Engelhardt2008-10-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | (Supplements: ee999d8b9573df1b547aacdc6d79f86eb79c25cd) NFPROTO_ARP actually has a different value from NF_ARP, so ensure all callers use the new value so that packets _do_ get delivered to the registered hooks. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * netfilter: fix compilation error with NAT=nPablo Neira Ayuso2008-10-201-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the compilation of ctnetlink when the NAT support is not enabled. /home/benh/kernels/linux-powerpc/net/netfilter/nf_conntrack_netlink.c:819: warning: enum nf_nat_manip_type\u2019 declared inside parameter list /home/benh/kernels/linux-powerpc/net/netfilter/nf_conntrack_netlink.c:819: warning: its scope is only this definition or declaration, which is probably not what you want Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Reported by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * netfilter: xt_recent: use proc_create_data()Alexey Dobriyan2008-10-201-6/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes a crash in recent_seq_start: BUG: unable to handle kernel NULL pointer dereference at 0000000000000100 IP: [<ffffffffa002119c>] recent_seq_start+0x4c/0x90 [xt_recent] PGD 17d33c067 PUD 107afe067 PMD 0 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC CPU 0 Modules linked in: ipt_LOG xt_recent af_packet iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 xt_tcpudp iptable_filter ip_tables x_tables ext2 nls_utf8 fuse sr_mod cdrom [last unloaded: ntfs] Pid: 32373, comm: cat Not tainted 2.6.27-04ab591808565f968d4406f6435090ad671ebdab #6 RIP: 0010:[<ffffffffa002119c>] [<ffffffffa002119c>] recent_seq_start+0x4c/0x90 [xt_recent] RSP: 0018:ffff88015fed7e28 EFLAGS: 00010246 ... Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * netfilter: xt_iprange: fix range inversion matchAlexey Dobriyan2008-10-201-4/+4
| | | | | | | | | | | | | | | | | | Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1! Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Acked-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * netfilter: ctnetlink: remove obsolete NAT dependency from KconfigPatrick McHardy2008-10-201-1/+0
| | | | | | | | | | | | | | | | Now that ctnetlink doesn't have any NAT module depenencies anymore, we can also remove them from Kconfig. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * ipvs: Update CONFIG_IP_VS_IPV6 description and help textJulius Volz2008-10-191-1/+3
| | | | | | | | | | | | | | | | | | | | This adds a URL to further info to the CONFIG_IP_VS_IPV6 Kconfig help text. Also, I think it should be ok to remove the "DANGEROUS" label in the description line at this point to get people to try it out and find all the bugs ;) It's still marked as experimental, of course. Signed-off-by: Julius Volz <juliusv@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>