Commit message | Author | Date | Files | Lines
* netfilter: xt_TEE: resolve oif using netdevice notifiers | Patrick McHardy | 2010-04-20 | 2 files | -23/+83
  Replace the runtime oif name resolving by netdevice notifier based resolving. When an oif is given, a netdevice notifier is registered to resolve the name on NETDEV_REGISTER or NETDEV_CHANGE and unresolve it again on NETDEV_UNREGISTER or NETDEV_CHANGE to a different name.

  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xtables: remove old comments about reentrancy | Jan Engelhardt | 2010-04-19 | 4 files | -10/+0
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xt_TEE: have cloned packet travel through Xtables too | Jan Engelhardt | 2010-04-19 | 3 files | -24/+18
  Since Xtables is now reentrant/nestable, the cloned packet can also go through Xtables and be subject to rules itself.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xtables: make ip_tables reentrant | Jan Engelhardt | 2010-04-19 | 5 files | -66/+145
  Currently, the table traverser stores return addresses in the ruleset itself (struct ip6t_entry->comefrom). This has a well-known drawback: the jumpstack is overwritten on reentry, making it necessary for targets to return absolute verdicts. Also, the ruleset (which might be heavy memory-wise) needs to be replicated for each CPU that can possibly invoke ip6t_do_table.

  This patch decouples the jumpstack from struct ip6t_entry and instead puts it into xt_table_info. Not being restricted by 'comefrom' anymore, we can set up a stack as needed. By default, there is room allocated for two entries into the traverser.

  arp_tables is not touched though, because there is just one/two modules and further patches seek to collapse the table traverser anyhow.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
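The reentrancy hazard described in the two commit messages above (a cloned packet re-entering the table traverser while return addresses live in the ruleset's own comefrom fields), shown as an added userspace model in C. This is not kernel code and not part of either commit: the rule layout, the TEE semantics, the depth guard that stops a clone from being cloned again, and the jump stack size of two are all assumptions of the model. It runs the same eight-rule table through the old comefrom scheme and through a per-invocation jump stack; only the old scheme returns the wrong verdict for the original packet.

```c
/* Added example, not kernel code: why storing return addresses in the rules
 * ("comefrom") breaks on reentry, and why a per-invocation jump stack does not.
 * Rule layout, TEE semantics and constants are assumptions of this model. */
#include <stdbool.h>
#include <stddef.h>

enum verdict { V_ACCEPT, V_DROP };
enum kind { K_ACCEPT, K_DROP, K_JUMP, K_RETURN, K_TEE };

struct rule {
    enum kind kind;
    int arg;        /* JUMP: target index; TEE: entry index for the clone */
    int comefrom;   /* old scheme: return address stored in the rule itself */
};

#define NRULES 8
#define MAX_CLONE_DEPTH 1   /* a clone is not cloned again (xt_TEE's guard) */
#define JUMPSTACK_SIZE 2    /* the commit's default: room for two nested jumps */

/* Constructed ruleset. The original packet enters at 0, the clone at 6.
 * Both paths jump into chain A (index 2), which jumps into chain B (index 4). */
static struct rule table[NRULES] = {
    { K_JUMP,   2, -1 },  /* 0: base, original packet: jump to chain A     */
    { K_ACCEPT, 0, -1 },  /* 1: original packet is accepted after A returns */
    { K_JUMP,   4, -1 },  /* 2: chain A: jump to chain B                   */
    { K_RETURN, 0, -1 },  /* 3: chain A: return to caller                  */
    { K_TEE,    6, -1 },  /* 4: chain B: clone; the clone enters at 6      */
    { K_RETURN, 0, -1 },  /* 5: chain B: return to caller                  */
    { K_JUMP,   2, -1 },  /* 6: base, cloned packet: jump to chain A       */
    { K_DROP,   0, -1 },  /* 7: cloned packet is dropped after A returns   */
};

/* Old scheme: the return address is kept in the rule after the jumping one.
 * A nested traversal of the same table overwrites that shared state. */
enum verdict traverse_comefrom(struct rule *rules, int start, int depth)
{
    int i = start, back = -1;
    for (;;) {
        struct rule *e = &rules[i];
        switch (e->kind) {
        case K_ACCEPT: return V_ACCEPT;
        case K_DROP:   return V_DROP;
        case K_JUMP:
            rules[i + 1].comefrom = back;   /* clobbered by the nested call */
            back = i + 1;
            i = e->arg;
            break;
        case K_RETURN:
            if (back < 0) return V_ACCEPT;  /* fell off the base chain: policy */
            i = back;
            back = rules[i].comefrom;
            break;
        case K_TEE:
            if (depth < MAX_CLONE_DEPTH)
                (void)traverse_comefrom(rules, e->arg, depth + 1); /* clone */
            i++;
            break;
        }
    }
}

/* New scheme: each invocation owns its jump stack, so reentry is harmless. */
enum verdict traverse_stack(struct rule *rules, int start, int depth)
{
    int stack[JUMPSTACK_SIZE];
    int sp = 0, i = start;
    for (;;) {
        struct rule *e = &rules[i];
        switch (e->kind) {
        case K_ACCEPT: return V_ACCEPT;
        case K_DROP:   return V_DROP;
        case K_JUMP:
            if (sp == JUMPSTACK_SIZE) return V_DROP;  /* stack full: fail closed */
            stack[sp++] = i + 1;
            i = e->arg;
            break;
        case K_RETURN:
            if (sp == 0) return V_ACCEPT;
            i = stack[--sp];
            break;
        case K_TEE:
            if (depth < MAX_CLONE_DEPTH)
                (void)traverse_stack(rules, e->arg, depth + 1); /* clone */
            i++;
            break;
        }
    }
}

/* Verdict for the original packet under each scheme. */
enum verdict original_verdict_comefrom(void) { return traverse_comefrom(table, 0, 0); }
enum verdict original_verdict_stack(void)    { return traverse_stack(table, 0, 0); }
```

Under the comefrom scheme the clone's jump from rule 6 into chain A rewrites rules[3].comefrom, so when the original packet later returns out of chain A it lands on rule 7 and is dropped instead of reaching rule 1. The jump stack version keeps the return addresses in the invocation's own stack and accepts the original packet; the clone path (start index 6) drops as intended under both.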
* netfilter: xtables: inclusion of xt_TEE | Jan Engelhardt | 2010-04-19 | 7 files | -0/+276
  xt_TEE can be used to clone and reroute a packet. This can for example be used to copy traffic at a router for logging purposes to another dedicated machine.

  References: http://www.gossamer-threads.com/lists/iptables/devel/68781

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: ipt_LOG/ip6t_LOG: use more appropriate log level as default | Patrick McHardy | 2010-04-15 | 2 files | -2/+2
  Use KERN_NOTICE instead of KERN_EMERG by default. This only affects kernel internal logging (like conntrack), user-specified logging rules contain a separate log level.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: ipv6: move xfrm_lookup at end of ip6_route_me_harder | Ulrich Weber | 2010-04-15 | 1 file | -14/+11
  xfrm_lookup should be called after ip6_route_output skb_dst_set, otherwise skb_dst_set of xfrm_lookup is pointless

  Signed-off-by: Ulrich Weber <uweber@astaro.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: bridge-netfilter: Fix MAC header handling with IP DNAT | Bart De Schuymer | 2010-04-15 | 3 files | -26/+83
  - fix IP DNAT on vlan- or pppoe-encapsulated traffic: The functions neigh_hh_output() or dst->neighbour->output() overwrite the complete Ethernet header, although we only need the destination MAC address. For encapsulated packets, they ended up overwriting the encapsulating header. The new code copies the Ethernet source MAC address and protocol number before calling dst->neighbour->output(). The Ethernet source MAC and protocol number are copied back in place in br_nf_pre_routing_finish_bridge_slow(). This also makes the IP DNAT more transparent because in the old scheme the source MAC of the bridge was copied into the source address in the Ethernet header. We also let skb->protocol equal ETH_P_IP resp. ETH_P_IPV6 during the execution of the PF_INET resp. PF_INET6 hooks.
  - Speed up IP DNAT by calling neigh_hh_bridge() instead of neigh_hh_output(): if dst->hh is available, we already know the MAC address so we can just copy it.

  Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: bridge-netfilter: simplify IP DNAT | Bart De Schuymer | 2010-04-15 | 3 files | -100/+40
  Remove br_netfilter.c::br_nf_local_out(). The function br_nf_local_out() was needed because the PF_BRIDGE::LOCAL_OUT hook could be called when IP DNAT happens on to-be-bridged traffic. The new scheme eliminates this mess.

  Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: ipv6: add IPSKB_REROUTED exclusion to NF_HOOK/POSTROUTING invocation | Jan Engelhardt | 2010-04-13 | 2 files | -2/+4
  Similar to how IPv4's ip_output.c works, have ip6_output also check the IPSKB_REROUTED flag. It will be set from xt_TEE for cloned packets since Xtables can currently only deal with a single packet in flight at a time.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Acked-by: David S. Miller <davem@davemloft.net>
  [Patrick: changed to use an IP6SKB value instead of IPSKB]
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: ipv6: move POSTROUTING invocation before fragmentation | Jan Engelhardt | 2010-04-13 | 1 file | -26/+23
  Patrick McHardy notes: "We used to invoke IPv4 POST_ROUTING after fragmentation as well just to defragment the packets in conntrack immediately afterwards, but that got changed during the netfilter-ipsec integration. Ideally IPv6 would behave like IPv4."

  This patch makes it so. Sending an oversized frame (e.g. `ping6 -s64000 -c1 ::1`) will now show up in POSTROUTING as a single skb rather than multiple ones.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Restore __ALIGN_MASK() | Alexey Dobriyan | 2010-04-13 | 1 file | -0/+1
  Fix lib/bitmap.c compile failure due to __ALIGN_KERNEL changes.

  Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: bridge-netfilter: update a comment in br_forward.c about ip_fragment() | Bart De Schuymer | 2010-04-13 | 1 file | -1/+1
  ip_refrag isn't used anymore in the bridge-netfilter code

  Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: bridge-netfilter: cleanup br_netfilter.c | Bart De Schuymer | 2010-04-13 | 1 file | -56/+2
  bridge-netfilter: cleanup br_netfilter.c
  - remove some of the graffiti at the head of br_netfilter.c
  - remove __br_dnat_complain()
  - remove KERN_INFO messages when CONFIG_NETFILTER_DEBUG is defined

  Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: fix some coding styles and remove moduleparam.h | Zhitong Wang | 2010-04-13 | 3 files | -5/+1
  Fix some coding styles and remove moduleparam.h

  Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xtables: make XT_ALIGN() usable in exported headers by exporting __ALIGN_KERNEL() | Alexey Dobriyan | 2010-04-13 | 2 files | -5/+6
  XT_ALIGN() was rewritten through ALIGN() by commit 42107f5009da223daa800d6da6904d77297ae829 "netfilter: xtables: symmetric COMPAT_XT_ALIGN definition".

  ALIGN() is not exported in userspace headers, which created a compile problem for tc(8) and will create a problem for iptables(8).

  We can't export generic looking name ALIGN() but we can export less generic __ALIGN_KERNEL() (suggested by Ben Hutchings). Google knows nothing about __ALIGN_KERNEL().

  COMPAT_XT_ALIGN() changed for symmetry.

  Reported-by: Andreas Henriksson <andreas@fatal.se>
  Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xt_LED: add refcounts to LED target | Adam Nielsen | 2010-04-09 | 1 file | -6/+63
  Add reference counting to the netfilter LED target, to fix errors when multiple rules point to the same target ("LED trigger already exists").

  Signed-off-by: Adam Nielsen <a.nielsen@shikadi.net>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: remove invalid rcu_dereference() calls | Patrick McHardy | 2010-04-09 | 2 files | -20/+6
  The CONFIG_PROVE_RCU option discovered a few invalid uses of rcu_dereference() in netfilter. In all these cases, the code intends to check whether a pointer is already assigned when performing registration or whether the assigned pointer matches when performing unregistration. The entire registration/unregistration is protected by a mutex, so we don't need the rcu_dereference() calls.

  Reported-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
  Tested-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: only do skb_checksum_help on CHECKSUM_PARTIAL in nfnetlink_queue | Herbert Xu | 2010-04-08 | 1 file | -2/+1
  As we will set ip_summed to CHECKSUM_NONE when necessary in nfqnl_mangle, there is no need to zap CHECKSUM_COMPLETE in nfqnl_build_packet_message.

  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: only do skb_checksum_help on CHECKSUM_PARTIAL in ip6_queue | Herbert Xu | 2010-04-08 | 1 file | -2/+1
  As we will set ip_summed to CHECKSUM_NONE when necessary in ipq_mangle_ipv6, there is no need to zap CHECKSUM_COMPLETE in ipq_build_packet_message.

  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: only do skb_checksum_help on CHECKSUM_PARTIAL in ip_queue | Herbert Xu | 2010-04-08 | 1 file | -2/+1
  While doing yet another audit on ip_summed I noticed ip_queue calling skb_checksum_help unnecessarily. As we will set ip_summed to CHECKSUM_NONE when necessary in ipq_mangle_ipv4, there is no need to zap CHECKSUM_COMPLETE in ipq_build_packet_message.

  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* IPVS: fix potential stack overflow with overly long protocol names | Patrick McHardy | 2010-04-08 | 2 files | -24/+18
  When protocols use very long names, the sprintf calls might overflow the on-stack buffer. No protocol in the kernel does this however. Print the protocol name in the pr_debug statement directly to avoid this.

  Based on patch by Zhitong Wang <zhitong.wangzt@alibaba-inc.com>

  Acked-by: Simon Horman <horms@verge.net.au>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
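The on-stack sprintf() pattern the IPVS commit above describes, shown as an added C example that is not the kernel's IPVS code and not part of the commit: the unbounded write beside a bounded variant that reports truncation, and the approach the commit actually takes of handing the name straight to the printf-style logger so there is no intermediate buffer at all. The buffer size, the function names and the message format are assumptions of this example.

```c
/* Added example, not kernel code: the overflow pattern behind the IPVS fix.
 * PROTO_BUF_LEN, the function names and the message format are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PROTO_BUF_LEN 16  /* deliberately small so the overflow is easy to see */

/* Unsafe pattern: sprintf() writes as many bytes as the format produces.
 * A protocol name longer than the buffer writes past its end. Kept only
 * for contrast; never call it with a name you do not control. */
void format_proto_unbounded(char *buf, const char *pp_name, unsigned int port)
{
    sprintf(buf, "%s:%u", pp_name, port);
}

/* Bounded pattern: snprintf() never writes more than buflen bytes and
 * returns the length the full message needed (NUL excluded). A result
 * >= buflen tells the caller the output was truncated. */
int format_proto_bounded(char *buf, size_t buflen, const char *pp_name, unsigned int port)
{
    return snprintf(buf, buflen, "%s:%u", pp_name, port);
}

/* True when "<name>:<port>" fits in a PROTO_BUF_LEN buffer untruncated. */
bool proto_name_fits(const char *pp_name, unsigned int port)
{
    char buf[PROTO_BUF_LEN];
    int needed = format_proto_bounded(buf, sizeof buf, pp_name, port);
    return needed >= 0 && (size_t)needed < sizeof buf;
}

/* What the commit does instead: no intermediate buffer at all. The name
 * goes straight to the printf-style logger (pr_debug in the kernel,
 * fprintf here), so there is no length assumption left to get wrong. */
int log_proto_direct(FILE *out, const char *pp_name, unsigned int port)
{
    return fprintf(out, "IPVS: %s:%u\n", pp_name, port);
}
```

With a 16-byte buffer, "TCP:80" fits, while a 20-character protocol name needs 23 bytes: the bounded variant reports that and stops after 15 characters, whereas the unbounded one would have written eight bytes past the end of the buffer. The direct-logging variant sidesteps the question entirely, which is why the commit removes the buffer rather than enlarging it.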
* netfilter: xt_hashlimit: RCU conversion | Eric Dumazet | 2010-04-01 | 1 file | -23/+47
  xt_hashlimit uses a central lock per hash table and suffers from contention on some workloads. (Multiqueue NIC or if RPS is enabled)

  After RCU conversion, central lock is only used when a writer wants to add or delete an entry.

  For 'readers', updating an existing entry, they use an individual lock per entry.

  Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: CLUSTERIP: clusterip_seq_stop() fix | Eric Dumazet | 2010-04-01 | 1 file | -1/+2
  If clusterip_seq_start() memory allocation fails, we crash later in clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM))

  Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: ctnetlink: compute message size properly | Jiri Pirko | 2010-04-01 | 1 file | -5/+12
  Message size should be dependent on the presence of an accounting extension, not on CONFIG_NF_CT_ACCT definition.

  Signed-off-by: Jiri Pirko <jpirko@redhat.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xtables: merge registration structure to NFPROTO_UNSPEC | Jan Engelhardt | 2010-03-25 | 1 file | -21/+10
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: remove xt_string revision 0 | Jan Engelhardt | 2010-03-25 | 2 files | -36/+19
  Superseded by xt_string revision 1 (linux v2.6.26-rc8-1127-g4ad3f26, iptables 1.4.2-rc1).

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: remove xt_multiport revision 0 | Jan Engelhardt | 2010-03-25 | 1 file | -77/+0
  Superseded by xt_multiport revision 1 (introduction already predates linux.git).

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: remove xt_hashlimit revision 0 | Jan Engelhardt | 2010-03-25 | 1 file | -221/+0
  Superseded by xt_hashlimit revision 1 (linux v2.6.24-6212-g09e410d, iptables 1.4.1-rc1).

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: shorten up return clause | Jan Engelhardt | 2010-03-25 | 6 files | -30/+14
  The return value of nf_ct_l3proto_get can directly be returned even in the case of success.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: slightly better error reporting | Jan Engelhardt | 2010-03-25 | 25 files | -61/+107
  When extended status codes are available, such as ENOMEM on failed allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing them up to userspace seems like a good idea compared to just always EINVAL.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* netfilter: xtables: change targets to return error code | Jan Engelhardt | 2010-03-25 | 31 files | -111/+116
  Part of the transition is done by this semantic patch:

  // <smpl>
  @ rule1 @
  struct xt_target ops;
  identifier check;
  @@
  ops.checkentry = check;

  @@
  identifier rule1.check;
  @@
  check(...) { <...
  -return true;
  +return 0;
  ...> }

  @@
  identifier rule1.check;
  @@
  check(...) { <...
  -return false;
  +return -EINVAL;
  ...> }
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* netfilter: xtables: change matches to return error code | Jan Engelhardt | 2010-03-25 | 44 files | -156/+162
  The following semantic patch does part of the transformation:

  // <smpl>
  @ rule1 @
  struct xt_match ops;
  identifier check;
  @@
  ops.checkentry = check;

  @@
  identifier rule1.check;
  @@
  check(...) { <...
  -return true;
  +return 0;
  ...> }

  @@
  identifier rule1.check;
  @@
  check(...) { <...
  -return false;
  +return -EINVAL;
  ...> }
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: change xt_target.checkentry return type | Jan Engelhardt | 2010-03-25 | 33 files | -37/+37
  Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back.

  // <smpl>
  @@
  type bool;
  identifier check, par;
  @@
  -bool check
  +int check
  (struct xt_tgchk_param *par) { ... }
  // </smpl>

  Minus the change it does to xt_ct_find_proto.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: change xt_match.checkentry return type | Jan Engelhardt | 2010-03-25 | 45 files | -50/+50
  Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back.

  This semantic patch may not be too precise (checking for functions that use xt_mtchk_param rather than functions referenced by xt_match.checkentry), but reviewed, it produced the intended result.

  // <smpl>
  @@
  type bool;
  identifier check, par;
  @@
  -bool check
  +int check
  (struct xt_mtchk_param *par) { ... }
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: untangle spaghetti if clauses in checkentry | Jan Engelhardt | 2010-03-25 | 2 files | -11/+19
  As I'm changing the return values soon, I want to have a clear visual path.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: ipvs: use NFPROTO values for NF_HOOK invocation | Jan Engelhardt | 2010-03-25 | 1 file | -8/+8
  Semantic patch:

  // <smpl>
  @@
  @@
  IP_VS_XMIT(
  -PF_INET6,
  +NFPROTO_IPV6,
  ...)

  @@
  @@
  IP_VS_XMIT(
  -PF_INET,
  +NFPROTO_IPV4,
  ...)
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: decnet: use NFPROTO values for NF_HOOK invocation | Jan Engelhardt | 2010-03-25 | 3 files | -12/+28
  The semantic patch used was:

  // <smpl>
  @@
  @@
  NF_HOOK(
  -PF_DECnet,
  +NFPROTO_DECNET,
  ...)
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: ipv6: use NFPROTO values for NF_HOOK invocation | Jan Engelhardt | 2010-03-25 | 9 files | -21/+21
  The semantic patch that was used:

  // <smpl>
  @@
  @@
  (NF_HOOK
  |NF_HOOK_THRESH
  |nf_hook
  )(
  -PF_INET6,
  +NFPROTO_IPV6,
  ...)
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: ipv4: use NFPROTO values for NF_HOOK invocation | Jan Engelhardt | 2010-03-25 | 7 files | -18/+18
  The semantic patch that was used:

  // <smpl>
  @@
  @@
  (NF_HOOK
  |NF_HOOK_COND
  |nf_hook
  )(
  -PF_INET,
  +NFPROTO_IPV4,
  ...)
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: bridge: use NFPROTO values for NF_HOOK invocation | Jan Engelhardt | 2010-03-25 | 5 files | -17/+18
  The first argument to NF_HOOK* is an nfproto since quite some time. Commit v2.6.27-2457-gfdc9314 was the first to practically start using the new names. Do that now for the remaining NF_HOOK calls.

  The semantic patch used was:

  // <smpl>
  @@
  @@
  (NF_HOOK
  |NF_HOOK_THRESH
  )(
  -PF_BRIDGE,
  +NFPROTO_BRIDGE,
  ...)

  @@
  @@
  NF_HOOK(
  -PF_INET6,
  +NFPROTO_IPV6,
  ...)

  @@
  @@
  NF_HOOK(
  -PF_INET,
  +NFPROTO_IPV4,
  ...)
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* netfilter: xt_recent: allow changing ip_list_[ug]id at runtime | Jan Engelhardt | 2010-03-25 | 1 file | -4/+4
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: consolidate code into xt_request_find_match | Jan Engelhardt | 2010-03-25 | 5 files | -24/+30
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: make use of xt_request_find_target | Jan Engelhardt | 2010-03-25 | 6 files | -52/+29
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xt extensions: use pr_<level> (2) | Jan Engelhardt | 2010-03-25 | 31 files | -185/+151
  Supplement to 1159683ef48469de71dc26f0ee1a9c30d131cf89.

  Downgrade the log level to INFO for most checkentry messages as they are, IMO, just extra information to the -EINVAL code that is returned as part of a parameter "constraint violation". Leave errors to real errors, such as being unable to create a LED trigger.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: make use of caller family rather than target family | Jan Engelhardt | 2010-03-25 | 2 files | -5/+5
  Supplement to aa5fa3185791aac71c9172d4fda3e8729164b5d1.

  The semantic patch for this change is:

  // <smpl>
  @@
  struct xt_target_param *par;
  @@
  -par->target->family
  +par->family

  @@
  struct xt_tgchk_param *par;
  @@
  -par->target->family
  +par->family

  @@
  struct xt_tgdtor_param *par;
  @@
  -par->target->family
  +par->family
  // </smpl>

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: remove unused headers in net/ipv4/netfilter/nf_nat_h323.c | Zhitong Wang | 2010-03-19 | 1 file | -1/+0
  Remove unused headers in net/ipv4/netfilter/nf_nat_h323.c

  Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: remove unused headers in net/ipv6/netfilter/ip6t_LOG.c | Zhitong Wang | 2010-03-19 | 1 file | -1/+0
  Remove unused headers in net/ipv6/netfilter/ip6t_LOG.c

  Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
  Signed-off-by: Patrick McHardy <kaber@trash.net>

* netfilter: xt extensions: use pr_<level> | Jan Engelhardt | 2010-03-18 | 21 files | -107/+88
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* netfilter: xtables: replace custom duprintf with pr_debug | Jan Engelhardt | 2010-03-18 | 7 files | -79/+41
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>