linux-stable.git/include/linux/netfilter/nfnetlink.h, branch v3.2.16 Linux kernel stable tree netfilter: nfnetlink: add RCU in nfnetlink_rcv_msg() 2011-07-18T14:08:07+00:00 Eric Dumazet eric.dumazet@gmail.com 2011-07-18T14:08:07+00:00 6b75e3e8d664a9a1b99d31a7f4976ae70d1d090a Goal of this patch is to permit nfnetlink providers not mandate nfnl_mutex being held while nfnetlink_rcv_msg() calls them. If struct nfnl_callback contains a non NULL call_rcu(), then nfnetlink_rcv_msg() will use it instead of call() field, holding rcu_read_lock instead of nfnl_mutex Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Florian Westphal <fw@strlen.de> CC: Eric Leblond <eric@regit.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Goal of this patch is to permit nfnetlink providers not mandate
nfnl_mutex being held while nfnetlink_rcv_msg() calls them.

If struct nfnl_callback contains a non NULL call_rcu(), then
nfnetlink_rcv_msg() will use it instead of call() field, holding
rcu_read_lock instead of nfnl_mutex

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Florian Westphal <fw@strlen.de>
CC: Eric Leblond <eric@regit.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros 2011-02-01T14:20:14+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-02-01T14:20:14+00:00 f703651ef870bd6b94ddc98ae07488b7d3fd9335 The patch adds the NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros to the vanilla kernel. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The patch adds the NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros to the
vanilla kernel.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ctnetlink: fix reliable event delivery if message building fails 2010-03-20T21:29:03+00:00 Pablo Neira Ayuso pablo@netfilter.org 2010-03-16T13:30:21+00:00 37b7ef7203240b3aba577bb1ff6765fe15225976 This patch fixes a bug that allows to lose events when reliable event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR and NETLINK_RECV_NO_ENOBUFS socket options are set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch fixes a bug that allows to lose events when reliable
event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR
and NETLINK_RECV_NO_ENOBUFS socket options are set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: nfnetlink: netns support 2010-01-13T15:02:14+00:00 Alexey Dobriyan adobriyan@gmail.com 2010-01-13T15:02:14+00:00 cd8c20b650f49354722b8cc1f03320b004815a0a Make nfnl socket per-petns. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Make nfnl socket per-petns.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
net: cleanup include/linux 2009-11-04T17:50:58+00:00 Eric Dumazet eric.dumazet@gmail.com 2009-11-04T17:50:58+00:00 d94d9fee9fa4e66a0b91640a694b8b10177075b3 This cleanup patch puts struct/union/enum opening braces, in first line to ease grep games. struct something { becomes : struct something { Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
This cleanup patch puts struct/union/enum opening braces,
in first line to ease grep games.

struct something
{

becomes :

struct something {

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: nfnetlink: constify message attributes and headers 2009-08-25T14:07:58+00:00 Patrick McHardy kaber@trash.net 2009-08-25T14:07:58+00:00 3993832464dd4e14a4c926583a11f0fa92c1f0f0 Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: passive OS fingerprint xtables match 2009-06-08T15:01:51+00:00 Evgeniy Polyakov zbr@ioremap.net 2009-06-08T15:01:51+00:00 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 Passive OS fingerprinting netfilter module allows to passively detect remote OS and perform various netfilter actions based on that knowledge. This module compares some data (WS, MSS, options and it's order, ttl, df and others) from packets with SYN bit set with dynamically loaded OS fingerprints. Fingerprint matching rules can be downloaded from OpenBSD source tree or found in archive and loaded via netfilter netlink subsystem into the kernel via special util found in archive. Archive contains library file (also attached), which was shipped with iptables extensions some time ago (at least when ipt_osf existed in patch-o-matic). Following changes were made in this release: * added NLM_F_CREATE/NLM_F_EXCL checks * dropped _rcu list traversing helpers in the protected add/remove calls * dropped unneded structures, debug prints, obscure comment and check Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os or can be found in archive Example usage: -d switch removes fingerprints Please consider for inclusion. Thank you. Passive OS fingerprint homepage (archives, examples): http://www.ioremap.net/projects/osf Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Passive OS fingerprinting netfilter module allows to passively detect
remote OS and perform various netfilter actions based on that knowledge.
This module compares some data (WS, MSS, options and it's order, ttl, df
and others) from packets with SYN bit set with dynamically loaded OS
fingerprints.

Fingerprint matching rules can be downloaded from OpenBSD source tree
or found in archive and loaded via netfilter netlink subsystem into
the kernel via special util found in archive.

Archive contains library file (also attached), which was shipped
with iptables extensions some time ago (at least when ipt_osf existed
in patch-o-matic).

Following changes were made in this release:
 * added NLM_F_CREATE/NLM_F_EXCL checks
 * dropped _rcu list traversing helpers in the protected add/remove calls
 * dropped unneded structures, debug prints, obscure comment and check

Fingerprints can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
or can be found in archive

Example usage:
-d switch removes fingerprints

Please consider for inclusion.
Thank you.

Passive OS fingerprint homepage (archives, examples):
http://www.ioremap.net/projects/osf

Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: conntrack: replace notify chain by function pointer 2009-06-03T08:32:06+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-06-03T08:32:06+00:00 e34d5c1a4f9919a81b4ea4591d7383245f35cb8e This patch removes the notify chain infrastructure and replace it by a simple function pointer. This issue has been mentioned in the mailing list several times: the use of the notify chain adds too much overhead for something that is only used by ctnetlink. This patch also changes nfnetlink_send(). It seems that gfp_any() returns GFP_KERNEL for user-context request, like those via ctnetlink, inside the RCU read-side section which is not valid. Using GFP_KERNEL is also evil since netlink may schedule(), this leads to "scheduling while atomic" bug reports. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch removes the notify chain infrastructure and replace it
by a simple function pointer. This issue has been mentioned in the
mailing list several times: the use of the notify chain adds
too much overhead for something that is only used by ctnetlink.

This patch also changes nfnetlink_send(). It seems that gfp_any()
returns GFP_KERNEL for user-context request, like those via
ctnetlink, inside the RCU read-side section which is not valid.
Using GFP_KERNEL is also evil since netlink may schedule(),
this leads to "scheduling while atomic" bug reports.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'header-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-03-26T23:11:41+00:00 Linus Torvalds torvalds@linux-foundation.org 2009-03-26T23:11:41+00:00 ba1eb95cf3cc666769afe42eaa15a3a34ae82f94 * 'header-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (50 commits) x86: headers cleanup - setup.h emu101k1.h: fix duplicate include of <linux/types.h> compiler-gcc4: conditionalize #error on __KERNEL__ remove __KERNEL_STRICT_NAMES make netfilter use strict integer types make drm headers use strict integer types make MTD headers use strict integer types make most exported headers use strict integer types make exported headers use strict posix types unconditionally include asm/types.h from linux/types.h make linux/types.h as assembly safe Neither asm/types.h nor linux/types.h is required for arch/ia64/include/asm/fpu.h headers_check fix cleanup: linux/reiserfs_fs.h headers_check fix cleanup: linux/nubus.h headers_check fix cleanup: linux/coda_psdev.h headers_check fix: x86, setup.h headers_check fix: x86, prctl.h headers_check fix: linux/reinserfs_fs.h headers_check fix: linux/socket.h headers_check fix: linux/nubus.h ... Manually fix trivial conflicts in: include/linux/netfilter/xt_limit.h include/linux/netfilter/xt_statistic.h 
* 'header-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (50 commits)
  x86: headers cleanup - setup.h
  emu101k1.h: fix duplicate include of <linux/types.h>
  compiler-gcc4: conditionalize #error on __KERNEL__
  remove __KERNEL_STRICT_NAMES
  make netfilter use strict integer types
  make drm headers use strict integer types
  make MTD headers use strict integer types
  make most exported headers use strict integer types
  make exported headers use strict posix types
  unconditionally include asm/types.h from linux/types.h
  make linux/types.h as assembly safe
  Neither asm/types.h nor linux/types.h is required for arch/ia64/include/asm/fpu.h
  headers_check fix cleanup: linux/reiserfs_fs.h
  headers_check fix cleanup: linux/nubus.h
  headers_check fix cleanup: linux/coda_psdev.h
  headers_check fix: x86, setup.h
  headers_check fix: x86, prctl.h
  headers_check fix: linux/reinserfs_fs.h
  headers_check fix: linux/socket.h
  headers_check fix: linux/nubus.h
  ...

Manually fix trivial conflicts in:
	include/linux/netfilter/xt_limit.h
	include/linux/netfilter/xt_statistic.h
make netfilter use strict integer types 2009-03-26T17:14:20+00:00 Arnd Bergmann arnd@arndb.de 2009-02-25T23:51:43+00:00 60c195c729532815c5209c81442fa0eb26ace706 Netfilter traditionally uses BSD integer types in its interface headers. This changes it to use the Linux strict integer types, like everyone else. Cc: netfilter-devel@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> 
Netfilter traditionally uses BSD integer types in its
interface headers. This changes it to use the Linux
strict integer types, like everyone else.

Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>