linux-stable.git/net/netfilter/ipset, branch linux-3.5.y

netfilter: ipset: fix crash if IPSET_CMD_NONE command is sent

2012-06-29T11:04:04+00:00

This patch fixes a crash if that ipset command is sent over nfnetlink.

Signed-off-by: Tomasz Bursztyka 
Acked-by: Jozsef Kadlecsik 
Signed-off-by: Pablo Neira Ayuso

netfilter: ipset: fix interface comparision in hash-netiface sets

2012-06-25T10:03:21+00:00

ifname_compare() assumes that skb->dev is zero-padded,
e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does

strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);

in e1000_probe(), so once device is registered dev->name memory contains
'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
fail.

Use plain strcmp() instead.

Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2012-05-17T02:17:37+00:00

netfilter: ipset: fix hash size checking in kernel

2012-05-16T19:38:49+00:00

The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.

Signed-off-by: Jozsef Kadlecsik 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: David S. Miller

netfilter: Convert compare_ether_addr to ether_addr_equal

2012-05-10T00:49:18+00:00

Use the new bool function ether_addr_equal to add
some clarity and reduce the likelihood for misuse
of compare_ether_addr for sorting.

Done via cocci script:

$ cat compare_ether_addr.cocci
@@
expression a,b;
@@
-	!compare_ether_addr(a, b)
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	compare_ether_addr(a, b)
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!ether_addr_equal(a, b) == 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!ether_addr_equal(a, b) != 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	ether_addr_equal(a, b) == 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	ether_addr_equal(a, b) != 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!!ether_addr_equal(a, b)
+	ether_addr_equal(a, b)

Signed-off-by: Joe Perches 
Signed-off-by: David S. Miller

net: cleanup unsigned to unsigned int

2012-04-15T16:44:40+00:00

Use of "unsigned int" is preferred to bare "unsigned" in net tree.

Signed-off-by: Eric Dumazet 
Signed-off-by: David S. Miller

ipset: Stop using NLA_PUT*().

2012-04-02T08:33:41+00:00

These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.

Signed-off-by: David S. Miller

netfilter: ipset: Exceptions support added to hash:net types

2012-03-07T16:40:35+00:00

The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:

        ipset create test hash:net
        ipset add test 192.168.0/24
        ipset add test 192.168.0/30 nomatch

In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.

Signed-off-by: Jozsef Kadlecsik 
Signed-off-by: Pablo Neira Ayuso

netfilter: ipset: use NFPROTO_ constants

2012-03-07T16:40:29+00:00

ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).

Signed-off-by: Jan Engelhardt 
Signed-off-by: Jozsef Kadlecsik 
Signed-off-by: Pablo Neira Ayuso

netlink: add netlink_dump_control structure for netlink_dump_start()

2012-02-26T19:10:06+00:00

Davem considers that the argument list of this interface is getting
out of control. This patch tries to address this issue following
his proposal:

struct netlink_dump_control c = { .dump = dump, .done = done, ... };

netlink_dump_start(..., &c);

Suggested by David S. Miller.

Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: David S. Miller