linux-stable.git/net/netfilter/ipset, branch v3.7 Linux kernel stable tree netfilter: ipset: fix netiface set name overflow 2012-11-24T22:48:23+00:00 Florian Westphal fw@strlen.de 2012-11-22T01:32:45+00:00 4a6dd664eba59488c9e56b51a594396d7706eb08 attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
attribute is copied to IFNAMSIZ-size stack variable,
but IFNAMSIZ is smaller than IPSET_MAXNAMELEN.

Fortunately nfnetlink needs CAP_NET_ADMIN.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: Fix range bug in hash:ip,port,net 2012-11-21T22:49:02+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-11-19T06:42:21+00:00 4fe198e6b136c516df493ec325ab8f70d470f477 Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was the object, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Due to the missing ininitalization at adding/deleting entries, when
a plain_ip,port,net element was the object, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.

The error-prone default initialization is corrected in all hash:* types.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: Support to match elements marked with "nomatch" 2012-09-22T20:44:34+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T20:02:36+00:00 3e0304a583d72c747caa8afac76b8d514aa293f5 Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Exceptions can now be matched and we can branch according to the
possible cases:

a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match

i.e.

iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Coding style fixes 2012-09-22T20:44:29+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T20:01:45+00:00 3ace95c0ac125a042cfb682d0a9bbdbf1e5a2c65 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Include supported revisions in module description 2012-09-22T20:44:24+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T19:59:32+00:00 10111a6ef373c377e87730749a0f68210c3fd062 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Add /0 network support to hash:net,iface type 2012-09-22T20:44:15+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-10T19:22:23+00:00 bd9087e0407bfb5ec22d82d3bab1d2bba45daf5a Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Now it is possible to setup a single hash:net,iface type of set and
a single ip6?tables match which covers all egress/ingress filtering.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Check and reject crazy /0 input parameters 2012-09-21T19:51:34+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-04T15:45:59+00:00 b9fed748185a96b7cfe74afac4bd228e8af16f01 bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
bitmap:ip and bitmap:ip,mac type did not reject such a crazy range
when created and using such a set results in a kernel crash.
The hash types just silently ignored such parameters.

Reject invalid /0 input parameters explicitely.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Fix sparse warnings "incorrect type in assignment" 2012-09-21T19:51:22+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T19:44:58+00:00 6e27c9b4ee8f348770be5751e6a845ff52a31e19 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netlink: Rename pid to portid to avoid confusion 2012-09-10T19:30:41+00:00 Eric W. Biederman ebiederm@xmission.com 2012-09-07T20:12:54+00:00 15e473046cb6e5d18a4d0057e61d76315230382b It is a frequent mistake to confuse the netlink port identifier with a process identifier. Try to reduce this confusion by renaming fields that hold port identifiers portid instead of pid. I have carefully avoided changing the structures exported to userspace to avoid changing the userspace API. I have successfully built an allyesconfig kernel with this change. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
It is a frequent mistake to confuse the netlink port identifier with a
process identifier.  Try to reduce this confusion by renaming fields
that hold port identifiers portid instead of pid.

I have carefully avoided changing the structures exported to
userspace to avoid changing the userspace API.

I have successfully built an allyesconfig kernel with this change.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: ipset: fix crash if IPSET_CMD_NONE command is sent 2012-06-29T11:04:04+00:00 Tomasz Bursztyka tomasz.bursztyka@linux.intel.com 2012-06-28T02:57:48+00:00 d31f4d448f7671dc3e6a7a1c92a4c085a36058bb This patch fixes a crash if that ipset command is sent over nfnetlink. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch fixes a crash if that ipset command is sent over nfnetlink.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>