linux.git/net/bridge/netfilter, branch v2.6.16 Linux kernel source tree [NETFILTER]: Fix wrong option spelling in Makefile for CONFIG_BRIDGE_EBT_ULOG 2006-03-12T02:51:25+00:00 Gregor Maier gregor@net.in.tum.de 2006-03-12T02:51:25+00:00 c12743764129e40dc8461afc1096cf175c7c25f2 Signed-off-by: Gregor Maier <gregor@net.in.tum.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Gregor Maier <gregor@net.in.tum.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Restore {ipt,ip6t,ebt}_LOG compatibility 2006-02-27T21:04:17+00:00 Patrick McHardy kaber@trash.net 2006-02-27T21:04:17+00:00 bafac2a512bf4fd2ce7520f3976ce8aab4435f74 The nfnetlink_log infrastructure changes broke compatiblity of the LOG targets. They currently use whatever log backend was registered first, which means that if ipt_ULOG was loaded first, no messages will be printed to the ring buffer anymore. Restore compatiblity by using the old log functions by default and only use the nf_log backend if the user explicitly said so. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The nfnetlink_log infrastructure changes broke compatiblity of the LOG
targets. They currently use whatever log backend was registered first,
which means that if ipt_ULOG was loaded first, no messages will be printed
to the ring buffer anymore.

Restore compatiblity by using the old log functions by default and only use
the nf_log backend if the user explicitly said so.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Fix possible overflow in netfilters do_replace() 2006-02-05T07:51:25+00:00 Kirill Korotaev dev@openvz.org 2006-02-04T10:16:56+00:00 ee4bb818ae35f68d1f848eae0a7b150a38eb4168 netfilter's do_replace() can overflow on addition within SMP_ALIGN() and/or on multiplication by NR_CPUS, resulting in a buffer overflow on the copy_from_user(). In practice, the overflow on addition is triggerable on all systems, whereas the multiplication one might require much physical memory to be present due to the check above. Either is sufficient to overwrite arbitrary amounts of kernel memory. I really hate adding the same check to all 4 versions of do_replace(), but the code is duplicate... Found by Solar Designer during security audit of OpenVZ.org Signed-Off-By: Kirill Korotaev <dev@openvz.org> Signed-Off-By: Solar Designer <solar@openwall.com> Signed-off-by: Patrck McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user().  In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above.  Either is
sufficient to overwrite arbitrary amounts of kernel memory.

I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...

Found by Solar Designer during security audit of OpenVZ.org

Signed-Off-By: Kirill Korotaev <dev@openvz.org>
Signed-Off-By: Solar Designer <solar@openwall.com>
Signed-off-by: Patrck McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Fix undersized skb allocation in ipt_ULOG/ebt_ulog/nfnetlink_log 2006-02-05T07:51:19+00:00 Patrick McHardy kaber@trash.net 2006-02-04T10:13:57+00:00 ad2ad0f96546d6d56b2665bcc863c33ae57c49c4 The skb allocated is always of size nlbufsize, even if that is smaller than the size needed for the current packet. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The skb allocated is always of size nlbufsize, even if that is smaller than
the size needed for the current packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: ULOG/nfnetlink_log: Use better default value for 'nlbufsiz' 2006-02-05T07:51:18+00:00 Holger Eitzenberger heitzenberger@astaro.com 2006-02-04T10:13:14+00:00 c2db292438c20c3f13db6e5563e0ce5b449bedac Performance tests showed that ULOG may fail on heavy loaded systems because of failed order-N allocations (N >= 1). The default value of 4096 is not optimal in the sense that it actually allocates _two_ contigous physical pages. Reasoning: ULOG uses alloc_skb(), which adds another ~300 bytes for skb_shared_info. This patch sets the default value to NLMSG_GOODSIZE and adds some documentation at the top. Signed-off-by: Holger Eitzenberger <heitzenberger@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Performance tests showed that ULOG may fail on heavy loaded systems
because of failed order-N allocations (N >= 1).

The default value of 4096 is not optimal in the sense that it actually
allocates _two_ contigous physical pages.  Reasoning: ULOG uses
alloc_skb(), which adds another ~300 bytes for skb_shared_info.

This patch sets the default value to NLMSG_GOODSIZE and adds some
documentation at the top.

Signed-off-by: Holger Eitzenberger <heitzenberger@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[EBTABLES]: Handle SCTP/DCCP in ebt_{ip,log} 2006-01-17T21:01:31+00:00 Patrick McHardy kaber@trash.net 2006-01-17T21:01:31+00:00 ab67a4d511188680beb8a0d82a90f55dbeb53d5c Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12T22:06:43+00:00 Harald Welte laforge@netfilter.org 2006-01-12T21:30:04+00:00 2e4e6a17af35be359cc8f1c924f8f198fbd478cc This monster-patch tries to do the best job for unifying the data structures and backend interfaces for the three evil clones ip_tables, ip6_tables and arp_tables. In an ideal world we would never have allowed this kind of copy+paste programming... but well, our world isn't (yet?) ideal. o introduce a new x_tables module o {ip,arp,ip6}_tables depend on this x_tables module o registration functions for tables, matches and targets are only wrappers around x_tables provided functions o all matches/targets that are used from ip_tables and ip6_tables are now implemented as xt_FOOBAR.c files and provide module aliases to ipt_FOOBAR and ip6t_FOOBAR o header files for xt_matches are in include/linux/netfilter/, include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers around the xt_FOOBAR.h headers Based on this patchset we're going to further unify the code, gradually getting rid of all the layer 3 specific assumptions. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Remove more unneeded typecasts on *malloc() 2006-01-12T00:32:14+00:00 Kris Katterjohn kjak@users.sourceforge.net 2006-01-11T23:56:43+00:00 8b3a70058bfe711b2d05ba2134178bae623183ce This removes more unneeded casts on the return value for kmalloc(), sock_kmalloc(), and vmalloc(). Signed-off-by: Kris Katterjohn <kjak@users.sourceforge.net> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This removes more unneeded casts on the return value for kmalloc(),
sock_kmalloc(), and vmalloc().

Signed-off-by: Kris Katterjohn <kjak@users.sourceforge.net>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Some more missing include/etherdevice.h includes 2006-01-12T00:32:11+00:00 David S. Miller davem@sunset.davemloft.net 2006-01-11T23:38:28+00:00 82bf7e97ac5b9fd03aea10df6910cad50d6c032d For compare_ether_addr() Signed-off-by: David S. Miller <davem@davemloft.net> 
For compare_ether_addr()

Signed-off-by: David S. Miller <davem@davemloft.net>
[EBTABLES] Don't match tcp/udp source/destination port for IP fragments 2006-01-10T21:12:22+00:00 Bart De Schuymer bdschuym@pandora.be 2006-01-10T21:12:22+00:00 8a4c8a96a47c9e2f08156fd9664974df086eed50 Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: David S. Miller <davem@davemloft.net>