linux.git/net/ipv6/netfilter, branch v2.6.27 Linux kernel source tree netfilter: ip6t_{hbh,dst}: Rejects not-strict mode on rule insertion 2008-09-24T22:53:39+00:00 Yasuyuki Kozakai yasuyuki.kozakai@toshiba.co.jp 2008-09-24T22:53:39+00:00 8ca31ce52a5cfd03b960fd81a49197ae85d25347 The current code ignores rules for internal options in HBH/DST options header in packet processing if 'Not strict' mode is specified (which is not implemented). Clearly it is not expected by user. Kernel should reject HBH/DST rule insertion with 'Not strict' mode in the first place. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The current code ignores rules for internal options in HBH/DST options
header in packet processing if 'Not strict' mode is specified (which is not
implemented). Clearly it is not expected by user.

Kernel should reject HBH/DST rule insertion with 'Not strict' mode
in the first place.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: ip{,6}tables_security: fix future section mismatch 2008-07-27T00:48:38+00:00 Alexey Dobriyan adobriyan@gmail.com 2008-07-27T00:48:38+00:00 f858b4869a9136dd28cc2ab37f8b89268cc99462 Currently not visible, because NET_NS is mutually exclusive with SYSFS which is required by SECURITY. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Currently not visible, because NET_NS is mutually exclusive with SYSFS
which is required by SECURITY.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: convert BUG_TRAP to generic WARN_ON 2008-07-26T04:43:18+00:00 Ilpo Järvinen ilpo.jarvinen@helsinki.fi 2008-07-26T04:43:18+00:00 547b792cac0a038b9dbf958d3c120df3740b5572 Removes legacy reinvent-the-wheel type thing. The generic machinery integrates much better to automated debugging aids such as kerneloops.org (and others), and is unambiguous due to better naming. Non-intuively BUG_TRAP() is actually equal to WARN_ON() rather than BUG_ON() though some might actually be promoted to BUG_ON() but I left that to future. I could make at least one BUILD_BUG_ON conversion. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> 
Removes legacy reinvent-the-wheel type thing. The generic
machinery integrates much better to automated debugging aids
such as kerneloops.org (and others), and is unambiguous due to
better naming. Non-intuively BUG_TRAP() is actually equal to
WARN_ON() rather than BUG_ON() though some might actually be
promoted to BUG_ON() but I left that to future.

I could make at least one BUILD_BUG_ON conversion.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: make security table depend on NETFILTER_ADVANCED 2008-07-23T23:42:42+00:00 Patrick McHardy kaber@trash.net 2008-07-23T23:42:42+00:00 70eed75d76635ba7350651b9bd96529a306ec67a Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
netns: Use net_eq() to compare net-namespaces for optimization. 2008-07-20T05:34:43+00:00 YOSHIFUJI Hideaki yoshfuji@linux-ipv6.org 2008-07-20T05:34:43+00:00 721499e8931c5732202481ae24f2dfbf9910f129 Without CONFIG_NET_NS, namespace is always &init_net. Compiler will be able to omit namespace comparisons with this patch. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Without CONFIG_NET_NS, namespace is always &init_net.
Compiler will be able to omit namespace comparisons with this patch.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: ip6table_filter in netns for real 2008-07-08T09:36:18+00:00 Alexey Dobriyan adobriyan@gmail.com 2008-07-08T09:36:18+00:00 43de9dfeaa30f7ed801dc1c38bdb63b1738bddcc One still needs to remove checks in nf_hook_slow() and nf_sockopt_find() to test this, though. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
One still needs to remove checks in nf_hook_slow() and nf_sockopt_find()
to test this, though.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: use correct namespace in ip6table_security 2008-07-08T09:34:52+00:00 Alexey Dobriyan adobriyan@parallels.com 2008-07-08T09:34:52+00:00 d2789312cc6d875462d1d248e07a8a9caf8a6ae3 Signed-off-by: Alexey Dobriyan <adobriyan@parallels.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Alexey Dobriyan <adobriyan@parallels.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-06-28T08:19:40+00:00 David S. Miller davem@davemloft.net 2008-06-28T08:19:40+00:00 1b63ba8a86c85524a8d7e5953b314ce71ebcb9c9 Conflicts: drivers/net/wireless/iwlwifi/iwl4965-base.c 
Conflicts:

	drivers/net/wireless/iwlwifi/iwl4965-base.c
inet fragments: fix race between inet_frag_find and inet_frag_secret_rebuild 2008-06-28T03:06:08+00:00 Pavel Emelyanov xemul@openvz.org 2008-06-28T03:06:08+00:00 9a375803feaadb6c34e0807bd9325885dcca5c00 The problem is that while we work w/o the inet_frags.lock even read-locked the secret rebuild timer may occur (on another CPU, since BHs are still disabled in the inet_frag_find) and change the rnd seed for ipv4/6 fragments. It was caused by my patch fd9e63544cac30a34c951f0ec958038f0529e244 ([INET]: Omit double hash calculations in xxx_frag_intern) late in the 2.6.24 kernel, so this should probably be queued to -stable. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
The problem is that while we work w/o the inet_frags.lock even
read-locked the secret rebuild timer may occur (on another CPU, since
BHs are still disabled in the inet_frag_find) and change the rnd seed
for ipv4/6 fragments.

It was caused by my patch fd9e63544cac30a34c951f0ec958038f0529e244
([INET]: Omit double hash calculations in xxx_frag_intern) late 
in the 2.6.24 kernel, so this should probably be queued to -stable.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: ip6table_mangle: don't reroute in LOCAL_IN 2008-06-24T20:30:45+00:00 Patrick McHardy kaber@trash.net 2008-06-24T20:30:45+00:00 88a6f4ad76be425f47df7f892baf913bcd466fb3 Rerouting should only happen in LOCAL_OUT, in INPUT its useless since the packet has already chosen its final destination. Noticed by Alexey Dobriyan <adobriyan@gmail.com>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Rerouting should only happen in LOCAL_OUT, in INPUT its useless
since the packet has already chosen its final destination.

Noticed by Alexey Dobriyan <adobriyan@gmail.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>