<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/ipv6/netfilter, branch v2.6.32</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>netfilter: ip6t_eui: fix read outside array bounds</title>
<updated>2009-08-31T13:30:31+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2009-08-31T13:30:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=488908696971c5ea1dcc5d13f29c158ba4f6ae7d'/>
<id>488908696971c5ea1dcc5d13f29c158ba4f6ae7d</id>
<content type='text'>
Use memcmp() instead of open coded comparison that reads one byte past
the intended end.

Based on patch from Roel Kluin &lt;roel.kluin@gmail.com&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use memcmp() instead of open coded comparison that reads one byte past
the intended end.

Based on patch from Roel Kluin &lt;roel.kluin@gmail.com&gt;

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: log packets dropped by helpers</title>
<updated>2009-08-25T13:33:08+00:00</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2009-08-25T13:33:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=74f7a6552c8d76ffc5e11eb8d9d6c07238b9ae77'/>
<id>74f7a6552c8d76ffc5e11eb8d9d6c07238b9ae77</id>
<content type='text'>
Log packets dropped by helpers using the netfilter logging API. This
is useful in combination with nfnetlink_log to analyze those packets
in userspace for debugging.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Log packets dropped by helpers using the netfilter logging API. This
is useful in combination with nfnetlink_log to analyze those packets
in userspace for debugging.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: mark initial tables constant</title>
<updated>2009-08-24T12:56:30+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-08-24T12:56:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=35aad0ffdf548617940ca1e78be1f2e0bafc4496'/>
<id>35aad0ffdf548617940ca1e78be1f2e0bafc4496</id>
<content type='text'>
The inputted table is never modified, so should be considered const.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The inputted table is never modified, so should be considered const.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: check for standard verdicts in policies</title>
<updated>2009-08-10T11:35:31+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-07-18T13:22:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e2fe35c17fed62d4ab5038fa9bc489e967ff8416'/>
<id>e2fe35c17fed62d4ab5038fa9bc489e967ff8416</id>
<content type='text'>
This adds the second check that Rusty wanted to have a long time ago. :-)

Base chain policies must have absolute verdicts that cease processing
in the table, otherwise rule execution may continue in an unexpected
spurious fashion (e.g. next chain that follows in memory).

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This adds the second check that Rusty wanted to have a long time ago. :-)

Base chain policies must have absolute verdicts that cease processing
in the table, otherwise rule execution may continue in an unexpected
spurious fashion (e.g. next chain that follows in memory).

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: check for unconditionality of policies</title>
<updated>2009-08-10T11:35:29+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-07-09T20:54:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=90e7d4ab5c8b0c4c2e00e4893977f6aeec0f18f1'/>
<id>90e7d4ab5c8b0c4c2e00e4893977f6aeec0f18f1</id>
<content type='text'>
This adds a check that iptables's original author Rusty set forth in
a FIXME comment.

Underflows in iptables are better known as chain policies, and are
required to be unconditional or there would be a stochastical chance
for the policy rule to be skipped if it does not match. If that were
to happen, rule execution would continue in an unexpected spurious
fashion.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This adds a check that iptables's original author Rusty set forth in
a FIXME comment.

Underflows in iptables are better known as chain policies, and are
required to be unconditional or there would be a stochastical chance
for the policy rule to be skipped if it does not match. If that were
to happen, rule execution would continue in an unexpected spurious
fashion.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks</title>
<updated>2009-08-10T11:35:28+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-07-18T12:52:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=a7d51738e757c1ab94595e7d05594c61f0fb32ce'/>
<id>a7d51738e757c1ab94595e7d05594c61f0fb32ce</id>
<content type='text'>
The "hook_entry" and "underflow" array contains values even for hooks
not provided, such as PREROUTING in conjunction with the "filter"
table. Usually, the values point to whatever the next rule is. For
the upcoming unconditionality and underflow checking patches however,
we must not inspect that arbitrary rule.

Skipping unassigned hooks seems like a good idea, also because
newinfo-&gt;hook_entry and newinfo-&gt;underflow will then continue to have
the poison value for detecting abnormalities.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The "hook_entry" and "underflow" array contains values even for hooks
not provided, such as PREROUTING in conjunction with the "filter"
table. Usually, the values point to whatever the next rule is. For
the upcoming unconditionality and underflow checking patches however,
we must not inspect that arbitrary rule.

Skipping unassigned hooks seems like a good idea, also because
newinfo-&gt;hook_entry and newinfo-&gt;underflow will then continue to have
the poison value for detecting abnormalities.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: use memcmp in unconditional check</title>
<updated>2009-08-10T11:35:27+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-07-09T21:00:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=47901dc2c4a3f1f9af453486a005d31fe9b393f0'/>
<id>47901dc2c4a3f1f9af453486a005d31fe9b393f0</id>
<content type='text'>
Instead of inspecting each u32/char open-coded, clean up and make use
of memcmp. On some arches, memcmp is implemented as assembly or GCC's
__builtin_memcmp which can possibly take advantages of known
alignment.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Instead of inspecting each u32/char open-coded, clean up and make use
of memcmp. On some arches, memcmp is implemented as assembly or GCC's
__builtin_memcmp which can possibly take advantages of known
alignment.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: switch table AFs to nfproto</title>
<updated>2009-08-10T11:35:23+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-06-13T04:25:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f88e6a8a50a603f8347343e75d035889784a507c'/>
<id>f88e6a8a50a603f8347343e75d035889784a507c</id>
<content type='text'>
Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: xtables: switch hook PFs to nfproto</title>
<updated>2009-08-10T11:35:21+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-06-13T04:20:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=24c232d8e911ef6189e02da411dc2b72cb03bfcf'/>
<id>24c232d8e911ef6189e02da411dc2b72cb03bfcf</id>
<content type='text'>
Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: conntrack: switch hook PFs to nfproto</title>
<updated>2009-08-10T11:35:20+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@medozas.de</email>
</author>
<published>2009-06-13T04:22:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=57750a22ed022ed6fcdcc5bc58d16011ccfe575f'/>
<id>57750a22ed022ed6fcdcc5bc58d16011ccfe575f</id>
<content type='text'>
Simple substitution to indicate that the fields indeed use the
NFPROTO_ space.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Simple substitution to indicate that the fields indeed use the
NFPROTO_ space.

Signed-off-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
</pre>
</div>
</content>
</entry>
</feed>
