kernel/linux.git/include/linux/netfilter, branch v3.12.62 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.12.62 2016-07-21T06:35:48+00:00 netfilter: x_tables: introduce and use xt_copy_counters_from_user 2016-07-21T06:35:48+00:00 Florian Westphal fw@strlen.de 2016-04-01T13:37:59+00:00 urn:sha1:6a8d4c2659ad0b5b672cafcf81ae0e5fbe18ada8 commit d7591f0c41ce3e67600a982bab6989ef0f07b3ce upstream The three variants use same copy&pasted code, condense this into a helper and use that. Make sure info.name is 0-terminated. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> netfilter: x_tables: xt_compat_match_from_user doesn't need a retval 2016-07-21T06:35:46+00:00 Florian Westphal fw@strlen.de 2016-04-01T12:17:33+00:00 urn:sha1:39d710d9a43073d4937468b7b959f8f86640cca5 commit 0188346f21e6546498c2a0f84888797ad4063fc5 upstream. Always returned 0. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> netfilter: x_tables: check for bogus target offset 2016-07-21T06:35:43+00:00 Florian Westphal fw@strlen.de 2016-04-01T12:17:28+00:00 urn:sha1:1812c704ac70a37c06f239d7c06fd4331a25c779 commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c upstream. We're currently asserting that targetoff + targetsize <= nextoff. Extend it to also check that targetoff is >= sizeof(xt_entry). Since this is generic code, add an argument pointing to the start of the match/target, we can then derive the base structure size from the delta. We also need the e->elems pointer in a followup change to validate matches. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> netfilter: x_tables: add compat version of xt_check_entry_offsets 2016-07-21T06:35:42+00:00 Florian Westphal fw@strlen.de 2016-04-01T12:17:26+00:00 urn:sha1:45c465bb1b42bb6869ffaf023432b23a889fd6f5 commit fc1221b3a163d1386d1052184202d5dc50d302d1 upstream. 32bit rulesets have different layout and alignment requirements, so once more integrity checks get added to xt_check_entry_offsets it will reject well-formed 32bit rulesets. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> netfilter: x_tables: add and use xt_check_entry_offsets 2016-07-21T06:35:41+00:00 Florian Westphal fw@strlen.de 2016-04-01T12:17:23+00:00 urn:sha1:d1b53f828e25976196e2a3f0397c98ebe7fc330c commit 7d35812c3214afa5b37a675113555259cfd67b98 upstream. Currently arp/ip and ip6tables each implement a short helper to check that the target offset is large enough to hold one xt_entry_target struct and that t->u.target_size fits within the current rule. Unfortunately these checks are not sufficient. To avoid adding new tests to all of ip/ip6/arptables move the current checks into a helper, then extend this helper in followup patches. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> netfilter: ipset: Consistent userspace testing with nomatch flag 2013-09-16T18:35:55+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-09-16T18:04:53+00:00 urn:sha1:0f1799ba1a5db4c48b72ac2da2dc70d8c190a73d The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: export xt_HMARK.h to userland 2013-08-14T08:48:05+00:00 Nicolas Dichtel nicolas.dichtel@6wind.com 2013-08-13T13:05:39+00:00 urn:sha1:38c67328ac79cb9eaf61b5d4750fe3b9cff0dd15 This file contains the API for the target "HMARK", hence it should be exported to userland. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: export xt_rpfilter.h to userland 2013-08-14T08:47:15+00:00 Nicolas Dichtel nicolas.dichtel@6wind.com 2013-08-13T13:05:38+00:00 urn:sha1:f0c03956ac40fdc4fbce7bed262ae74ac372e765 This file contains the API for the match "rpfilter", hence it should be exported to userland. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: ipset: set match: add support to match the counters 2013-04-29T18:09:03+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-04-27T12:40:50+00:00 urn:sha1:6e01781d1c80e2e8263471252a631e86165b15c5 The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: ipset: Introduce the counter extension in the core 2013-04-29T18:08:59+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-04-27T12:38:56+00:00 urn:sha1:34d666d489cf70c246ca99b2387741915c34b88c Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>