summaryrefslogtreecommitdiffstats
path: root/kernel
Commit message (Collapse)AuthorAgeFilesLines
* ipset 6.33 releasedv6.33Jozsef Kadlecsik2017-09-121-0/+19
|
* Backport patch: sctp: remove the typedef sctp_sctphdr_tJozsef Kadlecsik2017-09-112-0/+6
|
* Backport patch: netfilter: nfnetlink: extended ACK reportingJozsef Kadlecsik2017-09-112-18/+35
|
* ipset: remove unused function __ip_set_get_netlinkAaron Conole2017-09-111-8/+0
| | | | | | | | There are no in-tree callers. Signed-off-by: Aaron Conole <aconole@bytheb.org> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Backport patch: netlink: pass extended ACK struct to parsing functionsJozsef Kadlecsik2017-09-112-19/+29
|
* Backport patch netlink: extended ACK reportingJozsef Kadlecsik2017-09-112-1/+8
|
* netfilter: Remove exceptional & on function nameArushi Singhal2017-09-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | Remove & from function pointers to conform to the style found elsewhere in the file. Done using the following semantic patch // <smpl> @r@ identifier f; @@ f(...) { ... } @@ identifier r.f; @@ - &f + f // </smpl> Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Backport missing part of patch: netfilter: Remove unnecessary cast on void ↵Jozsef Kadlecsik2017-09-111-2/+1
| | | | pointer
* Backport nfnl_msg_type()Jozsef Kadlecsik2017-09-112-1/+9
|
* netfilter: ipset: ipset list may return wrong member count for set with timeoutVishwanath Pai2017-09-061-1/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | Simple testcase: $ ipset create test hash:ip timeout 5 $ ipset add test 1.2.3.4 $ ipset add test 1.2.2.2 $ sleep 5 $ ipset l Name: test Type: hash:ip Revision: 5 Header: family inet hashsize 1024 maxelem 65536 timeout 5 Size in memory: 296 References: 0 Number of entries: 2 Members: We return "Number of entries: 2" but no members are listed. That is because mtype_list runs "ip_set_timeout_expired" and does not list the expired entries, but set->elements is never upated (until mtype_gc cleans it up later). Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com>
* netfilter: ipset: deduplicate prefixlen mapsAaron Conole2017-09-061-258/+137
| | | | | | | | The prefixlen maps used here are identical, and have been since introduction. It seems to make sense to use a single large map, that the preprocessor will fill appropriately. Signed-off-by: Aaron Conole <aconole@bytheb.org>
* Fix sparse warningsJozsef Kadlecsik2017-03-232-2/+2
|
* netfilter: ipset: Compress return logicsimran singhal2017-03-231-4/+1
| | | | | | | | Simplify function returns by merging assignment and return into one command line. Signed-off-by: simran singhal <singhalsimran0@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Remove unnecessary cast on void pointersimran singhal2017-03-232-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | The following Coccinelle script was used to detect this: @r@ expression x; void* e; type T; identifier f; @@ ( *((T *)e) | ((T *)x)[...] | ((T*)x)->f | - (T*) e ) Signed-off-by: simran singhal <singhalsimran0@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Compatibility: handle changes in 4.10 kernel treeJozsef Kadlecsik2017-03-234-17/+54
| | | | | Handle changes in struct xt_action_param and the new xt_family(), xt_net() interfaces (reported by Jan Engelhardt).
* ipset 6.31 releasedv6.31Jozsef Kadlecsik2017-02-191-0/+8
|
* netfilter: ipset: Null pointer exception in ipset list:setVishwanath Pai2017-02-161-3/+6
| | | | | | | | | | | | | | | | | | | If we use before/after to add an element to an empty list it will cause a kernel panic. $> cat crash.restore create a hash:ip create b hash:ip create test list:set timeout 5 size 4 add test b before a $> ipset -R < crash.restore Executing the above will crash the kernel. Signed-off-by: Vishwanath Pai <vpai@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix bug: sometimes valid entries in hash:* types of sets were evictedJozsef Kadlecsik2017-02-161-1/+1
| | | | | | | | Wrong index was used and therefore when shrinking a hash bucket at deleting an entry, valid entries could be evicted as well. Thanks to Eric Ewanco for the thorough bugreport. Fixes netfilter bugzilla #1119
* Correct copyright ownerJozsef Kadlecsik2016-11-102-2/+2
| | | | | | | The functions was not introduced by Sergey Popovich, he proposed only separating them into individual extension header files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Revert patch "Correct rcu_dereference_bh_nfnl() usage"Jozsef Kadlecsik2016-11-101-6/+4
| | | | | | | The susbsystem param cannot be used to rely on subsystem mutex locking because the call is used in netlink dump context as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.30 releasedv6.30Jozsef Kadlecsik2016-10-171-0/+20
|
* netfilter: ipset: hash: fix boolreturn.cocci warningskbuild test robot2016-10-151-4/+4
| | | | | | | | | | | | | net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilinski@chilan.com> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix the nla_put_net64() API changes backportJozsef Kadlecsik2016-10-141-2/+2
| | | | | | | We must call nla_put_net64() because ipset uses net order in the netlink communication. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fixing unnamed union initElad Raz2016-10-132-12/+32
| | | | | | | | | | | | | | | In continue to proposed Vinson Lee's post [1], this patch fixes compilation issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed unions causes compilation error in gcc 4.4.x. References Visible links [1] https://lkml.org/lkml/2015/7/5/74 Signed-off-by: Elad Raz <eladr@mellanox.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: x_tables: Use par->net instead of computing from the passed net ↵Eric W. Biederman2016-10-132-6/+9
| | | | | | | | | | devices Backported from kernel tree. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct the reported memory size for bitmap:* typesJozsef Kadlecsik2016-10-132-4/+7
| | | | | | | The patch "Fix extension alignmen" (c7cf6f3b) removed counting the non-dynamic extensions into the used up memory area, fixed. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix coding styles reported by checkpatch.pl, already in kernelJozsef Kadlecsik2016-10-111-4/+3
|
* netfilter: x_tables: Pass struct net in xt_action_paramEric W. Biederman2016-10-112-0/+4
| | | | | | | | | | | As xt_action_param lives on the stack this does not bloat any persistent data structures. This is a first step in making netfilter code that needs to know which network namespace it is executing in simpler. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* net: sched: fix skb->protocol use in case of accelerated vlan pathJiri Pirko2016-10-112-1/+12
| | | | | | | | | | | | | | tc code implicitly considers skb->protocol even in case of accelerated vlan paths and expects vlan protocol type here. However, on rx path, if the vlan header was already stripped, skb->protocol contains value of next header. Similar situation is on tx path. So for skbs that use skb->vlan_tci for tagging, use skb->vlan_proto instead. Reported-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Check IPSET_ATTR_ETHER netlink attribute length in hash:ipmac tooJozsef Kadlecsik2016-10-111-0/+2
| | | | | | The explicit length checking was missing, added. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: fix include files for compilationMikko Rapeli2016-10-113-0/+6
| | | | | | | | | Add missing header dependencies and other small changes so that each file compiles alone in userspace. Signed-off-by: Mikko Rapeli <mikko.rapeli@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Backports for the nla_put_net64() API changesNeutron Soutmun2016-06-284-7/+18
| | | | | | | | | | | | | | | | | | | * Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1] by Nicolas Dichtel <nicolas.dichtel@6wind.com> * Since the nla_put_net64() API has been changed, therefore, the ip_set_compat.h.in should provides the macro IPSET_NLA_PUT_NET64 that point to the nla_put_net64() with appropriate number of arguments. The build script should distinguish the API changes by detect for the existence of nla_put_64bit() function in include/net/netlink.h. This function was added in the same patches set and called by the nla_put_be64() that called by nla_put_net64() respectively. [1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=e9bbe898cbe89b17ad3993c136aa13d0431cd537 Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer().Muhammad Falak R Wani2016-05-191-5/+2
| | | | | | | | | | | | | | | Use setup_timer() and instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer().Muhammad Falak R Wani2016-05-191-5/+2
| | | | | | | | | | | | | | | Use setup_timer() and instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer().Muhammad Falak R Wani2016-05-191-5/+2
| | | | | | | | | | | | | | | Use setup_timer() and instead of init_timer(), being the preferred way of setting up a timer. Also, quoting the mod_timer() function comment: -> mod_timer() is a more efficient way to update the expire field of an active timer (if the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:ipmac type support added to ipsetTomasz Chilinski2016-05-053-1/+323
| | | | | Signed-off-by: Tomasz Chili??ski <tomasz.chilinski@chilan.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.29 releasedv6.29Jozsef Kadlecsik2016-03-161-0/+3
|
* netfilter: ipset: fix race condition in ipset save, swap and deleteVishwanath Pai2016-03-165-8/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a race condition which can be demonstrated by the following script: ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \ counters ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 /* will crash the machine */ Swap will exchange the values of ref so destroy will see ref = 0 instead of ref = 1. With this fix in place swap will not succeed because ipset save still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink). Both delete and swap will error out if ref_netlink != 0 on the set. Note: The changes to *_head functions is because previously we would increment ref whenever we called these functions, we don't do that anymore. Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.28 releasedv6.28Jozsef Kadlecsik2016-03-121-0/+8
|
* netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute lengthJozsef Kadlecsik2016-03-082-1/+4
| | | | | | | | | | | | Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length was not checked explicitly, just for the maximum possible size. Malicious netlink clients could send shorter attribute and thus resulting a kernel read after the buffer. The patch adds the explicit length checkings. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix __aligned_u64 compatibility support for older kernel releasesJozsef Kadlecsik2016-02-292-5/+1
| | | | The issue was reported by Mart Frauenlob.
* Add compatibility to support EXPORT_SYMBOL_GPL in module.hJozsef Kadlecsik2016-02-241-0/+5
| | | | Fixes netfilter bugzilla id #1008
* Fix set:list type crash when flush/dump set in parallelJozsef Kadlecsik2016-02-242-30/+28
| | | | | | | Flushing/listing entries was not RCU safe, so parallel flush/dump could lead to kernel crash. Bug reported by Deniz Eren. Fixes netfilter bugzilla id #1050.
* netfilter: nfnetlink: pass down netns pointer to call() and call_rcu()Jozsef Kadlecsik2016-02-162-48/+58
| | | | Backport patch from Pablo Neira Ayuso <pablo@netfilter.org>
* netfilter: ipset: allow a 0 netmask with hash_netiface typeFlorian Westphal2016-01-131-4/+0
| | | | | | | | | | | | | | | | | Jozsef says: The correct behaviour is that if we have ipset create test1 hash:net,iface ipset add test1 0.0.0.0/0,eth0 iptables -A INPUT -m set --match-set test1 src,src then the rule should match for any traffic coming in through eth0. This removes the -EINVAL runtime test to make matching work in case packet arrived via the specified interface. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297092 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.27 releasedv6.27Jozsef Kadlecsik2015-11-071-0/+14
|
* Fix reported memory size for hash:* typesJozsef Kadlecsik2015-11-071-7/+9
| | | | | | | | The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix hash type expire: release empty hash bucket blockJozsef Kadlecsik2015-11-071-4/+10
| | | | | | When all entries are expired/all slots are empty, release the bucket. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix hash:* type expirationJozsef Kadlecsik2015-11-071-1/+1
| | | | | | | | Incorrect index was used when the data blob was shrinked at expiration, which could lead to falsely expired entries and memory leak when the comment extension was used too. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Collapse same condition body to a single oneJozsef Kadlecsik2015-11-071-7/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>