- 08 Apr, 2010 4 commits
-
-
Herbert Xu authored
As we will set ip_summed to CHECKSUM_NONE when necessary in nfqnl_mangle, there is no need to zap CHECKSUM_COMPLETE in nfqnl_build_packet_message. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Herbert Xu authored
As we will set ip_summed to CHECKSUM_NONE when necessary in ipq_mangle_ipv6, there is no need to zap CHECKSUM_COMPLETE in ipq_build_packet_message. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Herbert Xu authored
While doing yet another audit on ip_summed I noticed ip_queue calling skb_checksum_help unnecessarily. As we will set ip_summed to CHECKSUM_NONE when necessary in ipq_mangle_ipv4, there is no need to zap CHECKSUM_COMPLETE in ipq_build_packet_message. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
When protocols use very long names, the sprintf calls might overflow the on-stack buffer. No protocol in the kernel does this however. Print the protocol name in the pr_debug statement directly to avoid this. Based on patch by Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
- 01 Apr, 2010 3 commits
-
-
Eric Dumazet authored
xt_hashlimit uses a central lock per hash table and suffers from contention on some workloads. (Multiqueue NIC or if RPS is enabled) After RCU conversion, central lock is only used when a writer wants to add or delete an entry. For 'readers', updating an existing entry, they use an individual lock per entry. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Eric Dumazet authored
If clusterip_seq_start() memory allocation fails, we crash later in clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM)) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Jiri Pirko authored
Message size should be dependent on the presence of an accounting extension, not on CONFIG_NF_CT_ACCT definition. Signed-off-by: Jiri Pirko <jpirko@redhat.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
- 25 Mar, 2010 21 commits
-
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Superseded by xt_string revision 1 (linux v2.6.26-rc8-1127-g4ad3f261, iptables 1.4.2-rc1). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Superseded by xt_multiport revision 1 (introduction already predates linux.git). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Superseded by xt_hashlimit revision 1 (linux v2.6.24-6212-g09e410de, iptables 1.4.1-rc1). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The return value of nf_ct_l3proto_get can directly be returned even in the case of success. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
When extended status codes are available, such as ENOMEM on failed allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing them up to userspace seems like a good idea compared to just always EINVAL. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Part of the transition of done by this semantic patch: // <smpl> @ rule1 @ struct xt_target ops; identifier check; @@ ops.checkentry = check; @@ identifier rule1.check; @@ check(...) { <... -return true; +return 0; ...> } @@ identifier rule1.check; @@ check(...) { <... -return false; +return -EINVAL; ...> } // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The following semantic patch does part of the transformation: // <smpl> @ rule1 @ struct xt_match ops; identifier check; @@ ops.checkentry = check; @@ identifier rule1.check; @@ check(...) { <... -return true; +return 0; ...> } @@ identifier rule1.check; @@ check(...) { <... -return false; +return -EINVAL; ...> } // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_tgchk_param *par) { ... } // </smpl> Minus the change it does to xt_ct_find_proto. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. This semantic patch may not be too precise (checking for functions that use xt_mtchk_param rather than functions referenced by xt_match.checkentry), but reviewed, it produced the intended result. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_mtchk_param *par) { ... } // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
As I'm changing the return values soon, I want to have a clear visual path. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Semantic patch: // <smpl> @@ @@ IP_VS_XMIT( -PF_INET6, +NFPROTO_IPV6, ...) @@ @@ IP_VS_XMIT( -PF_INET, +NFPROTO_IPV4, ...) // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The semantic patch used was: // <smpl> @@ @@ NF_HOOK( -PF_DECnet, +NFPROTO_DECNET, ...) // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The semantic patch that was used: // <smpl> @@ @@ (NF_HOOK |NF_HOOK_THRESH |nf_hook )( -PF_INET6, +NFPROTO_IPV6, ...) // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The semantic patch that was used: // <smpl> @@ @@ (NF_HOOK |NF_HOOK_COND |nf_hook )( -PF_INET, +NFPROTO_IPV4, ...) // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The first argument to NF_HOOK* is an nfproto since quite some time. Commit v2.6.27-2457-gfdc9314c was the first to practically start using the new names. Do that now for the remaining NF_HOOK calls. The semantic patch used was: // <smpl> @@ @@ (NF_HOOK |NF_HOOK_THRESH )( -PF_BRIDGE, +NFPROTO_BRIDGE, ...) @@ @@ NF_HOOK( -PF_INET6, +NFPROTO_IPV6, ...) @@ @@ NF_HOOK( -PF_INET, +NFPROTO_IPV4, ...) // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Supplement to 1159683e. Downgrade the log level to INFO for most checkentry messages as they are, IMO, just an extra information to the -EINVAL code that is returned as part of a parameter "constraint violation". Leave errors to real errors, such as being unable to create a LED trigger. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Supplement to aa5fa318. The semantic patch for this change is: // <smpl> @@ struct xt_target_param *par; @@ -par->target->family +par->family @@ struct xt_tgchk_param *par; @@ -par->target->family +par->family @@ struct xt_tgdtor_param *par; @@ -par->target->family +par->family // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
- 19 Mar, 2010 2 commits
-
-
Zhitong Wang authored
Remove unused headers in net/ipv4/netfilter/nf_nat_h323.c Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Zhitong Wang authored
Remove unused headers in net/ipv6/netfilter/ip6t_LOG.c Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
- 18 Mar, 2010 10 commits
-
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
ENOMEM is a very obvious error code (cf. EINVAL), so I think we do not really need a warning message. Not to mention that if the allocation fails, the user is most likely going to get a stack trace from slab already. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
This will save one full padding chunk (8 bytes on x86_64) per target. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
This member is taking up a "long" per match, yet is only used by one module out of the roughly 90 modules, ip6t_hbh. ip6t_hbh can be restructured a little to accomodate for the lack of the .data member. This variant uses checking the par->match address, which should avoid having to add two extra functions, including calls, i.e. (hbh_mt6: call hbhdst_mt6(skb, par, NEXTHDR_OPT), dst_mt6: call hbhdst_mt6(skb, par, NEXTHDR_DEST)) Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
The matches can have .family = NFPROTO_UNSPEC, and though that is not the case for the touched modules, it seems better to just use the nfproto from the caller. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Restore alphabetical ordering of the list and put the xt_osf option into its 'right' place again. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
I do not see a point of allowing the MAC module to work with devices that don't possibly have one, e.g. various tunnel interfaces such as tun and sit. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-