1. 25 Sep, 2016 1 commit
  2. 24 Sep, 2016 7 commits
  3. 23 Sep, 2016 8 commits
  4. 22 Sep, 2016 1 commit
  5. 13 Sep, 2016 1 commit
  6. 12 Sep, 2016 13 commits
  7. 09 Sep, 2016 2 commits
  8. 07 Sep, 2016 7 commits
    • netfilter: nf_ct_sip: allow tab character in SIP headers · 1bcabc81
      Marco Angaroni authored
      Current parsing methods for SIP headers do not allow the presence of
      tab characters between header name and header value. As a result Call-ID
      SIP headers like the following are discarded by IPVS SIP persistence
      engine:
      
      "Call-ID\t: mycallid@abcde"
      "Call-ID:\tmycallid@abcde"
      
      In the above examples Call-IDs are represented as strings in C language.
      Obviously in a real message we have byte "09" before/after the colon (":").
      
      Proposed fix is in nf_conntrack_sip module.
      Function sip_skip_whitespace() should skip tabs in addition to spaces,
      since in SIP grammar whitespace (WSP) corresponds to space or tab.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: Marco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_quota: introduce nft_overquota() · 22609b43
      Pablo Neira Ayuso authored
      This patch renames the existing function to nft_overquota() and makes
      it return a boolean that tells us if we have exceeded our byte quota.
      Just a cleanup.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_quota: fix overquota logic · db6d857b
      Pablo Neira Ayuso authored
      Use xor to decide to break further rule evaluation or not, since the
      existing logic doesn't achieve the expected inversion.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_numgen: rename until attribute by modulus · 0d9932b2
      Laura Garcia Liebana authored
      The _until_ attribute is renamed to _modulus_ as the behaviour is similar to
      other expressions with number limits (ex. nft_hash).
      
      Renaming is possible because there isn't a kernel release yet with these
      changes.
      Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ftp: Remove the useless code · ddb075b0
      Gao Feng authored
      There is some debug code which is commented out in find_pattern by #if 0.
      Now remove it.
      Signed-off-by: Gao Feng <fgao@ikuai8.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern · 723eb299
      Gao Feng authored
      The caller function "help" has already made sure the datalen could not be zero
      before invoking find_pattern as a parameter by the following code
      
              if (dataoff >= skb->len) {
                      pr_debug("ftp: dataoff(%u) >= skblen(%u)\n", dataoff,
                               skb->len);
                      return NF_ACCEPT;
              }
              datalen = skb->len - dataoff;
      
      And the later code "ends_in_nl = (fb_ptr[datalen - 1] == '\n');" uses datalen
      directly without checking if it is zero.
      
      So it is unnecessary to check it in find_pattern too.
      Signed-off-by: Gao Feng <fgao@ikuai8.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header · f0608cea
      Marco Angaroni authored
      Current parsing methods for SIP header Call-ID do not check correctly all
      characters allowed by RFC 3261. In particular "," character is allowed
      instead of "'" character. As a result Call-ID headers like the following
      are discarded by IPVS SIP persistence engine.
      
      Call-ID: -.!%*_+`'~()<>:\"/[]?{}
      
      The above example is composed using all non-alphanumeric characters listed
      in RFC 3261 for Call-ID header syntax.
      
      Proposed fix is in nf_conntrack_sip module; function iswordc() checks this
      range: (c >= '(' && c <= '/') which includes these characters: ()*+,-./
      They are all allowed except ",". Instead "'" is not included in the list.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: Marco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
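
The two nf_ct_sip commit messages above (tab handling in HCOLON and the Call-ID word character set) can be illustrated with a small userspace parser built from the quoted ABNF. This is an added example, not the kernel's nf_conntrack_sip code; all function names here are hypothetical, and only the range in `in_quoted_range()` is taken from the commit message.

```c
#include <ctype.h>
#include <string.h>

/* Range quoted in the commit message: matches ( ) * + , - . / */
int in_quoted_range(unsigned char c) { return c >= '(' && c <= '/'; }

/* "word" characters, taken from the RFC 3261 ABNF extract above. */
int is_word_char(unsigned char c)
{
    return isalnum(c) || (c && strchr("-.!%*_+`'~()<>:\\\"/[]?{}", c));
}

/* WSP = SP / HTAB */
const char *skip_wsp(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

const char *skip_word(const char *p)
{
    while (is_word_char((unsigned char)*p))
        p++;
    return p;
}

/* Match ("Call-ID" / "i") HCOLON callid on a NUL-terminated header line;
 * returns the callid length (0 if no match) and stores its start in *val.
 * Simplified: case-sensitive name, no line folding (CRLF inside LWS). */
size_t parse_call_id(const char *line, const char **val)
{
    const char *p = line, *start, *q;
    if (strncmp(p, "Call-ID", 7) == 0)
        p += 7;
    else if (*p == 'i')
        p += 1;
    else
        return 0;
    p = skip_wsp(p);                /* *( SP / HTAB ) before ":" */
    if (*p != ':')
        return 0;
    start = p = skip_wsp(p + 1);    /* whitespace after ":" */
    p = skip_word(p);
    if (p > start && *p == '@' && (q = skip_word(p + 1)) > p + 1)
        p = q;                      /* optional "@" word */
    if (val)
        *val = start;
    return (size_t)(p - start);
}
```

Passing a non-NULL `val` returns a pointer to the first byte of the Call-ID inside the original line; no copy is made.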