linux/net/bridge/netfilter, branch v3.0.82 Linux kernel source tree https://git.amat.us/linux/atom/net/bridge/netfilter?h=v3.0.82 2011-05-26T17:09:07Z netfilter: Fix several warnings in compat_mtw_from_user(). 2011-05-26T17:09:07Z David Miller davem@davemloft.net 2011-05-19T22:14:39Z urn:sha1:97242c85a2c8160eac5a6e945209b5b6ae8ab5a3 Kill set but not used 'entry_offset'. Add a default case to the switch statement so the compiler can see that we always initialize off and size_kern before using them. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: ebtables: only call xt_compat_add_offset once per rule 2011-05-10T07:52:17Z Florian Westphal fw@strlen.de 2011-04-21T08:58:25Z urn:sha1:103a9778e07bcc0cd34b5c35a87281454eec719e The optimizations in commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations) assume that xt_compat_add_offset is called once per rule. ebtables however called it for each match/target found in a rule. The match/watcher/target parser already returns the needed delta, so it is sufficient to move the xt_compat_add_offset call to a more reasonable location. While at it, also get rid of the unused COMPAT iterator macros. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: fix ebtables compat support 2011-05-10T07:48:59Z Eric Dumazet eric.dumazet@gmail.com 2011-04-21T08:57:21Z urn:sha1:5a6351eecf8c87afed9c883bb6341d09406d74ba commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations) made ebtables not working anymore. 1) xt_compat_calc_jump() is not an exact match lookup 2) compat_table_info() has a typo in xt_compat_init_offsets() call 3) compat_do_replace() misses a xt_compat_init_offsets() call Reported-by: dann frazier <dannf@dannf.org> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> bridge: netfilter: fix information leak 2011-02-14T15:49:23Z Vasiliy Kulikov segoon@openwall.com 2011-02-14T15:49:23Z urn:sha1:d846f71195d57b0bbb143382647c2c6638b04c5a Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: ebt_ip6: allow matching on ipv6-icmp types/codes 2011-01-13T11:05:12Z Florian Westphal fw@strlen.de 2010-12-20T14:57:47Z urn:sha1:6faee60a4e82075853a437831768cc9e2e563e4e To avoid adding a new match revision icmp type/code are stored in the sport/dport area. Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Holger Eitzenberger <holger@eitzenberger.org> Reviewed-by: Bart De Schuymer<bdschuym@pandora.be> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: x_table: speedup compat operations 2011-01-13T11:05:12Z Eric Dumazet eric.dumazet@gmail.com 2010-12-18T17:35:15Z urn:sha1:255d0dc34068a976550ce555e153c0bfcfec7cc6 One iptables invocation with 135000 rules takes 35 seconds of cpu time on a recent server, using a 32bit distro and a 64bit kernel. We eventually trigger NMI/RCU watchdog. INFO: rcu_sched_state detected stall on CPU 3 (t=6000 jiffies) COMPAT mode has quadratic behavior and consume 16 bytes of memory per rule. Switch the xt_compat algos to use an array instead of list, and use a binary search to locate an offset in the sorted array. This halves memory need (8 bytes per rule), and removes quadratic behavior [ O(N*N) -> O(N*log2(N)) ] Time of iptables goes from 35 s to 150 ms. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> net/bridge: fix trivial sparse errors 2011-01-03T21:29:18Z Tomas Winkler tomas.winkler@intel.com 2011-01-03T11:08:58Z urn:sha1:1a9180a20f3a314fda3e96b77570cad3864b2896 net/bridge//br_stp_if.c:148:66: warning: conversion of net/bridge//br_stp_if.c:148:66: int to net/bridge//br_stp_if.c:148:66: int enum umh_wait net/bridge//netfilter/ebtables.c:1150:30: warning: Using plain integer as NULL pointer Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> bridge: fix RCU races with bridge port 2010-11-15T19:13:17Z stephen hemminger shemminger@vyatta.com 2010-11-15T06:38:13Z urn:sha1:b5ed54e94d324f17c97852296d61a143f01b227a The macro br_port_exists() is not enough protection when only RCU is being used. There is a tiny race where other CPU has cleared port handler hook, but is bridge port flag might still be set. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> bridge: add proper RCU annotation to should_route_hook 2010-11-15T19:13:16Z Eric Dumazet eric.dumazet@gmail.com 2010-11-15T06:38:11Z urn:sha1:a386f99025f13b32502fe5dedf223c20d7283826 Add br_should_route_hook_t typedef, this is the only way we can get a clean RCU implementation for function pointer. Move route_hook to location where it is used. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> vlan: Rename VLAN_GROUP_ARRAY_LEN to VLAN_N_VID. 2010-10-21T08:26:50Z Jesse Gross jesse@nicira.com 2010-10-20T13:56:02Z urn:sha1:b738127dfb469bb9f595cdace30e7f881e8146b2 VLAN_GROUP_ARRAY_LEN is simply the number of possible vlan VIDs. Since vlan groups will soon be more of an implementation detail for vlan devices, rename the constant to be descriptive of its actual purpose. Signed-off-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>