linux/net/bridge/netfilter, branch v3.1

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6

2011-08-30T21:43:56Z

net/bridge/netfilter/ebtables.c: use available error handling code

2011-08-11T12:52:57Z

Free the locally allocated table and newinfo as done in adjacent error handling code. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller

netfilter: ebtables: fix ebtables build dependency

2011-07-29T14:40:30Z

The configuration of ebtables shouldn't depend on CONFIG_BRIDGE_NETFILTER, only on CONFIG_NETFILTER. Reported-by: S�bastien Laveze Signed-off-by: Bart De Schuymer Signed-off-by: Patrick McHardy

net, netfilter: Remove redundant goto in ebt_ulog_packet

2011-07-21T12:02:17Z

In net/bridge/netfilter/ebt_ulog.c:ebt_ulog_packet() the 'goto unlock' before the 'alloc_failure' label is completely redundant. This patch removes it. Signed-off-by: Jesper Juhl Signed-off-by: Jiri Kosina

netfilter: Fix several warnings in compat_mtw_from_user().

2011-05-26T17:09:07Z

Kill set but not used 'entry_offset'. Add a default case to the switch statement so the compiler can see that we always initialize off and size_kern before using them. Signed-off-by: David S. Miller Signed-off-by: Pablo Neira Ayuso

netfilter: ebtables: only call xt_compat_add_offset once per rule

2011-05-10T07:52:17Z

The optimizations in commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations) assume that xt_compat_add_offset is called once per rule. ebtables however called it for each match/target found in a rule. The match/watcher/target parser already returns the needed delta, so it is sufficient to move the xt_compat_add_offset call to a more reasonable location. While at it, also get rid of the unused COMPAT iterator macros. Signed-off-by: Florian Westphal Signed-off-by: Patrick McHardy

netfilter: fix ebtables compat support

2011-05-10T07:48:59Z

commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations) made ebtables not working anymore. 1) xt_compat_calc_jump() is not an exact match lookup 2) compat_table_info() has a typo in xt_compat_init_offsets() call 3) compat_do_replace() misses a xt_compat_init_offsets() call Reported-by: dann frazier Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy

bridge: netfilter: fix information leak

2011-02-14T15:49:23Z

Struct tmp is copied from userspace. It is not checked whether the "name" field is NULL terminated. This may lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. Signed-off-by: Vasiliy Kulikov Signed-off-by: Patrick McHardy

netfilter: ebt_ip6: allow matching on ipv6-icmp types/codes

2011-01-13T11:05:12Z

To avoid adding a new match revision icmp type/code are stored in the sport/dport area. Signed-off-by: Florian Westphal Reviewed-by: Holger Eitzenberger Reviewed-by: Bart De Schuymer Signed-off-by: Pablo Neira Ayuso

netfilter: x_table: speedup compat operations

2011-01-13T11:05:12Z

One iptables invocation with 135000 rules takes 35 seconds of cpu time on a recent server, using a 32bit distro and a 64bit kernel. We eventually trigger NMI/RCU watchdog. INFO: rcu_sched_state detected stall on CPU 3 (t=6000 jiffies) COMPAT mode has quadratic behavior and consume 16 bytes of memory per rule. Switch the xt_compat algos to use an array instead of list, and use a binary search to locate an offset in the sorted array. This halves memory need (8 bytes per rule), and removes quadratic behavior [ O(N*N) -> O(N*log2(N)) ] Time of iptables goes from 35 s to 150 ms. Signed-off-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso