linux/net/ipv6/netfilter, branch v3.0.61

netfilter: fix looped (broad|multi)cast's MAC handling

2011-06-16T15:27:04Z

By default, when broadcast or multicast packet are sent from a local application, they are sent to the interface then looped by the kernel to other local applications, going throught netfilter hooks in the process. These looped packet have their MAC header removed from the skb by the kernel looping code. This confuse various netfilter's netlink queue, netlink log and the legacy ip_queue, because they try to extract a hardware address from these packets, but extracts a part of the IP header instead. This patch prevent NFQUEUE, NFLOG and ip_QUEUE to include a MAC header if there is none in the packet. Signed-off-by: Nicolas Cavallari Signed-off-by: Patrick McHardy

netfilter: use unsigned variables for packet lengths in ip[6]_queue.

2011-06-05T23:37:16Z

Netlink message lengths can't be negative, so use unsigned variables. Signed-off-by: Dave Jones Signed-off-by: Pablo Neira Ayuso

netfilter: nf_conntrack: fix ct refcount leak in l4proto->error()

2011-06-05T23:37:02Z

This patch fixes a refcount leak of ct objects that may occur if l4proto->error() assigns one conntrack object to one skbuff. In that case, we have to skip further processing in nf_conntrack_in(). With this patch, we can also fix wrong return values (-NF_ACCEPT) for special cases in ICMP[v6] that should not bump the invalid/error statistic counters. Reported-by: Zoltan Menyhart Signed-off-by: Pablo Neira Ayuso

netfilter: add more values to enum ip_conntrack_info

2011-06-05T23:35:10Z

Following error is raised (and other similar ones) : net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’: net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’ not in enumerated type ‘enum ip_conntrack_info’ gcc barfs on adding two enum values and getting a not enumerated result : case IP_CT_RELATED+IP_CT_IS_REPLY: Add missing enum values Signed-off-by: Eric Dumazet CC: David Miller Signed-off-by: Pablo Neira Ayuso

Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-3.6

2011-05-11T18:26:58Z

Conflicts: drivers/net/benet/be_main.c

netfilter: IPv6: initialize TOS field in REJECT target module

2011-05-10T07:55:44Z

The IPv6 header is not zeroed out in alloc_skb so we must initialize it properly unless we want to see IPv6 packets with random TOS fields floating around. The current implementation resets the flow label but this could be changed if deemed necessary. We stumbled upon this issue when trying to apply a mangle rule to the RST packet generated by the REJECT target module. Signed-off-by: Fernando Luis Vazquez Cao Signed-off-by: Pablo Neira Ayuso

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

2011-04-19T18:24:06Z

netfilter: ip6table_mangle: Fix set-but-unused variables.

2011-04-18T00:06:15Z

The variable 'flowlabel' is set but unused in ip6t_mangle_out(). The intention here was to compare this key to the header value after mangling, and trigger a route lookup on mismatch. Make it so. Signed-off-by: David S. Miller

netfilter: ip6_tables: Fix set-but-unused variables.

2011-04-18T00:04:48Z

The variable 'target' is set but unused in compat_copy_entry_from_user(). Just kill it off. Signed-off-by: David S. Miller

netfilter: get rid of atomic ops in fast path

2011-04-04T15:04:03Z

We currently use a percpu spinlock to 'protect' rule bytes/packets counters, after various attempts to use RCU instead. Lately we added a seqlock so that get_counters() can run without blocking BH or 'writers'. But we really only need the seqcount in it. Spinlock itself is only locked by the current/owner cpu, so we can remove it completely. This cleanups api, using correct 'writer' vs 'reader' semantic. At replace time, the get_counters() call makes sure all cpus are done using the old table. Signed-off-by: Eric Dumazet Cc: Jan Engelhardt Signed-off-by: Patrick McHardy