Linux kernel source tree https://git.amat.us/linux/atom/net/ipv6/netfilter?h=v3.15 2014-04-28T18:47:03Z 2014-04-28T18:47:03Z Julian Anastasov ja@ssi.bg 2014-04-28T07:51:56Z urn:sha1:e374c618b1465f0292047a9f4c244bd71ab5f1f0 To properly match iif in ip rules we have to provide LOOPBACK_IFINDEX in flowi6_iif, not 0. Some ip6mr_fib_lookup and fib6_rule_lookup callers need such fix. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net> 2014-04-05T15:46:22Z Thomas Graf tgraf@suug.ch 2014-04-04T15:57:45Z urn:sha1:c58dd2dd443c26d856a168db108a0cd11c285bf3 All xtables variants suffer from the defect that the copy_to_user() to copy the counters to user memory may fail after the table has already been exchanged and thus exposed. Return an error at this point will result in freeing the already exposed table. Any subsequent packet processing will result in a kernel panic. We can't copy the counters before exposing the new tables as we want provide the counter state after the old table has been unhooked. Therefore convert this into a silent error. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-02-06T08:44:18Z Patrick McHardy kaber@trash.net 2014-02-05T15:03:39Z urn:sha1:05513e9e33dbded8124567466a444d32173eecc6 Add a reject module for NFPROTO_INET. It does nothing but dispatch to the AF-specific modules based on the hook family. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-02-06T08:44:10Z Patrick McHardy kaber@trash.net 2014-02-05T15:03:38Z urn:sha1:cc4723ca316742891954efa346298e7c747c0d17 Currently the nft_reject module depends on symbols from ipv6. This is wrong since no generic module should force IPv6 support to be loaded. Split up the module into AF-specific and a generic part. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-01-09T22:25:48Z Pablo Neira Ayuso pablo@netfilter.org 2014-01-09T19:32:19Z urn:sha1:cf4dfa85395ebe2769267a072b39e48301669842 We have to unregister chain type if this fails to register netns. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-01-09T19:17:16Z Patrick McHardy kaber@trash.net 2014-01-09T18:42:43Z urn:sha1:3876d22dba62ebf6582f33e1ef2160eeb95e1129 We don't encode argument types into function names and since besides nft_do_chain() there are only AF-specific versions, there is no risk of confusion. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-01-09T19:17:15Z Patrick McHardy kaber@trash.net 2014-01-09T18:42:38Z urn:sha1:fa2c1de0bbd98985f7f930205de97ae0d3e86c16 Minor nf_chain_type cleanups: - reorder struct to plug a hoe - rename struct module member to "owner" for consistency - rename nf_hookfn array to "hooks" for consistency - reorder initializers for better readability Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-01-09T19:17:15Z Patrick McHardy kaber@trash.net 2014-01-09T18:42:37Z urn:sha1:2a37d755b885995443f11cdcaf1f9d4b5f246eab Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-01-09T19:17:14Z Patrick McHardy kaber@trash.net 2014-01-09T18:42:35Z urn:sha1:88ce65a71c39901494eb2f1393856bff8ba0158d In some cases we neither take a reference to the AF info nor to the chain type, allowing the module to be unloaded while in use. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2014-01-07T22:57:25Z Patrick McHardy kaber@trash.net 2014-01-03T12:16:16Z urn:sha1:1d49144c0aaa61be4e3ccbef9cc5c40b0ec5f2fe This patch adds a new table family and a new filter chain that you can use to attach IPv4 and IPv6 rules. This should help to simplify rule-set maintainance in dual-stack setups. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>