linux/net/netfilter, branch v2.6.17

[NETFILTER]: nfnetlink_log: fix byteorder confusion

2006-05-19T09:17:18Z

flags is a u16, so use htons instead of htonl. Also avoid double conversion. Noticed by Alexey Dobriyan Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: x_tables: don't use __copy_{from,to}_user on unchecked memory in compat layer

2006-05-04T06:20:27Z

Noticed by Linus Torvalds Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER] SCTP conntrack: fix infinite loop

2006-05-03T00:26:39Z

fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar CVE-2006-1527 Signed-off-by: Patrick McHardy Signed-off-by: Linus Torvalds

[NETFILTER]: x_tables: move table->lock initialization

2006-04-25T00:27:33Z

xt_table->lock should be initialized before xt_replace_table() call, which uses it. This patch removes strict requirement that table should define lock before registering. Signed-off-by: Dmitry Mishin Signed-off-by: Kirill Korotaev Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_conntrack: kill unused callback init_conntrack

2006-04-25T00:27:31Z

Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_conntrack: Fix module refcount dropping too far

2006-04-25T00:27:28Z

If nf_ct_l3proto_find_get() fails to get the refcount of nf_ct_l3proto_generic, nf_ct_l3proto_put() will drop the refcount too far. This gets rid of '.me = THIS_MODULE' of nf_ct_l3proto_generic so that nf_ct_l3proto_find_get() doesn't try to get refcount of it. It's OK because its symbol is usable until nf_conntrack.ko is unloaded. This also kills unnecessary NULL pointer check as well. __nf_ct_proto_find() allways returns non-NULL pointer. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[PATCH] for_each_possible_cpu: network codes

2006-04-11T13:18:31Z

for_each_cpu() actually iterates across all possible CPUs. We've had mistakes in the past where people were using for_each_cpu() where they should have been iterating across only online or present CPUs. This is inefficient and possibly buggy. We're renaming for_each_cpu() to for_each_possible_cpu() to avoid this in the future. This patch replaces for_each_cpu with for_each_possible_cpu under /net Signed-off-by: KAMEZAWA Hiroyuki Acked-by: "David S. Miller" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

[NETFILTER]: Convert conntrack/ipt_REJECT to new checksumming functions

2006-04-10T05:25:42Z

Besides removing lots of duplicate code, all converted users benefit from improved HW checksum error handling. Tested with and without HW checksums in almost all combinations. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Introduce infrastructure for address family specific operations

2006-04-10T05:25:40Z

Change the queue rerouter intrastructure to a generic usable infrastructure for address family specific operations as a base for some cleanups. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: Fix section mismatch warnings

2006-04-10T05:25:34Z

Fix section mismatch warnings caused by netfilter's init_or_cleanup functions used in many places by splitting the init from the cleanup parts. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller