1. 18 Jan, 2019 1 commit
  2. 16 Jul, 2018 1 commit
  3. 04 Jun, 2018 1 commit
  4. 20 Jun, 2017 1 commit
  5. 16 Jun, 2017 3 commits
    • Johannes Berg's avatar
      networking: make skb_push & __skb_push return void pointers · d58ff351
      Johannes Berg authored
      
      
      It seems like a historic accident that these return unsigned char *,
      and in many places that means casts are required, more often than not.
      
      Make these functions return void * and remove all the casts across
      the tree, adding a (u8 *) cast only where the unsigned char pointer
      was used directly, all done with the following spatch:
      
          @@
          expression SKB, LEN;
          typedef u8;
          identifier fn = { skb_push, __skb_push, skb_push_rcsum };
          @@
          - *(fn(SKB, LEN))
          + *(u8 *)fn(SKB, LEN)
      
          @@
          expression E, SKB, LEN;
          identifier fn = { skb_push, __skb_push, skb_push_rcsum };
          type T;
          @@
          - E = ((T *)(fn(SKB, LEN)))
          + E = fn(SKB, LEN)
      
          @@
          expression SKB, LEN;
          identifier fn = { skb_push, __skb_push, skb_push_rcsum };
          @@
          - fn(SKB, LEN)[0]
          + *(u8 *)fn(SKB, LEN)
      
      Note that the last part there converts from push(...)[0] to the
      more idiomatic *(u8 *)push(...).
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d58ff351
    • Johannes Berg's avatar
      networking: introduce and use skb_put_data() · 59ae1d12
      Johannes Berg authored
      
      
      A common pattern with skb_put() is to just want to memcpy()
      some data into the new space, introduce skb_put_data() for
      this.
      
      An spatch similar to the one for skb_put_zero() converts many
      of the places using it:
      
          @@
          identifier p, p2;
          expression len, skb, data;
          type t, t2;
          @@
          (
          -p = skb_put(skb, len);
          +p = skb_put_data(skb, data, len);
          |
          -p = (t)skb_put(skb, len);
          +p = skb_put_data(skb, data, len);
          )
          (
          p2 = (t2)p;
          -memcpy(p2, data, len);
          |
          -memcpy(p, data, len);
          )
      
          @@
          type t, t2;
          identifier p, p2;
          expression skb, data;
          @@
          t *p;
          ...
          (
          -p = skb_put(skb, sizeof(t));
          +p = skb_put_data(skb, data, sizeof(t));
          |
          -p = (t *)skb_put(skb, sizeof(t));
          +p = skb_put_data(skb, data, sizeof(t));
          )
          (
          p2 = (t2)p;
          -memcpy(p2, data, sizeof(*p));
          |
          -memcpy(p, data, sizeof(*p));
          )
      
          @@
          expression skb, len, data;
          @@
          -memcpy(skb_put(skb, len), data, len);
          +skb_put_data(skb, data, len);
      
      (again, manually post-processed to retain some comments)
      Reviewed-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59ae1d12
    • Johannes Berg's avatar
      networking: convert many more places to skb_put_zero() · b080db58
      Johannes Berg authored
      
      
      There were many places that my previous spatch didn't find,
      as pointed out by yuan linyu in various patches.
      
      The following spatch found many more and also removes the
      now unnecessary casts:
      
          @@
          identifier p, p2;
          expression len;
          expression skb;
          type t, t2;
          @@
          (
          -p = skb_put(skb, len);
          +p = skb_put_zero(skb, len);
          |
          -p = (t)skb_put(skb, len);
          +p = skb_put_zero(skb, len);
          )
          ... when != p
          (
          p2 = (t2)p;
          -memset(p2, 0, len);
          |
          -memset(p, 0, len);
          )
      
          @@
          type t, t2;
          identifier p, p2;
          expression skb;
          @@
          t *p;
          ...
          (
          -p = skb_put(skb, sizeof(t));
          +p = skb_put_zero(skb, sizeof(t));
          |
          -p = (t *)skb_put(skb, sizeof(t));
          +p = skb_put_zero(skb, sizeof(t));
          )
          ... when != p
          (
          p2 = (t2)p;
          -memset(p2, 0, sizeof(*p));
          |
          -memset(p, 0, sizeof(*p));
          )
      
          @@
          expression skb, len;
          @@
          -memset(skb_put(skb, len), 0, len);
          +skb_put_zero(skb, len);
      
      Apply it to the tree (with one manual fixup to keep the
      comment in vxlan.c, which spatch removed.)
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b080db58
  6. 19 May, 2017 1 commit
  7. 06 Mar, 2017 1 commit
    • Liping Zhang's avatar
      netfilter: nf_tables: validate the expr explicitly after init successfully · c56e3956
      Liping Zhang authored
      
      
      When we want to validate the expr's dependency or hooks, we must do two
      things to accomplish it. First, write a X_validate callback function
      and point ->validate to it. Second, call X_validate in init routine.
      This is very common, such as fib, nat, reject expr and so on ...
      
      It is a little ugly, since we will call X_validate in the expr's init
      routine, it's better to do it in nf_tables_newexpr. So we can avoid to
      do this again and again. After doing this, the second step listed above
      is not useful anymore, remove them now.
      
      Patch was tested by nftables/tests/py/nft-test.py and
      nftables/tests/shell/run-tests.sh.
      Signed-off-by: default avatarLiping Zhang <zlpnobody@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c56e3956
  8. 03 Nov, 2016 1 commit
  9. 12 Sep, 2016 1 commit
  10. 17 Jul, 2016 1 commit
  11. 28 Mar, 2016 1 commit
  12. 17 Feb, 2016 1 commit
  13. 18 Sep, 2015 2 commits
  14. 13 Apr, 2015 1 commit
  15. 08 Apr, 2015 1 commit
  16. 10 Mar, 2015 1 commit
    • Florian Westphal's avatar
      netfilter: fix sparse warnings in reject handling · a03a8dbe
      Florian Westphal authored
      
      
      make C=1 CF=-D__CHECK_ENDIAN__ shows following:
      
      net/bridge/netfilter/nft_reject_bridge.c:65:50: warning: incorrect type in argument 3 (different base types)
      net/bridge/netfilter/nft_reject_bridge.c:65:50:    expected restricted __be16 [usertype] protocol [..]
      net/bridge/netfilter/nft_reject_bridge.c:102:37: warning: cast from restricted __be16
      net/bridge/netfilter/nft_reject_bridge.c:102:37: warning: incorrect type in argument 1 (different base types) [..]
      net/bridge/netfilter/nft_reject_bridge.c:121:50: warning: incorrect type in argument 3 (different base types) [..]
      net/bridge/netfilter/nft_reject_bridge.c:168:52: warning: incorrect type in argument 3 (different base types) [..]
      net/bridge/netfilter/nft_reject_bridge.c:233:52: warning: incorrect type in argument 3 (different base types) [..]
      
      Caused by two (harmless) errors:
      1. htons() instead of ntohs()
      2. __be16 for protocol in nf_reject_ipXhdr_put API, use u8 instead.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      a03a8dbe
  17. 03 Mar, 2015 1 commit
    • Florian Westphal's avatar
      netfilter: bridge: rework reject handling · 72500bc1
      Florian Westphal authored
      
      
      bridge reject handling is not straightforward, there are many subtle
      differences depending on configuration.
      
      skb->dev is either the bridge port (PRE_ROUTING) or the bridge
      itself (INPUT), so we need to use indev instead.
      
      Also, checksum validation will only work reliably if we trim skb
      according to the l3 header size.
      
      While at it, add csum validation for ipv6 and skip existing tests
      if skb was already checked e.g. by GRO.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      72500bc1
  18. 19 Jan, 2015 1 commit
  19. 27 Nov, 2014 1 commit
  20. 03 Nov, 2014 1 commit
  21. 31 Oct, 2014 2 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nft_reject_bridge: restrict reject to prerouting and input · 127917c2
      Pablo Neira Ayuso authored
      
      
      Restrict the reject expression to the prerouting and input bridge
      hooks. If we allow this to be used from forward or any other later
      bridge hook, if the frame is flooded to several ports, we'll end up
      sending several reject packets, one per cloned packet.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      127917c2
    • Pablo Neira Ayuso's avatar
      netfilter: nft_reject_bridge: don't use IP stack to reject traffic · 523b929d
      Pablo Neira Ayuso authored
      
      
      If the packet is received via the bridge stack, this cannot reject
      packets from the IP stack.
      
      This adds functions to build the reject packet and send it from the
      bridge stack. Comments and assumptions on this patch:
      
      1) Validate the IPv4 and IPv6 headers before further processing,
         given that the packet comes from the bridge stack, we cannot assume
         they are clean. Truncated packets are dropped, we follow similar
         approach in the existing iptables match/target extensions that need
         to inspect layer 4 headers that is not available. This also includes
         packets that are directed to multicast and broadcast ethernet
         addresses.
      
      2) br_deliver() is exported to inject the reject packet via
         bridge localout -> postrouting. So the approach is similar to what
         we already do in the iptables reject target. The reject packet is
         sent to the bridge port from which we have received the original
         packet.
      
      3) The reject packet is forged based on the original packet. The TTL
         is set based on sysctl_ip_default_ttl for IPv4 and per-net
         ipv6.devconf_all hoplimit for IPv6.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      523b929d
  22. 02 Oct, 2014 1 commit
    • Pablo Neira Ayuso's avatar
      netfilter: nft_reject: introduce icmp code abstraction for inet and bridge · 51b0a5d8
      Pablo Neira Ayuso authored
      
      
      This patch introduces the NFT_REJECT_ICMPX_UNREACH type which provides
      an abstraction to the ICMP and ICMPv6 codes that you can use from the
      inet and bridge tables, they are:
      
      * NFT_REJECT_ICMPX_NO_ROUTE: no route to host - network unreachable
      * NFT_REJECT_ICMPX_PORT_UNREACH: port unreachable
      * NFT_REJECT_ICMPX_HOST_UNREACH: host unreachable
      * NFT_REJECT_ICMPX_ADMIN_PROHIBITED: administratevely prohibited
      
      You can still use the specific codes when restricting the rule to match
      the corresponding layer 3 protocol.
      
      I decided to not overload the existing NFT_REJECT_ICMP_UNREACH to have
      different semantics depending on the table family and to allow the user
      to specify ICMP family specific codes if they restrict it to the
      corresponding family.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      51b0a5d8
  23. 22 Jul, 2014 1 commit