linux/net/decnet/netfilter, branch v4.9

netfilter: Pass priv instead of nf_hook_ops to netfilter hooks

2015-09-18T20:00:16Z

Only pass the void *priv parameter out of the nf_hook_ops. That is all any of the functions are interested now, and by limiting what is passed it becomes simpler to change implementation details. Signed-off-by: "Eric W. Biederman" Signed-off-by: Pablo Neira Ayuso

netfilter: Make nf_hookfn use nf_hook_state.

2015-04-04T16:31:38Z

Pass the nf_hook_state all the way down into the hook functions themselves. Signed-off-by: David S. Miller

net: Use netlink_ns_capable to verify the permisions of netlink messages

2014-04-24T17:44:54Z

It is possible by passing a netlink socket to a more privileged executable and then to fool that executable into writing to the socket data that happens to be valid netlink message to do something that privileged executable did not intend to do. To keep this from happening replace bare capable and ns_capable calls with netlink_capable, netlink_net_calls and netlink_ns_capable calls. Which act the same as the previous calls except they verify that the opener of the socket had the desired permissions as well. Reported-by: Andy Lutomirski Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller

netfilter: pass hook ops to hookfn

2013-10-14T09:29:31Z

Pass the hook ops to the hookfn to allow for generic hook functions. This change is required by nf_tables. Signed-off-by: Patrick McHardy Signed-off-by: Pablo Neira Ayuso

net-next: replace obsolete NLMSG_* with type safe nlmsg_*

2013-03-28T18:25:25Z

Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller

net/decnet/netfilter: remove depends on CONFIG_EXPERIMENTAL

2013-01-11T19:39:34Z

The CONFIG_EXPERIMENTAL config item has not carried much meaning for a while now and is almost always enabled by default. As agreed during the Linux kernel summit, remove it from any "depends on" lines in Kconfigs. CC: Pablo Neira Ayuso CC: Patrick McHardy CC: "David S. Miller" Signed-off-by: Kees Cook Acked-by: David S. Miller

netlink: hide struct module parameter in netlink_kernel_create

2012-09-08T22:46:30Z

This patch defines netlink_kernel_create as a wrapper function of __netlink_kernel_create to hide the struct module *me parameter (which seems to be THIS_MODULE in all existing netlink subsystems). Suggested by David S. Miller. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

netlink: add netlink_kernel_cfg parameter to netlink_kernel_create

2012-06-29T23:46:02Z

This patch adds the following structure: struct netlink_kernel_cfg { unsigned int groups; void (*input)(struct sk_buff *skb); struct mutex *cb_mutex; }; That can be passed to netlink_kernel_create to set optional configurations for netlink kernel sockets. I've populated this structure by looking for NULL and zero parameters at the existing code. The remaining parameters that always need to be set are still left in the original interface. That includes optional parameters for the netlink socket creation. This allows easy extensibility of this interface in the future. This patch also adapts all callers to use this new interface. Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

decnet: dn_rtmsg: Move away from NLMSG_PUT().

2012-06-27T04:25:55Z

And use nlmsg_data() while we're here too. Also, remove pointless kernel log message. Signed-off-by: David S. Miller

netfilter: decnet: switch hook PFs to nfproto

2012-06-07T12:58:42Z

This patch is a cleanup. Use NFPROTO_* for consistency with other netfilter code. Signed-off-by: Alban Crequy Reviewed-by: Javier Martinez Canillas Reviewed-by: Vincent Sanders Signed-off-by: Pablo Neira Ayuso