linux/net/netfilter/xt_physdev.c, branch v5.11 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.11 2019-09-13T10:32:48Z netfilter: inline xt_hashlimit, ebt_802_3 and xt_physdev headers 2019-09-13T10:32:48Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:04Z urn:sha1:85cfbc25e5c5ee83307aba05eec4b04517890038 Three netfilter headers are only included once. Inline their contents at those sites and remove them. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: xt_physdev: Fix spurious error message in physdev_mt_check 2019-08-27T10:58:28Z Todd Seidelmann tseidelmann@linode.com 2019-08-21T15:47:53Z urn:sha1:3cf2f450fff304be9cf4868bf0df17f253bc5b1c Simplify the check in physdev_mt_check() to emit an error message only when passed an invalid chain (ie, NF_INET_LOCAL_OUT). This avoids cluttering up the log with errors against valid rules. For large/heavily modified rulesets, current behavior can quickly overwhelm the ring buffer, because this function gets called on every change, regardless of the rule that was changed. Signed-off-by: Todd Seidelmann <tseidelmann@linode.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19T15:09:55Z Thomas Gleixner tglx@linutronix.de 2019-06-04T08:11:33Z urn:sha1:d2912cb15bdda8ba4a5dd73396ad62641af2f520 Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> netfilter: physdev: relax br_netfilter dependency 2019-01-18T14:02:33Z Florian Westphal fw@strlen.de 2019-01-11T13:46:15Z urn:sha1:8e2f311a68494a6677c1724bdcb10bada21af37c Following command: iptables -D FORWARD -m physdev ... causes connectivity loss in some setups. Reason is that iptables userspace will probe kernel for the module revision of the physdev patch, and physdev has an artificial dependency on br_netfilter (xt_physdev use makes no sense unless a br_netfilter module is loaded). This causes the "phydev" module to be loaded, which in turn enables the "call-iptables" infrastructure. bridged packets might then get dropped by the iptables ruleset. The better fix would be to change the "call-iptables" defaults to 0 and enforce explicit setting to 1, but that breaks backwards compatibility. This does the next best thing: add a request_module call to checkentry. This was a stray '-D ... -m physdev' won't activate br_netfilter anymore. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: avoid using skb->nf_bridge directly 2018-12-19T19:21:37Z Florian Westphal fw@strlen.de 2018-12-18T16:15:15Z urn:sha1:c4b0e771f906f5beb7d90c3d28fe55ff9dbd038c This pointer is going to be removed soon, so use the existing helpers in more places to avoid noise when the removal happens. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14T20:05:38Z Florian Westphal fw@strlen.de 2018-02-09T14:52:07Z urn:sha1:b26066447bb8599b393b2dd2bbeb68767e09ba07 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: physdev: add missed blank 2016-08-11T22:42:14Z Hangbin Liu liuhangbin@gmail.com 2016-07-25T07:24:43Z urn:sha1:ceee4091d622790a7a06e5b202670ef9fdfe8c79 Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: physdev: physdev-is-out should not work with OUTPUT chain 2016-07-11T10:16:01Z Hangbin Liu liuhangbin@gmail.com 2016-07-05T12:55:36Z urn:sha1:47c74456257d2e50ace8c473d358cf4b9c0a912f physdev_mt() will check skb->nf_bridge first, which was alloced in br_nf_pre_routing. So if we want to use --physdev-out and physdev-is-out, we need to match it in FORWARD or POSTROUTING chain. physdev_mt_check() only checked physdev-out and missed physdev-is-out. Fix it and update the debug message to make it clearer. Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Reviewed-by: Marcelo R Leitner <marcelo.leitner@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: physdev: use helpers 2015-04-08T14:49:09Z Florian Westphal fw@strlen.de 2015-04-02T12:31:42Z urn:sha1:a99074ae1f5cce08c769542440391981899ac04c Avoid skb->nf_bridge accesses where possible. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: bridge: remove BRNF_STATE_BRIDGED flag 2015-03-16T13:35:02Z Florian Westphal fw@strlen.de 2015-03-10T09:36:48Z urn:sha1:e4bb9bcbfb7d67431dfd49860f62770a7f40193b Its not needed anymore since 2bf540b73ed5b ([NETFILTER]: bridge-netfilter: remove deferred hooks). Before this it was possible to have physoutdev set for locally generated packets -- this isn't the case anymore: BRNF_STATE_BRIDGED flag is set when we assign nf_bridge->physoutdev, so physoutdev != NULL means BRNF_STATE_BRIDGED is set. If physoutdev is NULL, then we are looking at locally-delivered and routed packet. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>