linux/net/netfilter, branch v2.6.16

[NETFILTER]: nfnetlink_queue: fix possible NULL-ptr dereference

2006-03-13T04:39:35Z

Fix NULL-ptr dereference when a config message for a non-existant queue containing only an NFQA_CFG_PARAMS attribute is received. Coverity #433 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_queue: fix end-of-list check

2006-02-27T21:03:55Z

The comparison wants to find out if the last list iteration reached the end of the list. It needs to compare the iterator with the list head to do this, not the element it is looking for. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_queue: remove unnecessary check for outfn

2006-02-27T21:03:39Z

The only point of registering a queue handler is to provide an outfn, so there is no need to check for it. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_queue: fix rerouting after packet mangling

2006-02-27T21:03:24Z

Packets should be rerouted when they come back from userspace, not before. Also move the queue_rerouters to RCU to avoid taking the queue_handler_lock for each reinjected packet. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_queue: check if rerouter is present before using it

2006-02-27T21:03:10Z

Every rerouter needs to provide a save and a reroute function, we don't need to check for them. But we do need to check if a rerouter is registered at all for the current family, with bridging for example packets of unregistered families can hit nf_queue. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_queue: don't copy registered rerouter data

2006-02-27T21:02:52Z

Use the registered data structure instead of copying it. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_conntrack: Fix TCP/UDP HW checksum handling for IPv6 packet

2006-02-15T23:25:18Z

If skb->ip_summed is CHECKSUM_HW here, skb->csum includes checksum of actual IPv6 header and extension headers. Then such excess checksum must be subtruct when nf_conntrack calculates TCP/UDP checksum with pseudo IPv6 header. Spotted by Ben Skeggs. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_conntrack: move registration of __nf_ct_attach

2006-02-15T23:22:21Z

Move registration of __nf_ct_attach to nf_conntrack_core to make it usable for IPv6 connection tracking as well. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: x_tables: fix dependencies of conntrack related modules

2006-02-15T23:21:31Z

NF_CONNTRACK_MARK is bool and depends on NF_CONNTRACK which is tristate. If a variable depends on NF_CONNTRACK_MARK and doesn't take care about NF_CONNTRACK, it can be y even if NF_CONNTRACK isn't y. NF_CT_ACCT have same issue, too. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER] Fix Kconfig menu level for x_tables

2006-02-13T23:42:48Z

The new x_tables related Kconfig options appear at the wrong menu level without this patch. Signed-off-by: Harald Welte Signed-off-by: David S. Miller