kpriv/linux-hardened
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux-hardened/net/ipv4/netfilter
History
Patrick McHardy 1f9352ae22 netfilter: {ip,ip6,arp}_tables: fix incorrect loop detection 
Commit e1b4b9f ([NETFILTER]: {ip,ip6,arp}_tables: fix exponential worst-case
search for loops) introduced a regression in the loop detection algorithm,
causing sporadic incorrectly detected loops.

When a chain has already been visited during the check, it is treated as
having a standard target containing a RETURN verdict directly at the
beginning in order to not check it again. The real target of the first
rule is then incorrectly treated as STANDARD target and checked not to
contain invalid verdicts.

Fix by making sure the rule does actually contain a standard target.

Based on patch by Francis Dupont <Francis_Dupont@isc.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-03-25 19:26:35 +01:00
..
arp_tables.c netfilter: {ip,ip6,arp}_tables: fix incorrect loop detection 2009-03-25 19:26:35 +01:00
arpt_mangle.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
arptable_filter.c netfilter: x_tables: remove unneeded initializations 2009-02-18 16:30:20 +01:00
ip_queue.c netfilter: auto-load ip_queue module when socket opened 2009-03-16 15:31:10 +01:00
ip_tables.c netfilter: {ip,ip6,arp}_tables: fix incorrect loop detection 2009-03-25 19:26:35 +01:00
ipt_addrtype.c netfilter: netns-aware ipt_addrtype 2008-11-04 14:21:48 +01:00
ipt_ah.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
ipt_CLUSTERIP.c net: replace NIPQUAD() in net/ipv4/netfilter/ 2008-10-31 00:53:08 -07:00
ipt_ECN.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
ipt_ecn.c netfilter: xtables: move extension arguments into compound structure (2/6) 2008-10-08 11:35:18 +02:00
ipt_LOG.c netfilter: use a linked list of loggers 2009-03-16 14:54:21 +01:00
ipt_MASQUERADE.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
ipt_NETMAP.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
ipt_REDIRECT.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
ipt_REJECT.c netfilter: xtables: move extension arguments into compound structure (5/6) 2008-10-08 11:35:19 +02:00
ipt_ULOG.c netfilter: use a linked list of loggers 2009-03-16 14:54:21 +01:00
iptable_filter.c netfilter: x_tables: remove unneeded initializations 2009-02-18 16:30:20 +01:00
iptable_mangle.c netfilter: x_tables: remove unneeded initializations 2009-02-18 16:30:20 +01:00
iptable_raw.c netfilter: x_tables: remove unneeded initializations 2009-02-18 16:30:20 +01:00
iptable_security.c netfilter: x_tables: remove unneeded initializations 2009-02-18 16:30:20 +01:00
Kconfig netfilter: Kconfig spelling fixes (trivial) 2009-03-16 15:17:23 +01:00
Makefile netfilter: Combine ipt_ttl and ip6t_hl source 2009-02-18 18:39:31 +01:00
nf_conntrack_l3proto_ipv4.c netfilter: conntrack: increase drop stats if sequence adjustment fails 2009-03-16 15:18:50 +01:00
nf_conntrack_l3proto_ipv4_compat.c cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits: net 2008-12-29 22:44:47 -08:00
nf_conntrack_proto_icmp.c netfilter 06/09: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian 2009-01-12 21:18:35 -08:00
nf_defrag_ipv4.c netfilter: restore lost #ifdef guarding defrag exception 2008-10-14 11:56:59 -07:00
nf_nat_amanda.c [NETFILTER]: remove unneeded rcu_dereference() calls 2007-11-07 04:08:23 -08:00
nf_nat_core.c netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat 2008-10-14 11:58:31 -07:00
nf_nat_ftp.c [NETFILTER]: remove unneeded rcu_dereference() calls 2007-11-07 04:08:23 -08:00
nf_nat_h323.c net: replace NIPQUAD() in net/ipv4/netfilter/ 2008-10-31 00:53:08 -07:00
nf_nat_helper.c netfilter: netns nf_conntrack: pass conntrack to nf_conntrack_event_cache() not skb 2008-10-08 11:35:07 +02:00
nf_nat_irc.c net: replace NIPQUAD() in net/ipv4/netfilter/ 2008-10-31 00:53:08 -07:00
nf_nat_pptp.c netfilter: netns nat: PPTP NAT in netns 2008-10-08 11:35:11 +02:00
nf_nat_proto_common.c nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization 2008-08-18 21:32:32 -07:00
nf_nat_proto_dccp.c [NETFILTER]: nf_conntrack: const annotations in nf_conntrack_sctp, nf_nat_proto_gre 2008-04-14 11:15:54 +02:00
nf_nat_proto_gre.c [NETFILTER]: nf_conntrack: const annotations in nf_conntrack_sctp, nf_nat_proto_gre 2008-04-14 11:15:54 +02:00
nf_nat_proto_icmp.c [NETFILTER]: nf_nat: use bool type in nf_nat_proto 2008-04-14 11:15:53 +02:00
nf_nat_proto_sctp.c sctp: remove unnecessary byteshifting, calculate directly in big-endian 2008-07-18 23:07:09 -07:00
nf_nat_proto_tcp.c [NETFILTER]: nf_nat: use bool type in nf_nat_proto 2008-04-14 11:15:53 +02:00
nf_nat_proto_udp.c [NETFILTER]: nf_nat: use bool type in nf_nat_proto 2008-04-14 11:15:53 +02:00
nf_nat_proto_udplite.c [NETFILTER]: nf_nat: use bool type in nf_nat_proto 2008-04-14 11:15:53 +02:00
nf_nat_proto_unknown.c [NETFILTER]: nf_nat: use bool type in nf_nat_proto 2008-04-14 11:15:53 +02:00
nf_nat_rule.c netfilter: x_tables: remove unneeded initializations 2009-02-18 16:30:20 +01:00
nf_nat_sip.c net: replace NIPQUAD() in net/ipv4/netfilter/ 2008-10-31 00:53:08 -07:00
nf_nat_snmp_basic.c net: replace uses of __constant_{endian} 2009-02-01 00:45:17 -08:00
nf_nat_standalone.c [NETFILTER]: nf_nat: kill helper and seq_adjust hooks 2008-04-14 11:15:52 +02:00
nf_nat_tftp.c [NETFILTER]: nf_{conntrack,nat}_tftp: annotate TFTP helper with const 2008-01-31 19:28:08 -08:00