linux-hardened/net/ipv6/netfilter
Jan Engelhardt f3c5c1bfd4 netfilter: xtables: make ip_tables reentrant
Currently, the table traverser stores return addresses in the ruleset
itself (struct ip6t_entry->comefrom). This has a well-known drawback:
the jumpstack is overwritten on reentry, making it necessary for
targets to return absolute verdicts. Also, the ruleset (which might
be heavy memory-wise) needs to be replicated for each CPU that can
possibly invoke ip6t_do_table.

This patch decouples the jumpstack from struct ip6t_entry and instead
puts it into xt_table_info. Not being restricted by 'comefrom'
anymore, we can set up a stack as needed. By default, there is room
allocated for two entries into the traverser.

arp_tables is not touched though, because there are just one/two
modules and further patches seek to collapse the table traverser
anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2010-04-19 16:05:10 +02:00
ip6_queue.c netfilter: only do skb_checksum_help on CHECKSUM_PARTIAL in ip6_queue 2010-04-08 14:53:40 +02:00
ip6_tables.c netfilter: xtables: make ip_tables reentrant 2010-04-19 16:05:10 +02:00
ip6t_ah.c netfilter: xtables: change matches to return error code 2010-03-25 16:55:24 +01:00
ip6t_eui64.c netfilter: ip6t_eui: fix read outside array bounds 2009-08-31 15:30:31 +02:00
ip6t_frag.c netfilter: xtables: change matches to return error code 2010-03-25 16:55:24 +01:00
ip6t_hbh.c netfilter: xtables: change matches to return error code 2010-03-25 16:55:24 +01:00
ip6t_ipv6header.c netfilter: xtables: change matches to return error code 2010-03-25 16:55:24 +01:00
ip6t_LOG.c netfilter: ipt_LOG/ip6t_LOG: use more appropriate log level as default 2010-04-15 19:09:01 +02:00
ip6t_mh.c netfilter: xtables: change matches to return error code 2010-03-25 16:55:24 +01:00
ip6t_REJECT.c netfilter: xtables: change targets to return error code 2010-03-25 16:55:49 +01:00
ip6t_rt.c netfilter: xtables: change matches to return error code 2010-03-25 16:55:24 +01:00
ip6table_filter.c netfilter: xtables: generate initial table on-demand 2010-02-10 17:50:47 +01:00
ip6table_mangle.c netfilter: iptables: remove unused function arguments 2010-02-15 16:56:51 +01:00
ip6table_raw.c netfilter: xtables: generate initial table on-demand 2010-02-10 17:50:47 +01:00
ip6table_security.c netfilter: xtables: generate initial table on-demand 2010-02-10 17:50:47 +01:00
Kconfig netfilter: trivial Kconfig spelling fixes 2009-03-24 13:35:27 -07:00
Makefile netfilter: Combine ipt_ttl and ip6t_hl source 2009-02-18 18:39:31 +01:00
nf_conntrack_l3proto_ipv6.c netfilter: nf_conntrack: add support for "conntrack zones" 2010-02-15 18:13:33 +01:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: add support for "conntrack zones" 2010-02-15 18:13:33 +01:00
nf_conntrack_reasm.c netfilter: ipv6: use NFPROTO values for NF_HOOK invocation 2010-03-25 16:00:49 +01:00