Displaying 14 results from an estimated 14 matches for "nf_accept".
Did you mean:
net_accept
2007 Apr 18
1
[Bridge] [PATCH/RFC] Reduce call chain length in netfilter (take 2)
...gt;hook(hook, skb, indev, outdev, okfn)) {
- case NF_QUEUE:
- return NF_QUEUE;
-
- case NF_STOLEN:
- return NF_STOLEN;
-
- case NF_DROP:
- return NF_DROP;
-
- case NF_REPEAT:
- *i = (*i)->prev;
- break;
-
+ verdict = elem->hook(hook, skb, indev, outdev, okfn);
+ if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG
- case NF_ACCEPT:
- break;
-
- default:
- NFDEBUG("Evil return from %p(%u).\n",
- elem->hook, hook);
+ if (unlikely(verdict > NF_MAX_VERDICT)) {
+ NFDEBUG("Evil return from %p(%u).\n",
+ elem->hook, hook);
+...
2007 Apr 18
3
[Bridge] Re: do_IRQ: stack overflow: 872..
On Fri, 07 Jan 2005 17:05:59 +0000
David Woodhouse <dwmw2@infradead.org> wrote:
> On Sat, 2004-12-18 at 08:50 +0100, Andi Kleen wrote:
> > It's not really an oops, just a warning that stack space got quiet
> > tight.
> >
> > The problem seems to be that the br netfilter code is nesting far too
> > deeply and recursing several times. Looks like a design
2007 Apr 18
4
[Bridge] [PATCH/RFC] Let {ip, arp}tables "see" bridged VLAN tagged {I, AR}P packets
...br_handle_frame_finish, 1);
@@ -220,13 +247,20 @@ static unsigned int br_nf_pre_routing(un
{
struct iphdr *iph;
__u32 len;
- struct sk_buff *skb;
+ struct sk_buff *skb = *pskb;
struct nf_bridge_info *nf_bridge;
- if ((*pskb)->protocol != __constant_htons(ETH_P_IP))
- return NF_ACCEPT;
-
- if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
+ if (skb->protocol != __constant_htons(ETH_P_IP)) {
+ struct vlan_ethhdr *hdr = (struct vlan_ethhdr *)
+ ((*pskb)->mac.ethernet);
+
+ if (!IS_VLAN_IP)
+ return NF_ACCEPT;
+ if ((skb = skb_share_check(*pskb, GFP_ATOMIC))...
2012 Apr 25
1
forwarding packets to service in same host without using loopback network
...accurate and robust.
The following code describes the core functionality of the application:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <linux/types.h>
#include <linux/netfilter.h> /* for NF_ACCEPT */
#include <errno.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#define PREROUTING 0
#define POSTROUTING 4
#define OUTPUT 3
/* returns packet id */
static u_int32_t
print_pkt (struct nfq_data *tb)
{
int id = 0;
struct nfqnl_msg...
2007 Apr 18
2
[Bridge] The problem of bridge+netfilter+nat
...printk("[%s]", skb->dev->name);
if (has_bridge_parent(skb->dev))
printk("[%s]", bridge_parent(skb->dev)->name);
}
printk("\n");
return NF_ACCEPT;
}
And in the new bridge-nf version it is annouced this sould not happen anymore.
I think I should upgrade the kernel. But I'm curious on the problem and I wish
I could know what kind of packets caused such a problem.
Thanks for help. Please cc.
Regards,
Zheng chuanb...
2007 Jan 09
0
[Bug 530] New: loading nf_nat verision of the iptable_nat module kills existing connections
..., or course, that stops working.
I've poked around a bit and this section of nf_net_standalone.c appears to
be the culprit:
120: /* Don't try to NAT if this packet is not conntracked */
121: if (ct == &nf_conntrack_untracked)
122: return NF_ACCEPT;
123:
124: nat = nfct_nat(ct);
-> 125: if (!nat)
-> 126: return NF_DROP;
If I read this correctly, packets for connections which aren't tracked
at all are accepted, but packets for connections which are being tracked
don't have NAT inf...
2007 Jan 09
1
[Bug 530] loading nf_nat verision of the iptable_nat module kills existing connections
...|FIXED
------- Additional Comments From kaber@trash.net 2007-01-09 14:49 MET -------
I agree, I was already thinking about this, but came to no conclusion. I've
queued up this patch for 2.6.20 .. well I can't seem to attach it, but I queued
a patch which changes this line to NF_ACCEPT.
--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.
2006 Jul 25
0
[Bug 495] New: Netfilter Connection Tracking Race Condition in Kernel 2.4.x
...everity: normal
Priority: P2
Component: ip_conntrack
AssignedTo: laforge@netfilter.org
ReportedBy: Bob.Halley@nominum.com
Background
Our application uses ip_queue in prerouting to divert DNS UDP packets
to a userland daemon which inspects them and then issues a NF_ACCEPT
or NF_DROP verdict back to the kernel.
We found that if several packets with the same conntrack tuple,
i.e. the same src addr, src port, dst addr, and dst port, arrive very
close together, then only the first one accepted by our software
actually makes it back out to the wire; the others are silen...
2007 Aug 14
0
ebtables locking issue
...sponse and then pass the result back to ebtable code.
Everything seemed to be working fine until i encountered locking issues. In the ebt_do_table code there is a "read_lock_bh" is used. When i try to wait inside this code path after sending info to my userspace tool and before returning NF_ACCEPT or NF_DROP, either the CPU hangs or i get an error "schedule while atomic". I tried out different methods for waiting like "wait_event_timeout" or busy while loop etc. The problem that I understood is that since read_lock_bh disables CPU preemption and do "local_bh_disable...
2019 Dec 01
0
[Bug 1384] New: memory leaks when netfilter is used to filter network traffic
...ets.
Found memory leaks.
Then we built a kernel module to filter traffic to queue 0, and
libnetfilter_queue is used to do the same. Still found memory leaks.
We also did another testing: in the kernel module, we do some condition check
to all the packets, no matter pass or not simply "return NF_ACCEPT". In this
test, libnetfilter_queue is not involved. Still found memory leaks. Without the
kernel module, there will be no memory leaks.
kernel version: 4-14-131. platform: openwrt-18.06.4.
Is it netfilter to complain or we missed something or did something
incorrectly?
Thanks in advance for...
2003 Apr 25
0
[Bug 85] New: couldn't write file ,call syscall ,ex. sys_open
...*/
int fd = 0;
char pathname[50] ="/test/log/8.mail" ;
set_fs(new_fs) ;
fd = sys_open(pathname,O_WRONLY|O_CREAT,S_IRUSR|S_IWUSR);
printk("fd is [%d]",fd);
sys_write(fd,"Mail has develope sucesses , ",20) ;
sys_close(fd);
set_fs(old_fs) ;
return NF_ACCEPT;
}
static struct nf_hook_ops iplimitfilter=
{
{NULL,NULL},
myfirewall,
PF_INET,
NF_IP_PRE_ROUTING,
NF_IP_PRI_FILTER
};
int init_module(void)
{
mm_segment_t old_fs =get_fs() ;
mm_segment_t new_fs =get_ds();
printk("The** old fs is [%lu]\n",old_fs.seg) ;
printk("The** new...
2003 Aug 02
0
[SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
...tuple)],
&ct->tuplehash[IP_CT_DIR_ORIGINAL]);
@@ -467,6 +464,7 @@
ct->timeout.expires +=3D jiffies;
add_timer(&ct->timeout);
atomic_inc(&ct->ct_general.use);
+ set_bit(IPS_CONFIRMED_BIT, &ct->status);
WRITE_UNLOCK(&ip_conntrack_lock);
return NF_ACCEPT;
}
@@ -585,7 +583,7 @@
connection. Too bad: we're in trouble anyway. */
static inline int unreplied(const struct ip_conntrack_tuple_hash *i)
{
- return !(i->ctrack->status & IPS_ASSURED);
+ return !(test_bit(IPS_ASSURED_BIT, &i->ctrack->status));
}
=20
static int...
2002 May 08
0
Security Advisory
...ipv4/netfilter/ip_nat_core.c linux-2.4=
.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.4.19-pre6.orig/net/ipv4/netfilter/ip_nat_core.c Sun Apr 7 15:2=
7:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c Fri Apr 12 00:=
52:31 2002
@@ -780,6 +780,18 @@
} else return NF_ACCEPT;
}
=20
+/*
+ * Decide whether to map inner header of an ICMP reply, including when
+ * we generate the reply ourselves.
+ */
+static inline int
+map_innards(unsigned int maniphook, unsigned int hooknum)
+{
+ return (maniphook =3D=3D opposite_hook[hooknum]
+ || (hooknum =3D=3D NF_IP_LOCAL_O...
2015 Dec 18
0
[ANNOUNCE] iptables 1.6.0 release
...n sync with arptables -L -n --line-numbers
arptables-compat: remove save code
refresh nf_tables.h cached copy
iptables-compat: fix chain policy reset with iptables -L -n
iptables-compat: statify unused built-in table/chain functions
iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
iptables-compat: fix empty chains after first invocation of iptables-compat -L
Merge branch 'ipset'
nft: bootstrap ebtables-compat
ebtables-compat: use ebtables_command_state in bootstrap code
iptables: use flock() instead of abstr...