1. 23 Sep, 2016 1 commit
  2. 22 Sep, 2016 1 commit
  3. 13 Sep, 2016 1 commit
  4. 12 Sep, 2016 13 commits
  5. 09 Sep, 2016 2 commits
  6. 07 Sep, 2016 10 commits
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: allow tab character in SIP headers · 1bcabc81
      Marco Angaroni authored
      Current parsing methods for SIP headers do not allow the presence of
      tab characters between header name and header value. As a result Call-ID
      SIP headers like the following are discarded by IPVS SIP persistence
      engine:
      
      "Call-ID\t: mycallid@abcde"
      "Call-ID:\tmycallid@abcde"
      
      In above examples Call-IDs are represented as strings in C language.
      Obviously in real message we have byte "09" before/after colon (":").
      
      Proposed fix is in nf_conntrack_sip module.
      Function sip_skip_whitespace() should skip tabs in addition to spaces,
      since in SIP grammar whitespace (WSP) corresponds to space or tab.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1bcabc81
    • Pablo Neira Ayuso's avatar
      netfilter: nft_quota: introduce nft_overquota() · 22609b43
      Pablo Neira Ayuso authored
      This is patch renames the existing function to nft_overquota() and make
      it return a boolean that tells us if we have exceeded our byte quota.
      Just a cleanup.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      22609b43
    • Pablo Neira Ayuso's avatar
      netfilter: nft_quota: fix overquota logic · db6d857b
      Pablo Neira Ayuso authored
      Use xor to decide to break further rule evaluation or not, since the
      existing logic doesn't achieve the expected inversion.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      db6d857b
    • Laura Garcia Liebana's avatar
      netfilter: nft_numgen: rename until attribute by modulus · 0d9932b2
      Laura Garcia Liebana authored
      The _until_ attribute is renamed to _modulus_ as the behaviour is similar to
      other expresions with number limits (ex. nft_hash).
      
      Renaming is possible because there isn't a kernel release yet with these
      changes.
      Signed-off-by: default avatarLaura Garcia Liebana <nevola@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      0d9932b2
    • Gao Feng's avatar
      netfilter: ftp: Remove the useless code · ddb075b0
      Gao Feng authored
      There are some debug code which are commented out in find_pattern by #if 0.
      Now remove them.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ddb075b0
    • Gao Feng's avatar
      netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern · 723eb299
      Gao Feng authored
      The caller function "help" has already make sure the datalen could not be zero
      before invoke find_pattern as a parameter by the following codes
      
              if (dataoff >= skb->len) {
                      pr_debug("ftp: dataoff(%u) >= skblen(%u)\n", dataoff,
                               skb->len);
                      return NF_ACCEPT;
              }
              datalen = skb->len - dataoff;
      
      And the latter codes "ends_in_nl = (fb_ptr[datalen - 1] == '\n');" use datalen
      directly without checking if it is zero.
      
      So it is unneccessary to check it in find_pattern too.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      723eb299
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header · f0608cea
      Marco Angaroni authored
      Current parsing methods for SIP header Call-ID do not check correctly all
      characters allowed by RFC 3261. In particular "," character is allowed
      instead of "'" character. As a result Call-ID headers like the following
      are discarded by IPVS SIP persistence engine.
      
      Call-ID: -.!%*_+`'~()<>:\"/[]?{}
      
      Above example is composed using all non-alphanumeric characters listed
      in RFC 3261 for Call-ID header syntax.
      
      Proposed fix is in nf_conntrack_sip module; function iswordc() checks this
      range: (c >= '(' && c <= '/') which includes these characters: ()*+,-./
      They are all allowed except ",". Instead "'" is not included in the list.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f0608cea
    • Marco Angaroni's avatar
      netfilter: nf_ct_sip: correct parsing of continuation lines in SIP headers · 68cb9fe4
      Marco Angaroni authored
      Current parsing methods for SIP headers do not properly manage
      continuation lines: in case of Call-ID header the first character of
      Call-ID header value is truncated. As a result IPVS SIP persistence
      engine hashes over a call-id that is not exactly the one present in
      the originale message.
      
      Example: "Call-ID: \r\n abcdeABCDE1234"
      results in extracted call-id equal to "bcdeABCDE1234".
      
      In above example Call-ID is represented as a string in C language.
      Obviously in real message the first bytes after colon (":") are
      "20 0d 0a 20".
      
      Proposed fix is in nf_conntrack_sip module.
      Since sip_follow_continuation() function walks past the leading
      spaces or tabs of the continuation line, sip_skip_whitespace()
      should simply return the ouput of sip_follow_continuation().
      Otherwise another iteration of the for loop is done and dptr
      is incremented by one pointing to the second character of the
      first word in the header.
      
      Below is an extract of relevant SIP ABNF syntax.
      
      Call-ID  =  ( "Call-ID" / "i" ) HCOLON callid
      callid   =  word [ "@" word ]
      
      HCOLON  =  *( SP / HTAB ) ":" SWS
      SWS     =  [LWS] ; sep whitespace
      LWS     =  [*WSP CRLF] 1*WSP ; linear whitespace
      WSP     =  SP / HTAB
      word    =  1*(alphanum / "-" / "." / "!" / "%" / "*" /
                 "_" / "+" / "`" / "'" / "~" /
                 "(" / ")" / "<" / ">" /
                 ":" / "\" / DQUOTE /
                 "/" / "[" / "]" / "?" /
                 "{" / "}" )
      Signed-off-by: default avatarMarco Angaroni <marcoangaroni@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      68cb9fe4
    • Gao Feng's avatar
      netfilter: gre: Use consistent GRE and PTTP header structure instead of the... · c579a9e7
      Gao Feng authored
      netfilter: gre: Use consistent GRE and PTTP header structure instead of the ones defined by netfilter
      
      There are two existing strutures which defines the GRE and PPTP header.
      So use these two structures instead of the ones defined by netfilter to
      keep consitent with other codes.
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c579a9e7
    • Gao Feng's avatar
      netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter. · ecc6569f
      Gao Feng authored
      There are already some GRE_* macros in kernel, so it is unnecessary
      to define these macros. And remove some useless macros
      Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      ecc6569f
  7. 06 Sep, 2016 12 commits