Florian Westphal 7814b6ec6d netfilter: xtables: don't save/restore jumpstack offset ... In most cases there is no reentrancy into ip/ip6tables. For skbs sent by REJECT or SYNPROXY targets, there is one level of reentrancy, but its not relevant as those targets issue an absolute verdict, i.e. the jumpstack can be clobbered since its not used after the target issues absolute verdict (ACCEPT, DROP, STOLEN, etc). So the only special case where it is relevant is the TEE target, which returns XT_CONTINUE. This patch changes ip(6)_do_table to always use the jump stack starting from 0. When we detect we're operating on an skb sent via TEE (percpu nf_skb_duplicated is 1) we switch to an alternate stack to leave the original one alone. Since there is no TEE support for arptables, it doesn't need to test if tee is active. The jump stack overflow tests are no longer needed as well -- since ->stacksize is the largest call depth we cannot exceed it. A much better alternative to the external jumpstack would be to just declare a jumps[32] stack on the local stack frame, but that would mean we'd have to reject iptables rulesets that used to work before. Another alternative would be to start rejecting rulesets with a larger call depth, e.g. 1000 -- in this case it would be feasible to allocate the entire stack in the percpu area which would avoid one dereference. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>		2015-07-15 18:18:06 +02:00
..
netfilter	netfilter: xtables: don't save/restore jumpstack offset	2015-07-15 18:18:06 +02:00
addrconf.c	ipv6: Do not iterate over all interfaces when finding source address on specific interface.	2015-07-10 23:19:25 -07:00
addrconf_core.c	ipv6: fix possible use after free of dev stats	2015-06-08 12:12:45 -07:00
addrlabel.c	netlink: implement nla_put_in_addr and nla_put_in6_addr	2015-03-31 13:58:35 -04:00
af_inet6.c	ipv6: Nonlocal bind	2015-07-09 21:09:10 -07:00
ah6.c	ipv6: coding style: comparison for equality with NULL	2015-03-31 13:51:54 -04:00
anycast.c	ipv6: coding style: comparison for equality with NULL	2015-03-31 13:51:54 -04:00
datagram.c	ipv6: use flag instead of u16 for hop in inet6_skb_parm	2015-07-09 15:06:59 -07:00
esp6.c	esp6: Switch to new AEAD interface	2015-05-28 11:23:20 +08:00
exthdrs.c	ipv6: use flag instead of u16 for hop in inet6_skb_parm	2015-07-09 15:06:59 -07:00
exthdrs_core.c	ipv6: coding style: comparison for equality with NULL	2015-03-31 13:51:54 -04:00
exthdrs_offload.c
fib6_rules.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-04-06 22:34:15 -04:00
icmp.c	ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST	2015-05-25 13:25:33 -04:00
inet6_connection_sock.c	net: convert syn_wait_lock to a spinlock	2015-03-23 16:52:26 -04:00
inet6_hashtables.c	inet: inet_twsk_deschedule factorization	2015-07-09 15:12:20 -07:00
ip6_checksum.c
ip6_fib.c	ipv6: Create percpu rt6_info	2015-05-25 13:25:35 -04:00
ip6_flowlabel.c	ipv6: Flow label state ranges	2015-05-03 21:58:01 -04:00
ip6_gre.c	ip6_gre: use netdev_alloc_pcpu_stats()	2015-04-22 15:39:05 -04:00
ip6_icmp.c
ip6_input.c	ipv6: Make MLD packets to only be processed locally	2015-07-03 09:52:38 -07:00
ip6_offload.c	ipv6: coding style: comparison for inequality with NULL	2015-03-31 13:51:54 -04:00
ip6_offload.h
ip6_output.c	ipv6: don't increase size when refragmenting forwarded ipv6 skbs	2015-05-25 17:22:23 -04:00
ip6_tunnel.c	ipv6: Add rt6_get_cookie() function	2015-05-25 13:25:34 -04:00
ip6_udp_tunnel.c	net: Modify sk_alloc to not reference count the netns of kernel sockets.	2015-05-11 10:50:18 -04:00
ip6_vti.c	vti6: Add pmtu handling to vti6_xmit.	2015-06-01 16:03:43 -07:00
ip6mr.c	netfilter: Pass socket pointer down through okfn().	2015-04-07 15:25:55 -04:00
ipcomp6.c
ipv6_sockglue.c	ipv6: coding style: comparison for equality with NULL	2015-03-31 13:51:54 -04:00
Kconfig	net: Build IPv6 into kernel by default	2015-07-13 13:10:21 -07:00
Makefile	net: Export IGMP/MLD message validation code	2015-05-04 14:49:23 -04:00
mcast.c	netfilter: Pass socket pointer down through okfn().	2015-04-07 15:25:55 -04:00
mcast_snoop.c	net: fix two sparse warnings introduced by IGMP/MLD parsing exports	2015-05-04 19:19:54 -04:00
mip6.c
ndisc.c	ipv6: Remove external dependency on rt6i_dst and rt6i_src	2015-05-25 13:25:32 -04:00
netfilter.c	netfilter: bridge: forward IPv6 fragmented packets	2015-06-12 14:10:12 +02:00
output_core.c	netfilter: don't pull include/linux/netfilter.h from netns headers	2015-06-18 21:14:31 +02:00
ping.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-03-09 23:38:02 -04:00
proc.c
protocol.c
raw.c	ipv6: Nonlocal bind	2015-07-09 21:09:10 -07:00
reassembly.c	ipv6: coding style: comparison for inequality with NULL	2015-03-31 13:51:54 -04:00
route.c	net-ipv6: Delete an unnecessary check before the function call "free_percpu"	2015-07-03 09:27:42 -07:00
sit.c	ipv6: call iptunnel_xmit with NULL sock pointer if no tunnel sock is available	2015-04-08 12:09:43 -04:00
syncookies.c	tcp: get_cookie_sock() consolidation	2015-06-07 15:19:52 -07:00
sysctl_net_ipv6.c	ipv6: Nonlocal bind	2015-07-09 21:09:10 -07:00
tcp_ipv6.c	inet: inet_twsk_deschedule factorization	2015-07-09 15:12:20 -07:00
tcpv6_offload.c	tcp: cleanup static functions	2015-02-28 16:56:51 -05:00
tunnel6.c
udp.c	udp: fix behavior of wrong checksums	2015-05-31 21:42:18 -07:00
udp_impl.h	net: Remove iocb argument from sendmsg and recvmsg	2015-03-02 13:06:31 -05:00
udp_offload.c	ipv6: hash net ptr into fragmentation bucket selection	2015-03-25 14:07:04 -04:00
udplite.c
xfrm6_input.c	netfilter: Pass socket pointer down through okfn().	2015-04-07 15:25:55 -04:00
xfrm6_mode_beet.c	xfrm: simplify xfrm_address_t use	2015-03-31 13:58:35 -04:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c	netfilter: Pass socket pointer down through okfn().	2015-04-07 15:25:55 -04:00
xfrm6_policy.c	ipv6: Add rt6_get_cookie() function	2015-05-25 13:25:34 -04:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c