linux/net/ipv4/netfilter
Pablo Neira Ayuso cba85b532e netfilter: fix export secctx error handling
In 1ae4de0cdf, the secctx was exported
via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
instead of the secmark.

That patch introduced the use of security_secid_to_secctx() which may
return a non-zero value on error.

In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
security modules. Thus, security_secid_to_secctx() returns a negative
value that results in the breakage of the /proc and `conntrack -L'
outputs. To fix this, we skip the inclusion of secctx if the
aforementioned function fails.

This patch also fixes the dynamic netlink message size calculation
if security_secid_to_secctx() returns an error, since its logic is
also wrong.

This problem exists in Linux kernel >= 2.6.37.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-01-06 11:25:00 -08:00
..
arp_tables.c ipv4: netfilter: arp_tables: fix information leak to userland 2010-11-03 08:44:12 +01:00
arpt_mangle.c netfilter: xtables: resolve indirect macros 3/3 2010-10-13 18:00:46 +02:00
arptable_filter.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
ip_queue.c netfilter: ip_queue: rwlock to spinlock conversion 2010-06-09 15:47:41 +02:00
ip_tables.c ipv4: netfilter: ip_tables: fix information leak to userland 2010-11-03 08:45:06 +01:00
ipt_addrtype.c netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11 18:33:37 +02:00
ipt_ah.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ipt_CLUSTERIP.c netfilter: ipt_CLUSTERIP: use proto_ports_offset() to support AH message 2010-08-19 17:16:24 -07:00
ipt_ecn.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ipt_ECN.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
ipt_LOG.c netfilter: ipt_LOG: add bufferisation to call printk() once 2010-10-04 20:56:05 +02:00
ipt_MASQUERADE.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
ipt_NETMAP.c netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN 2010-06-17 06:12:26 +02:00
ipt_REDIRECT.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
ipt_REJECT.c ipv4: Don't pre-seed hoplimit metric. 2010-12-12 22:08:17 -08:00
ipt_ULOG.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
iptable_filter.c netfilter: cleanup printk messages 2010-05-13 15:02:08 +02:00
iptable_mangle.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
iptable_raw.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
iptable_security.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
Kconfig Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-10-24 13:41:39 -07:00
Makefile Net: ipv4: netfilter: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:11 -08:00
nf_conntrack_l3proto_ipv4_compat.c netfilter: fix export secctx error handling 2011-01-06 11:25:00 -08:00
nf_conntrack_l3proto_ipv4.c netfilter: cleanup printk messages 2010-05-13 15:02:08 +02:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: add support for "conntrack zones" 2010-02-15 18:13:33 +01:00
nf_defrag_ipv4.c netfilter: nf_conntrack_defrag: check socket type before touching nodefrag flag 2010-09-22 13:13:34 -07:00
nf_nat_amanda.c netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers 2010-09-22 08:34:12 +02:00
nf_nat_core.c netfilter: nf_nat: fix compiler warning with CONFIG_NF_CT_NETLINK=n 2010-10-29 16:28:07 +02:00
nf_nat_ftp.c netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers 2010-09-22 08:34:12 +02:00
nf_nat_h323.c netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers 2010-09-22 08:34:12 +02:00
nf_nat_helper.c netfilter: nf_nat: add nf_nat_csum() 2010-09-15 19:24:50 +02:00
nf_nat_irc.c netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers 2010-09-22 08:34:12 +02:00
nf_nat_pptp.c netfilter: nf_conntrack: add support for "conntrack zones" 2010-02-15 18:13:33 +01:00
nf_nat_proto_common.c netfilter: nf_nat: don't check if the tuple is unique when there isn't any other choice 2010-08-02 17:35:49 +02:00
nf_nat_proto_dccp.c netfilter: nf_nat: make unique_tuple return void 2010-08-02 17:20:54 +02:00
nf_nat_proto_gre.c netfilter: nf_nat: don't check if the tuple is unique when there isn't any other choice 2010-08-02 17:35:49 +02:00
nf_nat_proto_icmp.c netfilter: nf_nat: don't check if the tuple is unique when there isn't any other choice 2010-08-02 17:35:49 +02:00
nf_nat_proto_sctp.c netfilter: nf_nat: make unique_tuple return void 2010-08-02 17:20:54 +02:00
nf_nat_proto_tcp.c netfilter: nf_nat: make unique_tuple return void 2010-08-02 17:20:54 +02:00
nf_nat_proto_udp.c netfilter: nf_nat: make unique_tuple return void 2010-08-02 17:20:54 +02:00
nf_nat_proto_udplite.c netfilter: nf_nat: make unique_tuple return void 2010-08-02 17:20:54 +02:00
nf_nat_proto_unknown.c netfilter: nf_nat: make unique_tuple return void 2010-08-02 17:20:54 +02:00
nf_nat_rule.c netfilter: nf_nat: no IP_NAT_RANGE_MAP_IPS flags when alloc_null_binding() 2010-09-16 19:47:51 +02:00
nf_nat_sip.c netfilter: nf_nat: better error handling of nf_ct_expect_related() in helpers 2010-09-22 08:34:12 +02:00
nf_nat_snmp_basic.c netfilter: nf_nat_snmp: fix checksum calculation (v4) 2010-09-22 13:13:33 -07:00
nf_nat_standalone.c netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN 2010-06-17 06:12:26 +02:00
nf_nat_tftp.c netfilter: fix some coding styles and remove moduleparam.h 2010-04-13 11:25:41 +02:00