diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 6 | ||||
-rw-r--r-- | net/netfilter/ipvs/Kconfig | 3 | ||||
-rw-r--r-- | net/netfilter/ipvs/ip_vs_ctl.c | 14 | ||||
-rw-r--r-- | net/netfilter/ipvs/ip_vs_wrr.c | 15 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_ftp.c | 18 |
5 files changed, 31 insertions, 25 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index bd1c65425d4f..0b7f262cd148 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk, | |||
1406 | { | 1406 | { |
1407 | int ret; | 1407 | int ret; |
1408 | 1408 | ||
1409 | if (!capable(CAP_NET_ADMIN)) | ||
1410 | return -EPERM; | ||
1411 | |||
1409 | switch(cmd) { | 1412 | switch(cmd) { |
1410 | case EBT_SO_SET_ENTRIES: | 1413 | case EBT_SO_SET_ENTRIES: |
1411 | ret = do_replace(sock_net(sk), user, len); | 1414 | ret = do_replace(sock_net(sk), user, len); |
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
1425 | struct ebt_replace tmp; | 1428 | struct ebt_replace tmp; |
1426 | struct ebt_table *t; | 1429 | struct ebt_table *t; |
1427 | 1430 | ||
1431 | if (!capable(CAP_NET_ADMIN)) | ||
1432 | return -EPERM; | ||
1433 | |||
1428 | if (copy_from_user(&tmp, user, sizeof(tmp))) | 1434 | if (copy_from_user(&tmp, user, sizeof(tmp))) |
1429 | return -EFAULT; | 1435 | return -EFAULT; |
1430 | 1436 | ||
diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig index 79a698052218..f2d76238b9b5 100644 --- a/net/netfilter/ipvs/Kconfig +++ b/net/netfilter/ipvs/Kconfig | |||
@@ -112,7 +112,8 @@ config IP_VS_RR | |||
112 | module, choose M here. If unsure, say N. | 112 | module, choose M here. If unsure, say N. |
113 | 113 | ||
114 | config IP_VS_WRR | 114 | config IP_VS_WRR |
115 | tristate "weighted round-robin scheduling" | 115 | tristate "weighted round-robin scheduling" |
116 | select GCD | ||
116 | ---help--- | 117 | ---help--- |
117 | The weighted robin-robin scheduling algorithm directs network | 118 | The weighted robin-robin scheduling algorithm directs network |
118 | connections to different real servers based on server weights | 119 | connections to different real servers based on server weights |
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 6bde12da2fe0..c37ac2d7bec4 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c | |||
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) | |||
2077 | if (!capable(CAP_NET_ADMIN)) | 2077 | if (!capable(CAP_NET_ADMIN)) |
2078 | return -EPERM; | 2078 | return -EPERM; |
2079 | 2079 | ||
2080 | if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX) | ||
2081 | return -EINVAL; | ||
2082 | if (len < 0 || len > MAX_ARG_LEN) | ||
2083 | return -EINVAL; | ||
2080 | if (len != set_arglen[SET_CMDID(cmd)]) { | 2084 | if (len != set_arglen[SET_CMDID(cmd)]) { |
2081 | pr_err("set_ctl: len %u != %u\n", | 2085 | pr_err("set_ctl: len %u != %u\n", |
2082 | len, set_arglen[SET_CMDID(cmd)]); | 2086 | len, set_arglen[SET_CMDID(cmd)]); |
@@ -2352,17 +2356,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
2352 | { | 2356 | { |
2353 | unsigned char arg[128]; | 2357 | unsigned char arg[128]; |
2354 | int ret = 0; | 2358 | int ret = 0; |
2359 | unsigned int copylen; | ||
2355 | 2360 | ||
2356 | if (!capable(CAP_NET_ADMIN)) | 2361 | if (!capable(CAP_NET_ADMIN)) |
2357 | return -EPERM; | 2362 | return -EPERM; |
2358 | 2363 | ||
2364 | if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX) | ||
2365 | return -EINVAL; | ||
2366 | |||
2359 | if (*len < get_arglen[GET_CMDID(cmd)]) { | 2367 | if (*len < get_arglen[GET_CMDID(cmd)]) { |
2360 | pr_err("get_ctl: len %u < %u\n", | 2368 | pr_err("get_ctl: len %u < %u\n", |
2361 | *len, get_arglen[GET_CMDID(cmd)]); | 2369 | *len, get_arglen[GET_CMDID(cmd)]); |
2362 | return -EINVAL; | 2370 | return -EINVAL; |
2363 | } | 2371 | } |
2364 | 2372 | ||
2365 | if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0) | 2373 | copylen = get_arglen[GET_CMDID(cmd)]; |
2374 | if (copylen > 128) | ||
2375 | return -EINVAL; | ||
2376 | |||
2377 | if (copy_from_user(arg, user, copylen) != 0) | ||
2366 | return -EFAULT; | 2378 | return -EFAULT; |
2367 | 2379 | ||
2368 | if (mutex_lock_interruptible(&__ip_vs_mutex)) | 2380 | if (mutex_lock_interruptible(&__ip_vs_mutex)) |
diff --git a/net/netfilter/ipvs/ip_vs_wrr.c b/net/netfilter/ipvs/ip_vs_wrr.c index 6182e8ea0be7..3c115fc19784 100644 --- a/net/netfilter/ipvs/ip_vs_wrr.c +++ b/net/netfilter/ipvs/ip_vs_wrr.c | |||
@@ -24,6 +24,7 @@ | |||
24 | #include <linux/module.h> | 24 | #include <linux/module.h> |
25 | #include <linux/kernel.h> | 25 | #include <linux/kernel.h> |
26 | #include <linux/net.h> | 26 | #include <linux/net.h> |
27 | #include <linux/gcd.h> | ||
27 | 28 | ||
28 | #include <net/ip_vs.h> | 29 | #include <net/ip_vs.h> |
29 | 30 | ||
@@ -38,20 +39,6 @@ struct ip_vs_wrr_mark { | |||
38 | }; | 39 | }; |
39 | 40 | ||
40 | 41 | ||
41 | /* | ||
42 | * Get the gcd of server weights | ||
43 | */ | ||
44 | static int gcd(int a, int b) | ||
45 | { | ||
46 | int c; | ||
47 | |||
48 | while ((c = a % b)) { | ||
49 | a = b; | ||
50 | b = c; | ||
51 | } | ||
52 | return b; | ||
53 | } | ||
54 | |||
55 | static int ip_vs_wrr_gcd_weight(struct ip_vs_service *svc) | 42 | static int ip_vs_wrr_gcd_weight(struct ip_vs_service *svc) |
56 | { | 43 | { |
57 | struct ip_vs_dest *dest; | 44 | struct ip_vs_dest *dest; |
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index 38ea7ef3ccd2..f0732aa18e4f 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c | |||
@@ -323,24 +323,24 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq, | |||
323 | struct nf_ct_ftp_master *info, int dir, | 323 | struct nf_ct_ftp_master *info, int dir, |
324 | struct sk_buff *skb) | 324 | struct sk_buff *skb) |
325 | { | 325 | { |
326 | unsigned int i, oldest = NUM_SEQ_TO_REMEMBER; | 326 | unsigned int i, oldest; |
327 | 327 | ||
328 | /* Look for oldest: if we find exact match, we're done. */ | 328 | /* Look for oldest: if we find exact match, we're done. */ |
329 | for (i = 0; i < info->seq_aft_nl_num[dir]; i++) { | 329 | for (i = 0; i < info->seq_aft_nl_num[dir]; i++) { |
330 | if (info->seq_aft_nl[dir][i] == nl_seq) | 330 | if (info->seq_aft_nl[dir][i] == nl_seq) |
331 | return; | 331 | return; |
332 | |||
333 | if (oldest == info->seq_aft_nl_num[dir] || | ||
334 | before(info->seq_aft_nl[dir][i], | ||
335 | info->seq_aft_nl[dir][oldest])) | ||
336 | oldest = i; | ||
337 | } | 332 | } |
338 | 333 | ||
339 | if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { | 334 | if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { |
340 | info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; | 335 | info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; |
341 | } else if (oldest != NUM_SEQ_TO_REMEMBER && | 336 | } else { |
342 | after(nl_seq, info->seq_aft_nl[dir][oldest])) { | 337 | if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1])) |
343 | info->seq_aft_nl[dir][oldest] = nl_seq; | 338 | oldest = 0; |
339 | else | ||
340 | oldest = 1; | ||
341 | |||
342 | if (after(nl_seq, info->seq_aft_nl[dir][oldest])) | ||
343 | info->seq_aft_nl[dir][oldest] = nl_seq; | ||
344 | } | 344 | } |
345 | } | 345 | } |
346 | 346 | ||