Hooray for 2.6.34 ALIGN bug still biting.
libxt_gradm.c:84: warning: implicit declaration of function 'ALIGN'
libxt_gradm.c:84: error: initializer element is not constant
libxt_gradm.c:84: error: (near initialization for 'gradm_mt_reg.size')
This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.
See: http://grsecurity.net/
Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>
Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.
This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.
>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.
The idea here is that when the RBAC rulesets are not being enforced,
the system is more vulnerable and the user wants stricter firewall
rules. When RBAC is being enforced, one can relax the firewall and
access to services which are now better protected. In practice this
usually means allowing only access to some trusted IP(s) on boot
before RBAC is turned on.
xt_TEE.c:54:19: error: request for member "dst" in something not a
structure or union
xt_TEE.c:55:20: error: "struct rtable" has no member named "u"
Linux kernel commit v2.6.36-rc1~571^2~616 changed this.
xt_SYSRQ.c:156:3: error: too many arguments to function 'handle_sysrq'
Linux kernel commit v2.6.36-rc3~19^2~5 changed it and finally removed
the last unused argument.
Basically Xtables-addons's copy of ipset is already functionally equal
to ipset 4.3 thanks to our compat_xtables layer (and our modifications
in ipset/ to use it).
This adds a "CHECKSUM" target, which can be used in the iptables mangle
table.
You can use this target to compute and fill in the checksum in a packet
that lacks a checksum. This is particularly useful, if you need to work
around old applications such as dhcp clients, that do not work well with
checksum offloads, but don't want to disable checksum offload in your
device.
The problem happens in the field with virtualized applications. For
reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
The first problem is that the error response from crypto_alloc_hash()
should be extracted from the pointer before setting the pointer to NULL.
The second error is that only the first half of the password hash is
checked which slightly weakens the password checking.
Signed-off-by: John Haxby <john.haxby@oracle.com>
It is possible for geoip_bsearch() to pick mid == sizeof(subnets).
Consider a set with a single entry and a "address to test"
higher than the range:
1st call: lo = 0, hi = 1 -> mid will be 0
2nd call: lo = 1, hi = 1 -> mid will be 1
On the 2nd call, we'll examine random data.
Reported-by: Florian Westphal <fw@strlen.de>
Since the last merge of the "api35" branch, further changes were
included into nf-next. This set of three commits updates the
xtables-addons API to match that.
Patrick McHardy let's it be known: "No need for interruptible locking,
the section is very short and usually there's only a single iptables
process running at a time."
