This adds a "CHECKSUM" target, which can be used in the iptables mangle
table.
You can use this target to compute and fill in the checksum in a packet
that lacks a checksum. This is particularly useful, if you need to work
around old applications such as dhcp clients, that do not work well with
checksum offloads, but don't want to disable checksum offload in your
device.
The problem happens in the field with virtualized applications. For
reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.html
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
The first problem is that the error response from crypto_alloc_hash()
should be extracted from the pointer before setting the pointer to NULL.
The second error is that only the first half of the password hash is
checked which slightly weakens the password checking.
Signed-off-by: John Haxby <john.haxby@oracle.com>
It is possible for geoip_bsearch() to pick mid == sizeof(subnets).
Consider a set with a single entry and a "address to test"
higher than the range:
1st call: lo = 0, hi = 1 -> mid will be 0
2nd call: lo = 1, hi = 1 -> mid will be 1
On the 2nd call, we'll examine random data.
Reported-by: Florian Westphal <fw@strlen.de>
Since the last merge of the "api35" branch, further changes were
included into nf-next. This set of three commits updates the
xtables-addons API to match that.
Patrick McHardy let's it be known: "No need for interruptible locking,
the section is very short and usually there's only a single iptables
process running at a time."
The loop detection does not work if the kernel is built without
conntrack. In fact, since cloned packets are sent directly and do not
pass through Xtables, there are no loops happening.
Patrick McHardy explains in [1] that locally-generated packets (such
as the clones xt_TEE will create) usually start with no iif and no
mark value, and even if cloned packets are a little more special than
locally-generated ones, let's do it that way.
[1] http://marc.info/?l=netfilter-devel&m=127012289008156&w=2
Because the build error logs of module-assistant are totally useless,
as the tarball filename has been stripped of the version, and
configure is not run either.
Michael S. Tsirkin