q3k/linux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
linux/net/netfilter
History
Eric W. Biederman df008c91f8 net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 
Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Allow creation of af_key sockets.
Allow creation of llc sockets.
Allow creation of af_packet sockets.

Allow sending xfrm netlink control messages.

Allow binding to netlink multicast groups.
Allow sending to netlink multicast groups.
Allow adding and dropping netlink multicast groups.
Allow sending to all netlink multicast groups and port ids.

Allow reading the netfilter SO_IP_SET socket option.
Allow sending netfilter netlink messages.
Allow setting and getting ip_vs netfilter socket options.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-18 20:32:45 -05:00
..
ipset net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
ipvs net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
core.c netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_queue() 2012-09-03 13:52:54 +02:00
Kconfig netfilter: combine ipt_REDIRECT and ip6t_REDIRECT 2012-09-21 12:12:05 +02:00
Makefile netfilter: combine ipt_REDIRECT and ip6t_REDIRECT 2012-09-21 12:12:05 +02:00
nf_conntrack_acct.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
nf_conntrack_amanda.c netfilter: nf_nat: support IPv6 in amanda NAT helper 2012-08-30 03:00:21 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: nf_nat: fix oops when unloading protocol modules 2012-09-21 11:35:18 +02:00
nf_conntrack_ecache.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
nf_conntrack_expect.c netfilter: nf_ct_expect: fix possible access to uninitialized timer 2012-08-16 11:49:53 +02:00
nf_conntrack_extend.c netfilter: nf_ct_ext: support variable length extensions 2012-06-16 15:08:49 +02:00
nf_conntrack_ftp.c netfilter: nf_ct_ftp: add sequence tracking pickup facility for injected entries 2012-09-24 14:29:40 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper 2012-10-22 12:21:55 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
nf_conntrack_irc.c netfilter: nf_nat: support IPv6 in IRC NAT helper 2012-08-30 03:00:23 +02:00
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: nf_ct_ftp: add sequence tracking pickup facility for injected entries 2012-09-24 14:29:40 +02:00
nf_conntrack_pptp.c netfilter: nf_nat: add protoff argument to packet mangling functions 2012-08-30 03:00:13 +02:00
nf_conntrack_proto.c netfilter: nf_conntrack: remove unnecessary RTNL locking 2012-08-20 12:46:29 +02:00
nf_conntrack_proto_dccp.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
nf_conntrack_proto_generic.c netfilter: nf_conntrack: generalize nf_ct_l4proto_net 2012-07-04 19:37:22 +02:00
nf_conntrack_proto_gre.c netfilter: nf_conntrack: prepare l4proto->init_net cleanup 2012-06-27 18:31:14 +02:00
nf_conntrack_proto_sctp.c netfilter: nf_ct_sctp: merge sctpv[4,6]_net_init into sctp_net_init 2012-06-27 19:13:31 +02:00
nf_conntrack_proto_tcp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-09-15 11:43:53 -04:00
nf_conntrack_proto_udp.c netfilter: nf_conntrack: generalize nf_ct_l4proto_net 2012-07-04 19:37:22 +02:00
nf_conntrack_proto_udplite.c netfilter: nf_ct_udplite: add udplite_kmemdup_sysctl_table function 2012-06-27 19:12:52 +02:00
nf_conntrack_sane.c netfilter: nf_ct_helper: implement variable length helper private data 2012-06-16 15:08:55 +02:00
nf_conntrack_sip.c netfilter: nf_nat: support IPv6 in SIP NAT helper 2012-08-30 03:00:22 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
nf_conntrack_tftp.c netfilter: nf_nat: support IPv6 in TFTP NAT helper 2012-08-30 03:00:24 +02:00
nf_conntrack_timeout.c netfilter: nf_ct_ext: add timeout extension 2012-03-07 17:41:25 +01:00
nf_conntrack_timestamp.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
nf_internals.h netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_queue() 2012-09-03 13:52:54 +02:00
nf_log.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_nat_amanda.c netfilter: nf_nat: support IPv6 in amanda NAT helper 2012-08-30 03:00:21 +02:00
nf_nat_core.c netfilter: nf_nat: remove obsolete rcu_read_unlock call 2012-09-21 12:09:25 +02:00
nf_nat_ftp.c netfilter: nf_nat: support IPv6 in FTP NAT helper 2012-08-30 03:00:20 +02:00
nf_nat_helper.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_irc.c netfilter: nf_nat: support IPv6 in IRC NAT helper 2012-08-30 03:00:23 +02:00
nf_nat_proto_common.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_dccp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_sctp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_tcp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_udp.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_udplite.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_proto_unknown.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_sip.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-09-03 15:34:51 +02:00
nf_nat_tftp.c netfilter: nf_nat: support IPv6 in TFTP NAT helper 2012-08-30 03:00:24 +02:00
nf_queue.c netfilter: pass 'nf_hook_ops' instead of 'list_head' to nf_queue() 2012-09-03 13:52:54 +02:00
nf_sockopt.c
nf_tproxy_core.c
nfnetlink.c net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
nfnetlink_acct.c netlink: Rename pid to portid to avoid confusion 2012-09-10 15:30:41 -04:00
nfnetlink_cthelper.c netfilter: nf_ct_ftp: add sequence tracking pickup facility for injected entries 2012-09-24 14:29:40 +02:00
nfnetlink_cttimeout.c netlink: Rename pid to portid to avoid confusion 2012-09-10 15:30:41 -04:00
nfnetlink_log.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-10-02 13:38:27 -07:00
nfnetlink_queue_core.c netfilter: nfnetlink_queue: add NFQA_CAP_LEN attribute 2012-09-24 15:10:29 +02:00
nfnetlink_queue_ct.c netfilter: nfnetlink_queue: fix sparse warning due to missing include 2012-06-23 02:13:38 +02:00
x_tables.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_addrtype.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_AUDIT.c ipv6: Add fragment reporting to ipv6_skip_exthdr(). 2011-12-03 09:35:10 -08:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c Merge branch 'nf-next' of git://1984.lsi.us.es/net-next 2011-12-25 02:21:45 -05:00
xt_connlimit.c netfilter: xt_connlimit: remove revision 0 2012-06-07 14:58:39 +02:00
xt_connmark.c
xt_CONNSECMARK.c
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: xt_CT: fix timeout setting with IPv6 2012-10-15 13:38:58 +02:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c netfilter: xtables: collapse conditions in xt_ecn 2011-12-27 20:45:25 +01:00
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: use _ALL macro to reject unknown flag bits 2012-05-17 00:56:31 +02:00
xt_helper.c
xt_hl.c netfilter: Reduce switch/case indent 2011-07-01 16:11:15 -07:00
xt_HL.c netfilter: Reduce switch/case indent 2011-07-01 16:11:15 -07:00
xt_HMARK.c netfilter: xt_HMARK: fix endianness and provide consistent hashing 2012-06-07 14:53:01 +02:00
xt_IDLETIMER.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
xt_iprange.c
xt_ipvs.c ipvs: API change to avoid rescan of IPv6 exthdr 2012-09-28 11:34:33 +09:00
xt_LED.c
xt_length.c
xt_limit.c netfilter: xt_limit: have r->cost != 0 case work 2012-09-26 01:33:16 +02:00
xt_LOG.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-10-02 11:11:09 -07:00
xt_mac.c netfilter: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:18 -04:00
xt_mark.c
xt_multiport.c
xt_nat.c netfilter: xt_nat: fix incorrect hooks for SNAT and DNAT targets 2012-10-15 13:39:12 +02:00
xt_NETMAP.c netfilter: combine ipt_NETMAP and ip6t_NETMAP 2012-09-21 12:11:08 +02:00
xt_nfacct.c netfilter: xtables: add nfacct match to support extended accounting 2011-12-25 02:43:17 +01:00
xt_NFLOG.c
xt_NFQUEUE.c netfilter: sparse endian fixes 2012-08-20 12:45:57 +02:00
xt_osf.c netfilter: sparse endian fixes 2012-08-20 12:45:57 +02:00
xt_owner.c userns: xt_owner: Add basic user namespace support. 2012-08-14 21:55:30 -07:00
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_rateest.c netfilter: xt_rateest: fix xt_rateest_mt_checkentry() 2011-07-29 16:24:46 +02:00
xt_RATEEST.c net,rcu: Convert call_rcu(xt_rateest_free_rcu) to kfree_rcu() 2011-07-20 14:10:19 -07:00
xt_realm.c
xt_recent.c userns xt_recent: Specify the owner/group of ip_list_perms in the initial user namespace 2012-08-14 21:55:29 -07:00
xt_REDIRECT.c netfilter: combine ipt_REDIRECT and ip6t_REDIRECT 2012-09-21 12:12:05 +02:00
xt_repldata.h
xt_sctp.c
xt_SECMARK.c
xt_set.c netfilter: ipset: Support to match elements marked with "nomatch" 2012-09-22 22:44:34 +02:00
xt_socket.c netfilter: xt_socket: fix compilation warnings with gcc 4.7 2012-09-03 13:31:39 +02:00
xt_state.c
xt_statistic.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_string.c
xt_TCPMSS.c net: Convert net_ratelimit uses to net_<level>_ratelimited 2012-05-15 13:45:03 -04:00
xt_tcpmss.c
xt_TCPOPTSTRIP.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_tcpudp.c
xt_TEE.c netfilter: xt_TEE: don't use destination address found in header 2012-10-17 11:00:31 +02:00
xt_time.c netfilter: xt_time: add support to ignore day transition 2012-09-24 14:29:01 +02:00
xt_TPROXY.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
xt_TRACE.c
xt_u32.c