korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-11 12:28:41 +08:00
Code Issues Packages Projects Releases Wiki Activity
eb92f76ef5
linux/net/netfilter
History
Krister Johansen 4548b683b7 Introduce a sysctl that modifies the value of PROT_SOCK. 
Add net.ipv4.ip_unprivileged_port_start, which is a per namespace sysctl
that denotes the first unprivileged inet port in the namespace.  To
disable all privileged ports set this to zero.  It also checks for
overlap with the local port range.  The privileged and local range may
not overlap.

The use case for this change is to allow containerized processes to bind
to priviliged ports, but prevent them from ever being allowed to modify
their container's network configuration.  The latter is accomplished by
ensuring that the network namespace is not a child of the user
namespace.  This modification was needed to allow the container manager
to disable a namespace's priviliged port restrictions without exposing
control of the network namespace to processes in the user namespace.

Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-24 12:10:51 -05:00
..
ipset netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
ipvs Introduce a sysctl that modifies the value of PROT_SOCK. 2017-01-24 12:10:51 -05:00
core.c netfilter: convert while loops to for loops 2016-12-06 21:42:16 +01:00
Kconfig netfilter: nf_tables: add stateful object reference expression 2016-12-06 21:48:25 +01:00
Makefile netfilter: nf_tables: add stateful object reference expression 2016-12-06 21:48:25 +01:00
nf_conntrack_acct.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_amanda.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
nf_conntrack_broadcast.c
nf_conntrack_core.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
nf_conntrack_ecache.c netfilter: don't rely on DYING bit to detect when destroy event was sent 2016-08-30 11:43:08 +02:00
nf_conntrack_expect.c netfilter: nf_ct_expect: remove the redundant slash when policy name is empty 2016-08-09 10:38:46 +02:00
nf_conntrack_extend.c netfilter: move nat hlist_head to nf_conn 2016-07-11 11:47:50 +02:00
nf_conntrack_ftp.c netfilter: ftp: Remove the useless code 2016-09-07 10:38:00 +02:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931 2016-07-11 12:32:45 +02:00
nf_conntrack_h323_main.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: fix CT target for UNSPEC helpers 2016-11-08 23:53:37 +01:00
nf_conntrack_irc.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_l3proto_generic.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c netfilter: connlabels: move set helper to xt_connlabel 2016-07-22 17:05:10 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: conntrack: remove packet hotpath stats 2016-09-12 19:59:39 +02:00
nf_conntrack_pptp.c netfilter: conntrack: get rid of conntrack timer 2016-08-30 11:43:09 +02:00
nf_conntrack_proto_dccp.c netfilter: conntrack: built-in support for DCCP 2016-12-04 20:53:15 +01:00
nf_conntrack_proto_generic.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_gre.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nf_conntrack_proto_sctp.c netfilter: conntrack: built-in support for SCTP 2016-12-04 20:55:37 +01:00
nf_conntrack_proto_tcp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_udp.c netfilter: remove ip_conntrack* sysctl compat code 2016-08-13 13:27:13 +02:00
nf_conntrack_proto_udplite.c netfilter: conntrack: built-in support for UDPlite 2016-12-04 20:57:36 +01:00
nf_conntrack_proto.c netfilter: conntrack: add nf_conntrack_default_on sysctl 2016-12-04 21:17:25 +01:00
nf_conntrack_sane.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_seqadj.c netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack 2016-09-25 14:54:01 +02:00
nf_conntrack_sip.c netfilter: nf_conntrack_sip: extend request line validation 2016-10-27 18:27:59 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: conntrack: add nf_conntrack_default_on sysctl 2016-12-04 21:17:25 +01:00
nf_conntrack_tftp.c netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_timeout.c netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
nf_conntrack_timestamp.c
nf_dup_netdev.c netfilter: add and use nf_fwd_netdev_egress 2016-12-06 21:48:22 +01:00
nf_internals.h netfilter: merge nf_iterate() into nf_hook_slow() 2016-11-03 11:52:59 +01:00
nf_log_common.c netfilter: nf_log: do not assume ethernet header in netdev family 2016-12-04 20:45:33 +01:00
nf_log_netdev.c netfilter: nf_log: do not assume ethernet header in netdev family 2016-12-04 20:45:33 +01:00
nf_log.c netfilter: fix namespace handling in nf_log_proc_dostring 2016-10-04 08:41:06 +02:00
nf_nat_amanda.c
nf_nat_core.c netfilter: built-in NAT support for UDPlite 2016-12-04 20:45:32 +01:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_proto_common.c
nf_nat_proto_dccp.c netfilter: built-in NAT support for DCCP 2016-12-04 20:45:30 +01:00
nf_nat_proto_sctp.c netfilter: nat: skip checksum on offload SCTP packets 2016-12-07 13:22:50 +01:00
nf_nat_proto_tcp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udplite.c netfilter: built-in NAT support for UDPlite 2016-12-04 20:45:32 +01:00
nf_nat_proto_unknown.c
nf_nat_redirect.c netfilter: nf_nat_redirect: add missing NULL pointer check 2015-10-27 06:54:56 +01:00
nf_nat_sip.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_nat_tftp.c
nf_queue.c netfilter: introduce accessor functions for hook entries 2016-12-06 21:42:15 +01:00
nf_sockopt.c netfilter: don't use mutex_lock_interruptible() 2014-08-08 16:47:23 +02:00
nf_synproxy_core.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nf_tables_api.c netfilter: nf_tables: fix oob access 2016-12-14 23:39:06 +01:00
nf_tables_core.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nf_tables_inet.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_netdev.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nf_tables_trace.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nfnetlink_acct.c netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects 2016-08-25 13:11:00 +02:00
nfnetlink_cthelper.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nfnetlink_cttimeout.c netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists 2016-08-25 13:11:30 +02:00
nfnetlink_log.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
nfnetlink_queue.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
nfnetlink.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
nft_bitwise.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nft_byteorder.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nft_cmp.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nft_compat.c netfilter: nft_compat: fix crash when related match/target module is removed 2016-07-23 12:25:00 +02:00
nft_counter.c netfilter: nft_counter: rework atomic dump and reset 2016-12-11 10:01:05 -05:00
nft_ct.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
nft_dup_netdev.c netfilter: nf_tables: add packet duplication to the netdev family 2016-01-03 21:04:23 +01:00
nft_dynset.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-15 10:54:36 -05:00
nft_exthdr.c netfilter: nft_exthdr: fix error handling in nft_exthdr_init() 2016-10-17 17:43:54 +02:00
nft_fib_inet.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_fib.c netfilter: nft_fib: convert htonl to ntohl properly 2016-12-06 21:42:20 +01:00
nft_fwd_netdev.c netfilter: add and use nf_fwd_netdev_egress 2016-12-06 21:48:22 +01:00
nft_hash.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
nft_immediate.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nft_limit.c netfilter: nft_limit: fix divided by zero panic 2016-10-04 08:59:03 +02:00
nft_log.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_lookup.c netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nft_masq.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_meta.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_nat.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_numgen.c netfilter: nft_numgen: start round robin from zero 2016-10-26 16:35:16 +02:00
nft_objref.c netfilter: nft_objref: support for stateful object maps 2016-12-07 13:22:48 +01:00
nft_payload.c netfilter: nft_payload: mangle ckecksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set 2016-12-14 23:39:11 +01:00
nft_queue.c netfilter: nft_queue: use raw_smp_processor_id() 2016-12-14 23:39:01 +01:00
nft_quota.c netfilter: nft_quota: reset quota after dump 2016-12-14 23:38:51 +01:00
nft_range.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
nft_redir.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_reject_inet.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_reject.c netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
nft_rt.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00
nft_set_hash.c netfilter: nf_tables: support for set flushing 2016-12-07 13:31:40 +01:00
nft_set_rbtree.c netfilter: nf_tables: support for set flushing 2016-12-07 13:31:40 +01:00
x_tables.c netfilter: x_tables: avoid warn and OOM killer on vmalloc call 2016-12-07 13:31:41 +01:00
xt_addrtype.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_AUDIT.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_bpf.c netfilter: xt_bpf: support ebpf 2016-12-07 13:32:35 +01:00
xt_cgroup.c netfilter: implement xt_cgroup cgroup2 path match 2015-12-14 20:34:55 +01:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_comment.c
xt_connbytes.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_connlabel.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_connlimit.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_connmark.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_CONNSECMARK.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_conntrack.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_cpu.c
xt_CT.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_dccp.c
xt_devgroup.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_dscp.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_DSCP.c netfilter: fix various sparse warnings 2014-11-13 12:14:42 +01:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
xt_helper.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_hl.c
xt_HL.c
xt_HMARK.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_IDLETIMER.c netfilter: IDLETIMER: fix race condition when destroy the target 2016-04-29 14:28:48 +02:00
xt_ipcomp.c netfilter: xt_ipcomp: add "ip[6]t_ipcomp" module alias name 2016-10-17 17:38:19 +02:00
xt_iprange.c
xt_ipvs.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_l2tp.c
xt_LED.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-08-05 18:46:26 -07:00
xt_length.c
xt_limit.c
xt_LOG.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_mac.c
xt_mark.c netfilter: xt_MARK: Add ARP support 2015-05-14 13:00:27 +02:00
xt_multiport.c netfilter: xt_multiport: Fix wrong unmatch result with multiple ports 2016-12-06 21:48:20 +01:00
xt_nat.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
xt_NETMAP.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
xt_nfacct.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_NFLOG.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_NFQUEUE.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_osf.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_owner.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_physdev.c netfilter: physdev: add missed blank 2016-08-12 00:42:14 +02:00
xt_pkttype.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_policy.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_quota.c
xt_rateest.c net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00
xt_RATEEST.c net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00
xt_realm.c
xt_recent.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
xt_REDIRECT.c netfilter: nat: add dependencies on conntrack module 2016-12-04 21:16:51 +01:00
xt_repldata.h
xt_sctp.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
xt_SECMARK.c
xt_set.c netfilter: ipset: Improve skbinfo get/init helpers 2016-11-10 13:28:42 +01:00
xt_socket.c netfilter: defrag: only register defrag functionality if needed 2016-12-06 21:42:00 +01:00
xt_state.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
xt_statistic.c
xt_string.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
xt_tcpmss.c
xt_TCPMSS.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_TCPOPTSTRIP.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
xt_tcpudp.c netfilter: Convert FWINV<[foo]> macros and uses to NF_INVF 2016-07-03 10:55:07 +02:00
xt_TEE.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
xt_time.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
xt_TPROXY.c netfilter: defrag: only register defrag functionality if needed 2016-12-06 21:42:00 +01:00
xt_TRACE.c netfilter: xt_TRACE: add explicitly nf_logger_find_get call 2016-06-23 13:26:49 +02:00
xt_u32.c