23 Sep, 2006
35 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Split the xt_compat_match/xt_compat_target into smaller type-safe functions
performing just one operation. Handle all alignment and size-related
conversions centrally in these functions instead of requiring each module to
implement a full-blown conversion function. Replace ->compat callback by
->compat_from_user and ->compat_to_user callbacks, responsible for
converting just a single private structure.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Brian Haley
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Don't count window updates as retransmissions.
Signed-off-by: George Hansper
Signed-off-by: Patrick McHardy
-
sparse "defined twice" warning
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
On SMP environments the maximum number of conntracks can be overpassed
under heavy stress situations due to an existing race condition.

    CPU A                   CPU B
    atomic_read()           ...
    early_drop()            ...
    ...                     atomic_read()
    allocate conntrack      allocate conntrack
    atomic_inc()            atomic_inc()

This patch moves the counter incrementation before the early drop stage.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Merge the bits to dump the conntrack table and the ones to dump and
zero counters in a single piece of code. This patch does not change
the default behaviour if accounting is not enabled.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The limit match reinitializes its state whenever the ruleset changes,
which means it will forget about previously used credits.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Also fix some whitespace errors and use the NAT bits instead of deriving
the state manually.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Kill listhelp.h and use the list.h functions instead.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Change some netfilter tunables to __read_mostly. Also fixed some
incorrect file reference comments while I was in there.

(this will be my last __read_mostly patch unless someone points out
something else that needs it)

Signed-off-by: Brian Haley
Acked-by: Patrick McHardy
Signed-off-by: David S. Miller
-
net/netfilter/xt_CONNMARK.c: In function 'target':
net/netfilter/xt_CONNMARK.c:59: warning: implicit declaration of
function 'nf_conntrack_event_cache'

The warning is due to the following .config:
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CONNTRACK_NETLINK=m

This change was introduced by:
http://www.kernel.org/git/?p=linux/kernel/git/davem/net-2.6.19.git;a=commit;h=76e4b41009b8a2e9dd246135cf43c7fe39553aa5

Proposed solution (based on the define in
include/net/netfilter/nf_conntrack_compat.h:

Signed-off-by: Benoit Boissinot
Acked-by: Pablo Neira Ayuso
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
-
Noticed by Adrian Bunk.
Signed-off-by: David S. Miller
-
Signed-off-by: YOSHIFUJI Hideaki
-
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
- remove unused define
- remove useless wrapper function
- use new line for expression after condition

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The size is verified by x_tables and isn't needed by the modules anymore.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
IPCT_HELPER and IPCT_NATINFO bits are never set on updates.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This patch uses nfnetlink_has_listeners to check for listeners in
userspace.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
ctnetlink dumps the mark iff the event mark happened
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This patch introduces the mark event. ctnetlink can use this to know if
the mark needs to be dumped.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This replaces IPv4 DSCP target by address family independent version.
This also
- utilizes dsfield.h to get/mangle DS field in IPv4/IPv6 header
- fixes Kconfig help text.

Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This replaces IPv4 dscp match by address family independent version.
This also
- utilizes dsfield.h to get the DS field in IPv4/IPv6 header, and
- checks for the DSCP value from user space.
- fixes Kconfig help text.

Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Handle GSO packets in nf_queue by segmenting them before queueing to
avoid breaking GSO in case they get mangled.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Update hardware checksums incrementally to avoid breaking GSO.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Replace CHECKSUM_HW by CHECKSUM_PARTIAL (for outgoing packets, whose
checksum still needs to be completed) and CHECKSUM_COMPLETE (for
incoming packets, device supplied full checksum).

Patch originally from Herbert Xu, updated by myself for 2.6.18-rc3.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
20 Sep, 2006
1 commit
-
Add missing aliases for ipt_quota and ip6t_quota to make autoload
work.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
18 Aug, 2006
2 commits
-
ip_conntrack_put must not be called while holding ip_conntrack_lock
since destroy_conntrack takes it again.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
It needs netfilter_bridge.h for brnf_deferred_hooks
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
14 Aug, 2006
2 commits
-
Fix kernel panic on various SMP machines. The culprit is a null
ub->skb in ulog_send(). If ulog_timer() has already been scheduled on
one CPU and is spinning on the lock, and ipt_ulog_packet() flushes the
queue on another CPU by calling ulog_send() right before it exits,
there will be no skbuff when ulog_timer() acquires the lock and calls
ulog_send(). Cancelling the timer in ulog_send() doesn't help because
it has already been scheduled and is running on the first CPU.

Similar problem exists in ebt_ulog.c and nfnetlink_log.c.
Signed-off-by: Mark Huang
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The xt_string match is broken with ! negation.
This resolves a portion of netfilter bugzilla #497.

Signed-off-by: Phil Oester
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller