27 Mar, 2009
1 commit
-
A number of standard posix types are used in exported headers, which
is not allowed if __STRICT_KERNEL_NAMES is defined. In order to
get rid of the non-__STRICT_KERNEL_NAMES part and to make sane headers
the default, we have to change them all to safe types.There are also still some leftovers in reiserfs_fs.h, elfcore.h
and coda.h, but these files have not compiled in user space for
a long time.This leaves out the various integer types ({u_,u,}int{8,16,32,64}_t),
which we take care of separately.Signed-off-by: Arnd Bergmann
Acked-by: Mauro Carvalho Chehab
Cc: David Airlie
Cc: Arnaldo Carvalho de Melo
Cc: YOSHIFUJI Hideaki
Cc: netdev@vger.kernel.org
Cc: linux-ppp@vger.kernel.org
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Cc: David Woodhouse
Signed-off-by: H. Peter Anvin
Signed-off-by: Ingo Molnar
20 Nov, 2008
1 commit
-
It seems that all of the include/netfilter_{ipv4,ipv6}/{ipt,ip6t}_*.h which
share constants include the corresponding include/netfilter/xp_*.h files.
Neither ipt_policy.h not ip6t_policy.h do. Make these consistant with
the norm.Signed-off-by: Andy Whitcroft
Signed-off-by: Patrick McHardy
08 Oct, 2008
1 commit
-
Like with other modules (such as ipt_state), ipt_recent.h is changed
to forward definitions to (IOW include) xt_recent.h, and xt_recent.c
is changed to use the new constant names.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
22 May, 2008
1 commit
-
Greg Steuck points out that some of the netfilter
headers can't be used in userspace without including linux/types.h
first. The headers include their own linux/types.h include statements,
these are stripped by make headers-install because they are inside
#ifdef __KERNEL__ however. Move them out to fix this.Reported and Tested by Greg Steuck.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Feb, 2008
1 commit
-
Typical table module registers xt_table structure (i.e. packet_filter)
and link it to list during it. We can't use one template for it because
corresponding list_head will become corrupted. We also can't unregister
with template because it wasn't changed at all and thus doesn't know in
which list it is.So, we duplicate template at the very first step of table registration.
Table modules will save it for use during unregistration time and actual
filtering.Do it at once to not screw bisection.
P.S.: renaming i.e. packet_filter => __packet_filter is temporary until
full netnsization of table modules is done.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
6 commits
-
This patch moves ipt_iprange to xt_iprange, in preparation for adding
IPv6 support to xt_iprange.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Use compat types and compat iterators when dealing with compat entries for
clarity. This doesn't actually make a difference for ip_tables, but is
needed for ip6_tables and arp_tables.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Addrtype match has a new revision (1), which lets address type checking
limited to the interface the current packet belongs to. Either incoming
or outgoing interface can be used depending on the current hook. In the
FORWARD hook two maches should be used if both interfaces have to be checked.
The new structure is ipt_addrtype_info_v1.Revision 0 lets older userspace programs use the match as earlier.
ipt_addrtype_info is used.Signed-off-by: Laszlo Attila Toth
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
07 Nov, 2007
1 commit
-
Sort matches and targets in the Kbuild file.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurances of sk_buff ** in the netfilter API by
sk_buff *.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
18 Jul, 2007
1 commit
-
ipt_iprange.h must #include since it uses __be32.
This patch fixes kernel Bugzilla #7604.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
Adjust structure size and don't expect pointers passed in from
userspace to be valid. Also replace an enum in an ABI structure
by a fixed size type.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
08 Jun, 2007
1 commit
-
check_compat_entry_size_and_hooks iterates over the matches and calls
compat_check_calc_match, which loads the match and calculates the
compat offsets, but unlike the non-compat version, doesn't call
->checkentry yet. On error however it calls cleanup_matches, which in
turn calls ->destroy, which can result in crashes if the destroy
function (validly) expects to only get called after the checkentry
function.Add a compat_release_match function that only drops the module reference
on error and rename compat_check_calc_match to compat_find_calc_match to
reflect the fact that it doesn't call the checkentry function.Reported by Jan Engelhardt
Signed-off-by: Dmitry Mishin
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 May, 2007
1 commit
-
- move arp_tables initial table structure definitions to arp_tables.h
similar to ip_tables and ip6_tables- use C99 initializers
- use initializer macros where possible
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Apr, 2007
1 commit
-
Remove the obsolete IPv4 only connection tracking/NAT as scheduled in
feature-removal-schedule.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
06 Mar, 2007
1 commit
-
Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
- unconfirmed entries can not be killed manually, they are removed on
confirmation or final destruction of the conntrack entry, which means
we might iterate forever without making forward progress.This can happen in combination with the conntrack event cache, which
holds a reference to the conntrack entry, which is only released when
the packet makes it all the way through the stack or a different
packet is handled.- taking references to an unconfirmed entry and using it outside the
locked section doesn't work, the list entries are not refcounted and
another CPU might already be waiting to destroy the entryWhat the code really wants to do is make sure the references of the hash
table to the selected conntrack entries are released, so they will be
destroyed once all references from skbs and the event cache are dropped.Since unconfirmed entries haven't even entered the hash yet, simply mark
them as dying and skip confirmation based on that.Reported and tested by Chuck Ebbert
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Feb, 2007
1 commit
-
CONNTRACK_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding ip_conntrack_lock.Add CONNTRACK_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
09 Feb, 2007
5 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Use the x_tables functions directly to make it better visible which
parts are shared between ip_tables and ip6_tables.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
This patch adds support to NAT to randomize source ports.
Signed-off-by: Eric Leblond
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
24 Jan, 2007
1 commit
-
With the introduction of x_tables we accidentally broke compatibility
by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of
XT_TABLE_MAXNAMELEN, which is two bytes larger.On most architectures it doesn't really matter since we don't have
any tables with names that long in the kernel and the structure
layout didn't change because of alignment requirements of following
members. On CRIS however (and other architectures that don't align
data) this changed the structure layout and thus broke compatibility
with old iptables binaries.Changing it back will break compatibility with binaries compiled
against recent kernels again, but since the breakage has only been
there for three releases this seems like the better choice.Spotted by Jonas Berlin .
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
04 Dec, 2006
1 commit
-
Signed-off-by: Al Viro
03 Dec, 2006
10 commits
-
Add IPv4 and IPv6 capable nf_conntrack port of the H.323 conntrack/NAT helper.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Add FTP NAT helper.
Split out from Jozsef's big nf_nat patch with a few small fixes by myself.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
targets to optionally call to the nflog API. They lack a few features,
namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
related to nfnetlink_log, while the ULOG target is only available for IPv4.
Remove those hacks and add a clean way to use nfnetlink_log.Signed-off-by: Patrick McHardy
-
Signed-off-by: Patrick McHardy
-
The NAT handling of the SIP helper has a few problems:
- Request headers are only mangled in the reply direction, From/To headers
not at all, which can lead to authentication failures with DNAT in case
the authentication domain is the IP address- Contact headers in responses are only mangled for REGISTER responses
- Headers may be mangled even though they contain addresses not
participating in the connection, like alternative addresses- Packets are droppen when domain names are used where the helper expects
IP addressesThis patch takes a different approach, instead of fixed rules what field
to mangle to what content, it adds symetric mapping of From/To/Via/Contact
headers, which allows to deal properly with echoed addresses in responses
and foreign addresses not belonging to the connection.Signed-off-by: Patrick McHardy
-
SIP headers are generally case-insensitive, only SDP headers are
case sensitive.Signed-off-by: Patrick McHardy
-
- Use enum for header field enumeration
- Use numerical value instead of pointer to header info structure to
identify headers, unexport ct_sip_hdrs
- group SIP and SDP entries in header info structure
- remove double forward declaration of ct_sip_get_infoSigned-off-by: Patrick McHardy
-
We usually uses 'xxx_find_get' for function which increments
reference count.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
16 Nov, 2006
1 commit
-
66 and 67 for getsockopt on IPv6 socket is doubly used for IPv6 Advanced
API and ip6tables. This moves numbers for ip6tables to 68 and 69.
This also kills XT_SO_* because {ip,ip6,arp}_tables doesn't have so much
common numbers now.The old userland tools keep to behave as ever, because old kernel always
calls functions of IPv6 Advanced API for their numbers.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Sep, 2006
2 commits
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller