19 Apr, 2013
1 commit
-
Add copyright statements to all netfilter files which have had significant
changes done by myself in the past.Some notes:
- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
Core Team when it got split out of nf_conntrack_core.c. The copyrights
even state a date which lies six years before it was written. It was
written in 2005 by Harald and myself.- net/ipv{4,6}/netfilter.c, net/netfitler/nf_queue.c were missing copyright
statements. I've added the copyright statement from net/netfilter/core.c,
where this code originated- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
it to give the wrong impressionSigned-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
08 Apr, 2013
1 commit
-
Propagate routing errors from ip_route_me_harder() when dropping a packet
using NF_DROP_ERR(). This makes userspace get the proper error instead of
EPERM for everything.# ip -6 r a unreachable default table 100
# ip -6 ru add fwmark 0x1 lookup 100
# ip6tables -t mangle -A OUTPUT -d 2001:4860:4860::8888 -j MARK --set-mark 0x1Old behaviour:
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permittedNew behaviour:
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachableSigned-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
30 Aug, 2012
1 commit
-
Expand the skb headroom if the oif changed due to rerouting similar to
how IPv4 packets are handled.Signed-off-by: Patrick McHardy
07 Nov, 2011
1 commit
-
* 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux: (230 commits)
Revert "tracing: Include module.h in define_trace.h"
irq: don't put module.h into irq.h for tracking irqgen modules.
bluetooth: macroize two small inlines to avoid module.h
ip_vs.h: fix implicit use of module_get/module_put from module.h
nf_conntrack.h: fix up fallout from implicit moduleparam.h presence
include: replace linux/module.h with "struct module" wherever possible
include: convert various register fcns to macros to avoid include chaining
crypto.h: remove unused crypto_tfm_alg_modname() inline
uwb.h: fix implicit use of asm/page.h for PAGE_SIZE
pm_runtime.h: explicitly requires notifier.h
linux/dmaengine.h: fix implicit use of bitmap.h and asm/page.h
miscdevice.h: fix up implicit use of lists and types
stop_machine.h: fix implicit use of smp.h for smp_processor_id
of: fix implicit use of errno.h in include/linux/of.h
of_platform.h: delete needless include
acpi: remove module.h include from platform/aclinux.h
miscdevice.h: delete unnecessary inclusion of module.h
device_cgroup.h: delete needless include
net: sch_generic remove redundant use of
net: inet_timewait_sock doesnt need
...Fix up trivial conflicts (other header files, and removal of the ab3550 mfd driver) in
- drivers/media/dvb/frontends/dibx000_common.c
- drivers/media/video/{mt9m111.c,ov6650.c}
- drivers/mfd/ab3550-core.c
- include/linux/dmaengine.h
01 Nov, 2011
2 commits
-
Several callers (h323 conntrack, xt_addrtype) assume that the
returned **dst only needs to be released if the function returns 0.This is true for the ipv4 implementation, but not for the ipv6 one.
Instead of changing the users, change the ipv6 implementation
to behave like the ipv4 version by only providing the dst_entry result
in the success case.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.Signed-off-by: Paul Gortmaker
23 Apr, 2011
1 commit
-
Add const qualifiers to structs iphdr, ipv6hdr and in6_addr pointers
where possible, to make code intention more obvious.Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
04 Apr, 2011
2 commits
-
ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
to an interface, but this flag cannot be set via struct flowi.Also, it cannot be set via ip6_route_output: this function uses the
passed sock struct to determine if this flag is required
(by testing for nonzero sk_bound_dev_if).Work around this by passing in an artificial struct sk in case
'strict' argument is true.This is required to replace the rt6_lookup call in xt_addrtype.c with
nf_afinfo->route().Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy -
This is required to eventually replace the rt6_lookup call in
xt_addrtype.c with nf_afinfo->route().Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy
13 Mar, 2011
2 commits
-
Signed-off-by: David S. Miller
-
I intend to turn struct flowi into a union of AF specific flowi
structs. There will be a common structure that each variant includes
first, much like struct sock_common.This is the first step to move in that direction.
Signed-off-by: David S. Miller
03 Mar, 2011
1 commit
-
Instead of on the stack.
Signed-off-by: David S. Miller
18 Nov, 2010
1 commit
-
Use the macros defined for the members of flowi to clean the code up.
Signed-off-by: Changli Gao
Signed-off-by: David S. Miller
14 Jun, 2010
1 commit
-
If the returned csum value is 0, We has set ip_summed with
CHECKSUM_UNNECESSARY flag in __skb_checksum_complete_head().So this patch kills the check and changes to return to upper
caller directly.Signed-off-by: Shan Wei
Signed-off-by: Patrick McHardy
15 Apr, 2010
1 commit
-
xfrm_lookup should be called after ip6_route_output skb_dst_set,
otherwise skb_dst_set of xfrm_lookup is pointlessSigned-off-by: Ulrich Weber
Signed-off-by: Patrick McHardy
03 Jun, 2009
1 commit
-
Define three accessors to get/set dst attached to a skb
struct dst_entry *skb_dst(const struct sk_buff *skb)
void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;Delete skb->dst field
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
28 Nov, 2008
1 commit
-
Conflicts:
net/netfilter/nf_conntrack_netlink.c
26 Nov, 2008
1 commit
-
Pass netns to xfrm_lookup()/__xfrm_lookup(). For that pass netns
to flow_cache_lookup() and resolver callback.Take it from socket or netdevice. Stub DECnet to init_net.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
25 Nov, 2008
1 commit
-
This patch let nfmark to be evaluated for routing decision for OUTPUT
packet, in mangle table, when process paquet in NFQUEUE. This patch is
an IPv6 port of Laurent Licour IPv4 one.Signed-off-by: Eric Leblond
Signed-off-by: Patrick McHardy
15 Oct, 2008
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
09 Oct, 2008
1 commit
-
Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
08 Oct, 2008
1 commit
-
Take netns from skb->dst->dev. It should be safe because, they are called
from LOCAL_OUT hook where dst is valid (though, I'm not exactly sure about
IPVS and queueing packets to userspace).[Patrick: its safe everywhere since they already expect skb->dst to be set]
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
14 Apr, 2008
1 commit
-
Move the UDP-Lite conntrack checksum validation to a generic helper
similar to nf_checksum() and make it fall back to nf_checksum()
in case the full packet is to be checksummed and hardware checksums
are available. This is to be used by DCCP conntrack, which also
needs to verify partial checksums.Signed-off-by: Patrick McHardy
06 Mar, 2008
1 commit
-
Add an netns parameter to ip6_route_output. That will allow to access
to the right routing table for outgoing traffic.Signed-off-by: Daniel Lezcano
Signed-off-by: Benjamin Thery
Signed-off-by: David S. Miller
29 Jan, 2008
5 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Move common fields for queue management to struct nf_info and rename it
to struct nf_queue_entry. The avoids one allocation/free per packet and
simplifies the code a bit.Alternatively we could add some private room at the tail, but since
all current users use identical structs this seems easier.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
nf_conntrack_h323 needs ip6_route_output for the call forwarding filter.
Add a ->route function to nf_afinfo and use that to avoid pulling in the
ipv6 module.Fix the #ifdef for the IPv6 code while I'm at it - the IPv6 support is
only needed when IPv6 conntrack is enabled.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurances of sk_buff ** in the netfilter API by
sk_buff *.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
26 Apr, 2007
1 commit
-
Now the skb->nh union has just one member, .raw, i.e. it is just like the
skb->mac union, strange, no? I'm just leaving it like that till the transport
layer is done with, when we'll rename skb->mac.raw to skb->mac_header (or
->mac_header_offset?), ditto for ->{h,nh}.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
06 Mar, 2007
1 commit
-
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
03 Dec, 2006
3 commits
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
For IP MIB (RFC4293).
Signed-off-by: YOSHIFUJI Hideaki
23 Sep, 2006
1 commit
-
Replace CHECKSUM_HW by CHECKSUM_PARTIAL (for outgoing packets, whose
checksum still needs to be completed) and CHECKSUM_COMPLETE (for
incoming packets, device supplied full checksum).Patch originally from Herbert Xu, updated by myself for 2.6.18-rc3.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
10 Apr, 2006
3 commits
-
Can't build with CONFIG_NETFILTER=y/m on IA64, there's a missing
#include in net/ipv6/netfilter.cnet/ipv6/netfilter.c: In function `nf_ip6_checksum':
net/ipv6/netfilter.c:92: warning: implicit declaration of function
`csum_ipv6_magic'Signed-off-by: Brian Haley
Signed-off-by: David S. Miller -
Add checksum operation which takes care of verifying the checksum and
dealing with HW checksum errors and avoids multiple checksum
operations by setting ip_summed to CHECKSUM_UNNECESSARY after
successful verification.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Change the queue rerouter intrastructure to a generic usable
infrastructure for address family specific operations as a base for
some cleanups.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
