20 Feb, 2006
2 commits
-
When redirecting an outgoing packet to loopback, it keeps the original
conntrack reference and information from the outgoing path, which
falsely triggers the check for DNAT on input and the dst_entry is
released to trigger rerouting. ip_route_input refuses to route the
packet because it has a local source address and it is dropped.

Look at the packet itself to determine if it was NATed. Also fix a
missing inversion that causes unnecessary xfrm lookups.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
ICMP errors are only SNATed when their source matches the source of the
connection they are related to, otherwise the source address is not
changed. This creates problems with ICMP frag. required messages
originating from a router behind the NAT, if private IPs are used the
packet has a good chance of getting dropped on the path to its destination.

Always NAT ICMP errors similar to the original connection.

Based on report by Al Viro.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Feb, 2006
1 commit
-
Move registration of __nf_ct_attach to nf_conntrack_core to make it usable
for IPv6 connection tracking as well.

Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
15 Feb, 2006
1 commit
-
To find out if a packet needs to be handled by IPsec after SNAT, packets
are currently rerouted in POST_ROUTING and a new xfrm lookup is done. This
breaks SNAT of non-unicast packets to non-local addresses because the
packet is routed as incoming packet and no neighbour entry is bound to the
dst_entry. In general, it seems to be a bad idea to replace the dst_entry
after the packet was already sent to the output routine because its state
might not match what's expected.

This patch changes the xfrm lookup in POST_ROUTING to re-use the original
dst_entry without routing the packet again. This means no policy routing
can be used for transport mode transforms (which keep the original route)
when packets are SNATed to match the policy, but it looks like the best
we can do for now.

Signed-off-by: Patrick McHardy
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
05 Feb, 2006
9 commits
-
After DNAT the original dst_entry needs to be released if present
so the packet doesn't skip input routing with its new address. The
current check for DNAT in ip_nat_in is reversed and checks for SNAT.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The IPv4 and IPv6 version of the policy match are identical besides address
comparison and the data structure used for userspace communication. Unify
the data structures to break compatibility now (before it is released), so
we can port it to x_tables in 2.6.17.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user(). In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above. Either is
sufficient to overwrite arbitrary amounts of kernel memory.

I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...

Found by Solar Designer during security audit of OpenVZ.org

Signed-Off-By: Kirill Korotaev
Signed-Off-By: Solar Designer
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Reported by David Ahern, netfilter bugzilla #426.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The skb allocated is always of size nlbufsize, even if that is smaller than
the size needed for the current packet.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Performance tests showed that ULOG may fail on heavily loaded systems
because of failed order-N allocations (N >= 1).

The default value of 4096 is not optimal in the sense that it actually
allocates _two_ contiguous physical pages. Reasoning: ULOG uses
alloc_skb(), which adds another ~300 bytes for skb_shared_info.

This patch sets the default value to NLMSG_GOODSIZE and adds some
documentation at the top.

Signed-off-by: Holger Eitzenberger
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add load-on-demand support for expectation request, e.g. conntrack -L expect
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The ctnetlink expectation events should use the NFNL_SUBSYS_CTNETLINK_EXP
subsystem, not NFNL_SUBSYS_CTNETLINK.

Signed-off-by: Marcus Sundberg
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
17 Jan, 2006
3 commits
-
Signed-off-by: David S. Miller
-
These are replaced with x_tables matches and no longer exist.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
-
ip[6]t_policy argument conversion slipped when merging with x_tables
Signed-off-by: Benoit Boissinot
Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
13 Jan, 2006
1 commit
-
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
12 Jan, 2006
2 commits
-
net: Use where capable() is used.
Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
It is invoked from failure paths of __init code.
Signed-off-by: David S. Miller
11 Jan, 2006
7 commits
-
Headers included twice.
Signed-off-by: Nicolas Kaiser
Signed-off-by: Adrian Bunk
-
The connection tracking timeout variables are unsigned long, but
proc_dointvec_jiffies is used with sizeof(unsigned int) in the sysctl
tables. Since there is no proc_doulongvec_jiffies function, change the
timeout variables to unsigned int.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
->print and ->print_range are not used (and apparently never were).
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
ip_nat_mangle_tcp_packet doesn't return NF_* values but 0/1 for
failure/success.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The PPTP NAT helper calculates the offset at which the packet needs
to be mangled as difference between two pointers to the header. With
non-linear skbs however the pointers may point to two separate buffers
on the stack and the calculation results in a wrong offset being
used.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmetic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This changes some memcmp(one,two,ETH_ALEN) to compare_ether_addr(one,two).
Signed-off-by: Kris Katterjohn
Signed-off-by: David S. Miller
10 Jan, 2006
1 commit
-
Additionally, one comment was reformulated by Joe Perches.
Signed-off-by: Adrian Bunk
08 Jan, 2006
5 commits
-
Signed-off-by: Joe Kappus
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi
of the original packet from the conntrack information for IPsec policy
checks.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
When NAT changes the key used for the xfrm lookup it needs to be done
again. If a new policy is returned in POST_ROUTING the packet needs
to be passed to xfrm4_output_one manually after all hooks were called
because POST_ROUTING is called with fixed okfn (ip_finish_output).

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Preparation for IPsec support for NAT:
Use conntrack information instead of saving and comparing the
addresses to determine if a packet was NATed and needs to be rerouted to
make it easier to extend the key.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
07 Jan, 2006
3 commits
-
From: Joe
Signed-off-by: David S. Miller
-
Now when kbuild passes KBUILD_MODNAME with "" do not __stringify it when
used. Remove __stringify for all users.

This also fixes the output of:

$ ls -l /sys/module/
drwxr-xr-x 4 root root 0 2006-01-05 14:24 pcmcia
drwxr-xr-x 4 root root 0 2006-01-05 14:24 pcmcia_core
drwxr-xr-x 3 root root 0 2006-01-05 14:24 "processor"
drwxr-xr-x 3 root root 0 2006-01-05 14:24 "psmouse"

The quoting of the module names will be gone again.

Thanks to GregKH + Kay Sievers for reporting this.

Signed-off-by: Sam Ravnborg
06 Jan, 2006
5 commits
-
HOPLIMIT metric is more appropriate to TCP reset sent by REJECT target
than hard-coded max TTL. Thanks to David S. Miller for hint.

Signed-off-by: Yasuyuki Kozakai
Signed-off-by: David S. Miller
-
CC [M] net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.o
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c: In function 'ipv4_refrag':
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c:198: error: dereferencing pointer to incomplete type
make[3]: *** [net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.o] Error 1

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Call POST_ROUTING hook before fragmentation to get rid of the okfn use
in ip_refrag and save the useless fragmentation/defragmentation step
when NAT is used.

The patch introduces one user-visible change, the POSTROUTING chain
in the mangle table gets entire packets, not fragments, which should
simplify use of the MARK and CLASSIFY targets for queueing as a nice
side-effect.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Properly dump the helper name instead of internal kernel data.
Based on patch by Marcus Sundberg.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Fix netfilter module_param types and permissions. Also fix an off-by-one in
the ipt_ULOG nlbufsiz < 128k check.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller