13 Jan, 2011
1 commit
-
The IPv6 tproxy patches split IPv6 defragmentation off of conntrack, but
failed to update the #ifdef stanzas guarding the defragmentation related
fields and code in skbuff and conntrack related code in nf_defrag_ipv6.c.This patch adds the required #ifdefs so that IPv6 tproxy can truly be used
without connection tracking.Original report:
http://marc.info/?l=linux-netdev&m=129010118516341&w=2Reported-by: Randy Dunlap
Acked-by: Randy Dunlap
Signed-off-by: KOVACS Krisztian
Signed-off-by: Pablo Neira Ayuso
21 Oct, 2010
1 commit
-
Like with IPv4, TProxy needs IPv6 defragmentation but does not
require connection tracking. Since defragmentation was coupled
with conntrack, I split off the two, creating an nf_defrag_ipv6 module,
similar to the already existing nf_defrag_ipv4.Signed-off-by: Balazs Scheidler
Signed-off-by: KOVACS Krisztian
Signed-off-by: Patrick McHardy
15 Dec, 2009
1 commit
-
Currently the same reassembly queue might be used for packets reassembled
by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT),
as well as local delivery. This can cause "packet jumps" when the fragment
completing a reassembled packet is queued from a different position in the
stack than the previous ones.Add a "user" identifier to the reassembly queue key to seperate the queues
of each caller, similar to what we do for IPv4.Signed-off-by: Patrick McHardy
08 Jun, 2009
1 commit
-
Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.Signed-off-by: Jan "Yenya" Kasprzak
Signed-off-by: Patrick McHardy
29 Jan, 2008
1 commit
-
This is a preparation for sysctl netns-ization.
Move the ctl tables to the files, where the tuning
variables reside. Plus make the helpers to register
the tables.This will simplify the later patches and will keep
similar things closer to each other.ipv4, ipv6 and conntrack_reasm are patched differently,
but the result is all the tables are in appropriate files.Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
Some sysctl variables are used to tune the frag queues
management and it will be useful to work with them in
a common way in the future, so move them into one
structure, moreover they are the same for all the frag
management codes.I don't place them in the existing inet_frags object,
introduced in the previous patch for two reasons:1. to keep them in the __read_mostly section;
2. not to export the whole inet_frags objects outside.Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
31 Jul, 2007
1 commit
-
nf_ct_ipv6_skip_exthdr() can now become static.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
15 Jul, 2007
1 commit
-
The icmp[v6] l4proto modules parse headers in ICMP[v6] error to get tuple.
But they have to find the offset to transport protocol header before that.
Their processings are almost same as prepare() of l3proto modules.
This makes prepare() more generic to simplify icmp[v6] l4proto module
later.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 Dec, 2006
1 commit
-
Using extern in a C file is a bad idea because the compiler can't
catch type errors.Signed-off-by: Patrick McHardy
10 Nov, 2005
1 commit
-
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.In fact nf_conntrack is capable of working with any layer 3
protocol.The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv63) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Harald Welte
Signed-off-by: Arnaldo Carvalho de Melo