01 Nov, 2011
1 commit
-
This patch exports several definitions that used to live under
include/net/netfilter/nf_nat.h. These definitions, although not
exported, have been used by iptables and other userspace
applications like miniupnpd for a long time. Basically, these
userspace tools included some internal definition of the required
structures and they assume no changes in the binary representation
(which is OK indeed).
To resolve this situation, this patch makes public the required
structure and installs them in INSTALL_HDR_PATH.
See: https://bugs.gentoo.org/376873, for more information.
This patch is heavily based on the initial patch sent by:
Anthony G. Basile
Which was entitled:
netfilter: export sanitized nf_nat.h to INSTALL_HDR_PATH
Signed-off-by: Pablo Neira Ayuso
27 Aug, 2011
1 commit
-
These types are guaranteed to be defined by for
both userland and kernel, unlike u_intN_t.
Signed-off-by: Ben Hutchings
Acked-by: Patrick McHardy
Signed-off-by: David S. Miller
21 Jan, 2011
1 commit
-
Resolve these warnings on `make headers_check`:
usr/include/linux/netfilter/xt_CT.h:7: found __[us]{8,16,32,64} type
without #include
...
Signed-off-by: Jan Engelhardt
18 Jan, 2011
1 commit
-
Signed-off-by: Jan Engelhardt
14 Oct, 2010
5 commits
-
Signed-off-by: Jan Engelhardt
-
Unification of struct *_error_target was forgotten in
v2.6.16-1689-g1e30a01.
Signed-off-by: Jan Engelhardt
-
Signed-off-by: Jan Engelhardt
-
Many of the used macros are just there for userspace compatibility.
Substitute the in-kernel code to directly use the terminal macro
and stuff the defines into #ifndef __KERNEL__ sections.
Signed-off-by: Jan Engelhardt
15 Aug, 2010
1 commit
-
unifdef-y and header-y have the same semantics.
So there is no need to have both.
Drop the unifdef-y variant and sort all lines again
Signed-off-by: Sam Ravnborg
28 Jun, 2010
1 commit
-
The LOG targets print the entire MAC header as one long string, which is not
readable very well:
IN=eth0 OUT= MAC=00:15:f2:24:91:f8:00:1b:24:dc:61:e6:08:00 ...
Add an option to decode known header formats (currently just ARPHRD_ETHER devices)
in their individual fields:
IN=eth0 OUT= MACSRC=00:1b:24:dc:61:e6 MACDST=00:15:f2:24:91:f8 MACPROTO=0800 ...
IN=eth0 OUT= MACSRC=00:1b:24:dc:61:e6 MACDST=00:15:f2:24:91:f8 MACPROTO=86dd ...
The option needs to be explicitly enabled by userspace to avoid breaking
existing parsers.
Signed-off-by: Patrick McHardy
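A log consumer that has to accept both LOG output formats quoted in the commit message above can normalise them to the same fields. This is an added example, not code from the kernel or from the commit; the sample lines are constructed, the function name is hypothetical, and the legacy field order (destination, source, EtherType) is assumed from the standard Ethernet header layout, which matches the MAC=/MACSRC=/MACDST= pair shown in the message.

```python
import re

# Constructed sample lines modelled on the two formats quoted in the commit message.
SAMPLES = [
    "IN=eth0 OUT= MAC=00:15:f2:24:91:f8:00:1b:24:dc:61:e6:08:00 SRC=192.0.2.10",
    "IN=eth0 OUT= MACSRC=00:1b:24:dc:61:e6 MACDST=00:15:f2:24:91:f8 MACPROTO=0800 SRC=192.0.2.10",
    "IN=eth0 OUT= MACSRC=00:1b:24:dc:61:e6 MACDST=00:15:f2:24:91:f8 MACPROTO=86dd SRC=2001:db8::1",
    "IN=lo OUT= MAC= SRC=127.0.0.1",
]

_HEX_PAIR = r"[0-9a-fA-F]{2}"
_ADDR = rf"{_HEX_PAIR}(?::{_HEX_PAIR}){{5}}"

# Legacy format: 14-byte Ethernet header printed as one colon-separated string,
# assumed to be dst(6) + src(6) + ethertype(2).
_LEGACY = re.compile(
    rf"(?:^|\s)MAC=({_ADDR}):({_ADDR}):({_HEX_PAIR}):({_HEX_PAIR})(?=\s|$)"
)
# Decoded format: individual fields, as enabled explicitly by userspace.
_DECODED = re.compile(
    rf"(?:^|\s)MACSRC=({_ADDR})\s+MACDST=({_ADDR})\s+MACPROTO=([0-9a-fA-F]{{4}})(?=\s|$)"
)


def parse_mac_fields(line):
    """Return {'src', 'dst', 'proto'} from either format, or None.

    None covers an empty MAC= field, a header that is not 14 bytes long
    (non-Ethernet device), and lines that carry no MAC information at all.
    """
    m = _DECODED.search(line)
    if m:
        src, dst, proto = m.group(1), m.group(2), m.group(3)
    else:
        m = _LEGACY.search(line)
        if not m:
            return None
        dst, src = m.group(1), m.group(2)
        proto = m.group(3) + m.group(4)
    return {"src": src.lower(), "dst": dst.lower(), "proto": proto.lower()}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_mac_fields(sample))
```
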
25 Feb, 2010
2 commits
-
The macro is replaced by a list.h-like foreach loop. This makes
the code more inspectable.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
The macro is replaced by a list.h-like foreach loop. This makes
the code much more inspectable.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
11 Feb, 2010
1 commit
-
The static initial tables are pretty large, and after the net
namespace has been instantiated, they just hang around for nothing.
This commit removes them and creates tables on-demand at runtime when
needed.
Size shrinks by 7735 bytes (x86_64).
Signed-off-by: Jan Engelhardt
18 Jan, 2010
1 commit
-
Add ->net to match destructor list like ->net in constructor list.
Make sure it's set in ebtables/iptables/ip6tables, this requires to
propagate netns up to *_unregister_table().
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
05 Nov, 2009
1 commit
-
This cleanup patch puts struct/union/enum opening braces,
in first line to ease grep games.
struct something
{
becomes :
struct something {
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
24 Aug, 2009
1 commit
-
The inputted table is never modified, so should be considered const.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
10 Aug, 2009
4 commits
-
When IPv4 and IPv6 matches were unified approx. 3.5 years ago, they
received new header filenames (e.g. xt_CLASSIFY.h). Let's remove the
old ones now.
Signed-off-by: Jan Engelhardt
-
Superseded by xt_owner v1 (v2.6.24-2388-g0265ab4).
Signed-off-by: Jan Engelhardt
-
Superseded by xt_iprange v1 (v2.6.24-2928-g1a50c5a1).
Signed-off-by: Jan Engelhardt
-
Superseded by xt_TOS v1 (v2.6.24-2396-g5c350e5).
Signed-off-by: Jan Engelhardt
27 Mar, 2009
1 commit
-
A number of standard posix types are used in exported headers, which
is not allowed if __STRICT_KERNEL_NAMES is defined. In order to
get rid of the non-__STRICT_KERNEL_NAMES part and to make sane headers
the default, we have to change them all to safe types.
There are also still some leftovers in reiserfs_fs.h, elfcore.h
and coda.h, but these files have not compiled in user space for
a long time.
This leaves out the various integer types ({u_,u,}int{8,16,32,64}_t),
which we take care of separately.
Signed-off-by: Arnd Bergmann
Acked-by: Mauro Carvalho Chehab
Cc: David Airlie
Cc: Arnaldo Carvalho de Melo
Cc: YOSHIFUJI Hideaki
Cc: netdev@vger.kernel.org
Cc: linux-ppp@vger.kernel.org
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Cc: David Woodhouse
Signed-off-by: H. Peter Anvin
Signed-off-by: Ingo Molnar
20 Nov, 2008
1 commit
-
It seems that all of the include/netfilter_{ipv4,ipv6}/{ipt,ip6t}_*.h which
share constants include the corresponding include/netfilter/xp_*.h files.
Neither ipt_policy.h nor ip6t_policy.h do. Make these consistent with
the norm.
Signed-off-by: Andy Whitcroft
Signed-off-by: Patrick McHardy
08 Oct, 2008
1 commit
-
Like with other modules (such as ipt_state), ipt_recent.h is changed
to forward definitions to (IOW include) xt_recent.h, and xt_recent.c
is changed to use the new constant names.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
22 May, 2008
1 commit
-
Greg Steuck points out that some of the netfilter
headers can't be used in userspace without including linux/types.h
first. The headers include their own linux/types.h include statements,
these are stripped by make headers-install because they are inside
#ifdef __KERNEL__ however. Move them out to fix this.
Reported and Tested by Greg Steuck.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Feb, 2008
1 commit
-
Typical table module registers xt_table structure (i.e. packet_filter)
and link it to list during it. We can't use one template for it because
corresponding list_head will become corrupted. We also can't unregister
with template because it wasn't changed at all and thus doesn't know in
which list it is.
So, we duplicate template at the very first step of table registration.
Table modules will save it for use during unregistration time and actual
filtering.
Do it at once to not screw bisection.
P.S.: renaming i.e. packet_filter => __packet_filter is temporary until
full netnsization of table modules is done.
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
6 commits
-
This patch moves ipt_iprange to xt_iprange, in preparation for adding
IPv6 support to xt_iprange.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Use compat types and compat iterators when dealing with compat entries for
clarity. This doesn't actually make a difference for ip_tables, but is
needed for ip6_tables and arp_tables.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Addrtype match has a new revision (1), which lets address type checking
limited to the interface the current packet belongs to. Either incoming
or outgoing interface can be used depending on the current hook. In the
FORWARD hook two matches should be used if both interfaces have to be checked.
The new structure is ipt_addrtype_info_v1.
Revision 0 lets older userspace programs use the match as earlier.
ipt_addrtype_info is used.
Signed-off-by: Laszlo Attila Toth
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.
Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
07 Nov, 2007
1 commit
-
Sort matches and targets in the Kbuild file.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurrences of sk_buff ** in the netfilter API by
sk_buff *.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
18 Jul, 2007
1 commit
-
ipt_iprange.h must #include since it uses __be32.
This patch fixes kernel Bugzilla #7604.
Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
Adjust structure size and don't expect pointers passed in from
userspace to be valid. Also replace an enum in an ABI structure
by a fixed size type.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
08 Jun, 2007
1 commit
-
check_compat_entry_size_and_hooks iterates over the matches and calls
compat_check_calc_match, which loads the match and calculates the
compat offsets, but unlike the non-compat version, doesn't call
->checkentry yet. On error however it calls cleanup_matches, which in
turn calls ->destroy, which can result in crashes if the destroy
function (validly) expects to only get called after the checkentry
function.
Add a compat_release_match function that only drops the module reference
on error and rename compat_check_calc_match to compat_find_calc_match to
reflect the fact that it doesn't call the checkentry function.
Reported by Jan Engelhardt
Signed-off-by: Dmitry Mishin
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 May, 2007
1 commit
-
- move arp_tables initial table structure definitions to arp_tables.h
similar to ip_tables and ip6_tables
- use C99 initializers
- use initializer macros where possible
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Apr, 2007
1 commit
-
Remove the obsolete IPv4 only connection tracking/NAT as scheduled in
feature-removal-schedule.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
06 Mar, 2007
1 commit
-
Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
- unconfirmed entries can not be killed manually, they are removed on
confirmation or final destruction of the conntrack entry, which means
we might iterate forever without making forward progress.
This can happen in combination with the conntrack event cache, which
holds a reference to the conntrack entry, which is only released when
the packet makes it all the way through the stack or a different
packet is handled.
- taking references to an unconfirmed entry and using it outside the
locked section doesn't work, the list entries are not refcounted and
another CPU might already be waiting to destroy the entry
What the code really wants to do is make sure the references of the hash
table to the selected conntrack entries are released, so they will be
destroyed once all references from skbs and the event cache are dropped.
Since unconfirmed entries haven't even entered the hash yet, simply mark
them as dying and skip confirmation based on that.
Reported and tested by Chuck Ebbert
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller