27 Aug, 2011

1 commit


10 Jun, 2008

1 commit

  • The following patch implements a new "security" table for iptables, so
    that MAC (SELinux etc.) networking rules can be managed separately to
    standard DAC rules.

    This is to help with distro integration of the new secmark-based
    network controls, per various previous discussions.

    The need for a separate table arises from the fact that existing tools
    and usage of iptables will likely clash with centralized MAC policy
    management.

    The SECMARK and CONNSECMARK targets will still be valid in the mangle
    table to prevent breakage of existing users.

    Signed-off-by: James Morris
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    James Morris
     

14 Apr, 2008

1 commit

  • Connection tracking helpers (specifically FTP) need to be called
    before NAT sequence numbers adjustments are performed to be able
    to compare them against previously seen ones. We've introduced
    two new hooks around 2.6.11 to maintain this ordering when NAT
    modules were changed to get called from conntrack helpers directly.

    The cost of netfilter hooks is quite high and sequence number
adjustments are only rarely needed however. Add an RCU-protected
    sequence number adjustment function pointer and call it from
    IPv4 conntrack after calling the helper.

    Signed-off-by: Patrick McHardy

    Patrick McHardy
     

29 Jan, 2008

1 commit

  • The IPv4 and IPv6 hook values are identical, yet some code tries to figure
    out the "correct" value by looking at the address family. Introduce NF_INET_*
    values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
    section for userspace compatibility.

    Signed-off-by: Patrick McHardy
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Patrick McHardy
     

16 Oct, 2007

1 commit


14 Dec, 2006

1 commit


03 Dec, 2006

1 commit


04 Oct, 2006

1 commit

  • By adding a type parameter to ip_route_me_harder() the
    expensive call to inet_addr_type() can be avoided in some cases.
    A followup patch where ip_route_me_harder() is called from within
    ip_vs_out() is one such example.

    Signed-off-By: Simon Horman
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Simon Horman
     

26 Apr, 2006

1 commit


10 Apr, 2006

1 commit


15 Feb, 2006

1 commit

  • To find out if a packet needs to be handled by IPsec after SNAT, packets
    are currently rerouted in POST_ROUTING and a new xfrm lookup is done. This
    breaks SNAT of non-unicast packets to non-local addresses because the
    packet is routed as incoming packet and no neighbour entry is bound to the
    dst_entry. In general, it seems to be a bad idea to replace the dst_entry
    after the packet was already sent to the output routine because its state
    might not match what's expected.

    This patch changes the xfrm lookup in POST_ROUTING to re-use the original
    dst_entry without routing the packet again. This means no policy routing
    can be used for transport mode transforms (which keep the original route)
    when packets are SNATed to match the policy, but it looks like the best
    we can do for now.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Patrick McHardy
     

30 Aug, 2005

2 commits

  • There is nothing IPv4-specific in it. In fact, it was already used by
    IPv6, too... Upcoming nfnetlink_queue code will use it for any kind
    of packet.

    Signed-off-by: Harald Welte
    Signed-off-by: David S. Miller

    Harald Welte
     
  • As discussed at netconf'05, we're trying to save every bit in sk_buff.
    The patch below makes sk_buff 8 bytes smaller. I did some basic
    testing on my notebook and it seems to work.

    The only real in-tree user of nfcache was IPVS, who only needs a
    single bit. Unfortunately I couldn't find some other free bit in
    sk_buff to stuff that bit into, so I introduced a separate field for
    them. Maybe the IPVS guys can resolve that to further save space.

    Initially I wanted to shrink pkt_type to three bits (PACKET_HOST and
    alike are only 6 values defined), but unfortunately the bluetooth code
    overloads pkt_type :(

    The conntrack-event-api (out-of-tree) uses nfcache, but Rusty just
    came up with a way how to do it without any skb fields, so it's safe
    to remove it.

    - remove all never-implemented 'nfcache' code
- don't have ipvs code abuse 'nfcache' field. currently gets their own
    compile-conditional skb->ipvs_property field. IPVS maintainers can
    decide to move this bit elsewhere, but nfcache needs to die.
    - remove skb->nfcache field to save 4 bytes
    - move skb->nfctinfo into three unused bits to save further 4 bytes

    Signed-off-by: Harald Welte
    Signed-off-by: David S. Miller

    Harald Welte
     

22 Jun, 2005

1 commit


25 Apr, 2005

1 commit

  • The NAT changes in 2.6.11 changed the position where helpers
    are called and perform packet mangling. Before 2.6.11, a NAT
    helper was called before the packet was NATed and had its
    sequence number adjusted. Since 2.6.11, the helpers get packets
    with already adjusted sequence numbers.

    This breaks sequence number adjustment, adjust_tcp_sequence()
    needs the original sequence number to determine whether
    a packet was a retransmission and to store it for further
    corrections. It can't be reconstructed without more information
    than available, so this patch restores the old order by
    calling helpers from a new conntrack hook two priorities
    below ip_conntrack_confirm() and adjusting the sequence number
    from a new NAT hook one priority below ip_conntrack_confirm().

    Tracked down by Phil Oester

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     

17 Apr, 2005

1 commit

  • Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds