22 Jun, 2019
1 commit
-
Minor SPDX change conflict.
Signed-off-by: David S. Miller
19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
02 Jun, 2019
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-nextThe following patchset container Netfilter/IPVS update for net-next:
1) Add UDP tunnel support for ICMP errors in IPVS.
Julian Anastasov says:
This patchset is a followup to the commit that adds UDP/GUE tunnel:
"ipvs: allow tunneling with gue encapsulation".What we do is to put tunnel real servers in hash table (patch 1),
add function to lookup tunnels (patch 2) and use it to strip the
embedded tunnel headers from ICMP errors (patch 3).2) Extend xt_owner to match for supplementary groups, from
Lukasz Pawelczyk.3) Remove unused oif field in flow_offload_tuple object, from
Taehee Yoo.4) Release basechain counters from workqueue to skip synchronize_rcu()
call. From Florian Westphal.5) Replace skb_make_writable() by skb_ensure_writable(). Patchset
from Florian Westphal.6) Checksum support for gue encapsulation in IPVS, from Jacky Hu.
====================Signed-off-by: David S. Miller
01 Jun, 2019
1 commit
-
like previous patches -- convert conntrack to use the core helper.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
22 May, 2019
1 commit
-
Due to copy&paste error nf_nat_mangle_udp_packet passes IPPROTO_TCP,
resulting in incorrect udp checksum when payload had to be mangled.Fixes: dac3fe72596f9 ("netfilter: nat: remove csum_recalc hook")
Reported-by: Marc Haber
Tested-by: Marc Haber
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
27 Feb, 2019
3 commits
-
The l3proto name is gone, its header file is the last trace.
While at it, also remove nf_nat_core.h, its very small and all users
include nf_nat.h too.before:
text data bss dec hex filename
22948 1612 4136 28696 7018 nf_nat.koafter removal of l3proto register/unregister functions:
text data bss dec hex filename
22196 1516 4136 27848 6cc8 nf_nat.kocheckpatch complains about overly long lines, but line breaks
do not make things more readable and the line length gets smaller
here, not larger.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
We can now use direct calls.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
after ipv4/6 nat tracker merge, there are no external callers, so
make last function static and remove the header.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
21 Sep, 2018
1 commit
-
__nf_nat_mangle_tcp_packet() and nf_nat_mangle_udp_packet() call
mangle_contents(). and __nf_nat_mangle_tcp_packet()
and mangle_contents() call skb_is_nonlinear(). so that
skb_is_nonlinear() in __nf_nat_mangle_tcp_packet() is unnecessary.Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
24 Apr, 2018
1 commit
-
This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp
incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100)Currently DNAT only works for single port or identical port ranges. (i.e.
ports 5000-5100 on WAN interface redirected to a LAN host while original
destination port is not altered) When different port ranges are configured,
either 'random' mode should be used, or else all incoming connections are
mapped onto the first port in the redirect range. (in described example
WAN:5000-5100 will all be mapped to 192.168.1.5:2000)This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
which uses a base port value to calculate an offset with the destination port
present in the incoming stream. That offset is then applied as index within the
redirect port range (index modulo rangewidth to handle range overflow).In described example the base port would be 5000. An incoming stream with
destination port 5004 would result in an offset value 4 which means that the
NAT'ed stream will be using destination port 2004.Other possibilities include deterministic mapping of larger or multiple ranges
to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port
51xx)This patch does not change any current behavior. It just adds new NAT proto
range functionality which must be selected via the specific flag when intended
to use.A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed
which makes this functionality immediately available.Signed-off-by: Thierry Du Tre
Signed-off-by: Pablo Neira Ayuso
07 Apr, 2017
1 commit
-
nf_nat_mangle_{udp,tcp}_packet() returns int. However, it is used as
bool type in many spots. Fix this by consistently handle this return
value as a boolean.Signed-off-by: Gao Feng
Signed-off-by: Pablo Neira Ayuso
02 Feb, 2017
1 commit
-
Followup patch renames skb->nfct and changes its type so add a helper to
avoid intrusive rename change later.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
28 Aug, 2013
1 commit
-
Split out sequence number adjustments from NAT and move them to the conntrack
core to make them usable for SYN proxying. The sequence number adjustment
information is moved to a seperate extend. The extend is added to new
conntracks when a NAT mapping is set up for a connection using a helper.As a side effect, this saves 24 bytes per connection with NAT in the common
case that a connection does not have a helper assigned.Signed-off-by: Patrick McHardy
Tested-by: Martin Topholm
Signed-off-by: Jesper Dangaard Brouer
Signed-off-by: Pablo Neira Ayuso
01 Aug, 2013
3 commits
-
Get rid of the global lock and use per-conntrack locks for protecting the
sequencen number adjustment data. Additionally saves one lock/unlock
operation for every TCP packet.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
Using 16 bits is too small, when many adjustments happen the offsets might
overflow and break the connection.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso -
nf_nat_seq_adjust() needs to grab nf_nat_seqofs_lock to protect against
concurrent changes to the sequence adjustment data.Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
01 Jun, 2013
1 commit
-
This corrects an regression introduced by "net: Use 16bits for *_headers
fields of struct skbuff" when NET_SKBUFF_DATA_USES_OFFSET is not set. In
that case skb->tail will be a pointer whereas skb->network_header
will be an offset from head. This is corrected by using wrappers that
ensure that calculations are always made using pointers.Reported-by: Stephen Rothwell
Reported-by: Chen Gang
Signed-off-by: Simon Horman
Signed-off-by: David S. Miller
19 Apr, 2013
1 commit
-
Add copyright statements to all netfilter files which have had significant
changes done by myself in the past.Some notes:
- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
Core Team when it got split out of nf_conntrack_core.c. The copyrights
even state a date which lies six years before it was written. It was
written in 2005 by Harald and myself.- net/ipv{4,6}/netfilter.c, net/netfitler/nf_queue.c were missing copyright
statements. I've added the copyright statement from net/netfilter/core.c,
where this code originated- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
it to give the wrong impressionSigned-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
30 Aug, 2012
1 commit
-
Convert the IPv4 NAT implementation to a protocol independent core and
address family specific modules.Signed-off-by: Patrick McHardy