26 Apr, 2007
1 commit
-
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
11 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
05 Jan, 2007
1 commit
-
Packets generated by the REJECT target in the output chain have a local
destination address and a foreign source address. Make sure not to use
the foreign source address for the output route lookup.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 Dec, 2006
4 commits
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Now that all protocols have been made aware of the mark
field it can be moved out of the union thus simplyfing
its usage.The config options in the IPv4/IPv6/DECnet subsystems
to enable respectively disable mark based routing only
obfuscate the code with ifdefs, the cost for the
additional comparison in the flow key is insignificant,
and most distributions have all these options enabled
by default anyway. Therefore it makes sense to remove
the config options and enable mark based routing by
default.Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
nfmark is being used in various subsystems and has become
the defacto mark field for all kinds of packets. Therefore
it makes sense to rename it to `mark' and remove the
dependency on CONFIG_NETFILTER.Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
04 Oct, 2006
1 commit
-
By adding a type parameter to ip_route_me_harder() the
expensive call to inet_addr_type() can be avoided in some cases.
A followup patch where ip_route_me_harder() is called from within
ip_vs_out() is one such example.Signed-off-By: Simon Horman
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Sep, 2006
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
23 Sep, 2006
1 commit
-
Replace CHECKSUM_HW by CHECKSUM_PARTIAL (for outgoing packets, whose
checksum still needs to be completed) and CHECKSUM_COMPLETE (for
incoming packets, device supplied full checksum).Patch originally from Herbert Xu, updated by myself for 2.6.18-rc3.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
10 Apr, 2006
2 commits
-
Add checksum operation which takes care of verifying the checksum and
dealing with HW checksum errors and avoids multiple checksum
operations by setting ip_summed to CHECKSUM_UNNECESSARY after
successful verification.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Change the queue rerouter intrastructure to a generic usable
infrastructure for address family specific operations as a base for
some cleanups.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Mar, 2006
1 commit
-
Every netfilter module uses `init' for its module_init() function and
`fini' or `cleanup' for its module_exit() function.Problem is, this creates uninformative initcall_debug output and makes
ctags rather useless.So go through and rename them all to $(filename)_init and
$(filename)_fini.Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
15 Feb, 2006
1 commit
-
To find out if a packet needs to be handled by IPsec after SNAT, packets
are currently rerouted in POST_ROUTING and a new xfrm lookup is done. This
breaks SNAT of non-unicast packets to non-local addresses because the
packet is routed as incoming packet and no neighbour entry is bound to the
dst_entry. In general, it seems to be a bad idea to replace the dst_entry
after the packet was already sent to the output routine because its state
might not match what's expected.This patch changes the xfrm lookup in POST_ROUTING to re-use the original
dst_entry without routing the packet again. This means no policy routing
can be used for transport mode transforms (which keep the original route)
when packets are SNATed to match the policy, but it looks like the best
we can do for now.Signed-off-by: Patrick McHardy
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jan, 2006
1 commit
-
Don't wrap entire file in #ifdef CONFIG_NETFILTER, remove a few
unneccessary includes.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
08 Jan, 2006
2 commits
-
Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi
of the original packet from the conntrack information for IPsec policy
checks.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
ip_route_me_harder doesn't use the port numbers of the xfrm lookup and
uses ip_route_input for non-local addresses which doesn't do a xfrm
lookup, ip6_route_me_harder doesn't do a xfrm lookup at all.Use xfrm_decode_session and do the lookup manually, make sure both
only do the lookup if the packet hasn't been transformed already.Makeing sure the lookup only happens once needs a new field in the
IP6CB, which exceeds the size of skb->cb. The size of skb->cb is
increased to 48b. Apparently the IPv6 mobile extensions need some
more room anyway.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
30 Aug, 2005
2 commits
-
The rerouting functionality is required by the core, therefore it has
to be implemented by the core and not in individual queue handlers.Signed-off-by: Harald Welte
Signed-off-by: David S. Miller -
Netfilter cleanup
- Move ipv4 code from net/core/netfilter.c to net/ipv4/netfilter.c
- Move ipv6 netfilter code from net/ipv6/ip6_output.c to net/ipv6/netfilter.cSigned-off-by: Harald Welte
Signed-off-by: David S. Miller
