27 Jul, 2007
1 commit
-
no real bugs, just misannotations cropping up
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
15 Jul, 2007
1 commit
-
ipt_connlimit has been sitting in POM-NG for a long time.
Here is a new shiny xt_connlimit with:
* xtables'ified
* will request the layer3 module
(previously it hotdropped every packet when it was not loaded)
* fixed: there was a deadlock in case of an OOM condition
* support for any layer4 protocol (e.g. UDP/SCTP)
* using jhash, as suggested by Eric Dumazet
* ipv6 support
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Jul, 2007
6 commits
-
Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Along comes... xt_u32, a revamped ipt_u32 from POM-NG,
Plus:
* 2007-06-02: added ipv6 support
* 2007-06-05: uses kmalloc for the big buffer
* 2007-06-05: added inversion
* 2007-06-20: use skb_copy_bits() and get rid of the big buffer
and lock (suggested by Pablo Neira Ayuso)
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Switch the return type of target checkentry functions to boolean.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Switch the return type of match functions to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Switch the return type of match functions to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Switch the "hotdrop" variables to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
25 May, 2007
2 commits
-
1. Add support for decoding IPv6 address. I know it was manually added in
the header file, but not in the template file. That wouldn't work.
2. Add missing support for decoding T.120 address in OLCA.
3. Remove unnecessary decoding of Information signal.
Signed-off-by: Jing Min Zhao
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
When the packet size is changed by the FTP NAT helper, the connection
tracking helper adjusts the sequence number of the newline character
by the size difference. This is wrong because NAT sequence number
adjustment happens after helpers are called, so the unadjusted number
is compared to the already adjusted one.

Based on report by YU, Haitao
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 May, 2007
1 commit
-
- move arp_tables initial table structure definitions to arp_tables.h
similar to ip_tables and ip6_tables
- use C99 initializers
- use initializer macros where possible
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 May, 2007
1 commit
-
While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack
and nat modules to a 2.4.32 kernel I noticed that the gre_key function
returns a wrong pointer to the GRE key of a version 0 packet thus
corrupting the packet payload.

The intended behaviour for GREv0 packets is to act like
nf_conntrack_proto_generic/nf_nat_proto_unknown so I have ripped the
offending functions (not used anymore) and modified the
nf_nat_proto_gre modules to not touch version 0 (non PPTP) packets.
Signed-off-by: Jorge Boncompte
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Apr, 2007
4 commits
-
The error pointer argument in netlink message handlers is used
to signal the special case where processing has to be interrupted
because a dump was started but no error happened. Instead it is
simpler and more clear to return -EINTR and have netlink_run_queue()
deal with getting the queue right.

nfnetlink passed on this error pointer to its subsystem handlers
but only uses it to signal the start of a netlink dump. Therefore
it can be removed there as well.

This patch also cleans up the error handling in the affected
message handlers to be consistent since it had to be touched anyway.
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller
-
So that it is also an offset from skb->head, reduces its size from 8 to 4 bytes
on 64bit architectures, allowing us to combine the 4 bytes hole left by the
layer headers conversion, reducing struct sk_buff size to 256 bytes, i.e. 4
64byte cachelines, and since the sk_buff slab cache is SLAB_HWCACHE_ALIGN...
:-)

Many calculations that previously required that skb->{transport,network,
mac}_header be first converted to a pointer now can be done directly, being
meaningful as offsets or pointers.
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
-
This patch lets userspace programs set the IP_CT_TCP_BE_LIBERAL flag to
force the pickup of established connections.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
09 Feb, 2007
3 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Do liberal tracking (only RSTs need to be in-window) for connections picked
up without seeing a SYN to deal with window scaling. Also change logging
of invalid packets not to log packets accepted by liberal tracking to avoid
spamming the logs.

Based on suggestion from James Ralston
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This is nf_conntrack_sane, a netfilter connection tracking helper module
for the SANE protocol used by the 'saned' daemon to make scanners available
via network. The SANE protocol uses separate control & data connections,
similar to passive FTP. The helper module is needed to recognize the data
connection as RELATED to the control one.
Signed-off-by: Michal Schmidt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
10 Jan, 2007
1 commit
-
IP_CT_TCP_FLAG_CLOSE_INIT is a flag and should have a value of 0x4 instead
of 0x3, which is IP_CT_TCP_FLAG_WINDOW_SCALE | IP_CT_TCP_FLAG_SACK_PERM.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
07 Dec, 2006
1 commit
-
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
03 Dec, 2006
13 commits
-
Add IPv4 and IPv6 capable nf_conntrack port of the TFTP conntrack/NAT helper.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add IPv4 and IPv6 capable nf_conntrack port of the SIP conntrack/NAT helper.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add nf_conntrack port of the PPtP conntrack/NAT helper. Since there seems
to be no IPv6-capable PPtP implementation the helper only supports IPv4.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add nf_conntrack port of the IRC conntrack/NAT helper. Since DCC doesn't
support IPv6 yet, the helper is still IPv4 only.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add IPv4 and IPv6 capable nf_conntrack port of the H.323 conntrack/NAT helper.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add IPv4 and IPv6 capable nf_conntrack port of the Amanda conntrack/NAT helper.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add FTP NAT helper.
Split out from Jozsef's big nf_nat patch with a few small fixes by myself.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
targets to optionally call to the nflog API. They lack a few features,
namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
related to nfnetlink_log, while the ULOG target is only available for IPv4.
Remove those hacks and add a clean way to use nfnetlink_log.
Signed-off-by: Patrick McHardy
-
Signed-off-by: Patrick McHardy
-
There is no reason for limiting netlink attributes in size.
Signed-off-by: Patrick McHardy
-
Signed-off-by: Eric Leblond
Signed-off-by: Patrick McHardy
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
16 Nov, 2006
1 commit
-
66 and 67 for getsockopt on IPv6 socket is doubly used for IPv6 Advanced
API and ip6tables. This moves numbers for ip6tables to 68 and 69.
This also kills XT_SO_* because {ip,ip6,arp}_tables doesn't have so much
common numbers now.

The old userland tools keep to behave as ever, because old kernel always
calls functions of IPv6 Advanced API for their numbers.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
25 Sep, 2006
2 commits
-
This patch adds xt_dscp.h and xt_DSCP.h to the kernel headers which are
exported via 'make headers_install'. These are necessary for userspace
to add rules using dscp match and DSCP target.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: David S. Miller
-
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
23 Sep, 2006
3 commits
-
Split the xt_compat_match/xt_compat_target into smaller type-safe functions
performing just one operation. Handle all alignment and size-related
conversions centrally in these functions instead of requiring each module to
implement a full-blown conversion function. Replace ->compat callback by
->compat_from_user and ->compat_to_user callbacks, responsible for
converting just a single private structure.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Don't count window updates as retransmissions.
Signed-off-by: George Hansper
Signed-off-by: Patrick McHardy
-
Kill listhelp.h and use the list.h functions instead.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller