- 03 Dec, 2006 40 commits
-
-
Bart De Schuymer authored
The attached patch adds --snat-arp support, which makes it possible to change the source mac address in both the mac header and the arp header with one rule. Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
There is no reason for limiting netlink attributes in size. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Eric Leblond authored
Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Pablo Neira Ayuso authored
| NEW | UPDATE | DESTROY | ----------------------------------------| tuples | Y | Y | Y | status | Y | Y | N | timeout | Y | Y | N | protoinfo | S | S | N | helper | S | S | N | mark | S | S | N | counters | F | F | Y | Leyend: Y: yes N: no S: iif the field is set F: iif overflow This patch also replace IPCT_HELPINFO by IPCT_HELPER since we want to track the helper assignation process, not the changes in the private information held by the helper. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Pablo Neira Ayuso authored
Check that status flags are available in the netlink message received to create a new conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Not every header has a shortcut, so make them optional instead of searching for the same string twice. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
SIP headers are generally case-insensitive, only SDP headers are case sensitive. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
- Use enum for header field enumeration - Use numerical value instead of pointer to header info structure to identify headers, unexport ct_sip_hdrs - group SIP and SDP entries in header info structure - remove double forward declaration of ct_sip_get_info Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
The NAT helpr hooks are protected by RCU, but all of the conntrack helpers test and use the global pointers instead of copying them first using rcu_dereference() Also replace synchronize_net() by synchronize_rcu() for clarity since sychronizing only with packet receive processing is insufficient to prevent races. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Yasuyuki Kozakai authored
We usually uses 'xxx_find_get' for function which increments reference count. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
This patch adds /proc/net/ip_conntrack, /proc/net/ip_conntrack_expect and /proc/net/stat/ip_conntrack files to keep old programs using them working. The /proc/net/ip_conntrack and /proc/net/ip_conntrack_expect files show only IPv4 entries, the /proc/net/stat/ip_conntrack shows global statistics. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Add helper functions for sysctl registration with optional instantiating of common path elements (like net/netfilter) and use it for support for automatic registation of conntrack protocol sysctls. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Using extern in a C file is a bad idea because the compiler can't catch type errors. Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Patrick McHardy authored
Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Only update the conntrack timer if there's been at least HZ jiffies since the last update. Reduces the number of del_timer/add_timer cycles from one per packet to one per connection per second (plus once for each state change of a connection) Should handle timer wraparounds and connection timeout changes. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Remove unused struct list_head from struct nf_conntrack_l3proto and nf_conntrack_l4proto as all protocols are kept in arrays, not linked lists. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Minor whitespace cleanup. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Remove the usage of ASSERT_READ_LOCK/ASSERT_WRITE_LOCK in nf_conntrack, it didn't do anything, it was just an empty define and it uglified the code. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Add some more sanity checks when registering/unregistering l3/l4 protocols. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets rather confusing with 'nf_conntrack_protocol'. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
Place rarely written variables in the read-mostly section by using __read_mostly Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
This patch splits out L3/L4 protocol handling into its own file nf_conntrack_proto.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
This patch splits out the event cache into its own file nf_conntrack_ecache.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
This patch splits out handling of helpers into its own file nf_conntrack_helper.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Martin Josefsson authored
This patch splits out expectation handling into its own file nf_conntrack_expect.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
David S. Miller authored
This helps Vegas cope better with delayed ACKs, see analysis at: http://www.cs.caltech.edu/%7Eweixl/technical/ns2linux/known_linux/index.html#vegasSigned-off-by: David S. Miller <davem@davemloft.net>
-
Gerrit Renker authored
This patch implements a suggestion by Ian McDonald and 1) Avoids tests against negative packet lengths by using unsigned int for packet payload lengths in the CCID send_packet()/packet_sent() routines 2) As a consequence, it removes an now unnecessary test with regard to `len > 0' in ccid3_hc_tx_packet_sent: that condition is always true, since * negative packet lengths are avoided * ccid3_hc_tx_send_packet flags an error whenever the payload length is 0. As a consequence, ccid3_hc_tx_packet_sent is never called as all errors returned by ccid_hc_tx_send_packet are caught in dccp_write_xmit 3) Removes the third argument of ccid_hc_tx_send_packet (the `len' parameter), since it is currently always set to skb->len. The code is updated with regard to this parameter change. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Gerrit Renker authored
This implements the larger-initial-windows feature for CCID 3, as described in section 5 of RFC 4342. When the first feedback packet arrives, the sender can send up to 2..4 packets per RTT, instead of just one. The patch further * reduces the number of timestamping calls by passing the timestamp value (which is computed in one of the calling functions anyway) as argument * renames one constant with a very long name into one which is shorter and resembles the one in RFC 3448 (t_mbi) * simplifies some of the min_t/max_t cases where both `x', `y' have the same type Commiter note: renamed TFRC_t_mbi to TFRC_T_MBI, to follow Linux coding style. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Arnaldo Carvalho de Melo authored
To reflect the fact that this now is of no effect, not making apps stop working, just be warned in the system log. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Gerrit Renker authored
This removes and cleans up unused variables and structures which have become unnecessary following the introduction of the EWMA patch to automatically track the CCID 3 receiver/sender packet sizes `s'. It deprecates the PACKET_SIZE socket option by returning an error code and printing a deprecation warning if an application tries to read or write this socket option. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Gerrit Renker authored
Problem:
-
Gerrit Renker authored
This corrects the setting of the nofeedback timer with regard to RFC 3448 - previously it was not set to max(4*R, 2*s/X) as specified. Using the maximum of 1 second as upper bound (as it was done before) can have detrimental effects, especially if R is small. Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Gerrit Renker authored
This is in response to a request sent earlier by Eric W. Biederman and replaces all sysctl numbers for net.dccp.default with CTL_UNNUMBERED. It has been tested to compile and to work. Commiter note: I've removed the use of CTL_UNNUMBERED, not setting .ctl_name sets it to 0, that is the what CTL_UNNUMBERED is, reason is to avoid unneeded source code cluttering. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Arnaldo Carvalho de Melo authored
[acme@newtoy net-2.6.20]$ pahole /tmp/tcp_ipv6.o inet_protosw /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/protocol.h:69 */ struct inet_protosw { struct list_head list; /* 0 8 */ short unsigned int type; /* 8 2 */ /* XXX 2 bytes hole, try to pack */ int protocol; /* 12 4 */ struct proto * prot; /* 16 4 */ const struct proto_ops * ops; /* 20 4 */ int capability; /* 24 4 */ char no_check; /* 28 1 */ unsigned char flags; /* 29 1 */ }; /* size: 32, sum members: 28, holes: 1, sum holes: 2, padding: 2 */ So that we can kill that hole, protocol can only go all the way to 255 (RAW). Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Arnaldo Carvalho de Melo authored
As this struct is not userland visible at all. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-