Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
parents
0a17d8c7
4df53d8b
Showing
22 changed files
with
262 additions
and
126 deletions
+262
-126
Documentation/feature-removal-schedule.txt
Documentation/feature-removal-schedule.txt
+0
-9
Documentation/kernel-parameters.txt
Documentation/kernel-parameters.txt
+1
-2
include/linux/ip_vs.h
include/linux/ip_vs.h
+2
-0
include/linux/netfilter_ipv4/ipt_LOG.h
include/linux/netfilter_ipv4/ipt_LOG.h
+2
-1
include/linux/netfilter_ipv6/ip6t_LOG.h
include/linux/netfilter_ipv6/ip6t_LOG.h
+2
-1
include/net/netfilter/nf_conntrack_acct.h
include/net/netfilter/nf_conntrack_acct.h
+12
-0
include/net/netfilter/nf_nat_rule.h
include/net/netfilter/nf_nat_rule.h
+0
-2
net/bridge/br_netfilter.c
net/bridge/br_netfilter.c
+22
-9
net/bridge/br_private.h
net/bridge/br_private.h
+3
-0
net/bridge/br_sysfs_br.c
net/bridge/br_sysfs_br.c
+72
-0
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+40
-14
net/ipv4/netfilter/ipt_NETMAP.c
net/ipv4/netfilter/ipt_NETMAP.c
+4
-2
net/ipv4/netfilter/nf_nat_rule.c
net/ipv4/netfilter/nf_nat_rule.c
+6
-4
net/ipv4/netfilter/nf_nat_standalone.c
net/ipv4/netfilter/nf_nat_standalone.c
+1
-7
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_LOG.c
+53
-28
net/netfilter/Kconfig
net/netfilter/Kconfig
+1
-23
net/netfilter/ipvs/ip_vs_conn.c
net/netfilter/ipvs/ip_vs_conn.c
+7
-3
net/netfilter/ipvs/ip_vs_core.c
net/netfilter/ipvs/ip_vs_core.c
+16
-4
net/netfilter/ipvs/ip_vs_ctl.c
net/netfilter/ipvs/ip_vs_ctl.c
+6
-4
net/netfilter/nf_conntrack_acct.c
net/netfilter/nf_conntrack_acct.c
+1
-13
net/netfilter/xt_IDLETIMER.c
net/netfilter/xt_IDLETIMER.c
+1
-0
net/netfilter/xt_connbytes.c
net/netfilter/xt_connbytes.c
+10
-0
Documentation/feature-removal-schedule.txt
...
...
@@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net>
---------------------------
What: CONFIG_NF_CT_ACCT
When: 2.6.29
Why: Accounting can now be enabled/disabled without kernel recompilation.
Currently used only to set a default value for a feature that is also
controlled by a kernel/module/sysfs/sysctl parameter.
Who: Krzysztof Piotr Oledzki <ole@ans.pl>
---------------------------
What: sysfs ui for changing p4-clockmod parameters
When: September 2009
Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
...
...
Documentation/kernel-parameters.txt
...
...
@@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file
[NETFILTER] Enable connection tracking flow accounting
0 to disable accounting
1 to enable accounting
Default value depends on CONFIG_NF_CT_ACCT that is
going to be removed in 2.6.29.
Default value is 0.
nfsaddrs= [NFS]
See Documentation/filesystems/nfs/nfsroot.txt.
...
...
include/linux/ip_vs.h
...
...
@@ -19,6 +19,7 @@
*/
#define IP_VS_SVC_F_PERSISTENT 0x0001
/* persistent port */
#define IP_VS_SVC_F_HASHED 0x0002
/* hashed entry */
#define IP_VS_SVC_F_ONEPACKET 0x0004
/* one-packet scheduling */
/*
* Destination Server Flags
...
...
@@ -85,6 +86,7 @@
#define IP_VS_CONN_F_SEQ_MASK 0x0600
/* in/out sequence mask */
#define IP_VS_CONN_F_NO_CPORT 0x0800
/* no client port set yet */
#define IP_VS_CONN_F_TEMPLATE 0x1000
/* template, not connection */
#define IP_VS_CONN_F_ONE_PACKET 0x2000
/* forward only one packet */
#define IP_VS_SCHEDNAME_MAXLEN 16
#define IP_VS_IFNAME_MAXLEN 16
...
...
include/linux/netfilter_ipv4/ipt_LOG.h
...
...
@@ -7,7 +7,8 @@
#define IPT_LOG_IPOPT 0x04
/* Log IP options */
#define IPT_LOG_UID 0x08
/* Log UID owning local socket */
#define IPT_LOG_NFLOG 0x10
/* Unsupported, don't reuse */
#define IPT_LOG_MASK 0x1f
#define IPT_LOG_MACDECODE 0x20
/* Decode MAC header */
#define IPT_LOG_MASK 0x2f
struct
ipt_log_info
{
unsigned
char
level
;
...
...
include/linux/netfilter_ipv6/ip6t_LOG.h
...
...
@@ -7,7 +7,8 @@
#define IP6T_LOG_IPOPT 0x04
/* Log IP options */
#define IP6T_LOG_UID 0x08
/* Log UID owning local socket */
#define IP6T_LOG_NFLOG 0x10
/* Unsupported, don't use */
#define IP6T_LOG_MASK 0x1f
#define IP6T_LOG_MACDECODE 0x20
/* Decode MAC header */
#define IP6T_LOG_MASK 0x2f
struct
ip6t_log_info
{
unsigned
char
level
;
...
...
include/net/netfilter/nf_conntrack_acct.h
...
...
@@ -45,6 +45,18 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
extern
unsigned
int
seq_print_acct
(
struct
seq_file
*
s
,
const
struct
nf_conn
*
ct
,
int
dir
);
/* Check if connection tracking accounting is enabled */
static
inline
bool
nf_ct_acct_enabled
(
struct
net
*
net
)
{
return
net
->
ct
.
sysctl_acct
!=
0
;
}
/* Enable/disable connection tracking accounting */
static
inline
void
nf_ct_set_acct
(
struct
net
*
net
,
bool
enable
)
{
net
->
ct
.
sysctl_acct
=
enable
;
}
extern
int
nf_conntrack_acct_init
(
struct
net
*
net
);
extern
void
nf_conntrack_acct_fini
(
struct
net
*
net
);
...
...
include/net/netfilter/nf_nat_rule.h
...
...
@@ -12,6 +12,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
const
struct
net_device
*
out
,
struct
nf_conn
*
ct
);
extern
unsigned
int
alloc_null_binding
(
struct
nf_conn
*
ct
,
unsigned
int
hooknum
);
#endif
/* _NF_NAT_RULE_H */
net/bridge/br_netfilter.c
...
...
@@ -55,6 +55,9 @@ static int brnf_call_arptables __read_mostly = 1;
static
int
brnf_filter_vlan_tagged
__read_mostly
=
0
;
static
int
brnf_filter_pppoe_tagged
__read_mostly
=
0
;
#else
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
#define brnf_call_arptables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#endif
...
...
@@ -544,25 +547,30 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
struct
net_bridge_port
*
p
;
struct
net_bridge
*
br
;
struct
iphdr
*
iph
;
__u32
len
=
nf_bridge_encap_header_len
(
skb
);
if
(
unlikely
(
!
pskb_may_pull
(
skb
,
len
)))
goto
out
;
p
=
br_port_get_rcu
(
in
);
if
(
p
==
NULL
)
goto
out
;
br
=
p
->
br
;
if
(
skb
->
protocol
==
htons
(
ETH_P_IPV6
)
||
IS_VLAN_IPV6
(
skb
)
||
IS_PPPOE_IPV6
(
skb
))
{
#ifdef CONFIG_SYSCTL
if
(
!
brnf_call_ip6tables
)
if
(
!
brnf_call_ip6tables
&&
!
br
->
nf_call_ip6tables
)
return
NF_ACCEPT
;
#endif
nf_bridge_pull_encap_header_rcsum
(
skb
);
return
br_nf_pre_routing_ipv6
(
hook
,
skb
,
in
,
out
,
okfn
);
}
#ifdef CONFIG_SYSCTL
if
(
!
brnf_call_iptables
)
if
(
!
brnf_call_iptables
&&
!
br
->
nf_call_iptables
)
return
NF_ACCEPT
;
#endif
if
(
skb
->
protocol
!=
htons
(
ETH_P_IP
)
&&
!
IS_VLAN_IP
(
skb
)
&&
!
IS_PPPOE_IP
(
skb
))
...
...
@@ -715,12 +723,17 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
struct
net_bridge_port
*
p
;
struct
net_bridge
*
br
;
struct
net_device
**
d
=
(
struct
net_device
**
)(
skb
->
cb
);
#ifdef CONFIG_SYSCTL
if
(
!
brnf_call_arptables
)
p
=
br_port_get_rcu
(
out
);
if
(
p
==
NULL
)
return
NF_ACCEPT
;
br
=
p
->
br
;
if
(
!
brnf_call_arptables
&&
!
br
->
nf_call_arptables
)
return
NF_ACCEPT
;
#endif
if
(
skb
->
protocol
!=
htons
(
ETH_P_ARP
))
{
if
(
!
IS_VLAN_ARP
(
skb
))
...
...
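Review bot: In br_nf_forward_arp the new `struct net_bridge_port *p;` and `struct net_bridge *br;` are declared outside `#ifdef CONFIG_SYSCTL` but only assigned and read inside it, so a build without CONFIG_SYSCTL (where brnf_call_arptables is the constant 1 from the first hunk) gets unused-variable warnings for both; br_nf_pre_routing has the same shape, where `br = p->br;` appears to be assigned unconditionally but `br->nf_call_iptables` / `br->nf_call_ip6tables` are read only under the `#ifdef`. Either move the declarations and the port lookup into the conditional block, or drop the `#ifdef` in both functions now that the non-sysctl globals are plain constants and the `br->nf_call_*` fields exist whenever CONFIG_BRIDGE_NETFILTER does. The per-bridge flags are read here without any lock while br_sysfs_br.c stores them; a bool store/load is fine in practice, but a one-line comment saying the read is intentionally unsynchronised would save a later reviewer the question. Both functions start before and end after their hunks.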
net/bridge/br_private.h
...
...
@@ -176,6 +176,9 @@ struct net_bridge
unsigned
long
feature_mask
;
#ifdef CONFIG_BRIDGE_NETFILTER
struct
rtable
fake_rtable
;
bool
nf_call_iptables
;
bool
nf_call_ip6tables
;
bool
nf_call_arptables
;
#endif
unsigned
long
flags
;
#define BR_SET_MAC_ADDR 0x00000001
...
...
net/bridge/br_sysfs_br.c
...
...
@@ -611,6 +611,73 @@ static DEVICE_ATTR(multicast_startup_query_interval, S_IRUGO | S_IWUSR,
show_multicast_startup_query_interval
,
store_multicast_startup_query_interval
);
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
static
ssize_t
show_nf_call_iptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
char
*
buf
)
{
struct
net_bridge
*
br
=
to_bridge
(
d
);
return
sprintf
(
buf
,
"%u
\n
"
,
br
->
nf_call_iptables
);
}
static
int
set_nf_call_iptables
(
struct
net_bridge
*
br
,
unsigned
long
val
)
{
br
->
nf_call_iptables
=
val
?
true
:
false
;
return
0
;
}
static
ssize_t
store_nf_call_iptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
const
char
*
buf
,
size_t
len
)
{
return
store_bridge_parm
(
d
,
buf
,
len
,
set_nf_call_iptables
);
}
static
DEVICE_ATTR
(
nf_call_iptables
,
S_IRUGO
|
S_IWUSR
,
show_nf_call_iptables
,
store_nf_call_iptables
);
static
ssize_t
show_nf_call_ip6tables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
char
*
buf
)
{
struct
net_bridge
*
br
=
to_bridge
(
d
);
return
sprintf
(
buf
,
"%u
\n
"
,
br
->
nf_call_ip6tables
);
}
static
int
set_nf_call_ip6tables
(
struct
net_bridge
*
br
,
unsigned
long
val
)
{
br
->
nf_call_ip6tables
=
val
?
true
:
false
;
return
0
;
}
static
ssize_t
store_nf_call_ip6tables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
const
char
*
buf
,
size_t
len
)
{
return
store_bridge_parm
(
d
,
buf
,
len
,
set_nf_call_ip6tables
);
}
static
DEVICE_ATTR
(
nf_call_ip6tables
,
S_IRUGO
|
S_IWUSR
,
show_nf_call_ip6tables
,
store_nf_call_ip6tables
);
static
ssize_t
show_nf_call_arptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
char
*
buf
)
{
struct
net_bridge
*
br
=
to_bridge
(
d
);
return
sprintf
(
buf
,
"%u
\n
"
,
br
->
nf_call_arptables
);
}
static
int
set_nf_call_arptables
(
struct
net_bridge
*
br
,
unsigned
long
val
)
{
br
->
nf_call_arptables
=
val
?
true
:
false
;
return
0
;
}
static
ssize_t
store_nf_call_arptables
(
struct
device
*
d
,
struct
device_attribute
*
attr
,
const
char
*
buf
,
size_t
len
)
{
return
store_bridge_parm
(
d
,
buf
,
len
,
set_nf_call_arptables
);
}
static
DEVICE_ATTR
(
nf_call_arptables
,
S_IRUGO
|
S_IWUSR
,
show_nf_call_arptables
,
store_nf_call_arptables
);
#endif
static
struct
attribute
*
bridge_attrs
[]
=
{
&
dev_attr_forward_delay
.
attr
,
...
...
@@ -644,6 +711,11 @@ static struct attribute *bridge_attrs[] = {
&
dev_attr_multicast_query_interval
.
attr
,
&
dev_attr_multicast_query_response_interval
.
attr
,
&
dev_attr_multicast_startup_query_interval
.
attr
,
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
&
dev_attr_nf_call_iptables
.
attr
,
&
dev_attr_nf_call_ip6tables
.
attr
,
&
dev_attr_nf_call_arptables
.
attr
,
#endif
NULL
};
...
...
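Review bot: The three show/set/store triplets for nf_call_iptables, nf_call_ip6tables and nf_call_arptables differ only in the field name, so a small generator macro (e.g. `BRNF_CALL_ATTR(name)` expanding to the show, set and store functions plus the DEVICE_ATTR) would remove roughly sixty duplicated lines and keep the three from drifting apart. The setters accept any non-zero `val` as true and always return 0; if only 0 and 1 are meant to be valid inputs, `if (val > 1) return -EINVAL;` at the top of each setter makes that explicit to the sysfs user. The attributes are created with `S_IRUGO | S_IWUSR`, so only the owner can toggle what the bridge hands to iptables, which is the right restriction for a knob that changes which packets get filtered; a short comment above the block saying these map to the per-bridge checks in br_netfilter.c would help readers find the consumer.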
net/ipv4/netfilter/ipt_LOG.c
...
...
@@ -13,6 +13,7 @@
#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
#include <net/icmp.h>
#include <net/udp.h>
...
...
@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info,
/* maxlen = 230+ 91 + 230 + 252 = 803 */
}
static
void
dump_mac_header
(
const
struct
nf_loginfo
*
info
,
const
struct
sk_buff
*
skb
)
{
struct
net_device
*
dev
=
skb
->
dev
;
unsigned
int
logflags
=
0
;
if
(
info
->
type
==
NF_LOG_TYPE_LOG
)
logflags
=
info
->
u
.
log
.
logflags
;
if
(
!
(
logflags
&
IPT_LOG_MACDECODE
))
goto
fallback
;
switch
(
dev
->
type
)
{
case
ARPHRD_ETHER
:
printk
(
"MACSRC=%pM MACDST=%pM MACPROTO=%04x "
,
eth_hdr
(
skb
)
->
h_source
,
eth_hdr
(
skb
)
->
h_dest
,
ntohs
(
eth_hdr
(
skb
)
->
h_proto
));
return
;
default:
break
;
}
fallback:
printk
(
"MAC="
);
if
(
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
unsigned
int
i
;
printk
(
"%02x"
,
*
p
++
);
for
(
i
=
1
;
i
<
dev
->
hard_header_len
;
i
++
,
p
++
)
printk
(
":%02x"
,
*
p
);
}
printk
(
" "
);
}
static
struct
nf_loginfo
default_loginfo
=
{
.
type
=
NF_LOG_TYPE_LOG
,
.
u
=
{
...
...
@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf,
}
#endif
if
(
in
&&
!
out
)
{
/* MAC logging for input chain only. */
printk
(
"MAC="
);
if
(
skb
->
dev
&&
skb
->
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
int
i
;
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
for
(
i
=
0
;
i
<
skb
->
dev
->
hard_header_len
;
i
++
,
p
++
)
printk
(
"%02x%c"
,
*
p
,
i
==
skb
->
dev
->
hard_header_len
-
1
?
' '
:
':'
);
}
else
printk
(
" "
);
}
/* MAC logging for input path only. */
if
(
in
&&
!
out
)
dump_mac_header
(
loginfo
,
skb
);
dump_packet
(
loginfo
,
skb
,
0
);
printk
(
"
\n
"
);
...
...
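Review bot: dump_mac_header dereferences `skb->dev` unconditionally (`switch (dev->type)` and `dev->hard_header_len` on the fallback path), whereas the inline code it replaces in ipt_log_packet guarded with `skb->dev &&` before touching the device, so the NULL check has been lost in the move. Unless every caller on the `in && !out` path guarantees a non-NULL `skb->dev`, restore it at the top of the function with `if (dev == NULL) { printk("MAC= "); return; }`, which reproduces the old output for that case; if the guarantee does hold, a comment stating it is the minimum. The ip6t_LOG.c dump_mac_header in this same commit has the identical shape and its removed code also tested `skb->dev &&`, so the same fix applies there. A one-line header comment on the new function (`/* Print the link-layer header: decoded for Ethernet when IPT_LOG_MACDECODE is set, raw hex otherwise. */`) would also document the new flag's effect at its point of use.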
net/ipv4/netfilter/ipt_NETMAP.c
...
...
@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
NF_CT_ASSERT
(
par
->
hooknum
==
NF_INET_PRE_ROUTING
||
par
->
hooknum
==
NF_INET_POST_ROUTING
||
par
->
hooknum
==
NF_INET_LOCAL_OUT
);
par
->
hooknum
==
NF_INET_LOCAL_OUT
||
par
->
hooknum
==
NF_INET_LOCAL_IN
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
netmask
=
~
(
mr
->
range
[
0
].
min_ip
^
mr
->
range
[
0
].
max_ip
);
...
...
@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = {
.
table
=
"nat"
,
.
hooks
=
(
1
<<
NF_INET_PRE_ROUTING
)
|
(
1
<<
NF_INET_POST_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_OUT
),
(
1
<<
NF_INET_LOCAL_OUT
)
|
(
1
<<
NF_INET_LOCAL_IN
),
.
checkentry
=
netmap_tg_check
,
.
me
=
THIS_MODULE
};
...
...
net/ipv4/netfilter/nf_nat_rule.c
...
...
@@ -28,7 +28,8 @@
#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_LOCAL_IN))
static
const
struct
xt_table
nat_table
=
{
.
name
=
"nat"
,
...
...
@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
enum
ip_conntrack_info
ctinfo
;
const
struct
nf_nat_multi_range_compat
*
mr
=
par
->
targinfo
;
NF_CT_ASSERT
(
par
->
hooknum
==
NF_INET_POST_ROUTING
);
NF_CT_ASSERT
(
par
->
hooknum
==
NF_INET_POST_ROUTING
||
par
->
hooknum
==
NF_INET_LOCAL_IN
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
...
...
@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
return
0
;
}
unsigned
int
static
unsigned
int
alloc_null_binding
(
struct
nf_conn
*
ct
,
unsigned
int
hooknum
)
{
/* Force range to this IP; let proto decide mapping for
...
...
@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
.
target
=
ipt_snat_target
,
.
targetsize
=
sizeof
(
struct
nf_nat_multi_range_compat
),
.
table
=
"nat"
,
.
hooks
=
1
<<
NF_INET_POST_ROUTING
,
.
hooks
=
(
1
<<
NF_INET_POST_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_IN
)
,
.
checkentry
=
ipt_snat_checkentry
,
.
family
=
AF_INET
,
};
...
...
net/ipv4/netfilter/nf_nat_standalone.c
...
...
@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum,
if
(
!
nf_nat_initialized
(
ct
,
maniptype
))
{
unsigned
int
ret
;
if
(
hooknum
==
NF_INET_LOCAL_IN
)
/* LOCAL_IN hook doesn't have a chain! */
ret
=
alloc_null_binding
(
ct
,
hooknum
);
else
ret
=
nf_nat_rule_find
(
skb
,
hooknum
,
in
,
out
,
ct
);
ret
=
nf_nat_rule_find
(
skb
,
hooknum
,
in
,
out
,
ct
);
if
(
ret
!=
NF_ACCEPT
)
return
ret
;
}
else
...
...
net/ipv6/netfilter/ip6t_LOG.c
...
...
@@ -373,6 +373,56 @@ static void dump_packet(const struct nf_loginfo *info,
printk
(
"MARK=0x%x "
,
skb
->
mark
);
}
static
void
dump_mac_header
(
const
struct
nf_loginfo
*
info
,
const
struct
sk_buff
*
skb
)
{
struct
net_device
*
dev
=
skb
->
dev
;
unsigned
int
logflags
=
0
;
if
(
info
->
type
==
NF_LOG_TYPE_LOG
)
logflags
=
info
->
u
.
log
.
logflags
;
if
(
!
(
logflags
&
IP6T_LOG_MACDECODE
))
goto
fallback
;
switch
(
dev
->
type
)
{
case
ARPHRD_ETHER
:
printk
(
"MACSRC=%pM MACDST=%pM MACPROTO=%04x "
,
eth_hdr
(
skb
)
->
h_source
,
eth_hdr
(
skb
)
->
h_dest
,
ntohs
(
eth_hdr
(
skb
)
->
h_proto
));
return
;
default:
break
;
}
fallback:
printk
(
"MAC="
);
if
(
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
unsigned
int
len
=
dev
->
hard_header_len
;
unsigned
int
i
;
if
(
dev
->
type
==
ARPHRD_SIT
&&
(
p
-=
ETH_HLEN
)
<
skb
->
head
)
p
=
NULL
;
if
(
p
!=
NULL
)
{
printk
(
"%02x"
,
*
p
++
);
for
(
i
=
1
;
i
<
len
;
i
++
)
printk
(
":%02x"
,
p
[
i
]);
}
printk
(
" "
);
if
(
dev
->
type
==
ARPHRD_SIT
)
{
const
struct
iphdr
*
iph
=
(
struct
iphdr
*
)
skb_mac_header
(
skb
);
printk
(
"TUNNEL=%pI4->%pI4 "
,
&
iph
->
saddr
,
&
iph
->
daddr
);
}
}
else
printk
(
" "
);
}
static
struct
nf_loginfo
default_loginfo
=
{
.
type
=
NF_LOG_TYPE_LOG
,
.
u
=
{
...
...
@@ -400,35 +450,10 @@ ip6t_log_packet(u_int8_t pf,
prefix
,
in
?
in
->
name
:
""
,
out
?
out
->
name
:
""
);
if
(
in
&&
!
out
)
{
unsigned
int
len
;
/* MAC logging for input chain only. */
printk
(
"MAC="
);
if
(
skb
->
dev
&&
(
len
=
skb
->
dev
->
hard_header_len
)
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
int
i
;
if
(
skb
->
dev
->
type
==
ARPHRD_SIT
&&
(
p
-=
ETH_HLEN
)
<
skb
->
head
)
p
=
NULL
;
if
(
p
!=
NULL
)
{
for
(
i
=
0
;
i
<
len
;
i
++
)
printk
(
"%02x%s"
,
p
[
i
],
i
==
len
-
1
?
""
:
":"
);
}
printk
(
" "
);
if
(
skb
->
dev
->
type
==
ARPHRD_SIT
)
{
const
struct
iphdr
*
iph
=
(
struct
iphdr
*
)
skb_mac_header
(
skb
);
printk
(
"TUNNEL=%pI4->%pI4 "
,
&
iph
->
saddr
,
&
iph
->
daddr
);
}
}
else
printk
(
" "
);
}
/* MAC logging for input path only. */
if
(
in
&&
!
out
)
dump_mac_header
(
loginfo
,
skb
);
dump_packet
(
loginfo
,
skb
,
skb_network_offset
(
skb
),
1
);
printk
(
"
\n
"
);
...
...
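Review bot: The ARPHRD_ETHER branch of dump_mac_header reads `eth_hdr(skb)->h_source`, `h_dest` and `h_proto` without the `dev->hard_header_len && skb->mac_header != skb->network_header` test that the fallback path (and the code removed from ip6t_log_packet) applies before reading the MAC header, so a packet whose mac header was never set would have the decoded fields read from wherever `skb->mac_header` points. If the input path guarantees a set mac header for every Ethernet device, a comment to that effect on the `case ARPHRD_ETHER:` line is enough; otherwise move the test ahead of the switch, `if (!dev->hard_header_len || skb->mac_header == skb->network_header) goto fallback;`, which degrades to the existing `"MAC= "` output. The same applies to the ipt_LOG.c copy of this function. The ARPHRD_SIT handling (`p -= ETH_HLEN` bounded by `skb->head`, then the `TUNNEL=` line) is carried over from the old inline code unchanged, which is fine, but the reason the pointer is rewound by one Ethernet header deserves the comment it never had.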
net/netfilter/Kconfig
...
...
@@ -40,27 +40,6 @@ config NF_CONNTRACK
if NF_CONNTRACK
config NF_CT_ACCT
bool "Connection tracking flow accounting"
depends on NETFILTER_ADVANCED
help
If this option is enabled, the connection tracking code will
keep per-flow packet and byte counters.
Those counters can be used for flow-based accounting or the
`connbytes' match.
Please note that currently this option only sets a default state.
You may change it at boot time with nf_conntrack.acct=0/1 kernel
parameter or by loading the nf_conntrack module with acct=0/1.
You may also disable/enable it on a running system with:
sysctl net.netfilter.nf_conntrack_acct=0/1
This option will be removed in 2.6.29.
If unsure, say `N'.
config NF_CONNTRACK_MARK
bool 'Connection mark tracking support'
depends on NETFILTER_ADVANCED
...
...
@@ -515,7 +494,7 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TEE
tristate '"TEE" - packet cloning to alternate desti
an
tion'
tristate '"TEE" - packet cloning to alternate desti
na
tion'
depends on NETFILTER_ADVANCED
depends on (IPV6 || IPV6=n)
depends on !NF_CONNTRACK || NF_CONNTRACK
...
...
@@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
select NF_CT_ACCT
help
This option adds a `connbytes' match, which allows you to match the
number of bytes and/or packets for each direction within a connection.
...
...
net/netfilter/ipvs/ip_vs_conn.c
...
...
@@ -158,6 +158,9 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
unsigned
hash
;
int
ret
;
if
(
cp
->
flags
&
IP_VS_CONN_F_ONE_PACKET
)
return
0
;
/* Hash by protocol, client address and port */
hash
=
ip_vs_conn_hashkey
(
cp
->
af
,
cp
->
protocol
,
&
cp
->
caddr
,
cp
->
cport
);
...
...
@@ -359,8 +362,9 @@ struct ip_vs_conn *ip_vs_conn_out_get
*/
void
ip_vs_conn_put
(
struct
ip_vs_conn
*
cp
)
{
/* reset it expire in its timeout */
mod_timer
(
&
cp
->
timer
,
jiffies
+
cp
->
timeout
);
unsigned
long
t
=
(
cp
->
flags
&
IP_VS_CONN_F_ONE_PACKET
)
?
0
:
cp
->
timeout
;
mod_timer
(
&
cp
->
timer
,
jiffies
+
t
);
__ip_vs_conn_put
(
cp
);
}
...
...
@@ -653,7 +657,7 @@ static void ip_vs_conn_expire(unsigned long data)
/*
* unhash it if it is hashed in the conn table
*/
if
(
!
ip_vs_conn_unhash
(
cp
))
if
(
!
ip_vs_conn_unhash
(
cp
)
&&
!
(
cp
->
flags
&
IP_VS_CONN_F_ONE_PACKET
)
)
goto
expire_later
;
/*
...
...
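Review bot: ip_vs_conn_put now arms the timer with `jiffies + 0` for IP_VS_CONN_F_ONE_PACKET connections, which only makes sense to a reader who already knows that ip_vs_conn_hash refuses to hash them (first hunk) and that they must be torn down as soon as the last reference drops; a comment on the new line, `/* one-packet connections are never hashed or reused: expire on the next tick */`, would save that cross-reference. The old comment `/* reset it expire in its timeout */` no longer describes the code and should go if it survived the edit (the rendered view does not show which side it is on). In ip_vs_conn_expire the added `&& !(cp->flags & IP_VS_CONN_F_ONE_PACKET)` presumably compensates for ip_vs_conn_unhash reporting "not hashed" for these connections; that deserves the same one-line explanation next to the condition. ip_vs_conn_expire starts before its hunk.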
net/netfilter/ipvs/ip_vs_core.c
...
...
@@ -194,6 +194,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
struct
ip_vs_dest
*
dest
;
struct
ip_vs_conn
*
ct
;
__be16
dport
;
/* destination port to forward */
__be16
flags
;
union
nf_inet_addr
snet
;
/* source network of the client,
after masking */
...
...
@@ -340,6 +341,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
dport
=
ports
[
1
];
}
flags
=
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
&&
iph
.
protocol
==
IPPROTO_UDP
)
?
IP_VS_CONN_F_ONE_PACKET
:
0
;
/*
* Create a new connection according to the template
*/
...
...
@@ -347,7 +352,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
&
iph
.
saddr
,
ports
[
0
],
&
iph
.
daddr
,
ports
[
1
],
&
dest
->
addr
,
dport
,
0
,
flags
,
dest
);
if
(
cp
==
NULL
)
{
ip_vs_conn_put
(
ct
);
...
...
@@ -377,7 +382,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
struct
ip_vs_conn
*
cp
=
NULL
;
struct
ip_vs_iphdr
iph
;
struct
ip_vs_dest
*
dest
;
__be16
_ports
[
2
],
*
pptr
;
__be16
_ports
[
2
],
*
pptr
,
flags
;
ip_vs_fill_iphdr
(
svc
->
af
,
skb_network_header
(
skb
),
&
iph
);
pptr
=
skb_header_pointer
(
skb
,
iph
.
len
,
sizeof
(
_ports
),
_ports
);
...
...
@@ -407,6 +412,10 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
return
NULL
;
}
flags
=
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
&&
iph
.
protocol
==
IPPROTO_UDP
)
?
IP_VS_CONN_F_ONE_PACKET
:
0
;
/*
* Create a connection entry.
*/
...
...
@@ -414,7 +423,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
&
iph
.
saddr
,
pptr
[
0
],
&
iph
.
daddr
,
pptr
[
1
],
&
dest
->
addr
,
dest
->
port
?
dest
->
port
:
pptr
[
1
],
0
,
flags
,
dest
);
if
(
cp
==
NULL
)
return
NULL
;
...
...
@@ -464,6 +473,9 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
if
(
sysctl_ip_vs_cache_bypass
&&
svc
->
fwmark
&&
unicast
)
{
int
ret
,
cs
;
struct
ip_vs_conn
*
cp
;
__u16
flags
=
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
&&
iph
.
protocol
==
IPPROTO_UDP
)
?
IP_VS_CONN_F_ONE_PACKET
:
0
;
union
nf_inet_addr
daddr
=
{
.
all
=
{
0
,
0
,
0
,
0
}
};
ip_vs_service_put
(
svc
);
...
...
@@ -474,7 +486,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
&
iph
.
saddr
,
pptr
[
0
],
&
iph
.
daddr
,
pptr
[
1
],
&
daddr
,
0
,
IP_VS_CONN_F_BYPASS
,
IP_VS_CONN_F_BYPASS
|
flags
,
NULL
);
if
(
cp
==
NULL
)
return
NF_DROP
;
...
...
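Review bot: In ip_vs_sched_persist and ip_vs_schedule the new `flags` local is declared `__be16` (`__be16 flags;` and `__be16 _ports[2], *pptr, flags;`) yet holds the host-order bit IP_VS_CONN_F_ONE_PACKET and is passed as the connection-flags argument, while ip_vs_leave declares the same value `__u16`; `__be16` is a byte-order annotated type, so this is both inconsistent and a sparse endianness warning waiting to happen. Declare all three as `unsigned int` (or `__u16` if that is what ip_vs_conn_new takes; its prototype is not visible here) and keep it out of the `__be16 _ports[2], *pptr` declaration, which is about wire-format ports. The expression `svc->flags & IP_VS_SVC_F_ONEPACKET && iph.protocol == IPPROTO_UDP` is correct by precedence but is now written three times; parenthesising the `&` term or adding a small `static inline` helper would make the UDP-only rule explicit in one place. All three functions start before and end after their hunks.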
net/netfilter/ipvs/ip_vs_ctl.c
...
...
@@ -1864,14 +1864,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
svc
->
scheduler
->
name
);
else
#endif
seq_printf
(
seq
,
"%s %08X:%04X %s "
,
seq_printf
(
seq
,
"%s %08X:%04X %s
%s
"
,
ip_vs_proto_name
(
svc
->
protocol
),
ntohl
(
svc
->
addr
.
ip
),
ntohs
(
svc
->
port
),
svc
->
scheduler
->
name
);
svc
->
scheduler
->
name
,
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
)
?
"ops "
:
""
);
}
else
{
seq_printf
(
seq
,
"FWM %08X %s "
,
svc
->
fwmark
,
svc
->
scheduler
->
name
);
seq_printf
(
seq
,
"FWM %08X %s %s"
,
svc
->
fwmark
,
svc
->
scheduler
->
name
,
(
svc
->
flags
&
IP_VS_SVC_F_ONEPACKET
)
?
"ops "
:
""
);
}
if
(
svc
->
flags
&
IP_VS_SVC_F_PERSISTENT
)
...
...
net/netfilter/nf_conntrack_acct.c
...
...
@@ -17,13 +17,7 @@
#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_acct.h>
#ifdef CONFIG_NF_CT_ACCT
#define NF_CT_ACCT_DEFAULT 1
#else
#define NF_CT_ACCT_DEFAULT 0
#endif
static
int
nf_ct_acct
__read_mostly
=
NF_CT_ACCT_DEFAULT
;
static
int
nf_ct_acct
__read_mostly
;
module_param_named
(
acct
,
nf_ct_acct
,
bool
,
0644
);
MODULE_PARM_DESC
(
acct
,
"Enable connection tracking flow accounting."
);
...
...
@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net)
net
->
ct
.
sysctl_acct
=
nf_ct_acct
;
if
(
net_eq
(
net
,
&
init_net
))
{
#ifdef CONFIG_NF_CT_ACCT
printk
(
KERN_WARNING
"CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
\n
"
);
printk
(
KERN_WARNING
"nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
\n
"
);
printk
(
KERN_WARNING
"sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
\n
"
);
#endif
ret
=
nf_ct_extend_register
(
&
acct_extend
);
if
(
ret
<
0
)
{
printk
(
KERN_ERR
"nf_conntrack_acct: Unable to register extension
\n
"
);
...
...
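Review bot: `static int nf_ct_acct __read_mostly;` now relies on implicit zero-initialisation to make accounting off by default, and the Kconfig and kernel-parameters.txt hunks in this commit tell users the default is 0; a comment on the definition, `/* off by default; enable with nf_conntrack.acct=1, the acct module option or the sysctl */`, ties the three together for the next reader. The variable is an `int` registered with `module_param_named(acct, nf_ct_acct, bool, 0644)`; this kernel's moduleparam accepts that pairing, but declaring it `bool` matches the parameter type and the `bool enable` argument that nf_ct_set_acct in nf_conntrack_acct.h now takes. The removed CONFIG_NF_CT_ACCT warning block is the only place that told users the default had moved; with it gone, the comment above is the remaining breadcrumb.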
net/netfilter/xt_IDLETIMER.c
...
...
@@ -36,6 +36,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_IDLETIMER.h>
#include <linux/kdev_t.h>
#include <linux/kobject.h>
#include <linux/workqueue.h>
#include <linux/sysfs.h>
...
...
net/netfilter/xt_connbytes.c
...
...
@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
if
(
ret
<
0
)
pr_info
(
"cannot load conntrack support for proto=%u
\n
"
,
par
->
family
);
/*
* This filter cannot function correctly unless connection tracking
* accounting is enabled, so complain in the hope that someone notices.
*/
if
(
!
nf_ct_acct_enabled
(
par
->
net
))
{
pr_warning
(
"Forcing CT accounting to be enabled
\n
"
);
nf_ct_set_acct
(
par
->
net
,
true
);
}
return
ret
;
}
...
...
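Review bot: connbytes_mt_check turns on the netns-wide accounting sysctl as a side effect of inserting one rule, and nothing in this file reverts it when the rule is removed, so the pr_warning is the only trace an administrator gets that a global setting changed; the new comment should say so, e.g. `/* ... Enabling it here flips net.netfilter.nf_conntrack_acct for the whole namespace and leaves it on after this rule is deleted. */`. Connections that already exist at this point were presumably created without the accounting extension (nf_ct_acct_ext_add is not visible here), so the match stays ineffective for them until they expire; if that is the accepted behaviour, the same comment is the place to say it. The `if (ret < 0)` branch above only logs and then falls through to the accounting check and `return ret;`, which is existing behaviour but worth a glance: the accounting sysctl is flipped even when conntrack support for the family failed to load. connbytes_mt_check starts before its hunk.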