summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'master' of ↵David S. Miller2008-04-14105-1032/+2383
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.26
| * [NETFILTER]: nf_conntrack: fix incorrect check for expectationsPatrick McHardy2008-04-141-1/+1
| | | | | | | | | | | | | | The expectation classes changed help->expectations to an array, fix use as scalar value. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: bridge: add ebt_nflog watcherPeter Warasin2008-04-144-0/+110
| | | | | | | | | | | | | | | | This patch adds the ebtables nflog watcher to the kernel in order to allow ebtables log through the nfnetlink_log backend. Signed-off-by: Peter Warasin <peter@endian.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: replace NF_CT_DUMP_TUPLE macro indrection by ↵Jan Engelhardt2008-04-1412-32/+30
| | | | | | | | | | | | | | | | | | | | function call Directly call IPv4 and IPv6 variants where the address family is easily known. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: const annotations in nf_conntrack_sctp, ↵Jan Engelhardt2008-04-143-8/+13
| | | | | | | | | | | | | | nf_nat_proto_gre Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: use bool type in nf_nat_protoJan Engelhardt2008-04-1411-87/+87
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_tuple.hJan Engelhardt2008-04-144-38/+38
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l4protoJan Engelhardt2008-04-1410-132/+125
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l3protoJan Engelhardt2008-04-144-24/+24
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: Remove unused callbacks in nf_conntrack_l3protoJan Engelhardt2008-04-141-11/+0
| | | | | | | | | | | | | | These functions are never called. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: add tuplehash l3num/protonum accessorsPatrick McHardy2008-04-1416-94/+64
| | | | | | | | | | | | | | Add accessors for l3num and protonum and get rid of some overly long expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack_tcp: catch invalid state updates over ctnetlinkPatrick McHardy2008-04-141-2/+4
| | | | | | | | | | | | | | Invalid states can cause out-of-bound memory accesses of the state table. Also don't insist on having a new state contained in the netlink message. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: kill helper and seq_adjust hooksPatrick McHardy2008-04-146-67/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Connection tracking helpers (specifically FTP) need to be called before NAT sequence numbers adjustments are performed to be able to compare them against previously seen ones. We've introduced two new hooks around 2.6.11 to maintain this ordering when NAT modules were changed to get called from conntrack helpers directly. The cost of netfilter hooks is quite high and sequence number adjustments are only rarely needed however. Add a RCU-protected sequence number adjustment function pointer and call it from IPv4 conntrack after calling the helper. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack_extend: warn on confirmed conntracksPatrick McHardy2008-04-142-8/+4
| | | | | | | | | | | | | | | | | | New extensions may only be added to unconfirmed conntracks to avoid races when reallocating the storage. Also change NF_CT_ASSERT to use WARN_ON to get backtraces. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: don't add NAT extension for confirmed conntracksPatrick McHardy2008-04-143-26/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding extensions to confirmed conntracks is not allowed to avoid races on reallocation. Don't setup NAT for confirmed conntracks in case NAT module is loaded late. The has one side-effect, the connections existing before the NAT module was loaded won't enter the bysource hash. The only case where this actually makes a difference is in case of SNAT to a multirange where the IP before NAT is also part of the range. Since old connections don't enter the bysource hash the first new connection from the IP will have a new address selected. This shouldn't matter at all. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: remove obsolete check for ICMP redirectsPatrick McHardy2008-04-141-14/+1
| | | | | | | | | | | | | | | | | | Locally generated ICMP packets have a reference to the conntrack entry of the original packet manually attached by icmp_send(). Therefore the check for locally originated untracked ICMP redirects can never be true. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: add SCTP protocol supportPatrick McHardy2008-04-144-2/+106
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: add DCCP protocol supportPatrick McHardy2008-04-144-2/+118
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: add DCCP protocol supportPatrick McHardy2008-04-147-0/+883
| | | | | | | | | | | | | | Add DCCP conntrack helper. Thanks to Gerrit Renker <gerrit@erg.abdn.ac.uk> for review and testing. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: Add partial checksum validation helperPatrick McHardy2008-04-144-40/+94
| | | | | | | | | | | | | | | | | | | | Move the UDP-Lite conntrack checksum validation to a generic helper similar to nf_checksum() and make it fall back to nf_checksum() in case the full packet is to be checksummed and hardware checksums are available. This is to be used by DCCP conntrack, which also needs to verify partial checksums. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: add UDP-Lite supportPatrick McHardy2008-04-144-2/+109
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: remove unused name from struct nf_nat_protocolPatrick McHardy2008-04-146-8/+0
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack_netlink: clean up NAT protocol parsingPatrick McHardy2008-04-142-25/+8
| | | | | | | | | | | | | | | | Move responsibility for setting the IP_NAT_RANGE_PROTO_SPECIFIED flag to the NAT protocol, properly propagate errors and get rid of ugly return value convention. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: move NAT ctnetlink helpers to nf_nat_proto_commonPatrick McHardy2008-04-147-52/+50
| | | | | | | | | | | | | | Move to nf_nat_proto_common and rename to nf_nat_proto_... since they're also used by protocols that don't have port numbers. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: fix random mode not to overwrite port roverPatrick McHardy2008-04-141-5/+10
| | | | | | | | | | | | | | The port rover should not get overwritten when using random mode, otherwise other rules will also use more or less random ports. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_nat: add helpers for common NAT protocol operationsPatrick McHardy2008-04-146-141/+106
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add generic ->in_range and ->unique_tuple ops to avoid duplicating them again and again for future NAT modules and save a few bytes of text: net/ipv4/netfilter/nf_nat_proto_tcp.c: tcp_in_range | -62 (removed) tcp_unique_tuple | -259 # 271 -> 12, # inlines: 1 -> 0, size inlines: 7 -> 0 2 functions changed, 321 bytes removed net/ipv4/netfilter/nf_nat_proto_udp.c: udp_in_range | -62 (removed) udp_unique_tuple | -259 # 271 -> 12, # inlines: 1 -> 0, size inlines: 7 -> 0 2 functions changed, 321 bytes removed net/ipv4/netfilter/nf_nat_proto_gre.c: gre_in_range | -62 (removed) 1 function changed, 62 bytes removed vmlinux: 5 functions changed, 704 bytes removed Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: {ip,ip6,arp}_tables: return EAGAIN for invalid SO_GET_ENTRIES sizePatrick McHardy2008-04-143-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rule dumping is performed in two steps: first userspace gets the ruleset size using getsockopt(SO_GET_INFO) and allocates memory, then it calls getsockopt(SO_GET_ENTRIES) to actually dump the ruleset. When another process changes the ruleset in between the sizes from the first getsockopt call doesn't match anymore and the kernel aborts. Unfortunately it returns EAGAIN, as for multiple other possible errors, so userspace can't distinguish this case from real errors. Return EAGAIN so userspace can retry the operation. Fixes (with current iptables SVN version) netfilter bugzilla #104. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack_sip: clear address in parse_addr()Patrick McHardy2008-04-141-0/+1
| | | | | | | | | | | | | | Some callers pass uninitialized structures, clear the address to make sure later comparisions work properly. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: Explicitly initialize .priority in arptable_filterJan Engelhardt2008-04-141-0/+3
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: remove arpt_(un)register_target indirection macrosJan Engelhardt2008-04-142-10/+3
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: remove arpt_target indirection macroJan Engelhardt2008-04-143-6/+5
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: remove arpt_table indirection macroJan Engelhardt2008-04-143-21/+19
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: annotate rest of nf_nat_* with constJan Engelhardt2008-04-143-17/+16
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: annotate rest of nf_conntrack_* with constJan Engelhardt2008-04-145-14/+17
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: annotate {arp,ip,ip6,x}tables with constJan Engelhardt2008-04-146-56/+59
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: annotate xtables targets with const and remove castsJan Engelhardt2008-04-1421-38/+55
| | | | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: xt_sctp: simplify xt_sctp.hJan Engelhardt2008-04-141-49/+35
| | | | | | | | | | | | | | | | | | | | | | | | The use of xt_sctp.h flagged up -Wshadow warnings in userspace, which prompted me to look at it and clean it up. Basic operations have been directly replaced by library calls (memcpy, memset is both available in the kernel and userspace, and usually faster than a self-made loop). The is_set and is_clear functions now use a processing time shortcut, too. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: Use non-deprecated __RW_LOCK_UNLOCKED macroRobert P. J. Day2008-04-148-8/+8
| | | | | | | | | | Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: bridge netfilter: use non-deprecated __RW_LOCK_UNLOCKED macro.Robert P. J. Day2008-04-143-3/+3
| | | | | | | | | | Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: ip_tables: per-netns FILTER/MANGLE/RAW tables for realAlexey Dobriyan2008-04-144-13/+115
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 9335f047fe61587ec82ff12fbb1220bcfdd32006 aka "[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW" added per-netns _view_ of iptables rules. They were shown to user, but ignored by filtering code. Now that it's possible to at least ping loopback, per-netns tables can affect filtering decisions. netns is taken in case of PRE_ROUTING, LOCAL_IN -- from in device, POST_ROUTING, LOCAL_OUT -- from out device, FORWARD -- from in device which should be equal to out device's netns. This code is relatively new, so BUG_ON was plugged. Wrappers were added to a) keep code the same from CONFIG_NET_NS=n users (overwhelming majority), b) consolidate code in one place -- similar changes will be done in ipv6 and arp netfilter code. Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: {ip,ip6}t_LOG: print MARK value in log outputPatrick McHardy2008-04-142-2/+10
| | | | | | | | | | | | | | | | Dump the mark value in log messages similar to nfnetlink_log. This is useful for debugging complex setups where marks are used for routing or traffic classification. Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [NETFILTER]: nf_conntrack: less hairy ifdefs around proc and sysctlAlexey Dobriyan2008-04-141-40/+76
| | | | | | | | | | | | | | | | | | | | Patch splits creation of /proc/net/nf_conntrack, /proc/net/stat/nf_conntrack and net.netfilter hierarchy into their own functions with dummy ones if PROC_FS or SYSCTL is not set. Also, remove dead "ret = 0" write while I'm at it. Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | [SOCK]: Add some notes about per-bind-bucket sock lookup.Pavel Emelyanov2008-04-142-0/+11
| | | | | | | | | | | | | | | | | | | | | | I was asked about "why don't we perform a sk_net filtering in bind_conflict calls, like we do in other sock lookup places" for a couple of times. Can we please add a comment about why we do not need one? Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [DCCP]: Fix comment about control sockets.Pavel Emelyanov2008-04-142-2/+2
| | | | | | | | | | | | | | | | | | | | These sockets now have a bit other names and are no longer global. Shame on me, I haven't provided a good comment for this when sending DCCP netnsization patches. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2008-04-1469-358/+835
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/ehea/ehea_main.c drivers/net/wireless/iwlwifi/Kconfig drivers/net/wireless/rt2x00/rt61pci.c net/ipv4/inet_timewait_sock.c net/ipv6/raw.c net/mac80211/ieee80211_sta.c
| * [BRIDGE]: Fix crash in __ip_route_output_key with bridge netfilterPatrick McHardy2008-04-141-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The bridge netfilter code attaches a fake dst_entry with a pointer to a fake net_device structure to skbs it passes up to IPv4 netfilter. This leads to crashes when the skb is passed to __ip_route_output_key when dereferencing the namespace pointer. Since bridging can currently only operate in the init_net namespace, the easiest fix for now is to initialize the nd_net pointer of the fake net_device struct to &init_net. Should fix bugzilla 10323: http://bugzilla.kernel.org/show_bug.cgi?id=10323 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NETFILTER]: ipt_CLUSTERIP: fix race between clusterip_config_find_get and ↵Pavel Emelyanov2008-04-141-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | _entry_put Consider we are putting a clusterip_config entry with the "entries" count == 1, and on the other CPU there's a clusterip_config_find_get in progress: CPU1: CPU2: clusterip_config_entry_put: clusterip_config_find_get: if (atomic_dec_and_test(&c->entries)) { /* true */ read_lock_bh(&clusterip_lock); c = __clusterip_config_find(clusterip); /* found - it's still in list */ ... atomic_inc(&c->entries); read_unlock_bh(&clusterip_lock); write_lock_bh(&clusterip_lock); list_del(&c->list); write_unlock_bh(&clusterip_lock); ... dev_put(c->dev); Oops! We have an entry returned by the clusterip_config_find_get, which is a) not in list b) has a stale dev pointer. The problems will happen when the CPU2 will release the entry - it will remove it from the list for the 2nd time, thus spoiling it, and will put a stale dev pointer. The fix is to make atomic_dec_and_test under the clusterip_lock. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * [IPV6] ADDRCONF: Don't generate temporary address for ip6-ip6 interface.YOSHIFUJI Hideaki2008-04-131-2/+1
| | | | | | | | | | | | | | | | | | | | As far as I can remember, I was going to disable privacy extensions on all "tunnel" interfaces. Disable it on ip6-ip6 interface as well. Also, just remove ifdefs for SIT for simplicity. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV6] ADDRCONF: Ensure disabling multicast RS even if privacy extensions ↵YOSHIFUJI Hideaki2008-04-131-7/+9
| | | | | | | | | | | | | | are disabled. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPV6]: Use appropriate sock tclass setting for routing lookup.YOSHIFUJI Hideaki2008-04-131-1/+1
| | | | | | | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
OpenPOWER on IntegriCloud