f229f6ce481ceb33a966311722b8ef0cb6c25de7 |
|
06-Apr-2013 |
Patrick McHardy <kaber@trash.net> |
netfilter: add my copyright statements Add copyright statements to all netfilter files which have had significant changes done by myself in the past. Some notes: - nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter Core Team when it got split out of nf_conntrack_core.c. The copyrights even state a date which lies six years before it was written. It was written in 2005 by Harald and myself. - net/ipv{4,6}/netfilter.c, net/netfitler/nf_queue.c were missing copyright statements. I've added the copyright statement from net/netfilter/core.c, where this code originated - for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want it to give the wrong impression Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
0d98da5d845e0d0293055913ce65c9904b3b902a |
|
07-Mar-2013 |
Gao feng <gaofeng@cn.fujitsu.com> |
netfilter: nf_conntrack: register pernet subsystem before register L4 proto In (c296bb4 netfilter: nf_conntrack: refactor l4proto support for netns) the l4proto gre/dccp/udplite/sctp registration happened before the pernet subsystem, which is wrong. Register pernet subsystem before register L4proto since after register L4proto, init_conntrack may try to access the resources which allocated in register_pernet_subsys. Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
c296bb4d5d417d466c9bcc8afef68a3db5449a64 |
|
23-Jan-2013 |
Gao feng <gaofeng@cn.fujitsu.com> |
netfilter: nf_conntrack: refactor l4proto support for netns Move the code that register/unregister l4proto to the module_init/exit context. Given that we have to modify some interfaces to accomodate these changes, it is a good time to use shorter function names for this using the nf_ct_* prefix instead of nf_conntrack_*, that is: nf_ct_l4proto_register nf_ct_l4proto_pernet_register nf_ct_l4proto_unregister nf_ct_l4proto_pernet_unregister We same many line breaks with it. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
f42c4183c781733b1947ae79916849574d86aced |
|
21-Jun-2012 |
Gao feng <gaofeng@cn.fujitsu.com> |
netfilter: nf_ct_sctp: merge sctpv[4,6]_net_init into sctp_net_init Merge sctpv4_net_init and sctpv6_net_init into sctp_net_init to remove redundant code now that we have the u_int16_t proto parameter. And use nf_proto_net.users to identify if it's the first time we use the nf_proto_net, in that case, we initialize i Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
f1caad274515ffd9841ac57ce9a7b5fc35bbf689 |
|
21-Jun-2012 |
Gao feng <gaofeng@cn.fujitsu.com> |
netfilter: nf_conntrack: prepare l4proto->init_net cleanup l4proto->init contain quite redundant code. We can simplify this by adding a new parameter l3proto. This patch prepares that code simplification. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
8264deb81853462da5cbcfb19b54c4fd9f3d88ba |
|
28-May-2012 |
Gao feng <gaofeng@cn.fujitsu.com> |
netfilter: nf_conntrack: add namespace support for cttimeout This patch adds namespace support for cttimeout. Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
e76d0af5e45f4152e3fdcc103b753a8aff93fcb5 |
|
05-Jun-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_conntrack: remove now unused sysctl for nf_conntrack_l[3|4]proto Since the sysctl data for l[3|4]proto now resides in pernet nf_proto_net. We can now remove this unused fields from struct nf_contrack_l[3,4]proto. Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
49d485a30f3058b2633f86f85efae04c824ceffe |
|
28-May-2012 |
Gao feng <gaofeng@cn.fujitsu.com> |
netfilter: nf_ct_sctp: add namespace support This patch adds namespace support for SCTP protocol tracker. Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
2c352f444ccfa966a1aa4fd8e9ee29381c467448 |
|
28-May-2012 |
Gao feng <gaofeng@cn.fujitus.com> |
netfilter: nf_conntrack: prepare namespace support for l4 protocol trackers This patch prepares the namespace support for layer 4 protocol trackers. Basically, this modifies the following interfaces: * nf_ct_[un]register_sysctl * nf_conntrack_l4proto_[un]register to include the namespace parameter. We still use init_net in this patch to prepare the ground for follow-up patches for each layer 4 protocol tracker. We add a new net_id field to struct nf_conntrack_l4proto that is used to store the pernet_operations id for each layer 4 protocol tracker. Note that AF_INET6's protocols do not need to do sysctl compat. Thus, we only register compat sysctl when l4proto.l3proto != AF_INET6. Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
5e8d1eb5fb51e5b9d266a611133fea808320ab97 |
|
02-Apr-2012 |
David S. Miller <davem@davemloft.net> |
nf_conntrack_proto_sctp: Stop using NLA_PUT*(). These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
|
50978462300f74dc48aea4a38471cb69bdf741a5 |
|
28-Feb-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: add cttimeout infrastructure for fine timeout tuning This patch adds the infrastructure to add fine timeout tuning over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT subsystem to create/delete/dump timeout objects that contain some specific timeout policy for one flow. The follow up patches will allow you attach timeout policy object to conntrack via the CT target and the conntrack extension infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
2c8503f55fbdfbeff4164f133df804cf4d316290 |
|
28-Feb-2012 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: nf_conntrack: pass timeout array to l4->new and l4->packet This patch defines a new interface for l4 protocol trackers: unsigned int *(*get_timeouts)(struct net *net); that is used to return the array of unsigned int that contains the timeouts that will be applied for this flow. This is passed to the l4proto->new(...) and l4proto->packet(...) functions to specify the timeout policy. This interface allows per-net global timeout configuration (although only DCCP supports this by now) and it will allow custom custom timeout configuration by means of follow-up patches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
c0cd115667bcd23c2a31fe2114beaab3608de68c |
|
12-Dec-2011 |
Igor Maravić <igorm@etf.rs> |
net:netfilter: use IS_ENABLED Use IS_ENABLED(CONFIG_FOO) instead of defined(CONFIG_FOO) || defined (CONFIG_FOO_MODULE) Signed-off-by: Igor Maravić <igorm@etf.rs> Signed-off-by: David S. Miller <davem@davemloft.net>
|
25985edcedea6396277003854657b5f3cb31a628 |
|
31-Mar-2011 |
Lucas De Marchi <lucas.demarchi@profusion.mobi> |
Fix common misspellings Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>
|
e5fc9e7a666e5964b60e05903b90aa832354b68c |
|
12-Nov-2010 |
Changli Gao <xiaosuo@gmail.com> |
netfilter: nf_conntrack: don't always initialize ct->proto ct->proto is big(60 bytes) due to structure ip_ct_tcp, and we don't need to initialize the whole for all the other protocols. This patch moves proto to the end of structure nf_conn, and pushes the initialization down to the individual protocols. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
654d0fbdc8fe1041918741ed5b6abc8ad6b4c1d8 |
|
13-May-2010 |
Stephen Hemminger <shemminger@vyatta.com> |
netfilter: cleanup printk messages Make sure all printk messages have a severity level. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
858b31330054a9ad259feceea0ad1ce5385c47f0 |
|
03-Feb-2010 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack: split up IPCT_STATUS event Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is generated when the IPS_ASSURED bit is set. In combination with a following patch to support selective event delivery, this can be used for "sparse" conntrack replication: start replicating the conntrack entry after it reached the ASSURED state and that way it's SYN-flood resistant. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f8572d8f2a2ba75408b97dc24ef47c83671795d7 |
|
05-Nov-2009 |
Eric W. Biederman <ebiederm@xmission.com> |
sysctl net: Remove unused binary sysctl code Now that sys_sysctl is a compatiblity wrapper around /proc/sys all sysctl strategy routines, and all ctl_name and strategy entries in the sysctl tables are unused, and can be revmoed. In addition neigh_sysctl_register has been modified to no longer take a strategy argument and it's callers have been modified not to pass one. Cc: "David Miller" <davem@davemloft.net> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: netdev@vger.kernel.org Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
|
440f0d588555892601cfe511728a0fc0c8204063 |
|
10-Jun-2009 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack: use per-conntrack locks for protocol data Introduce per-conntrack locks and use them instead of the global protocol locks to avoid contention. Especially tcp_lock shows up very high in profiles on larger machines. This will also allow to simplify the upcoming reliable event delivery patches. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
a400c30edb1958ceb53c4b8ce78989189b36df47 |
|
25-Mar-2009 |
Holger Eitzenberger <holger@eitzenberger.org> |
netfilter: nf_conntrack: calculate per-protocol nlattr size Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
328bd8997dbb7184d5389e45c642af44ae6e9043 |
|
24-Nov-2008 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_proto_sctp: avoid bogus warning net/netfilter/nf_conntrack_proto_sctp.c: In function 'sctp_packet': net/netfilter/nf_conntrack_proto_sctp.c:376: warning: array subscript is above array bounds gcc doesn't realize that do_basic_checks() guarantees that there is at least one valid chunk and thus new_state is never SCTP_CONNTRACK_MAX after the loop. Initialize to SCTP_CONNTRACK_NONE to avoid the warning. Based on patch by Wu Fengguang <wfg@linux.intel.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
6d9f239a1edb31d6133230f478fd1dc2da338ec5 |
|
04-Nov-2008 |
Alexey Dobriyan <adobriyan@gmail.com> |
net: '&' redux I want to compile out proc_* and sysctl_* handlers totally and stub them to NULL depending on config options, however usage of & will prevent this, since taking adress of NULL pointer will break compilation. So, drop & in front of every ->proc_handler and every ->strategy handler, it was never needed in fact. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
a71996fccce4b2086a26036aa3c915365ca36926 |
|
08-Oct-2008 |
Alexey Dobriyan <adobriyan@gmail.com> |
netfilter: netns nf_conntrack: pass conntrack to nf_conntrack_event_cache() not skb This is cleaner, we already know conntrack to which event is relevant. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
76108cea065cda58366d16a7eb6ca90d717a1396 |
|
08-Oct-2008 |
Jan Engelhardt <jengelh@medozas.de> |
netfilter: Use unsigned types for hooknum and pf vars and (try to) consistently use u_int8_t for the L3 family. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
5547cd0ae8b46db9a084505239294eed9b8c8e2d |
|
21-Jul-2008 |
Patrick McHardy <kaber@trash.net> |
netfilter: nf_conntrack_sctp: fix sparse warnings Introduced by a258860e (netfilter: ctnetlink: add full support for SCTP to ctnetlink): net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: incorrect type in argument 1 (different base types) net/netfilter/nf_conntrack_proto_sctp.c:483:2: expected unsigned int [unsigned] [usertype] x net/netfilter/nf_conntrack_proto_sctp.c:483:2: got restricted unsigned int const <noident> net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: incorrect type in argument 1 (different base types) net/netfilter/nf_conntrack_proto_sctp.c:487:2: expected unsigned int [unsigned] [usertype] x net/netfilter/nf_conntrack_proto_sctp.c:487:2: got restricted unsigned int const <noident> net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type net/netfilter/nf_conntrack_proto_sctp.c:532:42: warning: incorrect type in assignment (different base types) net/netfilter/nf_conntrack_proto_sctp.c:532:42: expected restricted unsigned int <noident> net/netfilter/nf_conntrack_proto_sctp.c:532:42: got unsigned int net/netfilter/nf_conntrack_proto_sctp.c:534:39: warning: incorrect type in assignment (different base types) net/netfilter/nf_conntrack_proto_sctp.c:534:39: expected restricted unsigned int <noident> net/netfilter/nf_conntrack_proto_sctp.c:534:39: got unsigned int Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
a258860e01b80e8f554a4ab1a6c95e6042eb8b73 |
|
10-Jun-2008 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: ctnetlink: add full support for SCTP to ctnetlink This patch adds full support for SCTP to ctnetlink. This includes three new attributes: state, original vtag and reply vtag. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
12c33aa20e1e248ac199d58076fcd4522acbff17 |
|
14-Apr-2008 |
Jan Engelhardt <jengelh@computergmbh.de> |
[NETFILTER]: nf_conntrack: const annotations in nf_conntrack_sctp, nf_nat_proto_gre Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
09f263cd39751cada63dec2dccc71e67c00bc38c |
|
14-Apr-2008 |
Jan Engelhardt <jengelh@computergmbh.de> |
[NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l4proto Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
c88130bcd546e73e66165f9c29113dae9facf1ec |
|
31-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: naming unification Rename all "conntrack" variables to "ct" for more consistency and avoiding some overly long lines. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
2f0d2f10391e190f940da70cbdc8a61e4dad98eb |
|
31-Jan-2008 |
Stephen Hemminger <shemminger@vyatta.com> |
[NETFILTER]: conntrack: get rid of sparse warnings Teach sparse about locking here, and fix signed/unsigned warnings. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
86c0bf4095b35b978540aa43b12840d138a0b376 |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: remove timeout indirection Instead of keeping pointers to the timeout values in a table, simply put the timeout values in the table directly. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
9b1c2cfd7a8b3840cf5c99d0560e641ff4a3425b |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: replace magic value by symbolic constant Use SCTP_CHUNK_FLAG_T instead of 0x1. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
4a64830af0fd4dbec908cfbab117def5086acd4a |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: don't take sctp_lock once per chunk Don't take and release the lock once per SCTP chunk, simply hold it the entire time while iterating through the chunks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
efe9f68afeaf2ce12636990a8c811fb1cc23b12b |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: rename "newconntrack" variable The name is misleading, it holds the new connection state, so rename it to "newstate". Also rename "oldsctpstate" to "oldstate" for consistency. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
b37e933ac7bdad2d587a6048babb8db2718460de |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: consolidate sctp_packet() error paths Consolidate error paths and use proper symbolic return value instead of magic values. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
8528819adc613e0b4bc3e5cb4123b4b33d2b03c4 |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: reduce line length further Eliminate a few lines over 80 characters by using a local variable to hold the conntrack direction instead of using CTINFO2DIR everywhere. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
112f35c9c164e06e038d506dd3eb15e76829ef8a |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: reduce line length Reduce the length of some overly long lines by renaming all "conntrack" variables to "ct". Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
35c6d3cbe1b97b860087f6082e764ac8da2a12b2 |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: use proper types for bitops Use unsigned long instead of char for the bitmap and removed lots of casts. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
5447d4777c48218e90844fa6f6e544119075faad |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_sctp: basic cleanups Reindent switch cases properly, get rid of weird constructs like "!(x == y)", put logical operations on the end of the line instead of the next line, get rid of superfluous braces. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
a5e73c29d9243cc2e889a9d7155f331923eee655 |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_{tcp,sctp}: shrink state table The TCP and SCTP conntrack state transition tables only holds small numbers, but gcc uses 4 byte per entry for the enum. Switching to an u8 reduces the size from 480 to 120 bytes for TCP and from 576 to 144 bytes for SCTP. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
77e2420b85573f57c2774775ead81ebb500b803d |
|
15-Jan-2008 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack_{tcp,sctp}: mark state table const Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
e79ec50b9587c175f65f98550d66ad5b96c05dd9 |
|
18-Dec-2007 |
Jan Engelhardt <jengelh@computergmbh.de> |
[NETFILTER]: Parenthesize macro parameters Parenthesize macro parameters. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
c7212e9d3938258abe3fd17d15bb0d5c1856b8df |
|
18-Dec-2007 |
Pablo Neira Ayuso <pablo@netfilter.org> |
[NETFILTER]: nf_conntrack_sctp: add ctnetlink support This patch adds support for SCTP to ctnetlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
064b5bba0cc495201729285c6a6ce205df0a386a |
|
18-Oct-2007 |
Eric W. Biederman <ebiederm@xmission.com> |
sysctl: remove broken netfilter binary sysctls No one has bothered to set strategy routine for the the netfilter sysctls that return jiffies to be sysctl_jiffies. So it appears the sys_sysctl path is unused and untested, so this patch removes the binary sysctl numbers. Which fixes the netfilter oops in 2.6.23-rc2-mm2 for me. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Cc: Patrick McHardy <kaber@trash.net> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
61075af51f252913401c41fbe94075b46c94e9f1 |
|
15-Jul-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: mark protocols __read_mostly Also remove two unnecessary EXPORT_SYMBOLs and move the nf_conntrack_l3proto_ipv4 declaration to the correct file. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
99d24edeb6abc6ca3a0d0fbdb83c664c04403c8c |
|
11-Jul-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876) When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
0d53778e81ac7af266dac8a20cc328328c327112 |
|
08-Jul-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: Convert DEBUGP to pr_debug Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
1b53d9042c04b8eb875d02e65792e9884efc3784 |
|
23-Mar-2007 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: Remove changelogs and CVS IDs Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
cd354f1ae75e6466a7e31b727faede57a1f89ca5 |
|
14-Feb-2007 |
Tim Schmielau <tim@physik3.uni-rostock.de> |
[PATCH] remove many unneeded #includes of sched.h After Al Viro (finally) succeeded in removing the sched.h #include in module.h recently, it makes sense again to remove other superfluous sched.h includes. There are quite a lot of files which include it but don't actually need anything defined in there. Presumably these includes were once needed for macros that used to live in sched.h, but moved to other header files in the course of cleaning it up. To ease the pain, this time I did not fiddle with any header files and only removed #includes from .c-files, which tend to cause less trouble. Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha, arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig, allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all configs in arch/arm/configs on arm. I also checked that no new warnings were introduced by the patch (actually, some warnings are removed that were emitted by unnecessarily included header files). Signed-off-by: Tim Schmielau <tim@physik3.uni-rostock.de> Acked-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
601e68e100b6bf8ba13a32db8faf92d43acaa997 |
|
12-Feb-2007 |
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> |
[NETFILTER]: Fix whitespace errors Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
d2483ddefd38b06053cdce7206382ca61f6282b1 |
|
03-Dec-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: add module aliases to IPv4 conntrack names Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
bff9a89bcac5b68ac0a1ea856b1726a35ae1eabb |
|
03-Dec-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: endian annotations Resync with Al Viro's ip_conntrack annotations and fix a missed spot in ip_nat_proto_icmp.c. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
a999e6837603e4b5a164333c93918a1292f074c8 |
|
29-Nov-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: sysctl compatibility with old connection tracking This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
933a41e7e12b773d1dd026018f02b86b5d257a22 |
|
29-Nov-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: nf_conntrack: move conntrack protocol sysctls to individual modules Signed-off-by: Patrick McHardy <kaber@trash.net>
|
605dcad6c85226e6d43387917b329d65b95cef39 |
|
29-Nov-2006 |
Martin Josefsson <gandalf@wlug.westbo.se> |
[NETFILTER]: nf_conntrack: rename struct nf_conntrack_protocol Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets rather confusing with 'nf_conntrack_protocol'. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f61801218a58381f498ae5c38ae3eae0bc73e976 |
|
29-Nov-2006 |
Martin Josefsson <gandalf@wlug.westbo.se> |
[NETFILTER]: nf_conntrack: split out the event cache This patch splits out the event cache into its own file nf_conntrack_ecache.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
94aec08ea426903a3fb3cafd4d8b900cd50df702 |
|
18-Sep-2006 |
Brian Haley <brian.haley@hp.com> |
[NETFILTER]: Change tunables to __read_mostly Change some netfilter tunables to __read_mostly. Also fixed some incorrect file reference comments while I was in there. (this will be my last __read_mostly patch unless someone points out something else that needs it) Signed-off-by: Brian Haley <brian.haley@hp.com> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
dd7271feba61d5dc0fab1cb5365db9926d35ea3a |
|
30-Jun-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: SCTP conntrack: fix crash triggered by packet without chunks When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up an pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present. Problem noticed by George A. Theall <theall@tenablesecurity.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
40a839fdbd5d76cebb2a61980bc1fc7ecd784be2 |
|
27-Jun-2006 |
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> |
[NETFILTER]: nf_conntrack: Fix undefined references to local_bh_* CC net/netfilter/nf_conntrack_proto_sctp.o net/netfilter/nf_conntrack_proto_sctp.c: In function `sctp_print_conntrack': net/netfilter/nf_conntrack_proto_sctp.c:206: warning: implicit declaration of function `local_bh_disable' net/netfilter/nf_conntrack_proto_sctp.c:208: warning: implicit declaration of function `local_bh_enable' CC net/netfilter/nf_conntrack_netlink.o net/netfilter/nf_conntrack_netlink.c: In function `ctnetlink_dump_table': net/netfilter/nf_conntrack_netlink.c:429: warning: implicit declaration of function `local_bh_disable' net/netfilter/nf_conntrack_netlink.c:452: warning: implicit declaration of function `local_bh_enable' Spotted by Toralf Förster Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
e17df688f7064dae1417ce425dd1e4b71d24d63b |
|
02-May-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER] SCTP conntrack: fix infinite loop fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar <mingo@elte.hu> CVE-2006-1527 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
65b4b4e81a5094d52cbe372b887b1779abe53f9b |
|
29-Mar-2006 |
Andrew Morton <akpm@osdl.org> |
[NETFILTER]: Rename init functions. Every netfilter module uses `init' for its module_init() function and `fini' or `cleanup' for its module_exit() function. Problem is, this creates uninformative initcall_debug output and makes ctags rather useless. So go through and rename them all to $(filename)_init and $(filename)_fini. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
babbdb1a18d37e57acae7e348ef122f2b905df0a |
|
10-Jan-2006 |
Patrick McHardy <kaber@trash.net> |
[NETFILTER]: Fix timeout sysctls on big-endian 64bit architectures The connection tracking timeout variables are unsigned long, but proc_dointvec_jiffies is used with sizeof(unsigned int) in the sysctl tables. Since there is no proc_doulongvec_jiffies function, change the timeout variables to unsigned int. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
|
9fb9cbb1082d6b31fb45aa1a14432449a0df6cf1 |
|
10-Nov-2005 |
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> |
[NETFILTER]: Add nf_conntrack subsystem. The existing connection tracking subsystem in netfilter can only handle ipv4. There were basically two choices present to add connection tracking support for ipv6. We could either duplicate all of the ipv4 connection tracking code into an ipv6 counterpart, or (the choice taken by these patches) we could design a generic layer that could handle both ipv4 and ipv6 and thus requiring only one sub-protocol (TCP, UDP, etc.) connection tracking helper module to be written. In fact nf_conntrack is capable of working with any layer 3 protocol. The existing ipv4 specific conntrack code could also not deal with the pecularities of doing connection tracking on ipv6, which is also cured here. For example, these issues include: 1) ICMPv6 handling, which is used for neighbour discovery in ipv6 thus some messages such as these should not participate in connection tracking since effectively they are like ARP messages 2) fragmentation must be handled differently in ipv6, because the simplistic "defrag, connection track and NAT, refrag" (which the existing ipv4 connection tracking does) approach simply isn't feasible in ipv6 3) ipv6 extension header parsing must occur at the correct spots before and after connection tracking decisions, and there were no provisions for this in the existing connection tracking design 4) ipv6 has no need for stateful NAT The ipv4 specific conntrack layer is kept around, until all of the ipv4 specific conntrack helpers are ported over to nf_conntrack and it is feature complete. Once that occurs, the old conntrack stuff will get placed into the feature-removal-schedule and we will fully kill it off 6 months later. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|