1. 02 Dec, 2006 1 commit
  2. 04 Oct, 2006 1 commit
  3. 28 Sep, 2006 1 commit
  4. 22 Sep, 2006 3 commits
  5. 30 Jun, 2006 1 commit
  6. 04 May, 2006 1 commit
  7. 09 Apr, 2006 2 commits
  8. 28 Mar, 2006 1 commit
  9. 24 Mar, 2006 1 commit
  10. 19 Feb, 2006 1 commit
    • [NETFILTER]: Fix outgoing redirects to loopback · 8e249f08
      Patrick McHardy authored

      When redirecting an outgoing packet to loopback, it keeps the original
      conntrack reference and information from the outgoing path, which
      falsely triggers the check for DNAT on input and the dst_entry is
      released to trigger rerouting. ip_route_input refuses to route the
      packet because it has a local source address and it is dropped.

      Look at the packet itself to determine if it was NATed. Also fix a
      missing inversion that causes unnecessary xfrm lookups.

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  11. 15 Feb, 2006 1 commit
    • [NETFILTER]: Fix xfrm lookup after SNAT · ee68cea2
      Patrick McHardy authored

      To find out if a packet needs to be handled by IPsec after SNAT, packets
      are currently rerouted in POST_ROUTING and a new xfrm lookup is done. This
      breaks SNAT of non-unicast packets to non-local addresses because the
      packet is routed as incoming packet and no neighbour entry is bound to the
      dst_entry. In general, it seems to be a bad idea to replace the dst_entry
      after the packet was already sent to the output routine because its state
      might not match what's expected.

      This patch changes the xfrm lookup in POST_ROUTING to re-use the original
      dst_entry without routing the packet again. This means no policy routing
      can be used for transport mode transforms (which keep the original route)
      when packets are SNATed to match the policy, but it looks like the best
      we can do for now.

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  12. 05 Feb, 2006 1 commit
  13. 12 Jan, 2006 1 commit
    • [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables · 2e4e6a17
      Harald Welte authored

      This monster-patch tries to do the best job for unifying the data
      structures and backend interfaces for the three evil clones ip_tables,
      ip6_tables and arp_tables.  In an ideal world we would never have
      allowed this kind of copy+paste programming... but well, our world
      isn't (yet?) ideal.

      o introduce a new x_tables module
      o {ip,arp,ip6}_tables depend on this x_tables module
      o registration functions for tables, matches and targets are only
        wrappers around x_tables provided functions
      o all matches/targets that are used from ip_tables and ip6_tables
        are now implemented as xt_FOOBAR.c files and provide module aliases
        to ipt_FOOBAR and ip6t_FOOBAR
      o header files for xt_matches are in include/linux/netfilter/,
        include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
        around the xt_FOOBAR.h headers

      Based on this patchset we're going to further unify the code,
      gradually getting rid of all the layer 3 specific assumptions.

      Signed-off-by: Harald Welte <laforge@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  14. 07 Jan, 2006 3 commits
  15. 05 Jan, 2006 1 commit
  16. 26 Sep, 2005 1 commit
    • [NETFILTER]: Fix invalid module autoloading by splitting iptable_nat · 188bab3a
      Harald Welte authored

      When you've enabled conntrack and NAT as a module (standard case in all
      distributions), and you've also enabled the new conntrack netlink
      interface, loading ip_conntrack_netlink.ko will auto-load iptable_nat.ko.
      This causes a huge performance penalty, since for every packet you iterate
      the nat code, even if you don't want it.

      This patch splits iptable_nat.ko into the NAT core (ip_nat.ko) and the
      iptables frontend (iptable_nat.ko).  Therefore, ip_conntrack_netlink.ko will
      only pull ip_nat.ko, but not the frontend.  ip_nat.ko will "only" allocate
      some resources, but not affect runtime performance.

      This separation is also a nice step in anticipation of new packet filters
      (nf-hipac, ipset, pkttables) being able to use the NAT core.

      Signed-off-by: Harald Welte <laforge@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  17. 06 Sep, 2005 1 commit
    • [NETFILTER]: Handle NAT module load race · 03486a4f
      Patrick McHardy authored

      When the NAT module is loaded when connections are already confirmed
      it must not change their tuples anymore. This is especially important
      with CONFIG_NETFILTER_DEBUG, the netfilter listhelp functions will
      refuse to remove an entry from a list when it can not be found on
      the list, so when a changed tuple hashes to a new bucket the entry
      is kept in the list until and after the conntrack is freed.

      Allocate the exact conntrack tuple for NAT for already confirmed
      connections or drop them if that fails.

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  18. 29 Aug, 2005 2 commits
    • [NETFILTER]: Add ctnetlink subsystem · 080774a2
      Harald Welte authored

      Add ctnetlink subsystem for userspace-access to ip_conntrack table.
      This allows reading and updating of existing entries, as well as
      creating new ones (and new expects) via nfnetlink.

      Please note the 'strange' byte order: nfattr (tag+length) are in host
      byte order, while the payload is always guaranteed to be in network
      byte order.  This allows a simple userspace process to encapsulate netlink
      messages into arch-independent udp packets by just processing/swapping the
      headers and not knowing anything about the actual payload.

      Signed-off-by: Harald Welte <laforge@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
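      The byte-order convention this message describes (attribute header in host
      byte order, payload already in network byte order), shown as an added
      example that is not kernel code and not part of the ctnetlink patch. The
      struct nfattr layout and the NFA_* macros follow the nfnetlink header of
      that era; nfa_put, nfa_swap_headers and nfa_demo_roundtrip are hypothetical
      helpers written for this example, and the address and port are constructed
      sample values. nfa_swap_headers is the "just swap the headers" step a
      forwarding process would run before and after putting the message on the
      wire: it walks the attributes, converts only nfa_len and nfa_type, and
      rejects a length that does not fit the buffer instead of trusting it.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Attribute header as described in the commit: tag + length, both kept in
 * host byte order. Field names follow the kernel's struct nfattr. */
struct nfattr {
    uint16_t nfa_len;   /* header + payload length, host byte order */
    uint16_t nfa_type;  /* attribute tag, host byte order */
};

#define NFA_ALIGNTO     4
#define NFA_ALIGN(len)  (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
#define NFA_DATA(nfa)   ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))

/* Hypothetical helper: append one attribute whose payload the caller has
 * already converted to network byte order. Returns bytes consumed (aligned),
 * or 0 if it does not fit. */
static size_t nfa_put(unsigned char *buf, size_t cap, uint16_t type,
                      const void *payload, uint16_t plen)
{
    size_t total = NFA_ALIGN(NFA_LENGTH(plen));
    if (total > cap)
        return 0;
    struct nfattr *nfa = (struct nfattr *)buf;
    nfa->nfa_len = (uint16_t)NFA_LENGTH(plen);
    nfa->nfa_type = type;
    memcpy(NFA_DATA(nfa), payload, plen);
    memset((unsigned char *)NFA_DATA(nfa) + plen, 0, total - NFA_LENGTH(plen));
    return total;
}

/* Swap only the header fields of every attribute in buf[0..len).
 * from_wire == 0: headers are host order and become network order.
 * from_wire != 0: headers are network order and become host order.
 * The payload is never touched. Returns the attribute count, or -1 if a
 * length is smaller than a header or runs past the buffer. */
static int nfa_swap_headers(unsigned char *buf, size_t len, int from_wire)
{
    size_t off = 0;
    int count = 0;

    while (off + sizeof(struct nfattr) <= len) {
        struct nfattr *nfa = (struct nfattr *)(buf + off);
        uint16_t alen = from_wire ? ntohs(nfa->nfa_len) : nfa->nfa_len;

        if (alen < NFA_LENGTH(0) || off + alen > len)
            return -1;                      /* untrusted length: refuse */
        nfa->nfa_len  = from_wire ? ntohs(nfa->nfa_len)  : htons(nfa->nfa_len);
        nfa->nfa_type = from_wire ? ntohs(nfa->nfa_type) : htons(nfa->nfa_type);
        off += NFA_ALIGN(alen);
        if (off > len)
            off = len;                      /* last attribute may be unpadded */
        count++;
    }
    return off == len ? count : -1;         /* trailing garbage is an error */
}

/* Builds two attributes with constructed values, converts the headers to
 * wire order and back, and returns 0 or the number of the first failed check. */
static int nfa_demo_roundtrip(void)
{
    uint32_t raw[16];                       /* 4-byte aligned scratch buffer */
    unsigned char *buf = (unsigned char *)raw;
    uint32_t ip = htonl(0xC0A80001u);       /* constructed: 192.168.0.1 */
    uint16_t port = htons(8080);            /* constructed sample port */
    struct nfattr *first = (struct nfattr *)buf;

    size_t n1 = nfa_put(buf, sizeof raw, 1, &ip, sizeof ip);
    if (n1 != 8) return 1;                  /* 4-byte header + 4-byte payload */
    size_t n2 = nfa_put(buf + n1, sizeof raw - n1, 2, &port, sizeof port);
    if (n2 != 8) return 2;                  /* header + 2 bytes, padded to 8 */
    if (first->nfa_len != 8 || first->nfa_type != 1) return 3;

    if (nfa_swap_headers(buf, n1 + n2, 0) != 2) return 4;
    if (first->nfa_len != htons(8) || first->nfa_type != htons(1)) return 5;
    if (memcmp(NFA_DATA(first), &ip, sizeof ip) != 0) return 6; /* payload intact */

    if (nfa_swap_headers(buf, n1 + n2, 1) != 2) return 7;
    if (first->nfa_len != 8 || first->nfa_type != 1) return 8;
    return 0;
}
```

      Note the length check before the swap: a relay that byte-swaps headers
      from an untrusted peer must validate nfa_len against the buffer before
      using it to step to the next attribute, otherwise a crafted length walks
      the loop off the end of the buffer.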
    • [NETFILTER]: reduce netfilter sk_buff enlargement · 6869c4d8
      Harald Welte authored

      As discussed at netconf'05, we're trying to save every bit in sk_buff.
      The patch below makes sk_buff 8 bytes smaller.  I did some basic
      testing on my notebook and it seems to work.

      The only real in-tree user of nfcache was IPVS, who only needs a
      single bit.  Unfortunately I couldn't find some other free bit in
      sk_buff to stuff that bit into, so I introduced a separate field for
      them.  Maybe the IPVS guys can resolve that to further save space.

      Initially I wanted to shrink pkt_type to three bits (PACKET_HOST and
      alike are only 6 values defined), but unfortunately the bluetooth code
      overloads pkt_type :(

      The conntrack-event-api (out-of-tree) uses nfcache, but Rusty just
      came up with a way how to do it without any skb fields, so it's safe
      to remove it.

      - remove all never-implemented 'nfcache' code
      - don't have ipvs code abuse 'nfcache' field. currently gets their own
        compile-conditional skb->ipvs_property field.  IPVS maintainers can
        decide to move this bit elsewhere, but nfcache needs to die.
      - remove skb->nfcache field to save 4 bytes
      - move skb->nfctinfo into three unused bits to save further 4 bytes

      Signed-off-by: Harald Welte <laforge@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  19. 08 Aug, 2005 1 commit
    • [PATCH] don't try to do any NAT on untracked connections · 8b83bc77
      Harald Welte authored

      With the introduction of 'rustynat' in 2.6.11, the old tricks of preventing
      NAT of 'untracked' connections (e.g. NOTRACK target in 'raw' table) are no
      longer sufficient.

      The ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK effectively
      prevents iteration of the 'nat' table, but doesn't prevent nat_packet()
      to be executed.  Since nr_manips is gone in 'rustynat', nat_packet() now
      implicitly thinks that it has to do NAT on the packet.

      This patch fixes that problem by explicitly checking for
      ip_conntrack_untracked in ip_nat_fn().

      Signed-off-by: Harald Welte <laforge@netfilter.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  20. 21 Jun, 2005 1 commit
  21. 24 Apr, 2005 1 commit
    • [NETFILTER]: Fix NAT sequence number adjustment · e281e3ac
      Patrick McHardy authored

      The NAT changes in 2.6.11 changed the position where helpers
      are called and perform packet mangling. Before 2.6.11, a NAT
      helper was called before the packet was NATed and had its
      sequence number adjusted. Since 2.6.11, the helpers get packets
      with already adjusted sequence numbers.

      This breaks sequence number adjustment, adjust_tcp_sequence()
      needs the original sequence number to determine whether
      a packet was a retransmission and to store it for further
      corrections. It can't be reconstructed without more information
      than available, so this patch restores the old order by
      calling helpers from a new conntrack hook two priorities
      below ip_conntrack_confirm() and adjusting the sequence number
      from a new NAT hook one priority below ip_conntrack_confirm().

      Tracked down by Phil Oester <kernel@linuxace.com>

      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
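      The bookkeeping that the message says needs the original sequence number,
      as an added example that is neither kernel code nor part of this patch. It
      mirrors the correction-position / offset-before / offset-after scheme the
      NAT helper code uses, with the helper recording a mangle in the original
      sequence space and the seq/ack rewrite applied afterwards, which is the
      order the patch restores. struct nat_seq, nat_seq_init, record_mangle,
      adjust_seq, adjust_ack and nat_seq_selfcheck are names chosen here, seeding
      the correction point from an ISN is an assumption of this example, and the
      packet numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-direction state, assumed here to mirror the kernel's NAT helper
 * bookkeeping: where the last payload mangle happened (in the ORIGINAL
 * sequence space) and the cumulative length delta before/after that point. */
struct nat_seq {
    uint32_t correction_pos;
    int32_t  offset_before;
    int32_t  offset_after;
};

/* Wraparound-safe "a is after b" on 32-bit sequence numbers. */
static int seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* Assumption for this example: put the correction point one before the
 * initial sequence number so the first mangle is recorded even when the
 * ISN is close to 2^32. */
static void nat_seq_init(struct nat_seq *s, uint32_t isn)
{
    s->correction_pos = isn - 1;
    s->offset_before = 0;
    s->offset_after = 0;
}

/* A helper calls this with the packet's ORIGINAL sequence number after it
 * changed the payload length by `delta`. A packet at or before the current
 * correction point is a retransmission: its payload is re-mangled the same
 * way, but the record must not move. Returns 1 if the record was updated.
 * With an already adjusted seq this comparison is made against the wrong
 * number, which is the breakage the commit describes. */
static int record_mangle(struct nat_seq *s, uint32_t orig_seq, int32_t delta)
{
    if (!seq_after(orig_seq, s->correction_pos))
        return 0;
    s->offset_before  = s->offset_after;
    s->correction_pos = orig_seq;
    s->offset_after  += delta;
    return 1;
}

/* Rewrite the sequence number of a packet travelling in this direction. */
static uint32_t adjust_seq(const struct nat_seq *this_way, uint32_t seq)
{
    if (seq_after(seq, this_way->correction_pos))
        return seq + (uint32_t)this_way->offset_after;
    return seq + (uint32_t)this_way->offset_before;
}

/* Rewrite the ack number of a packet travelling the OTHER way: the peer
 * acknowledges mangled data, so the forward-path delta is subtracted. */
static uint32_t adjust_ack(const struct nat_seq *other_way, uint32_t ack)
{
    if (seq_after(ack - (uint32_t)other_way->offset_before,
                  other_way->correction_pos))
        return ack - (uint32_t)other_way->offset_after;
    return ack - (uint32_t)other_way->offset_before;
}

/* Walks a constructed scenario; returns 0 or the first failing check. */
static int nat_seq_selfcheck(void)
{
    struct nat_seq s;
    nat_seq_init(&s, 1000);                          /* constructed ISN */
    if (record_mangle(&s, 1000, 3) != 1) return 1;   /* packet at 1000 grows by 3 */
    if (adjust_seq(&s, 1000) != 1000) return 2;      /* the mangled packet itself */
    if (adjust_seq(&s, 1010) != 1013) return 3;      /* everything after it shifts */
    if (record_mangle(&s, 1000, 3) != 0) return 4;   /* retransmission: no new record */
    if (record_mangle(&s, 1010, 2) != 1) return 5;   /* packet at 1010 grows by 2 */
    if (s.correction_pos != 1010 || s.offset_before != 3 || s.offset_after != 5)
        return 6;
    if (adjust_seq(&s, 1010) != 1013) return 7;      /* retransmission of 1010 */
    if (adjust_seq(&s, 1020) != 1025) return 8;
    if (adjust_ack(&s, 1013) != 1010) return 9;      /* peer acks first mangled packet */
    if (adjust_ack(&s, 1025) != 1020) return 10;     /* peer acks past the second */
    return 0;
}

int main(void)
{
    printf("selfcheck: %d (0 = all checks passed)\n", nat_seq_selfcheck());
    return 0;
}
```

      Only one correction point is remembered, so a retransmission from before
      the previous mangle gets offset_before, which by then may be stale; that
      is a property of the two-offset scheme itself, not of the hook order this
      patch changes.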
  22. 16 Apr, 2005 1 commit
    • Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds authored

      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.

      Let it rip!