- 28 Jan, 2008 8 commits
-
-
Patrick McHardy authored
Eliminate a few lines over 80 characters by using a local variable to hold the conntrack direction instead of using CTINFO2DIR everywhere. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
Reduce the length of some overly long lines by renaming all "conntrack" variables to "ct". Signed-off-by:
-
Patrick McHardy authored
Use unsigned long instead of char for the bitmap and removed lots of casts. Signed-off-by:
-
Patrick McHardy authored
Reindent switch cases properly, get rid of weird constructs like "!(x == y)", put logical operations on the end of the line instead of the next line, get rid of superfluous braces. Signed-off-by:
-
Patrick McHardy authored
The TCP and SCTP conntrack state transition tables only holds small numbers, but gcc uses 4 byte per entry for the enum. Switching to an u8 reduces the size from 480 to 120 bytes for TCP and from 576 to 144 bytes for SCTP. Signed-off-by:
-
Patrick McHardy authored
Signed-off-by:
-
Jan Engelhardt authored
Parenthesize macro parameters. Signed-off-by:
Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by:
-
Pablo Neira Ayuso authored
This patch adds support for SCTP to ctnetlink. Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
-
- 18 Oct, 2007 1 commit
-
-
Eric W. Biederman authored
No one has bothered to set strategy routine for the the netfilter sysctls that return jiffies to be sysctl_jiffies. So it appears the sys_sysctl path is unused and untested, so this patch removes the binary sysctl numbers. Which fixes the netfilter oops in 2.6.23-rc2-mm2 for me. Signed-off-by:
Eric W. Biederman <ebiederm@xmission.com> Cc: Patrick McHardy <kaber@trash.net> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
-
- 14 Jul, 2007 1 commit
-
-
Patrick McHardy authored
Also remove two unnecessary EXPORT_SYMBOLs and move the nf_conntrack_l3proto_ipv4 declaration to the correct file. Signed-off-by:
-
- 11 Jul, 2007 1 commit
-
-
Patrick McHardy authored
When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by:
Chris Wright <chrisw@sous-sol.org> Signed-off-by:
-
- 10 Jul, 2007 1 commit
-
-
Patrick McHardy authored
Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements. Signed-off-by:
-
- 25 Apr, 2007 1 commit
-
-
Patrick McHardy authored
Signed-off-by:
-
- 14 Feb, 2007 1 commit
-
-
Tim Schmielau authored
After Al Viro (finally) succeeded in removing the sched.h #include in module.h recently, it makes sense again to remove other superfluous sched.h includes. There are quite a lot of files which include it but don't actually need anything defined in there. Presumably these includes were once needed for macros that used to live in sched.h, but moved to other header files in the course of cleaning it up. To ease the pain, this time I did not fiddle with any header files and only removed #includes from .c-files, which tend to cause less trouble. Compile tested against 2.6.20-rc2 and 2.6.20-rc2-mm2 (with offsets) on alpha, arm, i386, ia64, mips, powerpc, and x86_64 with allnoconfig, defconfig, allmodconfig, and allyesconfig as well as a few randconfigs on x86_64 and all configs in arch/arm/configs on arm. I also checked that no new warnings were introduced by the patch (actually, some warnings are removed that were emitted by unnecessarily included header files). Signed-off-by:
Tim Schmielau <tim@physik3.uni-rostock.de> Acked-by:
Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by:
-
- 12 Feb, 2007 1 commit
-
-
YOSHIFUJI Hideaki authored
Signed-off-by:
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by:
-
- 02 Dec, 2006 6 commits
-
-
Patrick McHardy authored
Signed-off-by:
-
Patrick McHardy authored
Resync with Al Viro's ip_conntrack annotations and fix a missed spot in ip_nat_proto_icmp.c. Signed-off-by:
-
Patrick McHardy authored
This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: -
Patrick McHardy authored
Signed-off-by: -
Martin Josefsson authored
Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets rather confusing with 'nf_conntrack_protocol'. Signed-off-by:
Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by:
-
Martin Josefsson authored
This patch splits out the event cache into its own file nf_conntrack_ecache.c Signed-off-by:
-
- 22 Sep, 2006 1 commit
-
-
Brian Haley authored
Change some netfilter tunables to __read_mostly. Also fixed some incorrect file reference comments while I was in there. (this will be my last __read_mostly patch unless someone points out something else that needs it) Signed-off-by:
Brian Haley <brian.haley@hp.com> Acked-by:
-
- 30 Jun, 2006 1 commit
-
-
Patrick McHardy authored
When a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out of bounds value that is used to look up an pointer from the array of timeouts, which is then dereferenced, resulting in a crash. Make sure at least a single chunk is present. Problem noticed by George A. Theall <theall@tenablesecurity.com> Signed-off-by:
-
- 29 Jun, 2006 1 commit
-
-
Yasuyuki Kozakai authored
CC net/netfilter/nf_conntrack_proto_sctp.o net/netfilter/nf_conntrack_proto_sctp.c: In function `sctp_print_conntrack': net/netfilter/nf_conntrack_proto_sctp.c:206: warning: implicit declaration of function `local_bh_disable' net/netfilter/nf_conntrack_proto_sctp.c:208: warning: implicit declaration of function `local_bh_enable' CC net/netfilter/nf_conntrack_netlink.o net/netfilter/nf_conntrack_netlink.c: In function `ctnetlink_dump_table': net/netfilter/nf_conntrack_netlink.c:429: warning: implicit declaration of function `local_bh_disable' net/netfilter/nf_conntrack_netlink.c:452: warning: implicit declaration of function `local_bh_enable' Spotted by Toralf Förster Signed-off-by:
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by:
-
- 02 May, 2006 1 commit
-
-
Patrick McHardy authored
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to guarantee progress of for_each_sctp_chunk(). (all other uses of for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix should be complete.) Based on patch from Ingo Molnar <mingo@elte.hu> CVE-2006-1527 Signed-off-by:
Linus Torvalds <torvalds@osdl.org>
-
- 28 Mar, 2006 1 commit
-
-
Andrew Morton authored
Every netfilter module uses `init' for its module_init() function and `fini' or `cleanup' for its module_exit() function. Problem is, this creates uninformative initcall_debug output and makes ctags rather useless. So go through and rename them all to $(filename)_init and $(filename)_fini. Signed-off-by:
Andrew Morton <akpm@osdl.org> Signed-off-by:
-
- 10 Jan, 2006 1 commit
-
-
Patrick McHardy authored
The connection tracking timeout variables are unsigned long, but proc_dointvec_jiffies is used with sizeof(unsigned int) in the sysctl tables. Since there is no proc_doulongvec_jiffies function, change the timeout variables to unsigned int. Signed-off-by:
-
- 09 Nov, 2005 1 commit
-
-
Yasuyuki Kozakai authored
The existing connection tracking subsystem in netfilter can only handle ipv4. There were basically two choices present to add connection tracking support for ipv6. We could either duplicate all of the ipv4 connection tracking code into an ipv6 counterpart, or (the choice taken by these patches) we could design a generic layer that could handle both ipv4 and ipv6 and thus requiring only one sub-protocol (TCP, UDP, etc.) connection tracking helper module to be written. In fact nf_conntrack is capable of working with any layer 3 protocol. The existing ipv4 specific conntrack code could also not deal with the pecularities of doing connection tracking on ipv6, which is also cured here. For example, these issues include: 1) ICMPv6 handling, which is used for neighbour discovery in ipv6 thus some messages such as these should not participate in connection tracking since effectively they are like ARP messages 2) fragmentation must be handled differently in ipv6, because the simplistic "defrag, connection track and NAT, refrag" (which the existing ipv4 connection tracking does) approach simply isn't feasible in ipv6 3) ipv6 extension header parsing must occur at the correct spots before and after connection tracking decisions, and there were no provisions for this in the existing connection tracking design 4) ipv6 has no need for stateful NAT The ipv4 specific conntrack layer is kept around, until all of the ipv4 specific conntrack helpers are ported over to nf_conntrack and it is feature complete. Once that occurs, the old conntrack stuff will get placed into the feature-removal-schedule and we will fully kill it off 6 months later. Signed-off-by:
Harald Welte <laforge@netfilter.org> Signed-off-by:
Arnaldo Carvalho de Melo <acme@mandriva.com>
-
- 24 Sep, 2005 1 commit
-
-
Harald Welte authored
The GRE, SCTP and TCP protocol helpers did not call ip_conntrack_event_cache() when updating ct->status. This patch adds the respective calls. Signed-off-by:
-
- 29 Aug, 2005 2 commits
-
-
Harald Welte authored
Add ctnetlink subsystem for userspace-access to ip_conntrack table. This allows reading and updating of existing entries, as well as creating new ones (and new expect's) via nfnetlink. Please note the 'strange' byte order: nfattr (tag+length) are in host byte order, while the payload is always guaranteed to be in network byte order. This allows a simple userspace process to encapsulate netlink messages into arch-independent udp packets by just processing/swapping the headers and not knowing anything about the actual payload. Signed-off-by:
-
Harald Welte authored
This adds a notifier chain based event mechanism for ip_conntrack state changes. As opposed to the previous implementations in patch-o-matic, we do no longer need a field in the skb to achieve this. Thanks to the valuable input from Patrick McHardy and Rusty on the idea of a per_cpu implementation. Signed-off-by:
-
- 21 Jun, 2005 1 commit
-
-
Patrick McHardy authored
Signed-off-by:
-
- 16 Apr, 2005 1 commit
-
-
Linus Torvalds authored
Initial git repository build. I'm not bothering with the full history, even though we have it. We can create a separate "historical" git archive of that later if we want to, and in the meantime it's about 3.2GB when imported into git - space that would just make the early git days unnecessarily complicated, when we don't have a lot of good infrastructure for it. Let it rip!
-
