1. 20 January 2011, 1 commit
    • netfilter: xtables: connlimit revision 1 · cc4fc022
      Committed by Jan Engelhardt
      This adds destination address-based selection. The old "inverse"
      member is overloaded (memory-wise) with a new "flags" variable,
      similar to how J.Park did it with xt_string rev 1. Since revision 0
      userspace only sets flag 0x1, no great changes are made to explicitly
      test for different revisions.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  2. 19 January 2011, 1 commit
    • netfilter: nf_conntrack: nf_conntrack snmp helper · 93557f53
      Committed by Jiri Olsa
      Adding support for SNMP broadcast connection tracking. The SNMP
      broadcast requests are now paired with the SNMP responses.
      Thus allowing using SNMP broadcasts with firewall enabled.
      
      Please refer to the following conversation:
      http://marc.info/?l=netfilter-devel&m=125992205006600&w=2
      
      Patrick McHardy wrote:
      > > The best solution would be to add generic broadcast tracking, the
      > > use of expectations for this is a bit of abuse.
      > > The second best choice I guess would be to move the help() function
      > > to a shared module and generalize it so it can be used for both.
      This patch implements the "second best choice".
      
      Since the netbios-ns conntrack module uses the same helper
      functionality as the snmp, only one helper function is added
      for both snmp and netbios-ns modules into the new object -
      nf_conntrack_broadcast.
      Signed-off-by: Jiri Olsa <jolsa@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  3. 18 January 2011, 14 commits
  4. 17 January 2011, 2 commits
    • netfilter: create audit records for x_tables replaces · fbabf31e
      Committed by Thomas Graf
      The setsockopt() syscall to replace tables is already recorded
      in the audit logs. This patch stores additional information
      such as table name and netfilter protocol.
      
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: Thomas Graf <tgraf@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: audit target to record accepted/dropped packets · 43f393ca
      Committed by Thomas Graf
      This patch adds a new netfilter target which creates audit records
      for packets traversing a certain chain.
      
      It can be used to record packets which are rejected administratively
      as follows:
      
        -N AUDIT_DROP
        -A AUDIT_DROP -j AUDIT --type DROP
        -A AUDIT_DROP -j DROP
      
      a rule which would typically drop or reject a packet would then
      invoke the new chain to record packets before dropping them.
      
        -j AUDIT_DROP
      
      The module is protocol independent and works for iptables, ip6tables
      and ebtables.
      
      The following information is logged:
       - netfilter hook
       - packet length
       - incoming/outgoing interface
       - MAC src/dst/proto for ethernet packets
       - src/dst/protocol address for IPv4/IPv6
       - src/dst port for TCP/UDP/UDPLITE
       - icmp type/code
      
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: Thomas Graf <tgraf@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  5. 14 January 2011, 3 commits
  6. 13 January 2011, 19 commits