You need to sign in or sign up before continuing.
- 15 11月, 2005 2 次提交
-
-
由 Harald Welte 提交于
This patch unconditionally requires CAP_NET_ADMIN for all nfnetlink messages. It also removes the per-message cap_required field, since all existing subsystems use CAP_NET_ADMIN for all their messages anyway. Patrick McHardy owes me a beer if we ever need to re-introduce this. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 KOVACS Krisztian 提交于
Looks like the nf_conntrack TCP code was slightly mismerged: it does not contain an else branch present in the IPv4 version. Let's add that code and make the testsuite happy. Signed-off-by: NKOVACS Krisztian <hidden@balabit.hu> Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 13 11月, 2005 1 次提交
-
-
由 Vlad Drukker 提交于
Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware 3.0.0.4) initiates TCP with SYN and PUSH flags set. The Linux TCP/IP stack deals fine with that, but the connection tracking code doesn't. This patch alters TCP connection tracking to accept SYN+PUSH as a valid flag combination. Signed-off-by: NVlad Drukker <vlad@storewiz.com> Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 10 11月, 2005 3 次提交
-
-
由 Yasuyuki Kozakai 提交于
The existing connection tracking subsystem in netfilter can only handle ipv4. There were basically two choices present to add connection tracking support for ipv6. We could either duplicate all of the ipv4 connection tracking code into an ipv6 counterpart, or (the choice taken by these patches) we could design a generic layer that could handle both ipv4 and ipv6 and thus requiring only one sub-protocol (TCP, UDP, etc.) connection tracking helper module to be written. In fact nf_conntrack is capable of working with any layer 3 protocol. The existing ipv4 specific conntrack code could also not deal with the pecularities of doing connection tracking on ipv6, which is also cured here. For example, these issues include: 1) ICMPv6 handling, which is used for neighbour discovery in ipv6 thus some messages such as these should not participate in connection tracking since effectively they are like ARP messages 2) fragmentation must be handled differently in ipv6, because the simplistic "defrag, connection track and NAT, refrag" (which the existing ipv4 connection tracking does) approach simply isn't feasible in ipv6 3) ipv6 extension header parsing must occur at the correct spots before and after connection tracking decisions, and there were no provisions for this in the existing connection tracking design 4) ipv6 has no need for stateful NAT The ipv4 specific conntrack layer is kept around, until all of the ipv4 specific conntrack helpers are ported over to nf_conntrack and it is feature complete. Once that occurs, the old conntrack stuff will get placed into the feature-removal-schedule and we will fully kill it off 6 months later. Signed-off-by: NYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NArnaldo Carvalho de Melo <acme@mandriva.com>
-
由 Harald Welte 提交于
Without this patch, any user can cause nfnetlink subsystems to be autoloaded. Those subsystems however could add significant processing overhead to packet processing, and would refuse any configuration messages from non-CAP_NET_ADMIN processes anyway. This patch follows a suggestion from Patrick McHardy. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
nfattr_parse (and thus nfattr_parse_nested) always returns success. So we can make them 'void' and remove all the checking at the caller side. Based on original patch by Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 06 11月, 2005 2 次提交
-
-
由 Harald Welte 提交于
With the new nf_queue generalization in 2.6.14, we've introduced a bug that causes an oops as soon as a packet is queued but no queue handler registered. This patch fixes it. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NArnaldo Carvalho de Melo <acme@mandriva.com>
-
由 Harald Welte 提交于
These is a cleanup patch, kzalloc can be used in a couple of cases Signed-off-by: NSamir Bellabes <sbellabes@mandriva.com> Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NArnaldo Carvalho de Melo <acme@mandriva.com>
-
- 11 10月, 2005 1 次提交
-
-
由 Harald Welte 提交于
As Henrik Nordstrom pointed out, all our efforts with "split endian" (i.e. host byte order tags, net byte order values) are useless, unless a parser can determine whether an attribute is nested or not. This patch steals the highest bit of nfattr.nfa_type to indicate whether the data payload contains a nested nfattr (1) or not (0). This will break userspace compatibility, but luckily no kernel with nfnetlink was released so far. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 09 10月, 2005 1 次提交
-
-
由 Al Viro 提交于
- added typedef unsigned int __nocast gfp_t; - replaced __nocast uses for gfp flags with gfp_t - it gives exactly the same warnings as far as sparse is concerned, doesn't change generated code (from gcc point of view we replaced unsigned int with typedef) and documents what's going on far better. Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
-
- 05 10月, 2005 1 次提交
-
-
由 Randy Dunlap 提交于
Fix implicit nocast warnings in nfnetlink code: net/netfilter/nfnetlink.c:204:43: warning: implicit cast to nocast type Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 04 10月, 2005 1 次提交
-
-
由 Herbert Xu 提交于
I've found the problem in general. It affects any 64-bit architecture. The problem occurs when you change the system time. Suppose that when you boot your system clock is forward by a day. This gets recorded down in skb_tv_base. You then wind the clock back by a day. From that point onwards the offset will be negative which essentially overflows the 32-bit variables they're stored in. In fact, why don't we just store the real time stamp in those 32-bit variables? After all, we're not going to overflow for quite a while yet. When we do overflow, we'll need a better solution of course. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 07 9月, 2005 1 次提交
-
-
由 Patrick McHardy 提交于
Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 06 9月, 2005 2 次提交
-
-
由 Harald Welte 提交于
htonll() is nothing else than cpu_to_be64(), so we'd rather call the latter. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Adrian Bunk 提交于
This patch makes needlessly global functions static. Signed-off-by: NAdrian Bunk <bunk@stusta.de> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 30 8月, 2005 19 次提交
-
-
由 Patrick McHardy 提交于
Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Patrick McHardy 提交于
Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Patrick McHardy 提交于
Reduces skb size by 8 bytes on 64-bit. Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
Check whether pf is too large in order to prevent array overflow. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
This adds EEXIST to distinguish between the following return values: 0: nobody was registered, registration successful EEXIST: the exact same handler was already registered, no registration required EBUSY: somebody else is registered, registration unsuccessful. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
This patch adds a /proc/net/netfilter/nf_queue file, similar to the recently-added /proc/net/netfilter/nf_log. It indicates which queue handler is registered to which protocol family. This is useful since there are now multiple queue handlers in the treee (ip[6]_queue, nfnetlink_queue). Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
This patch adds support for passing the real 'physical' device ifindex down to userspace via nfnetlink_log and nfnetlink_queue. This feature basically obsoletes net/bridge/netfilter/ebt_ulog.c, and it is likely ebt_ulog.c will die with one of the next couple of patches. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
This patch doesn't introduce any code changes, but merely splits the core netfilter code into four separate files. It also moves it from it's old location in net/core/ to the recently-created net/netfilter/ directory. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
This patch adds the MODULE_ALIAS required for netnlink autoloading of nfnetlink_log. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
1) memset return parameter 'cda' (nfattr pointer array) only on success 2) a message without attributes and just a 'struct nfgenmsg' is valid, don't return -EINVAL 3) use likely() and unlikely() where apropriate Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
Prior to this patch, every nfnetlink subsystem had to specify it's attribute count. However, in reality the attribute count depends on the message type within the subsystem, not the subsystem itself. This patch moves 'attr_count' from 'struct nfnetlink_subsys' into nfnl_callback to fix this. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
This is a generic (layer3 independent) version of what ipt_ULOG is already doing for IPv4 today. ipt_ULOG, ebt_ulog and finally also ip[6]t_LOG will be deprecated by this mechanism in the long term. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
- Add new nfnetlink_queue module - Add new ipt_NFQUEUE and ip6t_NFQUEUE modules to access queue numbers 1-65535 - Mark ip_queue and ip6_queue Kconfig options as OBSOLETE - Update feature-removal-schedule to remove ip[6]_queue in December Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
- split netfiler verdict in 16bit verdict and 16bit queue number - add 'queuenum' argument to nf_queue_outfn_t and its users ip[6]_queue - move NFNL_SUBSYS_ definitions from enum to #define - introduce autoloading for nfnetlink subsystem modules - add MODULE_ALIAS_NFNL_SUBSYS macro - add nf_unregister_queue_handlers() to register all handlers for a given nf_queue_outfn_t - add more verbose DEBUGP macro definition to nfnetlink.c - make nfnetlink_subsys_register fail if subsys already exists - add some more comments and debug statements to nfnetlink.c Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
- Remove bogus code for compiling netlink as module - Add module refcounting support for modules implementing a netlink protocol - Add support for autoloading modules that implement a netlink protocol as soon as someone opens a socket for that protocol Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
Add ctnetlink subsystem for userspace-access to ip_conntrack table. This allows reading and updating of existing entries, as well as creating new ones (and new expect's) via nfnetlink. Please note the 'strange' byte order: nfattr (tag+length) are in host byte order, while the payload is always guaranteed to be in network byte order. This allows a simple userspace process to encapsulate netlink messages into arch-independent udp packets by just processing/swapping the headers and not knowing anything about the actual payload. Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Harald Welte 提交于
Introduce "nfnetlink" (netfilter netlink) layer. This layer is used as transport layer for all userspace communication of the new upcoming netfilter subsystems, such as ctnetlink, nfnetlink_queue and some day even the mythical pkttables ;) Signed-off-by: NHarald Welte <laforge@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-