Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v2.6.16 2006-02-15T23:10:22Z 2006-02-15T23:10:22Z Patrick McHardy kaber@trash.net 2006-02-15T23:10:22Z urn:sha1:48d5cad87c3a4998d0bda16ccfb5c60dfe4de5fb When a packet matching an IPsec policy is SNATed so it doesn't match any policy anymore it looses its xfrm bundle, which makes xfrm4_output_finish crash because of a NULL pointer dereference. This patch directs these packets to the original output path instead. Since the packets have already passed the POST_ROUTING hook, but need to start at the beginning of the original output path which includes another POST_ROUTING invocation, a flag is added to the IPCB to indicate that the packet was rerouted and doesn't need to pass the POST_ROUTING hook again. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-01-07T21:23:39Z Adrian Bunk bunk@stusta.de 2006-01-07T21:23:39Z urn:sha1:97dc627fb3471664c72d0933790a90ba3f91e131 Since there's no longer any external user of ip_fragment() we can make it static. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-01-07T20:57:33Z Patrick McHardy kaber@trash.net 2006-01-07T07:04:54Z urn:sha1:3e3850e989c5d2eb1aab6f0fd9257759f0f4cbc6 ip_route_me_harder doesn't use the port numbers of the xfrm lookup and uses ip_route_input for non-local addresses which doesn't do a xfrm lookup, ip6_route_me_harder doesn't do a xfrm lookup at all. Use xfrm_decode_session and do the lookup manually, make sure both only do the lookup if the packet hasn't been transformed already. Makeing sure the lookup only happens once needs a new field in the IP6CB, which exceeds the size of skb->cb. The size of skb->cb is increased to 48b. Apparently the IPv6 mobile extensions need some more room anyway. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-01-07T20:57:32Z Patrick McHardy kaber@trash.net 2006-01-07T07:04:01Z urn:sha1:8cdfab8a43bb4b3da686ea503a702cb6f9f6a803 Reset IPSKB_XFRM_TUNNEL_SIZE flags in ipip and ip_gre hard_start_xmit function before the packet reenters IP. This is neccessary so the encapsulated packets are checked not to be oversized in xfrm4_output.c again. Reset all flags in sit when a packet changes its address family. Also remove some obsolete IPSKB flags. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-01-05T20:20:59Z Patrick McHardy kaber@trash.net 2006-01-05T20:20:59Z urn:sha1:1bd9bef6f9fe06dd0c628ac877c85b6b36aca062 Call POST_ROUTING hook before fragmentation to get rid of the okfn use in ip_refrag and save the useless fragmentation/defragmentation step when NAT is used. The patch introduces one user-visible change, the POSTROUTING chain in the mangle table gets entire packets, not fragments, which should simplify use of the MARK and CLASSIFY targets for queueing as a nice side-effect. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-01-03T21:11:21Z Arnaldo Carvalho de Melo acme@mandriva.com 2005-12-27T04:43:12Z urn:sha1:14c850212ed8f8cbb5972ad6b8812e08a0bc901c To help in reducing the number of include dependencies, several files were touched as they were getting needed headers indirectly for stuff they use. Thanks also to Alan Menegotto for pointing out that net/dccp/proto.c had linux/dccp.h include twice. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-01-03T21:10:31Z Herbert Xu herbert@gondor.apana.org.au 2005-12-14T07:14:27Z urn:sha1:89cee8b1cbb9dac40c92ef1968aea2b45f82fd18 Another spin of Herbert Xu's "safer ip reassembly" patch for 2.6.16. (The original patch is here: http://marc.theaimsgroup.com/?l=linux-netdev&m=112281936522415&w=2 and my only contribution is to have tested it.) This patch (optionally) does additional checks before accepting IP fragments, which can greatly reduce the possibility of reassembling fragments which originated from different IP datagrams. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Arthur Kepner <akepner@sgi.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2005-08-29T23:01:39Z Arnaldo Carvalho de Melo acme@mandriva.com 2005-08-16T22:46:48Z urn:sha1:4c6ea29d82e0d1b9b37e6b879e0a7fd6c409333d This variant is needed to satisfy sparse __user annotations. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2005-08-29T23:01:32Z Arnaldo Carvalho de Melo acme@mandriva.com 2005-08-16T05:18:02Z urn:sha1:20380731bc2897f2952ae055420972ded4cd786e Of this type, mostly: CHECK net/ipv6/netfilter.c net/ipv6/netfilter.c:96:12: warning: symbol 'ipv6_netfilter_init' was not declared. Should it be static? net/ipv6/netfilter.c:101:6: warning: symbol 'ipv6_netfilter_fini' was not declared. Should it be static? Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2005-08-29T22:33:20Z Adrian Bunk bunk@stusta.de 2005-08-10T02:35:47Z urn:sha1:0742fd53a3774781255bd1e471e7aa2e4a82d5f7 This patch contains the following possible cleanups: - make needlessly global code static - #if 0 the following unused global function: - xfrm4_state.c: xfrm4_state_fini - remove the following unneeded EXPORT_SYMBOL's: - ip_output.c: ip_finish_output - ip_output.c: sysctl_ip_default_ttl - fib_frontend.c: ip_dev_find - inetpeer.c: inet_peer_idlock - ip_options.c: ip_options_compile - ip_options.c: ip_options_undo - net/core/request_sock.c: sysctl_max_syn_backlog Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>