linux/include/net/netfilter, branch v2.6.28

netfilter: ctnetlink: remove bogus module dependency between ctnetlink and nf_nat

2008-10-14T18:58:31Z

This patch removes the module dependency between ctnetlink and nf_nat by means of an indirect call that is initialized when nf_nat is loaded. Now, nf_conntrack_netlink only requires nf_conntrack and nfnetlink. This patch puts nfnetlink_parse_nat_setup_hook into the nf_conntrack_core to avoid dependencies between ctnetlink, nf_conntrack_ipv4 and nf_conntrack_ipv6. This patch also introduces the function ctnetlink_change_nat that is only invoked from the creation path. Actually, the nat handling cannot be invoked from the update path since this is not allowed. By introducing this function, we remove the useless nat handling in the update path and we avoid deadlock-prone code. This patch also adds the required EAGAIN logic for nfnetlink. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

net: fix dummy 'nf_conntrack_event_cache()'

2008-10-11T16:46:24Z

The dummy version of 'nf_conntrack_event_cache()' (used when the NF_CONNTRACK_EVENTS config option is not enabled) had not been updated when the calling convention changed. This was introduced by commit a71996fccce4b2086a26036aa3c915365ca36926 ("netfilter: netns nf_conntrack: pass conntrack to nf_conntrack_event_cache() not skb") Tssk. Cc: Alexey Dobriyan Cc: Patrick McHardy Cc: David Miller Signed-off-by: Linus Torvalds

nf_conntrack_ecache.h: Fix missing braces

2008-10-10T04:10:36Z

This patch add missing braces of today's net-next-2.6: include/net/netfilter/nf_conntrack_ecache.h Signed-off-by: Guo-Fu Tseng Signed-off-by: David S. Miller

netfilter: iptables tproxy core

2008-10-08T09:35:12Z

The iptables tproxy core is a module that contains the common routines used by various tproxy related modules (TPROXY target and socket match) Signed-off-by: KOVACS Krisztian Signed-off-by: Patrick McHardy

netfilter: split netfilter IPv4 defragmentation into a separate module

2008-10-08T09:35:12Z

Netfilter connection tracking requires all IPv4 packets to be defragmented. Both the socket match and the TPROXY target depend on this functionality, so this patch separates the Netfilter IPv4 defrag hooks into a separate module. Signed-off-by: KOVACS Krisztian Signed-off-by: Patrick McHardy

netfilter: netns nf_conntrack: per-netns conntrack accounting

2008-10-08T09:35:09Z

Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy

netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_log_invalid sysctl

2008-10-08T09:35:08Z

Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy

netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_checksum sysctl

2008-10-08T09:35:08Z

Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy

netfilter: netns nf_conntrack: per-netns statistics

2008-10-08T09:35:07Z

Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy

netfilter: netns nf_conntrack: per-netns event cache

2008-10-08T09:35:07Z

Heh, last minute proof-reading of this patch made me think, that this is actually unneeded, simply because "ct" pointers will be different for different conntracks in different netns, just like they are different in one netns. Not so sure anymore. [Patrick: pointers will be different, flushing can only be done while inactive though and thus it needs to be per netns] Signed-off-by: Alexey Dobriyan Signed-off-by: Patrick McHardy