linux/include/net/netfilter, branch v2.6.30 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v2.6.30 2009-04-16T16:33:01Z netfilter: nf_nat: add support for persistent mappings 2009-04-16T16:33:01Z Patrick McHardy kaber@trash.net 2009-04-16T16:33:01Z urn:sha1:98d500d66cb7940747b424b245fc6a51ecfbf005 The removal of the SAME target accidentally removed one feature that is not available from the normal NAT targets so far, having multi-range mappings that use the same mapping for each connection from a single client. The current behaviour is to choose the address from the range based on source and destination IP, which breaks when communicating with sites having multiple addresses that require all connections to originate from the same IP address. Introduce a IP_NAT_RANGE_PERSISTENT option that controls whether the destination address is taken into account for selecting addresses. http://bugzilla.kernel.org/show_bug.cgi?id=12954 Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: ctnetlink: fix regression in expectation handling 2009-04-06T15:47:20Z Pablo Neira Ayuso pablo@netfilter.org 2009-04-06T15:47:20Z urn:sha1:83731671d9e6878c0a05d309c68fb71c16d3235a This patch fixes a regression (introduced by myself in commit 19abb7b: netfilter: ctnetlink: deliver events for conntracks changed from userspace) that results in an expectation re-insertion since __nf_ct_expect_check() may return 0 for expectation timer refreshing. This patch also removes a unnecessary refcount bump that pretended to avoid a possible race condition with event delivery and expectation timers (as said, not needed since we hold a reference to the object since until we finish the expectation setup). This also merges nf_ct_expect_related_report() and nf_ct_expect_related() which look basically the same. Reported-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-27T05:45:23Z David S. Miller davem@davemloft.net 2009-03-27T05:45:23Z urn:sha1:01e6de64d9c8d0e75dca3bb4cf898db73abe00d4 netfilter: nf_conntrack: add generic function to get len of generic policy 2009-03-25T20:52:17Z Holger Eitzenberger holger@eitzenberger.org 2009-03-25T20:52:17Z urn:sha1:5c0de29d06318ec8f6e3ba0d17d62529dbbdc1e8 Usefull for all protocols which do not add additional data, such as GRE or UDPlite. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu() 2009-03-25T20:05:46Z Eric Dumazet dada1@cosmosbay.com 2009-03-25T20:05:46Z urn:sha1:ea781f197d6a835cbb93a0bf88ee1696296ed8aa Use "hlist_nulls" infrastructure we added in 2.6.29 for RCUification of UDP & TCP. This permits an easy conversion from call_rcu() based hash lists to a SLAB_DESTROY_BY_RCU one. Avoiding call_rcu() delay at nf_conn freeing time has numerous gains. First, it doesnt fill RCU queues (up to 10000 elements per cpu). This reduces OOM possibility, if queued elements are not taken into account This reduces latency problems when RCU queue size hits hilimit and triggers emergency mode. - It allows fast reuse of just freed elements, permitting better use of CPU cache. - We delete rcu_head from "struct nf_conn", shrinking size of this structure by 8 or 16 bytes. This patch only takes care of "struct nf_conn". call_rcu() is still used for less critical conntrack parts, that may be converted later if necessary. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: limit the length of the helper name 2009-03-25T17:44:01Z Holger Eitzenberger holger@eitzenberger.org 2009-03-25T17:44:01Z urn:sha1:af9d32ad6718b9a80fa89f557cc1fbb63a93ec15 This is necessary in order to have an upper bound for Netlink message calculation, which is not a problem at all, as there are no helpers with a longer name. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: ctnetlink: add callbacks to the per-proto nlattrs 2009-03-25T17:24:48Z Holger Eitzenberger holger@eitzenberger.org 2009-03-25T17:24:48Z urn:sha1:d0dba7255b541f1651a88e75ebdb20dd45509c2f There is added a single callback for the l3 proto helper. The two callbacks for the l4 protos are necessary because of the general structure of a ctnetlink event, which is in short: CTA_TUPLE_ORIG <l3/l4-proto-attributes> CTA_TUPLE_REPLY <l3/l4-proto-attributes> CTA_ID ... CTA_PROTOINFO <l4-proto-attributes> CTA_TUPLE_MASTER <l3/l4-proto-attributes> Therefore the formular is size := sizeof(generic-nlas) + 3 * sizeof(tuple_nlas) + sizeof(protoinfo_nlas) Some of the NLAs are optional, e. g. CTA_TUPLE_MASTER, which is only set if it's an expected connection. But the number of optional NLAs is small enough to prevent netlink_trim() from reallocating if calculated properly. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2009-03-24T20:24:36Z David S. Miller davem@davemloft.net 2009-03-24T20:24:36Z urn:sha1:b5bb14386eabcb4229ade2bc0a2b237ca166d37d netfilter: remove nf_ct_l4proto_find_get/nf_ct_l4proto_put 2009-03-18T16:30:50Z Florian Westphal fw@strlen.de 2009-03-18T16:30:50Z urn:sha1:711d60a9e7f88e394ccca10f5fc83f95f0cea5b1 users have been moved to __nf_ct_l4proto_find. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net> netfilter: remove IPvX specific parts from nf_conntrack_l4proto.h 2009-03-16T14:15:35Z Christoph Paasch christoph.paasch@gmail.com 2009-03-16T14:15:35Z urn:sha1:9d2493f88f846b391a15a736efc7f4b97d6c4046 Moving the structure definitions to the corresponding IPvX specific header files. Signed-off-by: Patrick McHardy <kaber@trash.net>