linux-stable.git/include/linux/netfilter.h, branch linux-2.6.17.y Linux kernel stable tree [NETFILTER]: Add address family specific checksum helpers 2006-04-10T05:25:41+00:00 Patrick McHardy kaber@trash.net 2006-04-06T21:18:43+00:00 422c346fad806e2abaeffac686860ebc98dfe33e Add checksum operation which takes care of verifying the checksum and dealing with HW checksum errors and avoids multiple checksum operations by setting ip_summed to CHECKSUM_UNNECESSARY after successful verification. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add checksum operation which takes care of verifying the checksum and
dealing with HW checksum errors and avoids multiple checksum
operations by setting ip_summed to CHECKSUM_UNNECESSARY after
successful verification.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Introduce infrastructure for address family specific operations 2006-04-10T05:25:40+00:00 Patrick McHardy kaber@trash.net 2006-04-06T21:18:09+00:00 bce8032ef3cc58170ab3550e9e271dba7b4c4764 Change the queue rerouter intrastructure to a generic usable infrastructure for address family specific operations as a base for some cleanups. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Change the queue rerouter intrastructure to a generic usable
infrastructure for address family specific operations as a base for
some cleanups.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Add helper functions for mass hook registration/unregistration 2006-04-10T05:25:32+00:00 Patrick McHardy kaber@trash.net 2006-04-06T21:09:12+00:00 972d1cb1427946f4980240363aac4e73fb375290 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: {get|set}sockopt compatibility layer 2006-03-21T06:45:21+00:00 Dmitry Mishin dim@openvz.org 2006-03-21T06:45:21+00:00 3fdadf7d27e3fbcf72930941884387d1f4936f04 This patch extends {get|set}sockopt compatibility layer in order to move protocol specific parts to their place and avoid huge universal net/compat.c file in the future. Signed-off-by: Dmitry Mishin <dim@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch extends {get|set}sockopt compatibility layer in order to
move protocol specific parts to their place and avoid huge universal
net/compat.c file in the future.

Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Don't invoke okfn in CONFIG_NETFILTER=n variant of nf_hook() 2006-02-15T23:18:19+00:00 Patrick McHardy kaber@trash.net 2006-02-15T23:18:19+00:00 9c92d3486434e7310cb288587953e2dae4a79701 nf_hook() is supposed to call the netfilter hook and return control of the packet back to the caller in case it may pass, the okfn is only used for queueing. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
nf_hook() is supposed to call the netfilter hook and return control of the
packet back to the caller in case it may pass, the okfn is only used for
queueing.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: Fix SNAT-related crash in xfrm4_output_finish 2006-02-15T23:10:22+00:00 Patrick McHardy kaber@trash.net 2006-02-15T23:10:22+00:00 48d5cad87c3a4998d0bda16ccfb5c60dfe4de5fb When a packet matching an IPsec policy is SNATed so it doesn't match any policy anymore it looses its xfrm bundle, which makes xfrm4_output_finish crash because of a NULL pointer dereference. This patch directs these packets to the original output path instead. Since the packets have already passed the POST_ROUTING hook, but need to start at the beginning of the original output path which includes another POST_ROUTING invocation, a flag is added to the IPCB to indicate that the packet was rerouted and doesn't need to pass the POST_ROUTING hook again. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
When a packet matching an IPsec policy is SNATed so it doesn't match any
policy anymore it looses its xfrm bundle, which makes xfrm4_output_finish
crash because of a NULL pointer dereference.

This patch directs these packets to the original output path instead. Since
the packets have already passed the POST_ROUTING hook, but need to start at
the beginning of the original output path which includes another
POST_ROUTING invocation, a flag is added to the IPCB to indicate that the
packet was rerouted and doesn't need to pass the POST_ROUTING hook again.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Add dummy nf_hook{_thresh}() when NETFILTER is disabled. 2006-01-07T20:57:42+00:00 David S. Miller davem@sunset.davemloft.net 2006-01-07T20:50:27+00:00 f53b61d8c385140fe7f09e0c9187ae813ee9f330 Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Handle NAT in IPsec policy checks 2006-01-07T20:57:37+00:00 Patrick McHardy kaber@trash.net 2006-01-07T07:06:30+00:00 eb9c7ebe6980c41cf6ae889e301c3b49f473ee9f Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi of the original packet from the conntrack information for IPsec policy checks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi
of the original packet from the conntrack information for IPsec policy
checks.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: Netfilter IPsec output hooks 2006-01-07T20:57:28+00:00 Patrick McHardy kaber@trash.net 2006-01-07T07:01:48+00:00 16a6677fdf1d1194f688f8291b06fbaff248c353 Call netfilter hooks before IPsec transforms. Packets visit the FORWARD/LOCAL_OUT and POST_ROUTING hook before the first encapsulation and the LOCAL_OUT and POST_ROUTING hook before each following tunnel mode transform. Patch from Herbert Xu <herbert@gondor.apana.org.au>: Move the loop from dst_output into xfrm4_output/xfrm6_output since they're the only ones who need to it. xfrm{4,6}_output_one() processes the first SA all subsequent transport mode SAs and is called in a loop that calls the netfilter hooks between each two calls. In order to avoid the tail call issue, I've added the inline function nf_hook which is nf_hook_slow plus the empty list check. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Call netfilter hooks before IPsec transforms. Packets visit the
FORWARD/LOCAL_OUT and POST_ROUTING hook before the first encapsulation
and the LOCAL_OUT and POST_ROUTING hook before each following tunnel mode
transform.

Patch from Herbert Xu <herbert@gondor.apana.org.au>:

Move the loop from dst_output into xfrm4_output/xfrm6_output since they're
the only ones who need to it. xfrm{4,6}_output_one() processes the first SA
all subsequent transport mode SAs and is called in a loop that calls the
netfilter hooks between each two calls.

In order to avoid the tail call issue, I've added the inline function
nf_hook which is nf_hook_slow plus the empty list check.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Fix gcc-3.4.x warning about iplicit operator precedence 2005-08-29T22:57:14+00:00 Harald Welte laforge@netfilter.org 2005-08-12T18:36:44+00:00 b766b305d3f2d8be173e5d9853534ea1afdbabba Fix gcc-3.4.x warning about iplicit operator precedence in NF_QUEUE_NR() Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix gcc-3.4.x warning about iplicit operator precedence in NF_QUEUE_NR()

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>