linux-stable.git/include/linux/netfilter, branch linux-2.6.14.y Linux kernel stable tree [NETFILTER]: Use only 32bit counters for CONNTRACK_ACCT 2005-10-11T04:21:10+00:00 Harald Welte laforge@netfilter.org 2005-10-11T04:21:10+00:00 a051a8f7306476af0a74370ad56e793cb6c43bf7 Initially we used 64bit counters for conntrack-based accounting, since we had no event mechanism to tell userspace that our counters are about to overflow. With nfnetlink_conntrack, we now have such a event mechanism and thus can save 16bytes per connection. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Initially we used 64bit counters for conntrack-based accounting, since we
had no event mechanism to tell userspace that our counters are about to
overflow.  With nfnetlink_conntrack, we now have such a event mechanism and
thus can save 16bytes per connection.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] ctnetlink: add one nesting level for TCP state 2005-10-11T03:55:49+00:00 Pablo Neira Ayuso pablo@netfilter.org 2005-10-11T03:55:49+00:00 e1c73b78e3706bd3c336d4730a01dd4081dfb7ee To keep consistency, the TCP private protocol information is nested attributes under CTA_PROTOINFO_TCP. This way the sequence of attributes to access the TCP state information looks like here below: CTA_PROTOINFO CTA_PROTOINFO_TCP CTA_PROTOINFO_TCP_STATE instead of: CTA_PROTOINFO CTA_PROTOINFO_TCP_STATE Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
To keep consistency, the TCP private protocol information is nested
attributes under CTA_PROTOINFO_TCP. This way the sequence of attributes to
access the TCP state information looks like here below:

CTA_PROTOINFO
CTA_PROTOINFO_TCP
CTA_PROTOINFO_TCP_STATE

instead of:

CTA_PROTOINFO
CTA_PROTOINFO_TCP_STATE

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] nfnetlink: use highest bit of nfa_type to indicate nested TLV 2005-10-11T03:52:19+00:00 Harald Welte laforge@netfilter.org 2005-10-11T03:52:19+00:00 ebe0bbf06c9e03613bdcb6b5a704595a9344b7ff As Henrik Nordstrom pointed out, all our efforts with "split endian" (i.e. host byte order tags, net byte order values) are useless, unless a parser can determine whether an attribute is nested or not. This patch steals the highest bit of nfattr.nfa_type to indicate whether the data payload contains a nested nfattr (1) or not (0). This will break userspace compatibility, but luckily no kernel with nfnetlink was released so far. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
As Henrik Nordstrom pointed out, all our efforts with "split endian" (i.e.
host byte order tags, net byte order values) are useless, unless a parser
can determine whether an attribute is nested or not.

This patch steals the highest bit of nfattr.nfa_type to indicate whether
the data payload contains a nested nfattr (1) or not (0).

This will break userspace compatibility, but luckily no kernel with
nfnetlink was released so far.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETLINK]: Convert netlink users to use group numbers instead of bitmasks 2005-08-29T23:00:54+00:00 Patrick McHardy kaber@trash.net 2005-08-15T02:29:52+00:00 ac6d439d2097b72ea0cbc2322ce1263a38bc1fd0 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: introduce and use aligned_u64 data type 2005-08-29T22:57:59+00:00 Harald Welte laforge@netfilter.org 2005-08-13T20:55:44+00:00 0ba2c6e8c0fb5cde5a23a213c2e7cb851b85c310 As proposed by Andi Kleen, this is required esp. for x86_64 architecture, where 64bit code needs 8byte aligned 64bit data types, but 32bit userspace apps will only align to 4bytes. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
As proposed by Andi Kleen, this is required esp. for x86_64 architecture,
where 64bit code needs 8byte aligned 64bit data types, but 32bit userspace
apps will only align to 4bytes.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: add correct bridging support to nfnetlink_{queue,log} 2005-08-29T22:51:15+00:00 Harald Welte laforge@netfilter.org 2005-08-10T03:22:10+00:00 fbcd923c3e0c8ec9e4ed64f5a4e5766807b32729 This patch adds support for passing the real 'physical' device ifindex down to userspace via nfnetlink_log and nfnetlink_queue. This feature basically obsoletes net/bridge/netfilter/ebt_ulog.c, and it is likely ebt_ulog.c will die with one of the next couple of patches. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch adds support for passing the real 'physical' device ifindex
down to userspace via nfnetlink_log and nfnetlink_queue.

This feature basically obsoletes net/bridge/netfilter/ebt_ulog.c, and
it is likely ebt_ulog.c will die with one of the next couple of
patches.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: don't use nested attributes for conntrack_expect 2005-08-29T22:40:09+00:00 Harald Welte laforge@netfilter.org 2005-08-10T03:04:07+00:00 1444fc559b01aa5d4fedf4ee4f306a9e9cd56f95 We used to use nested nfattr structures for ip_conntrack_expect. This is bogus, since ip_conntrack and ip_conntrack_expect are communicated in different netlink message types. both should be encoded at the top level attributes, no extra nesting required. This patch addresses the issue. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
We used to use nested nfattr structures for ip_conntrack_expect.  This is
bogus, since ip_conntrack and ip_conntrack_expect are communicated in
different netlink message types.  both should be encoded at the top level
attributes, no extra nesting required.  This patch addresses the issue.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: attribute count is an attribute of message type, not subsytem 2005-08-29T22:39:14+00:00 Harald Welte laforge@netfilter.org 2005-08-10T03:03:40+00:00 927ccbcc28dceee29dad876982768cca29738564 Prior to this patch, every nfnetlink subsystem had to specify it's attribute count. However, in reality the attribute count depends on the message type within the subsystem, not the subsystem itself. This patch moves 'attr_count' from 'struct nfnetlink_subsys' into nfnl_callback to fix this. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Prior to this patch, every nfnetlink subsystem had to specify it's
attribute count.  However, in reality the attribute count depends on
the message type within the subsystem, not the subsystem itself.  This
patch moves 'attr_count' from 'struct nfnetlink_subsys' into
nfnl_callback to fix this.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Add new "nfnetlink_log" userspace packet logging facility 2005-08-29T22:38:12+00:00 Harald Welte laforge@netfilter.org 2005-08-10T02:58:39+00:00 0597f2680d666a3bcf101ac0c771ba7e50016bbd This is a generic (layer3 independent) version of what ipt_ULOG is already doing for IPv4 today. ipt_ULOG, ebt_ulog and finally also ip[6]t_LOG will be deprecated by this mechanism in the long term. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This is a generic (layer3 independent) version of what ipt_ULOG is already
doing for IPv4 today.  ipt_ULOG, ebt_ulog and finally also ip[6]t_LOG will
be deprecated by this mechanism in the long term.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Add refcounting and /proc/net/netfilter interface to nfnetlink_queue 2005-08-29T22:38:01+00:00 Harald Welte laforge@netfilter.org 2005-08-10T02:50:45+00:00 838ab6364956d9bdcefe84712de1621cf20a40b3 Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>