linux-stable.git/include/linux/netfilter_ipv4.h, branch v3.2.16 Linux kernel stable tree headers, netfilter: Add missing #include <limits.h> for userland 2011-08-26T16:02:50+00:00 Ben Hutchings ben@decadent.org.uk 2011-08-24T18:45:36+00:00 598aaff2ee05c91728e5845956dd9754ed04315c Various headers use INT_MIN and INT_MAX, which are defined for userland in <limits.h>. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Various headers use INT_MIN and INT_MAX, which are defined for
userland in <limits.h>.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: ip_tables: add iptables security table for mandatory access control rules 2008-06-09T22:57:24+00:00 James Morris jmorris@namei.org 2008-06-09T22:57:24+00:00 560ee653b67074b805f1b661988a72a0e58811a5 The following patch implements a new "security" table for iptables, so that MAC (SELinux etc.) networking rules can be managed separately to standard DAC rules. This is to help with distro integration of the new secmark-based network controls, per various previous discussions. The need for a separate table arises from the fact that existing tools and usage of iptables will likely clash with centralized MAC policy management. The SECMARK and CONNSECMARK targets will still be valid in the mangle table to prevent breakage of existing users. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.

This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.

The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.

The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.

Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_nat: kill helper and seq_adjust hooks 2008-04-14T09:15:52+00:00 Patrick McHardy kaber@trash.net 2008-04-14T09:15:52+00:00 dd13b010368f85dfa59364ba87bfe8ae930b2832 Connection tracking helpers (specifically FTP) need to be called before NAT sequence numbers adjustments are performed to be able to compare them against previously seen ones. We've introduced two new hooks around 2.6.11 to maintain this ordering when NAT modules were changed to get called from conntrack helpers directly. The cost of netfilter hooks is quite high and sequence number adjustments are only rarely needed however. Add a RCU-protected sequence number adjustment function pointer and call it from IPv4 conntrack after calling the helper. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Connection tracking helpers (specifically FTP) need to be called
before NAT sequence numbers adjustments are performed to be able
to compare them against previously seen ones. We've introduced
two new hooks around 2.6.11 to maintain this ordering when NAT
modules were changed to get called from conntrack helpers directly.

The cost of netfilter hooks is quite high and sequence number
adjustments are only rarely needed however. Add a RCU-protected
sequence number adjustment function pointer and call it from
IPv4 conntrack after calling the helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETFILTER]: Introduce NF_INET_ hook values 2008-01-28T22:53:55+00:00 Patrick McHardy kaber@trash.net 2007-11-20T02:53:30+00:00 6e23ae2a48750bda407a4a58f52a4865d7308bf5 The IPv4 and IPv6 hook values are identical, yet some code tries to figure out the "correct" value by looking at the address family. Introduce NF_INET_* values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__ section for userspace compatibility. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15T19:26:29+00:00 Herbert Xu herbert@gondor.apana.org.au 2007-10-15T07:53:15+00:00 3db05fea51cdb162cfa8f69e9cfb9e228919d2a9 With all the users of the double pointers removed, this patch mops up by finally replacing all occurances of sk_buff ** in the netfilter API by sk_buff *. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurances of sk_buff ** in the netfilter API by
sk_buff *.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: bridge-netfilter: remove deferred hooks 2006-12-14T00:54:25+00:00 Patrick McHardy kaber@trash.net 2006-12-14T00:54:25+00:00 2bf540b73ed5b304e84bb4d4c390d49d1cfa0ef8 Remove the deferred hooks and all related code as scheduled in feature-removal-schedule. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Remove the deferred hooks and all related code as scheduled in
feature-removal-schedule.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Annotate __skb_checksum_complete() and friends. 2006-12-03T05:23:38+00:00 Al Viro viro@zeniv.linux.org.uk 2006-11-15T05:40:42+00:00 b51655b958dfb1176bfcf99466231fdbef8751ff Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: add type parameter to ip_route_me_harder 2006-10-04T07:30:54+00:00 Simon Horman horms@verge.net.au 2006-10-02T23:11:13+00:00 b4c4ed175ff0ee816df48571cfa9b73f521964b6 By adding a type parameter to ip_route_me_harder() the expensive call to inet_addr_type() can be avoided in some cases. A followup patch where ip_route_me_harder() is called from within ip_vs_out() is one such example. Signed-off-By: Simon Horman <horms@verge.net.au> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
By adding a type parameter to ip_route_me_harder() the
expensive call to inet_addr_type() can be avoided in some cases.
A followup patch where ip_route_me_harder() is called from within
ip_vs_out() is one such example.

Signed-off-By: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Don't include linux/config.h from anywhere else in include/ 2006-04-26T11:56:16+00:00 David Woodhouse dwmw2@infradead.org 2006-04-26T11:56:16+00:00 62c4f0a2d5a188f73a94f2cb8ea0dba3e7cf0a7f Signed-off-by: David Woodhouse <dwmw2@infradead.org> 
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
[NETFILTER]: Add address family specific checksum helpers 2006-04-10T05:25:41+00:00 Patrick McHardy kaber@trash.net 2006-04-06T21:18:43+00:00 422c346fad806e2abaeffac686860ebc98dfe33e Add checksum operation which takes care of verifying the checksum and dealing with HW checksum errors and avoids multiple checksum operations by setting ip_summed to CHECKSUM_UNNECESSARY after successful verification. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add checksum operation which takes care of verifying the checksum and
dealing with HW checksum errors and avoids multiple checksum
operations by setting ip_summed to CHECKSUM_UNNECESSARY after
successful verification.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>