linux.git/include/linux/netfilter, branch v2.6.34 Linux kernel source tree netfilter: ctnetlink: fix reliable event delivery if message building fails 2010-03-20T21:29:03+00:00 Pablo Neira Ayuso pablo@netfilter.org 2010-03-16T13:30:21+00:00 37b7ef7203240b3aba577bb1ff6765fe15225976 This patch fixes a bug that allows to lose events when reliable event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR and NETLINK_RECV_NO_ENOBUFS socket options are set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch fixes a bug that allows to lose events when reliable
event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR
and NETLINK_RECV_NO_ENOBUFS socket options are set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: xtables: replace XT_MATCH_ITERATE macro 2010-02-24T17:34:48+00:00 Jan Engelhardt jengelh@medozas.de 2010-02-24T17:34:48+00:00 dcea992aca82cb08b4674c4c783e325835408d1e The macro is replaced by a list.h-like foreach loop. This makes the code more inspectable. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The macro is replaced by a list.h-like foreach loop. This makes
the code more inspectable.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: xtables: replace XT_ENTRY_ITERATE macro 2010-02-24T17:32:59+00:00 Jan Engelhardt jengelh@medozas.de 2010-02-24T17:32:59+00:00 72b2b1dd77e8feb0b7c0b26dee58f2a1e2c9828c The macro is replaced by a list.h-like foreach loop. This makes the code much more inspectable. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The macro is replaced by a list.h-like foreach loop. This makes
the code much more inspectable.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: CONFIG_COMPAT: allow delta to exceed 32767 2010-02-15T17:17:10+00:00 Florian Westphal fwestphal@astaro.com 2010-02-15T17:17:10+00:00 3e5e524ffb5fcf2447eb5dd9f8e54ad22dd9baa7 with 32 bit userland and 64 bit kernels, it is unlikely but possible that insertion of new rules fails even tough there are only about 2000 iptables rules. This happens because the compat delta is using a short int. Easily reproducible via "iptables -m limit" ; after about 2050 rules inserting new ones fails with -ELOOP. Note that compat_delta included 2 bytes of padding on x86_64, so structure size remains the same. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net> 
with 32 bit userland and 64 bit kernels, it is unlikely but possible
that insertion of new rules fails even tough there are only about 2000
iptables rules.

This happens because the compat delta is using a short int.
Easily reproducible via "iptables -m limit" ; after about 2050
rules inserting new ones fails with -ELOOP.

Note that compat_delta included 2 bytes of padding on x86_64, so
structure size remains the same.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ctnetlink: add zone support 2010-02-15T17:14:57+00:00 Patrick McHardy kaber@trash.net 2010-02-15T17:14:57+00:00 ef00f89f1eb7e056aab9dfe068521e6f2320c94a Parse and dump the conntrack zone in ctnetlink. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Parse and dump the conntrack zone in ctnetlink.

Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack: add support for "conntrack zones" 2010-02-15T17:13:33+00:00 Patrick McHardy kaber@trash.net 2010-02-15T17:13:33+00:00 5d0aa2ccd4699a01cfdf14886191c249d7b45a01 Normally, each connection needs a unique identity. Conntrack zones allow to specify a numerical zone using the CT target, connections in different zones can use the same identity. Example: iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1 iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1 Signed-off-by: Patrick McHardy <kaber@trash.net> 
Normally, each connection needs a unique identity. Conntrack zones allow
to specify a numerical zone using the CT target, connections in different
zones can use the same identity.

Example:

iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1

Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: xtables: constify args in compat copying functions 2010-02-15T15:59:28+00:00 Jan Engelhardt jengelh@medozas.de 2009-06-26T06:23:19+00:00 739674fb7febf116e7d647031fab16989a08a965 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: nf_conntrack_sip: add T.38 FAX support 2010-02-11T11:30:21+00:00 Patrick McHardy kaber@trash.net 2010-02-11T11:30:21+00:00 9d288dffe3a276e1f06ba556845c456d696c5a4f Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nf_nat_sip: add TCP support 2010-02-11T11:29:38+00:00 Patrick McHardy kaber@trash.net 2010-02-11T11:29:38+00:00 48f8ac26537c1b7b1a2422f5232f45d06c945348 Add support for mangling TCP SIP packets. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Add support for mangling TCP SIP packets.

Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack_sip: add TCP support 2010-02-11T11:26:19+00:00 Patrick McHardy kaber@trash.net 2010-02-11T11:26:19+00:00 f5b321bd37fbec9188feb1f721ab46a5ac0b35da Add TCP support, which is mandated by RFC3261 for all SIP elements. SIP over TCP is similar to UDP, except that messages are delimited by Content-Length: headers and multiple messages may appear in one packet. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Add TCP support, which is mandated by RFC3261 for all SIP elements.

SIP over TCP is similar to UDP, except that messages are delimited
by Content-Length: headers and multiple messages may appear in one
packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>