linux.git/include/linux/netfilter_ipv4, branch v2.6.20 Linux kernel source tree [NETFILTER]: Fix iptables ABI breakage on (at least) CRIS 2007-01-24T06:00:13+00:00 Patrick McHardy kaber@trash.net 2007-01-24T06:00:13+00:00 2748e5dec7ca8a3804852c7c4171f9156384d15c With the introduction of x_tables we accidentally broke compatibility by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of XT_TABLE_MAXNAMELEN, which is two bytes larger. On most architectures it doesn't really matter since we don't have any tables with names that long in the kernel and the structure layout didn't change because of alignment requirements of following members. On CRIS however (and other architectures that don't align data) this changed the structure layout and thus broke compatibility with old iptables binaries. Changing it back will break compatibility with binaries compiled against recent kernels again, but since the breakage has only been there for three releases this seems like the better choice. Spotted by Jonas Berlin <xkr47@outerspace.dyndns.org>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
With the introduction of x_tables we accidentally broke compatibility
by defining IPT_TABLE_MAXNAMELEN to XT_FUNCTION_MAXNAMELEN instead of
XT_TABLE_MAXNAMELEN, which is two bytes larger.

On most architectures it doesn't really matter since we don't have
any tables with names that long in the kernel and the structure
layout didn't change because of alignment requirements of following
members. On CRIS however (and other architectures that don't align
data) this changed the structure layout and thus broke compatibility
with old iptables binaries.

Changing it back will break compatibility with binaries compiled
against recent kernels again, but since the breakage has only been
there for three releases this seems like the better choice.

Spotted by Jonas Berlin <xkr47@outerspace.dyndns.org>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PATCH] severing skbuff.h -> mm.h 2006-12-04T07:00:34+00:00 Al Viro viro@zeniv.linux.org.uk 2006-12-04T04:15:30+00:00 d7fe0f241dceade9c8d4af75498765c5ff7f27e6 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port 2006-12-03T06:08:46+00:00 Patrick McHardy kaber@trash.net 2006-12-03T06:08:46+00:00 f587de0e2feb9eb9b94f98d0a7b7437e4d6617b4 Add IPv4 and IPv6 capable nf_conntrack port of the H.323 conntrack/NAT helper. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add IPv4 and IPv6 capable nf_conntrack port of the H.323 conntrack/NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nf_nat: add FTP NAT helper port 2006-12-03T06:07:44+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2006-12-03T06:07:44+00:00 55a733247d6d2883d9bb77825fafac3dfca13fc2 Add FTP NAT helper. Split out from Jozsef's big nf_nat patch with a few small fixes by myself. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Add FTP NAT helper.

Split out from Jozsef's big nf_nat patch with a few small fixes by myself.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: x_tables: add NFLOG target 2006-12-03T05:31:31+00:00 Patrick McHardy kaber@trash.net 2006-11-29T01:35:38+00:00 baf7b1e11282127e068d149825cccec002091d61 Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
targets to optionally call to the nflog API. They lack a few features,
namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
related to nfnetlink_log, while the ULOG target is only available for IPv4.
Remove those hacks and add a clean way to use nfnetlink_log.

Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6 2006-12-03T05:31:31+00:00 Patrick McHardy kaber@trash.net 2006-11-29T01:35:36+00:00 39b46fc6f0d1161a5585cd8af7b3a05e8118ab7e Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETFILTER]: sip conntrack: better NAT handling 2006-12-03T05:31:26+00:00 Patrick McHardy kaber@trash.net 2006-11-29T01:35:30+00:00 1b683b551209ca46ae59b29572018001db5af078 The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: Patrick McHardy <kaber@trash.net> 
The NAT handling of the SIP helper has a few problems:

- Request headers are only mangled in the reply direction, From/To headers
  not at all, which can lead to authentication failures with DNAT in case
  the authentication domain is the IP address

- Contact headers in responses are only mangled for REGISTER responses

- Headers may be mangled even though they contain addresses not
  participating in the connection, like alternative addresses

- Packets are droppen when domain names are used where the helper expects
  IP addresses

This patch takes a different approach, instead of fixed rules what field
to mangle to what content, it adds symetric mapping of From/To/Via/Contact
headers, which allows to deal properly with echoed addresses in responses
and foreign addresses not belonging to the connection.

Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETFILTER]: sip conntrack: do case insensitive SIP header search 2006-12-03T05:31:24+00:00 Patrick McHardy kaber@trash.net 2006-11-29T01:35:27+00:00 40883e8184947879f135605a05c0764c60656cc5 SIP headers are generally case-insensitive, only SDP headers are case sensitive. Signed-off-by: Patrick McHardy <kaber@trash.net> 
SIP headers are generally case-insensitive, only SDP headers are
case sensitive.

Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETFILTER]: sip conntrack: minor cleanup 2006-12-03T05:31:23+00:00 Patrick McHardy kaber@trash.net 2006-11-29T01:35:26+00:00 9d5b8baa4e9ace9be113c6151aaeeb3c07a26fc8 - Use enum for header field enumeration - Use numerical value instead of pointer to header info structure to identify headers, unexport ct_sip_hdrs - group SIP and SDP entries in header info structure - remove double forward declaration of ct_sip_get_info Signed-off-by: Patrick McHardy <kaber@trash.net> 
- Use enum for header field enumeration
- Use numerical value instead of pointer to header info structure to
  identify headers, unexport ct_sip_hdrs
- group SIP and SDP entries in header info structure
- remove double forward declaration of ct_sip_get_info

Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETFILTER]: conntrack: add '_get' to {ip, nf}_conntrack_expect_find 2006-12-03T05:31:21+00:00 Yasuyuki Kozakai yasuyuki.kozakai@toshiba.co.jp 2006-11-29T01:35:23+00:00 468ec44bd5a863736d955f78b8c38896f26864a1 We usually uses 'xxx_find_get' for function which increments reference count. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> 
We usually uses 'xxx_find_get' for function which increments
reference count.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>