linux.git/include/net/netfilter, branch v2.6.29 Linux kernel source tree netfilter: conntrack: don't deliver events for racy packets 2009-03-16T14:06:42+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-03-16T14:06:42+00:00 b1e93a68ca41e7e73766f95ba32ca05cf9052e15 This patch skips the delivery of conntrack events if the packet was drop due to a race condition in the conntrack insertion. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 
This patch skips the delivery of conntrack events if the packet
was drop due to a race condition in the conntrack insertion.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack: don't try to deliver events for untracked connections 2009-02-18T14:30:34+00:00 Patrick McHardy kaber@trash.net 2009-02-18T14:30:34+00:00 5962fc6d5fff09c8e6fb8cadcb18327a0f4277f7 The untracked conntrack actually does usually have events marked for delivery as its not special-cased in that part of the code. Skip the actual delivery since it impacts performance noticeably. Signed-off-by: Patrick McHardy <kaber@trash.net> 
The untracked conntrack actually does usually have events marked for
delivery as its not special-cased in that part of the code. Skip the
actual delivery since it impacts performance noticeably.

Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: fix warning in net/netfilter/nf_conntrack_proto_tcp.c 2008-11-25T17:20:13+00:00 Ingo Molnar mingo@elte.hu 2008-11-25T17:20:13+00:00 65f233fb1669e6c990cd1d7fd308ac7dc66dc207 fix this warning: net/netfilter/nf_conntrack_proto_tcp.c: In function \u2018tcp_in_window\u2019: net/netfilter/nf_conntrack_proto_tcp.c:491: warning: unused variable \u2018net\u2019 net/netfilter/nf_conntrack_proto_tcp.c: In function \u2018tcp_packet\u2019: net/netfilter/nf_conntrack_proto_tcp.c:812: warning: unused variable \u2018net\u2019 Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
fix this warning:

  net/netfilter/nf_conntrack_proto_tcp.c: In function \u2018tcp_in_window\u2019:
  net/netfilter/nf_conntrack_proto_tcp.c:491: warning: unused variable \u2018net\u2019
  net/netfilter/nf_conntrack_proto_tcp.c: In function \u2018tcp_packet\u2019:
  net/netfilter/nf_conntrack_proto_tcp.c:812: warning: unused variable \u2018net\u2019

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nfnetlink_log: fix warning and prototype mismatch 2008-11-18T11:16:52+00:00 Patrick McHardy kaber@trash.net 2008-11-18T11:16:52+00:00 d9e150071d18b5c87ba7a097af4063a5ad0c6a0c net/netfilter/nfnetlink_log.c:537:1: warning: symbol 'nfulnl_log_packet' was not declared. Should it be static? Including the proper header also revealed an incorrect prototype. Signed-off-by: Patrick McHardy <kaber@trash.net> 
net/netfilter/nfnetlink_log.c:537:1: warning: symbol 'nfulnl_log_packet' was not declared. Should it be static?

Including the proper header also revealed an incorrect prototype.

Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ctnetlink: deliver events for conntracks changed from userspace 2008-11-18T10:56:20+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-11-18T10:56:20+00:00 19abb7b090a6bce88d4e9b2914a0367f4f684432 As for now, the creation and update of conntracks via ctnetlink do not propagate an event to userspace. This can result in inconsistent situations if several userspace processes modify the connection tracking table by means of ctnetlink at the same time. Specifically, using the conntrack command line tool and conntrackd at the same time can trigger unconsistencies. This patch also modifies the event cache infrastructure to pass the process PID and the ECHO flag to nfnetlink_send() to report back to userspace if the process that triggered the change needs so. Based on a suggestion from Patrick McHardy. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 
As for now, the creation and update of conntracks via ctnetlink do not
propagate an event to userspace. This can result in inconsistent situations
if several userspace processes modify the connection tracking table by means
of ctnetlink at the same time. Specifically, using the conntrack command
line tool and conntrackd at the same time can trigger unconsistencies.

This patch also modifies the event cache infrastructure to pass the
process PID and the ECHO flag to nfnetlink_send() to report back
to userspace if the process that triggered the change needs so.
Based on a suggestion from Patrick McHardy.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ctnetlink: helper modules load-on-demand support 2008-11-18T10:54:05+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-11-18T10:54:05+00:00 226c0c0ef2abdf91b8d9cce1aaf7d4635a5e5926 This patch adds module loading for helpers via ctnetlink. * Creation path: We support explicit and implicit helper assignation. For the explicit case, we try to load the module. If the module is correctly loaded and the helper is present, we return EAGAIN to re-start the creation. Otherwise, we return EOPNOTSUPP. * Update path: release the spin lock, load the module and check. If it is present, then return EAGAIN to re-start the update. This patch provides a refactorized function to lookup-and-set the connection tracking helper. The function removes the exported symbol __nf_ct_helper_find as it has not clients anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 
This patch adds module loading for helpers via ctnetlink.

* Creation path: We support explicit and implicit helper assignation. For
  the explicit case, we try to load the module. If the module is correctly
  loaded and the helper is present, we return EAGAIN to re-start the
  creation. Otherwise, we return EOPNOTSUPP.
* Update path: release the spin lock, load the module and check. If it is
  present, then return EAGAIN to re-start the update.

This patch provides a refactorized function to lookup-and-set the
connection tracking helper. The function removes the exported symbol
__nf_ct_helper_find as it has not clients anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack: connection tracking helper name persistent aliases 2008-11-17T15:01:42+00:00 Pablo Neira Ayuso pablo@netfilter.org 2008-11-17T15:01:42+00:00 4dc06f9633444f426ef9960c53426f2d2ded64ac This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a way to provide generic and persistent aliases for the connection tracking helpers. This next patch requires this patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 
This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a
way to provide generic and persistent aliases for the connection
tracking helpers.

This next patch requires this patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: xt_NFLOG: don't call nf_log_packet in NFLOG module. 2008-11-04T13:21:08+00:00 Eric Leblond eric@inl.fr 2008-11-04T13:21:08+00:00 5f7340eff8f68f41b7e5c7ad47ec4cd1ea1afb40 This patch modifies xt_NFLOG to suppress the call to nf_log_packet() function. The call of this wrapper in xt_NFLOG was causing NFLOG to use the first initialized module. Thus, if ipt_ULOG is loaded before nfnetlink_log all NFLOG rules are treated as plain LOG rules. Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net> 
This patch modifies xt_NFLOG to suppress the call to nf_log_packet()
function. The call of this wrapper in xt_NFLOG was causing NFLOG to
use the first initialized module. Thus, if ipt_ULOG is loaded before
nfnetlink_log all NFLOG rules are treated as plain LOG rules.

Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
misc: replace NIPQUAD() 2008-10-31T07:56:49+00:00 Harvey Harrison harvey.harrison@gmail.com 2008-10-31T07:56:49+00:00 3685f25de1b0447fff381c420de1e25bd57c9efb Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u can be replaced with %pI4 Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u
can be replaced with %pI4

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: replace %p6 with %pI6 2008-10-29T19:52:50+00:00 Harvey Harrison harvey.harrison@gmail.com 2008-10-29T19:52:50+00:00 5b095d98928fdb9e3b75be20a54b7a6cbf6ca9ad Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>