linux.git/net/ipv4/netfilter.c, branch v2.6.29 Linux kernel source tree Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6 2008-11-28T10:19:15+00:00 David S. Miller davem@davemloft.net 2008-11-28T10:19:15+00:00 ed77a89c30fa03dcb234a84ddea710b3fb7b62da Conflicts: net/netfilter/nf_conntrack_netlink.c 
Conflicts:

	net/netfilter/nf_conntrack_netlink.c
netns xfrm: lookup in netns 2008-11-26T01:35:18+00:00 Alexey Dobriyan adobriyan@gmail.com 2008-11-26T01:35:18+00:00 52479b623d3d41df84c499325b6a8c7915413032 Pass netns to xfrm_lookup()/__xfrm_lookup(). For that pass netns to flow_cache_lookup() and resolver callback. Take it from socket or netdevice. Stub DECnet to init_net. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Pass netns to xfrm_lookup()/__xfrm_lookup(). For that pass netns
to flow_cache_lookup() and resolver callback.

Take it from socket or netdevice. Stub DECnet to init_net.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: nfmark routing in OUTPUT, mangle, NFQUEUE 2008-11-25T11:15:16+00:00 Eric Leblond eric@inl.fr 2008-11-25T11:15:16+00:00 5f145e44ae09f629d25536b2947a91e9c01bddcb This patch let nfmark to be evaluated for routing decision for OUTPUT packet, in mangle table, when process paquet in NFQUEUE Until now, only change (in NFQUEUE process) on fields src_addr, dest_addr and tos could make netfilter to reevalute the routing. From: Laurent Licour <laurent@licour.com> Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net> 
This patch let nfmark to be evaluated for routing decision for OUTPUT
packet, in mangle table, when process paquet in NFQUEUE
Until now, only change (in NFQUEUE process) on fields src_addr,
dest_addr and tos could make netfilter to reevalute the routing.

From: Laurent Licour <laurent@licour.com>
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: netns: fix {ip,6}_route_me_harder() in netns 2008-10-08T09:35:03+00:00 Alexey Dobriyan adobriyan@gmail.com 2008-10-08T09:35:03+00:00 b21f89019399ff75d9c239010e38b840eb6e01e7 Take netns from skb->dst->dev. It should be safe because, they are called from LOCAL_OUT hook where dst is valid (though, I'm not exactly sure about IPVS and queueing packets to userspace). [Patrick: its safe everywhere since they already expect skb->dst to be set] Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Take netns from skb->dst->dev. It should be safe because, they are called
from LOCAL_OUT hook where dst is valid (though, I'm not exactly sure about
IPVS and queueing packets to userspace).

[Patrick: its safe everywhere since they already expect skb->dst to be set]

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ipv4: Make Netfilter's ip_route_me_harder() non-local address compatible 2008-10-01T14:44:42+00:00 KOVACS Krisztian hidden@sch.bme.hu 2008-10-01T14:44:42+00:00 86b08d867d7de001ab224180ed7865fab93fd56e Netfilter's ip_route_me_harder() tries to re-route packets either generated or re-routed by Netfilter. This patch changes ip_route_me_harder() to handle packets from non-locally-bound sockets with IP_TRANSPARENT set as local and to set the appropriate flowi flags when re-doing the routing lookup. Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu> Signed-off-by: David S. Miller <davem@davemloft.net> 
Netfilter's ip_route_me_harder() tries to re-route packets either
generated or re-routed by Netfilter. This patch changes
ip_route_me_harder() to handle packets from non-locally-bound sockets
with IP_TRANSPARENT set as local and to set the appropriate flowi
flags when re-doing the routing lookup.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Add partial checksum validation helper 2008-04-14T09:15:49+00:00 Patrick McHardy kaber@trash.net 2008-03-20T14:15:53+00:00 d63a650736f566a1f9e9434725d2089597c0d2cc Move the UDP-Lite conntrack checksum validation to a generic helper similar to nf_checksum() and make it fall back to nf_checksum() in case the full packet is to be checksummed and hardware checksums are available. This is to be used by DCCP conntrack, which also needs to verify partial checksums. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Move the UDP-Lite conntrack checksum validation to a generic helper
similar to nf_checksum() and make it fall back to nf_checksum()
in case the full packet is to be checksummed and hardware checksums
are available. This is to be used by DCCP conntrack, which also
needs to verify partial checksums.

Signed-off-by: Patrick McHardy <kaber@trash.net>
[NETNS]: Add namespace parameter to ip_route_output_key. 2008-01-28T23:11:07+00:00 Denis V. Lunev den@openvz.org 2008-01-23T06:07:34+00:00 f206351a50ea86250fabea96b9af8d8f8fc02603 Needed to propagate it down to the ip_route_output_flow. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Needed to propagate it down to the ip_route_output_flow.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: kill nf_sysctl.c 2008-01-28T23:02:40+00:00 Patrick McHardy kaber@trash.net 2008-01-15T07:48:39+00:00 4f536522dae9d5326ad1872cd254ee84681cf563 Since there now is generic support for shared sysctl paths, the only remains are the net/netfilter and net/ipv4/netfilter paths. Move them to net/netfilter/core.c and net/ipv4/netfilter.c and kill nf_sysctl.c. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Since there now is generic support for shared sysctl paths, the only
remains are the net/netfilter and net/ipv4/netfilter paths. Move them
to net/netfilter/core.c and net/ipv4/netfilter.c and kill nf_sysctl.c.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETNS]: Add netns parameter to inet_(dev_)add_type. 2008-01-28T23:01:27+00:00 Eric W. Biederman ebiederm@xmission.com 2008-01-10T11:25:28+00:00 6b175b26c1048d331508940ad3516ead1998084f The patch extends the inet_addr_type and inet_dev_addr_type with the network namespace pointer. That allows to access the different tables relatively to the network namespace. The modification of the signature function is reported in all the callers of the inet_addr_type using the pointer to the well known init_net. Acked-by: Benjamin Thery <benjamin.thery@bull.net> Acked-by: Daniel Lezcano <dlezcano@fr.ibm.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
The patch extends the inet_addr_type and inet_dev_addr_type with the
network namespace pointer. That allows to access the different tables
relatively to the network namespace.

The modification of the signature function is reported in all the
callers of the inet_addr_type using the pointer to the well known
init_net.

Acked-by: Benjamin Thery <benjamin.thery@bull.net>
Acked-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: constify nf_afinfo 2008-01-28T22:59:05+00:00 Patrick McHardy kaber@trash.net 2007-12-18T06:42:27+00:00 1e796fda00f06bac584f0e4ad8750ab9430d79d3 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>