linux.git/net/ipv4/netfilter, branch v2.6.31 Linux kernel source tree netfilter: tcp conntrack: fix unacknowledged data detection with NAT 2009-06-29T12:07:56+00:00 Patrick McHardy kaber@trash.net 2009-06-29T12:07:56+00:00 a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272 When NAT helpers change the TCP packet size, the highest seen sequence number needs to be corrected. This is currently only done upwards, when the packet size is reduced the sequence number is unchanged. This causes TCP conntrack to falsely detect unacknowledged data and decrease the timeout. Fix by updating the highest seen sequence number in both directions after packet mangling. Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> 
When NAT helpers change the TCP packet size, the highest seen sequence
number needs to be corrected. This is currently only done upwards, when
the packet size is reduced the sequence number is unchanged. This causes
TCP conntrack to falsely detect unacknowledged data and decrease the
timeout.

Fix by updating the highest seen sequence number in both directions after
packet mangling.

Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ip_tables: fix build error 2009-06-11T23:53:09+00:00 Patrick McHardy kaber@trash.net 2009-06-11T23:53:09+00:00 24992eacd8a9f4af286bdaaab627b6802ceb8bce Fix build error introduced by commit bb70dfa5 (netfilter: xtables: consolidate comefrom debug cast access): net/ipv4/netfilter/ip_tables.c: In function 'ipt_do_table': net/ipv4/netfilter/ip_tables.c:421: error: 'comefrom' undeclared (first use in this function) net/ipv4/netfilter/ip_tables.c:421: error: (Each undeclared identifier is reported only once net/ipv4/netfilter/ip_tables.c:421: error: for each function it appears in.) Signed-off-by: Patrick McHardy <kaber@trash.net> 
Fix build error introduced by commit bb70dfa5 (netfilter: xtables:
consolidate comefrom debug cast access):

net/ipv4/netfilter/ip_tables.c: In function 'ipt_do_table':
net/ipv4/netfilter/ip_tables.c:421: error: 'comefrom' undeclared (first use in this function)
net/ipv4/netfilter/ip_tables.c:421: error: (Each undeclared identifier is reported only once
net/ipv4/netfilter/ip_tables.c:421: error: for each function it appears in.)

Signed-off-by: Patrick McHardy <kaber@trash.net>
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-06-11T14:00:49+00:00 Patrick McHardy kaber@trash.net 2009-06-11T14:00:49+00:00 36432dae73cf2c90a59b39c8df9fd8219272b005 






netfilter: Fix extra semi-colon in skb_walk_frags() changes.
2009-06-10T01:05:28+00:00

David S. Miller
davem@davemloft.net

2009-06-10T01:05:28+00:00

0808dc80939b08ec215f472e17a5d8f6b148037e

Noticed by Jesper Dangaard Brouer

Signed-off-by: David S. Miller <davem@davemloft.net>





Noticed by Jesper Dangaard Brouer

Signed-off-by: David S. Miller <davem@davemloft.net>







netfilter: Use frag list abstraction interfaces.
2009-06-09T07:23:58+00:00

David S. Miller
davem@davemloft.net

2009-06-09T07:23:58+00:00

343a99724e4431d8618bea2eb7552e12c965425a

Signed-off-by: David S. Miller <davem@davemloft.net>





Signed-off-by: David S. Miller <davem@davemloft.net>







netfilter: nf_ct_icmp: keep the ICMP ct entries longer
2009-06-08T13:53:43+00:00

Jan Kasprzak
kas@fi.muni.cz

2009-06-08T13:53:43+00:00

f87fb666bb00a7afcbd7992d236e42ac544996f9

Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>





Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>







netfilter: ipt_MASQUERADE: remove redundant rwlock
2009-06-05T11:26:21+00:00

Florian Westphal
fw@strlen.de

2009-06-05T11:26:21+00:00

17f2f52be0edb6d1ff5a3675f2bc545aea2dbf76

The lock "protects" an assignment and a comparision of an integer.
When the caller of device_cmp() evaluates the result, nat->masq_index
may already have been changed (regardless if the lock is there or not).

So, the lock either has to be held during nf_ct_iterate_cleanup(),
or can be removed.

This does the latter.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>





The lock "protects" an assignment and a comparision of an integer.
When the caller of device_cmp() evaluates the result, nat->masq_index
may already have been changed (regardless if the lock is there or not).

So, the lock either has to be held during nf_ct_iterate_cleanup(),
or can be removed.

This does the latter.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>







netfilter: x_tables: added hook number into match extension parameter structure.
2009-06-04T14:54:42+00:00

Evgeniy Polyakov
zbr@ioremap.net

2009-06-04T14:54:42+00:00

a5e78820966e17c2316866e00047e4e7e5480f04

Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>





Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>







net: skb->dst accessors
2009-06-03T09:51:04+00:00

Eric Dumazet
eric.dumazet@gmail.com

2009-06-02T05:19:30+00:00

adf30907d63893e4208dfe3f5c88ae12bc2f25d5

Define three accessors to get/set dst attached to a skb

struct dst_entry *skb_dst(const struct sk_buff *skb)

void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)

void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;

Delete skb->dst field

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>





Define three accessors to get/set dst attached to a skb

struct dst_entry *skb_dst(const struct sk_buff *skb)

void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)

void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;

Delete skb->dst field

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>







net: skb->rtable accessor
2009-06-03T09:51:02+00:00

Eric Dumazet
eric.dumazet@gmail.com

2009-06-02T05:14:27+00:00

511c3f92ad5b6d9f8f6464be1b4f85f0422be91a

Define skb_rtable(const struct sk_buff *skb) accessor to get rtable from skb

Delete skb->rtable field

Setting rtable is not allowed, just set dst instead as rtable is an alias.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>





Define skb_rtable(const struct sk_buff *skb) accessor to get rtable from skb

Delete skb->rtable field

Setting rtable is not allowed, just set dst instead as rtable is an alias.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>