linux.git/net/ipv6/netfilter, branch v2.6.31 Linux kernel source tree Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-06-11T14:00:49+00:00 Patrick McHardy kaber@trash.net 2009-06-11T14:00:49+00:00 36432dae73cf2c90a59b39c8df9fd8219272b005 






netfilter: Use frag list abstraction interfaces.
2009-06-09T07:23:58+00:00

David S. Miller
davem@davemloft.net

2009-06-09T07:23:58+00:00

343a99724e4431d8618bea2eb7552e12c965425a

Signed-off-by: David S. Miller <davem@davemloft.net>





Signed-off-by: David S. Miller <davem@davemloft.net>







netfilter: nf_ct_icmp: keep the ICMP ct entries longer
2009-06-08T13:53:43+00:00

Jan Kasprzak
kas@fi.muni.cz

2009-06-08T13:53:43+00:00

f87fb666bb00a7afcbd7992d236e42ac544996f9

Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>





Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>







netfilter: x_tables: added hook number into match extension parameter structure.
2009-06-04T14:54:42+00:00

Evgeniy Polyakov
zbr@ioremap.net

2009-06-04T14:54:42+00:00

a5e78820966e17c2316866e00047e4e7e5480f04

Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>





Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>







net: skb->dst accessors
2009-06-03T09:51:04+00:00

Eric Dumazet
eric.dumazet@gmail.com

2009-06-02T05:19:30+00:00

adf30907d63893e4208dfe3f5c88ae12bc2f25d5

Define three accessors to get/set dst attached to a skb

struct dst_entry *skb_dst(const struct sk_buff *skb)

void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)

void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;

Delete skb->dst field

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>





Define three accessors to get/set dst attached to a skb

struct dst_entry *skb_dst(const struct sk_buff *skb)

void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)

void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;

Delete skb->dst field

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>







netfilter: conntrack: simplify event caching system
2009-06-02T18:08:46+00:00

Pablo Neira Ayuso
pablo@netfilter.org

2009-06-02T18:08:46+00:00

17e6e4eac070607a35464ea7e2c5eceac32e5eca

This patch simplifies the conntrack event caching system by removing
several events:

 * IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted
   since the have no clients.
 * IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter
   days.
 * IPCT_REFRESH which is not of any use since we always include the
   timeout in the messages.

After this patch, the existing events are:

 * IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify
 addition and deletion of entries.
 * IPCT_STATUS, that notes that the status bits have changes,
 eg. IPS_SEEN_REPLY and IPS_ASSURED.
 * IPCT_PROTOINFO, that reports that internal protocol information has
 changed, eg. the TCP, DCCP and SCTP protocol state.
 * IPCT_HELPER, that a helper has been assigned or unassigned to this
 entry.
 * IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this
 covers the case when a mark is set to zero.
 * IPCT_NATSEQADJ, to report that there's updates in the NAT sequence
 adjustment.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>





This patch simplifies the conntrack event caching system by removing
several events:

 * IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted
   since the have no clients.
 * IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter
   days.
 * IPCT_REFRESH which is not of any use since we always include the
   timeout in the messages.

After this patch, the existing events are:

 * IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify
 addition and deletion of entries.
 * IPCT_STATUS, that notes that the status bits have changes,
 eg. IPS_SEEN_REPLY and IPS_ASSURED.
 * IPCT_PROTOINFO, that reports that internal protocol information has
 changed, eg. the TCP, DCCP and SCTP protocol state.
 * IPCT_HELPER, that a helper has been assigned or unassigned to this
 entry.
 * IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this
 covers the case when a mark is set to zero.
 * IPCT_NATSEQADJ, to report that there's updates in the NAT sequence
 adjustment.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>







Merge branch 'master' of git://dev.medozas.de/linux
2009-06-02T11:44:56+00:00

Patrick McHardy
kaber@trash.net

2009-06-02T11:44:56+00:00

8cc848fa3445b3503465dfba5d8ad47559faa05a












netfilter: xtables: consolidate comefrom debug cast access
2009-05-08T08:30:49+00:00

Jan Engelhardt
jengelh@medozas.de

2009-04-15T19:40:13+00:00

bb70dfa5f8ab4a0f1c699ddb3ef0276d91219b7c

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>





Signed-off-by: Jan Engelhardt <jengelh@medozas.de>







netfilter: xtables: remove another level of indent
2009-05-08T08:30:49+00:00

Jan Engelhardt
jengelh@medozas.de

2009-04-15T19:35:33+00:00

7a6b1c46e28ab0511be26c238d552c00b51b88c5

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>





Signed-off-by: Jan Engelhardt <jengelh@medozas.de>







netfilter: xtables: remove some goto
2009-05-08T08:30:48+00:00

Jan Engelhardt
jengelh@medozas.de

2009-04-15T19:31:32+00:00

9452258d8173806f67b1be5b3b00c39b052060c8

Combining two ifs, and goto is easily gone.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>





Combining two ifs, and goto is easily gone.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>