linux.git/net/netfilter, branch v2.6.15 Linux kernel source tree [NETFILTER]: Wait for untracked references in nf_conntrack module unload 2005-12-05T21:36:50+00:00 Patrick McHardy kaber@trash.net 2005-12-05T21:36:50+00:00 6636568cf85ef5898a892e90fcc88b61cca9ca27 Noticed by Pablo Neira <pablo@eurodev.net>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Noticed by Pablo Neira <pablo@eurodev.net>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Mark ctnetlink as EXPERIMENTAL 2005-12-05T21:36:25+00:00 Patrick McHardy kaber@trash.net 2005-12-05T21:36:25+00:00 a79575633300adb5d3f1bd856cc518c45fefcb86 Should have been marked EXPERIMENTAL from the beginning, as the current bunch of fixes show. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Should have been marked EXPERIMENTAL from the beginning, as the current
bunch of fixes show.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: nfnetlink: Fix calculation of minimum message length 2005-12-05T21:33:26+00:00 Yasuyuki Kozakai yasuyuki.kozakai@toshiba.co.jp 2005-12-05T21:33:26+00:00 3ebbe0cdd41f62e5c79cb4d7aa42a1ca50d7d2f2 At least, valid nfnetlink message should have nlmsghdr and nfgenmsg. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
At least, valid nfnetlink message should have nlmsghdr and nfgenmsg.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Ignore ACKs ACKs on half open connections in TCP conntrack 2005-12-01T22:28:58+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2005-12-01T22:28:58+00:00 73f306024c15bd12e59677d6eaf43ecced614f04 Mounting NFS file systems after a (warm) reboot could take a long time if firewalling and connection tracking was enabled. The reason is that the NFS clients tends to use the same ports (800 and counting down). Now on reboot, the server would still have a TCB for an existing TCP connection client:800 -> server:2049. The client sends a SYN from port 800 to server:2049, which elicits an ACK from the server. The firewall on the client drops the ACK because (from its point of view) the connection is still in half-open state, and it expects to see a SYNACK. The client will eventually time out after several minutes. The following patch corrects this, by accepting ACKs on half open connections as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Mounting NFS file systems after a (warm) reboot could take a long time if
firewalling and connection tracking was enabled.

The reason is that the NFS clients tends to use the same ports (800 and
counting down). Now on reboot, the server would still have a TCB for an
existing TCP connection client:800 -> server:2049. The client sends a
SYN from port 800 to server:2049, which elicits an ACK from the server.
The firewall on the client drops the ACK because (from its point of
view) the connection is still in half-open state, and it expects to see
a SYNACK.

The client will eventually time out after several minutes.

The following patch corrects this, by accepting ACKs on half open
connections as well.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER]: Fix nf_conntrack compilation with CONFIG_NETFILTER_DEBUG 2005-11-17T07:14:19+00:00 Patrick McHardy kaber@trash.net 2005-11-17T07:14:19+00:00 4a59a810513d5f7aa76515908b8e3620fa1b9b69 CC [M] net/netfilter/nf_conntrack_core.o net/netfilter/nf_conntrack_core.c: In function 'nf_ct_unlink_expect': net/netfilter/nf_conntrack_core.c:390: error: 'exp_timeout' undeclared (first use in this function) net/netfilter/nf_conntrack_core.c:390: error: (Each undeclared identifier is reported only once net/netfilter/nf_conntrack_core.c:390: error: for each function it appears in.) Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
CC [M]  net/netfilter/nf_conntrack_core.o
net/netfilter/nf_conntrack_core.c: In function 'nf_ct_unlink_expect':
net/netfilter/nf_conntrack_core.c:390: error: 'exp_timeout' undeclared (first use in this function)
net/netfilter/nf_conntrack_core.c:390: error: (Each undeclared identifier is reported only once
net/netfilter/nf_conntrack_core.c:390: error: for each function it appears in.)

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] Free layer-3 specific protocol tables at cleanup 2005-11-16T00:47:34+00:00 KOVACS Krisztian hidden@balabit.hu 2005-11-16T00:47:34+00:00 5a6f294e43e432bd207a702fea49ebb303ef9b23 Although the comment around the allocation code tells us that the layer-3 specific protocol tables will be freed when cleaning up, they aren't. And this makes nfsim complain loudly... Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Although the comment around the allocation code tells us that
the layer-3 specific protocol tables will be freed when cleaning up,
they aren't. And this makes nfsim complain loudly...

Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] Remove nf_conntrack stat proc file when cleaning up 2005-11-16T00:47:09+00:00 KOVACS Krisztian hidden@balabit.hu 2005-11-16T00:47:09+00:00 96479376c89e5be92c85bd350e3e2e8f0e7e3b52 Fix nf_conntrack statistics proc file removal. Looks like the old bug was forward-ported from ip_conntrack. :-] Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix nf_conntrack statistics proc file removal. Looks like the old bug
was forward-ported from ip_conntrack. :-]

Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] nfnetlink: unconditionally require CAP_NET_ADMIN 2005-11-14T23:24:59+00:00 Harald Welte laforge@netfilter.org 2005-11-14T23:24:59+00:00 37d2e7a20d745035b600f1a6be56cbb9c7259419 This patch unconditionally requires CAP_NET_ADMIN for all nfnetlink messages. It also removes the per-message cap_required field, since all existing subsystems use CAP_NET_ADMIN for all their messages anyway. Patrick McHardy owes me a beer if we ever need to re-introduce this. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch unconditionally requires CAP_NET_ADMIN for all nfnetlink
messages.  It also removes the per-message cap_required field, since all
existing subsystems use CAP_NET_ADMIN for all their messages anyway.

Patrick McHardy owes me a beer if we ever need to re-introduce this.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] nf_conntrack: Add missing code to TCP conntrack module 2005-11-14T23:23:01+00:00 KOVACS Krisztian hidden@balabit.hu 2005-11-14T23:23:01+00:00 3746a2b1402e7933c7f1eabdce384b8454dc2ef7 Looks like the nf_conntrack TCP code was slightly mismerged: it does not contain an else branch present in the IPv4 version. Let's add that code and make the testsuite happy. Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Looks like the nf_conntrack TCP code was slightly mismerged: it does
not contain an else branch present in the IPv4 version. Let's add that
code and make the testsuite happy.

Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[NETFILTER] {ip,nf}_conntrack TCP: Accept SYN+PUSH like SYN 2005-11-12T20:13:14+00:00 Vlad Drukker vlad@storewiz.com 2005-11-12T20:13:14+00:00 a2d7222f0f5861ce13b9308c30bd18f28ebeb583 Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware 3.0.0.4) initiates TCP with SYN and PUSH flags set. The Linux TCP/IP stack deals fine with that, but the connection tracking code doesn't. This patch alters TCP connection tracking to accept SYN+PUSH as a valid flag combination. Signed-off-by: Vlad Drukker <vlad@storewiz.com> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware
3.0.0.4) initiates TCP with SYN and PUSH flags set.

The Linux TCP/IP stack deals fine with that, but the connection tracking
code doesn't.

This patch alters TCP connection tracking to accept SYN+PUSH as a valid
flag combination.

Signed-off-by: Vlad Drukker <vlad@storewiz.com>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>