aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/bridge/br_netfilter.c31
-rw-r--r--net/bridge/br_private.h3
-rw-r--r--net/bridge/br_sysfs_br.c72
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c54
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c6
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c10
-rw-r--r--net/ipv4/netfilter/nf_nat_standalone.c8
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c81
-rw-r--r--net/netfilter/Kconfig24
-rw-r--r--net/netfilter/ipvs/ip_vs_conn.c10
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c20
-rw-r--r--net/netfilter/ipvs/ip_vs_ctl.c10
-rw-r--r--net/netfilter/nf_conntrack_acct.c14
-rw-r--r--net/netfilter/xt_IDLETIMER.c1
-rw-r--r--net/netfilter/xt_connbytes.c10
15 files changed, 243 insertions, 111 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 84060bc48f11..9fdf1b116bd7 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -55,6 +55,9 @@ static int brnf_call_arptables __read_mostly = 1;
55static int brnf_filter_vlan_tagged __read_mostly = 0; 55static int brnf_filter_vlan_tagged __read_mostly = 0;
56static int brnf_filter_pppoe_tagged __read_mostly = 0; 56static int brnf_filter_pppoe_tagged __read_mostly = 0;
57#else 57#else
58#define brnf_call_iptables 1
59#define brnf_call_ip6tables 1
60#define brnf_call_arptables 1
58#define brnf_filter_vlan_tagged 0 61#define brnf_filter_vlan_tagged 0
59#define brnf_filter_pppoe_tagged 0 62#define brnf_filter_pppoe_tagged 0
60#endif 63#endif
@@ -544,25 +547,30 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
544 const struct net_device *out, 547 const struct net_device *out,
545 int (*okfn)(struct sk_buff *)) 548 int (*okfn)(struct sk_buff *))
546{ 549{
550 struct net_bridge_port *p;
551 struct net_bridge *br;
547 struct iphdr *iph; 552 struct iphdr *iph;
548 __u32 len = nf_bridge_encap_header_len(skb); 553 __u32 len = nf_bridge_encap_header_len(skb);
549 554
550 if (unlikely(!pskb_may_pull(skb, len))) 555 if (unlikely(!pskb_may_pull(skb, len)))
551 goto out; 556 goto out;
552 557
558 p = br_port_get_rcu(in);
559 if (p == NULL)
560 goto out;
561 br = p->br;
562
553 if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || 563 if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
554 IS_PPPOE_IPV6(skb)) { 564 IS_PPPOE_IPV6(skb)) {
555#ifdef CONFIG_SYSCTL 565 if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
556 if (!brnf_call_ip6tables)
557 return NF_ACCEPT; 566 return NF_ACCEPT;
558#endif 567
559 nf_bridge_pull_encap_header_rcsum(skb); 568 nf_bridge_pull_encap_header_rcsum(skb);
560 return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn); 569 return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
561 } 570 }
562#ifdef CONFIG_SYSCTL 571
563 if (!brnf_call_iptables) 572 if (!brnf_call_iptables && !br->nf_call_iptables)
564 return NF_ACCEPT; 573 return NF_ACCEPT;
565#endif
566 574
567 if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) && 575 if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
568 !IS_PPPOE_IP(skb)) 576 !IS_PPPOE_IP(skb))
@@ -715,12 +723,17 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
715 const struct net_device *out, 723 const struct net_device *out,
716 int (*okfn)(struct sk_buff *)) 724 int (*okfn)(struct sk_buff *))
717{ 725{
726 struct net_bridge_port *p;
727 struct net_bridge *br;
718 struct net_device **d = (struct net_device **)(skb->cb); 728 struct net_device **d = (struct net_device **)(skb->cb);
719 729
720#ifdef CONFIG_SYSCTL 730 p = br_port_get_rcu(out);
721 if (!brnf_call_arptables) 731 if (p == NULL)
732 return NF_ACCEPT;
733 br = p->br;
734
735 if (!brnf_call_arptables && !br->nf_call_arptables)
722 return NF_ACCEPT; 736 return NF_ACCEPT;
723#endif
724 737
725 if (skb->protocol != htons(ETH_P_ARP)) { 738 if (skb->protocol != htons(ETH_P_ARP)) {
726 if (!IS_VLAN_ARP(skb)) 739 if (!IS_VLAN_ARP(skb))
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 3f0678fd1fd0..75c90edaf7db 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -176,6 +176,9 @@ struct net_bridge
176 unsigned long feature_mask; 176 unsigned long feature_mask;
177#ifdef CONFIG_BRIDGE_NETFILTER 177#ifdef CONFIG_BRIDGE_NETFILTER
178 struct rtable fake_rtable; 178 struct rtable fake_rtable;
179 bool nf_call_iptables;
180 bool nf_call_ip6tables;
181 bool nf_call_arptables;
179#endif 182#endif
180 unsigned long flags; 183 unsigned long flags;
181#define BR_SET_MAC_ADDR 0x00000001 184#define BR_SET_MAC_ADDR 0x00000001
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 486b8f3861d2..5c1e5559ebba 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -611,6 +611,73 @@ static DEVICE_ATTR(multicast_startup_query_interval, S_IRUGO | S_IWUSR,
611 show_multicast_startup_query_interval, 611 show_multicast_startup_query_interval,
612 store_multicast_startup_query_interval); 612 store_multicast_startup_query_interval);
613#endif 613#endif
614#ifdef CONFIG_BRIDGE_NETFILTER
615static ssize_t show_nf_call_iptables(
616 struct device *d, struct device_attribute *attr, char *buf)
617{
618 struct net_bridge *br = to_bridge(d);
619 return sprintf(buf, "%u\n", br->nf_call_iptables);
620}
621
622static int set_nf_call_iptables(struct net_bridge *br, unsigned long val)
623{
624 br->nf_call_iptables = val ? true : false;
625 return 0;
626}
627
628static ssize_t store_nf_call_iptables(
629 struct device *d, struct device_attribute *attr, const char *buf,
630 size_t len)
631{
632 return store_bridge_parm(d, buf, len, set_nf_call_iptables);
633}
634static DEVICE_ATTR(nf_call_iptables, S_IRUGO | S_IWUSR,
635 show_nf_call_iptables, store_nf_call_iptables);
636
637static ssize_t show_nf_call_ip6tables(
638 struct device *d, struct device_attribute *attr, char *buf)
639{
640 struct net_bridge *br = to_bridge(d);
641 return sprintf(buf, "%u\n", br->nf_call_ip6tables);
642}
643
644static int set_nf_call_ip6tables(struct net_bridge *br, unsigned long val)
645{
646 br->nf_call_ip6tables = val ? true : false;
647 return 0;
648}
649
650static ssize_t store_nf_call_ip6tables(
651 struct device *d, struct device_attribute *attr, const char *buf,
652 size_t len)
653{
654 return store_bridge_parm(d, buf, len, set_nf_call_ip6tables);
655}
656static DEVICE_ATTR(nf_call_ip6tables, S_IRUGO | S_IWUSR,
657 show_nf_call_ip6tables, store_nf_call_ip6tables);
658
659static ssize_t show_nf_call_arptables(
660 struct device *d, struct device_attribute *attr, char *buf)
661{
662 struct net_bridge *br = to_bridge(d);
663 return sprintf(buf, "%u\n", br->nf_call_arptables);
664}
665
666static int set_nf_call_arptables(struct net_bridge *br, unsigned long val)
667{
668 br->nf_call_arptables = val ? true : false;
669 return 0;
670}
671
672static ssize_t store_nf_call_arptables(
673 struct device *d, struct device_attribute *attr, const char *buf,
674 size_t len)
675{
676 return store_bridge_parm(d, buf, len, set_nf_call_arptables);
677}
678static DEVICE_ATTR(nf_call_arptables, S_IRUGO | S_IWUSR,
679 show_nf_call_arptables, store_nf_call_arptables);
680#endif
614 681
615static struct attribute *bridge_attrs[] = { 682static struct attribute *bridge_attrs[] = {
616 &dev_attr_forward_delay.attr, 683 &dev_attr_forward_delay.attr,
@@ -645,6 +712,11 @@ static struct attribute *bridge_attrs[] = {
645 &dev_attr_multicast_query_response_interval.attr, 712 &dev_attr_multicast_query_response_interval.attr,
646 &dev_attr_multicast_startup_query_interval.attr, 713 &dev_attr_multicast_startup_query_interval.attr,
647#endif 714#endif
715#ifdef CONFIG_BRIDGE_NETFILTER
716 &dev_attr_nf_call_iptables.attr,
717 &dev_attr_nf_call_ip6tables.attr,
718 &dev_attr_nf_call_arptables.attr,
719#endif
648 NULL 720 NULL
649}; 721};
650 722
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 5234f4f3499a..915fc17d7ce2 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -13,6 +13,7 @@
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/spinlock.h> 14#include <linux/spinlock.h>
15#include <linux/skbuff.h> 15#include <linux/skbuff.h>
16#include <linux/if_arp.h>
16#include <linux/ip.h> 17#include <linux/ip.h>
17#include <net/icmp.h> 18#include <net/icmp.h>
18#include <net/udp.h> 19#include <net/udp.h>
@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info,
363 /* maxlen = 230+ 91 + 230 + 252 = 803 */ 364 /* maxlen = 230+ 91 + 230 + 252 = 803 */
364} 365}
365 366
367static void dump_mac_header(const struct nf_loginfo *info,
368 const struct sk_buff *skb)
369{
370 struct net_device *dev = skb->dev;
371 unsigned int logflags = 0;
372
373 if (info->type == NF_LOG_TYPE_LOG)
374 logflags = info->u.log.logflags;
375
376 if (!(logflags & IPT_LOG_MACDECODE))
377 goto fallback;
378
379 switch (dev->type) {
380 case ARPHRD_ETHER:
381 printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
382 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
383 ntohs(eth_hdr(skb)->h_proto));
384 return;
385 default:
386 break;
387 }
388
389fallback:
390 printk("MAC=");
391 if (dev->hard_header_len &&
392 skb->mac_header != skb->network_header) {
393 const unsigned char *p = skb_mac_header(skb);
394 unsigned int i;
395
396 printk("%02x", *p++);
397 for (i = 1; i < dev->hard_header_len; i++, p++)
398 printk(":%02x", *p);
399 }
400 printk(" ");
401}
402
366static struct nf_loginfo default_loginfo = { 403static struct nf_loginfo default_loginfo = {
367 .type = NF_LOG_TYPE_LOG, 404 .type = NF_LOG_TYPE_LOG,
368 .u = { 405 .u = {
@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf,
404 } 441 }
405#endif 442#endif
406 443
407 if (in && !out) { 444 /* MAC logging for input path only. */
408 /* MAC logging for input chain only. */ 445 if (in && !out)
409 printk("MAC="); 446 dump_mac_header(loginfo, skb);
410 if (skb->dev && skb->dev->hard_header_len &&
411 skb->mac_header != skb->network_header) {
412 int i;
413 const unsigned char *p = skb_mac_header(skb);
414 for (i = 0; i < skb->dev->hard_header_len; i++,p++)
415 printk("%02x%c", *p,
416 i==skb->dev->hard_header_len - 1
417 ? ' ':':');
418 } else
419 printk(" ");
420 }
421 447
422 dump_packet(loginfo, skb, 0); 448 dump_packet(loginfo, skb, 0);
423 printk("\n"); 449 printk("\n");
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index f43867d1697f..6cdb298f1035 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
48 48
49 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || 49 NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
50 par->hooknum == NF_INET_POST_ROUTING || 50 par->hooknum == NF_INET_POST_ROUTING ||
51 par->hooknum == NF_INET_LOCAL_OUT); 51 par->hooknum == NF_INET_LOCAL_OUT ||
52 par->hooknum == NF_INET_LOCAL_IN);
52 ct = nf_ct_get(skb, &ctinfo); 53 ct = nf_ct_get(skb, &ctinfo);
53 54
54 netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip); 55 netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = {
77 .table = "nat", 78 .table = "nat",
78 .hooks = (1 << NF_INET_PRE_ROUTING) | 79 .hooks = (1 << NF_INET_PRE_ROUTING) |
79 (1 << NF_INET_POST_ROUTING) | 80 (1 << NF_INET_POST_ROUTING) |
80 (1 << NF_INET_LOCAL_OUT), 81 (1 << NF_INET_LOCAL_OUT) |
82 (1 << NF_INET_LOCAL_IN),
81 .checkentry = netmap_tg_check, 83 .checkentry = netmap_tg_check,
82 .me = THIS_MODULE 84 .me = THIS_MODULE
83}; 85};
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 98ed78281aee..ebbd319f62f5 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,7 +28,8 @@
28 28
29#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \ 29#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
30 (1 << NF_INET_POST_ROUTING) | \ 30 (1 << NF_INET_POST_ROUTING) | \
31 (1 << NF_INET_LOCAL_OUT)) 31 (1 << NF_INET_LOCAL_OUT) | \
32 (1 << NF_INET_LOCAL_IN))
32 33
33static const struct xt_table nat_table = { 34static const struct xt_table nat_table = {
34 .name = "nat", 35 .name = "nat",
@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
45 enum ip_conntrack_info ctinfo; 46 enum ip_conntrack_info ctinfo;
46 const struct nf_nat_multi_range_compat *mr = par->targinfo; 47 const struct nf_nat_multi_range_compat *mr = par->targinfo;
47 48
48 NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING); 49 NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
50 par->hooknum == NF_INET_LOCAL_IN);
49 51
50 ct = nf_ct_get(skb, &ctinfo); 52 ct = nf_ct_get(skb, &ctinfo);
51 53
@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
99 return 0; 101 return 0;
100} 102}
101 103
102unsigned int 104static unsigned int
103alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) 105alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
104{ 106{
105 /* Force range to this IP; let proto decide mapping for 107 /* Force range to this IP; let proto decide mapping for
@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
141 .target = ipt_snat_target, 143 .target = ipt_snat_target,
142 .targetsize = sizeof(struct nf_nat_multi_range_compat), 144 .targetsize = sizeof(struct nf_nat_multi_range_compat),
143 .table = "nat", 145 .table = "nat",
144 .hooks = 1 << NF_INET_POST_ROUTING, 146 .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
145 .checkentry = ipt_snat_checkentry, 147 .checkentry = ipt_snat_checkentry,
146 .family = AF_INET, 148 .family = AF_INET,
147}; 149};
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 6723c682250d..95481fee8bdb 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum,
131 if (!nf_nat_initialized(ct, maniptype)) { 131 if (!nf_nat_initialized(ct, maniptype)) {
132 unsigned int ret; 132 unsigned int ret;
133 133
134 if (hooknum == NF_INET_LOCAL_IN) 134 ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
135 /* LOCAL_IN hook doesn't have a chain! */
136 ret = alloc_null_binding(ct, hooknum);
137 else
138 ret = nf_nat_rule_find(skb, hooknum, in, out,
139 ct);
140
141 if (ret != NF_ACCEPT) 135 if (ret != NF_ACCEPT)
142 return ret; 136 return ret;
143 } else 137 } else
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index af4ee11f2066..0a07ae7b933f 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -373,6 +373,56 @@ static void dump_packet(const struct nf_loginfo *info,
373 printk("MARK=0x%x ", skb->mark); 373 printk("MARK=0x%x ", skb->mark);
374} 374}
375 375
376static void dump_mac_header(const struct nf_loginfo *info,
377 const struct sk_buff *skb)
378{
379 struct net_device *dev = skb->dev;
380 unsigned int logflags = 0;
381
382 if (info->type == NF_LOG_TYPE_LOG)
383 logflags = info->u.log.logflags;
384
385 if (!(logflags & IP6T_LOG_MACDECODE))
386 goto fallback;
387
388 switch (dev->type) {
389 case ARPHRD_ETHER:
390 printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
391 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
392 ntohs(eth_hdr(skb)->h_proto));
393 return;
394 default:
395 break;
396 }
397
398fallback:
399 printk("MAC=");
400 if (dev->hard_header_len &&
401 skb->mac_header != skb->network_header) {
402 const unsigned char *p = skb_mac_header(skb);
403 unsigned int len = dev->hard_header_len;
404 unsigned int i;
405
406 if (dev->type == ARPHRD_SIT &&
407 (p -= ETH_HLEN) < skb->head)
408 p = NULL;
409
410 if (p != NULL) {
411 printk("%02x", *p++);
412 for (i = 1; i < len; i++)
413 printk(":%02x", p[i]);
414 }
415 printk(" ");
416
417 if (dev->type == ARPHRD_SIT) {
418 const struct iphdr *iph =
419 (struct iphdr *)skb_mac_header(skb);
420 printk("TUNNEL=%pI4->%pI4 ", &iph->saddr, &iph->daddr);
421 }
422 } else
423 printk(" ");
424}
425
376static struct nf_loginfo default_loginfo = { 426static struct nf_loginfo default_loginfo = {
377 .type = NF_LOG_TYPE_LOG, 427 .type = NF_LOG_TYPE_LOG,
378 .u = { 428 .u = {
@@ -400,35 +450,10 @@ ip6t_log_packet(u_int8_t pf,
400 prefix, 450 prefix,
401 in ? in->name : "", 451 in ? in->name : "",
402 out ? out->name : ""); 452 out ? out->name : "");
403 if (in && !out) {
404 unsigned int len;
405 /* MAC logging for input chain only. */
406 printk("MAC=");
407 if (skb->dev && (len = skb->dev->hard_header_len) &&
408 skb->mac_header != skb->network_header) {
409 const unsigned char *p = skb_mac_header(skb);
410 int i;
411
412 if (skb->dev->type == ARPHRD_SIT &&
413 (p -= ETH_HLEN) < skb->head)
414 p = NULL;
415
416 if (p != NULL) {
417 for (i = 0; i < len; i++)
418 printk("%02x%s", p[i],
419 i == len - 1 ? "" : ":");
420 }
421 printk(" ");
422 453
423 if (skb->dev->type == ARPHRD_SIT) { 454 /* MAC logging for input path only. */
424 const struct iphdr *iph = 455 if (in && !out)
425 (struct iphdr *)skb_mac_header(skb); 456 dump_mac_header(loginfo, skb);
426 printk("TUNNEL=%pI4->%pI4 ",
427 &iph->saddr, &iph->daddr);
428 }
429 } else
430 printk(" ");
431 }
432 457
433 dump_packet(loginfo, skb, skb_network_offset(skb), 1); 458 dump_packet(loginfo, skb, skb_network_offset(skb), 1);
434 printk("\n"); 459 printk("\n");
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 413ed24a968a..aa2f106347e4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -40,27 +40,6 @@ config NF_CONNTRACK
40 40
41if NF_CONNTRACK 41if NF_CONNTRACK
42 42
43config NF_CT_ACCT
44 bool "Connection tracking flow accounting"
45 depends on NETFILTER_ADVANCED
46 help
47 If this option is enabled, the connection tracking code will
48 keep per-flow packet and byte counters.
49
50 Those counters can be used for flow-based accounting or the
51 `connbytes' match.
52
53 Please note that currently this option only sets a default state.
54 You may change it at boot time with nf_conntrack.acct=0/1 kernel
55 parameter or by loading the nf_conntrack module with acct=0/1.
56
57 You may also disable/enable it on a running system with:
58 sysctl net.netfilter.nf_conntrack_acct=0/1
59
60 This option will be removed in 2.6.29.
61
62 If unsure, say `N'.
63
64config NF_CONNTRACK_MARK 43config NF_CONNTRACK_MARK
65 bool 'Connection mark tracking support' 44 bool 'Connection mark tracking support'
66 depends on NETFILTER_ADVANCED 45 depends on NETFILTER_ADVANCED
@@ -515,7 +494,7 @@ config NETFILTER_XT_TARGET_RATEEST
515 To compile it as a module, choose M here. If unsure, say N. 494 To compile it as a module, choose M here. If unsure, say N.
516 495
517config NETFILTER_XT_TARGET_TEE 496config NETFILTER_XT_TARGET_TEE
518 tristate '"TEE" - packet cloning to alternate destiantion' 497 tristate '"TEE" - packet cloning to alternate destination'
519 depends on NETFILTER_ADVANCED 498 depends on NETFILTER_ADVANCED
520 depends on (IPV6 || IPV6=n) 499 depends on (IPV6 || IPV6=n)
521 depends on !NF_CONNTRACK || NF_CONNTRACK 500 depends on !NF_CONNTRACK || NF_CONNTRACK
@@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES
630 tristate '"connbytes" per-connection counter match support' 609 tristate '"connbytes" per-connection counter match support'
631 depends on NF_CONNTRACK 610 depends on NF_CONNTRACK
632 depends on NETFILTER_ADVANCED 611 depends on NETFILTER_ADVANCED
633 select NF_CT_ACCT
634 help 612 help
635 This option adds a `connbytes' match, which allows you to match the 613 This option adds a `connbytes' match, which allows you to match the
636 number of bytes and/or packets for each direction within a connection. 614 number of bytes and/or packets for each direction within a connection.
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index ff04e9edbed6..654544e72264 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -158,6 +158,9 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
158 unsigned hash; 158 unsigned hash;
159 int ret; 159 int ret;
160 160
161 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
162 return 0;
163
161 /* Hash by protocol, client address and port */ 164 /* Hash by protocol, client address and port */
162 hash = ip_vs_conn_hashkey(cp->af, cp->protocol, &cp->caddr, cp->cport); 165 hash = ip_vs_conn_hashkey(cp->af, cp->protocol, &cp->caddr, cp->cport);
163 166
@@ -359,8 +362,9 @@ struct ip_vs_conn *ip_vs_conn_out_get
359 */ 362 */
360void ip_vs_conn_put(struct ip_vs_conn *cp) 363void ip_vs_conn_put(struct ip_vs_conn *cp)
361{ 364{
362 /* reset it expire in its timeout */ 365 unsigned long t = (cp->flags & IP_VS_CONN_F_ONE_PACKET) ?
363 mod_timer(&cp->timer, jiffies+cp->timeout); 366 0 : cp->timeout;
367 mod_timer(&cp->timer, jiffies+t);
364 368
365 __ip_vs_conn_put(cp); 369 __ip_vs_conn_put(cp);
366} 370}
@@ -653,7 +657,7 @@ static void ip_vs_conn_expire(unsigned long data)
653 /* 657 /*
654 * unhash it if it is hashed in the conn table 658 * unhash it if it is hashed in the conn table
655 */ 659 */
656 if (!ip_vs_conn_unhash(cp)) 660 if (!ip_vs_conn_unhash(cp) && !(cp->flags & IP_VS_CONN_F_ONE_PACKET))
657 goto expire_later; 661 goto expire_later;
658 662
659 /* 663 /*
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 1cd6e3fd058b..50907d8472a3 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -194,6 +194,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
194 struct ip_vs_dest *dest; 194 struct ip_vs_dest *dest;
195 struct ip_vs_conn *ct; 195 struct ip_vs_conn *ct;
196 __be16 dport; /* destination port to forward */ 196 __be16 dport; /* destination port to forward */
197 __be16 flags;
197 union nf_inet_addr snet; /* source network of the client, 198 union nf_inet_addr snet; /* source network of the client,
198 after masking */ 199 after masking */
199 200
@@ -340,6 +341,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
340 dport = ports[1]; 341 dport = ports[1];
341 } 342 }
342 343
344 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
345 && iph.protocol == IPPROTO_UDP)?
346 IP_VS_CONN_F_ONE_PACKET : 0;
347
343 /* 348 /*
344 * Create a new connection according to the template 349 * Create a new connection according to the template
345 */ 350 */
@@ -347,7 +352,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
347 &iph.saddr, ports[0], 352 &iph.saddr, ports[0],
348 &iph.daddr, ports[1], 353 &iph.daddr, ports[1],
349 &dest->addr, dport, 354 &dest->addr, dport,
350 0, 355 flags,
351 dest); 356 dest);
352 if (cp == NULL) { 357 if (cp == NULL) {
353 ip_vs_conn_put(ct); 358 ip_vs_conn_put(ct);
@@ -377,7 +382,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
377 struct ip_vs_conn *cp = NULL; 382 struct ip_vs_conn *cp = NULL;
378 struct ip_vs_iphdr iph; 383 struct ip_vs_iphdr iph;
379 struct ip_vs_dest *dest; 384 struct ip_vs_dest *dest;
380 __be16 _ports[2], *pptr; 385 __be16 _ports[2], *pptr, flags;
381 386
382 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph); 387 ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
383 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports); 388 pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
@@ -407,6 +412,10 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
407 return NULL; 412 return NULL;
408 } 413 }
409 414
415 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
416 && iph.protocol == IPPROTO_UDP)?
417 IP_VS_CONN_F_ONE_PACKET : 0;
418
410 /* 419 /*
411 * Create a connection entry. 420 * Create a connection entry.
412 */ 421 */
@@ -414,7 +423,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
414 &iph.saddr, pptr[0], 423 &iph.saddr, pptr[0],
415 &iph.daddr, pptr[1], 424 &iph.daddr, pptr[1],
416 &dest->addr, dest->port ? dest->port : pptr[1], 425 &dest->addr, dest->port ? dest->port : pptr[1],
417 0, 426 flags,
418 dest); 427 dest);
419 if (cp == NULL) 428 if (cp == NULL)
420 return NULL; 429 return NULL;
@@ -464,6 +473,9 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
464 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) { 473 if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
465 int ret, cs; 474 int ret, cs;
466 struct ip_vs_conn *cp; 475 struct ip_vs_conn *cp;
476 __u16 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
477 iph.protocol == IPPROTO_UDP)?
478 IP_VS_CONN_F_ONE_PACKET : 0;
467 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } }; 479 union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
468 480
469 ip_vs_service_put(svc); 481 ip_vs_service_put(svc);
@@ -474,7 +486,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
474 &iph.saddr, pptr[0], 486 &iph.saddr, pptr[0],
475 &iph.daddr, pptr[1], 487 &iph.daddr, pptr[1],
476 &daddr, 0, 488 &daddr, 0,
477 IP_VS_CONN_F_BYPASS, 489 IP_VS_CONN_F_BYPASS | flags,
478 NULL); 490 NULL);
479 if (cp == NULL) 491 if (cp == NULL)
480 return NF_DROP; 492 return NF_DROP;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 36dc1d88c2fa..0f0c079c422a 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1864,14 +1864,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
1864 svc->scheduler->name); 1864 svc->scheduler->name);
1865 else 1865 else
1866#endif 1866#endif
1867 seq_printf(seq, "%s %08X:%04X %s ", 1867 seq_printf(seq, "%s %08X:%04X %s %s ",
1868 ip_vs_proto_name(svc->protocol), 1868 ip_vs_proto_name(svc->protocol),
1869 ntohl(svc->addr.ip), 1869 ntohl(svc->addr.ip),
1870 ntohs(svc->port), 1870 ntohs(svc->port),
1871 svc->scheduler->name); 1871 svc->scheduler->name,
1872 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
1872 } else { 1873 } else {
1873 seq_printf(seq, "FWM %08X %s ", 1874 seq_printf(seq, "FWM %08X %s %s",
1874 svc->fwmark, svc->scheduler->name); 1875 svc->fwmark, svc->scheduler->name,
1876 (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
1875 } 1877 }
1876 1878
1877 if (svc->flags & IP_VS_SVC_F_PERSISTENT) 1879 if (svc->flags & IP_VS_SVC_F_PERSISTENT)
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index ab81b380eae6..5178c691ecbf 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -17,13 +17,7 @@
17#include <net/netfilter/nf_conntrack_extend.h> 17#include <net/netfilter/nf_conntrack_extend.h>
18#include <net/netfilter/nf_conntrack_acct.h> 18#include <net/netfilter/nf_conntrack_acct.h>
19 19
20#ifdef CONFIG_NF_CT_ACCT 20static int nf_ct_acct __read_mostly;
21#define NF_CT_ACCT_DEFAULT 1
22#else
23#define NF_CT_ACCT_DEFAULT 0
24#endif
25
26static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
27 21
28module_param_named(acct, nf_ct_acct, bool, 0644); 22module_param_named(acct, nf_ct_acct, bool, 0644);
29MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting."); 23MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net)
114 net->ct.sysctl_acct = nf_ct_acct; 108 net->ct.sysctl_acct = nf_ct_acct;
115 109
116 if (net_eq(net, &init_net)) { 110 if (net_eq(net, &init_net)) {
117#ifdef CONFIG_NF_CT_ACCT
118 printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use\n");
119 printk(KERN_WARNING "nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or\n");
120 printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
121#endif
122
123 ret = nf_ct_extend_register(&acct_extend); 111 ret = nf_ct_extend_register(&acct_extend);
124 if (ret < 0) { 112 if (ret < 0) {
125 printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); 113 printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index e11090a0675c..be1f22e13545 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -36,6 +36,7 @@
36#include <linux/netfilter.h> 36#include <linux/netfilter.h>
37#include <linux/netfilter/x_tables.h> 37#include <linux/netfilter/x_tables.h>
38#include <linux/netfilter/xt_IDLETIMER.h> 38#include <linux/netfilter/xt_IDLETIMER.h>
39#include <linux/kdev_t.h>
39#include <linux/kobject.h> 40#include <linux/kobject.h>
40#include <linux/workqueue.h> 41#include <linux/workqueue.h>
41#include <linux/sysfs.h> 42#include <linux/sysfs.h>
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 73517835303d..5b138506690e 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
112 if (ret < 0) 112 if (ret < 0)
113 pr_info("cannot load conntrack support for proto=%u\n", 113 pr_info("cannot load conntrack support for proto=%u\n",
114 par->family); 114 par->family);
115
116 /*
117 * This filter cannot function correctly unless connection tracking
118 * accounting is enabled, so complain in the hope that someone notices.
119 */
120 if (!nf_ct_acct_enabled(par->net)) {
121 pr_warning("Forcing CT accounting to be enabled\n");
122 nf_ct_set_acct(par->net, true);
123 }
124
115 return ret; 125 return ret;
116} 126}
117 127
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-21 20:13:43 -0500