aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* NetLabel: convert to an extensibile/sparse category bitmapPaul Moore2006-12-03
| | | | | | | | | | | | | | | | The original NetLabel category bitmap was a straight char bitmap which worked fine for the initial release as it only supported 240 bits due to limitations in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that straight char bitmap into an extensibile/sparse bitmap in order to lay the foundation for other CIPSO tag types and protocols. This patch also has a nice side effect in that all of the security attributes passed by NetLabel into the LSM are now in a format which is in the host's native byte/bit ordering which makes the LSM specific code much simpler; look at the changes in security/selinux/ss/ebitmap.c as an example. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [NETFILTER]: remove the reference to ipchains from KconfigPablo Neira Ayuso2006-12-03
| | | | | | | It is time to move on :-) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: Fix PROC_FS=n warningsPatrick McHardy2006-12-03
| | | | | | Fix some unused function/variable warnings. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: remove remaining ASSERT_{READ,WRITE}_LOCKPatrick McHardy2006-12-03
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ebtables: add --snap-arp optionBart De Schuymer2006-12-03
| | | | | | | | | The attached patch adds --snat-arp support, which makes it possible to change the source mac address in both the mac header and the arp header with one rule. Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: x_tables: add NFLOG targetPatrick McHardy2006-12-03
| | | | | | | | | | | Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6Patrick McHardy2006-12-03
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nfnetlink_log: remove useless prefix length limitationPatrick McHardy2006-12-03
| | | | | | There is no reason for limiting netlink attributes in size. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nfnetlink_queue: allow changing queue length through netlinkEric Leblond2006-12-03
| | | | | Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ctnetlink: rework conntrack fields dumping logic on eventsPablo Neira Ayuso2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | NEW | UPDATE | DESTROY | ----------------------------------------| tuples | Y | Y | Y | status | Y | Y | N | timeout | Y | Y | N | protoinfo | S | S | N | helper | S | S | N | mark | S | S | N | counters | F | F | Y | Leyend: Y: yes N: no S: iif the field is set F: iif overflow This patch also replace IPCT_HELPINFO by IPCT_HELPER since we want to track the helper assignation process, not the changes in the private information held by the helper. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ctnetlink: check for status attribute existence on conntrack ↵Pablo Neira Ayuso2006-12-03
| | | | | | | | | | creation Check that status flags are available in the netlink message received to create a new conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: better NAT handlingPatrick McHardy2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: make header shortcuts optionalPatrick McHardy2006-12-03
| | | | | | | Not every header has a shortcut, so make them optional instead of searching for the same string twice. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: do case insensitive SIP header searchPatrick McHardy2006-12-03
| | | | | | | SIP headers are generally case-insensitive, only SDP headers are case sensitive. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: minor cleanupPatrick McHardy2006-12-03
| | | | | | | | | | - Use enum for header field enumeration - Use numerical value instead of pointer to header info structure to identify headers, unexport ct_sip_hdrs - group SIP and SDP entries in header info structure - remove double forward declaration of ct_sip_get_info Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ip_conntrack: fix NAT helper unload racesPatrick McHardy2006-12-03
| | | | | | | | | | | | The NAT helpr hooks are protected by RCU, but all of the conntrack helpers test and use the global pointers instead of copying them first using rcu_dereference() Also replace synchronize_net() by synchronize_rcu() for clarity since sychronizing only with packet receive processing is insufficient to prevent races. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: conntrack: add '_get' to {ip, nf}_conntrack_expect_findYasuyuki Kozakai2006-12-03
| | | | | | | | We usually uses 'xxx_find_get' for function which increments reference count. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: /proc compatibility with old connection trackingPatrick McHardy2006-12-03
| | | | | | | | | | This patch adds /proc/net/ip_conntrack, /proc/net/ip_conntrack_expect and /proc/net/stat/ip_conntrack files to keep old programs using them working. The /proc/net/ip_conntrack and /proc/net/ip_conntrack_expect files show only IPv4 entries, the /proc/net/stat/ip_conntrack shows global statistics. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: sysctl compatibility with old connection trackingPatrick McHardy2006-12-03
| | | | | | | This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: move conntrack protocol sysctls to individual modulesPatrick McHardy2006-12-03
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: automatic sysctl registation for conntrack protocolsPatrick McHardy2006-12-03
| | | | | | | | Add helper functions for sysctl registration with optional instantiating of common path elements (like net/netfilter) and use it for support for automatic registation of conntrack protocol sysctls. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: move extern declaration to header filesPatrick McHardy2006-12-03
| | | | | | | Using extern in a C file is a bad idea because the compiler can't catch type errors. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack_ftp: fix missing helper mask initilizationPatrick McHardy2006-12-03
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: reduce timer updates in __nf_ct_refresh_acct()Martin Josefsson2006-12-03
| | | | | | | | | | | | Only update the conntrack timer if there's been at least HZ jiffies since the last update. Reduces the number of del_timer/add_timer cycles from one per packet to one per connection per second (plus once for each state change of a connection) Should handle timer wraparounds and connection timeout changes. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: remove unused struct list_head from protocolsMartin Josefsson2006-12-03
| | | | | | | | | Remove unused struct list_head from struct nf_conntrack_l3proto and nf_conntrack_l4proto as all protocols are kept in arrays, not linked lists. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: minor __nf_ct_refresh_acct() whitespace cleanupMartin Josefsson2006-12-03
| | | | | | | Minor whitespace cleanup. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: remove ASSERT_{READ,WRITE}_LOCKMartin Josefsson2006-12-03
| | | | | | | | Remove the usage of ASSERT_READ_LOCK/ASSERT_WRITE_LOCK in nf_conntrack, it didn't do anything, it was just an empty define and it uglified the code. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: more sanity checks in protocol ↵Martin Josefsson2006-12-03
| | | | | | | | | registration/unregistration Add some more sanity checks when registering/unregistering l3/l4 protocols. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: rename struct nf_conntrack_protocolMartin Josefsson2006-12-03
| | | | | | | | | Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets rather confusing with 'nf_conntrack_protocol'. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: More __read_mostly annotationsMartin Josefsson2006-12-03
| | | | | | | | Place rarely written variables in the read-mostly section by using __read_mostly Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: split out protocol handlingMartin Josefsson2006-12-03
| | | | | | | | This patch splits out L3/L4 protocol handling into its own file nf_conntrack_proto.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: split out the event cacheMartin Josefsson2006-12-03
| | | | | | | | This patch splits out the event cache into its own file nf_conntrack_ecache.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: split out helper handlingMartin Josefsson2006-12-03
| | | | | | | | This patch splits out handling of helpers into its own file nf_conntrack_helper.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: split out expectation handlingMartin Josefsson2006-12-03
| | | | | | | | This patch splits out expectation handling into its own file nf_conntrack_expect.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [TCP] Vegas: Increase default alpha to 2 and beta to 4.David S. Miller2006-12-03
| | | | | | | | | This helps Vegas cope better with delayed ACKs, see analysis at: http://www.cs.caltech.edu/%7Eweixl/technical/ns2linux/known_linux/index.html#vegas Signed-off-by: David S. Miller <davem@davemloft.net>
* [DCCP]: Use `unsigned' for packet lengthsGerrit Renker2006-12-03
| | | | | | | | | | | | | | | | | | | | | | This patch implements a suggestion by Ian McDonald and 1) Avoids tests against negative packet lengths by using unsigned int for packet payload lengths in the CCID send_packet()/packet_sent() routines 2) As a consequence, it removes an now unnecessary test with regard to `len > 0' in ccid3_hc_tx_packet_sent: that condition is always true, since * negative packet lengths are avoided * ccid3_hc_tx_send_packet flags an error whenever the payload length is 0. As a consequence, ccid3_hc_tx_packet_sent is never called as all errors returned by ccid_hc_tx_send_packet are caught in dccp_write_xmit 3) Removes the third argument of ccid_hc_tx_send_packet (the `len' parameter), since it is currently always set to skb->len. The code is updated with regard to this parameter change. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP] ccid3: Larger initial windowsGerrit Renker2006-12-03
| | | | | | | | | | | | | | | | | | | | | | This implements the larger-initial-windows feature for CCID 3, as described in section 5 of RFC 4342. When the first feedback packet arrives, the sender can send up to 2..4 packets per RTT, instead of just one. The patch further * reduces the number of timestamping calls by passing the timestamp value (which is computed in one of the calling functions anyway) as argument * renames one constant with a very long name into one which is shorter and resembles the one in RFC 3448 (t_mbi) * simplifies some of the min_t/max_t cases where both `x', `y' have the same type Commiter note: renamed TFRC_t_mbi to TFRC_T_MBI, to follow Linux coding style. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP]: Make {set,get}sockopt(DCCP_SOCKOPT_PACKET_SIZE) return 0Arnaldo Carvalho de Melo2006-12-03
| | | | | | | To reflect the fact that this now is of no effect, not making apps stop working, just be warned in the system log. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP]: Tidy up unused structuresGerrit Renker2006-12-03
| | | | | | | | | | | | | This removes and cleans up unused variables and structures which have become unnecessary following the introduction of the EWMA patch to automatically track the CCID 3 receiver/sender packet sizes `s'. It deprecates the PACKET_SIZE socket option by returning an error code and printing a deprecation warning if an application tries to read or write this socket option. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP] ccid3: Track RX/TX packet size `s' using moving-averageGerrit Renker2006-12-03
| | | | Problem:
* [DCCP] ccid3: Set NoFeedback Timeout according to RFC 3448Gerrit Renker2006-12-03
| | | | | | | | | | | This corrects the setting of the nofeedback timer with regard to RFC 3448 - previously it was not set to max(4*R, 2*s/X) as specified. Using the maximum of 1 second as upper bound (as it was done before) can have detrimental effects, especially if R is small. Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP]: Remove allocation of sysctl numbersGerrit Renker2006-12-03
| | | | | | | | | | | | | | | This is in response to a request sent earlier by Eric W. Biederman and replaces all sysctl numbers for net.dccp.default with CTL_UNNUMBERED. It has been tested to compile and to work. Commiter note: I've removed the use of CTL_UNNUMBERED, not setting .ctl_name sets it to 0, that is the what CTL_UNNUMBERED is, reason is to avoid unneeded source code cluttering. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [INET]: Change protocol field in struct inet_protosw to u16Arnaldo Carvalho de Melo2006-12-03
| | | | | | | | | | | | | | | | | | | | | | [acme@newtoy net-2.6.20]$ pahole /tmp/tcp_ipv6.o inet_protosw /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/protocol.h:69 */ struct inet_protosw { struct list_head list; /* 0 8 */ short unsigned int type; /* 8 2 */ /* XXX 2 bytes hole, try to pack */ int protocol; /* 12 4 */ struct proto * prot; /* 16 4 */ const struct proto_ops * ops; /* 20 4 */ int capability; /* 24 4 */ char no_check; /* 28 1 */ unsigned char flags; /* 29 1 */ }; /* size: 32, sum members: 28, holes: 1, sum holes: 2, padding: 2 */ So that we can kill that hole, protocol can only go all the way to 255 (RAW). Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [TCP]: Renove the __ prefix on the struct tcp_sock membersArnaldo Carvalho de Melo2006-12-03
| | | | | | As this struct is not userland visible at all. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [TCP]: Change tcp_header_len member in tcp_sock to u16Arnaldo Carvalho de Melo2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | | With this we eliminate the last hole in struct tcp_sock. End result: [acme@newtoy net-2.6.20]$ codiff -sV /tmp/tcp.o.before net/ipv4/tcp.o /pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c: struct tcp_sock | -4 tcp_header_len; from: int /* 1000(0) 4(0) */ to: u16 /* 1000(0) 2(0) */ 1 struct changed [acme@newtoy net-2.6.20]$ Now sizeof(tcp_sock) is just... [acme@newtoy net-2.6.20]$ pahole --sizes ../OUTPUT/qemu/net-2.6.20/net/ipv4/tcp.o | grep -w tcp_sock struct tcp_sock: 1500 0 1500 bytes ;-) Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP] ccid3: Consolidate handling of t_RTOGerrit Renker2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch * removes setting t_RTO in ccid3_hc_tx_init (per [RFC 3448, 4.2], t_RTO is undefined until feedback has been received); * makes some trivial changes (updates of comments); * performs a small optimisation by exploiting that the feedback timeout uses the value of t_ipi. The way it is done is safe, because the timeouts appear after the changes to t_ipi, ensuring that up-to-date values are used; * in ccid3_hc_tx_packet_recv, moves the t_rto statement closer to the calculation of the next_tmout. This makes the code clearer to read and is also safe, since t_rto is not updated until the next call of ccid3_hc_tx_packet_recv, and is not read by the functions called via ccid_wait_for_ccid(); * removes a `max' statement in sk_reset_timer, this is not needed since the timeout value is always greater than 1E6 microseconds. * adds `XXX'es to highlight that currently the nofeedback timer is set in a non-standard way Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP] ccid3: Consistently update t_nom, t_ipi, t_deltaGerrit Renker2006-12-03
| | | | | | | | | | | | | | | | | | | | | | This patch: * consolidates updating of parameters (t_nom, t_ipi, t_delta) which need to be updated at the same time, since they are inter-dependent * removes two inline functions which are no longer needed as a result of the above consolidation * resolves a FIXME regarding the re-calculation of t_ipi within the nofeedback timer, in the state where no feedback has previously been received * ties updating these parameters to updating the sending rate X, exploiting that all three parameters in turn depend on X; and using a small optimisation which can reduce the number of required instructions: only update the three parameters when X really changes Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [DCCP] ccid3: Consolidate timer resetsGerrit Renker2006-12-03
| | | | | | | | | | | | | | | | | | | | | | | This patch concerns updating the value of the nofeedback timer when no feedback has been received so far. Since in this case the value of R is still undefined according to [RFC 3448, 4.2], we can not perform step (3) of [RFC 3448, 4.3]. A clarification is provided in [RFC 4342, sec. 5], which states that in these cases the nofeedback timer (still) expires "after two seconds". Many thanks to Ian McDonald for pointing this out and providing the clarification. The patch * implements [RFC 4342, sec. 5] with regard to the above case * consolidates handling timer restart by - adding an appropriate jump label and - initialising the timeout value Acked-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [XFRM]: Convert a few __u8 to proper u8Jamal Hadi Salim2006-12-03
| | | | | | | Caught by the EyeBalls(tm) of Thomas Graf Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Make flush notifier prettier when subpolicy usedJamal Hadi Salim2006-12-03
| | | | | | | Might as well make flush notifier prettier when subpolicy used Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>