aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
Commit message (Collapse)AuthorAge
* [NETFILTER]: nf_conntrack: const annotations in nf_conntrack_sctp, ↵Jan Engelhardt2008-04-14
| | | | | | | nf_nat_proto_gre Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: use bool type in nf_nat_protoJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l4protoJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: use bool type in struct nf_conntrack_l3protoJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack: add tuplehash l3num/protonum accessorsPatrick McHardy2008-04-14
| | | | | | | Add accessors for l3num and protonum and get rid of some overly long expressions. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: kill helper and seq_adjust hooksPatrick McHardy2008-04-14
| | | | | | | | | | | | | | | Connection tracking helpers (specifically FTP) need to be called before NAT sequence numbers adjustments are performed to be able to compare them against previously seen ones. We've introduced two new hooks around 2.6.11 to maintain this ordering when NAT modules were changed to get called from conntrack helpers directly. The cost of netfilter hooks is quite high and sequence number adjustments are only rarely needed however. Add a RCU-protected sequence number adjustment function pointer and call it from IPv4 conntrack after calling the helper. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: don't add NAT extension for confirmed conntracksPatrick McHardy2008-04-14
| | | | | | | | | | | | | | | Adding extensions to confirmed conntracks is not allowed to avoid races on reallocation. Don't setup NAT for confirmed conntracks in case NAT module is loaded late. The has one side-effect, the connections existing before the NAT module was loaded won't enter the bysource hash. The only case where this actually makes a difference is in case of SNAT to a multirange where the IP before NAT is also part of the range. Since old connections don't enter the bysource hash the first new connection from the IP will have a new address selected. This shouldn't matter at all. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: remove obsolete check for ICMP redirectsPatrick McHardy2008-04-14
| | | | | | | | | Locally generated ICMP packets have a reference to the conntrack entry of the original packet manually attached by icmp_send(). Therefore the check for locally originated untracked ICMP redirects can never be true. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: add SCTP protocol supportPatrick McHardy2008-04-14
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: add DCCP protocol supportPatrick McHardy2008-04-14
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: Add partial checksum validation helperPatrick McHardy2008-04-14
| | | | | | | | | | Move the UDP-Lite conntrack checksum validation to a generic helper similar to nf_checksum() and make it fall back to nf_checksum() in case the full packet is to be checksummed and hardware checksums are available. This is to be used by DCCP conntrack, which also needs to verify partial checksums. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: add UDP-Lite supportPatrick McHardy2008-04-14
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: remove unused name from struct nf_nat_protocolPatrick McHardy2008-04-14
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_conntrack_netlink: clean up NAT protocol parsingPatrick McHardy2008-04-14
| | | | | | | | Move responsibility for setting the IP_NAT_RANGE_PROTO_SPECIFIED flag to the NAT protocol, properly propagate errors and get rid of ugly return value convention. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: move NAT ctnetlink helpers to nf_nat_proto_commonPatrick McHardy2008-04-14
| | | | | | | Move to nf_nat_proto_common and rename to nf_nat_proto_... since they're also used by protocols that don't have port numbers. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: fix random mode not to overwrite port roverPatrick McHardy2008-04-14
| | | | | | | The port rover should not get overwritten when using random mode, otherwise other rules will also use more or less random ports. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nf_nat: add helpers for common NAT protocol operationsPatrick McHardy2008-04-14
| | | | | | | | | | | | | | | | | | | | | | | | Add generic ->in_range and ->unique_tuple ops to avoid duplicating them again and again for future NAT modules and save a few bytes of text: net/ipv4/netfilter/nf_nat_proto_tcp.c: tcp_in_range | -62 (removed) tcp_unique_tuple | -259 # 271 -> 12, # inlines: 1 -> 0, size inlines: 7 -> 0 2 functions changed, 321 bytes removed net/ipv4/netfilter/nf_nat_proto_udp.c: udp_in_range | -62 (removed) udp_unique_tuple | -259 # 271 -> 12, # inlines: 1 -> 0, size inlines: 7 -> 0 2 functions changed, 321 bytes removed net/ipv4/netfilter/nf_nat_proto_gre.c: gre_in_range | -62 (removed) 1 function changed, 62 bytes removed vmlinux: 5 functions changed, 704 bytes removed Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: {ip,ip6,arp}_tables: return EAGAIN for invalid SO_GET_ENTRIES sizePatrick McHardy2008-04-14
| | | | | | | | | | | | | | | | | Rule dumping is performed in two steps: first userspace gets the ruleset size using getsockopt(SO_GET_INFO) and allocates memory, then it calls getsockopt(SO_GET_ENTRIES) to actually dump the ruleset. When another process changes the ruleset in between the sizes from the first getsockopt call doesn't match anymore and the kernel aborts. Unfortunately it returns EAGAIN, as for multiple other possible errors, so userspace can't distinguish this case from real errors. Return EAGAIN so userspace can retry the operation. Fixes (with current iptables SVN version) netfilter bugzilla #104. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: Explicitly initialize .priority in arptable_filterJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: remove arpt_(un)register_target indirection macrosJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: remove arpt_target indirection macroJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: remove arpt_table indirection macroJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: annotate rest of nf_nat_* with constJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: annotate {arp,ip,ip6,x}tables with constJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: annotate xtables targets with const and remove castsJan Engelhardt2008-04-14
| | | | | Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: Use non-deprecated __RW_LOCK_UNLOCKED macroRobert P. J. Day2008-04-14
| | | | | Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ip_tables: per-netns FILTER/MANGLE/RAW tables for realAlexey Dobriyan2008-04-14
| | | | | | | | | | | | | | | | | | | | | Commit 9335f047fe61587ec82ff12fbb1220bcfdd32006 aka "[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW" added per-netns _view_ of iptables rules. They were shown to user, but ignored by filtering code. Now that it's possible to at least ping loopback, per-netns tables can affect filtering decisions. netns is taken in case of PRE_ROUTING, LOCAL_IN -- from in device, POST_ROUTING, LOCAL_OUT -- from out device, FORWARD -- from in device which should be equal to out device's netns. This code is relatively new, so BUG_ON was plugged. Wrappers were added to a) keep code the same from CONFIG_NET_NS=n users (overwhelming majority), b) consolidate code in one place -- similar changes will be done in ipv6 and arp netfilter code. Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: {ip,ip6}t_LOG: print MARK value in log outputPatrick McHardy2008-04-14
| | | | | | | | Dump the mark value in log messages similar to nfnetlink_log. This is useful for debugging complex setups where marks are used for routing or traffic classification. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [SKB]: __skb_append = __skb_queue_after Gerrit Renker2008-04-14
| | | | | | | | | This expresses __skb_append in terms of __skb_queue_after, exploiting that __skb_append(old, new, list) = __skb_queue_after(list, old, new). Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Remove owner from tcp_seq_afinfo.Denis V. Lunev2008-04-14
| | | | | | | Move it to tcp_seq_afinfo->seq_fops as should be. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Place file operations directly into tcp_seq_afinfo.Denis V. Lunev2008-04-14
| | | | | | | No need to have separate never-used variable. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Cleanup /proc/tcp[6] creation/removal.Denis V. Lunev2008-04-14
| | | | | | | | Replace seq_open with seq_open_net and remove tcp_seq_release completely. seq_release_net will do this job just fine. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Move seq_ops from tcp_iter_state to tcp_seq_afinfo.Denis V. Lunev2008-04-14
| | | | | | | No need to create seq_operations for each instance of 'netstat'. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: No need to check afinfo != NULL in tcp_proc_(un)register.Denis V. Lunev2008-04-14
| | | | | | | tcp_proc_register/tcp_proc_unregister are called with a static pointer only. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Replace struct net on tcp_iter_state with seq_net_private.Denis V. Lunev2008-04-14
| | | | | Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [INET]: sk_reuse is valboolGerrit Renker2008-04-14
| | | | | | | | | sk_reuse is declared as "unsigned char", but is set as type valbool in net/core/sock.c. There is no other place in net/ where sk->sk_reuse is set to a value > 1, so the test "sk_reuse > 1" can not be true. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* IPV4: use xor rather than multiple ands for route compareStephen Hemminger2008-04-10
| | | | | | | | | | | The comparison in ip_route_input is a hot path, by recoding the C "and" as bit operations, fewer conditional branches get generated so the code should be faster. Maybe someday Gcc will be smart enough to do this? Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Acked-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv4: fib_trie leaf free optimizationStephen Hemminger2008-04-10
| | | | | | | | | Avoid unneeded test in the case where object to be freed has to be a leaf. Don't need to use the generic tnode_free() function, instead just setup leaf to be freed. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv4: fib_trie remove unused argumentStephen Hemminger2008-04-10
| | | | | | | | The trie pointer is passed down to flush_list and flush_leaf but never used. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [Syncookies]: Add support for TCP options via timestamps.Florian Westphal2008-04-10
| | | | | | | | | | | | | | | | | | | | | | | | | Allow the use of SACK and window scaling when syncookies are used and the client supports tcp timestamps. Options are encoded into the timestamp sent in the syn-ack and restored from the timestamp echo when the ack is received. Based on earlier work by Glenn Griffin. This patch avoids increasing the size of structs by encoding TCP options into the least significant bits of the timestamp and by not using any 'timestamp offset'. The downside is that the timestamp sent in the packet after the synack will increase by several seconds. changes since v1: don't duplicate timestamp echo decoding function, put it into ipv4/syncookie.c and have ipv6/syncookies.c use it. Feedback from Glenn Griffin: fix line indented with spaces, kill redundant if () Reviewed-by: Hagen Paul Pfeifer <hagen@jauu.net> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* IPV4: fib_trie use vmalloc for large tnodesStephen Hemminger2008-04-10
| | | | | | | | | | | | | | | Use vmalloc rather than alloc_pages to avoid wasting memory. The problem is that tnode structure has a power of 2 sized array, plus a header. So the current code wastes almost half the memory allocated because it always needs the next bigger size to hold that small header. This is similar to an earlier patch by Eric, but instead of a list and lock, I used a workqueue to handle the fact that vfree can't be done in interrupt context. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* IPV4: route rekey timer can be deferrableStephen Hemminger2008-04-10
| | | | | | | No urgency on the rehash interval timer, so mark it as deferrable. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* IPV4: route use jhash3Stephen Hemminger2008-04-10
| | | | | | | | Since route hash is a triple, use jhash_3words rather doing the mixing directly. This should be as fast and give better distribution. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* IPV4: route inline changesStephen Hemminger2008-04-10
| | | | | | | | Don't mark functions that are large as inline, let compiler decide. Also, use inline rather than __inline__. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETNS]: Use TCP control socket from a correct namespace.Denis V. Lunev2008-04-03
| | | | | Signed-off-by: Denis V.Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETNS]: Create tcp control socket in the each namespace.Denis V. Lunev2008-04-03
| | | | | Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [INET]: uc_ttl assignment in inet_ctl_sock_create is redundant.Denis V. Lunev2008-04-03
| | | | | | | | uc_ttl is initialized in inet(6)_create and never changed except setsockopt ioctl. Remove this assignment. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [ICMP]: Simplify ICMP control socket creation.Denis V. Lunev2008-04-03
| | | | | | | | Replace sock_create_kern with inet_ctl_sock_create. Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETNS]: Inet control socket should not hold a namespace.Denis V. Lunev2008-04-03
| | | | | | | | | | This is a generic requirement, so make inet_ctl_sock_create namespace aware and create a inet_ctl_sock_destroy wrapper around sk_release_kernel. Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [INET]: Let inet_ctl_sock_create return sock rather than socket.Denis V. Lunev2008-04-03
| | | | | | | | All upper protocol layers are already use sock internally. Signed-off-by: Denis V. Lunev <den@openvz.org> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>