| Age | Commit message (Collapse) | Author |
|---|
|
Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
targets to optionally call to the nflog API. They lack a few features,
namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
related to nfnetlink_log, while the ULOG target is only available for IPv4.
Remove those hacks and add a clean way to use nfnetlink_log.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
There is no reason for limiting netlink attributes in size.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
The NAT handling of the SIP helper has a few problems:
- Request headers are only mangled in the reply direction, From/To headers
not at all, which can lead to authentication failures with DNAT in case
the authentication domain is the IP address
- Contact headers in responses are only mangled for REGISTER responses
- Headers may be mangled even though they contain addresses not
participating in the connection, like alternative addresses
- Packets are droppen when domain names are used where the helper expects
IP addresses
This patch takes a different approach, instead of fixed rules what field
to mangle to what content, it adds symetric mapping of From/To/Via/Contact
headers, which allows to deal properly with echoed addresses in responses
and foreign addresses not belonging to the connection.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
SIP headers are generally case-insensitive, only SDP headers are
case sensitive.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
- Use enum for header field enumeration
- Use numerical value instead of pointer to header info structure to
identify headers, unexport ct_sip_hdrs
- group SIP and SDP entries in header info structure
- remove double forward declaration of ct_sip_get_info
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
We usually uses 'xxx_find_get' for function which increments
reference count.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
This patch adds /proc/net/ip_conntrack, /proc/net/ip_conntrack_expect and
/proc/net/stat/ip_conntrack files to keep old programs using them working.
The /proc/net/ip_conntrack and /proc/net/ip_conntrack_expect files show only
IPv4 entries, the /proc/net/stat/ip_conntrack shows global statistics.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
This patch adds an option to keep the connection tracking sysctls visible
under their old names.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Add helper functions for sysctl registration with optional instantiating
of common path elements (like net/netfilter) and use it for support for
automatic registation of conntrack protocol sysctls.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Using extern in a C file is a bad idea because the compiler can't
catch type errors.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Remove unused struct list_head from struct nf_conntrack_l3proto and
nf_conntrack_l4proto as all protocols are kept in arrays, not linked
lists.
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
registration/unregistration
Add some more sanity checks when registering/unregistering l3/l4 protocols.
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in
order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets
rather confusing with 'nf_conntrack_protocol'.
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
This patch splits out the event cache into its own file
nf_conntrack_ecache.c
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
This patch splits out handling of helpers into its own file
nf_conntrack_helper.c
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
This patch splits out expectation handling into its own file
nf_conntrack_expect.c
Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
This removes and cleans up unused variables and structures which have become
unnecessary following the introduction of the EWMA patch to automatically track
the CCID 3 receiver/sender packet sizes `s'.
It deprecates the PACKET_SIZE socket option by returning an error code and
printing a deprecation warning if an application tries to read or write this
socket option.
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
This is in response to a request sent earlier by Eric W. Biederman
and replaces all sysctl numbers for net.dccp.default with CTL_UNNUMBERED.
It has been tested to compile and to work.
Commiter note: I've removed the use of CTL_UNNUMBERED, not setting .ctl_name
sets it to 0, that is the what CTL_UNNUMBERED is, reason is
to avoid unneeded source code cluttering.
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
[acme@newtoy net-2.6.20]$ pahole /tmp/tcp_ipv6.o inet_protosw
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/protocol.h:69 */
struct inet_protosw {
struct list_head list; /* 0 8 */
short unsigned int type; /* 8 2 */
/* XXX 2 bytes hole, try to pack */
int protocol; /* 12 4 */
struct proto * prot; /* 16 4 */
const struct proto_ops * ops; /* 20 4 */
int capability; /* 24 4 */
char no_check; /* 28 1 */
unsigned char flags; /* 29 1 */
}; /* size: 32, sum members: 28, holes: 1, sum holes: 2, padding: 2 */
So that we can kill that hole, protocol can only go all the way to 255 (RAW).
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
As this struct is not userland visible at all.
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
With this we eliminate the last hole in struct tcp_sock.
End result:
[acme@newtoy net-2.6.20]$ codiff -sV /tmp/tcp.o.before net/ipv4/tcp.o
/pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c:
struct tcp_sock | -4
tcp_header_len;
from: int /* 1000(0) 4(0) */
to: u16 /* 1000(0) 2(0) */
1 struct changed
[acme@newtoy net-2.6.20]$
Now sizeof(tcp_sock) is just...
[acme@newtoy net-2.6.20]$ pahole --sizes ../OUTPUT/qemu/net-2.6.20/net/ipv4/tcp.o | grep -w tcp_sock
struct tcp_sock: 1500 0
1500 bytes ;-)
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
[acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o xfrm_policy
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */
struct xfrm_policy {
struct xfrm_policy * next; /* 0 4 */
struct hlist_node bydst; /* 4 8 */
struct hlist_node byidx; /* 12 8 */
rwlock_t lock; /* 20 36 */
atomic_t refcnt; /* 56 4 */
struct timer_list timer; /* 60 24 */
u8 type; /* 84 1 */
/* XXX 3 bytes hole, try to pack */
u32 priority; /* 88 4 */
u32 index; /* 92 4 */
struct xfrm_selector selector; /* 96 56 */
struct xfrm_lifetime_cfg lft; /* 152 64 */
struct xfrm_lifetime_cur curlft; /* 216 32 */
struct dst_entry * bundles; /* 248 4 */
__u16 family; /* 252 2 */
__u8 action; /* 254 1 */
__u8 flags; /* 255 1 */
__u8 dead; /* 256 1 */
__u8 xfrm_nr; /* 257 1 */
/* XXX 2 bytes hole, try to pack */
struct xfrm_sec_ctx * security; /* 260 4 */
struct xfrm_tmpl xfrm_vec[6]; /* 264 360 */
}; /* size: 624, sum members: 619, holes: 2, sum holes: 5 */
So lets have just one hole instead of two, by moving 'type' to just before 'action',
end result:
[acme@newtoy net-2.6.20]$ codiff -s /tmp/tcp.o.before net/ipv4/tcp.o
/pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c:
struct xfrm_policy | -4
1 struct changed
[acme@newtoy net-2.6.20]$
[acme@newtoy net-2.6.20]$ pahole -c 64 net/ipv4/tcp.o xfrm_policy
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */
struct xfrm_policy {
struct xfrm_policy * next; /* 0 4 */
struct hlist_node bydst; /* 4 8 */
struct hlist_node byidx; /* 12 8 */
rwlock_t lock; /* 20 36 */
atomic_t refcnt; /* 56 4 */
struct timer_list timer; /* 60 24 */
u32 priority; /* 84 4 */
u32 index; /* 88 4 */
struct xfrm_selector selector; /* 92 56 */
struct xfrm_lifetime_cfg lft; /* 148 64 */
struct xfrm_lifetime_cur curlft; /* 212 32 */
struct dst_entry * bundles; /* 244 4 */
u16 family; /* 248 2 */
u8 type; /* 250 1 */
u8 action; /* 251 1 */
u8 flags; /* 252 1 */
u8 dead; /* 253 1 */
u8 xfrm_nr; /* 254 1 */
/* XXX 1 byte hole, try to pack */
struct xfrm_sec_ctx * security; /* 256 4 */
struct xfrm_tmpl xfrm_vec[6]; /* 260 360 */
}; /* size: 620, sum members: 619, holes: 1, sum holes: 1 */
Are there any fugly data dependencies here? None that I know.
In the process changed the removed the __ prefixed types, that are just for
userspace visible headers.
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
[acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o hh_cache
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/netdevice.h:190 */
struct hh_cache {
struct hh_cache * hh_next; /* 0 4 */
atomic_t hh_refcnt; /* 4 4 */
__be16 hh_type; /* 8 2 */
/* XXX 2 bytes hole, try to pack */
int hh_len; /* 12 4 */
int (*hh_output)(); /* 16 4 */
rwlock_t hh_lock; /* 20 36 */
long unsigned int hh_data[24]; /* 56 96 */
}; /* size: 152, sum members: 150, holes: 1, sum holes: 2 */
[acme@newtoy net-2.6.20]$ find net -name "*.[ch]" | xargs grep 'hh_len.\+=' | sort -u
net/atm/br2684.c: hh->hh_len = PADLEN + ETH_HLEN;
net/ethernet/eth.c: hh->hh_len = ETH_HLEN;
net/ipv4/ipconfig.c: int hh_len = LL_RESERVED_SPACE(dev);
net/ipv4/ip_output.c: hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
net/ipv4/ip_output.c: int hh_len = LL_RESERVED_SPACE(dev);
net/ipv4/netfilter.c: hh_len = (*pskb)->dst->dev->hard_header_len;
net/ipv4/raw.c: hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
net/ipv6/ip6_output.c: hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
net/ipv6/netfilter/ip6t_REJECT.c: hh_len = (dst->dev->hard_header_len + 15)&~15;
net/ipv6/raw.c: hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
[acme@newtoy net-2.6.20]$
[acme@newtoy net-2.6.20]$ find include -name "*.h" | xargs grep 'define ETH_HLEN'
include/linux/if_ether.h:#define ETH_HLEN 14 /* Total octets in header. */
(((dev)->hard_header_len&~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
[acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o net_device | grep hard_header_len
short unsigned int hard_header_len; /* 106 2 */
[acme@newtoy net-2.6.20]$
So I think we're safe in turning hh_len an u16, end result:
[acme@newtoy net-2.6.20]$ codiff -sV /tmp/tcp.o.before net/ipv4/tcp.o
/pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c:
struct hh_cache | -4
hh_len;
from: int /* 12(0) 4(0) */
to: u16 /* 10(0) 2(0) */
1 struct changed
[acme@newtoy net-2.6.20]$
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
We have a hole in:
[acme@newtoy net-2.6.20]$ pahole net/ipv6/tcp_ipv6.o inet_connection_sock_af_ops
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/inet_connection_sock.h:38 */
struct inet_connection_sock_af_ops {
int (*queue_xmit)(); /* 0 4 */
void (*send_check)(); /* 4 4 */
int (*rebuild_header)(); /* 8 4 */
int (*conn_request)(); /* 12 4 */
struct sock * (*syn_recv_sock)(); /* 16 4 */
int (*remember_stamp)(); /* 20 4 */
__u16 net_header_len; /* 24 2 */
/* XXX 2 bytes hole, try to pack */
int (*setsockopt)(); /* 28 4 */
int (*getsockopt)(); /* 32 4 */
int (*compat_setsockopt)(); /* 36 4 */
int (*compat_getsockopt)(); /* 40 4 */
void (*addr2sockaddr)(); /* 44 4 */
int sockaddr_len; /* 48 4 */
}; /* size: 52, sum members: 50, holes: 1, sum holes: 2 */
But we don't need sockaddr_len to be an int:
[acme@newtoy net-2.6.20]$ find net -name "*.[ch]" | xargs grep '\.sockaddr_len.\+=' | sort -u
net/dccp/ipv4.c: .sockaddr_len = sizeof(struct sockaddr_in),
net/dccp/ipv6.c: .sockaddr_len = sizeof(struct sockaddr_in6),
net/ipv4/tcp_ipv4.c: .sockaddr_len = sizeof(struct sockaddr_in),
net/ipv6/tcp_ipv6.c: .sockaddr_len = sizeof(struct sockaddr_in6),
net/sctp/ipv6.c: .sockaddr_len = sizeof(struct sockaddr_in6),
net/sctp/protocol.c: .sockaddr_len = sizeof(struct sockaddr_in),
[acme@newtoy net-2.6.20]$ pahole --sizes net/ipv6/tcp_ipv6.o | grep sockaddr_in
struct sockaddr_in: 16 0
struct sockaddr_in6: 28 0
[acme@newtoy net-2.6.20]$
So I turned sockaddr_len a 'u16', and now:
[acme@newtoy net-2.6.20]$ pahole net/ipv6/tcp_ipv6.o inet_connection_sock_af_ops
/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/inet_connection_sock.h:38 */
struct inet_connection_sock_af_ops {
int (*queue_xmit)(); /* 0 4 */
void (*send_check)(); /* 4 4 */
int (*rebuild_header)(); /* 8 4 */
int (*conn_request)(); /* 12 4 */
struct sock * (*syn_recv_sock)(); /* 16 4 */
int (*remember_stamp)(); /* 20 4 */
u16 net_header_len; /* 24 2 */
u16 sockaddr_len; /* 26 2 */
int (*setsockopt)(); /* 28 4 */
int (*getsockopt)(); /* 32 4 */
int (*compat_setsockopt)(); /* 36 4 */
int (*compat_getsockopt)(); /* 40 4 */
void (*addr2sockaddr)(); /* 44 4 */
}; /* size: 48 */
So we've saved 4 bytes:
[acme@newtoy net-2.6.20]$ codiff -sV /tmp/tcp_ipv6.o.before net/ipv6/tcp_ipv6.o
/pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv6/tcp_ipv6.c:
struct inet_connection_sock_af_ops | -4
net_header_len;
from: __u16 /* 24(0) 2(0) */
to: u16 /* 24(0) 2(0) */
sockaddr_len;
from: int /* 48(0) 4(0) */
to: u16 /* 26(0) 2(0) */
1 struct changed
[acme@newtoy net-2.6.20]$
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
This patch consolidates set/getsockopt code between UDP(-Lite) v4 and 6. The
justification is that UDP(-Lite) is a transport-layer protocol and therefore
the socket option code (at least in theory) should be AF-independent.
Furthermore, there is the following code reduplication:
* do_udp{,v6}_getsockopt is 100% identical between v4 and v6
* do_udp{,v6}_setsockopt is identical up to the following differerence
--v4 in contrast to v4 additionally allows the experimental encapsulation
types UDP_ENCAP_ESPINUDP and UDP_ENCAP_ESPINUDP_NON_IKE
--the remainder is identical between v4 and v6
I believe that this difference is of little relevance.
The advantages in not duplicating twice almost completely identical code.
The patch further simplifies the interface of udp{,v6}_push_pending_frames,
since for the second argument (struct udp_sock *up) it always holds that
up = udp_sk(sk); where sk is the first function argument.
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
IPv4, IPv6, and DECNet all use struct rta_cacheinfo in a similiar
way, therefore rtnl_put_cacheinfo() is added to reuse code.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The destination PID is passed directly to netlink_unicast()
respectively netlink_multicast().
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This adds documentation for the TFRC structure fields.
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
|
|
Extends the netlink interface to support the __le16 type and
converts address addition, deletion and, dumping to use the
new netlink interface.
Fixes multiple occasions of possible illegal memory references
due to not validated netlink attributes.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
... into anonymous union of __wsum and __u32 (csum and csum_offset resp.)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
argument passed as __be32
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
kill it
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
switched to taking a pointer to net-endian sctp_addr
and a net-endian port number. Instances and callers
adjusted; interestingly enough, the only calls are
direct calls of specific instances - the method is not
used at all.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Add sctp_chunk->source, sctp_sockaddr_entry->a, sctp_transport->ipaddr
and sctp_transport->saddr, maintain them as net-endian mirrors of
their host-endian counterparts.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Part 1: rename sctp_chunk->source, sctp_sockaddr_entry->a,
sctp_transport->ipaddr and sctp_transport->saddr (to ..._h)
The next patch will reintroduce these fields and keep them as
net-endian mirrors of the original (renamed) ones. Split in
two patches to make sure that we hadn't forgotten any instanes.
Later in the series we'll eliminate uses of host-endian variants
(basically switching users to net-endian counterparts as we
progress through that mess). Then host-endian ones will die.
Other embedded host-endian sctp_addr will be easier to switch
directly, so we leave them alone for now.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
That's going to be a long series. Introduced temporary helpers
doing copy-and-convert for sctp_addr; they are used to kill
flip-in-place in global data structures and will be used
to gradually push host-endian uses of sctp_addr out of existence.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
