aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-01-28[NETFILTER]: nf_conntrack: clean up a few header filesPatrick McHardy
- Remove declarations of non-existing variables and functions - Move helper init/cleanup function declarations to nf_conntrack_helper.h - Remove unneeded __nf_conntrack_attach declaration and make it static Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: kill nf_sysctl.cPatrick McHardy
Since there now is generic support for shared sysctl paths, the only remains are the net/netfilter and net/ipv4/netfilter paths. Move them to net/netfilter/core.c and net/ipv4/netfilter.c and kill nf_sysctl.c. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: remove timeout indirectionPatrick McHardy
Instead of keeping pointers to the timeout values in a table, simply put the timeout values in the table directly. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: replace magic value by symbolic constantPatrick McHardy
Use SCTP_CHUNK_FLAG_T instead of 0x1. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: remove unused ttag field from conntrack dataPatrick McHardy
Spotted by Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: don't take sctp_lock once per chunkPatrick McHardy
Don't take and release the lock once per SCTP chunk, simply hold it the entire time while iterating through the chunks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: rename "newconntrack" variablePatrick McHardy
The name is misleading, it holds the new connection state, so rename it to "newstate". Also rename "oldsctpstate" to "oldstate" for consistency. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: consolidate sctp_packet() error pathsPatrick McHardy
Consolidate error paths and use proper symbolic return value instead of magic values. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: reduce line length furtherPatrick McHardy
Eliminate a few lines over 80 characters by using a local variable to hold the conntrack direction instead of using CTINFO2DIR everywhere. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: reduce line lengthPatrick McHardy
Reduce the length of some overly long lines by renaming all "conntrack" variables to "ct". Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: use proper types for bitopsPatrick McHardy
Use unsigned long instead of char for the bitmap and removed lots of casts. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_sctp: basic cleanupsPatrick McHardy
Reindent switch cases properly, get rid of weird constructs like "!(x == y)", put logical operations on the end of the line instead of the next line, get rid of superfluous braces. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_tcp: remove timeout indirectionPatrick McHardy
Instead of keeping pointers to the timeout values in a table, simply put the timeout values in the table directly. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_{tcp,sctp}: shrink state tablePatrick McHardy
The TCP and SCTP conntrack state transition tables only holds small numbers, but gcc uses 4 byte per entry for the enum. Switching to an u8 reduces the size from 480 to 120 bytes for TCP and from 576 to 144 bytes for SCTP. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: nf_conntrack_{tcp,sctp}: mark state table constPatrick McHardy
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: ipt_REJECT: properly handle IP optionsDenys Vlasenko
The current TCP RST construction reuses the old packet and can't deal with IP options as a consequence of that. Construct the RST from scratch instead. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: {ip,ip6}_tables: remove some inlinesDenys Vlasenko
This patch removes inlines except those which are used by packet matching code and thus are performance-critical. Before: $ size */*/*/ip*tables*.o text data bss dec hex filename 6402 500 16 6918 1b06 net/ipv4/netfilter/ip_tables.o 7130 500 16 7646 1dde net/ipv6/netfilter/ip6_tables.o After: $ size */*/*/ip*tables*.o text data bss dec hex filename 6307 500 16 6823 1aa7 net/ipv4/netfilter/ip_tables.o 7010 500 16 7526 1d66 net/ipv6/netfilter/ip6_tables.o Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Update feature-removal-schedule.txtJan Engelhardt
With all the newly introduced features, there is a lot to remove later on after a compatibility grace period of 2 years. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_iprange match, revision 1Jan Engelhardt
Adds IPv6 support to xt_iprange, making it possible to match on IPv6 address ranges with ip6tables. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Rename ipt_iprange to xt_iprangeJan Engelhardt
This patch moves ipt_iprange to xt_iprange, in preparation for adding IPv6 support to xt_iprange. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Update modules' descriptionsJan Engelhardt
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules, actually describing what the module does and not just "netfilter XYZ target". Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_policy: use the new union nf_inet_addrJan Engelhardt
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_pkttype: IPv6 multicast address recognitionJan Engelhardt
Signed-off-by: Jan Engelhart <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_pkttype: Add explicit check for IPv4Jan Engelhardt
In the PACKET_LOOPBACK case, the skb data was always interpreted as IPv4, but that is not valid for IPv6, obviously. Fix this by adding an extra condition to check for AF_INET. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_mark match, revision 1Jan Engelhardt
Introduces the xt_mark match revision 1. It uses fixed types, eventually obsoleting revision 0 some day (uses nonfixed types). Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_conntrack match, revision 1Jan Engelhardt
Introduces the xt_conntrack match revision 1. It uses fixed types, the new nf_inet_addr and comes with IPv6 support, thereby completely superseding xt_state. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Extend nf_inet_addr with in{,6}_addrJan Engelhardt
Extend union nf_inet_addr with struct in_addr and in6_addr. Useful because a lot of in-kernel IPv4 and IPv6 functions use in_addr/in6_addr. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_connmark match, revision 1Jan Engelhardt
Introduces the xt_connmark match revision 1. It uses fixed types, eventually obsoleting revision 0 some day (uses nonfixed types). (Unfixed types like "unsigned long" do not play well with mixed user-/kernelspace "bitness", e.g. 32/64, as is common on SPARC64, and need extra compat code.) Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_MARK target, revision 2Jan Engelhardt
Introduces the xt_MARK target revision 2. It uses fixed types, and also uses the more expressive XOR logic. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_CONNMARK target, revision 1Jan Engelhardt
Introduces the xt_CONNMARK target revision 1. It uses fixed types, and also uses the more expressive XOR logic. Futhermore, it allows to selectively pick bits from both the ctmark and the nfmark in the SAVE and RESTORE operations. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Annotate start of kernel fields in NF headersJan Engelhardt
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_TOS: Properly set the TOS fieldJan Engelhardt
Fix incorrect mask value passed to ipv4_change_dsfield/ipv6_change_dsfield. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: xt_TOS: Change semantic of mask valueJan Engelhardt
This patch changes the behavior of xt_TOS v1 so that the mask value the user supplies means "zero out these bits" rather than "keep these bits". This is more easy on the user, as (I would assume) people keep more bits than zeroing, so, an example: Action: Set bit 0x01. before (&): iptables -j TOS --set-tos 0x01/0xFE after (&~): iptables -j TOS --set-tos 0x01/0x01 This is not too "tragic" with xt_TOS, but where larger fields are used (e.g. proposed xt_MARK v2), `--set-xmar 0x01/0x01` vs. `--set-xmark 0x01/0xFFFFFFFE` really makes a difference. Other target(!) modules, such as xt_TPROXY also use &~ rather than &, so let's get to a common ground. (Since xt_TOS has not yet left the development tree en direction to mainline, the semantic can be changed as proposed without breaking iptables.) Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: remove ipt_TOS.cJan Engelhardt
Commit 88c85d81f74f92371745158aebc5cbf490412002 forgot to remove the old ipt_TOS file (whose code has been merged into xt_DSCP). Remove it now. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Remove some EXPERIMENTAL dependenciesPatrick McHardy
Most of the netfilter modules are not considered experimental anymore, the only ones I want to keep marked as EXPERIMENTAL are: - TCPOPTSTRIP target, which is brand new. - SANE helper, which is quite new. - CLUSTERIP target, which I believe hasn't had much testing despite being in the kernel for quite a long time. - SCTP match and conntrack protocol, which are a mess and need to be reviewed and cleaned up before I would trust them. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETFILTER]: Hide a few more options under NETFILTER_ADVANCEDPatrick McHardy
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPV4]: fib hash|trie initializationStephen Hemminger
Initialization of the slab cache's should be done when IP is initialized to make sure of available memory, and that code can be marked __init. Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPV4] fib_trie: size and statisticsStephen Hemminger
Show number of entries in trie, the size field was being set but never used, but it only counted leaves, not all entries. Refactor the two cases in fib_triestat_seq_show into a single routine. Note: the stat structure was being malloc'd but the stack usage isn't so high (288 bytes) that it is worth the additional complexity. Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[FIB]: Avoid using static variables without proper lockingEric Dumazet
fib_trie_seq_show() uses two helper functions, rtn_scope() and rtn_type() that can write to static storage without locking. Just pass to them a temporary buffer to avoid potential corruption (probably not triggerable but still...) Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETNS]: Process inet_confirm_addr in the correct namespace.Denis V. Lunev
inet_confirm_addr can be called with NULL in_dev from arp_ignore iff scope is RT_SCOPE_LINK. Lets always pass the device and check for RT_SCOPE_LINK scope inside inet_confirm_addr. This let us take network namespace from in_device a need for an additional argument. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPV4]: Remove extra argument from arp_ignore.Denis V. Lunev
arp_ignore has two arguments: dev & in_dev. dev is used for inet_confirm_addr calling only. inet_confirm_addr, in turn, either gets in_dev from the device passed or iterates over all network devices if the device passed is NULL. It seems logical to directly pass in_dev into inet_confirm_addr. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[ARP]: neigh_parms_put(destroy) are essentially local to core/neighbour.c.Denis V. Lunev
Make them static. [ Moved the inline before, instead of after, call sites. -DaveM ] Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[ARP]: Remove forward declaration of neigh_changeaddr.Denis V. Lunev
No need for this. It is declared in the neighbour.h Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[ARP]: Remove overkill checks from neigh_param_alloc.Denis V. Lunev
Valid network device is always passed into neigh_param_alloc, so remove extra checking for dev == NULL. Additionally, cleanup bogus netns assignment. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPV4]: fib_rules_unregister is essentially void.Denis V. Lunev
fib_rules_unregister is called only after successful register and the return code is never checked. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETNS]: Make arp code network namespace consistent.Denis V. Lunev
Some calls in the arp.c have network namespace as an argument. Getting init_net inside these functions is simply inconsistent. Fix this. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[ARP]: Move inet_addr_type call after simple error checks in arp_contructor.Denis V. Lunev
The neighbour entry will be destroyed in the case of error, so it is pointless to perform constly routing table lookup in this case. Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETNS][RAW]: Create the /proc/net/raw(6) in each namespace.Pavel Emelyanov
To do so, just register the proper subsystem and create files in ->init callbacks. No other special per-namespace handling for raw sockets is required. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETNS][RAW]: Eliminate explicit init_net references.Pavel Emelyanov
Happily, in all the rest places (->bind callbacks only), that require the struct net, we have a socket, so get the net from it. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETNS][RAW]: Make /proc/net/raw(6) show per-namespace socket list.Pavel Emelyanov
Pull the struct net pointer up to the showing functions to filter the sockets depending on their namespaces. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>