<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/include/net/netfilter, branch v3.8</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/include/net/netfilter?h=v3.8</id>
<link rel='self' href='https://git.amat.us/linux/atom/include/net/netfilter?h=v3.8'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2013-01-12T13:12:36Z</updated>
<entry>
<title>netfilter: nf_conntrack: fix BUG_ON while removing nf_conntrack with netns</title>
<updated>2013-01-12T13:12:36Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-10T15:12:01Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1e47ee8367babe6a5e8adf44a714c7086657b87e'/>
<id>urn:sha1:1e47ee8367babe6a5e8adf44a714c7086657b87e</id>
<content type='text'>
canqun zhang reported that we're hitting BUG_ON in the
nf_conntrack_destroy path when calling kfree_skb while
rmmod'ing the nf_conntrack module.

Currently, the nf_ct_destroy hook is being set to NULL in the
destroy path of conntrack.init_net. However, this is a problem
since init_net may be destroyed before any other existing netns
(we cannot assume any specific ordering while releasing existing
netns according to what I read in recent emails).

Thanks to Gao feng for the initial patch to address this issue.

Reported-by: canqun zhang &lt;canqunzhang@gmail.com&gt;
Acked-by: Gao feng &lt;gaofeng@cn.fujitsu.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_nat: Handle routing changes in MASQUERADE target</title>
<updated>2012-12-03T14:14:20Z</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2012-11-30T12:37:26Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=a0ecb85a2c3af73c63b6d44ce82aea52347ccf55'/>
<id>urn:sha1:a0ecb85a2c3af73c63b6d44ce82aea52347ccf55</id>
<content type='text'>
When a route change (backup default route, VPNs) affects a
masqueraded target, the packets were sent out with the outdated source
address. The patch addresses the issue by comparing the outgoing interface
directly with the masqueraded interface in the nat table.

Events are inefficient in this case, because it'd require adding route
events to the network core and then scanning the whole conntrack table
and re-checking the route for all entries.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
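The re-check described in the commit above, as an added user-space model (example code written for this page, not the kernel patch itself): each masqueraded entry remembers the ifindex its SNAT mapping was computed on, and a packet of that flow leaving through a different interface kills the entry so a fresh mapping is created. That the stale entry is killed and the triggering packet dropped, rather than re-NATed in place, is an assumption of this model; the commit message only states that the interfaces are compared. Interface indexes, addresses and the MasqTable/Conntrack names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Conntrack:
    """One masqueraded flow. All fields are constructed for this example."""
    src: str
    dst: str
    masq_ifindex: int   # interface the SNAT mapping was computed on
    snat_addr: str      # source address written on the wire
    dying: bool = False


class MasqTable:
    def __init__(self, iface_addrs, recheck_iface=True):
        # iface_addrs: ifindex -> primary address of that interface (sample data)
        self.iface_addrs = dict(iface_addrs)
        self.recheck_iface = recheck_iface   # False models the pre-patch behaviour
        self.entries = {}       # (src, dst) -> Conntrack
        self.killed = []        # entries invalidated by a route change

    def egress(self, src, dst, out_ifindex):
        """Return the source address used on the wire, or None when the
        packet is dropped because its stale entry was just killed."""
        key = (src, dst)
        ct = self.entries.get(key)
        if ct is not None and self.recheck_iface and ct.masq_ifindex != out_ifindex:
            # Outgoing interface no longer matches the one recorded when the
            # mapping was created (assumption: kill the entry and drop this
            # packet; the retransmission gets a fresh mapping below).
            ct.dying = True
            self.killed.append(self.entries.pop(key))
            return None
        if ct is None:
            ct = Conntrack(src, dst, out_ifindex, self.iface_addrs[out_ifindex])
            self.entries[key] = ct
        return ct.snat_addr


def route_flip_scenario(recheck_iface):
    """Send packets of one flow, flipping the default route from ifindex 1
    to ifindex 2 half way. Returns the wire source addresses seen; None
    marks a dropped packet."""
    table = MasqTable({1: "198.51.100.10", 2: "203.0.113.20"}, recheck_iface)
    seen = [table.egress("10.0.0.5", "192.0.2.1", 1),
            table.egress("10.0.0.5", "192.0.2.1", 1)]
    # default route now leaves via ifindex 2 (VPN came up / backup route)
    seen.append(table.egress("10.0.0.5", "192.0.2.1", 2))
    seen.append(table.egress("10.0.0.5", "192.0.2.1", 2))  # retransmission
    return seen


if __name__ == "__main__":
    print("without re-check:", route_flip_scenario(False))
    print("with re-check:   ", route_flip_scenario(True))
```

Without the re-check the flow keeps the old source address after the route flips, which is exactly the symptom the commit describes; with it, one packet is lost and the next one is NATed to the address of the interface it actually leaves through.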
<entry>
<title>netfilter: kill support for per-af queue backends</title>
<updated>2012-12-03T14:07:48Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2012-11-23T06:22:21Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=0360ae412d09bc6f4864c801effcb20bfd84520e'/>
<id>urn:sha1:0360ae412d09bc6f4864c801effcb20bfd84520e</id>
<content type='text'>
We used to have several queueing backends, but nowadays only
nfnetlink_queue remains.

In light of this there doesn't seem to be a good reason to
support per-af registering -- just hook up nfnetlink_queue on module
load and remove it on unload.

This means that the userspace BIND/UNBIND_PF commands are now obsolete;
the kernel will ignore them.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: improve nf_conn object traceability</title>
<updated>2012-12-03T14:06:33Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-11-27T20:30:52Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=04dac0111da7e1d284952cd415162451ffaa094d'/>
<id>urn:sha1:04dac0111da7e1d284952cd415162451ffaa094d</id>
<content type='text'>
This patch modifies the conntrack subsystem so that all existing
allocated conntrack objects can be found in any of the following
places:

* the hash table, this is the typical place for alive conntrack objects.
* the unconfirmed list, this is the place for newly created conntrack objects
  that are still traversing the stack.
* the dying list, this is where you can find conntrack objects that are dying
  or that should die anytime soon (eg. once the destroy event is delivered to
  the conntrackd daemon).

Thus, we make sure that we keep track of all existing conntrack
objects. This patch, together with some extension of the ctnetlink interface
to dump the content of the dying and unconfirmed lists, will help to
debug suspected nf_conn object leaks.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
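The invariant the commit above establishes, as an added user-space model (example code written for this page, not kernel code): every allocated object must be reachable from exactly one of the hash table, the unconfirmed list or the dying list, so an audit over the three lists can name objects that are still allocated but on no list. The ConntrackTracker class, the integer object ids and the deliberately buggy drop_unconfirmed_untracked method are constructed for the example.

```python
class ConntrackTracker:
    """Model of the three places a live conntrack object may be found.
    Object ids are plain integers; all names are constructed for this example."""

    def __init__(self):
        self.allocated = set()    # every object currently allocated
        self.hash_table = set()   # confirmed, alive entries
        self.unconfirmed = set()  # newly created, still traversing the stack
        self.dying = set()        # killed, waiting for the destroy event / free

    def alloc(self, ct):
        self.allocated.add(ct)
        self.unconfirmed.add(ct)

    def confirm(self, ct):
        self.unconfirmed.remove(ct)
        self.hash_table.add(ct)

    def kill(self, ct):
        # An entry can die from either the hash table or the unconfirmed list.
        self.hash_table.discard(ct)
        self.unconfirmed.discard(ct)
        self.dying.add(ct)

    def free(self, ct):
        self.dying.remove(ct)
        self.allocated.remove(ct)

    def drop_unconfirmed_untracked(self, ct):
        # Deliberate bug for the demo: the object is unlinked from the
        # unconfirmed list but neither freed nor moved to the dying list,
        # so it vanishes from every list while still allocated.
        self.unconfirmed.discard(ct)

    def audit(self):
        """Return (suspected leaks, objects present on more than one list)."""
        on_lists = self.hash_table | self.unconfirmed | self.dying
        leaked = sorted(self.allocated - on_lists)
        dup = sorted(self.hash_table.intersection(self.unconfirmed)
                     .union(self.hash_table.intersection(self.dying))
                     .union(self.unconfirmed.intersection(self.dying)))
        return leaked, dup


def leak_scenario():
    """Walk four objects through their lifecycle; one of them leaks."""
    t = ConntrackTracker()
    for ct in (1, 2, 3, 4):
        t.alloc(ct)
    t.confirm(1)
    t.confirm(2)
    t.kill(2)                          # 2 sits on the dying list until freed
    t.free(2)
    t.kill(3)                          # unconfirmed packet dropped: goes to dying
    t.drop_unconfirmed_untracked(4)    # the leak the audit should find
    return t.audit()


if __name__ == "__main__":
    leaked, dup = leak_scenario()
    print("suspected leaks:", leaked, "on several lists:", dup)
```

The audit is the user-space analogue of what dumping the dying and unconfirmed lists over ctnetlink allows: with every live object on one of three enumerable lists, anything allocated but missing from all of them is a candidate leak.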
<entry>
<title>netlink: Rename pid to portid to avoid confusion</title>
<updated>2012-09-10T19:30:41Z</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-09-07T20:12:54Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=15e473046cb6e5d18a4d0057e61d76315230382b'/>
<id>urn:sha1:15e473046cb6e5d18a4d0057e61d76315230382b</id>
<content type='text'>
It is a frequent mistake to confuse the netlink port identifier with a
process identifier.  Try to reduce this confusion by renaming fields
that hold port identifiers portid instead of pid.

I have carefully avoided changing the structures exported to
userspace to avoid changing the userspace API.

I have successfully built an allyesconfig kernel with this change.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Acked-by: Stephen Hemminger &lt;shemminger@vyatta.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next</title>
<updated>2012-09-03T13:34:51Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-09-03T13:28:30Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ace1fe1231bdfffd60b5e703aa5b7283fbf98dbd'/>
<id>urn:sha1:ace1fe1231bdfffd60b5e703aa5b7283fbf98dbd</id>
<content type='text'>
This merges (3f509c6 netfilter: nf_nat_sip: fix incorrect handling
of EBUSY for RTCP expectation) to Patrick McHardy's IPv6 NAT changes.
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: add nf_ct_timeout_lookup</title>
<updated>2012-09-03T11:33:03Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-08-28T00:53:15Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=84b5ee939eba0115739c19c0e01ea903b029c9da'/>
<id>urn:sha1:84b5ee939eba0115739c19c0e01ea903b029c9da</id>
<content type='text'>
This patch adds the new nf_ct_timeout_lookup function to encapsulate
the timeout policy attachment that is called in the nf_conntrack_in
path.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: fix racy timer handling with reliable events</title>
<updated>2012-08-31T13:50:28Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-08-29T16:25:49Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=5b423f6a40a0327f9d40bc8b97ce9be266f74368'/>
<id>urn:sha1:5b423f6a40a0327f9d40bc8b97ce9be266f74368</id>
<content type='text'>
Existing code assumes that del_timer returns true for alive conntrack
entries. However, this is not true if reliable events are enabled.
In that case, del_timer may return true for entries that were
just inserted in the dying list. Note that packets / ctnetlink may
hold references to conntrack entries that were just inserted to such
list.

This patch fixes the issue by adding an independent timer for
event delivery. This increases the size of the ecache extension.
Still we can revisit this later and use variable size extensions
to allocate this area on demand.

Tested-by: Oliver Smith &lt;olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: ip6tables: add MASQUERADE target</title>
<updated>2012-08-30T01:00:18Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2012-08-26T17:14:14Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b3f644fc8232ca761da0b5c5ccb6f30b423c4302'/>
<id>urn:sha1:b3f644fc8232ca761da0b5c5ccb6f30b423c4302</id>
<content type='text'>
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: ipv6: add IPv6 NAT support</title>
<updated>2012-08-30T01:00:17Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2012-08-26T17:14:12Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=58a317f1061c894d2344c0b6a18ab4a64b69b815'/>
<id>urn:sha1:58a317f1061c894d2344c0b6a18ab4a64b69b815</id>
<content type='text'>
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
</feed>
