Linux kernel source tree https://git.amat.us/linux/atom/include/net/netns?h=v3.8.9 2012-12-24T11:55:09Z 2012-12-24T11:55:09Z Pablo Neira Ayuso pablo@netfilter.org 2012-12-20T01:54:51Z urn:sha1:10db9069eb5c60195170a4119bdbcbce69a4945f Florian Westphal reported that the removal of the NOTRACK target (9655050 netfilter: remove xt_NOTRACK) is breaking some existing setups. That removal was scheduled for removal since long time ago as described in Documentation/feature-removal-schedule.txt What: xt_NOTRACK Files: net/netfilter/xt_NOTRACK.c When: April 2011 Why: Superseded by xt_CT Still, people may have not notice / may have decided to stick to an old iptables version. I agree with him in that some more conservative approach by spotting some printk to warn users for some time is less agressive. Current iptables 1.4.16.3 already contains the aliasing support that makes it point to the CT target, so upgrading would fix it. Still, the policy so far has been to avoid pushing our users to upgrade. As a solution, this patch recovers the NOTRACK target inside the CT target and it now spots a warning. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-12-16T22:44:12Z Pablo Neira Ayuso pablo@netfilter.org 2012-12-11T04:07:42Z urn:sha1:252b3e8c1bc0c2b20348ae87d67efcd0a8209f72 In (d871bef netfilter: ctnetlink: dump entries from the dying and unconfirmed lists), we assume that all conntrack objects are inserted in any of the existing lists. However, template conntrack objects were not. This results in hitting BUG_ON in the destroy_conntrack path while removing a rule that uses the CT target. This patch fixes the situation by adding the template lists, which is where template conntrack objects reside now. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-10-26T06:22:18Z Neil Horman nhorman@tuxdriver.com 2012-10-24T09:20:03Z urn:sha1:3c68198e75111a905ac2412be12bf7b29099729b Currently sctp allows for the optional use of md5 of sha1 hmac algorithms to generate cookie values when establishing new connections via two build time config options. Theres no real reason to make this a static selection. We can add a sysctl that allows for the dynamic selection of these algorithms at run time, with the default value determined by the corresponding crypto library availability. This comes in handy when, for example running a system in FIPS mode, where use of md5 is disallowed, but SHA1 is permitted. Note: This new sysctl has no corresponding socket option to select the cookie hmac algorithm. I chose not to implement that intentionally, as RFC 6458 contains no option for this value, and I opted not to pollute the socket option namespace. Change notes: v2) * Updated subject to have the proper sctp prefix as per Dave M. * Replaced deafult selection options with new options that allow developers to explicitly select available hmac algs at build time as per suggestion by Vlad Y. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> CC: Vlad Yasevich <vyasevich@gmail.com> CC: "David S. Miller" <davem@davemloft.net> CC: netdev@vger.kernel.org Acked-by: Vlad Yasevich <vyasevich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-09-28T18:40:49Z David S. Miller davem@davemloft.net 2012-09-28T18:40:49Z urn:sha1:6a06e5e1bb217be077e1f8ee2745b4c5b1aa02db Conflicts: drivers/net/team/team.c drivers/net/usb/qmi_wwan.c net/batman-adv/bat_iv_ogm.c net/ipv4/fib_frontend.c net/ipv4/route.c net/l2tp/l2tp_netlink.c The team, fib_frontend, route, and l2tp_netlink conflicts were simply overlapping changes. qmi_wwan and bat_iv_ogm were of the "use HEAD" variety. With help from Antonio Quartulli. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-09-19T21:23:28Z Amerigo Wang amwang@redhat.com 2012-09-18T16:50:08Z urn:sha1:c038a767cd697238b09f7a4ea5a504b4891774e9 As pointed by Michal, it is necessary to add a new namespace for nf_conntrack_reasm code, this prepares for the second patch. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Kubeček <mkubecek@suse.cz> Cc: David Miller <davem@davemloft.net> Cc: Patrick McHardy <kaber@trash.net> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel@vger.kernel.org Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-09-18T19:57:03Z Nicolas Dichtel nicolas.dichtel@6wind.com 2012-09-10T22:09:44Z urn:sha1:b42664f898c976247f7f609b8bb9c94d7475ca10 This commit prepares the use of rt_genid by both IPv4 and IPv6. Initialization is left in IPv4 part. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-09-03T13:34:51Z Pablo Neira Ayuso pablo@netfilter.org 2012-09-03T13:28:30Z urn:sha1:ace1fe1231bdfffd60b5e703aa5b7283fbf98dbd This merges (3f509c6 netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation) to Patrick McHardy's IPv6 NAT changes. 2012-08-30T01:00:17Z Patrick McHardy kaber@trash.net 2012-08-26T17:14:12Z urn:sha1:58a317f1061c894d2344c0b6a18ab4a64b69b815 Signed-off-by: Patrick McHardy <kaber@trash.net> 2012-08-30T01:00:14Z Patrick McHardy kaber@trash.net 2012-08-26T17:14:06Z urn:sha1:c7232c9979cba684c50b64c513c4a83c9aa70563 Convert the IPv4 NAT implementation to a protocol independent core and address family specific modules. Signed-off-by: Patrick McHardy <kaber@trash.net> 2012-08-24T22:54:37Z David S. Miller davem@davemloft.net 2012-08-24T22:54:37Z urn:sha1:e6acb384807406c1a6ad3ddc91191f7658e63b7a This is an initial merge in of Eric Biederman's work to start adding user namespace support to the networking. Signed-off-by: David S. Miller <davem@davemloft.net>