Linux kernel source tree https://git.amat.us/linux/atom/net/netfilter/xt_socket.c?h=v3.0.62 2011-06-05T23:35:10Z 2011-06-05T23:35:10Z Eric Dumazet eric.dumazet@gmail.com 2011-05-19T13:44:27Z urn:sha1:fb04883371f2cb7867d24783e7d590036dc9b548 Following error is raised (and other similar ones) : net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’: net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’ not in enumerated type ‘enum ip_conntrack_info’ gcc barfs on adding two enum values and getting a not enumerated result : case IP_CT_RELATED+IP_CT_IS_REPLY: Add missing enum values Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: David Miller <davem@davemloft.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2011-02-17T10:32:38Z Florian Westphal fwestphal@astaro.com 2011-02-17T10:32:38Z urn:sha1:d503b30bd648b3cb4e5f50b65d27e389960cc6d9 Assigning a socket in timewait state to skb->sk can trigger kernel oops, e.g. in nfnetlink_log, which does: if (skb->sk) { read_lock_bh(&skb->sk->sk_callback_lock); if (skb->sk->sk_socket && skb->sk->sk_socket->file) ... in the timewait case, accessing sk->sk_callback_lock and sk->sk_socket is invalid. Either all of these spots will need to add a test for sk->sk_state != TCP_TIME_WAIT, or xt_TPROXY must not assign a timewait socket to skb->sk. This does the latter. If a TW socket is found, assign the tproxy nfmark, but skip the skb->sk assignment, thus mimicking behaviour of a '-m socket .. -j MARK/ACCEPT' re-routing rule. The 'SYN to TW socket' case is left unchanged -- we try to redirect to the listener socket. Cc: Balazs Scheidler <bazsi@balabit.hu> Cc: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 2010-10-28T19:59:53Z David S. Miller davem@davemloft.net 2010-10-28T19:59:53Z urn:sha1:089282fb028198169a0f62f8f833ab6d06bdbb3c Otherwise error indications from ipv6_find_hdr() won't be noticed. This required making the protocol argument to extract_icmp6_fields() signed too. Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-10-25T20:58:36Z KOVACS Krisztian hidden@balabit.hu 2010-10-24T23:38:32Z urn:sha1:f6318e558806c925029dc101f14874be9f9fa78f One of the previous tproxy related patches split IPv6 defragmentation and connection tracking, but did not correctly add Kconfig stanzas to handle the new dependencies correctly. This patch fixes that by making the config options mirror the setup we have for IPv4: a distinct config option for defragmentation that is automatically selected by both connection tracking and xt_TPROXY/xt_socket. The patch also changes the #ifdefs enclosing IPv6 specific code in xt_socket and xt_TPROXY: we only compile these in case we have ip6tables support enabled. Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: David S. Miller <davem@davemloft.net> 2010-10-21T14:19:42Z Balazs Scheidler bazsi@balabit.hu 2010-10-21T14:19:42Z urn:sha1:b64c9256a9b76fc9f059f71bd08ba88fb0cbba2e The ICMP extraction bits were contributed by Harry Mason. Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 2010-10-21T10:45:14Z Balazs Scheidler bazsi@balabit.hu 2010-10-21T10:45:14Z urn:sha1:106e4c26b1529e559d1aae777f11b4f8f7bafc26 Without tproxy redirections an incoming SYN kicks out conflicting TIME_WAIT sockets, in order to handle clients that reuse ports within the TIME_WAIT period. The same mechanism didn't work in case TProxy is involved in finding the proper socket, as the time_wait processing code looked up the listening socket assuming that the listener addr/port matches those of the established connection. This is not the case with TProxy as the listener addr/port is possibly changed with the tproxy rule. Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 2010-06-08T14:09:52Z Eric Dumazet eric.dumazet@gmail.com 2010-06-08T14:09:52Z urn:sha1:5bfddbd46a95c978f4d3c992339cbdf4f4b790a3 NOTRACK makes all cpus share a cache line on nf_conntrack_untracked twice per packet. This is bad for performance. __read_mostly annotation is also a bad choice. This patch introduces IPS_UNTRACKED bit so that we can use later a per_cpu untrack structure more easily. A new helper, nf_ct_untracked_get() returns a pointer to nf_conntrack_untracked. Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add IPS_NAT_DONE_MASK bits to untracked status. nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 2010-05-11T16:33:37Z Jan Engelhardt jengelh@medozas.de 2009-07-07T18:42:08Z urn:sha1:62fc8051083a334578c3f4b3488808f210b4565f In future, layer-3 matches will be an xt module of their own, and need to set the fragoff and thoff fields. Adding more pointers would needlessy increase memory requirements (esp. so for 64-bit, where pointers are wider). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 2010-05-11T16:31:17Z Jan Engelhardt jengelh@medozas.de 2009-07-05T17:43:26Z urn:sha1:4b560b447df83368df44bd3712c0c39b1d79ba04 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 2010-03-25T14:00:04Z Jan Engelhardt jengelh@medozas.de 2010-03-19T20:08:16Z urn:sha1:ff67e4e42bd178b1179c4d8e5c1fde18758ce84f Supplement to 1159683ef48469de71dc26f0ee1a9c30d131cf89. Downgrade the log level to INFO for most checkentry messages as they are, IMO, just an extra information to the -EINVAL code that is returned as part of a parameter "constraint violation". Leave errors to real errors, such as being unable to create a LED trigger. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>