linux/net, branch v2.6.20.1

[NETFILTER]: nf_conntrack_h323: fix compile error with CONFIG_IPV6=m, CONFIG_NF_CONNTRACK_H323=y

2007-02-03T03:33:52Z

Fix this by letting NF_CONNTRACK_H323 depend on (IPV6 || IPV6=n). Signed-off-by: Adrian Bunk Signed-off-by: David S. Miller

[NETFILTER]: ctnetlink: fix compile failure with NF_CONNTRACK_MARK=n

2007-02-03T03:33:11Z

CC net/netfilter/nf_conntrack_netlink.o net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_conntrack_event': net/netfilter/nf_conntrack_netlink.c:392: error: 'struct nf_conn' has no member named 'mark' make[3]: *** [net/netfilter/nf_conntrack_netlink.o] Error 1 Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NET_SCHED]: act_ipt: fix regression in ipt action

2007-02-02T08:40:36Z

The x_tables patch broke target module autoloading in the ipt action by replacing the ipt_find_target call (which does autoloading) by xt_find_target (which doesn't do autoloading). Additionally xt_find_target may return ERR_PTR values in case of an error, which are not handled. Use xt_request_find_target, which does both autoloading and ERR_PTR handling properly. Also don't forget to drop the target module reference again when xt_check_target fails. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: xt_hashlimit: fix ip6tables dependency

2007-01-31T05:36:09Z

IP6_NF_IPTABLES=m, CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y results in a linker error since ipv6_find_hdr is defined in ip6_tables.c. Fix similar to Adrian Bunk's H.323 conntrack patch: selecting ip6_tables to be build as module requires hashlimit to be built as module as well. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[SCTP]: Force update of the rto when processing HB-ACK

2007-01-30T22:36:14Z

When processing a HEARTBEAT-ACK it's possible that the transport rto timers will not be updated because a prior T3-RTX processing would have cleared the rto_pending flag on the transport. However, if we received a valid HEARTBEAT-ACK, we want to force update the rto variables, so re-set the rto_pending flag before calling sctp_transport_update_rto(). Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala Signed-off-by: David S. Miller

[IPV6]: fix BUG of ndisc_send_redirect()

2007-01-30T22:33:20Z

When I tested IPv6 redirect function about kernel 2.6.19.1, and found that the kernel can send redirect packets whose target address is global address, and the target is not the actual endpoint of communication. But the criteria conform to RFC2461, the target address defines as following: Target Address An IP address that is a better first hop to use for he ICMP Destination Address. When the target is the actual endpoint of communication, i.e., the destination is a neighbor, the Target Address field MUST contain the same value as the ICMP Destination Address field. Otherwise the target is a better first-hop router and the Target Address MUST be the router's link-local address so that hosts can uniquely identify routers. According to this definition, when a router redirect to a host, the target address either the better first-hop router's link-local address or the same as the ICMP destination address field. But the function of ndisc_send_redirect() in net/ipv6/ndisc.c, does not check the target address correctly. There is another definition about receive Redirect message in RFC2461: 8.1. Validation of Redirect Messages A host MUST silently discard any received Redirect message that does not satisfy all of the following validity checks: ...... - The ICMP Target Address is either a link-local address (when redirected to a router) or the same as the ICMP Destination Address (when redirected to the on-link destination). ...... And the receive redirect function of ndisc_redirect_rcv() implemented this definition, checks the target address correctly. if (ipv6_addr_equal(dest, target)) { on_link = 1; } else if (!(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) { ND_PRINTK2(KERN_WARNING "ICMPv6 Redirect: target address is not link-local.\n"); return; } So, I think the send redirect function must check the target address also. Signed-off-by: Li Yewang Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller

[IPV6]: Fix up some CONFIG typos

2007-01-30T22:30:10Z

Signed-off-by: Neil Horman Signed-off-by: David S. Miller

[NETFILTER]: SIP conntrack: fix out of bounds memory access

2007-01-30T22:25:24Z

When checking for an @-sign in skp_epaddr_len, make sure not to run over the packet boundaries. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: SIP conntrack: fix skipping over user info in SIP headers

2007-01-30T22:24:57Z

When trying to skip over the username in the Contact header, stop at the end of the line if no @ is found to avoid mangling following headers. We don't need to worry about continuation lines because we search inside a SIP URI. Fixes Netfilter Bugzilla #532. Signed-off-by: Lars Immisch Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: xt_connbytes: fix division by zero

2007-01-30T22:24:29Z

When the packet counter of a connection is zero a division by zero occurs in div64_64(). Fix that by using zero as average value, which is correct as long as the packet counter didn't overflow, at which point we have lost anyway. Additionally we're probably going to go back to 64 bit counters in 2.6.21. Based on patch from Jonas Berlin , with suggestions from KOVACS Krisztian . Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller