summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* [ATM]: Kill ipcommon.[ch]David S. Miller2006-12-025-98/+47
| | | | | | | All that remained was skb_migrate() and that was overkill for what the two call sites were trying to do. Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: policer: restore compatibility with old iproute binariesPatrick McHardy2006-12-021-4/+22
| | | | | | | | | | | | | | The tc actions increased the size of struct tc_police, which broke compatibility with old iproute binaries since both the act_police and the old NET_CLS_POLICE code check for an exact size match. Since the new members are not even used, the simple fix is to also accept the size of the old structure. Dumping is not affected since old userspace will receive a bigger structure, which is handled fine. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [PKT_SCHED]: Remove unused exports.Adrian Bunk2006-12-022-4/+0
| | | | | | | | | | | This patch removes the following unused EXPORT_SYMBOL's: - sch_api.c: qdisc_lookup - sch_generic.c: __netdev_watchdog_up - sch_generic.c: noop_qdisc_ops - sch_generic.c: qdisc_alloc Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Split ebt_replace into user and kernel variants, annotate.Al Viro2006-12-025-13/+31
| | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Clean ebt_register_table() up.Al Viro2006-12-021-12/+21
| | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Move calls of ebt_verify_pointers() upstream.Al Viro2006-12-021-9/+11
| | | | | | | ... and pass just repl->name to translate_table() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: ebt_check_entry() doesn't need valid_hooksAl Viro2006-12-021-4/+3
| | | | | | | | We can check newinfo->hook_entry[...] instead. Kill unused argument. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Clean ebt_get_udc_positions() up.Al Viro2006-12-021-6/+2
| | | | | | | | Check for valid_hooks is redundant (newinfo->hook_entry[i] will be NULL if bit i is not set). Kill it, kill unused arguments. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Switch ebt_check_entry_size_and_hooks() to use of ↵Al Viro2006-12-021-10/+6
| | | | | | | | | newinfo->hook_entry[] kill unused arguments Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: translate_table(): switch direct uses of repl->hook_info to newinfoAl Viro2006-12-021-5/+5
| | | | | | | | Since newinfo->hook_table[] already has been set up, we can switch to using it instead of repl->{hook_info,valid_hooks}. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Move more stuff into ebt_verify_pointers().Al Viro2006-12-021-19/+19
| | | | | | | | | | | | Take intialization of ->hook_entry[...], ->entries_size and ->nentries over there, pull the check for empty chains into the end of that sucker. Now it's self-contained, so we can move it up in the very beginning of translate_table() *and* we can rely on ->hook_entry[] being properly transliterated after it. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Pull the loop doing __ebt_verify_pointers() into a separate ↵Al Viro2006-12-021-37/+41
| | | | | | | | | | function. It's easier to expand the iterator here *and* we'll be able to move all uses of ebt_replace from translate_table() into this one. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Split ebt_check_entry_size_and_hooksAl Viro2006-12-021-24/+49
| | | | | | | | | | | | | | | | Split ebt_check_entry_size_and_hooks() in two parts - one that does sanity checks on pointers (basically, checks that we can safely use iterator from now on) and the rest of it (looking into details of entry). The loop applying ebt_check_entry_size_and_hooks() is split in two. Populating newinfo->hook_entry[] is done in the first part. Unused arguments killed. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Prevent wraparounds in checks for entry components' sizes.Al Viro2006-12-021-8/+9
| | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Deal with the worst-case behaviour in loop checks.Al Viro2006-12-021-1/+3
| | | | | | | | | No need to revisit a chain we'd already finished with during the check for current hook. It's either instant loop (which we'd just detected) or a duplicate work. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Verify that ebt_entries have zero ->distinguisher.Al Viro2006-12-021-5/+5
| | | | | | | We need that for iterator to work; existing check had been too weak. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [EBTABLES]: Fix wraparounds in ebt_entries verification.Al Viro2006-12-021-7/+16
| | | | | | | | | | | We need to verify that a) we are not too close to the end of buffer to dereference b) next entry we'll be checking won't be _before_ our While we are at it, don't subtract unrelated pointers... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Fix warnings with TCP_MD5SIG disabled.Andrew Morton2006-12-022-6/+6
| | | | | Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Possible cleanups.Adrian Bunk2006-12-025-16/+16
| | | | | | | | | | | | | | | | | | This patch contains the following possible cleanups: - make the following needlessly global functions statis: - ipv4/tcp.c: __tcp_alloc_md5sig_pool() - ipv4/tcp_ipv4.c: tcp_v4_reqsk_md5_lookup() - ipv4/udplite.c: udplite_rcv() - ipv4/udplite.c: udplite_err() - make the following needlessly global structs static: - ipv4/tcp_ipv4.c: tcp_request_sock_ipv4_ops - ipv4/tcp_ipv4.c: tcp_sock_ipv4_specific - ipv6/tcp_ipv6.c: tcp_request_sock_ipv6_ops - net/ipv{4,6}/udplite.c: remove inline's from static functions (gcc should know best when to inline them) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add AF_KEY interface for encapsulation family.Miika Komu2006-12-021-15/+25
| | | | | | Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org>
* [IPSEC]: Add netlink interface for the encapsulation family.Miika Komu2006-12-021-1/+3
| | | | | | | Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add encapsulation family.Miika Komu2006-12-022-0/+3
| | | | | | | Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP] MD5SIG: Kill CONFIG_TCP_MD5SIG_DEBUG.David S. Miller2006-12-022-44/+1
| | | | | | | It just obfuscates the code and adds limited value. And as Adrian Bunk noticed, it lacked Kconfig help text too, so just kill it. Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: Fix endless loops (part 5): netem/tbf/hfsc ->requeue failuresPatrick McHardy2006-12-023-5/+3
| | | | | | | | | | | | When peeking at the next packet in a child qdisc by calling dequeue/requeue, the upper qdisc qlen counter may get out of sync in case the requeue fails. The qdisc and the child qdisc both have their counter decremented, but since no packet is given to the upper qdisc it won't decrement its counter itself. requeue should not fail, so this is mostly for "correctness". Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: Fix endless loops (part 4): HTBPatrick McHardy2006-12-021-7/+17
| | | | | | | | Convert HTB to use qdisc_tree_decrease_len() and add a callback for deactivating a class when its child queue becomes empty. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: Fix endless loops (part 3): HFSCPatrick McHardy2006-12-021-5/+13
| | | | | | | | | | | | | Convert HFSC to use qdisc_tree_decrease_len() and add a callback for deactivating a class when its child queue becomes empty. All queue purging goes through hfsc_purge_queue(), which is used in three cases: grafting, class creation (when a leaf class is turned into an intermediate class by attaching a new class) and class deletion. In all cases qdisc_tree_decrease_len() is needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: Fix endless loops (part 2): "simple" qdiscsPatrick McHardy2006-12-027-10/+22
| | | | | | | | | | | | Convert the "simple" qdiscs to use qdisc_tree_decrease_qlen() where necessary: - all graft operations - destruction of old child qdiscs in prio, red and tbf change operation - purging of queue in sfq change operation Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: Fix endless loops caused by inaccurate qlen counters (part 1)Patrick McHardy2006-12-022-6/+34
| | | | | | | | | | | | | | | | | | | | | | | | There are multiple problems related to qlen adjustment that can lead to an upper qdisc getting out of sync with the real number of packets queued, leading to endless dequeueing attempts by the upper layer code. All qdiscs must maintain an accurate q.qlen counter. There are basically two groups of operations affecting the qlen: operations that propagate down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the root qdisc and operations only affecting a subtree or single qdisc (change, graft, delete class). Since qlen changes during operations from the second group don't propagate to ancestor qdiscs, their qlen values become desynchronized. This patch adds a function to propagate qlen changes up the qdisc tree, optionally calling a callback function to perform qdisc-internal maintenance when the child qdisc becomes empty. The follow-up patches will convert all qdiscs to use this function where necessary. Noticed by Timo Steinbach <tsteinbach@astaro.com>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: Set parent classid in default qdiscsPatrick McHardy2006-12-0211-24/+40
| | | | | | | | Set parent classids in default qdiscs to allow walking up the tree from outside the qdiscs. This is needed by the next patch. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET_SCHED]: sch_htb: perform qlen adjustment immediately in ->deletePatrick McHardy2006-12-021-1/+6
| | | | | | | | | | | qlen adjustment should happen immediately in ->delete and not in the class destroy function because the reference count will not hit zero in ->delete (sch_api holds a reference) but in ->put. Since the qdisc lock is released between deletion of the class and final destruction this creates an externally visible error in the qlen counter. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* Rename class_destroy to avoid namespace conflicts.James Morris2006-12-021-3/+3
| | | | | | | | | | We're seeing increasing namespace conflicts between the global class_destroy() function declared in linux/device.h, and the private function in the SELinux core code. This patch renames the SELinux function to cls_destroy() to avoid this conflict. Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: add the ranged tag to the CIPSOv4 protocolPaul Moore2006-12-021-0/+268
| | | | | | | | | | | | | | | Add support for the ranged tag (tag type #5) to the CIPSOv4 protocol. The ranged tag allows for seven, or eight if zero is the lowest category, category ranges to be specified in a CIPSO option. Each range is specified by two unsigned 16 bit fields, each with a maximum value of 65534. The two values specify the start and end of the category range; if the start of the category range is zero then it is omitted. See Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt for more details. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: add the enumerated tag to the CIPSOv4 protocolPaul Moore2006-12-021-0/+233
| | | | | | | | | | | | Add support for the enumerated tag (tag type #2) to the CIPSOv4 protocol. The enumerated tag allows for 15 categories to be specified in a CIPSO option, where each category is an unsigned 16 bit field with a maximum value of 65534. See Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt for more details. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* NetLabel: convert to an extensibile/sparse category bitmapPaul Moore2006-12-028-352/+568
| | | | | | | | | | | | | | | | The original NetLabel category bitmap was a straight char bitmap which worked fine for the initial release as it only supported 240 bits due to limitations in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that straight char bitmap into an extensibile/sparse bitmap in order to lay the foundation for other CIPSO tag types and protocols. This patch also has a nice side effect in that all of the security attributes passed by NetLabel into the LSM are now in a format which is in the host's native byte/bit ordering which makes the LSM specific code much simpler; look at the changes in security/selinux/ss/ebitmap.c as an example. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* [NETFILTER]: remove the reference to ipchains from KconfigPablo Neira Ayuso2006-12-021-1/+1
| | | | | | | It is time to move on :-) Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: Fix PROC_FS=n warningsPatrick McHardy2006-12-022-7/+17
| | | | | | Fix some unused function/variable warnings. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: remove remaining ASSERT_{READ,WRITE}_LOCKPatrick McHardy2006-12-025-18/+0
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ebtables: add --snap-arp optionBart De Schuymer2006-12-024-6/+32
| | | | | | | | | The attached patch adds --snat-arp support, which makes it possible to change the source mac address in both the mac header and the arp header with one rule. Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: x_tables: add NFLOG targetPatrick McHardy2006-12-029-16/+123
| | | | | | | | | | | Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6. Currently we have two (unsupported by userspace) hacks in the LOG and ULOG targets to optionally call to the nflog API. They lack a few features, namely the IPv4 and IPv6 LOG targets can not specify a number of arguments related to nfnetlink_log, while the ULOG target is only available for IPv4. Remove those hacks and add a clean way to use nfnetlink_log. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6Patrick McHardy2006-12-028-285/+339
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nfnetlink_log: remove useless prefix length limitationPatrick McHardy2006-12-022-11/+10
| | | | | | There is no reason for limiting netlink attributes in size. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: nfnetlink_queue: allow changing queue length through netlinkEric Leblond2006-12-022-0/+9
| | | | | Signed-off-by: Eric Leblond <eric@inl.fr> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ctnetlink: rework conntrack fields dumping logic on eventsPablo Neira Ayuso2006-12-022-44/+54
| | | | | | | | | | | | | | | | | | | | | | | | | | NEW | UPDATE | DESTROY | ----------------------------------------| tuples | Y | Y | Y | status | Y | Y | N | timeout | Y | Y | N | protoinfo | S | S | N | helper | S | S | N | mark | S | S | N | counters | F | F | Y | Leyend: Y: yes N: no S: iif the field is set F: iif overflow This patch also replace IPCT_HELPINFO by IPCT_HELPER since we want to track the helper assignation process, not the changes in the private information held by the helper. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ctnetlink: check for status attribute existence on conntrack ↵Pablo Neira Ayuso2006-12-022-6/+10
| | | | | | | | | | creation Check that status flags are available in the netlink message received to create a new conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: better NAT handlingPatrick McHardy2006-12-023-70/+135
| | | | | | | | | | | | | | | | | | | | | | | The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: make header shortcuts optionalPatrick McHardy2006-12-021-3/+2
| | | | | | | Not every header has a shortcut, so make them optional instead of searching for the same string twice. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: do case insensitive SIP header searchPatrick McHardy2006-12-023-8/+22
| | | | | | | SIP headers are generally case-insensitive, only SDP headers are case sensitive. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: sip conntrack: minor cleanupPatrick McHardy2006-12-023-63/+55
| | | | | | | | | | - Use enum for header field enumeration - Use numerical value instead of pointer to header info structure to identify headers, unexport ct_sip_hdrs - group SIP and SDP entries in header info structure - remove double forward declaration of ct_sip_get_info Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: ip_conntrack: fix NAT helper unload racesPatrick McHardy2006-12-0215-169/+216
| | | | | | | | | | | | The NAT helpr hooks are protected by RCU, but all of the conntrack helpers test and use the global pointers instead of copying them first using rcu_dereference() Also replace synchronize_net() by synchronize_rcu() for clarity since sychronizing only with packet receive processing is insufficient to prevent races. Signed-off-by: Patrick McHardy <kaber@trash.net>
* [NETFILTER]: conntrack: add '_get' to {ip, nf}_conntrack_expect_findYasuyuki Kozakai2006-12-0210-13/+13
| | | | | | | | We usually uses 'xxx_find_get' for function which increments reference count. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>
OpenPOWER on IntegriCloud