- 03 Dec, 2006 40 commits
-
-
Pablo Neira Ayuso authored
| NEW | UPDATE | DESTROY | ----------------------------------------| tuples | Y | Y | Y | status | Y | Y | N | timeout | Y | Y | N | protoinfo | S | S | N | helper | S | S | N | mark | S | S | N | counters | F | F | Y | Leyend: Y: yes N: no S: iif the field is set F: iif overflow This patch also replace IPCT_HELPINFO by IPCT_HELPER since we want to track the helper assignation process, not the changes in the private information held by the helper. Signed-off-by:Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
Patrick McHardy <kaber@trash.net>
-
Pablo Neira Ayuso authored
Check that status flags are available in the netlink message received to create a new conntrack. Signed-off-by:
-
Patrick McHardy authored
The NAT handling of the SIP helper has a few problems: - Request headers are only mangled in the reply direction, From/To headers not at all, which can lead to authentication failures with DNAT in case the authentication domain is the IP address - Contact headers in responses are only mangled for REGISTER responses - Headers may be mangled even though they contain addresses not participating in the connection, like alternative addresses - Packets are droppen when domain names are used where the helper expects IP addresses This patch takes a different approach, instead of fixed rules what field to mangle to what content, it adds symetric mapping of From/To/Via/Contact headers, which allows to deal properly with echoed addresses in responses and foreign addresses not belonging to the connection. Signed-off-by: -
Patrick McHardy authored
Not every header has a shortcut, so make them optional instead of searching for the same string twice. Signed-off-by: -
Patrick McHardy authored
SIP headers are generally case-insensitive, only SDP headers are case sensitive. Signed-off-by: -
Patrick McHardy authored
- Use enum for header field enumeration - Use numerical value instead of pointer to header info structure to identify headers, unexport ct_sip_hdrs - group SIP and SDP entries in header info structure - remove double forward declaration of ct_sip_get_info Signed-off-by: -
Patrick McHardy authored
The NAT helpr hooks are protected by RCU, but all of the conntrack helpers test and use the global pointers instead of copying them first using rcu_dereference() Also replace synchronize_net() by synchronize_rcu() for clarity since sychronizing only with packet receive processing is insufficient to prevent races. Signed-off-by: -
Yasuyuki Kozakai authored
We usually uses 'xxx_find_get' for function which increments reference count. Signed-off-by:
Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by:
-
Patrick McHardy authored
This patch adds /proc/net/ip_conntrack, /proc/net/ip_conntrack_expect and /proc/net/stat/ip_conntrack files to keep old programs using them working. The /proc/net/ip_conntrack and /proc/net/ip_conntrack_expect files show only IPv4 entries, the /proc/net/stat/ip_conntrack shows global statistics. Signed-off-by: -
Patrick McHardy authored
This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: -
Patrick McHardy authored
Signed-off-by: -
Patrick McHardy authored
Add helper functions for sysctl registration with optional instantiating of common path elements (like net/netfilter) and use it for support for automatic registation of conntrack protocol sysctls. Signed-off-by: -
Patrick McHardy authored
Using extern in a C file is a bad idea because the compiler can't catch type errors. Signed-off-by: -
Patrick McHardy authored
Signed-off-by: -
Martin Josefsson authored
Only update the conntrack timer if there's been at least HZ jiffies since the last update. Reduces the number of del_timer/add_timer cycles from one per packet to one per connection per second (plus once for each state change of a connection) Should handle timer wraparounds and connection timeout changes. Signed-off-by:
Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by:
-
Martin Josefsson authored
Remove unused struct list_head from struct nf_conntrack_l3proto and nf_conntrack_l4proto as all protocols are kept in arrays, not linked lists. Signed-off-by:
-
Martin Josefsson authored
Minor whitespace cleanup. Signed-off-by:
-
Martin Josefsson authored
Remove the usage of ASSERT_READ_LOCK/ASSERT_WRITE_LOCK in nf_conntrack, it didn't do anything, it was just an empty define and it uglified the code. Signed-off-by:
-
Martin Josefsson authored
Add some more sanity checks when registering/unregistering l3/l4 protocols. Signed-off-by:
-
Martin Josefsson authored
Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets rather confusing with 'nf_conntrack_protocol'. Signed-off-by:
-
Martin Josefsson authored
Place rarely written variables in the read-mostly section by using __read_mostly Signed-off-by:
-
Martin Josefsson authored
This patch splits out L3/L4 protocol handling into its own file nf_conntrack_proto.c Signed-off-by:
-
Martin Josefsson authored
This patch splits out the event cache into its own file nf_conntrack_ecache.c Signed-off-by:
-
Martin Josefsson authored
This patch splits out handling of helpers into its own file nf_conntrack_helper.c Signed-off-by:
-
Martin Josefsson authored
This patch splits out expectation handling into its own file nf_conntrack_expect.c Signed-off-by:
-
David S. Miller authored
This helps Vegas cope better with delayed ACKs, see analysis at: http://www.cs.caltech.edu/%7Eweixl/technical/ns2linux/known_linux/index.html#vegasSigned-off-by:
David S. Miller <davem@davemloft.net>
-
Gerrit Renker authored
This patch implements a suggestion by Ian McDonald and 1) Avoids tests against negative packet lengths by using unsigned int for packet payload lengths in the CCID send_packet()/packet_sent() routines 2) As a consequence, it removes an now unnecessary test with regard to `len > 0' in ccid3_hc_tx_packet_sent: that condition is always true, since * negative packet lengths are avoided * ccid3_hc_tx_send_packet flags an error whenever the payload length is 0. As a consequence, ccid3_hc_tx_packet_sent is never called as all errors returned by ccid_hc_tx_send_packet are caught in dccp_write_xmit 3) Removes the third argument of ccid_hc_tx_send_packet (the `len' parameter), since it is currently always set to skb->len. The code is updated with regard to this parameter change. Signed-off-by:Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by:
Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by:
Arnaldo Carvalho de Melo <acme@mandriva.com>
-
Gerrit Renker authored
This implements the larger-initial-windows feature for CCID 3, as described in section 5 of RFC 4342. When the first feedback packet arrives, the sender can send up to 2..4 packets per RTT, instead of just one. The patch further * reduces the number of timestamping calls by passing the timestamp value (which is computed in one of the calling functions anyway) as argument * renames one constant with a very long name into one which is shorter and resembles the one in RFC 3448 (t_mbi) * simplifies some of the min_t/max_t cases where both `x', `y' have the same type Commiter note: renamed TFRC_t_mbi to TFRC_T_MBI, to follow Linux coding style. Signed-off-by:
-
Arnaldo Carvalho de Melo authored
To reflect the fact that this now is of no effect, not making apps stop working, just be warned in the system log. Signed-off-by: -
Gerrit Renker authored
This removes and cleans up unused variables and structures which have become unnecessary following the introduction of the EWMA patch to automatically track the CCID 3 receiver/sender packet sizes `s'. It deprecates the PACKET_SIZE socket option by returning an error code and printing a deprecation warning if an application tries to read or write this socket option. Signed-off-by:
-
Gerrit Renker authored
Problem:
-
Gerrit Renker authored
This corrects the setting of the nofeedback timer with regard to RFC 3448 - previously it was not set to max(4*R, 2*s/X) as specified. Using the maximum of 1 second as upper bound (as it was done before) can have detrimental effects, especially if R is small. Signed-off-by:
-
Gerrit Renker authored
This is in response to a request sent earlier by Eric W. Biederman and replaces all sysctl numbers for net.dccp.default with CTL_UNNUMBERED. It has been tested to compile and to work. Commiter note: I've removed the use of CTL_UNNUMBERED, not setting .ctl_name sets it to 0, that is the what CTL_UNNUMBERED is, reason is to avoid unneeded source code cluttering. Signed-off-by: -
Arnaldo Carvalho de Melo authored
[acme@newtoy net-2.6.20]$ pahole /tmp/tcp_ipv6.o inet_protosw /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/protocol.h:69 */ struct inet_protosw { struct list_head list; /* 0 8 */ short unsigned int type; /* 8 2 */ /* XXX 2 bytes hole, try to pack */ int protocol; /* 12 4 */ struct proto * prot; /* 16 4 */ const struct proto_ops * ops; /* 20 4 */ int capability; /* 24 4 */ char no_check; /* 28 1 */ unsigned char flags; /* 29 1 */ }; /* size: 32, sum members: 28, holes: 1, sum holes: 2, padding: 2 */ So that we can kill that hole, protocol can only go all the way to 255 (RAW). Signed-off-by: -
Arnaldo Carvalho de Melo authored
As this struct is not userland visible at all. Signed-off-by: -
Arnaldo Carvalho de Melo authored
With this we eliminate the last hole in struct tcp_sock. End result: [acme@newtoy net-2.6.20]$ codiff -sV /tmp/tcp.o.before net/ipv4/tcp.o /pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c: struct tcp_sock | -4 tcp_header_len; from: int /* 1000(0) 4(0) */ to: u16 /* 1000(0) 2(0) */ 1 struct changed [acme@newtoy net-2.6.20]$ Now sizeof(tcp_sock) is just... [acme@newtoy net-2.6.20]$ pahole --sizes ../OUTPUT/qemu/net-2.6.20/net/ipv4/tcp.o | grep -w tcp_sock struct tcp_sock: 1500 0 1500 bytes ;-) Signed-off-by: -
Gerrit Renker authored
This patch * removes setting t_RTO in ccid3_hc_tx_init (per [RFC 3448, 4.2], t_RTO is undefined until feedback has been received); * makes some trivial changes (updates of comments); * performs a small optimisation by exploiting that the feedback timeout uses the value of t_ipi. The way it is done is safe, because the timeouts appear after the changes to t_ipi, ensuring that up-to-date values are used; * in ccid3_hc_tx_packet_recv, moves the t_rto statement closer to the calculation of the next_tmout. This makes the code clearer to read and is also safe, since t_rto is not updated until the next call of ccid3_hc_tx_packet_recv, and is not read by the functions called via ccid_wait_for_ccid(); * removes a `max' statement in sk_reset_timer, this is not needed since the timeout value is always greater than 1E6 microseconds. * adds `XXX'es to highlight that currently the nofeedback timer is set in a non-standard way Signed-off-by:
-
Gerrit Renker authored
This patch: * consolidates updating of parameters (t_nom, t_ipi, t_delta) which need to be updated at the same time, since they are inter-dependent * removes two inline functions which are no longer needed as a result of the above consolidation * resolves a FIXME regarding the re-calculation of t_ipi within the nofeedback timer, in the state where no feedback has previously been received * ties updating these parameters to updating the sending rate X, exploiting that all three parameters in turn depend on X; and using a small optimisation which can reduce the number of required instructions: only update the three parameters when X really changes Signed-off-by:
-
Gerrit Renker authored
This patch concerns updating the value of the nofeedback timer when no feedback has been received so far. Since in this case the value of R is still undefined according to [RFC 3448, 4.2], we can not perform step (3) of [RFC 3448, 4.3]. A clarification is provided in [RFC 4342, sec. 5], which states that in these cases the nofeedback timer (still) expires "after two seconds". Many thanks to Ian McDonald for pointing this out and providing the clarification. The patch * implements [RFC 4342, sec. 5] with regard to the above case * consolidates handling timer restart by - adding an appropriate jump label and - initialising the timeout value Acked-by:
-
Jamal Hadi Salim authored
Caught by the EyeBalls(tm) of Thomas Graf Signed-off-by:
Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by:
-
