firefly-linux-kernel-4.4.55.git
Gerald Schaefer [Mon, 4 Dec 2006 14:40:45 +0000 (15:40 +0100)]
[S390] Add dynamic size check for usercopy functions.

Use a wrapper for copy_to/from_user to choose the best usercopy method.
The mvcos instruction is better for sizes greater than 256 bytes; if
mvcos is not available, a page table walk is better for sizes greater
than 1024 bytes. Also removed the redundant copy_to/from_user_std_small
functions.

Signed-off-by: Gerald Schaefer <geraldsc@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:42 +0000 (15:40 +0100)]
[S390] Use diag260 for memory size detection.

Avoid the tprot loop if diag260 works and reports that there are no
holes in memory. The tprot instruction can lead to a significant delay
in the ipl process if the virtual guest has a lot of memory and the
host is under memory pressure.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:40 +0000 (15:40 +0100)]
[S390] pfault code cleanup.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:38 +0000 (15:40 +0100)]
[S390] Cleanup memory_chunk array usage.

Need this at yet another file and don't want to add yet another
extern...

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:36 +0000 (15:40 +0100)]
[S390] Misaligned wait PSW at memory detection.

If the memory detection code would ever reach the point where it would
load the wait psw, it would generate a specification exception and the
system would crash at ipl time. This is because of a misaligned wait
psw. It needs to be on a double word boundary instead of a word
boundary.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:33 +0000 (15:40 +0100)]
[S390] cpu shutdown rework

Let one master cpu kill all other cpus instead of sending an external
interrupt to all other cpus so they can kill themselves.
Simplifies reipl/shutdown functions a lot.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:30 +0000 (15:40 +0100)]
[S390] cpcmd <-> __cpcmd calling issues

In case of reipl cpcmd gets called when all other cpus are not running
anymore. To prevent deadlocks change __cpcmd so that it doesn't take
any locks and call cpcmd or __cpcmd, whatever is correct in the current
context.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:28 +0000 (15:40 +0100)]
[S390] Bad kexec control page allocation.

KEXEC_CONTROL_MEMORY_LIMIT is an unsigned long value and therefore
should be defined as one. Otherwise the kexec control page can be
allocated above 2GB which will cause a specification exception on the
sam31 instruction in the s390 kexec relocation code.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:26 +0000 (15:40 +0100)]
[S390] Reset infrastructure for re-IPL.

In case of re-IPL and diag308 doesn't work we have to reset all devices
manually and wait synchronously that each reset finished.
This patch adds the necessary infrastructure and the first exploiter of it.

Subsystems that need to add a function that needs to be called at re-IPL
may register/unregister this function via

struct reset_call {
	struct reset_call *next;
	void (*fn)(void);
};

void register_reset_call(struct reset_call *reset);
void unregister_reset_call(struct reset_call *reset);

When the registered function gets called the context is:

- all cpus beside the current one are stopped
- all machine checks and interrupts are disabled
- prefixing is disabled
- a default machine check handler is available for use

The registered functions may not take any locks or sleep.

For the common I/O layer part of this patch:

Introduce a reset_call css_reset that does the following:
- clear all subchannels
- perform a rchp on all channel paths and wait for the resulting
  machine checks
This replaces the calls to clear_all_subchannels() and
cio_reset_channel_paths() for kexec and ccw reipl. reipl_ccw_dev() now
uses reipl_find_schid() to determine the subchannel id for a given
device id.
Also remove cio_reset_channel_paths() and friends since they are not
needed anymore.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Nicolas Kaiser [Mon, 4 Dec 2006 14:40:23 +0000 (15:40 +0100)]
[S390] Some documentation typos.

Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:20 +0000 (15:40 +0100)]
[S390] extmem unbalanced spin_lock.

segment save will exit with a lock held if the passed segment doesn't
exist. Any subsequent call to segment_save will lead to a deadlock.
Fix this and give up the lock before returning.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Horst Hummel [Mon, 4 Dec 2006 14:40:18 +0000 (15:40 +0100)]
[S390] return 'count' for successful execution of dasd_eer_enable.

Currently the return value of 'dasd_eer_enable' is returned - even if the
function returned '0'. Now return 'count' for successful execution.

Signed-off-by: Horst Hummel <horst.hummel@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Horst Hummel [Mon, 4 Dec 2006 14:40:15 +0000 (15:40 +0100)]
[S390] Enhanced handling of failed termination requests.

In case a request timed out and termination did not work, the console was
flooded with retry messages (every 1/10s). Now we use a 5s delay per retry and
generate a more precise message.

Signed-off-by: Horst Hummel <horst.hummel@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Michael Holzheu [Mon, 4 Dec 2006 14:40:13 +0000 (15:40 +0100)]
[S390] Use diag instead of ccw reipl.

Since the diag 308 reipl method is superior to the ccw method, we should
use it whenever it is possible. We can do that, if the user has not
specified a new reipl ccw device and the system has been ipled from
a ccw device.

Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cornelia Huck [Mon, 4 Dec 2006 14:40:10 +0000 (15:40 +0100)]
[S390] Add MODALIAS= to the uevent for the ap bus.

Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Martin Schwidefsky [Mon, 4 Dec 2006 14:40:07 +0000 (15:40 +0100)]
[S390] 3215 device locking.

Remove lock pointer from 3215 device structure. Use get_ccwdev_lock
for each use of the lock in the ccw-device structure.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Michael Holzheu [Mon, 4 Dec 2006 14:40:05 +0000 (15:40 +0100)]
[S390] No panic for failed reboot

If reboot fails (e.g. because wrong devno has been specified by the user),
we should just stop all cpus, but should not trigger a kernel panic.

Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:40:02 +0000 (15:40 +0100)]
[S390] termio <-> termios conversion error handling.

Get rid of our own user_termio_to_kernel_termios() and
kernel_termios_to_user_termio() macros which didn't check for errors
on user space accesses. Instead use the generic functions which
handle this properly.
In addition the generic version of user_termio_to_kernel_termios()
also copies the c_line member which was missing in our variant.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Ralph Wuerthner [Mon, 4 Dec 2006 14:40:00 +0000 (15:40 +0100)]
[S390] update interface notes in zcrypt.h

Signed-off-by: Ralph Wuerthner <rwuerthn@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Michael Holzheu [Mon, 4 Dec 2006 14:39:58 +0000 (15:39 +0100)]
[S390] Add ipl/reipl loadparm attribute.

If multiple kernel images are installed on one DASD, the loadparm can be used
to select the boot configuration. This patch introduces the following two new
sysfs attributes:

/sys/firmware/ipl/loadparm: shows loadparm of current system (ro)
/sys/firmware/reipl/ccw/loadparm: loadparm used for next reboot (rw)

Signed-off-by: Michael Holzheu <holzheu@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:39:55 +0000 (15:39 +0100)]
[S390] Add __must_check to uaccess functions.

Follow other architectures and add __must_check to uaccess functions.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Mon, 4 Dec 2006 14:39:52 +0000 (15:39 +0100)]
[S390] Remove unused GENERIC_BUST_SPINLOCK from Kconfig.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Horst Hummel [Mon, 4 Dec 2006 14:39:50 +0000 (15:39 +0100)]
[S390] handle incorrect values when writing to dasd sysfs attributes.

When writing to dasd attributes (e.g. readonly), all values besides '1'
are handled like '0'.
Other sysfs-attributes like 'online' are checking for '1' and for '0'
and do not accept other values. Therefore enhanced checking and error
handling in dasd_devmap attribute store functions.

Signed-off-by: Horst Hummel <horst.hummel@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Christian Borntraeger [Mon, 4 Dec 2006 14:39:47 +0000 (15:39 +0100)]
[S390] remove salipl memory detection.

The SALIPL entry point has a needless memory detection routine as we
later check the memory size again. The SALIPL code also uses diagnose
0x060 if we are running under VM, but this diagnose is not compatible
with the 64 bit addressing mode. The solution is to get rid of this
code and rely on the memory detection in the startup code.

Signed-off-by: Christian Borntraeger <cborntra@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Jeff Garzik [Mon, 4 Dec 2006 03:22:41 +0000 (22:22 -0500)]
Remove long-unmaintained ftape driver subsystem.

It's bitrotten, long unmaintained, long hidden under BROKEN_ON_SMP,
etc.  As scheduled in feature-removal-schedule.txt, and ack'd several
times on lkml.

Signed-off-by: Jeff Garzik <jeff@garzik.org>
Jamal Hadi Salim [Sun, 3 Dec 2006 06:22:25 +0000 (22:22 -0800)]
[XFRM]: Fix aevent structuring to be more complete.

aevents can not uniquely identify an SA. We break the ABI with this
patch, but consensus is that since it is not yet utilized by any
(known) application then it is fine (better do it now than later).

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yasuyuki Kozakai [Sun, 3 Dec 2006 06:19:01 +0000 (22:19 -0800)]
[NETFILTER]: xtables: fixes warning on compilation of hashlimit

To use ipv6_find_hdr(), IP6_NF_IPTABLES is necessary.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Dobriyan [Sun, 3 Dec 2006 06:17:48 +0000 (22:17 -0800)]
[ROSE] rose_add_loopback_node: propagate -E

David Binderman's icc logs:
net/rose/rose_route.c(399): remark #593: variable "err" was set but never used

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yasuyuki Kozakai [Sun, 3 Dec 2006 06:12:54 +0000 (22:12 -0800)]
[NETFILTER]: nf_conntrack: fix header inclusions for helpers

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:11:25 +0000 (22:11 -0800)]
[NETFILTER]: nf_conntrack: EXPORT_SYMBOL cleanup

- move EXPORT_SYMBOL next to exported symbol
- use EXPORT_SYMBOL_GPL since this is what the original code used

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:11:01 +0000 (22:11 -0800)]
[NETFILTER]: Mark old IPv4-only connection tracking scheduled for removal

Also remove the references to "new connection tracking" from Kconfig.
After some short stabilization period of the new connection tracking
helpers/NAT code the old one will be removed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:10:34 +0000 (22:10 -0800)]
[NETFILTER]: nf_nat: add SNMP NAT helper port

Add nf_conntrack port of the SNMP NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:10:18 +0000 (22:10 -0800)]
[NETFILTER]: nf_conntrack/nf_nat: add TFTP helper port

Add IPv4 and IPv6 capable nf_conntrack port of the TFTP conntrack/NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:09:57 +0000 (22:09 -0800)]
[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port

Add IPv4 and IPv6 capable nf_conntrack port of the SIP conntrack/NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:09:41 +0000 (22:09 -0800)]
[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port

Add nf_conntrack port of the PPtP conntrack/NAT helper. Since there seems
to be no IPv6-capable PPtP implementation the helper only supports IPv4.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:09:24 +0000 (22:09 -0800)]
[NETFILTER]: nf_conntrack: add NetBIOS name service helper port

Add nf_conntrack port of the NetBIOS name service conntrack helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:09:06 +0000 (22:09 -0800)]
[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port

Add nf_conntrack port of the IRC conntrack/NAT helper. Since DCC doesn't
support IPv6 yet, the helper is still IPv4 only.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:08:46 +0000 (22:08 -0800)]
[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port

Add IPv4 and IPv6 capable nf_conntrack port of the H.323 conntrack/NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:08:26 +0000 (22:08 -0800)]
[NETFILTER]: nf_conntrack/nf_nat: add amanda helper port

Add IPv4 and IPv6 capable nf_conntrack port of the Amanda conntrack/NAT helper.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:08:01 +0000 (22:08 -0800)]
[NETFILTER]: nf_conntrack: add helper function for expectation initialization

Expectation address masks need to be differently initialized depending
on the address family, create helper function to avoid cluttering up
the code too much.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jozsef Kadlecsik [Sun, 3 Dec 2006 06:07:44 +0000 (22:07 -0800)]
[NETFILTER]: nf_nat: add FTP NAT helper port

Add FTP NAT helper.

Split out from Jozsef's big nf_nat patch with a few small fixes by myself.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jozsef Kadlecsik [Sun, 3 Dec 2006 06:07:13 +0000 (22:07 -0800)]
[NETFILTER]: Add NAT support for nf_conntrack

Add NAT support for nf_conntrack. Joint work of Jozsef Kadlecsik,
Yasuyuki Kozakai, Martin Josefsson and myself.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:06:05 +0000 (22:06 -0800)]
[NETFILTER]: nf_conntrack: add module aliases to IPv4 conntrack names

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:05:46 +0000 (22:05 -0800)]
[NETFILTER]: Kconfig: improve conntrack selection

Improve the connection tracking selection (well, the user experience,
not really the aesthetics) by offering one option to enable connection
tracking and a choice between the implementations.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:05:25 +0000 (22:05 -0800)]
[NETFILTER]: nf_conntrack: automatic helper assignment for expectations

Some helpers (namely H.323) manually assign further helpers to expected
connections. This is not possible with nf_conntrack anymore since we
need to know whether a helper is used at allocation time.

Handle the helper assignment centrally, which allows to perform the
correct allocation and as a nice side effect eliminates the need
for the H.323 helper to fiddle with nf_conntrack_lock.

Mid term the allocation scheme really needs to be redesigned since
we do both the helper and expectation lookup _twice_ for every new
connection.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:05:08 +0000 (22:05 -0800)]
[NETFILTER]: nf_conntrack: endian annotations

Resync with Al Viro's ip_conntrack annotations and fix a missed
spot in ip_nat_proto_icmp.c.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:04:50 +0000 (22:04 -0800)]
[NETFILTER]: nf_conntrack: fix helper structure alignment

Adding the alignment to the size doesn't make any sense, what it
should do is align the size of the conntrack structure to the
alignment requirements of the helper structure and return an
aligned pointer in nfct_help().

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:04:24 +0000 (22:04 -0800)]
[NETFILTER]: nf_conntrack: fix NF_CONNTRACK_PROC_COMPAT dependency

NF_CONNTRACK_PROC_COMPAT depends on NF_CONNTRACK_IPV4, not NF_CONNTRACK.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sun, 3 Dec 2006 06:04:04 +0000 (22:04 -0800)]
[NET]: Accept wildcard delimiters in in[46]_pton

Accept -1 as delimiter to abort parsing without an error at the first
unknown character. This is needed by the upcoming nf_conntrack SIP
helper, where addresses are delimited by either '\r' or '\n' characters.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kim Nordlund [Sat, 2 Dec 2006 04:21:44 +0000 (20:21 -0800)]
[PKT_SCHED] act_gact: division by zero

Not returning -EINVAL, because someone might want to use the value
zero in some future gact_prob algorithm?

Signed-off-by: Kim Nordlund <kim.nordlund@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Sat, 2 Dec 2006 04:10:13 +0000 (20:10 -0800)]
[NETFILTER]: Kill ip_queue from feature removal schedule.

We really can't remove ip_queue. Many users use this, there is no binary
compatible interface and even the compat replacement for the originally
statically linked library doesn't work. There is also no real necessity
to remove the code, so the feature-removal-schedule entry should be
removed instead.

Signed-off-by: David S. Miller <davem@davemloft.net>
Jamal Hadi Salim [Sat, 2 Dec 2006 04:07:42 +0000 (20:07 -0800)]
[GENETLINK]: Add cmd dump completion.

Remove assumption that generic netlink commands cannot have dump
completion callbacks.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 1 Dec 2006 05:05:23 +0000 (21:05 -0800)]
[ATM]: Kill ipcommon.[ch]

All that remained was skb_migrate() and that was overkill
for what the two call sites were trying to do.

Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Fri, 1 Dec 2006 03:54:05 +0000 (19:54 -0800)]
[NET_SCHED]: policer: restore compatibility with old iproute binaries

The tc actions increased the size of struct tc_police, which broke
compatibility with old iproute binaries since both the act_police
and the old NET_CLS_POLICE code check for an exact size match.

Since the new members are not even used, the simple fix is to also
accept the size of the old structure. Dumping is not affected since
old userspace will receive a bigger structure, which is handled fine.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Adrian Bunk [Fri, 1 Dec 2006 03:50:36 +0000 (19:50 -0800)]
[PKT_SCHED]: Remove unused exports.

This patch removes the following unused EXPORT_SYMBOL's:
- sch_api.c: qdisc_lookup
- sch_generic.c: __netdev_watchdog_up
- sch_generic.c: noop_qdisc_ops
- sch_generic.c: qdisc_alloc

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:28:48 +0000 (19:28 -0800)]
[EBTABLES]: Split ebt_replace into user and kernel variants, annotate.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:28:25 +0000 (19:28 -0800)]
[EBTABLES]: Clean ebt_register_table() up.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:28:08 +0000 (19:28 -0800)]
[EBTABLES]: Move calls of ebt_verify_pointers() upstream.

... and pass just repl->name to translate_table()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:27:48 +0000 (19:27 -0800)]
[EBTABLES]: ebt_check_entry() doesn't need valid_hooks

We can check newinfo->hook_entry[...] instead.
Kill unused argument.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:27:32 +0000 (19:27 -0800)]
[EBTABLES]: Clean ebt_get_udc_positions() up.

Check for valid_hooks is redundant (newinfo->hook_entry[i] will
be NULL if bit i is not set).  Kill it, kill unused arguments.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:27:13 +0000 (19:27 -0800)]
[EBTABLES]: Switch ebt_check_entry_size_and_hooks() to use of newinfo->hook_entry[]

kill unused arguments

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:26:53 +0000 (19:26 -0800)]
[EBTABLES]: translate_table(): switch direct uses of repl->hook_info to newinfo

Since newinfo->hook_table[] already has been set up, we can switch to using
it instead of repl->{hook_info,valid_hooks}.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:26:35 +0000 (19:26 -0800)]
[EBTABLES]: Move more stuff into ebt_verify_pointers().

Take initialization of ->hook_entry[...], ->entries_size and ->nentries
over there, pull the check for empty chains into the end of that sucker.

Now it's self-contained, so we can move it up in the very beginning of
translate_table() *and* we can rely on ->hook_entry[] being properly
transliterated after it.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:26:14 +0000 (19:26 -0800)]
[EBTABLES]: Pull the loop doing __ebt_verify_pointers() into a separate function.

It's easier to expand the iterator here *and* we'll be able to move all
uses of ebt_replace from translate_table() into this one.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:25:51 +0000 (19:25 -0800)]
[EBTABLES]: Split ebt_check_entry_size_and_hooks

Split ebt_check_entry_size_and_hooks() in two parts - one that does
sanity checks on pointers (basically, checks that we can safely
use iterator from now on) and the rest of it (looking into details
of entry).

The loop applying ebt_check_entry_size_and_hooks() is split in two.

Populating newinfo->hook_entry[] is done in the first part.

Unused arguments killed.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:25:21 +0000 (19:25 -0800)]
[EBTABLES]: Prevent wraparounds in checks for entry components' sizes.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:24:49 +0000 (19:24 -0800)]
[EBTABLES]: Deal with the worst-case behaviour in loop checks.

No need to revisit a chain we'd already finished with during
the check for current hook.  It's either instant loop (which
we'd just detected) or a duplicate work.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:24:12 +0000 (19:24 -0800)]
[EBTABLES]: Verify that ebt_entries have zero ->distinguisher.

We need that for iterator to work; existing check had been too weak.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Fri, 1 Dec 2006 03:22:42 +0000 (19:22 -0800)]
[EBTABLES]: Fix wraparounds in ebt_entries verification.

We need to verify that
a) we are not too close to the end of buffer to dereference
b) next entry we'll be checking won't be _before_ our

While we are at it, don't subtract unrelated pointers...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Morton [Fri, 1 Dec 2006 03:16:28 +0000 (19:16 -0800)]
[TCP]: Fix warnings with TCP_MD5SIG disabled.

Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Adrian Bunk [Fri, 1 Dec 2006 01:22:29 +0000 (17:22 -0800)]
[NET]: Possible cleanups.

This patch contains the following possible cleanups:
- make the following needlessly global functions static:
  - ipv4/tcp.c: __tcp_alloc_md5sig_pool()
  - ipv4/tcp_ipv4.c: tcp_v4_reqsk_md5_lookup()
  - ipv4/udplite.c: udplite_rcv()
  - ipv4/udplite.c: udplite_err()
- make the following needlessly global structs static:
  - ipv4/tcp_ipv4.c: tcp_request_sock_ipv4_ops
  - ipv4/tcp_ipv4.c: tcp_sock_ipv4_specific
  - ipv6/tcp_ipv6.c: tcp_request_sock_ipv6_ops
- net/ipv{4,6}/udplite.c: remove inline's from static functions
                          (gcc should know best when to inline them)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[IPSEC]: Add AF_KEY interface for encapsulation family.
Miika Komu [Fri, 1 Dec 2006 00:41:50 +0000 (16:41 -0800)]
[IPSEC]: Add AF_KEY interface for encapsulation family.

Signed-off-by: Miika Komu <miika@iki.fi>
Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi>
Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org>
18 years ago[IPSEC]: Add netlink interface for the encapsulation family.
Miika Komu [Fri, 1 Dec 2006 00:40:51 +0000 (16:40 -0800)]
[IPSEC]: Add netlink interface for the encapsulation family.

Signed-off-by: Miika Komu <miika@iki.fi>
Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi>
Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[IPSEC]: Add encapsulation family.
Miika Komu [Fri, 1 Dec 2006 00:40:43 +0000 (16:40 -0800)]
[IPSEC]: Add encapsulation family.

Signed-off-by: Miika Komu <miika@iki.fi>
Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi>
Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[TCP] MD5SIG: Kill CONFIG_TCP_MD5SIG_DEBUG.
David S. Miller [Fri, 1 Dec 2006 00:35:01 +0000 (16:35 -0800)]
[TCP] MD5SIG: Kill CONFIG_TCP_MD5SIG_DEBUG.

It just obfuscates the code and adds limited value.  And as Adrian
Bunk noticed, it lacked Kconfig help text too, so just kill it.

Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: Fix endless loops (part 5): netem/tbf/hfsc ->requeue failures
Patrick McHardy [Thu, 30 Nov 2006 01:37:42 +0000 (17:37 -0800)]
[NET_SCHED]: Fix endless loops (part 5): netem/tbf/hfsc ->requeue failures

When peeking at the next packet in a child qdisc by calling dequeue/requeue,
the upper qdisc qlen counter may get out of sync in case the requeue fails.
The qdisc and the child qdisc both have their counter decremented, but since
no packet is given to the upper qdisc it won't decrement its counter itself.

requeue should not fail, so this is mostly for "correctness".

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: Fix endless loops (part 4): HTB
Patrick McHardy [Thu, 30 Nov 2006 01:37:05 +0000 (17:37 -0800)]
[NET_SCHED]: Fix endless loops (part 4): HTB

Convert HTB to use qdisc_tree_decrease_len() and add a callback
for deactivating a class when its child queue becomes empty.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: Fix endless loops (part 3): HFSC
Patrick McHardy [Thu, 30 Nov 2006 01:36:43 +0000 (17:36 -0800)]
[NET_SCHED]: Fix endless loops (part 3): HFSC

Convert HFSC to use qdisc_tree_decrease_len() and add a callback
for deactivating a class when its child queue becomes empty.

All queue purging goes through hfsc_purge_queue(), which is used in
three cases: grafting, class creation (when a leaf class is turned
into an intermediate class by attaching a new class) and class
deletion. In all cases qdisc_tree_decrease_len() is needed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs
Patrick McHardy [Thu, 30 Nov 2006 01:36:20 +0000 (17:36 -0800)]
[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs

Convert the "simple" qdiscs to use qdisc_tree_decrease_qlen() where
necessary:

- all graft operations
- destruction of old child qdiscs in prio, red and tbf change operation
- purging of queue in sfq change operation

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: Fix endless loops caused by inaccurate qlen counters (part 1)
Patrick McHardy [Thu, 30 Nov 2006 01:35:48 +0000 (17:35 -0800)]
[NET_SCHED]: Fix endless loops caused by inaccurate qlen counters (part 1)

There are multiple problems related to qlen adjustment that can lead
to an upper qdisc getting out of sync with the real number of packets
queued, leading to endless dequeueing attempts by the upper layer code.

All qdiscs must maintain an accurate q.qlen counter. There are basically
two groups of operations affecting the qlen: operations that propagate
down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the
root qdisc and operations only affecting a subtree or single qdisc
(change, graft, delete class). Since qlen changes during operations from
the second group don't propagate to ancestor qdiscs, their qlen values
become desynchronized.

This patch adds a function to propagate qlen changes up the qdisc tree,
optionally calling a callback function to perform qdisc-internal
maintenance when the child qdisc becomes empty. The follow-up patches
will convert all qdiscs to use this function where necessary.

Noticed by Timo Steinbach <tsteinbach@astaro.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: Set parent classid in default qdiscs
Patrick McHardy [Thu, 30 Nov 2006 01:35:18 +0000 (17:35 -0800)]
[NET_SCHED]: Set parent classid in default qdiscs

Set parent classids in default qdiscs to allow walking up the tree
from outside the qdiscs. This is needed by the next patch.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years ago[NET_SCHED]: sch_htb: perform qlen adjustment immediately in ->delete
Patrick McHardy [Thu, 30 Nov 2006 01:34:50 +0000 (17:34 -0800)]
[NET_SCHED]: sch_htb: perform qlen adjustment immediately in ->delete

qlen adjustment should happen immediately in ->delete and not in the
class destroy function because the reference count will not hit zero in
->delete (sch_api holds a reference) but in ->put. Since the qdisc
lock is released between deletion of the class and final destruction
this creates an externally visible error in the qlen counter.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
18 years agoRename class_destroy to avoid namespace conflicts.
James Morris [Wed, 29 Nov 2006 21:50:27 +0000 (16:50 -0500)]
Rename class_destroy to avoid namespace conflicts.

We're seeing increasing namespace conflicts between the global
class_destroy() function declared in linux/device.h, and the private
function in the SELinux core code.  This patch renames the SELinux
function to cls_destroy() to avoid this conflict.

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
18 years agoNetLabel: add the ranged tag to the CIPSOv4 protocol
Paul Moore [Wed, 29 Nov 2006 18:18:20 +0000 (13:18 -0500)]
NetLabel: add the ranged tag to the CIPSOv4 protocol

Add support for the ranged tag (tag type #5) to the CIPSOv4 protocol.

The ranged tag allows for seven, or eight if zero is the lowest category,
category ranges to be specified in a CIPSO option.  Each range is specified by
two unsigned 16 bit fields, each with a maximum value of 65534.  The two values
specify the start and end of the category range; if the start of the category
range is zero then it is omitted.

See Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt for more details.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
18 years agoNetLabel: add the enumerated tag to the CIPSOv4 protocol
Paul Moore [Wed, 29 Nov 2006 18:18:19 +0000 (13:18 -0500)]
NetLabel: add the enumerated tag to the CIPSOv4 protocol

Add support for the enumerated tag (tag type #2) to the CIPSOv4 protocol.

The enumerated tag allows for 15 categories to be specified in a CIPSO option,
where each category is an unsigned 16 bit field with a maximum value of 65534.

See Documentation/netlabel/draft-ietf-cipso-ipsecurity-01.txt for more details.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
18 years agoNetLabel: convert to an extensibile/sparse category bitmap
Paul Moore [Wed, 29 Nov 2006 18:18:18 +0000 (13:18 -0500)]
NetLabel: convert to an extensibile/sparse category bitmap

The original NetLabel category bitmap was a straight char bitmap which worked
fine for the initial release as it only supported 240 bits due to limitations
in the CIPSO restricted bitmap tag (tag type 0x01).  This patch converts that
straight char bitmap into an extensible/sparse bitmap in order to lay the
foundation for other CIPSO tag types and protocols.

This patch also has a nice side effect in that all of the security attributes
passed by NetLabel into the LSM are now in a format which is in the host's
native byte/bit ordering which makes the LSM specific code much simpler; look
at the changes in security/selinux/ss/ebitmap.c as an example.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
18 years ago[NETFILTER]: remove the reference to ipchains from Kconfig
Pablo Neira Ayuso [Wed, 29 Nov 2006 01:35:43 +0000 (02:35 +0100)]
[NETFILTER]: remove the reference to ipchains from Kconfig

It is time to move on :-)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: Fix PROC_FS=n warnings
Patrick McHardy [Wed, 29 Nov 2006 01:35:42 +0000 (02:35 +0100)]
[NETFILTER]: Fix PROC_FS=n warnings

Fix some unused function/variable warnings.

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: remove remaining ASSERT_{READ,WRITE}_LOCK
Patrick McHardy [Wed, 29 Nov 2006 01:35:41 +0000 (02:35 +0100)]
[NETFILTER]: remove remaining ASSERT_{READ,WRITE}_LOCK

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: ebtables: add --snap-arp option
Bart De Schuymer [Wed, 29 Nov 2006 01:35:40 +0000 (02:35 +0100)]
[NETFILTER]: ebtables: add --snap-arp option

The attached patch adds --snat-arp support, which makes it possible to
change the source mac address in both the mac header and the arp header
with one rule.

Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: x_tables: add NFLOG target
Patrick McHardy [Wed, 29 Nov 2006 01:35:38 +0000 (02:35 +0100)]
[NETFILTER]: x_tables: add NFLOG target

Add new NFLOG target to allow use of nfnetlink_log for both IPv4 and IPv6.
Currently we have two (unsupported by userspace) hacks in the LOG and ULOG
targets to optionally call to the nflog API. They lack a few features,
namely the IPv4 and IPv6 LOG targets can not specify a number of arguments
related to nfnetlink_log, while the ULOG target is only available for IPv4.
Remove those hacks and add a clean way to use nfnetlink_log.

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6
Patrick McHardy [Wed, 29 Nov 2006 01:35:36 +0000 (02:35 +0100)]
[NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: nfnetlink_log: remove useless prefix length limitation
Patrick McHardy [Wed, 29 Nov 2006 01:35:34 +0000 (02:35 +0100)]
[NETFILTER]: nfnetlink_log: remove useless prefix length limitation

There is no reason for limiting netlink attributes in size.

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink
Eric Leblond [Wed, 29 Nov 2006 01:35:33 +0000 (02:35 +0100)]
[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink

Signed-off-by: Eric Leblond <eric@inl.fr>
Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: ctnetlink: rework conntrack fields dumping logic on events
Pablo Neira Ayuso [Wed, 29 Nov 2006 01:35:32 +0000 (02:35 +0100)]
[NETFILTER]: ctnetlink: rework conntrack fields dumping logic on events

               |   NEW   | UPDATE  | DESTROY |
     ----------------------------------------|
     tuples    |    Y    |    Y    |    Y    |
     status    |    Y    |    Y    |    N    |
     timeout   |    Y    |    Y    |    N    |
     protoinfo |    S    |    S    |    N    |
     helper    |    S    |    S    |    N    |
     mark      |    S    |    S    |    N    |
     counters  |    F    |    F    |    Y    |

 Legend:
         Y: yes
         N: no
         S: iif the field is set
         F: iif overflow

This patch also replaces IPCT_HELPINFO by IPCT_HELPER since we want to
track the helper assignation process, not the changes in the private
information held by the helper.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: ctnetlink: check for status attribute existence on conntrack creation
Pablo Neira Ayuso [Wed, 29 Nov 2006 01:35:31 +0000 (02:35 +0100)]
[NETFILTER]: ctnetlink: check for status attribute existence on conntrack creation

Check that status flags are available in the netlink message received
to create a new conntrack.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: sip conntrack: better NAT handling
Patrick McHardy [Wed, 29 Nov 2006 01:35:30 +0000 (02:35 +0100)]
[NETFILTER]: sip conntrack: better NAT handling

The NAT handling of the SIP helper has a few problems:

- Request headers are only mangled in the reply direction, From/To headers
  not at all, which can lead to authentication failures with DNAT in case
  the authentication domain is the IP address

- Contact headers in responses are only mangled for REGISTER responses

- Headers may be mangled even though they contain addresses not
  participating in the connection, like alternative addresses

- Packets are dropped when domain names are used where the helper expects
  IP addresses

This patch takes a different approach, instead of fixed rules what field
to mangle to what content, it adds symmetric mapping of From/To/Via/Contact
headers, which allows to deal properly with echoed addresses in responses
and foreign addresses not belonging to the connection.

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: sip conntrack: make header shortcuts optional
Patrick McHardy [Wed, 29 Nov 2006 01:35:28 +0000 (02:35 +0100)]
[NETFILTER]: sip conntrack: make header shortcuts optional

Not every header has a shortcut, so make them optional instead
of searching for the same string twice.

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: sip conntrack: do case insensitive SIP header search
Patrick McHardy [Wed, 29 Nov 2006 01:35:27 +0000 (02:35 +0100)]
[NETFILTER]: sip conntrack: do case insensitive SIP header search

SIP headers are generally case-insensitive, only SDP headers are
case sensitive.

Signed-off-by: Patrick McHardy <kaber@trash.net>
18 years ago[NETFILTER]: sip conntrack: minor cleanup
Patrick McHardy [Wed, 29 Nov 2006 01:35:26 +0000 (02:35 +0100)]
[NETFILTER]: sip conntrack: minor cleanup

- Use enum for header field enumeration
- Use numerical value instead of pointer to header info structure to
  identify headers, unexport ct_sip_hdrs
- group SIP and SDP entries in header info structure
- remove double forward declaration of ct_sip_get_info

Signed-off-by: Patrick McHardy <kaber@trash.net>