summaryrefslogtreecommitdiffstats
path: root/net
AgeCommit message (Collapse)AuthorFilesLines
2012-06-20batman-adv: Prefix send non-static functions with batadv_Sven Eckelmann11-41/+46
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix routing non-static functions with batadv_Sven Eckelmann7-74/+80
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix ring_buffer non-static functions with batadv_Sven Eckelmann3-11/+13
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix originator non-static functions with batadv_Sven Eckelmann13-131/+134
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix icmp-socket non-static functions with batadv_Sven Eckelmann5-11/+11
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix hash non-static functions with batadv_Sven Eckelmann6-16/+16
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix hard-interface non-static functions with batadv_Sven Eckelmann6-41/+43
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix gateway-common non-static functions with batadv_Sven Eckelmann4-12/+16
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix gateway-client non-static functions with batadv_Sven Eckelmann10-46/+51
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix bridge_loop_avoidance non-static functions with batadv_Sven Eckelmann8-58/+62
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix bitarray non-static functions with batadv_Sven Eckelmann4-11/+11
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix bat_sysfs non-static functions with batadv_Sven Eckelmann5-20/+21
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix bat_debugfs non-static functions with batadv_Sven Eckelmann5-16/+17
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-20batman-adv: Prefix bat_algo non-static functions with batadv_Sven Eckelmann3-3/+3
batman-adv can be compiled as part of the kernel instead of an module. In that case the linker will see all non-static symbols of batman-adv and all other non-static symbols of the kernel. This could lead to symbol collisions. A prefix for the batman-adv symbols that defines their private namespace avoids such a problem. Reported-by: David Miller <davem@davemloft.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-19ipv4: Early TCP socket demux.David S. Miller6-22/+104
Input packet processing for local sockets involves two major demuxes. One for the route and one for the socket. But we can optimize this down to one demux for certain kinds of local sockets. Currently we only do this for established TCP sockets, but it could at least in theory be expanded to other kinds of connections. If a TCP socket is established then it's identity is fully specified. This means that whatever input route was used during the three-way handshake must work equally well for the rest of the connection since the keys will not change. Once we move to established state, we cache the receive packet's input route to use later. Like the existing cached route in sk->sk_dst_cache used for output packets, we have to check for route invalidations using dst->obsolete and dst->ops->check(). Early demux occurs outside of a socket locked section, so when a route invalidation occurs we defer the fixup of sk->sk_rx_dst until we are actually inside of established state packet processing and thus have the socket locked. Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-19inet: Sanitize inet{,6} protocol demux.David S. Miller8-45/+31
Don't pretend that inet_protos[] and inet6_protos[] are hashes, thay are just a straight arrays. Remove all unnecessary hash masking. Document MAX_INET_PROTOS. Use RAW_HTABLE_SIZE when appropriate. Reported-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-19Merge branch 'master' of git://gitorious.org/linux-can/linux-can-nextDavid S. Miller2-31/+135
Marc Kleine-Budde says: ==================== here is our second pull request for net-next. In this series Federico Vaga adds a pci driver for c_can/d_can hardware using the existing generic c_can driver. The remaining 6 patches are by Oliver Hartkopp. He adds CANFD support to the CAN stack while keeping binary compatibility for existing applications. CANFD is an extension to the existing CAN standard, it allows longer CAN frames and/or higher data rates. There's no real hardware available yet, but this series adds CANFD support to the vcan driver. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-19Merge branch 'for-davem' of ↵David S. Miller27-1451/+2555
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next John Linville says: ==================== This is a sizeable batch of updates intended for 3.6... The bulk of the changes here are Bluetooth. Gustavo says: Here goes the first Bluetooth pull request for 3.6, we have queued quite a lot of work. Andrei Emeltchenko added the AMP Manager code, a lot of work is needed, but the first bit are already there. This code is disabled by default. Mat Martineau changed the whole L2CAP ERTM state machine code, replacing the old one with a new implementation. Besides that we had lot of coding style fixes (to follow net rules), more l2cap core separation from socket and many clean ups and fixed all over the tree. Along with the above, there is a healthy dose of ath9k, iwlwifi, and other driver updates. There is also another pull from the wireless tree to resolve some merge issues. I also fixed-up some merge discrepencies between net-next and wireless-next. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-19canfd: add support for CAN FD in CAN_RAW socketsOliver Hartkopp1-4/+46
- introduce a new sockopt CAN_RAW_FD_FRAMES to allow CAN FD frames - handle CAN frames and CAN FD frames simultaneously when enabled Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2012-06-19canfd: add support for CAN FD in PF_CAN coreOliver Hartkopp1-27/+82
- handle ETH_P_CAN and ETH_P_CANFD skbuffs - update sanity checks for CAN and CAN FD - make sure the CAN frame can pass the selected CAN netdevice on send - bump core version and abi version to indicate the new CAN FD support Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2012-06-19canfd: add new data structures and constantsOliver Hartkopp1-0/+7
- add new struct canfd_frame - check identical element offsets in struct can_frame and struct canfd_frame - new ETH_P_CANFD definition to tag CAN FD skbs correctly - add CAN_MTU and CANFD_MTU definitions for easy frame and mode detection - add CAN[FD]_MAX_[DLC|DLEN] helper constants to remove hard coded values - update existing struct can_frame with helper constants and comments Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2012-06-19Merge branch 'master' of ↵John W. Linville27-1451/+2555
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem Conflicts: drivers/net/wireless/iwlwifi/dvm/testmode.c drivers/net/wireless/iwlwifi/pcie/trans.c
2012-06-18Merge branch 'master' of git://1984.lsi.us.es/nf-nextDavid S. Miller6-67/+144
Pablo says: ==================== The following patchset provides fixes for issues that were recently introduced by my new cthelper infrastructure. They have been spotted by Randy Dunlap, Andrew Morton and Dan Carpenter. The patches provide: * compilation fixes if CONFIG_NF_CONNTRACK is disabled: I moved all the conntrack code from nfnetlink_queue.c to nfnetlink_queue_ct.c to avoid peppering the entire code with lots of ifdefs. I needed to rename nfnetlink_queue.c to nfnetlink_queue_core.c to get it working with the Makefile tweaks I've added. * fix NULL pointer dereference via ctnetlink while trying to change the helper for an existing conntrack entry. I don't find any reasonable use case for changing the helper from one to another in run-time. Thus, now ctnetlink returns -EOPNOTSUPP for this operation. * fix possible out-of-bound zeroing of the conntrack extension area due to the helper automatic assignation routine. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-19netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabledPablo Neira Ayuso5-47/+121
In "9cb0176 netfilter: add glue code to integrate nfnetlink_queue and ctnetlink" the compilation with NF_CONNTRACK disabled is broken. This patch fixes this issue. I have moved the conntrack part into nfnetlink_queue_ct.c to avoid peppering the entire nfnetlink_queue.c code with ifdefs. I also needed to rename nfnetlink_queue.c to nfnetlink_queue_pkt.c to update the net/netfilter/Makefile to support conditional compilation of the conntrack integration. This patch also adds CONFIG_NETFILTER_QUEUE_CT in case you want to explicitly disable the integration between nf_conntrack and nfnetlink_queue. Reported-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-06-19netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unsetPablo Neira Ayuso2-9/+13
This patch fixes the compilation of net/netfilter/nfnetlink_cthelper.c if CONFIG_NF_CONNTRACK is not set. This patch also moves the definition of the cthelper infrastructure to the scope of NF_CONNTRACK things. I have also renamed NETFILTER_NETLINK_CTHELPER by NF_CT_NETLINK_HELPER, to use similar names to other nf_conntrack_netlink extensions. Better now that this has been only for two days in David's tree. Two new dependencies have been added: * NF_CT_NETLINK * NETFILTER_NETLINK_QUEUE Since these infrastructure requires both ctnetlink and nfqueue. Reported-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-06-19netfilter: nf_ct_helper: disable automatic helper re-assignment of different ↵Pablo Neira Ayuso1-1/+7
type This patch modifies __nf_ct_try_assign_helper in a way that invalidates support for the following scenario: 1) attach the helper A for first time when the conntrack is created 2) attach new (different) helper B due to changes the reply tuple caused by NAT eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers loaded, which seems to be a quite unorthodox scenario. I can provide a more elaborated patch to support this scenario but explicit helper attachment provides a better solution for this since now the use can attach the helpers consistently, without relying on the automatic helper lookup magic. This patch fixes a possible out of bound zeroing of the conntrack helper extension if the helper B uses more memory for its private data than helper A. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-06-19netfilter: ctnetlink: fix NULL dereference while trying to change helperPablo Neira Ayuso1-10/+3
The patch 1afc56794e03: "netfilter: nf_ct_helper: implement variable length helper private data" from Jun 7, 2012, leads to the following Smatch complaint: net/netfilter/nf_conntrack_netlink.c:1231 ctnetlink_change_helper() error: we previously assumed 'help->helper' could be null (see line 1228) This NULL dereference can be triggered with the following sequence: 1) attach the helper for first time when the conntrack is created. 2) remove the helper module or detach the helper from the conntrack via ctnetlink. 3) attach helper again (the same or different one, no matter) to the that existing conntrack again via ctnetlink. This patch fixes the problem by removing the use case that allows you to re-assign again a helper for one conntrack entry via ctnetlink since I cannot find any practical use for it. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-06-18batman-adv: only store changed gw_bandwidth valuesMarek Lindner1-0/+3
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: fix locking in hash_add()Matthias Schiffer1-9/+6
To ensure an entry isn't added twice all comparisons have to be protected by the hash line write spinlock. This doesn't really hurt as the case that it is tried to add an element already present to the hash shouldn't occur very often, so in most cases the lock would have have to be taken anyways. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> Acked-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: use DBG_ALL in log_level sysfs definitionAntonio Quartulli1-1/+1
Each time a new log level is added the developer must change either the DBG_ALL enum definition and the hard coded value in the bat_sysfs.c for the log_level attribute max value. This is extremely error prone. With this patch the code directly uses DBG_ALL in the sysfs definition Signed-off-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: turn tt commit code into routing protocol agnostic APIMarek Lindner5-104/+118
Prior to this patch the translation table code made assumptions about how the routing protocol works and where its buffers are stored (to directly modify them). Each protocol now calls the tt code with the relevant pointers, thereby abstracting the code. Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Acked-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: fix visualization output without neighbors on the primary interfaceMatthias Schiffer1-7/+14
The primary entry and the corresponding secondary entries are missing when there are no neighbors on the primary interface. This also causes the TT entries to miss and makes nodes with multiply secondary interface fall apart since there is no way to see they are related without a primary entry. Fix this by always emitting a primary entry. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: don't bother flipping ->tt_crcAl Viro2-9/+3
Keep it net-endian Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: don't bother flipping ->tt_dataAl Viro3-12/+10
just keep it net-endian all along Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> [lindner_marek@yahoo.de: fix checkpatch warnings] Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: Return error codes instead of -1 on failuresSven Eckelmann10-48/+58
Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: keep batman_ogm_packet ->seqno net-endian all alongAl Viro2-12/+12
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: trivial endianness annotationsAl Viro2-9/+9
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: get rid of pointless cast in memcpy()Al Viro1-1/+1
memcpy() arguments are void *, precisely to avoid that kind of pointless casts. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: return added entries instead of number of possibly added entriesMarek Lindner1-1/+1
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Acked-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: ignore trailing CR when comparing protocol namesMarek Lindner1-3/+8
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: avoid characters requiring shell escapes in protocol namesMarek Lindner2-2/+2
Reported-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: Add get_ethtool_stats() supportMartin Hundebøll7-3/+138
Added additional counters in a bat_stats structure, which are exported through the ethtool api. The counters are specific to batman-adv and includes: forwarded packets and bytes management packets and bytes (aggregated OGMs at this point) translation table packets New counters are added by extending "enum bat_counters" in types.h and adding corresponding descriptive string(s) to bat_counters_strings in soft-iface.c. Counters are increased by calling batadv_add_counter() and incremented by one by calling batadv_inc_counter(). Signed-off-by: Martin Hundebøll <martin@hundeboll.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: convert bat_priv->tt_crc from atomic_t to uint16_tAntonio Quartulli3-4/+3
In the code we neever need to atomically check and set the bat_priv->tt_crc field value. It is simply set and read once in different pieces of the code. Therefore this field can be safely be converted from atomic_t to uint16_t. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Antonio Quartulli <ordex@autistici.org> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: Initialize lockdep class keys for hashesSven Eckelmann3-0/+26
The hash for claim and backbone hash in the bridge loop avoidance code receive the same key because they are getting initialized by hash_new with the same key. Lockdep will create a backtrace when they are used recursively. This can be avoided by reinitializing the key directly after the hash_new. Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: fix skb->data assignmentAntonio Quartulli1-0/+2
skb_linearize(skb) possibly rearranges the skb internal data and then changes the skb->data pointer value. For this reason any other pointer in the code that was assigned skb->data before invoking skb_linearise(skb) must be re-assigned. In the current tt_query message handling code this is not done and therefore, in case of skb linearization, the pointer used to handle the packet header ends up in pointing to poisoned memory. The packet is then dropped but the translation-table mechanism is corrupted. Signed-off-by: Antonio Quartulli <ordex@autistici.org> Cc: <stable@vger.kernel.org> Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-18batman-adv: update internal version numberSven Eckelmann1-1/+1
Signed-off-by: Sven Eckelmann <sven@narfation.org>
2012-06-17ipv4: Cap ADVMSS metric in the FIB rather than the routing cache.David S. Miller2-3/+6
It makes no sense to execute this limit test every time we create a routing cache entry. We can't simply error out on these things since we've silently accepted and truncated them forever. Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-16Merge branch 'master' of git://1984.lsi.us.es/nf-nextDavid S. Miller25-144/+1116
Pablo says: ==================== This is the second batch of Netfilter updates for net-next. It contains the kernel changes for the new user-space connection tracking helper infrastructure. More details on this infrastructure are provides here: http://lwn.net/Articles/500196/ Still, I plan to provide some official documentation through the conntrack-tools user manual on how to setup user-space utilities for this. So far, it provides two helper in user-space, one for NFSv3 and another for Oracle/SQLnet/TNS. Yet in my TODO list. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-16netfilter: add user-space connection tracking helper infrastructurePablo Neira Ayuso6-25/+768
There are good reasons to supports helpers in user-space instead: * Rapid connection tracking helper development, as developing code in user-space is usually faster. * Reliability: A buggy helper does not crash the kernel. Moreover, we can monitor the helper process and restart it in case of problems. * Security: Avoid complex string matching and mangling in kernel-space running in privileged mode. Going further, we can even think about running user-space helpers as a non-root process. * Extensibility: It allows the development of very specific helpers (most likely non-standard proprietary protocols) that are very likely not to be accepted for mainline inclusion in the form of kernel-space connection tracking helpers. This patch adds the infrastructure to allow the implementation of user-space conntrack helpers by means of the new nfnetlink subsystem `nfnetlink_cthelper' and the existing queueing infrastructure (nfnetlink_queue). I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into two pieces. This change is required not to break NAT sequence adjustment and conntrack confirmation for traffic that is enqueued to our user-space conntrack helpers. Basic operation, in a few steps: 1) Register user-space helper by means of `nfct': nfct helper add ftp inet tcp [ It must be a valid existing helper supported by conntrack-tools ] 2) Add rules to enable the FTP user-space helper which is used to track traffic going to TCP port 21. For locally generated packets: iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp For non-locally generated packets: iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp 3) Run the test conntrackd in helper mode (see example files under doc/helper/conntrackd.conf conntrackd 4) Generate FTP traffic going, if everything is OK, then conntrackd should create expectations (you can check that with `conntrack': conntrack -E expect [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp [DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp This confirms that our test helper is receiving packets including the conntrack information, and adding expectations in kernel-space. The user-space helper can also store its private tracking information in the conntrack structure in the kernel via the CTA_HELP_INFO. The kernel will consider this a binary blob whose layout is unknown. This information will be included in the information that is transfered to user-space via glue code that integrates nfnetlink_queue and ctnetlink. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-06-16netfilter: ctnetlink: add CTA_HELP_INFO attributePablo Neira Ayuso1-5/+18
This attribute can be used to modify and to dump the internal protocol information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>