[PATCH] netfilter: xt_socket: fix transparent match for IPv6 request sockets

2016-09-23 Thread KOVACS Krisztian
lex Badics <alex.bad...@balabit.com> Signed-off-by: KOVACS Krisztian <hid...@balabit.com> --- net/ipv4/tcp_input.c | 1 + net/ipv4/tcp_ipv4.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 3ebf45b..1fb2e82 100644 ---

Re: [PATCH 6/6]: [CASSINI]: Bump driver version and release date.

2008-01-04 Thread KOVACS Krisztian
+#define DRV_MODULE_VERSION 1.5 +#define DRV_MODULE_RELDATE 4 Jan 2007 Erm, 2008? #define CAS_DEF_MSG_ENABLE \ (NETIF_MSG_DRV | \ -- 1.5.4.rc2.17.g257f -- KOVACS Krisztian -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message

Re: cassini driver skb-truesize bug

2007-12-05 Thread KOVACS Krisztian
fa4f0774d7c6cccb4d1fda76b91dd8eddcb2dd6a? I don't really see how the buffer count for a page used as a fragment gets decreased when the skb is freed. -- KOVACS Krisztian

Re: [PATCH 00/14] Transparent Proxying Patches, Take 5

2007-10-14 Thread KOVACS Krisztian
Hi David, On Sunday 14 October 2007, David Miller wrote: From: KOVACS Krisztian [EMAIL PROTECTED] Date: Sat, 13 Oct 2007 19:28:57 +0200 This is the fifth round of transparent proxying patches following recent discussion on netfilter-devel [1,2]. The aim of the patchset is to make non

[PATCH 10/14] iptables socket match

2007-10-13 Thread KOVACS Krisztian
Add iptables 'socket' match, which matches packets for which a TCP/UDP socket lookup succeeds. Signed-off-by: Jan Engelhardt [EMAIL PROTECTED] Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/netfilter/Kconfig | 14 ++ net/netfilter/Makefile|1 net/netfilter

[PATCH 11/14] iptables TPROXY target

2007-10-13 Thread KOVACS Krisztian
[EMAIL PROTECTED] Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/netfilter/xt_TPROXY.h | 14 net/netfilter/Kconfig | 14 net/netfilter/Makefile |1 net/netfilter/xt_TPROXY.c | 113 +++ 4

[PATCH 12/14] Don't lookup the socket if there's a socket attached to the skb

2007-10-13 Thread KOVACS Krisztian
Use the socket cached in the TPROXY target if it's present. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/ipv4/tcp_ipv4.c |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index fb471b0..90ee2ca 100644 --- a/net

[PATCH 13/14] Don't lookup the socket if there's a socket attached to the skb

2007-10-13 Thread KOVACS Krisztian
Use the socket cached in the TPROXY target if it's present. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/ipv4/udp.c |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 053d5c4..6592689 100644 --- a/net/ipv4/udp.c

[PATCH 14/14] Add documentation

2007-10-13 Thread KOVACS Krisztian
Add basic usage instructions to Documentation/networking. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- Documentation/networking/tproxy.txt | 62 +++ 1 files changed, 62 insertions(+), 0 deletions(-) diff --git a/Documentation/networking/tproxy.txt b

[PATCH 00/14] Transparent Proxying Patches, Take 5

2007-10-13 Thread KOVACS Krisztian
://marc.info/?l=linux-netdev&m=118065358510836&w=2 [4] http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch -- KOVACS Krisztian

[PATCH 01/14] Loosen source address check on IPv4 output

2007-10-13 Thread KOVACS Krisztian
and non-transparent connections differently. Signed-off-by: Julian Anastasov [EMAIL PROTECTED] Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] Acked-by: Patrick McHardy [EMAIL PROTECTED] --- include/net/flow.h |1 + net/ipv4/route.c | 20 +--- 2 files changed, 14 insertions

[PATCH 02/14] Implement IP_TRANSPARENT socket option

2007-10-13 Thread KOVACS Krisztian
This patch introduces the IP_TRANSPARENT socket option: enabling that will make the IPv4 routing omit the non-local source address check on output. Setting IP_TRANSPARENT requires NET_ADMIN capability. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] Acked-by: Patrick McHardy [EMAIL PROTECTED

[PATCH 03/14] Allow binding to non-local addresses if IP_TRANSPARENT is set

2007-10-13 Thread KOVACS Krisztian
Setting IP_TRANSPARENT is not really useful without allowing non-local binds for the socket. To make user-space code simpler we allow these binds even if IP_TRANSPARENT is set but IP_FREEBIND is not. Signed-off-by: Tóth László Attila [EMAIL PROTECTED] Acked-by: Patrick McHardy [EMAIL PROTECTED]

[PATCH 04/14] Conditionally enable transparent flow flag when connecting

2007-10-13 Thread KOVACS Krisztian
Set FLOWI_FLAG_ANYSRC in flowi-flags if the socket has the transparent socket option set. This way we selectively enable certain connections with non-local source addresses to be routed. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/route.h |4 1 files changed, 4

[PATCH 06/14] Port redirection support for TCP

2007-10-13 Thread KOVACS Krisztian
extends struct inet_request_sock and stores the incoming destination port value there. It also modifies the handshake code to use that value as the source port when sending reply packets. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/inet_sock.h |2 +- include/net/tcp.h
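The user-space side of the three pieces above (the IP_TRANSPARENT option, the non-local bind it permits, and the preserved incoming destination port) can be shown in one small program. This is an added example, not code from the patchset or from anyone in the thread: a TCP listener that sets IP_TRANSPARENT before bind(), and, on each accepted connection, reads the client's original destination back with getsockname(), which is what the request-sock port/address preservation makes possible. The port number 3128 and the 0.0.0.0 bind are assumed values; the iptables/ip-rule setup that actually diverts packets to this socket is not part of the code.

```c
/*
 * Added example, not part of the tproxy patches or the netdev thread.
 * Minimal transparent TCP listener built on the IP_TRANSPARENT option.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux value; <netinet/in.h> normally provides it (glibc, musl). */
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif

/*
 * Create a TCP listener on ip:port. With IP_TRANSPARENT set, bind() is
 * allowed even when ip is not configured on a local interface, and the
 * kernel skips the non-local source address check when it answers from
 * that address. Setting the option needs CAP_NET_ADMIN, so an
 * unprivileged caller gets -EPERM. Returns the listening fd or -errno.
 */
int transparent_listen(const char *ip, uint16_t port, int backlog)
{
    struct sockaddr_in sa;
    int fd, one = 1, err;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* IP_TRANSPARENT must be set before bind(), otherwise a non-local
     * bind is rejected with EADDRNOTAVAIL. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, backlog) < 0) {
        err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/*
 * On a diverted connection the local side of the accepted socket is the
 * client's original destination (address and the preserved incoming
 * port), not the proxy's own address. getsockname() therefore tells the
 * proxy where to connect upstream. Returns 0 and fills ip/port, or -errno.
 */
int original_destination(int conn_fd, char *ip, size_t ip_len, uint16_t *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;

    if (getsockname(conn_fd, (struct sockaddr *)&sa, &len) < 0)
        return -errno;
    if (!inet_ntop(AF_INET, &sa.sin_addr, ip, ip_len))
        return -errno;
    *port = ntohs(sa.sin_port);
    return 0;
}

/* Demo check: a listener was created, or the only obstacle was the
 * missing CAP_NET_ADMIN. Closes the fd if one was returned. */
int listener_ok_or_unprivileged(int rc)
{
    if (rc >= 0) {
        close(rc);
        return 1;
    }
    return rc == -EPERM;
}

int main(void)
{
    /* Assumed deployment: bind 0.0.0.0:3128 and let a TPROXY rule steer
     * flows here; a specific foreign address also works once
     * IP_TRANSPARENT is set. */
    int lfd = transparent_listen("0.0.0.0", 3128, 16);
    if (lfd < 0) {
        fprintf(stderr, "transparent_listen: %s\n", strerror(-lfd));
        return 1;
    }
    for (;;) {
        char dst[INET_ADDRSTRLEN];
        uint16_t dport;
        int c = accept(lfd, NULL, NULL);
        if (c < 0)
            continue;
        if (original_destination(c, dst, sizeof dst, &dport) == 0)
            printf("client wanted %s:%u\n", dst, dport);
        /* A real proxy would now connect() upstream and relay; the demo
         * just closes the connection. */
        close(c);
    }
}
```

Run it as root (or with CAP_NET_ADMIN); without that the setsockopt() fails with EPERM, which is the capability check the IP_TRANSPARENT patch describes. Nothing arrives at the socket until packets are actually diverted to it, which needs the mangle-table TPROXY rule plus the policy route (`ip route add local ... dev lo` in its own table and a matching `ip rule`) quoted in the 2007-01-11 reply. The getsockname() result is the reason the port-redirection patch matters: with the destination port rewritten, the proxy would otherwise only see its own listening port.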

[PATCH 07/14] Export UDP socket lookup function

2007-10-13 Thread KOVACS Krisztian
The iptables tproxy code has to be able to do UDP socket hash lookups, so we have to provide an exported lookup function for this purpose. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/udp.h |4 net/ipv4/udp.c|8 2 files changed, 12 insertions(+), 0

[PATCH 08/14] Split Netfilter IPv4 defragmentation into a separate module

2007-10-13 Thread KOVACS Krisztian
Netfilter connection tracking requires all IPv4 packets to be defragmented. Both the socket match and the TPROXY target depend on this functionality, so this patch separates the Netfilter IPv4 defrag hooks into a separate module. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net

[PATCH 09/14] iptables tproxy core

2007-10-13 Thread KOVACS Krisztian
The iptables tproxy core is a module that contains the common routines used by various tproxy related modules (TPROXY target and socket match) Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/netfilter/nf_tproxy_core.h | 32 +++ net/netfilter/Kconfig

[PATCH 05/14] Handle TCP SYN+ACK/ACK/RST transparency

2007-10-13 Thread KOVACS Krisztian
doing the route lookup for those replies. Transparent replies are enabled if the listening socket has the transparent socket flag set. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/inet_sock.h |8 +++- include/net/ip.h|9 + net/ipv4

Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed

2007-06-01 Thread KOVACS Krisztian
a flowi flag which makes omitting this check possible. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] Signed-off-by: Julian Anastasov [EMAIL PROTECTED] --- include/net/flow.h |1 + net/ipv4/route.c | 20 +--- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git

Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed

2007-05-31 Thread KOVACS Krisztian
for the flowi flag, eg. FLOWI_FLAG_ANYSRC or something better? You're right, _TRANSPARENT was a bad idea. I'm not very good at choosing names. So what about this one? Loosen source address check on IPv4 output From: KOVACS Krisztian [EMAIL PROTECTED] ip_route_output() contains a check to make

Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed

2007-05-30 Thread KOVACS Krisztian
Hi, On Friday 18 May 2007 11:05, David Miller wrote: From: Julian Anastasov [EMAIL PROTECTED] Date: Fri, 18 May 2007 11:40:54 +0300 (EEST) On Thu, 17 May 2007, Patrick McHardy wrote: In any case some better solution than the current one needs to be found, allowing users to send

[PATCH/RFC 00/13] Transparent proxying patches, take two

2007-03-05 Thread KOVACS Krisztian
Hi, These patches are my second try at providing Linux 2.2-like transparent proxying support for Linux 2.6. Major changes since the first version: - iptable_tproxy now does IPv4 fragment reassembly (necessary for processing TCP/UDP header) - The removal of the source address check in

[PATCH/RFC 01/13] Implement local diversion of IPv4 skbs

2007-03-05 Thread KOVACS Krisztian
are used only by the iptables tproxy code, and that code uses exclusively these entries, simply flagging these entries as DST_DIVERTED is OK. All other cache lookup paths skip diverted entries, while our new ip_divert_local() function uses exclusively diverted dst entries. Signed-off-by: KOVACS

[PATCH/RFC 02/13] Port redirection support for TCP

2007-03-05 Thread KOVACS Krisztian
extends struct inet_request_sock and stores the incoming destination port value there. It also modifies the handshake code to use that value as the source port when sending reply packets. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/inet_sock.h |1 + include/net/tcp.h

[PATCH/RFC 03/13] Don't do the TCP socket lookup if we already have one attached

2007-03-05 Thread KOVACS Krisztian
-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/ipv4/tcp_ipv4.c | 13 ++--- 1 files changed, 10 insertions(+), 3 deletions(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 0ba74bb..536db7b 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1647,9 +1647,16 @@ int

[PATCH/RFC 04/13] Don't do the UDP socket lookup if we already have one attached

2007-03-05 Thread KOVACS Krisztian
-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/ipv4/udp.c | 11 +-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index ce6c460..1d15edc 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1226,8 +1226,15 @@ int __udp4_lib_rcv(struct

[PATCH/RFC 05/13] Loosen source address check on IPv4 output

2007-03-05 Thread KOVACS Krisztian
and non-transparent connections differently. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/flow.h |1 + net/ipv4/route.c |8 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/net/flow.h b/include/net/flow.h index ce4b10d..9eb91f2 100644

[PATCH/RFC 06/13] Implement IP_TRANSPARENT socket option

2007-03-05 Thread KOVACS Krisztian
This patch introduces the IP_TRANSPARENT socket option: enabling that will make the IPv4 routing omit the non-local source address check on output. Setting IP_TRANSPARENT requires NET_ADMIN capability. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/in.h

[PATCH/RFC 07/13] Conditionally enable transparent flow flag when connecting

2007-03-05 Thread KOVACS Krisztian
Set FLOWI_FLAG_TRANSPARENT in flowi-flags if the socket has the transparent socket option set. This way we selectively enable certain connections with non-local source addresses to be routed. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/route.h |4 1 files changed

[PATCH/RFC 08/13] Handle TCP SYN+ACK/ACK/RST transparency

2007-03-05 Thread KOVACS Krisztian
when doing the route lookup for those replies. Transparent replies are enabled if the listening socket has the transparent socket flag set. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/ip.h|3 +++ include/net/request_sock.h |3 ++- net/ipv4

[PATCH/RFC 09/13] Create a tproxy flag in struct sk_buff

2007-03-05 Thread KOVACS Krisztian
We would like to be able to match on whether or not a given packet has been diverted by tproxy. To make this possible we need a flag in sk_buff. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/skbuff.h |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git

[PATCH/RFC 10/13] Export UDP socket lookup function

2007-03-05 Thread KOVACS Krisztian
The iptables tproxy code has to be able to do UDP socket hash lookups, so we have to provide an exported lookup function for this purpose. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/udp.h |4 net/ipv4/udp.c|8 2 files changed, 12 insertions

[PATCH/RFC 11/13] iptables tproxy table

2007-03-05 Thread KOVACS Krisztian
is necessary.) Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/netfilter_ipv4.h |1 include/linux/netfilter_ipv4/ip_tproxy.h | 20 ++ include/net/ip.h |3 net/ipv4/netfilter/Kconfig | 10 + net/ipv4/netfilter/Makefile

[PATCH/RFC 12/13] iptables TPROXY target

2007-03-05 Thread KOVACS Krisztian
The TPROXY target implements redirection of non-local TCP/UDP traffic to local sockets. It is simply a wrapper around functionality exported from iptable_tproxy. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/netfilter_ipv4/ipt_TPROXY.h |9 +++ net/ipv4/netfilter

[PATCH/RFC 13/13] iptables tproxy match

2007-03-05 Thread KOVACS Krisztian
Implements an iptables module which matches packets which have the tproxy flag set, that is, packets diverted in the tproxy table. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/netfilter/Kconfig |9 + net/netfilter/Makefile|1 + net/netfilter/xt_tproxy.c | 77

TCP minisock tcp_create_openreq_child() typo?

2007-02-28 Thread KOVACS Krisztian
Hi, While reading TCP minisock code I've found this suspiciously looking code fragment: - 8 - struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb) { struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC); if (newsk !=

IP_FREEBIND and CAP_NET_ADMIN (was: Re: [PATCH/RFC 05/10] Remove local address check on IP output)

2007-02-06 Thread KOVACS Krisztian
On Wednesday 10 January 2007 07:47, Patrick McHardy wrote: KOVACS Krisztian wrote: ip_route_output() contains a check to make sure that no flows with non-local source IP addresses are routed. Unfortunately this check makes it completely impossible to use non-local bound sockets

Re: [PATCH/RFC 01/10] Implement local diversion of IPv4 skbs

2007-01-16 Thread KOVACS Krisztian
Hi, On Wednesday 10 January 2007 13:19, Patrick McHardy wrote: Of course it's true that doing early lookups and storing that reference in the skb widens the window considerably, but I think this race is already handled. Or is there anything I don't see? You're right, it seems to be

Re: [PATCH/RFC 01/10] Implement local diversion of IPv4 skbs

2007-01-11 Thread KOVACS Krisztian
Hi, On Wednesday 10 January 2007 13:32, Patrick McHardy wrote: How exactly are dynamic ports handled? Do you just add a catch-all rule that filters based on socket lookups? In that case you could do something like this: ip route add local default dev lo scope host table 1 ip rule add

Re: [PATCH/RFC 05/10] Remove local address check on IP output

2007-01-10 Thread KOVACS Krisztian
Hi, On Wednesday 10 January 2007 07:47, Patrick McHardy wrote: diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 537b976..bb1158a 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2498,11 +2498,6 @@ #endif ZERONET(oldflp-fl4_src))

Re: [PATCH/RFC 01/10] Implement local diversion of IPv4 skbs

2007-01-10 Thread KOVACS Krisztian
Hi, On Wednesday 10 January 2007 07:46, Patrick McHardy wrote: + rcu_read_lock(); + for (rth = rcu_dereference(rt_hash_table[hash].chain); rth; +rth = rcu_dereference(rth-u.rt_next)) { + if (rth-fl.fl4_dst == iph-daddr + rth-fl.fl4_src ==
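Review bot: as far as this hunk is visible, the match condition in the rcu chain walk keys only on rth->fl.fl4_dst and rth->fl.fl4_src, while the patch description says ip_divert_local() must use exclusively DST_DIVERTED entries; the condition therefore needs an explicit test of that flag (and the iif/tos/mark keys the normal rt_hash lookup compares) before the entry is taken, or a plain cached route for the same address pair would be returned to the divert path.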

Re: [PATCH/RFC 00/10] Transparent proxying patches version 4

2007-01-08 Thread KOVACS Krisztian
Hi Evgeniy, On Wednesday 03 January 2007 18:23, Evgeniy Polyakov wrote: Out of curiosity, would you use netchannels [1] if the implementation will be much broader? Since what you have created works exactly like netchannels netfilter NAT target (although it does not change ports, but it can

Re: [PATCH/RFC 00/10] Transparent proxying patches version 4

2007-01-04 Thread KOVACS Krisztian
Hi, On Wednesday 03 January 2007 20:33, Lennert Buytenhek wrote: I'd also love to see the old tproxy API go away entirely. It was always a bit of a pain to use. It's gone with these patches: all you need is to bind() to foreign addresses, like in the Linux 2.2 days. -- Regards,

[PATCH/RFC 07/10] Export UDP socket lookup function

2007-01-03 Thread KOVACS Krisztian
The iptables tproxy code has to be able to do UDP socket hash lookups, so we have to provide an exported lookup function for this purpose. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/udp.h |4 net/ipv4/udp.c|8 2 files changed, 12 insertions

[PATCH/RFC 01/10] Implement local diversion of IPv4 skbs

2007-01-03 Thread KOVACS Krisztian
are used only by the iptables tproxy code, and that code uses exclusively these entries, simply flagging these entries as DST_DIVERTED is OK. All other cache lookup paths skip diverted entries, while our new ip_divert_local() function uses exclusively diverted dst entries. Signed-off-by: KOVACS

[PATCH/RFC 10/10] iptables tproxy match

2007-01-03 Thread KOVACS Krisztian
Implements an iptables module which matches packets which have the tproxy flag set, that is, packets diverted in the tproxy table. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/netfilter/Kconfig |9 + net/netfilter/Makefile|1 + net/netfilter/xt_tproxy.c | 77

[PATCH/RFC 09/10] iptables TPROXY target

2007-01-03 Thread KOVACS Krisztian
The TPROXY target implements redirection of non-local TCP/UDP traffic to local sockets. It is simply a wrapper around functionality exported from iptable_tproxy. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/netfilter_ipv4/ipt_TPROXY.h |9 +++ net/ipv4/netfilter

[PATCH/RFC 02/10] Port redirection support for TCP

2007-01-03 Thread KOVACS Krisztian
extends struct inet_request_sock and stores the incoming destination port value there. It also modifies the handshake code to use that value as the source port when sending reply packets. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/net/inet_sock.h |1 + include/net/tcp.h

[PATCH/RFC 06/10] Create a tproxy flag in struct sk_buff

2007-01-03 Thread KOVACS Krisztian
We would like to be able to match on whether or not a given packet has been diverted by tproxy. To make this possible we need a flag in sk_buff. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- include/linux/skbuff.h |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git

[PATCH/RFC 05/10] Remove local address check on IP output

2007-01-03 Thread KOVACS Krisztian
to the multicast-specific code path as that is the only real user of the interface data looked up. Signed-off-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/ipv4/route.c | 13 + 1 files changed, 5 insertions(+), 8 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 537b976

[PATCH/RFC 00/10] Transparent proxying patches version 4

2007-01-03 Thread KOVACS Krisztian
The following set of patches implement transparent proxying support loosely modeled on the Linux 2.2 transparent proxying functionality. In the last few years we've been maintaining a set of patches implementing Netfilter NAT to provide similar functionality. However, as time passed, more and

[PATCH/RFC 03/10] Don't do the TCP socket lookup if we already have one attached

2007-01-03 Thread KOVACS Krisztian
-by: KOVACS Krisztian [EMAIL PROTECTED] --- net/ipv4/tcp_ipv4.c | 13 ++--- 1 files changed, 10 insertions(+), 3 deletions(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index bf7a224..7828aec 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1647,9 +1647,16 @@ int

Re: RFC: XFRM changing the view of xfrm_aevent_id

2006-12-01 Thread KOVACS Krisztian
Hi, On Friday 01 December 2006 15:37, jamal wrote: struct xfrm_aevent_id { struct xfrm_usersa_id sa_id; __u32 flags; }; I could add the two items mentioned above in it and break the ABI. This may sound dangerous, but the usage of this

Re: [XFRM] Restore aevent timer

2006-04-11 Thread KOVACS Krisztian
Hi, On Tuesday 11 April 2006 05.02, jamal wrote: Ok, if both you can provide feedback on the attached patch (untested but compiles) I will make any necessary changes, test and push this + documentation to Dave. Looks ok, although I only had a quick look at it. -- Regards, Krisztian

Re: [XFRM] Restore aevent timer

2006-04-10 Thread KOVACS Krisztian
Hi, On Friday 07 April 2006 15:15, jamal wrote: Ok, I built on Herbert's suggestion and tried to be a little clever/accurate. Instead of a flag i introduce a variable that stores the jiffy point when the timer is killed. If we fall anywhere to the right or at exact point of the next point

Re: [XFRM] Restore aevent timer

2006-04-06 Thread KOVACS Krisztian
Hi, On Thursday 06 April 2006 17:18, jamal wrote: On Fri, 2006-07-04 at 00:30 +1000, Herbert Xu wrote: If so I see what you mean but I think a better solution is to just set a flag when the XFRM_REPLAY_TIMEOUT fires and nothing has changed. Then when you get XFRM_REPLAY_UPDATE you can

Re: Possible bug in PFKEY implementation...

2006-03-13 Thread KOVACS Krisztian
Hi, On Sunday 12 March 2006 23.29, Stjepan Gros wrote: setkey command behaves strangely when SPD is large. Either because I'm doing something wrong or because there is a bug. I believe it's a bug, but who knows... Anyway, after 529 items it simply stops displaying items from SPD with a

Re: [Patch 1/6] IPSEC: core updates

2006-01-31 Thread KOVACS Krisztian
Hi, On Monday 30 January 2006 22:33, jamal wrote: We implemented partial ISAKMP SA synchronization in racoon. That Unfortunately this would also mean dependency on racoon. Is there any other way to do it without having to change racoon? example the phase1 scripts or racoonctl? It seems

Re: [Patch 1/6] IPSEC: core updates

2006-01-30 Thread KOVACS Krisztian
Hi, On Monday 30 January 2006 14.14, jamal wrote: [...] To put it simple: I don't think PF_KEY is worth the hassle unless someone comes up with an open source software utilizing that interface. I agree. And if you look at something like sasyncd, it is obvious you dont need it if what

Re: [Patch 1/6] IPSEC: core updates

2006-01-29 Thread KOVACS Krisztian
Hi, On Saturday 28 January 2006 13:45, jamal wrote: +extern u32 sysctl_xfrm_aevent_etime; +extern u32 sysctl_xfrm_aevent_rseqth; Why do we need these defaults? I'd rather see these be removed and just have the user-space KM always set the values (if it needs aevent). This is

Re: [PATCH] IPSec anti-replay sequence numbers

2005-08-05 Thread KOVACS Krisztian
Hi, On Friday 05 August 2005 12.50, Patrick McHardy wrote: Is there already userspace code which uses this feature somewhere? AFAIK Ulrich has a patch for OpenSWAN, and we (Balabit) have a patch for racoon. Unfortunately this racoon version is available only as a commercial product. --

Re: [PATCH] IPSec anti-replay sequence numbers

2005-08-04 Thread KOVACS Krisztian
Hi, On Thursday, 2005-08-04 at 12:56, Ulrich Weber wrote: thanks for revising Patrick! Attached is the updated patch. Sorry had no time yet to remove the sysctl variables. It will follow in a few weeks if I have more time :) Ulrich, I already have some code which supports per-state