-off-by: Alex Badics
Signed-off-by: KOVACS Krisztian
---
net/ipv4/tcp_input.c | 1 +
net/ipv4/tcp_ipv4.c | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3ebf45b..1fb2e82 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.
E_NAME ": "
> -#define DRV_MODULE_VERSION "1.4"
> -#define DRV_MODULE_RELDATE "1 July 2004"
> +#define DRV_MODULE_VERSION "1.5"
> +#define DRV_MODULE_RELDATE "4 Jan 2007"
Erm, 2008?
> #define CAS_DEF_MSG_ENABLE \
> (NETIF_MSG_
us about all these cas_page_t wrappers.
Commit fa4f0774d7c6cccb4d1fda76b91dd8eddcb2dd6a?
I don't really see how the buffer count for a page used as a fragment gets
decreased when the skb is freed.
--
KOVACS Krisztian
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body o
Hi David,
On Sunday 14 October 2007, David Miller wrote:
> From: KOVACS Krisztian <[EMAIL PROTECTED]>
> Date: Sat, 13 Oct 2007 19:28:57 +0200
>
> > This is the fifth round of transparent proxying patches following
> > recent discussion on netfilter-devel [1,2].
> &g
The iptables tproxy core is a module that contains the common routines used by
various tproxy related modules (TPROXY target and socket match)
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/netfilter/nf_tproxy_core.h | 32 +++
net/netfilter/K
The iptables tproxy code has to be able to do UDP socket hash lookups,
so we have to provide an exported lookup function for this purpose.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/udp.h |4
net/ipv4/udp.c|8
2 files changed, 12 inse
Netfilter connection tracking requires all IPv4 packets to be defragmented.
Both the socket match and the TPROXY target depend on this functionality, so
this patch separates the Netfilter IPv4 defrag hooks into a separate module.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
i
extends struct inet_request_sock and stores the incoming
destination port value there. It also modifies the handshake code to
use that value as the source port when sending reply packets.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/inet_sock.h |2 +-
inclu
Setting IP_TRANSPARENT is not really useful without allowing non-local
binds for the socket. To make user-space code simpler we allow these binds
even if IP_TRANSPARENT is set but IP_FREEBIND is not.
Signed-off-by: Tóth László Attila <[EMAIL PROTECTED]>
Acked-by: Patrick McHardy <[EMAIL PROTECTED]
Set FLOWI_FLAG_ANYSRC in flowi->flags if the socket has the
transparent socket option set. This way we selectively enable certain
connections with non-local source addresses to be routed.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/route.h |4
1 files c
when doing
the route lookup for those replies. Transparent replies are enabled if
the listening socket has the transparent socket flag set.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/inet_sock.h |8 +++-
include/net/ip.h|9
This patch introduces the IP_TRANSPARENT socket option: enabling that will make
the IPv4 routing omit the non-local source address check on output. Setting
IP_TRANSPARENT requires NET_ADMIN capability.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
Acked-by: Patrick McHardy <[EMAIL
l=netfilter-devel&m=119135774918622&w=2
[3] http://marc.info/?l=linux-netdev&m=118065358510836&w=2
[4]
http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch
--
KOVACS Krisztian
non-transparent connections differently.
Signed-off-by: Julian Anastasov <[EMAIL PROTECTED]>
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
Acked-by: Patrick McHardy <[EMAIL PROTECTED]>
---
include/net/flow.h |1 +
net/ipv4/route.c | 20 +---
2
Use the socket cached in the TPROXY target if it's present.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/udp.c |8
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 053d5c4..6592689 100644
--- a/net
Add basic usage instructions to Documentation/networking.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
Documentation/networking/tproxy.txt | 62 +++
1 files changed, 62 insertions(+), 0 deletions(-)
diff --git a/Documentation/networking/tpro
hardt <[EMAIL PROTECTED]>
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linux/netfilter/xt_TPROXY.h | 14
net/netfilter/Kconfig | 14
net/netfilter/Makefile |1
net/netfilter/xt_TPROXY.c
Use the socket cached in the TPROXY target if it's present.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/tcp_ipv4.c |8
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index fb471b0..90ee2ca 1
Add iptables 'socket' match, which matches packets for which a TCP/UDP
socket lookup succeeds.
Signed-off-by: Jan Engelhardt <[EMAIL PROTECTED]>
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/netfilter/Kconfig | 14 ++
net/netfilter/Makefile
sly makes using
such addresses impossible.
This patch introduces a flowi flag which makes omitting this check
possible.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
Signed-off-by: Julian Anastasov <[EMAIL PROTECTED]>
---
include/net/flow.h |1 +
net/ipv4/route.c | 20 ++
he flow index compare routine.
> Then we can use some more generic name, only for the flowi flag,
> eg. FLOWI_FLAG_ANYSRC or something better?
You're right, _TRANSPARENT was a bad idea. I'm not very good at
choosing names.
So what about this one?
Loosen source
Hi,
On Friday 18 May 2007 11:05, David Miller wrote:
> From: Julian Anastasov <[EMAIL PROTECTED]>
> Date: Fri, 18 May 2007 11:40:54 +0300 (EEST)
>
> > On Thu, 17 May 2007, Patrick McHardy wrote:
> > > In any case some better solution than the current one needs to be
> > > found, allowing users
Implements an iptables module which matches packets which have the
tproxy flag set, that is, packets diverted in the tproxy table.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/netfilter/Kconfig |9 +
net/netfilter/Makefile|1 +
net/netfilter/xt_tp
The TPROXY target implements redirection of non-local TCP/UDP traffic
to local sockets. It is simply a wrapper around functionality exported
from iptable_tproxy.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linux/netfilter_ipv4/ipt_TPROXY.h |9 +++
net/ipv4/net
ication is necessary.)
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linux/netfilter_ipv4.h |1
include/linux/netfilter_ipv4/ip_tproxy.h | 20 ++
include/net/ip.h |3
net/ipv4/netfilter/Kconfig | 10 +
net/ipv4/ne
We would like to be able to match on whether or not a given packet has
been diverted by tproxy. To make this possible we need a flag in
sk_buff.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linux/skbuff.h |3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
The iptables tproxy code has to be able to do UDP socket hash lookups,
so we have to provide an exported lookup function for this purpose.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/udp.h |4
net/ipv4/udp.c|8
2 files changed, 12 inse
flag when doing
the route lookup for those replies. Transparent replies are enabled if
the listening socket has the transparent socket flag set.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/ip.h|3 +++
include/net/request_sock.h |3 ++
Set FLOWI_FLAG_TRANSPARENT in flowi->flags if the socket has the
transparent socket option set. This way we selectively enable certain
connections with non-local source addresses to be routed.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/route.h |4
This patch introduces the IP_TRANSPARENT socket option: enabling that will make
the IPv4 routing omit the non-local source address check on output. Setting
IP_TRANSPARENT requires NET_ADMIN capability.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linu
: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/udp.c | 11 +--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ce6c460..1d15edc 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1226,8 +1226,15 @@ int __udp4_lib_rcv(
non-transparent connections differently.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/flow.h |1 +
net/ipv4/route.c |8 ++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/include/net/flow.h b/include/net/flow.h
index ce4b10d..9eb91f2
: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/tcp_ipv4.c | 13 ++---
1 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0ba74bb..536db7b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1647,9 +1
extends struct inet_request_sock and stores the incoming
destination port value there. It also modifies the handshake code to
use that value as the source port when sending reply packets.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/inet_sock.h |1 +
inclu
st entries are used only by
the iptables tproxy code, and that code uses exclusively these
entries, simply flagging these entries as DST_DIVERTED is OK. All
other cache lookup paths skip diverted entries, while our new
ip_divert_local() function uses exclusively diverted dst entries.
Signed-off-
Hi,
These patches are my second try at providing Linux 2.2-like transparent
proxying support for Linux 2.6.
Major changes since the first version:
- iptable_tproxy now does IPv4 fragment reassembly (necessary for
processing TCP/UDP header)
- The removal of the source address check in ip_rou
Hi,
While reading TCP minisock code I've found this suspicious-looking
code fragment:
- 8< -
struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock
*req, struct sk_buff *skb)
{
struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC);
if (newsk != NULL
On Wednesday 10 January 2007 07:47, Patrick McHardy wrote:
> KOVACS Krisztian wrote:
> > ip_route_output() contains a check to make sure that no flows with
> > non-local source IP addresses are routed. Unfortunately this check
> > makes it completely impossible to use non-loca
Hi,
On Wednesday 10 January 2007 13:19, Patrick McHardy wrote:
> > Of course it's true that doing early lookups and storing that
> > reference in the skb widens the window considerably, but I think this
> > race is already handled. Or is there anything I don't see?
>
> You're right, it seems
Hi,
On Wednesday 10 January 2007 13:32, Patrick McHardy wrote:
> How exactly are dynamic ports handled? Do you just add a catch-all rule
> that filters based on socket lookups?
>
> In that case you could do something like this:
>
> ip route add local default dev lo scope host table 1
> ip rule
Hi,
On Wednesday 10 January 2007 07:46, Patrick McHardy wrote:
> > + rcu_read_lock();
> > + for (rth = rcu_dereference(rt_hash_table[hash].chain); rth;
> > +rth = rcu_dereference(rth->u.rt_next)) {
> > + if (rth->fl.fl4_dst == iph->daddr &&
> > + rth->fl.fl4_
Hi,
On Wednesday 10 January 2007 07:47, Patrick McHardy wrote:
> > diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> > index 537b976..bb1158a 100644
> > --- a/net/ipv4/route.c
> > +++ b/net/ipv4/route.c
> > @@ -2498,11 +2498,6 @@ #endif
> > ZERONET(oldflp->fl4_src))
> >
Hi Evgeniy,
On Wednesday 03 January 2007 18:23, Evgeniy Polyakov wrote:
> Out of curiosity, would you use netchannels [1] if the implementation
> will be much broader? Since what you have created works exactly like
> netchannels netfilter NAT target (although it does not change ports,
> but it
Hi,
On Wednesday 03 January 2007 20:33, Lennert Buytenhek wrote:
> I'd also love to see the old tproxy API go away entirely. It was
> always a bit of a pain to use.
It's gone with these patches: all you need is to bind() to foreign
addresses, like in the Linux 2.2 days.
--
Regards,
Kr
multicast-specific code
path as that is the only real user of the interface data looked up.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/route.c | 13 +
1 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 5
: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/tcp_ipv4.c | 13 ++---
1 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index bf7a224..7828aec 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1647,9 +1
We would like to be able to match on whether or not a given packet has
been diverted by tproxy. To make this possible we need a flag in
sk_buff.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linux/skbuff.h |3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/ipv4/udp.c | 11 +--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index cfff930..1b348f5 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1225,8 +1225,15 @@ int __udp4_lib_rcv(
extends struct inet_request_sock and stores the incoming
destination port value there. It also modifies the handshake code to
use that value as the source port when sending reply packets.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/inet_sock.h |1 +
inclu
The following set of patches implement transparent proxying support
loosely modeled on the Linux 2.2 transparent proxying functionality.
In the last few years we've been maintaining a set of patches
implementing Netfilter NAT to provide similar functionality. However,
as time passed, more and more
it is not
necessary to have the IP_FREEBIND socket option enabled for the
target socket, redirection takes place even for "regular"
sockets. This way no modification of the application is necessary.)
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linu
Implements an iptables module which matches packets which have the
tproxy flag set, that is, packets diverted in the tproxy table.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
net/netfilter/Kconfig |9 +
net/netfilter/Makefile|1 +
net/netfilter/xt_tp
The TPROXY target implements redirection of non-local TCP/UDP traffic
to local sockets. It is simply a wrapper around functionality exported
from iptable_tproxy.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/linux/netfilter_ipv4/ipt_TPROXY.h |9 +++
net/ipv4/net
st entries are used only by
the iptables tproxy code, and that code uses exclusively these
entries, simply flagging these entries as DST_DIVERTED is OK. All
other cache lookup paths skip diverted entries, while our new
ip_divert_local() function uses exclusively diverted dst entries.
Signed-off-
The iptables tproxy code has to be able to do UDP socket hash lookups,
so we have to provide an exported lookup function for this purpose.
Signed-off-by: KOVACS Krisztian <[EMAIL PROTECTED]>
---
include/net/udp.h |4
net/ipv4/udp.c|8
2 files changed, 12 inse
Hi,
On Friday 01 December 2006 15:37, jamal wrote:
> struct xfrm_aevent_id {
> struct xfrm_usersa_id sa_id;
> __u32 flags;
> };
>
> I could add the two items mentioned above in it and break the ABI.
> This may sound dangerous, but the usage of
Hi,
On Tuesday 11 April 2006 05.02, jamal wrote:
> Ok, if both you can provide feedback on the attached patch (untested but
> compiles) I will make any necessary changes, test and push this +
> documentation to Dave.
Looks ok, although I only had a quick look at it.
--
Regards,
Krisztia
Hi,
On Friday 07 April 2006 15:15, jamal wrote:
> Ok, I built on Herbert's suggestion and tried to be a little
> clever/accurate. Instead of a flag i introduce a variable that stores
> the jiffy point when the timer is killed. If we fall anywhere to the
> right or at exact point of the next poi
Hi,
On Thursday 06 April 2006 17:18, jamal wrote:
> On Fri, 2006-07-04 at 00:30 +1000, Herbert Xu wrote:
> > If so I see what you mean but I think a better solution is to just
> > set a flag when the XFRM_REPLAY_TIMEOUT fires and nothing has
> > changed. Then when you get XFRM_REPLAY_UPDATE you
Hi,
On Sunday 12 March 2006 23.29, Stjepan Gros wrote:
> setkey command behaves strangely when SPD is large. Either because I'm
> doing something wrong or because there is a bug. I believe it's a bug,
> but who knows... Anyway, after 529 items it simply stops displaying
> items from SPD with a
Hi,
On Monday 30 January 2006 22:33, jamal wrote:
> > We implemented partial ISAKMP SA synchronization in racoon. That
> Unfortunately this would also mean dependency on racoon. Is there any
> other way to do it without having to change racoon? example the phase1
> scripts or racoonctl?
> It
Hi,
On Monday 30 January 2006 14.14, jamal wrote:
[...]
> > To put it simply: I don't think PF_KEY is worth the hassle unless
> > someone comes up with an open source software utilizing that interface.
>
> I agree. And if you look at something like sasyncd, it is obvious you
> don't need it if
Hi,
On Saturday 28 January 2006 13:45, jamal wrote:
> > > +extern u32 sysctl_xfrm_aevent_etime;
> > > +extern u32 sysctl_xfrm_aevent_rseqth;
> >
> > Why do we need these defaults? I'd rather see these be removed and
> > just have the user-space KM always set the values (if it needs
> > aevent).
Hi,
On Friday 05 August 2005 12.50, Patrick McHardy wrote:
> Is there already userspace code which uses this feature somewhere?
AFAIK Ulrich has a patch for OpenSWAN, and we (Balabit) have a patch
for racoon. Unfortunately this racoon version is available only as a
commercial product.
--
Hi,
On Thursday, 2005-08-04, at 12.56, Ulrich Weber wrote:
> thanks for revising Patrick! Attached is the updated patch.
> Sorry had no time yet to remove the sysctl variables.
> It will follow in a few weeks if I have more time :)
Ulrich, I already have some code which supports per-sta
65 matches