tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
+262
-126
-9
Documentation/feature-removal-schedule.txt
-9
Documentation/feature-removal-schedule.txt
···
303
303
304
304
---------------------------
305
305
306
-
What: CONFIG_NF_CT_ACCT
307
-
When: 2.6.29
308
-
Why: Accounting can now be enabled/disabled without kernel recompilation.
309
-
Currently used only to set a default value for a feature that is also
310
-
controlled by a kernel/module/sysfs/sysctl parameter.
311
-
Who: Krzysztof Piotr Oledzki <ole@ans.pl>
312
-
313
-
---------------------------
314
-
315
306
What: sysfs ui for changing p4-clockmod parameters
316
307
When: September 2009
317
308
Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
+1
-2
Documentation/kernel-parameters.txt
+1
-2
Documentation/kernel-parameters.txt
···
1597
1597
[NETFILTER] Enable connection tracking flow accounting
1598
1598
0 to disable accounting
1599
1599
1 to enable accounting
1600
-
Default value depends on CONFIG_NF_CT_ACCT that is
1601
-
going to be removed in 2.6.29.
1600
+
Default value is 0.
1602
1601
1603
1602
nfsaddrs= [NFS]
1604
1603
See Documentation/filesystems/nfs/nfsroot.txt.
+2
include/linux/ip_vs.h
+2
include/linux/ip_vs.h
···
19
19
*/
20
20
#define IP_VS_SVC_F_PERSISTENT 0x0001 /* persistent port */
21
21
#define IP_VS_SVC_F_HASHED 0x0002 /* hashed entry */
22
+
#define IP_VS_SVC_F_ONEPACKET 0x0004 /* one-packet scheduling */
22
23
23
24
/*
24
25
* Destination Server Flags
···
86
85
#define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */
87
86
#define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */
88
87
#define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */
88
+
#define IP_VS_CONN_F_ONE_PACKET 0x2000 /* forward only one packet */
89
89
90
90
#define IP_VS_SCHEDNAME_MAXLEN 16
91
91
#define IP_VS_IFNAME_MAXLEN 16
+2
-1
include/linux/netfilter_ipv4/ipt_LOG.h
+2
-1
include/linux/netfilter_ipv4/ipt_LOG.h
···
7
7
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
8
8
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
9
9
#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
10
-
#define IPT_LOG_MASK 0x1f
10
+
#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
11
+
#define IPT_LOG_MASK 0x2f
11
12
12
13
struct ipt_log_info {
13
14
unsigned char level;
+2
-1
include/linux/netfilter_ipv6/ip6t_LOG.h
+2
-1
include/linux/netfilter_ipv6/ip6t_LOG.h
···
7
7
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
8
8
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
9
9
#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
10
-
#define IP6T_LOG_MASK 0x1f
10
+
#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
11
+
#define IP6T_LOG_MASK 0x2f
11
12
12
13
struct ip6t_log_info {
13
14
unsigned char level;
+12
include/net/netfilter/nf_conntrack_acct.h
+12
include/net/netfilter/nf_conntrack_acct.h
···
45
45
extern unsigned int
46
46
seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir);
47
47
48
+
/* Check if connection tracking accounting is enabled */
49
+
static inline bool nf_ct_acct_enabled(struct net *net)
50
+
{
51
+
return net->ct.sysctl_acct != 0;
52
+
}
53
+
54
+
/* Enable/disable connection tracking accounting */
55
+
static inline void nf_ct_set_acct(struct net *net, bool enable)
56
+
{
57
+
net->ct.sysctl_acct = enable;
58
+
}
59
+
48
60
extern int nf_conntrack_acct_init(struct net *net);
49
61
extern void nf_conntrack_acct_fini(struct net *net);
50
62
-2
include/net/netfilter/nf_nat_rule.h
-2
include/net/netfilter/nf_nat_rule.h
+22
-9
net/bridge/br_netfilter.c
+22
-9
net/bridge/br_netfilter.c
···
55
55
static int brnf_filter_vlan_tagged __read_mostly = 0;
56
56
static int brnf_filter_pppoe_tagged __read_mostly = 0;
57
57
#else
58
+
#define brnf_call_iptables 1
59
+
#define brnf_call_ip6tables 1
60
+
#define brnf_call_arptables 1
58
61
#define brnf_filter_vlan_tagged 0
59
62
#define brnf_filter_pppoe_tagged 0
60
63
#endif
···
547
544
const struct net_device *out,
548
545
int (*okfn)(struct sk_buff *))
549
546
{
547
+
struct net_bridge_port *p;
548
+
struct net_bridge *br;
550
549
struct iphdr *iph;
551
550
__u32 len = nf_bridge_encap_header_len(skb);
552
551
553
552
if (unlikely(!pskb_may_pull(skb, len)))
554
553
goto out;
555
554
555
+
p = br_port_get_rcu(in);
556
+
if (p == NULL)
557
+
goto out;
558
+
br = p->br;
559
+
556
560
if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
557
561
IS_PPPOE_IPV6(skb)) {
558
-
#ifdef CONFIG_SYSCTL
559
-
if (!brnf_call_ip6tables)
562
+
if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
560
563
return NF_ACCEPT;
561
-
#endif
564
+
562
565
nf_bridge_pull_encap_header_rcsum(skb);
563
566
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
564
567
}
565
-
#ifdef CONFIG_SYSCTL
566
-
if (!brnf_call_iptables)
568
+
569
+
if (!brnf_call_iptables && !br->nf_call_iptables)
567
570
return NF_ACCEPT;
568
-
#endif
569
571
570
572
if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
571
573
!IS_PPPOE_IP(skb))
···
723
715
const struct net_device *out,
724
716
int (*okfn)(struct sk_buff *))
725
717
{
718
+
struct net_bridge_port *p;
719
+
struct net_bridge *br;
726
720
struct net_device **d = (struct net_device **)(skb->cb);
727
721
728
-
#ifdef CONFIG_SYSCTL
729
-
if (!brnf_call_arptables)
722
+
p = br_port_get_rcu(out);
723
+
if (p == NULL)
730
724
return NF_ACCEPT;
731
-
#endif
725
+
br = p->br;
726
+
727
+
if (!brnf_call_arptables && !br->nf_call_arptables)
728
+
return NF_ACCEPT;
732
729
733
730
if (skb->protocol != htons(ETH_P_ARP)) {
734
731
if (!IS_VLAN_ARP(skb))
+3
net/bridge/br_private.h
+3
net/bridge/br_private.h
+72
net/bridge/br_sysfs_br.c
+72
net/bridge/br_sysfs_br.c
···
611
611
show_multicast_startup_query_interval,
612
612
store_multicast_startup_query_interval);
613
613
#endif
614
+
#ifdef CONFIG_BRIDGE_NETFILTER
615
+
static ssize_t show_nf_call_iptables(
616
+
struct device *d, struct device_attribute *attr, char *buf)
617
+
{
618
+
struct net_bridge *br = to_bridge(d);
619
+
return sprintf(buf, "%u\n", br->nf_call_iptables);
620
+
}
621
+
622
+
static int set_nf_call_iptables(struct net_bridge *br, unsigned long val)
623
+
{
624
+
br->nf_call_iptables = val ? true : false;
625
+
return 0;
626
+
}
627
+
628
+
static ssize_t store_nf_call_iptables(
629
+
struct device *d, struct device_attribute *attr, const char *buf,
630
+
size_t len)
631
+
{
632
+
return store_bridge_parm(d, buf, len, set_nf_call_iptables);
633
+
}
634
+
static DEVICE_ATTR(nf_call_iptables, S_IRUGO | S_IWUSR,
635
+
show_nf_call_iptables, store_nf_call_iptables);
636
+
637
+
static ssize_t show_nf_call_ip6tables(
638
+
struct device *d, struct device_attribute *attr, char *buf)
639
+
{
640
+
struct net_bridge *br = to_bridge(d);
641
+
return sprintf(buf, "%u\n", br->nf_call_ip6tables);
642
+
}
643
+
644
+
static int set_nf_call_ip6tables(struct net_bridge *br, unsigned long val)
645
+
{
646
+
br->nf_call_ip6tables = val ? true : false;
647
+
return 0;
648
+
}
649
+
650
+
static ssize_t store_nf_call_ip6tables(
651
+
struct device *d, struct device_attribute *attr, const char *buf,
652
+
size_t len)
653
+
{
654
+
return store_bridge_parm(d, buf, len, set_nf_call_ip6tables);
655
+
}
656
+
static DEVICE_ATTR(nf_call_ip6tables, S_IRUGO | S_IWUSR,
657
+
show_nf_call_ip6tables, store_nf_call_ip6tables);
658
+
659
+
static ssize_t show_nf_call_arptables(
660
+
struct device *d, struct device_attribute *attr, char *buf)
661
+
{
662
+
struct net_bridge *br = to_bridge(d);
663
+
return sprintf(buf, "%u\n", br->nf_call_arptables);
664
+
}
665
+
666
+
static int set_nf_call_arptables(struct net_bridge *br, unsigned long val)
667
+
{
668
+
br->nf_call_arptables = val ? true : false;
669
+
return 0;
670
+
}
671
+
672
+
static ssize_t store_nf_call_arptables(
673
+
struct device *d, struct device_attribute *attr, const char *buf,
674
+
size_t len)
675
+
{
676
+
return store_bridge_parm(d, buf, len, set_nf_call_arptables);
677
+
}
678
+
static DEVICE_ATTR(nf_call_arptables, S_IRUGO | S_IWUSR,
679
+
show_nf_call_arptables, store_nf_call_arptables);
680
+
#endif
614
681
615
682
static struct attribute *bridge_attrs[] = {
616
683
&dev_attr_forward_delay.attr,
···
711
644
&dev_attr_multicast_query_interval.attr,
712
645
&dev_attr_multicast_query_response_interval.attr,
713
646
&dev_attr_multicast_startup_query_interval.attr,
647
+
#endif
648
+
#ifdef CONFIG_BRIDGE_NETFILTER
649
+
&dev_attr_nf_call_iptables.attr,
650
+
&dev_attr_nf_call_ip6tables.attr,
651
+
&dev_attr_nf_call_arptables.attr,
714
652
#endif
715
653
NULL
716
654
};
+40
-14
net/ipv4/netfilter/ipt_LOG.c
+40
-14
net/ipv4/netfilter/ipt_LOG.c
···
13
13
#include <linux/module.h>
14
14
#include <linux/spinlock.h>
15
15
#include <linux/skbuff.h>
16
+
#include <linux/if_arp.h>
16
17
#include <linux/ip.h>
17
18
#include <net/icmp.h>
18
19
#include <net/udp.h>
···
364
363
/* maxlen = 230+ 91 + 230 + 252 = 803 */
365
364
}
366
365
366
+
static void dump_mac_header(const struct nf_loginfo *info,
367
+
const struct sk_buff *skb)
368
+
{
369
+
struct net_device *dev = skb->dev;
370
+
unsigned int logflags = 0;
371
+
372
+
if (info->type == NF_LOG_TYPE_LOG)
373
+
logflags = info->u.log.logflags;
374
+
375
+
if (!(logflags & IPT_LOG_MACDECODE))
376
+
goto fallback;
377
+
378
+
switch (dev->type) {
379
+
case ARPHRD_ETHER:
380
+
printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
381
+
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
382
+
ntohs(eth_hdr(skb)->h_proto));
383
+
return;
384
+
default:
385
+
break;
386
+
}
387
+
388
+
fallback:
389
+
printk("MAC=");
390
+
if (dev->hard_header_len &&
391
+
skb->mac_header != skb->network_header) {
392
+
const unsigned char *p = skb_mac_header(skb);
393
+
unsigned int i;
394
+
395
+
printk("%02x", *p++);
396
+
for (i = 1; i < dev->hard_header_len; i++, p++)
397
+
printk(":%02x", *p);
398
+
}
399
+
printk(" ");
400
+
}
401
+
367
402
static struct nf_loginfo default_loginfo = {
368
403
.type = NF_LOG_TYPE_LOG,
369
404
.u = {
···
441
404
}
442
405
#endif
443
406
444
-
if (in && !out) {
445
-
/* MAC logging for input chain only. */
446
-
printk("MAC=");
447
-
if (skb->dev && skb->dev->hard_header_len &&
448
-
skb->mac_header != skb->network_header) {
449
-
int i;
450
-
const unsigned char *p = skb_mac_header(skb);
451
-
for (i = 0; i < skb->dev->hard_header_len; i++,p++)
452
-
printk("%02x%c", *p,
453
-
i==skb->dev->hard_header_len - 1
454
-
? ' ':':');
455
-
} else
456
-
printk(" ");
457
-
}
407
+
/* MAC logging for input path only. */
408
+
if (in && !out)
409
+
dump_mac_header(loginfo, skb);
458
410
459
411
dump_packet(loginfo, skb, 0);
460
412
printk("\n");
+4
-2
net/ipv4/netfilter/ipt_NETMAP.c
+4
-2
net/ipv4/netfilter/ipt_NETMAP.c
···
48
48
49
49
NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
50
50
par->hooknum == NF_INET_POST_ROUTING ||
51
-
par->hooknum == NF_INET_LOCAL_OUT);
51
+
par->hooknum == NF_INET_LOCAL_OUT ||
52
+
par->hooknum == NF_INET_LOCAL_IN);
52
53
ct = nf_ct_get(skb, &ctinfo);
53
54
54
55
netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
···
78
77
.table = "nat",
79
78
.hooks = (1 << NF_INET_PRE_ROUTING) |
80
79
(1 << NF_INET_POST_ROUTING) |
81
-
(1 << NF_INET_LOCAL_OUT),
80
+
(1 << NF_INET_LOCAL_OUT) |
81
+
(1 << NF_INET_LOCAL_IN),
82
82
.checkentry = netmap_tg_check,
83
83
.me = THIS_MODULE
84
84
};
+6
-4
net/ipv4/netfilter/nf_nat_rule.c
+6
-4
net/ipv4/netfilter/nf_nat_rule.c
···
28
28
29
29
#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
30
30
(1 << NF_INET_POST_ROUTING) | \
31
-
(1 << NF_INET_LOCAL_OUT))
31
+
(1 << NF_INET_LOCAL_OUT) | \
32
+
(1 << NF_INET_LOCAL_IN))
32
33
33
34
static const struct xt_table nat_table = {
34
35
.name = "nat",
···
46
45
enum ip_conntrack_info ctinfo;
47
46
const struct nf_nat_multi_range_compat *mr = par->targinfo;
48
47
49
-
NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING);
48
+
NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
49
+
par->hooknum == NF_INET_LOCAL_IN);
50
50
51
51
ct = nf_ct_get(skb, &ctinfo);
52
52
···
101
99
return 0;
102
100
}
103
101
104
-
unsigned int
102
+
static unsigned int
105
103
alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
106
104
{
107
105
/* Force range to this IP; let proto decide mapping for
···
143
141
.target = ipt_snat_target,
144
142
.targetsize = sizeof(struct nf_nat_multi_range_compat),
145
143
.table = "nat",
146
-
.hooks = 1 << NF_INET_POST_ROUTING,
144
+
.hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
147
145
.checkentry = ipt_snat_checkentry,
148
146
.family = AF_INET,
149
147
};
+1
-7
net/ipv4/netfilter/nf_nat_standalone.c
+1
-7
net/ipv4/netfilter/nf_nat_standalone.c
···
131
131
if (!nf_nat_initialized(ct, maniptype)) {
132
132
unsigned int ret;
133
133
134
-
if (hooknum == NF_INET_LOCAL_IN)
135
-
/* LOCAL_IN hook doesn't have a chain! */
136
-
ret = alloc_null_binding(ct, hooknum);
137
-
else
138
-
ret = nf_nat_rule_find(skb, hooknum, in, out,
139
-
ct);
140
-
134
+
ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
141
135
if (ret != NF_ACCEPT)
142
136
return ret;
143
137
} else
+53
-28
net/ipv6/netfilter/ip6t_LOG.c
+53
-28
net/ipv6/netfilter/ip6t_LOG.c
···
373
373
printk("MARK=0x%x ", skb->mark);
374
374
}
375
375
376
+
static void dump_mac_header(const struct nf_loginfo *info,
377
+
const struct sk_buff *skb)
378
+
{
379
+
struct net_device *dev = skb->dev;
380
+
unsigned int logflags = 0;
381
+
382
+
if (info->type == NF_LOG_TYPE_LOG)
383
+
logflags = info->u.log.logflags;
384
+
385
+
if (!(logflags & IP6T_LOG_MACDECODE))
386
+
goto fallback;
387
+
388
+
switch (dev->type) {
389
+
case ARPHRD_ETHER:
390
+
printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
391
+
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
392
+
ntohs(eth_hdr(skb)->h_proto));
393
+
return;
394
+
default:
395
+
break;
396
+
}
397
+
398
+
fallback:
399
+
printk("MAC=");
400
+
if (dev->hard_header_len &&
401
+
skb->mac_header != skb->network_header) {
402
+
const unsigned char *p = skb_mac_header(skb);
403
+
unsigned int len = dev->hard_header_len;
404
+
unsigned int i;
405
+
406
+
if (dev->type == ARPHRD_SIT &&
407
+
(p -= ETH_HLEN) < skb->head)
408
+
p = NULL;
409
+
410
+
if (p != NULL) {
411
+
printk("%02x", *p++);
412
+
for (i = 1; i < len; i++)
413
+
printk(":%02x", p[i]);
414
+
}
415
+
printk(" ");
416
+
417
+
if (dev->type == ARPHRD_SIT) {
418
+
const struct iphdr *iph =
419
+
(struct iphdr *)skb_mac_header(skb);
420
+
printk("TUNNEL=%pI4->%pI4 ", &iph->saddr, &iph->daddr);
421
+
}
422
+
} else
423
+
printk(" ");
424
+
}
425
+
376
426
static struct nf_loginfo default_loginfo = {
377
427
.type = NF_LOG_TYPE_LOG,
378
428
.u = {
···
450
400
prefix,
451
401
in ? in->name : "",
452
402
out ? out->name : "");
453
-
if (in && !out) {
454
-
unsigned int len;
455
-
/* MAC logging for input chain only. */
456
-
printk("MAC=");
457
-
if (skb->dev && (len = skb->dev->hard_header_len) &&
458
-
skb->mac_header != skb->network_header) {
459
-
const unsigned char *p = skb_mac_header(skb);
460
-
int i;
461
403
462
-
if (skb->dev->type == ARPHRD_SIT &&
463
-
(p -= ETH_HLEN) < skb->head)
464
-
p = NULL;
465
-
466
-
if (p != NULL) {
467
-
for (i = 0; i < len; i++)
468
-
printk("%02x%s", p[i],
469
-
i == len - 1 ? "" : ":");
470
-
}
471
-
printk(" ");
472
-
473
-
if (skb->dev->type == ARPHRD_SIT) {
474
-
const struct iphdr *iph =
475
-
(struct iphdr *)skb_mac_header(skb);
476
-
printk("TUNNEL=%pI4->%pI4 ",
477
-
&iph->saddr, &iph->daddr);
478
-
}
479
-
} else
480
-
printk(" ");
481
-
}
404
+
/* MAC logging for input path only. */
405
+
if (in && !out)
406
+
dump_mac_header(loginfo, skb);
482
407
483
408
dump_packet(loginfo, skb, skb_network_offset(skb), 1);
484
409
printk("\n");
+1
-23
net/netfilter/Kconfig
+1
-23
net/netfilter/Kconfig
···
40
40
41
41
if NF_CONNTRACK
42
42
43
-
config NF_CT_ACCT
44
-
bool "Connection tracking flow accounting"
45
-
depends on NETFILTER_ADVANCED
46
-
help
47
-
If this option is enabled, the connection tracking code will
48
-
keep per-flow packet and byte counters.
49
-
50
-
Those counters can be used for flow-based accounting or the
51
-
`connbytes' match.
52
-
53
-
Please note that currently this option only sets a default state.
54
-
You may change it at boot time with nf_conntrack.acct=0/1 kernel
55
-
parameter or by loading the nf_conntrack module with acct=0/1.
56
-
57
-
You may also disable/enable it on a running system with:
58
-
sysctl net.netfilter.nf_conntrack_acct=0/1
59
-
60
-
This option will be removed in 2.6.29.
61
-
62
-
If unsure, say `N'.
63
-
64
43
config NF_CONNTRACK_MARK
65
44
bool 'Connection mark tracking support'
66
45
depends on NETFILTER_ADVANCED
···
494
515
To compile it as a module, choose M here. If unsure, say N.
495
516
496
517
config NETFILTER_XT_TARGET_TEE
497
-
tristate '"TEE" - packet cloning to alternate destiantion'
518
+
tristate '"TEE" - packet cloning to alternate destination'
498
519
depends on NETFILTER_ADVANCED
499
520
depends on (IPV6 || IPV6=n)
500
521
depends on !NF_CONNTRACK || NF_CONNTRACK
···
609
630
tristate '"connbytes" per-connection counter match support'
610
631
depends on NF_CONNTRACK
611
632
depends on NETFILTER_ADVANCED
612
-
select NF_CT_ACCT
613
633
help
614
634
This option adds a `connbytes' match, which allows you to match the
615
635
number of bytes and/or packets for each direction within a connection.
+7
-3
net/netfilter/ipvs/ip_vs_conn.c
+7
-3
net/netfilter/ipvs/ip_vs_conn.c
···
158
158
unsigned hash;
159
159
int ret;
160
160
161
+
if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
162
+
return 0;
163
+
161
164
/* Hash by protocol, client address and port */
162
165
hash = ip_vs_conn_hashkey(cp->af, cp->protocol, &cp->caddr, cp->cport);
163
166
···
362
359
*/
363
360
void ip_vs_conn_put(struct ip_vs_conn *cp)
364
361
{
365
-
/* reset it expire in its timeout */
366
-
mod_timer(&cp->timer, jiffies+cp->timeout);
362
+
unsigned long t = (cp->flags & IP_VS_CONN_F_ONE_PACKET) ?
363
+
0 : cp->timeout;
364
+
mod_timer(&cp->timer, jiffies+t);
367
365
368
366
__ip_vs_conn_put(cp);
369
367
}
···
657
653
/*
658
654
* unhash it if it is hashed in the conn table
659
655
*/
660
-
if (!ip_vs_conn_unhash(cp))
656
+
if (!ip_vs_conn_unhash(cp) && !(cp->flags & IP_VS_CONN_F_ONE_PACKET))
661
657
goto expire_later;
662
658
663
659
/*
+16
-4
net/netfilter/ipvs/ip_vs_core.c
+16
-4
net/netfilter/ipvs/ip_vs_core.c
···
194
194
struct ip_vs_dest *dest;
195
195
struct ip_vs_conn *ct;
196
196
__be16 dport; /* destination port to forward */
197
+
__be16 flags;
197
198
union nf_inet_addr snet; /* source network of the client,
198
199
after masking */
199
200
···
341
340
dport = ports[1];
342
341
}
343
342
343
+
flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
344
+
&& iph.protocol == IPPROTO_UDP)?
345
+
IP_VS_CONN_F_ONE_PACKET : 0;
346
+
344
347
/*
345
348
* Create a new connection according to the template
346
349
*/
···
352
347
&iph.saddr, ports[0],
353
348
&iph.daddr, ports[1],
354
349
&dest->addr, dport,
355
-
0,
350
+
flags,
356
351
dest);
357
352
if (cp == NULL) {
358
353
ip_vs_conn_put(ct);
···
382
377
struct ip_vs_conn *cp = NULL;
383
378
struct ip_vs_iphdr iph;
384
379
struct ip_vs_dest *dest;
385
-
__be16 _ports[2], *pptr;
380
+
__be16 _ports[2], *pptr, flags;
386
381
387
382
ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
388
383
pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
···
412
407
return NULL;
413
408
}
414
409
410
+
flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
411
+
&& iph.protocol == IPPROTO_UDP)?
412
+
IP_VS_CONN_F_ONE_PACKET : 0;
413
+
415
414
/*
416
415
* Create a connection entry.
417
416
*/
···
423
414
&iph.saddr, pptr[0],
424
415
&iph.daddr, pptr[1],
425
416
&dest->addr, dest->port ? dest->port : pptr[1],
426
-
0,
417
+
flags,
427
418
dest);
428
419
if (cp == NULL)
429
420
return NULL;
···
473
464
if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
474
465
int ret, cs;
475
466
struct ip_vs_conn *cp;
467
+
__u16 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
468
+
iph.protocol == IPPROTO_UDP)?
469
+
IP_VS_CONN_F_ONE_PACKET : 0;
476
470
union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
477
471
478
472
ip_vs_service_put(svc);
···
486
474
&iph.saddr, pptr[0],
487
475
&iph.daddr, pptr[1],
488
476
&daddr, 0,
489
-
IP_VS_CONN_F_BYPASS,
477
+
IP_VS_CONN_F_BYPASS | flags,
490
478
NULL);
491
479
if (cp == NULL)
492
480
return NF_DROP;
+6
-4
net/netfilter/ipvs/ip_vs_ctl.c
+6
-4
net/netfilter/ipvs/ip_vs_ctl.c
···
1864
1864
svc->scheduler->name);
1865
1865
else
1866
1866
#endif
1867
-
seq_printf(seq, "%s %08X:%04X %s ",
1867
+
seq_printf(seq, "%s %08X:%04X %s %s ",
1868
1868
ip_vs_proto_name(svc->protocol),
1869
1869
ntohl(svc->addr.ip),
1870
1870
ntohs(svc->port),
1871
-
svc->scheduler->name);
1871
+
svc->scheduler->name,
1872
+
(svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
1872
1873
} else {
1873
-
seq_printf(seq, "FWM %08X %s ",
1874
-
svc->fwmark, svc->scheduler->name);
1874
+
seq_printf(seq, "FWM %08X %s %s",
1875
+
svc->fwmark, svc->scheduler->name,
1876
+
(svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
1875
1877
}
1876
1878
1877
1879
if (svc->flags & IP_VS_SVC_F_PERSISTENT)
+1
-13
net/netfilter/nf_conntrack_acct.c
+1
-13
net/netfilter/nf_conntrack_acct.c
···
17
17
#include <net/netfilter/nf_conntrack_extend.h>
18
18
#include <net/netfilter/nf_conntrack_acct.h>
19
19
20
-
#ifdef CONFIG_NF_CT_ACCT
21
-
#define NF_CT_ACCT_DEFAULT 1
22
-
#else
23
-
#define NF_CT_ACCT_DEFAULT 0
24
-
#endif
25
-
26
-
static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
20
+
static int nf_ct_acct __read_mostly;
27
21
28
22
module_param_named(acct, nf_ct_acct, bool, 0644);
29
23
MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
···
108
114
net->ct.sysctl_acct = nf_ct_acct;
109
115
110
116
if (net_eq(net, &init_net)) {
111
-
#ifdef CONFIG_NF_CT_ACCT
112
-
printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use\n");
113
-
printk(KERN_WARNING "nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or\n");
114
-
printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
115
-
#endif
116
-
117
117
ret = nf_ct_extend_register(&acct_extend);
118
118
if (ret < 0) {
119
119
printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
+1
net/netfilter/xt_IDLETIMER.c
+1
net/netfilter/xt_IDLETIMER.c
+10
net/netfilter/xt_connbytes.c
+10
net/netfilter/xt_connbytes.c
···
112
112
if (ret < 0)
113
113
pr_info("cannot load conntrack support for proto=%u\n",
114
114
par->family);
115
+
116
+
/*
117
+
* This filter cannot function correctly unless connection tracking
118
+
* accounting is enabled, so complain in the hope that someone notices.
119
+
*/
120
+
if (!nf_ct_acct_enabled(par->net)) {
121
+
pr_warning("Forcing CT accounting to be enabled\n");
122
+
nf_ct_set_acct(par->net, true);
123
+
}
124
+
115
125
return ret;
116
126
}
117
127