- 21 Oct, 2010 12 commits
-
-
Balazs Scheidler authored
The REDIRECT target and the older TProxy versions used the primary address of the incoming interface as the default value of the --on-ip parameter. This was unintentionally changed during the initial TProxy submission and caused confusion among users. Since IPv6 has no notion of primary address, we just select the first address on the list: this way the socket lookup finds wildcard bound sockets properly and we cannot really do better without the user telling us the IPv6 address of the proxy. This is implemented for both IPv4 and IPv6. Signed-off-by:
Balazs Scheidler <bazsi@balabit.hu> Signed-off-by:
KOVACS Krisztian <hidden@balabit.hu> Signed-off-by:
Patrick McHardy <kaber@trash.net>
-
Balazs Scheidler authored
The ICMP extraction bits were contributed by Harry Mason. Signed-off-by:
-
Balazs Scheidler authored
This requires a new revision as the old target structure was IPv4 specific. Signed-off-by:
-
Balazs Scheidler authored
Signed-off-by:
-
Balazs Scheidler authored
Signed-off-by:
-
Balazs Scheidler authored
Support for IPV6_RECVORIGDSTADDR sockopt for UDP sockets were contributed by Harry Mason. Signed-off-by:
-
Balazs Scheidler authored
Just like with IPv4, we need access to the UDP hash table to look up local sockets, but instead of exporting the global udp_table, export a lookup function. Signed-off-by:
-
Balazs Scheidler authored
The parameters for various UDP lookup functions were non-const, even though they could be const. TProxy has some const references and instead of downcasting it, I added const specifiers along the path. Signed-off-by:
-
Balazs Scheidler authored
Like with IPv4, TProxy needs IPv6 defragmentation but does not require connection tracking. Since defragmentation was coupled with conntrack, I split off the two, creating an nf_defrag_ipv6 module, similar to the already existing nf_defrag_ipv4. Signed-off-by:
-
Balazs Scheidler authored
When __inet_inherit_port() is called on a tproxy connection the wrong locks are held for the inet_bind_bucket it is added to. __inet_inherit_port() made an implicit assumption that the listener's port number (and thus its bind bucket). Unfortunately, if you're using the TPROXY target to redirect skbs to a transparent proxy that assumption is not true anymore and things break. This patch adds code to __inet_inherit_port() so that it can handle this case by looking up or creating a new bind bucket for the child socket and updates callers of __inet_inherit_port() to gracefully handle __inet_inherit_port() failing. Reported by and original patch from Stephen Buck <stephen.buck@exinda.com>. See http://marc.info/?t=128169268200001&r=1&w=2 for the original discussion. Signed-off-by:
-
Balazs Scheidler authored
Also, inline this function as the lookup_type is always a literal and inlining removes branches performed at runtime. Signed-off-by:
-
Balazs Scheidler authored
Without tproxy redirections an incoming SYN kicks out conflicting TIME_WAIT sockets, in order to handle clients that reuse ports within the TIME_WAIT period. The same mechanism didn't work in case TProxy is involved in finding the proper socket, as the time_wait processing code looked up the listening socket assuming that the listener addr/port matches those of the established connection. This is not the case with TProxy as the listener addr/port is possibly changed with the tproxy rule. Signed-off-by:
-
- 19 Oct, 2010 3 commits
-
-
Eduardo Blanco authored
Lists were initialized after the module was registered. Multiple ipvsadm processes at module load triggered a race condition that resulted in a null pointer dereference in do_ip_vs_get_ctl(). As a result, __ip_vs_mutex was left locked preventing all further ipvsadm commands. Signed-off-by:
Eduardo J. Blanco <ejblanco@google.com> Signed-off-by:
Simon Horman <horms@verge.net.au>
-
Hans Schillstrom authored
IPv6 encapsulation uses a bad source address for the tunnel. i.e. VIP will be used as local-addr and encap. dst addr. Decapsulation will not accept this. Example LVS (eth1 2003::2:0:1/96, VIP 2003::2:0:100) (eth0 2003::1:0:1/96) RS (ethX 2003::1:0:5/96) tcpdump 2003::2:0:100 > 2003::1:0:5: IP6 (hlim 63, next-header TCP (6) payload length: 40) 2003::3:0:10.50991 > 2003::2:0:100.http: Flags [S], cksum 0x7312 (correct), seq 3006460279, win 5760, options [mss 1440,sackOK,TS val 1904932 ecr 0,nop,wscale 3], length 0 In Linux IPv6 impl. you can't have a tunnel with an any cast address receiving packets (I have not tried to interpret RFC 2473) To have receive capabilities the tunnel must have: - Local address set as multicast addr or an unicast addr - Remote address set as an unicast addr. - Loop back addres or Link local address are not allowed. This causes us to setup a tunnel in the Real Server with the LVS as the remote address, here you can't use the VIP address since it's used inside the tunnel. Solution Use outgoing interface IPv6 address (match against the destination). i.e. use ip6_route_output() to look up the route cache and then use ipv6_dev_get_saddr(...) to set the source address of the encapsulated packet. Additionally, cache the results in new destination fields: dst_cookie and dst_saddr and properly check the returned dst from ip6_route_output. We now add xfrm_lookup call only for the tunneling method where the source address is a local one. Signed-off-by:
Hans Schillstrom <hans.schillstrom@ericsson.com> Signed-off-by:
-
Pablo Neira Ayuso authored
This patch allows to listen to events that inform about expectations destroyed. Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
-
- 18 Oct, 2010 2 commits
-
-
Nick Bowler authored
The ebt_ip6.h and ebt_nflog.h headers are not not known to Kbuild and therefore not installed by make headers_install. Fix that up. Signed-off-by:
Nick Bowler <nbowler@elliptictech.com> Signed-off-by:
-
Randy Dunlap authored
Fix netfilter kconfig unmet dependencies warning & spell out "compatible" while there. warning: (IP_NF_TARGET_TTL && NET && INET && NETFILTER && IP_NF_IPTABLES && NETFILTER_ADVANCED || IP6_NF_TARGET_HL && NET && INET && IPV6 && NETFILTER && IP6_NF_IPTABLES && NETFILTER_ADVANCED) selects NETFILTER_XT_TARGET_HL which has unmet direct dependencies ((IP_NF_MANGLE || IP6_NF_MANGLE) && NETFILTER_ADVANCED) Signed-off-by:
Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by:
-
- 13 Oct, 2010 6 commits
-
-
Simon Horman authored
ip_vs_dbg_callid() and IP_VS_DEBUG_CALLID() are only needed it CONFIG_IP_VS_DEBUG is defined. This resolves the following build warning when CONFIG_IP_VS_DEBUG is not defined. net/netfilter/ipvs/ip_vs_pe_sip.c:11: warning: 'ip_vs_dbg_callid' defined but not used Reported-by:
-
Jan Engelhardt authored
Signed-off-by:Jan Engelhardt <jengelh@medozas.de>
-
Jan Engelhardt authored
Unification of struct *_error_target was forgotten in v2.6.16-1689-g1e30a014. Signed-off-by:
-
Jan Engelhardt authored
-
Jan Engelhardt authored
Signed-off-by: -
Jan Engelhardt authored
Many of the used macros are just there for userspace compatibility. Substitute the in-kernel code to directly use the terminal macro and stuff the defines into #ifndef __KERNEL__ sections. Signed-off-by:
-
- 04 Oct, 2010 17 commits
-
-
Patrick McHardy authored
Forgot to add xt_log.h in commit a8defca0 (netfilter: ipt_LOG: add bufferisation to call printk() once) Signed-off-by:
-
Changli Gao authored
Since we register nf hooks, matches and targets in order, we'd better unregister them in the reverse order. Signed-off-by:
Changli Gao <xiaosuo@gmail.com> Signed-off-by:
-
Nicolas Kaiser authored
Remove duplicated include. Signed-off-by:
Nicolas Kaiser <nikai@nikai.net> Signed-off-by:
-
Eric Dumazet authored
ipt_LOG & ip6t_LOG use lot of calls to printk() and use a lock in a hope several cpus wont mix their output in syslog. printk() being very expensive [1], its better to call it once, on a prebuilt and complete line. Also, with mixed IPv4 and IPv6 trafic, separate IPv4/IPv6 locks dont avoid garbage. I used an allocation of a 1024 bytes structure, sort of seq_printf() but with a fixed size limit. Use a static buffer if dynamic allocation failed. Emit a once time alert if buffer size happens to be too short. [1]: printk() has various features like printk_delay()... Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
-
Stephen Hemminger authored
The functions nf_nat_proto_find_get and nf_nat_proto_put are only used internally in nf_nat_core. This might break some out of tree NAT module. Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
-
Simon Horman authored
Add the SIP callid as a key for persistence. This allows multiple connections from the same IP address to be differentiated on the basis of the callid. When used in conjunction with the persistence mask, it allows connections from different IP addresses to be aggregated on the basis of the callid. It is envisaged that a persistence mask of 0.0.0.0 will be a useful setting. That is, ignore the source IP address when checking for persistence. It is envisaged that this option will be used in conjunction with one-packet scheduling. This only works with UDP and cannot be made to work with TCP within the current framework. Signed-off-by:
Julian Anastasov <ja@ssi.bg>
-
Simon Horman authored
Fall back to normal persistence handling if the persistence engine fails to recognise a packet. This way, at least the packet will go somewhere. It is envisaged that iptables could be used to block packets such if this is not desired although nf_conntrack_sip would likely need to be enhanced first. Signed-off-by:
-
Simon Horman authored
Allow the persistence engine of a virtual service to be set, edited and unset. This feature only works with the netlink user-space interface. Signed-off-by:
-
Simon Horman authored
This is based heavily on the scheduler management code Signed-off-by:
-
Simon Horman authored
This shouldn't break compatibility with userspace as the new data is at the end of the line. I have confirmed that this doesn't break ipvsadm, the main (only?) user-space user of this data. Signed-off-by:
-
Simon Horman authored
Signed-off-by:
-
Simon Horman authored
In general NULL arguments aren't passed by the few callers that exist, so don't test for them. The exception is to make passing NULL to ip_vs_unbind_scheduler() a noop. Signed-off-by:
-
Simon Horman authored
This simplifies caller logic sightly. Signed-off-by:
-
Simon Horman authored
Signed-off-by:
-
Simon Horman authored
Compact ip_vs_sched_persist() by setting up parameters and calling functions once. Signed-off-by:
-
Simon Horman authored
Signed-off-by:
-
Simon Horman authored
Signed-off-by:
-
