Commit e490c1de authored by David S. Miller's avatar David S. Miller
parents 0a17d8c7 4df53d8b
...@@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net> ...@@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net>
--------------------------- ---------------------------
What: CONFIG_NF_CT_ACCT
When: 2.6.29
Why: Accounting can now be enabled/disabled without kernel recompilation.
Currently used only to set a default value for a feature that is also
controlled by a kernel/module/sysfs/sysctl parameter.
Who: Krzysztof Piotr Oledzki <ole@ans.pl>
---------------------------
What: sysfs ui for changing p4-clockmod parameters What: sysfs ui for changing p4-clockmod parameters
When: September 2009 When: September 2009
Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
......
...@@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file ...@@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file
[NETFILTER] Enable connection tracking flow accounting [NETFILTER] Enable connection tracking flow accounting
0 to disable accounting 0 to disable accounting
1 to enable accounting 1 to enable accounting
Default value depends on CONFIG_NF_CT_ACCT that is Default value is 0.
going to be removed in 2.6.29.
nfsaddrs= [NFS] nfsaddrs= [NFS]
See Documentation/filesystems/nfs/nfsroot.txt. See Documentation/filesystems/nfs/nfsroot.txt.
......
...@@ -19,6 +19,7 @@ ...@@ -19,6 +19,7 @@
*/ */
#define IP_VS_SVC_F_PERSISTENT 0x0001 /* persistent port */ #define IP_VS_SVC_F_PERSISTENT 0x0001 /* persistent port */
#define IP_VS_SVC_F_HASHED 0x0002 /* hashed entry */ #define IP_VS_SVC_F_HASHED 0x0002 /* hashed entry */
#define IP_VS_SVC_F_ONEPACKET 0x0004 /* one-packet scheduling */
/* /*
* Destination Server Flags * Destination Server Flags
...@@ -85,6 +86,7 @@ ...@@ -85,6 +86,7 @@
#define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */ #define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */
#define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */ #define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */
#define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */ #define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */
#define IP_VS_CONN_F_ONE_PACKET 0x2000 /* forward only one packet */
#define IP_VS_SCHEDNAME_MAXLEN 16 #define IP_VS_SCHEDNAME_MAXLEN 16
#define IP_VS_IFNAME_MAXLEN 16 #define IP_VS_IFNAME_MAXLEN 16
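Review bot: The one-word comment on IP_VS_CONN_F_ONE_PACKET understates what the flag does: in the ip_vs_conn.c hunks of this same commit a connection carrying it is never inserted into the connection hash (ip_vs_conn_hash returns early) and ip_vs_conn_put() arms its timer with a zero timeout, so it lives only until the first put. Readers of this header are the only ones who see the flag on its own, so suggest `#define IP_VS_CONN_F_ONE_PACKET 0x2000 /* forward only one packet; never hashed, expires on first put */`. The same applies to IP_VS_SVC_F_ONEPACKET in the first hunk, which only takes effect for UDP services according to ip_vs_core.c; `/* one-packet scheduling (UDP only) */` would say so.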
......
...@@ -7,7 +7,8 @@ ...@@ -7,7 +7,8 @@
#define IPT_LOG_IPOPT 0x04 /* Log IP options */ #define IPT_LOG_IPOPT 0x04 /* Log IP options */
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ #define IPT_LOG_UID 0x08 /* Log UID owning local socket */
#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ #define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
#define IPT_LOG_MASK 0x1f #define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
#define IPT_LOG_MASK 0x2f
struct ipt_log_info { struct ipt_log_info {
unsigned char level; unsigned char level;
......
...@@ -7,7 +7,8 @@ ...@@ -7,7 +7,8 @@
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */ #define IP6T_LOG_IPOPT 0x04 /* Log IP options */
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */ #define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */ #define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
#define IP6T_LOG_MASK 0x1f #define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
#define IP6T_LOG_MASK 0x2f
struct ip6t_log_info { struct ip6t_log_info {
unsigned char level; unsigned char level;
......
...@@ -45,6 +45,18 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) ...@@ -45,6 +45,18 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
extern unsigned int extern unsigned int
seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir);
/* Check if connection tracking accounting is enabled */
static inline bool nf_ct_acct_enabled(struct net *net)
{
return net->ct.sysctl_acct != 0;
}
/* Enable/disable connection tracking accounting */
static inline void nf_ct_set_acct(struct net *net, bool enable)
{
net->ct.sysctl_acct = enable;
}
extern int nf_conntrack_acct_init(struct net *net); extern int nf_conntrack_acct_init(struct net *net);
extern void nf_conntrack_acct_fini(struct net *net); extern void nf_conntrack_acct_fini(struct net *net);
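Review bot: nf_ct_set_acct writes `net->ct.sysctl_acct` directly, which is the same storage the acct module parameter and the sysctl set, so a caller (xt_connbytes.c in this commit) silently overrides an administrator's choice for the whole network namespace; the two-word comment should say so. Suggest `/* Enable/disable connection tracking accounting for this netns; overrides the acct module parameter and sysctl value */`. Presumably the counters are only attached to conntracks created after the flag is set, so flipping it at runtime does not retrofit existing flows; that is worth a sentence in the same comment once confirmed against where nf_ct_acct_ext_add is called.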
......
...@@ -12,6 +12,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb, ...@@ -12,6 +12,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
struct nf_conn *ct); struct nf_conn *ct);
extern unsigned int
alloc_null_binding(struct nf_conn *ct, unsigned int hooknum);
#endif /* _NF_NAT_RULE_H */ #endif /* _NF_NAT_RULE_H */
...@@ -55,6 +55,9 @@ static int brnf_call_arptables __read_mostly = 1; ...@@ -55,6 +55,9 @@ static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 0; static int brnf_filter_vlan_tagged __read_mostly = 0;
static int brnf_filter_pppoe_tagged __read_mostly = 0; static int brnf_filter_pppoe_tagged __read_mostly = 0;
#else #else
#define brnf_call_iptables 1
#define brnf_call_ip6tables 1
#define brnf_call_arptables 1
#define brnf_filter_vlan_tagged 0 #define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0 #define brnf_filter_pppoe_tagged 0
#endif #endif
...@@ -544,25 +547,30 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb, ...@@ -544,25 +547,30 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
struct net_bridge_port *p;
struct net_bridge *br;
struct iphdr *iph; struct iphdr *iph;
__u32 len = nf_bridge_encap_header_len(skb); __u32 len = nf_bridge_encap_header_len(skb);
if (unlikely(!pskb_may_pull(skb, len))) if (unlikely(!pskb_may_pull(skb, len)))
goto out; goto out;
p = br_port_get_rcu(in);
if (p == NULL)
goto out;
br = p->br;
if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
IS_PPPOE_IPV6(skb)) { IS_PPPOE_IPV6(skb)) {
#ifdef CONFIG_SYSCTL if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
if (!brnf_call_ip6tables)
return NF_ACCEPT; return NF_ACCEPT;
#endif
nf_bridge_pull_encap_header_rcsum(skb); nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn); return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
} }
#ifdef CONFIG_SYSCTL
if (!brnf_call_iptables) if (!brnf_call_iptables && !br->nf_call_iptables)
return NF_ACCEPT; return NF_ACCEPT;
#endif
if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) && if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
!IS_PPPOE_IP(skb)) !IS_PPPOE_IP(skb))
...@@ -715,12 +723,17 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb, ...@@ -715,12 +723,17 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
struct net_bridge_port *p;
struct net_bridge *br;
struct net_device **d = (struct net_device **)(skb->cb); struct net_device **d = (struct net_device **)(skb->cb);
#ifdef CONFIG_SYSCTL p = br_port_get_rcu(out);
if (!brnf_call_arptables) if (p == NULL)
return NF_ACCEPT;
br = p->br;
if (!brnf_call_arptables && !br->nf_call_arptables)
return NF_ACCEPT; return NF_ACCEPT;
#endif
if (skb->protocol != htons(ETH_P_ARP)) { if (skb->protocol != htons(ETH_P_ARP)) {
if (!IS_VLAN_ARP(skb)) if (!IS_VLAN_ARP(skb))
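Review bot: In br_nf_pre_routing and br_nf_forward_arp the per-bridge flag is ORed with the global default (`!brnf_call_iptables && !br->nf_call_iptables` and the two sibling checks), so while the global value stays at 1 (its default for brnf_call_arptables in the first hunk, and the value hard-wired when CONFIG_SYSCTL is off) the new sysfs knob cannot switch netfilter off for a single bridge; it can only add bridges when the global value is 0. That asymmetry is stated nowhere in the patch and deserves a comment above the first check, e.g. `/* per-bridge flag can force iptables on, never off: the global value wins when set */`. Also, a NULL result from `br_port_get_rcu(in)` now goes to the `out` label shared with the pskb_may_pull failure; whether a non-port `in` can reach this hook is not visible here, so a one-line comment stating what `out` does with such a packet would help the next reader. Both function bodies continue outside the hunks.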
......
...@@ -176,6 +176,9 @@ struct net_bridge ...@@ -176,6 +176,9 @@ struct net_bridge
unsigned long feature_mask; unsigned long feature_mask;
#ifdef CONFIG_BRIDGE_NETFILTER #ifdef CONFIG_BRIDGE_NETFILTER
struct rtable fake_rtable; struct rtable fake_rtable;
bool nf_call_iptables;
bool nf_call_ip6tables;
bool nf_call_arptables;
#endif #endif
unsigned long flags; unsigned long flags;
#define BR_SET_MAC_ADDR 0x00000001 #define BR_SET_MAC_ADDR 0x00000001
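Review bot: The three new bool fields have no comment, so a reader of struct net_bridge cannot tell that they are per-bridge additions to the global brnf_call_* defaults in br_netfilter.c rather than replacements for them (the checks there OR the two values). Suggest `bool nf_call_iptables; /* per-bridge; ORed with brnf_call_iptables */` and the same wording for nf_call_ip6tables and nf_call_arptables. The struct definition continues outside the hunk.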
......
...@@ -611,6 +611,73 @@ static DEVICE_ATTR(multicast_startup_query_interval, S_IRUGO | S_IWUSR, ...@@ -611,6 +611,73 @@ static DEVICE_ATTR(multicast_startup_query_interval, S_IRUGO | S_IWUSR,
show_multicast_startup_query_interval, show_multicast_startup_query_interval,
store_multicast_startup_query_interval); store_multicast_startup_query_interval);
#endif #endif
#ifdef CONFIG_BRIDGE_NETFILTER
static ssize_t show_nf_call_iptables(
struct device *d, struct device_attribute *attr, char *buf)
{
struct net_bridge *br = to_bridge(d);
return sprintf(buf, "%u\n", br->nf_call_iptables);
}
static int set_nf_call_iptables(struct net_bridge *br, unsigned long val)
{
br->nf_call_iptables = val ? true : false;
return 0;
}
static ssize_t store_nf_call_iptables(
struct device *d, struct device_attribute *attr, const char *buf,
size_t len)
{
return store_bridge_parm(d, buf, len, set_nf_call_iptables);
}
static DEVICE_ATTR(nf_call_iptables, S_IRUGO | S_IWUSR,
show_nf_call_iptables, store_nf_call_iptables);
static ssize_t show_nf_call_ip6tables(
struct device *d, struct device_attribute *attr, char *buf)
{
struct net_bridge *br = to_bridge(d);
return sprintf(buf, "%u\n", br->nf_call_ip6tables);
}
static int set_nf_call_ip6tables(struct net_bridge *br, unsigned long val)
{
br->nf_call_ip6tables = val ? true : false;
return 0;
}
static ssize_t store_nf_call_ip6tables(
struct device *d, struct device_attribute *attr, const char *buf,
size_t len)
{
return store_bridge_parm(d, buf, len, set_nf_call_ip6tables);
}
static DEVICE_ATTR(nf_call_ip6tables, S_IRUGO | S_IWUSR,
show_nf_call_ip6tables, store_nf_call_ip6tables);
static ssize_t show_nf_call_arptables(
struct device *d, struct device_attribute *attr, char *buf)
{
struct net_bridge *br = to_bridge(d);
return sprintf(buf, "%u\n", br->nf_call_arptables);
}
static int set_nf_call_arptables(struct net_bridge *br, unsigned long val)
{
br->nf_call_arptables = val ? true : false;
return 0;
}
static ssize_t store_nf_call_arptables(
struct device *d, struct device_attribute *attr, const char *buf,
size_t len)
{
return store_bridge_parm(d, buf, len, set_nf_call_arptables);
}
static DEVICE_ATTR(nf_call_arptables, S_IRUGO | S_IWUSR,
show_nf_call_arptables, store_nf_call_arptables);
#endif
static struct attribute *bridge_attrs[] = { static struct attribute *bridge_attrs[] = {
&dev_attr_forward_delay.attr, &dev_attr_forward_delay.attr,
...@@ -644,6 +711,11 @@ static struct attribute *bridge_attrs[] = { ...@@ -644,6 +711,11 @@ static struct attribute *bridge_attrs[] = {
&dev_attr_multicast_query_interval.attr, &dev_attr_multicast_query_interval.attr,
&dev_attr_multicast_query_response_interval.attr, &dev_attr_multicast_query_response_interval.attr,
&dev_attr_multicast_startup_query_interval.attr, &dev_attr_multicast_startup_query_interval.attr,
#endif
#ifdef CONFIG_BRIDGE_NETFILTER
&dev_attr_nf_call_iptables.attr,
&dev_attr_nf_call_ip6tables.attr,
&dev_attr_nf_call_arptables.attr,
#endif #endif
NULL NULL
}; };
......
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/if_arp.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <net/icmp.h> #include <net/icmp.h>
#include <net/udp.h> #include <net/udp.h>
...@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info, ...@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info,
/* maxlen = 230+ 91 + 230 + 252 = 803 */ /* maxlen = 230+ 91 + 230 + 252 = 803 */
} }
static void dump_mac_header(const struct nf_loginfo *info,
const struct sk_buff *skb)
{
struct net_device *dev = skb->dev;
unsigned int logflags = 0;
if (info->type == NF_LOG_TYPE_LOG)
logflags = info->u.log.logflags;
if (!(logflags & IPT_LOG_MACDECODE))
goto fallback;
switch (dev->type) {
case ARPHRD_ETHER:
printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
ntohs(eth_hdr(skb)->h_proto));
return;
default:
break;
}
fallback:
printk("MAC=");
if (dev->hard_header_len &&
skb->mac_header != skb->network_header) {
const unsigned char *p = skb_mac_header(skb);
unsigned int i;
printk("%02x", *p++);
for (i = 1; i < dev->hard_header_len; i++, p++)
printk(":%02x", *p);
}
printk(" ");
}
static struct nf_loginfo default_loginfo = { static struct nf_loginfo default_loginfo = {
.type = NF_LOG_TYPE_LOG, .type = NF_LOG_TYPE_LOG,
.u = { .u = {
...@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf, ...@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf,
} }
#endif #endif
if (in && !out) { /* MAC logging for input path only. */
/* MAC logging for input chain only. */ if (in && !out)
printk("MAC="); dump_mac_header(loginfo, skb);
if (skb->dev && skb->dev->hard_header_len &&
skb->mac_header != skb->network_header) {
int i;
const unsigned char *p = skb_mac_header(skb);
for (i = 0; i < skb->dev->hard_header_len; i++,p++)
printk("%02x%c", *p,
i==skb->dev->hard_header_len - 1
? ' ':':');
} else
printk(" ");
}
dump_packet(loginfo, skb, 0); dump_packet(loginfo, skb, 0);
printk("\n"); printk("\n");
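Review bot: dump_mac_header dereferences `skb->dev` unconditionally (`switch (dev->type)` and `dev->hard_header_len` in the fallback), whereas the code it replaces in ipt_log_packet guarded every access with `skb->dev &&`; whether skb->dev can be NULL when `in` is set is not visible here, but the guard was dropped without explanation and a NULL would oops inside the logging path. Keeping the old behaviour costs one test: `if (dev == NULL || !(logflags & IPT_LOG_MACDECODE)) goto fallback;` together with `if (dev != NULL && dev->hard_header_len &&` at the fallback, which still prints `MAC= ` exactly as before. The ARPHRD_ETHER branch also reads through `eth_hdr(skb)` without the `mac_header != network_header` test the fallback keeps, so a one-line comment stating why the MAC header is always present on an input-path Ethernet skb would help. The ip6t_LOG.c copy of dump_mac_header drops the same NULL check.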
......
...@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING || NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_POST_ROUTING || par->hooknum == NF_INET_POST_ROUTING ||
par->hooknum == NF_INET_LOCAL_OUT); par->hooknum == NF_INET_LOCAL_OUT ||
par->hooknum == NF_INET_LOCAL_IN);
ct = nf_ct_get(skb, &ctinfo); ct = nf_ct_get(skb, &ctinfo);
netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip); netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
...@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = { ...@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = {
.table = "nat", .table = "nat",
.hooks = (1 << NF_INET_PRE_ROUTING) | .hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) | (1 << NF_INET_POST_ROUTING) |
(1 << NF_INET_LOCAL_OUT), (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg_check, .checkentry = netmap_tg_check,
.me = THIS_MODULE .me = THIS_MODULE
}; };
......
...@@ -28,7 +28,8 @@ ...@@ -28,7 +28,8 @@
#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \ #define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
(1 << NF_INET_POST_ROUTING) | \ (1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT)) (1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_LOCAL_IN))
static const struct xt_table nat_table = { static const struct xt_table nat_table = {
.name = "nat", .name = "nat",
...@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
const struct nf_nat_multi_range_compat *mr = par->targinfo; const struct nf_nat_multi_range_compat *mr = par->targinfo;
NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING); NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
par->hooknum == NF_INET_LOCAL_IN);
ct = nf_ct_get(skb, &ctinfo); ct = nf_ct_get(skb, &ctinfo);
...@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par) ...@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
return 0; return 0;
} }
unsigned int static unsigned int
alloc_null_binding(struct nf_conn *ct, unsigned int hooknum) alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
{ {
/* Force range to this IP; let proto decide mapping for /* Force range to this IP; let proto decide mapping for
...@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = { ...@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
.target = ipt_snat_target, .target = ipt_snat_target,
.targetsize = sizeof(struct nf_nat_multi_range_compat), .targetsize = sizeof(struct nf_nat_multi_range_compat),
.table = "nat", .table = "nat",
.hooks = 1 << NF_INET_POST_ROUTING, .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
.checkentry = ipt_snat_checkentry, .checkentry = ipt_snat_checkentry,
.family = AF_INET, .family = AF_INET,
}; };
......
...@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum, ...@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum,
if (!nf_nat_initialized(ct, maniptype)) { if (!nf_nat_initialized(ct, maniptype)) {
unsigned int ret; unsigned int ret;
if (hooknum == NF_INET_LOCAL_IN) ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
/* LOCAL_IN hook doesn't have a chain! */
ret = alloc_null_binding(ct, hooknum);
else
ret = nf_nat_rule_find(skb, hooknum, in, out,
ct);
if (ret != NF_ACCEPT) if (ret != NF_ACCEPT)
return ret; return ret;
} else } else
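Review bot: With the `LOCAL_IN hook doesn't have a chain!` special case removed, nf_nat_fn relies on nf_nat_rule_find to produce a null binding for LOCAL_IN connections that match no rule; that function is outside the hunk, and alloc_null_binding became static in nf_nat_rule.c in this same commit, so presumably the fallback now lives there. Nothing in the new line records that dependency, so suggest `ret = nf_nat_rule_find(skb, hooknum, in, out, ct); /* all hooks incl. LOCAL_IN have a chain; nf_nat_rule_find supplies the null binding when no rule matches */`, to be confirmed against nf_nat_rule_find. The body of nf_nat_fn continues outside the hunk.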
......
...@@ -373,6 +373,56 @@ static void dump_packet(const struct nf_loginfo *info, ...@@ -373,6 +373,56 @@ static void dump_packet(const struct nf_loginfo *info,
printk("MARK=0x%x ", skb->mark); printk("MARK=0x%x ", skb->mark);
} }
static void dump_mac_header(const struct nf_loginfo *info,
const struct sk_buff *skb)
{
struct net_device *dev = skb->dev;
unsigned int logflags = 0;
if (info->type == NF_LOG_TYPE_LOG)
logflags = info->u.log.logflags;
if (!(logflags & IP6T_LOG_MACDECODE))
goto fallback;
switch (dev->type) {
case ARPHRD_ETHER:
printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
ntohs(eth_hdr(skb)->h_proto));
return;
default:
break;
}
fallback:
printk("MAC=");
if (dev->hard_header_len &&
skb->mac_header != skb->network_header) {
const unsigned char *p = skb_mac_header(skb);
unsigned int len = dev->hard_header_len;
unsigned int i;
if (dev->type == ARPHRD_SIT &&
(p -= ETH_HLEN) < skb->head)
p = NULL;
if (p != NULL) {
printk("%02x", *p++);
for (i = 1; i < len; i++)
printk(":%02x", p[i]);
}
printk(" ");
if (dev->type == ARPHRD_SIT) {
const struct iphdr *iph =
(struct iphdr *)skb_mac_header(skb);
printk("TUNNEL=%pI4->%pI4 ", &iph->saddr, &iph->daddr);
}
} else
printk(" ");
}
static struct nf_loginfo default_loginfo = { static struct nf_loginfo default_loginfo = {
.type = NF_LOG_TYPE_LOG, .type = NF_LOG_TYPE_LOG,
.u = { .u = {
...@@ -400,35 +450,10 @@ ip6t_log_packet(u_int8_t pf, ...@@ -400,35 +450,10 @@ ip6t_log_packet(u_int8_t pf,
prefix, prefix,
in ? in->name : "", in ? in->name : "",
out ? out->name : ""); out ? out->name : "");
if (in && !out) {
unsigned int len;
/* MAC logging for input chain only. */
printk("MAC=");
if (skb->dev && (len = skb->dev->hard_header_len) &&
skb->mac_header != skb->network_header) {
const unsigned char *p = skb_mac_header(skb);
int i;
if (skb->dev->type == ARPHRD_SIT &&
(p -= ETH_HLEN) < skb->head)
p = NULL;
if (p != NULL) {
for (i = 0; i < len; i++)
printk("%02x%s", p[i],
i == len - 1 ? "" : ":");
}
printk(" ");
if (skb->dev->type == ARPHRD_SIT) { /* MAC logging for input path only. */
const struct iphdr *iph = if (in && !out)
(struct iphdr *)skb_mac_header(skb); dump_mac_header(loginfo, skb);
printk("TUNNEL=%pI4->%pI4 ",
&iph->saddr, &iph->daddr);
}
} else
printk(" ");
}
dump_packet(loginfo, skb, skb_network_offset(skb), 1); dump_packet(loginfo, skb, skb_network_offset(skb), 1);
printk("\n"); printk("\n");
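Review bot: The fallback loop in dump_mac_header skips the second byte of the link-layer header and prints one byte past its end: `printk("%02x", *p++)` advances `p`, and the loop then prints `p[i]` for i from 1, i.e. bytes 2..len of the original header, the last of which lies outside hard_header_len. The old code printed exactly `len` bytes, and the ipt_LOG.c copy advances `p` inside the loop instead, so it is only this copy that is wrong; the fix is to stop advancing the pointer, `printk("%02x", *p);`, and leave the loop as it is. Logging a byte beyond the header is a small out-of-bounds read of skb memory into the kernel log, so it is worth fixing before this ships. The function also drops the `skb->dev` NULL test the replaced code in ip6t_log_packet had.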
......
...@@ -40,27 +40,6 @@ config NF_CONNTRACK ...@@ -40,27 +40,6 @@ config NF_CONNTRACK
if NF_CONNTRACK if NF_CONNTRACK
config NF_CT_ACCT
bool "Connection tracking flow accounting"
depends on NETFILTER_ADVANCED
help
If this option is enabled, the connection tracking code will
keep per-flow packet and byte counters.
Those counters can be used for flow-based accounting or the
`connbytes' match.
Please note that currently this option only sets a default state.
You may change it at boot time with nf_conntrack.acct=0/1 kernel
parameter or by loading the nf_conntrack module with acct=0/1.
You may also disable/enable it on a running system with:
sysctl net.netfilter.nf_conntrack_acct=0/1
This option will be removed in 2.6.29.
If unsure, say `N'.
config NF_CONNTRACK_MARK config NF_CONNTRACK_MARK
bool 'Connection mark tracking support' bool 'Connection mark tracking support'
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
...@@ -515,7 +494,7 @@ config NETFILTER_XT_TARGET_RATEEST ...@@ -515,7 +494,7 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TEE config NETFILTER_XT_TARGET_TEE
tristate '"TEE" - packet cloning to alternate destiantion' tristate '"TEE" - packet cloning to alternate destination'
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
depends on (IPV6 || IPV6=n) depends on (IPV6 || IPV6=n)
depends on !NF_CONNTRACK || NF_CONNTRACK depends on !NF_CONNTRACK || NF_CONNTRACK
...@@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES ...@@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support' tristate '"connbytes" per-connection counter match support'
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
select NF_CT_ACCT
help help
This option adds a `connbytes' match, which allows you to match the This option adds a `connbytes' match, which allows you to match the
number of bytes and/or packets for each direction within a connection. number of bytes and/or packets for each direction within a connection.
......
...@@ -158,6 +158,9 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp) ...@@ -158,6 +158,9 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
unsigned hash; unsigned hash;
int ret; int ret;
if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
return 0;
/* Hash by protocol, client address and port */ /* Hash by protocol, client address and port */
hash = ip_vs_conn_hashkey(cp->af, cp->protocol, &cp->caddr, cp->cport); hash = ip_vs_conn_hashkey(cp->af, cp->protocol, &cp->caddr, cp->cport);
...@@ -359,8 +362,9 @@ struct ip_vs_conn *ip_vs_conn_out_get ...@@ -359,8 +362,9 @@ struct ip_vs_conn *ip_vs_conn_out_get
*/ */
void ip_vs_conn_put(struct ip_vs_conn *cp) void ip_vs_conn_put(struct ip_vs_conn *cp)
{ {
/* reset it expire in its timeout */ unsigned long t = (cp->flags & IP_VS_CONN_F_ONE_PACKET) ?
mod_timer(&cp->timer, jiffies+cp->timeout); 0 : cp->timeout;
mod_timer(&cp->timer, jiffies+t);
__ip_vs_conn_put(cp); __ip_vs_conn_put(cp);
} }
...@@ -653,7 +657,7 @@ static void ip_vs_conn_expire(unsigned long data) ...@@ -653,7 +657,7 @@ static void ip_vs_conn_expire(unsigned long data)
/* /*
* unhash it if it is hashed in the conn table * unhash it if it is hashed in the conn table
*/ */
if (!ip_vs_conn_unhash(cp)) if (!ip_vs_conn_unhash(cp) && !(cp->flags & IP_VS_CONN_F_ONE_PACKET))
goto expire_later; goto expire_later;
/* /*
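Review bot: ip_vs_conn_hash now returns 0 for IP_VS_CONN_F_ONE_PACKET connections without a comment, and 0 is also the value its `int ret` path returns when the entry is already hashed; whether callers distinguish "not hashed on purpose" from that case is not visible here, so the early return should say what it means, e.g. `/* one-packet connections are never hashed: nothing looks them up and ip_vs_conn_put() expires them at once */`. That comment also explains the ip_vs_conn_put and ip_vs_conn_expire hunks, which otherwise look unrelated. The body of ip_vs_conn_hash continues outside the hunk.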
......
...@@ -194,6 +194,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc, ...@@ -194,6 +194,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
struct ip_vs_dest *dest; struct ip_vs_dest *dest;
struct ip_vs_conn *ct; struct ip_vs_conn *ct;
__be16 dport; /* destination port to forward */ __be16 dport; /* destination port to forward */
__be16 flags;
union nf_inet_addr snet; /* source network of the client, union nf_inet_addr snet; /* source network of the client,
after masking */ after masking */
...@@ -340,6 +341,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc, ...@@ -340,6 +341,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
dport = ports[1]; dport = ports[1];
} }
flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
&& iph.protocol == IPPROTO_UDP)?
IP_VS_CONN_F_ONE_PACKET : 0;
/* /*
* Create a new connection according to the template * Create a new connection according to the template
*/ */
...@@ -347,7 +352,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc, ...@@ -347,7 +352,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
&iph.saddr, ports[0], &iph.saddr, ports[0],
&iph.daddr, ports[1], &iph.daddr, ports[1],
&dest->addr, dport, &dest->addr, dport,
0, flags,
dest); dest);
if (cp == NULL) { if (cp == NULL) {
ip_vs_conn_put(ct); ip_vs_conn_put(ct);
...@@ -377,7 +382,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb) ...@@ -377,7 +382,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
struct ip_vs_conn *cp = NULL; struct ip_vs_conn *cp = NULL;
struct ip_vs_iphdr iph; struct ip_vs_iphdr iph;
struct ip_vs_dest *dest; struct ip_vs_dest *dest;
__be16 _ports[2], *pptr; __be16 _ports[2], *pptr, flags;
ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph); ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports); pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
...@@ -407,6 +412,10 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb) ...@@ -407,6 +412,10 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
return NULL; return NULL;
} }
flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
&& iph.protocol == IPPROTO_UDP)?
IP_VS_CONN_F_ONE_PACKET : 0;
/* /*
* Create a connection entry. * Create a connection entry.
*/ */
...@@ -414,7 +423,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb) ...@@ -414,7 +423,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
&iph.saddr, pptr[0], &iph.saddr, pptr[0],
&iph.daddr, pptr[1], &iph.daddr, pptr[1],
&dest->addr, dest->port ? dest->port : pptr[1], &dest->addr, dest->port ? dest->port : pptr[1],
0, flags,
dest); dest);
if (cp == NULL) if (cp == NULL)
return NULL; return NULL;
...@@ -464,6 +473,9 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, ...@@ -464,6 +473,9 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) { if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
int ret, cs; int ret, cs;
struct ip_vs_conn *cp; struct ip_vs_conn *cp;
__u16 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
iph.protocol == IPPROTO_UDP)?
IP_VS_CONN_F_ONE_PACKET : 0;
union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } }; union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
ip_vs_service_put(svc); ip_vs_service_put(svc);
...@@ -474,7 +486,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb, ...@@ -474,7 +486,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
&iph.saddr, pptr[0], &iph.saddr, pptr[0],
&iph.daddr, pptr[1], &iph.daddr, pptr[1],
&daddr, 0, &daddr, 0,
IP_VS_CONN_F_BYPASS, IP_VS_CONN_F_BYPASS | flags,
NULL); NULL);
if (cp == NULL) if (cp == NULL)
return NF_DROP; return NF_DROP;
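Review bot: `flags` is declared `__be16` in ip_vs_sched_persist and ip_vs_schedule but `__u16` in ip_vs_leave, and in all three it holds IP_VS_CONN_F_ONE_PACKET, a host-order flag bit; only the `__u16` form is right, and sparse will complain about assigning a plain constant to a `__be16`. Suggest `__u16 flags;` in ip_vs_sched_persist and `__be16 _ports[2], *pptr;` followed by `__u16 flags;` in ip_vs_schedule. The expression `(svc->flags & IP_VS_SVC_F_ONEPACKET && iph.protocol == IPPROTO_UDP) ? IP_VS_CONN_F_ONE_PACKET : 0` is copied verbatim three times; a small static helper taking `svc` and `&iph` would keep the UDP-only rule in one place. All three function bodies continue outside the hunks.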
......
...@@ -1864,14 +1864,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v) ...@@ -1864,14 +1864,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
svc->scheduler->name); svc->scheduler->name);
else else
#endif #endif
seq_printf(seq, "%s %08X:%04X %s ", seq_printf(seq, "%s %08X:%04X %s %s ",
ip_vs_proto_name(svc->protocol), ip_vs_proto_name(svc->protocol),
ntohl(svc->addr.ip), ntohl(svc->addr.ip),
ntohs(svc->port), ntohs(svc->port),
svc->scheduler->name); svc->scheduler->name,
(svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
} else { } else {
seq_printf(seq, "FWM %08X %s ", seq_printf(seq, "FWM %08X %s %s",
svc->fwmark, svc->scheduler->name); svc->fwmark, svc->scheduler->name,
(svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
} }
if (svc->flags & IP_VS_SVC_F_PERSISTENT) if (svc->flags & IP_VS_SVC_F_PERSISTENT)
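Review bot: The non-fwmark seq_printf now uses `"%s %08X:%04X %s %s "` with `""` as the last argument for ordinary services, so every such line in /proc/net/ip_vs gains a second space after the scheduler name where the old format had one; the fwmark branch was converted to `"FWM %08X %s %s"` and keeps its old spacing, so the two branches are now inconsistent with each other and with the previous output. To keep the output byte-identical for services without the flag, drop the trailing blank: `seq_printf(seq, "%s %08X:%04X %s %s",`. The body of ip_vs_info_seq_show continues outside the hunk.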
......
...@@ -17,13 +17,7 @@ ...@@ -17,13 +17,7 @@
#include <net/netfilter/nf_conntrack_extend.h> #include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_acct.h> #include <net/netfilter/nf_conntrack_acct.h>
#ifdef CONFIG_NF_CT_ACCT static int nf_ct_acct __read_mostly;
#define NF_CT_ACCT_DEFAULT 1
#else
#define NF_CT_ACCT_DEFAULT 0
#endif
static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
module_param_named(acct, nf_ct_acct, bool, 0644); module_param_named(acct, nf_ct_acct, bool, 0644);
MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting."); MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
...@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net) ...@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net)
net->ct.sysctl_acct = nf_ct_acct; net->ct.sysctl_acct = nf_ct_acct;
if (net_eq(net, &init_net)) { if (net_eq(net, &init_net)) {
#ifdef CONFIG_NF_CT_ACCT
printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use\n");
printk(KERN_WARNING "nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or\n");
printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
#endif
ret = nf_ct_extend_register(&acct_extend); ret = nf_ct_extend_register(&acct_extend);
if (ret < 0) { if (ret < 0) {
printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
......
...@@ -36,6 +36,7 @@ ...@@ -36,6 +36,7 @@
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_IDLETIMER.h> #include <linux/netfilter/xt_IDLETIMER.h>
#include <linux/kdev_t.h>
#include <linux/kobject.h> #include <linux/kobject.h>
#include <linux/workqueue.h> #include <linux/workqueue.h>
#include <linux/sysfs.h> #include <linux/sysfs.h>
......
...@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par) ...@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
if (ret < 0) if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n", pr_info("cannot load conntrack support for proto=%u\n",
par->family); par->family);
/*
* This filter cannot function correctly unless connection tracking
* accounting is enabled, so complain in the hope that someone notices.
*/
if (!nf_ct_acct_enabled(par->net)) {
pr_warning("Forcing CT accounting to be enabled\n");
nf_ct_set_acct(par->net, true);
}
return ret; return ret;
} }
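Review bot: The comment above the new block says the check will "complain", but the code changes system state: nf_ct_set_acct turns accounting on for the whole network namespace, overriding the acct module parameter and sysctl, and nothing turns it back off when the rule is removed. The comment should describe that, e.g. `/* connbytes needs per-flow counters: force accounting on for this netns (it stays on after the rule is deleted) */`. Presumably counters are only attached to conntracks created after this point, so existing flows will not match until they expire; that is worth a sentence in the same comment once confirmed. The block also runs when `ret < 0` above, which is harmless but reads oddly next to the error message.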
......