pm24.git/include/linux/netfilter, branch v3.4-rc3

netfilter: ipset: avoid use of kernel-only types

2012-03-26T19:06:30Z

When using the xt_set.h header in userspace, one will get these gcc reports: ipset/ip_set.h:184:1: error: unknown type name "u16" In file included from libxt_SET.c:21:0: netfilter/xt_set.h:61:2: error: unknown type name "u32" netfilter/xt_set.h:62:2: error: unknown type name "u32" Signed-off-by: Jan Engelhardt Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso

netfilter: xt_CT: allow to attach timeout policy + glue code

2012-03-07T16:41:28Z

This patch allows you to attach the timeout policy via the CT target, it adds a new revision of the target to ensure backward compatibility. Moreover, it also contains the glue code to stick the timeout object defined via nfnetlink_cttimeout to the given flow. Example usage (it requires installing the nfct tool and libnetfilter_cttimeout): 1) create the timeout policy: nfct timeout add tcp-policy0 inet tcp \ established 1000 close 10 time_wait 10 last_ack 10 2) attach the timeout policy to the packet: iptables -I PREROUTING -t raw -p tcp -j CT --timeout tcp-policy0 You have to install the following user-space software: a) libnetfilter_cttimeout: git://git.netfilter.org/libnetfilter_cttimeout b) nfct: git://git.netfilter.org/nfct You also have to get iptables with -j CT --timeout support. Signed-off-by: Pablo Neira Ayuso

netfilter: add cttimeout infrastructure for fine timeout tuning

2012-03-07T16:41:22Z

This patch adds the infrastructure to add fine timeout tuning over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT subsystem to create/delete/dump timeout objects that contain some specific timeout policy for one flow. The follow up patches will allow you attach timeout policy object to conntrack via the CT target and the conntrack extension infrastructure. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_ct_tcp: move retransmission and unacknowledged timeout to array

2012-03-07T16:41:15Z

This patch moves the retransmission and unacknowledged timeouts to the tcp_timeouts array. This change is required by follow-up patches. Signed-off-by: Pablo Neira Ayuso

netfilter: merge ipt_LOG and ip6_LOG into xt_LOG

2012-03-07T16:40:49Z

ipt_LOG and ip6_LOG have a lot of common code, merge them to reduce duplicate code. Signed-off-by: Richard Weinberger Signed-off-by: Pablo Neira Ayuso

netfilter: ctnetlink: allow to set expectfn for expectations

2012-03-07T16:40:46Z

This patch allows you to set expectfn which is specifically used by the NAT side of most of the existing conntrack helpers. I have added a symbol map that uses a string as key to look up for the function that is attached to the expectation object. This is the best solution I came out with to solve this issue. Signed-off-by: Pablo Neira Ayuso

netfilter: ctnetlink: add NAT support for expectations

2012-03-07T16:40:44Z

This patch adds the missing bits to create expectations that are created in NAT setups.

netfilter: ctnetlink: allow to set expectation class

2012-03-07T16:40:42Z

This patch allows you to set the expectation class. Signed-off-by: Pablo Neira Ayuso

netfilter: ipset: hash:net,iface timeout bug fixed

2012-03-07T16:40:37Z

Timed out entries were still matched till the garbage collector purged them out. The fix is verified in the testsuite. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso

netfilter: ipset: Exceptions support added to hash:net types

2012-03-07T16:40:35Z

The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso