From: Patrick McHardy <kaber <at> trash.net>
Subject: [NETFILTER 00/33]: Netfilter Update
Newsgroups: gmane.comp.security.firewalls.netfilter.devel
Date: Wednesday 29th November 2006 02:08:43 UTC (over 10 years ago)
Hi Dave,

following is a large netfilter update for 2.6.20. It contains some
cleanup of the nf_conntrack code and nf_conntrack sysctl/proc
compatibility with ip_conntrack, which both move a lot of code
around. Besides that there are some small enhancements for
nfnetlink_queue, nfnetlink_log and ctnetlink, a port of the hashlimit
match to xtables, a new NFLOG target for using the address family
independent nfnetlink_log mechanism, a set of patches to clean up
the SIP helper and fix multiple issues with the NAT helper, and a
few assorted fixes.

These patches contain all NAT unrelated parts from my nf_nat tree,
which is now down to about 10 patches adding NAT support and
ports of all helpers. I hope to get them ready for submission within
a week.

Please apply, thanks.

PS: You can (hopefully) also pull these changes from
http://people.netfilter.org/~kaber/nf-2.6.20.git


 include/linux/netfilter.h                             |   10 
 include/linux/netfilter/Kbuild                        |    2 
 include/linux/netfilter/nfnetlink_log.h               |    2 
 include/linux/netfilter/nfnetlink_queue.h             |    1 
 include/linux/netfilter/xt_NFLOG.h                    |   18 
 include/linux/netfilter/xt_hashlimit.h                |   40 
 include/linux/netfilter_bridge/ebt_nat.h              |    1 
 include/linux/netfilter_bridge/ebtables.h             |    4 
 include/linux/netfilter_ipv4/ip_conntrack.h           |    2 
 include/linux/netfilter_ipv4/ip_conntrack_sip.h       |   36 
 include/linux/netfilter_ipv4/ipt_LOG.h                |    2 
 include/linux/netfilter_ipv4/ipt_hashlimit.h          |   42 
 include/linux/netfilter_ipv6/ip6t_LOG.h               |    2 
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h        |    7 
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h        |   25 
 include/net/netfilter/nf_conntrack.h                  |  135 ---
 include/net/netfilter/nf_conntrack_core.h             |   20 
 include/net/netfilter/nf_conntrack_ecache.h           |   95 ++
 include/net/netfilter/nf_conntrack_expect.h           |   74 +
 include/net/netfilter/nf_conntrack_helper.h           |   20 
 include/net/netfilter/nf_conntrack_l3proto.h          |   15 
 include/net/netfilter/nf_conntrack_l4proto.h          |  146 +++
 include/net/netfilter/nf_conntrack_protocol.h         |  129 ---
 net/Kconfig                                           |    2 
 net/bridge/netfilter/ebt_mark.c                       |    6 
 net/bridge/netfilter/ebt_snat.c                       |   27 
 net/ipv4/netfilter/Kconfig                            |   25 
 net/ipv4/netfilter/Makefile                           |    6 
 net/ipv4/netfilter/ip_conntrack_amanda.c              |    9 
 net/ipv4/netfilter/ip_conntrack_core.c                |    8 
 net/ipv4/netfilter/ip_conntrack_ftp.c                 |    8 
 net/ipv4/netfilter/ip_conntrack_helper_h323.c         |  164 ++-
 net/ipv4/netfilter/ip_conntrack_helper_pptp.c         |   33 
 net/ipv4/netfilter/ip_conntrack_irc.c                 |   12 
 net/ipv4/netfilter/ip_conntrack_netlink.c             |   61 -
 net/ipv4/netfilter/ip_conntrack_proto_gre.c           |    2 
 net/ipv4/netfilter/ip_conntrack_sip.c                 |  126 +-
 net/ipv4/netfilter/ip_conntrack_standalone.c          |    6 
 net/ipv4/netfilter/ip_conntrack_tftp.c                |    6 
 net/ipv4/netfilter/ip_nat_amanda.c                    |    9 
 net/ipv4/netfilter/ip_nat_ftp.c                       |    9 
 net/ipv4/netfilter/ip_nat_helper_h323.c               |   58 -
 net/ipv4/netfilter/ip_nat_helper_pptp.c               |   29 
 net/ipv4/netfilter/ip_nat_irc.c                       |    9 
 net/ipv4/netfilter/ip_nat_sip.c                       |  223 ++---
 net/ipv4/netfilter/ip_nat_tftp.c                      |    9 
 net/ipv4/netfilter/ipt_CLUSTERIP.c                    |   25 
 net/ipv4/netfilter/ipt_LOG.c                          |    9 
 net/ipv4/netfilter/ipt_hashlimit.c                    |  733 -----------------
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c        |  156 +--
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c |  412 +++++++++
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c          |   54 +
 net/ipv6/netfilter/ip6_queue.c                        |    2 
 net/ipv6/netfilter/ip6t_LOG.c                         |    9 
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c        |   99 --
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c        |   38 
 net/netfilter/Kconfig                                 |   25 
 net/netfilter/Makefile                                |   13 
 net/netfilter/core.c                                  |    4 
 net/netfilter/nf_conntrack_core.c                     |  620 +-------------
 net/netfilter/nf_conntrack_ecache.c                   |   93 ++
 net/netfilter/nf_conntrack_expect.c                   |  370 ++++++++
 net/netfilter/nf_conntrack_ftp.c                      |   12 
 net/netfilter/nf_conntrack_helper.c                   |  158 +++
 net/netfilter/nf_conntrack_l3proto_generic.c          |    7 
 net/netfilter/nf_conntrack_netlink.c                  |  118 +-
 net/netfilter/nf_conntrack_proto.c                    |  486 ++++++++++-
 net/netfilter/nf_conntrack_proto_generic.c            |   47 +
 net/netfilter/nf_conntrack_proto_sctp.c               |  195 ++--
 net/netfilter/nf_conntrack_proto_tcp.c                |  262 +++++-
 net/netfilter/nf_conntrack_proto_udp.c                |   82 +
 net/netfilter/nf_conntrack_standalone.c               |  385 --------
 net/netfilter/nf_sysctl.c                             |  134 +++
 net/netfilter/nfnetlink_log.c                         |   19 
 net/netfilter/nfnetlink_queue.c                       |    8 
 net/netfilter/xt_CONNMARK.c                           |    3 
 net/netfilter/xt_NFLOG.c                              |   86 ++
 net/netfilter/xt_hashlimit.c                          |  772 ++++++++++++++++++
 78 files changed, 4310 insertions(+), 2801 deletions(-)

Bart De Schuymer:
      [NETFILTER]: ebtables: add --snap-arp option

Eric Leblond:
      [NETFILTER]: nfnetlink_queue: allow changing queue length through netlink

Martin Josefsson:
      [NETFILTER]: nf_conntrack: split out expectation handling
      [NETFILTER]: nf_conntrack: split out helper handling
      [NETFILTER]: nf_conntrack: split out the event cache
      [NETFILTER]: nf_conntrack: split out protocol handling
      [NETFILTER]: More __read_mostly annotations
      [NETFILTER]: nf_conntrack: rename struct nf_conntrack_protocol
      [NETFILTER]: nf_conntrack: more sanity checks in protocol registration/unregistration
      [NETFILTER]: nf_conntrack: remove ASSERT_{READ,WRITE}_LOCK
      [NETFILTER]: nf_conntrack: minor __nf_ct_refresh_acct() whitespace cleanup
      [NETFILTER]: nf_conntrack: remove unused struct list_head from protocols
      [NETFILTER]: nf_conntrack: reduce timer updates in __nf_ct_refresh_acct()

Pablo Neira Ayuso:
      [NETFILTER]: ctnetlink: check for status attribute existence on conntrack creation
      [NETFILTER]: ctnetlink: rework conntrack fields dumping logic on events
      [NETFILTER]: remove the reference to ipchains from Kconfig

Patrick McHardy:
      [NETFILTER]: nf_conntrack_ftp: fix missing helper mask initilization
      [NETFILTER]: nf_conntrack: move extern declaration to header files
      [NETFILTER]: nf_conntrack: automatic sysctl registation for conntrack protocols
      [NETFILTER]: nf_conntrack: move conntrack protocol sysctls to individual modules
      [NETFILTER]: nf_conntrack: sysctl compatibility with old connection tracking
      [NETFILTER]: nf_conntrack: /proc compatibility with old connection tracking
      [NETFILTER]: ip_conntrack: fix NAT helper unload races
      [NETFILTER]: sip conntrack: minor cleanup
      [NETFILTER]: sip conntrack: do case insensitive SIP header search
      [NETFILTER]: sip conntrack: make header shortcuts optional
      [NETFILTER]: sip conntrack: better NAT handling
      [NETFILTER]: nfnetlink_log: remove useless prefix length limitation
      [NETFILTER]: x_tables: add port of hashlimit match for IPv4 and IPv6
      [NETFILTER]: x_tables: add NFLOG target
      [NETFILTER]: remove remaining ASSERT_{READ,WRITE}_LOCK
      [NETFILTER]: Fix PROC_FS=n warnings

Yasuyuki Kozakai:
      [NETFILTER]: conntrack: add '_get' to {ip, nf}_conntrack_expect_find
 