Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
kernel-fxtec-pro1x/include/net/netfilter
History
Pablo Neira Ayuso 3d058d7bc2 netfilter: rework user-space expectation helper support 
This partially reworks bc01befdcf
which added userspace expectation support.

This patch removes the nf_ct_userspace_expect_list since now we
force to use the new iptables CT target feature to add the helper
extension for conntracks that have attached expectations from
userspace.

A new version of the proof-of-concept code to implement userspace
helpers from userspace is available at:

http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-POC.tar.bz2

This patch also modifies the CT target to allow to set the
conntrack's userspace helper status flags. This flag is used
to tell the conntrack system to explicitly allocate the helper
extension.

This helper extension is useful to link the userspace expectations
with the master conntrack that is being tracked from one userspace
helper.

This feature fixes a problem in the current approach of the
userspace helper support. Basically, if the master conntrack that
has got a userspace expectation vanishes, the expectations point to
one invalid memory address. Thus, triggering an oops in the
expectation deletion event path.

I decided not to add a new revision of the CT target because
I only needed to add a new flag for it. I'll document in this
issue in the iptables manpage. I have also changed the return
value from EINVAL to EOPNOTSUPP if one flag not supported is
specified. Thus, in the future adding new features that only
require a new flag can be added without a new revision.

There is no official code using this in userspace (apart from
the proof-of-concept) that uses this infrastructure but there
will be some by beginning 2012.

Reported-by: Sam Roberts <vieuxtech@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-12-23 14:36:39 +01:00
..
ipv4
ipv6 netfilter: fix compilation when conntrack is disabled but tproxy is enabled 2011-01-12 20:25:08 +01:00
nf_conntrack.h nf_conntrack.h: fix up fallout from implicit moduleparam.h presence 2011-10-31 19:32:33 -04:00
nf_conntrack_acct.h netfilter: nf_conntrack: use atomic64 for accounting counters 2011-12-18 01:19:19 +01:00
nf_conntrack_core.h
nf_conntrack_ecache.h netfilter: nf_conntrack: make event callback registration per-netns 2011-11-22 00:34:47 +01:00
nf_conntrack_expect.h netfilter: rework user-space expectation helper support 2011-12-23 14:36:39 +01:00
nf_conntrack_extend.h netfilter: nf_conntrack_tstamp: add flow-based timestamp extension 2011-01-19 16:00:07 +01:00
nf_conntrack_helper.h netfilter: nf_conntrack: nf_conntrack snmp helper 2011-01-18 18:12:24 +01:00
nf_conntrack_l3proto.h netfilter: add __rcu annotations 2010-11-15 18:17:21 +01:00
nf_conntrack_l4proto.h
nf_conntrack_timestamp.h netfilter: nf_conntrack: fix linker error with NF_CONNTRACK_TIMESTAMP=n 2011-01-20 20:46:52 +01:00
nf_conntrack_tuple.h netfilter: export NAT definitions through linux/netfilter_ipv4/nf_nat.h 2011-11-01 09:19:52 +01:00
nf_conntrack_zones.h
nf_log.h treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
nf_nat.h netfilter: export NAT definitions through linux/netfilter_ipv4/nf_nat.h 2011-11-01 09:19:52 +01:00
nf_nat_core.h netfilter: nf_nat: fix conversion to non-atomic bit ops 2011-01-18 15:02:48 +01:00
nf_nat_helper.h
nf_nat_protocol.h
nf_nat_rule.h
nf_queue.h
nf_tproxy_core.h netfilter: tproxy: do not assign timewait sockets to skb->sk 2011-02-17 11:32:38 +01:00
nfnetlink_log.h
xt_log.h
xt_rateest.h