[netfilter-cvslog] r3243 - in trunk/patch-o-matic-ng: . ctstat raw
tcp-window-tracking
/C=DE/ST=Berlin/L=Berlin/O=Netfilter
/C=DE/ST=Berlin/L=Berlin/O=Netfilter
Wed Oct 20 17:27:17 CEST 2004
Author: /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge at netfilter.org
Date: 2004-10-20 17:27:16 +0200 (Wed, 20 Oct 2004)
New Revision: 3243
Removed:
trunk/patch-o-matic-ng/README.updates
trunk/patch-o-matic-ng/TODO
trunk/patch-o-matic-ng/conntrack-seqfile/
trunk/patch-o-matic-ng/convert2pomng.sh
trunk/patch-o-matic-ng/ctstat/help
trunk/patch-o-matic-ng/ctstat/info
trunk/patch-o-matic-ng/ctstat/linux-2.4.patch
trunk/patch-o-matic-ng/ctstat/linux-2.4/
trunk/patch-o-matic-ng/ctstat/linux-2.6.patch
trunk/patch-o-matic-ng/ctstat/linux-2.6/
trunk/patch-o-matic-ng/expect-optimize/
trunk/patch-o-matic-ng/expect-slab-cache/
trunk/patch-o-matic-ng/ip_conntrack_count/
trunk/patch-o-matic-ng/ipt_helper-any/
trunk/patch-o-matic-ng/pom26convert
trunk/patch-o-matic-ng/raw/linux-2.6.patch
trunk/patch-o-matic-ng/raw/linux-2.6/
trunk/patch-o-matic-ng/sctp-conntrack-nat/
trunk/patch-o-matic-ng/tcp-window-tracking/linux-2.6.patch
trunk/patch-o-matic-ng/updates/
trunk/patch-o-matic-ng/xover/
Modified:
trunk/patch-o-matic-ng/Netfilter_POM.pm
trunk/patch-o-matic-ng/README
Log:
large restructuring/removal of pom-ng following up on the devel workshop
Modified: trunk/patch-o-matic-ng/Netfilter_POM.pm
===================================================================
--- trunk/patch-o-matic-ng/Netfilter_POM.pm 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/Netfilter_POM.pm 2004-10-20 15:27:16 UTC (rev 3243)
@@ -210,24 +210,6 @@
my($type, $proj, $ver, $bingo, $match);
my $best_match = 0;
- # Special case for updates
- if ($patchlet->{basedir} =~ m,/updates$,) {
- # Every patch in updates is a patchlet
- foreach $proj (keys %{$patchlet->{patch}}) {
- # No dependecy? Check patch itself.
- next unless defined $patchlet->{info}->{depends};
- # The first updates patch at the same branch can always be
- # applied, thanks to the checkings in init.
- $ver = (keys %{$patchlet->{patch}->{$proj}})[0];
- next unless $patchlet->{patch}->{$proj}->{$ver} =~
- /$self->{projects}->{$proj}->{branch}/;
- $patchlet->{patch}->{$proj}->{best} =
- $patchlet->{patch}->{$proj}->{$ver};
- $best_match = 1;
- }
- }
- goto FOUND if $best_match;
-
# Search best (nearest) match
foreach $type (qw(patch files ladds)) {
next unless exists $patchlet->{$type};
@@ -562,13 +544,6 @@
}
$patchlet->{patch}->{$project}->{$version} = [ $patchlet->{name} ];
- # Implicit dependency between updates
- if ($version =~ /$self->{projects}->{$project}->{branch}/) {
- push(@{$self->{updates}->{$project}}, $patchlet->{name});
- $patchlet->{info}->{depends} = [ @{$self->{updates}->{$project}} ];
- pop(@{$patchlet->{info}->{depends}});
- }
-
# print Dumper $patchlet;
print '.';
return $patchlet;
@@ -970,16 +945,6 @@
my $pomdir = $self->{POM}->{PATH};
my($patchdir, $patch, @patchlets);
- $patchdir = "$pomdir/updates";
- opendir(INDIR, $patchdir)
- or croak "Unable to open $patchdir: $!";
- @patchlets = sort grep(/\.patch$/, readdir(INDIR));
- closedir(INDIR);
- foreach $patch (@patchlets) {
- $self->{patchlets}->{$patch} =
- $self->parse_update("$patchdir/$patch");
- }
-
$patchdir = $pomdir;
opendir(INDIR, $patchdir)
or croak "Unable to open $patchdir: $!";
@@ -1052,11 +1017,6 @@
$self->{flags}->{$_}++;
}
- # Load updates for global version checking
- opendir(INDIR, "$paths->{POM}/updates")
- or croak "Unable to open $paths->{POM}/updates: $!";
- my @updates = grep(/\.patch$/, sort readdir(INDIR));
- closedir(INDIR);
# Load config file
open(CONF, "$paths->{POM}/config")
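Review bot: The `open(CONF, "$paths->{POM}/config")` that now directly follows the flags loop is a two-argument open of an interpolated path on a bareword handle, so a POM path beginning with `<`, `>` or `|` (or ending in `|`) is parsed as a mode or pipe instead of a filename. `$paths` appears to be supplied by the caller of this constructor, so the three-argument form with a lexical handle is the safer shape: `open(my $conf, '<', "$paths->{POM}/config")`. The `opendir(INDIR, ...)` calls elsewhere in this file follow the same bareword pattern, so this is a file-wide style point rather than something this commit introduced; the open statement and whatever error handling follows it continue past the end of the hunk.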
@@ -1084,17 +1044,6 @@
}
croak "Your $proj version $self->{projects}->{$proj}->{VERSION} is unknown for patch-o-matic"
unless $self->{projects}->{$proj}->{branch};
- my(@oldest) = map { /^\d+_${proj}-([\d\.]+)\.patch$/ ? $_ = $1 : () } @updates;
- # Make sure we can handle update versions
- check_versions @oldest;
- # Real ordering according to the versions
- @oldest = sort oldest_version @oldest;
- ($oldest) = grep($_ =~ /$self->{projects}->{$proj}->{branch}/, @oldest);
- # Correct version number
- $oldest =~ s/(\d+)$/$1-1/e;
- if (!($oldest && $self->version_compare($proj, '>=', $oldest))) {
- croak "Your $proj version $self->{projects}->{$proj}->{VERSION} is too old and not supported";
- }
}
$self->{applied} = [];
return $self;
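Review bot: With the `@oldest` block removed, nothing on the new side rejects a project version older than the first release pom-ng supported; the only guard left is the `croak "... is unknown for patch-o-matic"` on the branch regexp, which accepts any version whose number happens to match a configured branch. If the minimum-version requirement is intended to move elsewhere, the loop should say so, e.g. `# NOTE: minimum supported version is no longer enforced here; only the branch regexp from config is checked`; otherwise a `$self->version_compare($proj, '>=', $min)` against a per-project minimum read from the config file would restore the check using the helper that is still in place. The enclosing constructor and the per-project loop both start before this hunk, so I cannot see whether a replacement check exists earlier.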
Modified: trunk/patch-o-matic-ng/README
===================================================================
--- trunk/patch-o-matic-ng/README 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/README 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,9 +1,9 @@
README:
- This is the patch-o-matic distribution by the netfilter project
+ This is the patch-o-matic-ng distribution by the netfilter project
(http://www.netfilter.org/)
As of iptables-1.2.7, patch-o-matic is distributed as a seperate
- package, available from ftp://ftp.netfilter.org/pub/patch-o-matic.
+ package, available from ftp://ftp.netfilter.org/pub/patch-o-matic-ng.
================================================================
@@ -60,5 +60,5 @@
Please direct any usage questions to the netfilter mailinglist:
-netfilter at lists.netfilter.org.
+ netfilter at lists.netfilter.org
Deleted: trunk/patch-o-matic-ng/README.updates
===================================================================
--- trunk/patch-o-matic-ng/README.updates 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/README.updates 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,50 +0,0 @@
-The updates directory in patch-o-matic-ng
-
-The updates directory plays the role of the 'submitted'
-category of the patches from the former patch-o-matic,
-from updates and bugfixes point of view.
-
-We put patches (and only patches) in updates, which are
-
-- full updates between kernel releases
-- bugfixes and hotfixes, which must be pushed into the
- actual kernel releases as fast as possible.
-
-The patches in updates follows the naming convention
-
- x_project-n.m.l[-foo].patch
-
-where the components mean:
-
- x serial number among the patches
- project project name like 'linux', 'iptables'
- n.m.l project release for which the patch
- is valid
- foo arbitrary text for bugfix patches
-
-Please note, name convention for incremental patches
-follow the natural one: the incremental patch
-01_linux-2.4.3.patch is against the kernel tree of
-2.4.2, while the update patch 02_linux-2.4.3-foo.patch
-is against 2.4.3. (Therefore incremental patch versions
-are automatically decremented by one internally in
-Netfilter_POM.pm.)
-
-The version number of the patch with the lowest serial
-number gives the oldest release of the project which
-is supported by pom-ng. Patches in the same branch of
-a project are implicitly dependent, i.e. if we have
-
- 01_linux-2.4.3.patch
- 02_linux-2.4.4.patch
- 03_linux-2.4.4-foo.patch
- 04_linux-2.4.4-bar.patch
-
-in the 2.4 branch of linux, then patch
-04_linux-2.4.4-bar.patch can be applied only when all
-previous *linux-2.4* patches were applied in order.
-
-Project branches are defined in the config file with
-Perl regexp patterns:
-
-Branch: project id qr/<regexp>/
Deleted: trunk/patch-o-matic-ng/TODO
===================================================================
--- trunk/patch-o-matic-ng/TODO 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/TODO 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,13 +0,0 @@
-x convert ipv6 patches
-x merge 'help' and 'configure.help' into one source file that would
- automatically generate Configure.help for 2.4/2.6 on demand
-x add Kconfig files (generate from Config.in)
-x convert old dependencies
-x implement recursive dependency resolving
-x don't print directly from Netfilter_POM, let frontend do the printing
-- make $plets a global Netfilter_POM variable and use perlOO interface
- ($plets gets passed automatically as first argument)
-- add loop check to recursive functions dependencies_fulfilled() and
- apply_dependencies()
-x check if is pptp patch is really the current one from pom-old
-x update webpage generation scripts
Deleted: trunk/patch-o-matic-ng/convert2pomng.sh
===================================================================
--- trunk/patch-o-matic-ng/convert2pomng.sh 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/convert2pomng.sh 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,67 +0,0 @@
-#!/bin/bash
-
-CVS=echo
-#CVS=`which cvs`
-
-REPOSITORY=$1
-NAME=$2
-NEWNAME=$3
-
-PREFIX=patch-o-matic/$REPOSITORY/$NAME.patch
-DESTDIR=patch-o-matic-ng/$NEWNAME
-
-mkdir $DESTDIR
-$CVS add $DESTDIR
-
-# strip Author and Version from help file
-cat $PREFIX.help | egrep -v Author:\|Status: > $DESTDIR/help
-$CVS add $DESTDIR/help
-
-# generate info
-cat $PREFIX.help | grep Author: > $DESTDIR/info
-cat $PREFIX.help | grep Status: >> $DESTDIR/info
-echo Repository: $REPOSITORY >> $DESTDIR/info
-$CVS add $DESTDIR/info
-
-# ugly trick, don't know if we need all diectories yet. but we try
-# to rmdir them later, which fails in case they are not empty anymore
-TRYDIRS="linux/net/ipv4/netfilter linux/include/linux/netfilter_ipv4 linux/net/ipv6/netfilter linux/include/linux/netfilter_ipv6"
-for d in $TRYDIRS; do
- mkdir -p $DESTDIR/$d
-done
-
-for f in $PREFIX.makefile*; do
- postfix=$(echo "${f##$PREFIX.makefile}" | sed -e s/-/_/)
- newfile=$DESTDIR/linux/net/ipv4/netfilter/Makefile.ladd$postfix
- cp $f $newfile
-done
-
-for f in $PREFIX.config.in*; do
- postfix=$(echo "${f##$PREFIX.config.in}" | sed -e s/-/_/)
- newfile=$DESTDIR/linux/net/ipv4/netfilter/Config.in.ladd$postfix
- cp $f $newfile
-done
-
-for f in $PREFIX.ip_conntrack.h*; do
- postfix=$(echo "${f##$PREFIX.ip_conntrack.h}" | sed -e s/-/_/)
- newfile=$DESTDIR/linux/include/linux/netfilter_ipv4/ip_conntrack.h.ladd$postfix
- cp $f $newfile
-done
-
-for d in $TRYDIRS; do
- rmdir -p $DESTDIR/$d
-done
-
-cp $PREFIX $DESTDIR/linux.patch
-patch -d $DESTDIR/linux -p1 -i ../linux.patch -r /dev/null -b
-find $DESTDIR/linux -name \*.orig -exec rm -f \{\} \;
-
-# add to CVS
-NEWFILES=`find $DESTDIR/linux \! -path \*CVS\*`
-for f in $NEWFILES; do
- $CVS add $f
-done
-
-# we need to deal with patch and configure.help manually
-cp $PREFIX.configure.help $DESTDIR/configure.help
-
Deleted: trunk/patch-o-matic-ng/ctstat/help
===================================================================
--- trunk/patch-o-matic-ng/ctstat/help 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/ctstat/help 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,17 +0,0 @@
-
-This adds some statistics to ip_conntrack.
-It's a total ripoff of rtstat by Robert Olsson.
-
-The statistics-counters are per cpu.
-
-You need the ctstat utility which you can find here:
-http://people.netfilter.org/~gandalf/ctstat/ctstat.c
-
-Normal vmstat-like one line per second output:
-
-ctstat -i 1
-
-Help:
-
-ctstat -h
-
Deleted: trunk/patch-o-matic-ng/ctstat/info
===================================================================
--- trunk/patch-o-matic-ng/ctstat/info 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/ctstat/info 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,4 +0,0 @@
-Author: Martin Josefsson <gandalf at wlug.westbo.se>
-Status: Works when the planets align into the shape of tux, and only then
-Repository: pending
-Depends: conntrack-seqfile, expect-slab-cache, module_parm
Deleted: trunk/patch-o-matic-ng/ctstat/linux-2.4.patch
===================================================================
--- trunk/patch-o-matic-ng/ctstat/linux-2.4.patch 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/ctstat/linux-2.4.patch 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,261 +0,0 @@
-Binary files linux-2.4.22.raw/net/ipv4/netfilter/.ip_conntrack_standalone.c.rej.swp and linux-2.4.22/net/ipv4/netfilter/.ip_conntrack_standalone.c.rej.swp differ
-diff -x '*.orig' -x '*.rej' -urNp linux-2.4.22.raw/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.22/net/ipv4/netfilter/ip_conntrack_core.c
---- linux-2.4.22.raw/net/ipv4/netfilter/ip_conntrack_core.c 2003-11-15 22:29:29.000000000 +0100
-+++ linux-2.4.22/net/ipv4/netfilter/ip_conntrack_core.c 2003-11-15 22:30:32.000000000 +0100
-@@ -61,11 +61,13 @@ LIST_HEAD(protocol_list);
- static LIST_HEAD(helpers);
- unsigned int ip_conntrack_htable_size = 0;
- int ip_conntrack_max = 0;
--static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
-+atomic_t ip_conntrack_count = ATOMIC_INIT(0);
- struct list_head *ip_conntrack_hash;
- static kmem_cache_t *ip_conntrack_cachep;
- struct ip_conntrack ip_conntrack_untracked;
-
-+struct ip_conntrack_stat ip_conntrack_stat[NR_CPUS];
-+
- extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
-
- static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr,
-@@ -180,6 +182,7 @@ destroy_expect(struct ip_conntrack_expec
- IP_NF_ASSERT(!timer_pending(&exp->timeout));
-
- kfree(exp);
-+ ip_conntrack_stat[smp_processor_id()].expect_delete++;
- }
-
-
-@@ -348,12 +351,15 @@ destroy_conntrack(struct nf_conntrack *n
- DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
- kmem_cache_free(ip_conntrack_cachep, ct);
- atomic_dec(&ip_conntrack_count);
-+ ip_conntrack_stat[smp_processor_id()].delete++;
- }
-
- static void death_by_timeout(unsigned long ul_conntrack)
- {
- struct ip_conntrack *ct = (void *)ul_conntrack;
-
-+ ip_conntrack_stat[smp_processor_id()].delete_list++;
-+
- WRITE_LOCK(&ip_conntrack_lock);
- clean_from_lists(ct);
- WRITE_UNLOCK(&ip_conntrack_lock);
-@@ -376,13 +382,18 @@ __ip_conntrack_find(const struct ip_conn
- {
- struct ip_conntrack_tuple_hash *h;
- unsigned int hash = hash_conntrack(tuple);
-+ unsigned int cpu = smp_processor_id();
-
- MUST_BE_READ_LOCKED(&ip_conntrack_lock);
-- h = LIST_FIND(&ip_conntrack_hash[hash],
-- conntrack_tuple_cmp,
-- struct ip_conntrack_tuple_hash *,
-- tuple, ignored_conntrack);
-- return h;
-+ list_for_each_entry(h, &ip_conntrack_hash[hash], list) {
-+ if (conntrack_tuple_cmp(h, tuple, ignored_conntrack)) {
-+ ip_conntrack_stat[cpu].found++;
-+ return h;
-+ }
-+ ip_conntrack_stat[cpu].searched++;
-+ }
-+
-+ return NULL;
- }
-
- /* Find a connection corresponding to a tuple. */
-@@ -476,10 +487,12 @@ __ip_conntrack_confirm(struct nf_ct_info
- atomic_inc(&ct->ct_general.use);
- set_bit(IPS_CONFIRMED_BIT, &ct->status);
- WRITE_UNLOCK(&ip_conntrack_lock);
-+ ip_conntrack_stat[smp_processor_id()].insert++;
- return NF_ACCEPT;
- }
-
- WRITE_UNLOCK(&ip_conntrack_lock);
-+ ip_conntrack_stat[smp_processor_id()].insert_failed++;
- return NF_DROP;
- }
-
-@@ -614,6 +627,7 @@ static int early_drop(struct list_head *
- if (del_timer(&h->ctrack->timeout)) {
- death_by_timeout((unsigned long)h->ctrack);
- dropped = 1;
-+ ip_conntrack_stat[smp_processor_id()].early_drop++;
- }
- ip_conntrack_put(h->ctrack);
- return dropped;
-@@ -738,12 +752,16 @@ init_conntrack(const struct ip_conntrack
- LIST_DELETE(&ip_conntrack_expect_list, expected);
- expected->expectant->expecting--;
- nf_conntrack_get(&master_ct(conntrack)->infos[0]);
-- }
-+ ip_conntrack_stat[smp_processor_id()].expect_new++;
-+ } else
-+ ip_conntrack_stat[smp_processor_id()].new++;
-+
- atomic_inc(&ip_conntrack_count);
- WRITE_UNLOCK(&ip_conntrack_lock);
-
- if (expected && expected->expectfn)
- expected->expectfn(conntrack);
-+
- return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
- }
-
-@@ -840,29 +858,38 @@ unsigned int ip_conntrack_in(unsigned in
- #endif
-
- /* Previously seen (loopback or untracked)? Ignore. */
-- if ((*pskb)->nfct)
-+ if ((*pskb)->nfct) {
-+ ip_conntrack_stat[smp_processor_id()].ignore++;
- return NF_ACCEPT;
-+ }
-
- proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
-
- /* It may be an icmp error... */
- if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
-- && icmp_error_track(*pskb, &ctinfo, hooknum))
-+ && icmp_error_track(*pskb, &ctinfo, hooknum)) {
-+ ip_conntrack_stat[smp_processor_id()].icmp_error++;
- return NF_ACCEPT;
-+ }
-
-- if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo)))
-+ if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
- /* Not valid part of a connection */
-+ ip_conntrack_stat[smp_processor_id()].invalid++;
- return NF_ACCEPT;
-+ }
-
-- if (IS_ERR(ct))
-+ if (IS_ERR(ct)) {
- /* Too stressed to deal. */
-+ ip_conntrack_stat[smp_processor_id()].drop++;
- return NF_DROP;
-+ }
-
- IP_NF_ASSERT((*pskb)->nfct);
-
- ret = proto->packet(ct, (*pskb)->nh.iph, (*pskb)->len, ctinfo);
- if (ret == -1) {
- /* Invalid */
-+ ip_conntrack_stat[smp_processor_id()].invalid++;
- nf_conntrack_put((*pskb)->nfct);
- (*pskb)->nfct = NULL;
- return NF_ACCEPT;
-@@ -873,6 +900,7 @@ unsigned int ip_conntrack_in(unsigned in
- ct, ctinfo);
- if (ret == -1) {
- /* Invalid */
-+ ip_conntrack_stat[smp_processor_id()].invalid++;
- nf_conntrack_put((*pskb)->nfct);
- (*pskb)->nfct = NULL;
- return NF_ACCEPT;
-@@ -1056,6 +1084,8 @@ int ip_conntrack_expect_related(struct i
-
- WRITE_UNLOCK(&ip_conntrack_lock);
-
-+ ip_conntrack_stat[smp_processor_id()].expect_create++;
-+
- return ret;
- }
-
-diff -x '*.orig' -x '*.rej' -urNp linux-2.4.22.raw/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.22/net/ipv4/netfilter/ip_conntrack_standalone.c
---- linux-2.4.22.raw/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-11-15 22:29:29.000000000 +0100
-+++ linux-2.4.22/net/ipv4/netfilter/ip_conntrack_standalone.c 2003-11-15 22:32:33.000000000 +0100
-@@ -40,6 +40,9 @@
- struct module *ip_conntrack_module = THIS_MODULE;
- MODULE_LICENSE("GPL");
-
-+extern atomic_t ip_conntrack_count;
-+extern struct ip_conntrack_stat ip_conntrack_stat[NR_CPUS];
-+
- static int kill_proto(const struct ip_conntrack *i, void *data)
- {
- return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
-@@ -180,6 +183,46 @@ list_conntracks(char *buffer, char **sta
- return len;
- }
-
-+static int ip_conntrack_get_stat(char *buffer, char **start, off_t offset, int length)
-+{
-+ unsigned int nr_conntracks = atomic_read(&ip_conntrack_count);
-+ int i, lcpu;
-+ int len = 0;
-+
-+ for (lcpu = 0; lcpu < smp_num_cpus; lcpu++) {
-+ i = cpu_logical_map(lcpu);
-+
-+ len += sprintf(buffer+len, "%08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x \n",
-+ nr_conntracks,
-+ ip_conntrack_stat[i].searched,
-+ ip_conntrack_stat[i].found,
-+ ip_conntrack_stat[i].new,
-+ ip_conntrack_stat[i].invalid,
-+ ip_conntrack_stat[i].ignore,
-+ ip_conntrack_stat[i].delete,
-+ ip_conntrack_stat[i].delete_list,
-+ ip_conntrack_stat[i].insert,
-+ ip_conntrack_stat[i].insert_failed,
-+ ip_conntrack_stat[i].drop,
-+ ip_conntrack_stat[i].early_drop,
-+ ip_conntrack_stat[i].icmp_error,
-+
-+ ip_conntrack_stat[i].expect_new,
-+ ip_conntrack_stat[i].expect_create,
-+ ip_conntrack_stat[i].expect_delete
-+ );
-+ }
-+ len -= offset;
-+
-+ if (len > length)
-+ len = length;
-+ if (len < 0)
-+ len = 0;
-+
-+ *start = buffer + offset;
-+ return len;
-+}
-+
- static unsigned int ip_confirm(unsigned int hooknum,
- struct sk_buff **pskb,
- const struct net_device *in,
-@@ -363,7 +406,7 @@ static ctl_table ip_ct_net_table[] = {
- #endif
- static int init_or_cleanup(int init)
- {
-- struct proc_dir_entry *proc;
-+ struct proc_dir_entry *proc, *procstat;
- int ret = 0;
-
- if (!init) goto cleanup;
-@@ -376,10 +419,15 @@ static int init_or_cleanup(int init)
- if (!proc) goto cleanup_init;
- proc->owner = THIS_MODULE;
-
-+ procstat = proc_net_create("ip_conntrack_stat", 0, ip_conntrack_get_stat);
-+ if (!procstat)
-+ goto cleanup_proc;
-+ procstat->owner = THIS_MODULE;
-+
- ret = nf_register_hook(&ip_conntrack_defrag_ops);
- if (ret < 0) {
- printk("ip_conntrack: can't register pre-routing defrag hook.\n");
-- goto cleanup_proc;
-+ goto cleanup_procstat;
- }
- ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
- if (ret < 0) {
-@@ -431,6 +479,8 @@ static int init_or_cleanup(int init)
- nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
- cleanup_defragops:
- nf_unregister_hook(&ip_conntrack_defrag_ops);
-+ cleanup_procstat:
-+ proc_net_remove("ip_conntrack_stat");
- cleanup_proc:
- proc_net_remove("ip_conntrack");
- cleanup_init:
Deleted: trunk/patch-o-matic-ng/ctstat/linux-2.6.patch
===================================================================
--- trunk/patch-o-matic-ng/ctstat/linux-2.6.patch 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/ctstat/linux-2.6.patch 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,324 +0,0 @@
-diff -Nru --exclude-from /space/home/laforge/scripts/dontdiff --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.8-rc2-nfpending-seqfile/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.8-rc2-nfpending-ctstat/net/ipv4/netfilter/ip_conntrack_core.c
---- linux-2.6.8-rc2-nfpending-seqfile/net/ipv4/netfilter/ip_conntrack_core.c 2004-07-22 14:06:34.131506000 -0400
-+++ linux-2.6.8-rc2-nfpending-ctstat/net/ipv4/netfilter/ip_conntrack_core.c 2004-07-22 14:54:52.912824936 -0400
-@@ -35,6 +35,7 @@
- #include <linux/random.h>
- #include <linux/jhash.h>
- #include <linux/err.h>
-+#include <linux/percpu.h>
- #include <linux/moduleparam.h>
-
- /* This rwlock protects the main hash table, protocol/helper/expected
-@@ -58,7 +59,7 @@
-
- DECLARE_RWLOCK(ip_conntrack_lock);
- DECLARE_RWLOCK(ip_conntrack_expect_tuple_lock);
--static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
-+atomic_t ip_conntrack_count = ATOMIC_INIT(0);
-
- void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack) = NULL;
- LIST_HEAD(ip_conntrack_expect_list);
-@@ -71,6 +72,8 @@
- static kmem_cache_t *ip_conntrack_expect_cachep;
- struct ip_conntrack ip_conntrack_untracked;
-
-+DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
-+
- extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
-
- static inline int proto_cmpfn(const struct ip_conntrack_protocol *curr,
-@@ -179,6 +182,7 @@
- IP_NF_ASSERT(!timer_pending(&exp->timeout));
-
- kmem_cache_free(ip_conntrack_expect_cachep, exp);
-+ __get_cpu_var(ip_conntrack_stat).expect_delete++;
- }
-
- inline void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
-@@ -347,12 +351,15 @@
- DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
- kmem_cache_free(ip_conntrack_cachep, ct);
- atomic_dec(&ip_conntrack_count);
-+ __get_cpu_var(ip_conntrack_stat).delete++;
- }
-
- static void death_by_timeout(unsigned long ul_conntrack)
- {
- struct ip_conntrack *ct = (void *)ul_conntrack;
-
-+ __get_cpu_var(ip_conntrack_stat).delete_list++;
-+
- WRITE_LOCK(&ip_conntrack_lock);
- clean_from_lists(ct);
- WRITE_UNLOCK(&ip_conntrack_lock);
-@@ -375,13 +382,19 @@
- {
- struct ip_conntrack_tuple_hash *h;
- unsigned int hash = hash_conntrack(tuple);
-+ /* use per_cpu() to avoid multiple calls to smp_processor_id() */
-+ unsigned int cpu = smp_processor_id();
-
- MUST_BE_READ_LOCKED(&ip_conntrack_lock);
-- h = LIST_FIND(&ip_conntrack_hash[hash],
-- conntrack_tuple_cmp,
-- struct ip_conntrack_tuple_hash *,
-- tuple, ignored_conntrack);
-- return h;
-+ list_for_each_entry(h, &ip_conntrack_hash[hash], list) {
-+ if (conntrack_tuple_cmp(h, tuple, ignored_conntrack)) {
-+ per_cpu(ip_conntrack_stat, cpu).found++;
-+ return h;
-+ }
-+ per_cpu(ip_conntrack_stat, cpu).searched++;
-+ }
-+
-+ return NULL;
- }
-
- /* Find a connection corresponding to a tuple. */
-@@ -475,10 +488,12 @@
- atomic_inc(&ct->ct_general.use);
- set_bit(IPS_CONFIRMED_BIT, &ct->status);
- WRITE_UNLOCK(&ip_conntrack_lock);
-+ __get_cpu_var(ip_conntrack_stat).insert++;
- return NF_ACCEPT;
- }
-
- WRITE_UNLOCK(&ip_conntrack_lock);
-+ __get_cpu_var(ip_conntrack_stat).insert_failed++;
- return NF_DROP;
- }
-
-@@ -522,6 +537,7 @@
- if (del_timer(&h->ctrack->timeout)) {
- death_by_timeout((unsigned long)h->ctrack);
- dropped = 1;
-+ __get_cpu_var(ip_conntrack_stat).early_drop++;
- }
- ip_conntrack_put(h->ctrack);
- return dropped;
-@@ -644,11 +660,16 @@
-
- if (expected->expectfn)
- expected->expectfn(conntrack);
-+
-+ __get_cpu_var(ip_conntrack_stat).expect_new++;
-
- goto ret;
-- } else
-+ } else {
- conntrack->helper = ip_ct_find_helper(&repl_tuple);
-
-+ __get_cpu_var(ip_conntrack_stat).new++;
-+ }
-+
- end: atomic_inc(&ip_conntrack_count);
- WRITE_UNLOCK(&ip_conntrack_lock);
-
-@@ -749,8 +770,10 @@
- #endif
-
- /* Previously seen (loopback or untracked)? Ignore. */
-- if ((*pskb)->nfct)
-+ if ((*pskb)->nfct) {
-+ __get_cpu_var(ip_conntrack_stat).ignore++;
- return NF_ACCEPT;
-+ }
-
- proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
-
-@@ -758,16 +781,22 @@
- * inverse of the return code tells to the netfilter
- * core what to do with the packet. */
- if (proto->error != NULL
-- && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0)
-+ && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
-+ __get_cpu_var(ip_conntrack_stat).icmp_error++;
- return -ret;
-+ }
-
-- if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo)))
-+ if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
- /* Not valid part of a connection */
-+ __get_cpu_var(ip_conntrack_stat).invalid++;
- return NF_ACCEPT;
-+ }
-
-- if (IS_ERR(ct))
-+ if (IS_ERR(ct)) {
- /* Too stressed to deal. */
-+ __get_cpu_var(ip_conntrack_stat).drop++;
- return NF_DROP;
-+ }
-
- IP_NF_ASSERT((*pskb)->nfct);
-
-@@ -776,6 +805,7 @@
- /* Invalid */
- nf_conntrack_put((*pskb)->nfct);
- (*pskb)->nfct = NULL;
-+ __get_cpu_var(ip_conntrack_stat).invalid++;
- return NF_ACCEPT;
- }
-
-@@ -783,6 +813,7 @@
- ret = ct->helper->help(*pskb, ct, ctinfo);
- if (ret == -1) {
- /* Invalid */
-+ __get_cpu_var(ip_conntrack_stat).invalid++;
- nf_conntrack_put((*pskb)->nfct);
- (*pskb)->nfct = NULL;
- return NF_ACCEPT;
-@@ -986,6 +1017,8 @@
-
- WRITE_UNLOCK(&ip_conntrack_lock);
-
-+ __get_cpu_var(ip_conntrack_stat).expect_create++;
-+
- return ret;
- }
-
-diff -Nru --exclude-from /space/home/laforge/scripts/dontdiff --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.8-rc2-nfpending-seqfile/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.8-rc2-nfpending-ctstat/net/ipv4/netfilter/ip_conntrack_standalone.c
---- linux-2.6.8-rc2-nfpending-seqfile/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-07-22 14:30:44.548009856 -0400
-+++ linux-2.6.8-rc2-nfpending-ctstat/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-07-22 15:04:33.545555344 -0400
-@@ -21,6 +21,7 @@
- #include <linux/skbuff.h>
- #include <linux/proc_fs.h>
- #include <linux/seq_file.h>
-+#include <linux/percpu.h>
- #ifdef CONFIG_SYSCTL
- #include <linux/sysctl.h>
- #endif
-@@ -44,6 +45,9 @@
-
- MODULE_LICENSE("GPL");
-
-+extern atomic_t ip_conntrack_count;
-+DECLARE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
-+
- static int kill_proto(const struct ip_conntrack *i, void *data)
- {
- return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
-@@ -283,6 +287,86 @@
- .release = seq_release
- };
-
-+static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos)
-+{
-+ int cpu;
-+
-+ for (cpu = *pos; cpu < NR_CPUS; ++cpu) {
-+ if (!cpu_possible(cpu))
-+ continue;
-+ *pos = cpu;
-+ return &per_cpu(ip_conntrack_stat, cpu);
-+ }
-+
-+ return NULL;
-+}
-+
-+static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
-+{
-+ int cpu;
-+
-+ for (cpu = *pos + 1; cpu < NR_CPUS; ++cpu) {
-+ if (!cpu_possible(cpu))
-+ continue;
-+ *pos = cpu;
-+ return &per_cpu(ip_conntrack_stat, cpu);
-+ }
-+
-+ return NULL;
-+}
-+
-+static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
-+{
-+}
-+
-+static int ct_cpu_seq_show(struct seq_file *seq, void *v)
-+{
-+ unsigned int nr_conntracks = atomic_read(&ip_conntrack_count);
-+ struct ip_conntrack_stat *st = v;
-+
-+ seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
-+ "%08x %08x %08x %08x %08x %08x %08x %08x \n",
-+ nr_conntracks,
-+ st->searched,
-+ st->found,
-+ st->new,
-+ st->invalid,
-+ st->ignore,
-+ st->delete,
-+ st->delete_list,
-+ st->insert,
-+ st->insert_failed,
-+ st->drop,
-+ st->early_drop,
-+ st->icmp_error,
-+
-+ st->expect_new,
-+ st->expect_create,
-+ st->expect_delete
-+ );
-+ return 0;
-+}
-+
-+static struct seq_operations ct_cpu_seq_ops = {
-+ .start = ct_cpu_seq_start,
-+ .next = ct_cpu_seq_next,
-+ .stop = ct_cpu_seq_stop,
-+ .show = ct_cpu_seq_show,
-+};
-+
-+static int ct_cpu_seq_open(struct inode *inode, struct file *file)
-+{
-+ return seq_open(file, &ct_cpu_seq_ops);
-+}
-+
-+static struct file_operations ct_cpu_seq_fops = {
-+ .owner = THIS_MODULE,
-+ .open = ct_cpu_seq_open,
-+ .read = seq_read,
-+ .llseek = seq_lseek,
-+ .release = seq_release_private,
-+};
-+
- static unsigned int ip_confirm(unsigned int hooknum,
- struct sk_buff **pskb,
- const struct net_device *in,
-@@ -608,7 +692,7 @@
- #endif
- static int init_or_cleanup(int init)
- {
-- struct proc_dir_entry *proc, *proc_exp;
-+ struct proc_dir_entry *proc, *proc_exp, *proc_stat;
- int ret = 0;
-
- if (!init) goto cleanup;
-@@ -625,10 +709,16 @@
- if (!proc_exp) goto cleanup_proc;
- proc_exp->proc_fops = &exp_file_ops;
-
-+ proc_stat = proc_net_fops_create("ip_conntrack_stat", S_IRUGO,
-+ &ct_cpu_seq_fops);
-+ if (!proc_stat)
-+ goto cleanup_proc_exp;
-+ proc_stat->owner = THIS_MODULE;
-+
- ret = nf_register_hook(&ip_conntrack_defrag_ops);
- if (ret < 0) {
- printk("ip_conntrack: can't register pre-routing defrag hook.\n");
-- goto cleanup_proc_exp;
-+ goto cleanup_proc_stat;
- }
- ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
- if (ret < 0) {
-@@ -680,6 +770,8 @@
- nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
- cleanup_defragops:
- nf_unregister_hook(&ip_conntrack_defrag_ops);
-+ cleanup_proc_stat:
-+ proc_net_remove("ip_conntrack_stat");
- cleanup_proc_exp:
- proc_net_remove("ip_conntrack_exp");
- cleanup_proc:
Deleted: trunk/patch-o-matic-ng/pom26convert
===================================================================
--- trunk/patch-o-matic-ng/pom26convert 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/pom26convert 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,126 +0,0 @@
-#!/bin/bash
-#Copyright 2003 William Stearns <wstearns at pobox.com>
-#Released under the GPL
-#Many thanks to all the Netfilter team for their great work.
-#Version 0.1
-
-if [ -z "$1" ]; then
- echo 'Usage:'
- echo -e "\t$0 pompatch1.patch [pompatch2.patch]..."
- echo
- echo This converts the associated .config.in and
- echo .configure.help files over to pom patches for
- echo the 2.6 kernel\'s Kconfig files. The results
- echo may need a bit of manual tweaking.
- echo Assume this program will wipe out and replace any
- echo .patch.Kconfig files in the current directory.
- echo Exiting.
- exit 1
-fi
-
-debug () {
- :
- #echo "$*" >&2
-}
-
-DropFirstLine () {
- read ALine
- while read ALine ; do
- echo "$ALine"
- done
-}
-
-ParseCILine () {
- #echo Y${*}Y
- #The first object on the line is the option type.
- case "$1" in
- dep_tristate)
- Type="tristate"
- ;;
- tristate)
- Type="tristate"
- ;;
- bool)
- Type="bool"
- ;;
- *)
- echo "Unknown config.in line type: X${1}X"
- #echo Exiting
- #exit 1
- ;;
- esac
- shift
-
- #Now, we keep grabbing words until we get to CONFIG_ or $CONFIG_
- #(which are the option names and dependencies)
- DescString=''
- OptionName=''
- Depends=''
- while [ -n "$1" ]; do
- case "$1" in
- CONFIG_*|\$CONFIG_*)
- if [ -z "$OptionName" ]; then
- OptionName="`echo $1 | sed -e 's/^CONFIG_//' -e 's/^$CONFIG_//'`"
- else
- if [ -z "$Depends" ]; then
- Depends="`echo $1 | sed -e 's/^CONFIG_//' -e 's/^$CONFIG_//'`"
- else
- Depends="$Depends && `echo $1 | sed -e 's/^CONFIG_//' -e 's/^$CONFIG_//'`"
- fi
- fi
- ;;
- *)
- DescString="$DescString $1"
- ;;
- esac
- shift
- done
- #echo -e "Type $Type\tOptionName $OptionName\tDepends $Depends\tDesc $DescString"
-
- echo "config $OptionName"
- echo -e "\t$Type $DescString"
- if [ -n "$Depends" ]; then
- echo -e "\tdepends on $Depends"
- fi
-}
-
-
-for OnePatch in $* ; do
- if [ -f "$OnePatch.config.in" ]; then
- debug "$OnePatch has config.in, good"
-
- rm -f $OnePatch.Kconfig
-
- #Grab each of the tristate/bool lines from the 2.4 .config.in
- #files and convert them over to Kconfig blocks.
- for OneCI in $OnePatch.config.in* ; do
- if [ "`cat $OneCI | DropFirstLine | egrep '(^\W*if|^\W*fi|^\W*define_tristate|^\W*else|^\W*#)' | wc -l`" -gt 0 ]; then
- echo "Warning: $OneCI has other lines, please merge these by hand" >&2
- cat $OneCI | DropFirstLine | egrep '(^\W*if|^\W*fi|^\W*define_tristate|^\W*else|^\W*#)' | sed -e 's/^/ /' >&2
- fi
-
- cat $OneCI | \
- DropFirstLine | \
- grep -v '^\W*if ' | \
- grep -v '^\W*fi' | \
- grep -v '^\W*define_tristate' | \
- grep -v '^\W*else' | \
- sed -e 's/#.*//' | \
- grep -v '^\W*$' | \
- ( while read ALine ; do
- ParseCILine $ALine
- done ) >>$OnePatch.Kconfig
- done
-
- else
- if [ -f "$OnePatch.configure.help" ]; then
- echo "$OnePatch has no config.in, but it has a configure.help. What do I do? Skipping" >&2
- else
- debug "$OnePatch has no config.in or configure.help, skipping"
- fi
- fi
-done
-
-
-
-
Deleted: trunk/patch-o-matic-ng/raw/linux-2.6.patch
===================================================================
--- trunk/patch-o-matic-ng/raw/linux-2.6.patch 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/raw/linux-2.6.patch 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,264 +0,0 @@
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4/ip_conntrack.h
---- linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4/ip_conntrack.h 2004-01-09 08:00:03.000000000 +0100
-+++ linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4/ip_conntrack.h 2004-02-17 07:59:25.000000000 +0100
-@@ -251,6 +251,9 @@
- /* Call me when a conntrack is destroyed. */
- extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
-
-+/* Fake conntrack entry for untracked connections */
-+extern struct ip_conntrack ip_conntrack_untracked;
-+
- /* Returns new sk_buff, or NULL */
- struct sk_buff *
- ip_ct_gather_frags(struct sk_buff *skb);
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4/ipt_conntrack.h linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4/ipt_conntrack.h
---- linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4/ipt_conntrack.h 2004-01-09 07:59:55.000000000 +0100
-+++ linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4/ipt_conntrack.h 2004-02-17 07:59:25.000000000 +0100
-@@ -10,6 +10,7 @@
-
- #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
- #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
-+#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-
- /* flags, invflags: */
- #define IPT_CONNTRACK_STATE 0x01
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4/ipt_state.h linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4/ipt_state.h
---- linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4/ipt_state.h 2004-01-09 07:59:56.000000000 +0100
-+++ linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4/ipt_state.h 2004-02-17 07:59:25.000000000 +0100
-@@ -4,6 +4,8 @@
- #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
- #define IPT_STATE_INVALID (1 << 0)
-
-+#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
-+
- struct ipt_state_info
- {
- unsigned int statemask;
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4.h linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4.h
---- linux-2.6.2-rc2-nf-log/include/linux/netfilter_ipv4.h 2004-01-09 07:59:56.000000000 +0100
-+++ linux-2.6.2-rc2-raw/include/linux/netfilter_ipv4.h 2004-02-17 07:59:25.000000000 +0100
-@@ -51,6 +51,8 @@
-
- enum nf_ip_hook_priorities {
- NF_IP_PRI_FIRST = INT_MIN,
-+ NF_IP_PRI_CONNTRACK_DEFRAG = -400,
-+ NF_IP_PRI_RAW = -300,
- NF_IP_PRI_SELINUX_FIRST = -225,
- NF_IP_PRI_CONNTRACK = -200,
- NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.2-rc2-raw/net/ipv4/netfilter/ip_conntrack_core.c
---- linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ip_conntrack_core.c 2004-01-09 07:59:02.000000000 +0100
-+++ linux-2.6.2-rc2-raw/net/ipv4/netfilter/ip_conntrack_core.c 2004-02-17 07:59:25.000000000 +0100
-@@ -63,6 +63,7 @@
- static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
- struct list_head *ip_conntrack_hash;
- static kmem_cache_t *ip_conntrack_cachep;
-+struct ip_conntrack ip_conntrack_untracked;
-
- extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
-
-@@ -790,6 +791,15 @@
- int set_reply;
- int ret;
-
-+ /* Never happen */
-+ if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
-+ if (net_ratelimit()) {
-+ printk(KERN_ERR "ip_conntrack_in: Frag of proto %u (hook=%u)\n",
-+ (*pskb)->nh.iph->protocol, hooknum);
-+ }
-+ return NF_DROP;
-+ }
-+
- /* FIXME: Do this right please. --RR */
- (*pskb)->nfcache |= NFC_UNKNOWN;
-
-@@ -808,18 +818,10 @@
- }
- #endif
-
-- /* Previously seen (loopback)? Ignore. Do this before
-- fragment check. */
-+ /* Previously seen (loopback or untracked)? Ignore. */
- if ((*pskb)->nfct)
- return NF_ACCEPT;
-
-- /* Gather fragments. */
-- if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
-- *pskb = ip_ct_gather_frags(*pskb);
-- if (!*pskb)
-- return NF_STOLEN;
-- }
--
- proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
-
- /* It may be an icmp error... */
-@@ -1419,6 +1421,18 @@
-
- /* For use by ipt_REJECT */
- ip_ct_attach = ip_conntrack_attach;
-+
-+ /* Set up fake conntrack:
-+ - to never be deleted, not in any hashes */
-+ atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
-+ /* - and look it like as a confirmed connection */
-+ set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
-+ /* - and prepare the ctinfo field for REJECT & NAT. */
-+ ip_conntrack_untracked.infos[IP_CT_NEW].master =
-+ ip_conntrack_untracked.infos[IP_CT_RELATED].master =
-+ ip_conntrack_untracked.infos[IP_CT_RELATED + IP_CT_IS_REPLY].master =
-+ &ip_conntrack_untracked.ct_general;
-+
- return ret;
-
- err_free_hash:
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.2-rc2-raw/net/ipv4/netfilter/ip_conntrack_standalone.c
---- linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-01-09 07:59:27.000000000 +0100
-+++ linux-2.6.2-rc2-raw/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-02-17 07:59:25.000000000 +0100
-@@ -186,6 +186,26 @@
- return ip_conntrack_confirm(*pskb);
- }
-
-+static unsigned int ip_conntrack_defrag(unsigned int hooknum,
-+ struct sk_buff **pskb,
-+ const struct net_device *in,
-+ const struct net_device *out,
-+ int (*okfn)(struct sk_buff *))
-+{
-+ /* Previously seen (loopback)? Ignore. Do this before
-+ fragment check. */
-+ if ((*pskb)->nfct)
-+ return NF_ACCEPT;
-+
-+ /* Gather fragments. */
-+ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
-+ *pskb = ip_ct_gather_frags(*pskb);
-+ if (!*pskb)
-+ return NF_STOLEN;
-+ }
-+ return NF_ACCEPT;
-+}
-+
- static unsigned int ip_refrag(unsigned int hooknum,
- struct sk_buff **pskb,
- const struct net_device *in,
-@@ -228,6 +248,14 @@
-
- /* Connection tracking may drop packets, but never alters them, so
- make it the first hook. */
-+static struct nf_hook_ops ip_conntrack_defrag_ops = {
-+ .hook = ip_conntrack_defrag,
-+ .owner = THIS_MODULE,
-+ .pf = PF_INET,
-+ .hooknum = NF_IP_PRE_ROUTING,
-+ .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
-+};
-+
- static struct nf_hook_ops ip_conntrack_in_ops = {
- .hook = ip_conntrack_in,
- .owner = THIS_MODULE,
-@@ -236,6 +264,14 @@
- .priority = NF_IP_PRI_CONNTRACK,
- };
-
-+static struct nf_hook_ops ip_conntrack_defrag_local_out_ops = {
-+ .hook = ip_conntrack_defrag,
-+ .owner = THIS_MODULE,
-+ .pf = PF_INET,
-+ .hooknum = NF_IP_LOCAL_OUT,
-+ .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
-+};
-+
- static struct nf_hook_ops ip_conntrack_local_out_ops = {
- .hook = ip_conntrack_local,
- .owner = THIS_MODULE,
-@@ -368,10 +404,20 @@
- if (!proc) goto cleanup_init;
- proc->owner = THIS_MODULE;
-
-+ ret = nf_register_hook(&ip_conntrack_defrag_ops);
-+ if (ret < 0) {
-+ printk("ip_conntrack: can't register pre-routing defrag hook.\n");
-+ goto cleanup_proc;
-+ }
-+ ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
-+ if (ret < 0) {
-+ printk("ip_conntrack: can't register local_out defrag hook.\n");
-+ goto cleanup_defragops;
-+ }
- ret = nf_register_hook(&ip_conntrack_in_ops);
- if (ret < 0) {
- printk("ip_conntrack: can't register pre-routing hook.\n");
-- goto cleanup_proc;
-+ goto cleanup_defraglocalops;
- }
- ret = nf_register_hook(&ip_conntrack_local_out_ops);
- if (ret < 0) {
-@@ -409,6 +455,10 @@
- nf_unregister_hook(&ip_conntrack_local_out_ops);
- cleanup_inops:
- nf_unregister_hook(&ip_conntrack_in_ops);
-+ cleanup_defraglocalops:
-+ nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
-+ cleanup_defragops:
-+ nf_unregister_hook(&ip_conntrack_defrag_ops);
- cleanup_proc:
- proc_net_remove("ip_conntrack");
- cleanup_init:
-@@ -500,5 +550,6 @@
- EXPORT_SYMBOL(ip_conntrack_expect_list);
- EXPORT_SYMBOL(ip_conntrack_lock);
- EXPORT_SYMBOL(ip_conntrack_hash);
-+EXPORT_SYMBOL(ip_conntrack_untracked);
- EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
- EXPORT_SYMBOL_GPL(ip_conntrack_put);
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ip_nat_core.c linux-2.6.2-rc2-raw/net/ipv4/netfilter/ip_nat_core.c
---- linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ip_nat_core.c 2004-01-09 07:59:10.000000000 +0100
-+++ linux-2.6.2-rc2-raw/net/ipv4/netfilter/ip_nat_core.c 2004-02-17 07:59:25.000000000 +0100
-@@ -1010,6 +1010,10 @@
- /* FIXME: Man, this is a hack. <SIGH> */
- IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
- ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
-+
-+ /* Initialize fake conntrack so that NAT will skip it */
-+ ip_conntrack_untracked.nat.info.initialized |=
-+ (1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST);
-
- return 0;
- }
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ipt_conntrack.c linux-2.6.2-rc2-raw/net/ipv4/netfilter/ipt_conntrack.c
---- linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ipt_conntrack.c 2004-01-09 08:00:02.000000000 +0100
-+++ linux-2.6.2-rc2-raw/net/ipv4/netfilter/ipt_conntrack.c 2004-02-17 07:59:25.000000000 +0100
-@@ -29,11 +29,13 @@
-
- #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
-
-- if (ct)
-- statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
-- else
-- statebit = IPT_CONNTRACK_STATE_INVALID;
--
-+ if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
-+ statebit = IPT_CONNTRACK_STATE_UNTRACKED;
-+ else if (ct)
-+ statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
-+ else
-+ statebit = IPT_CONNTRACK_STATE_INVALID;
-+
- if(sinfo->flags & IPT_CONNTRACK_STATE) {
- if (ct) {
- if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip !=
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ipt_state.c linux-2.6.2-rc2-raw/net/ipv4/netfilter/ipt_state.c
---- linux-2.6.2-rc2-nf-log/net/ipv4/netfilter/ipt_state.c 2004-01-09 08:00:13.000000000 +0100
-+++ linux-2.6.2-rc2-raw/net/ipv4/netfilter/ipt_state.c 2004-02-17 07:59:25.000000000 +0100
-@@ -23,7 +23,9 @@
- enum ip_conntrack_info ctinfo;
- unsigned int statebit;
-
-- if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
-+ if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
-+ statebit = IPT_STATE_UNTRACKED;
-+ else if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
- statebit = IPT_STATE_INVALID;
- else
- statebit = IPT_STATE_BIT(ctinfo);
Deleted: trunk/patch-o-matic-ng/tcp-window-tracking/linux-2.6.patch
===================================================================
--- trunk/patch-o-matic-ng/tcp-window-tracking/linux-2.6.patch 2004-10-20 14:58:20 UTC (rev 3242)
+++ trunk/patch-o-matic-ng/tcp-window-tracking/linux-2.6.patch 2004-10-20 15:27:16 UTC (rev 3243)
@@ -1,1304 +0,0 @@
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.6-ct_error_api-udp/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.6-tcp-win2/include/linux/netfilter_ipv4/ip_conntrack.h
---- linux-2.6.6-ct_error_api-udp/include/linux/netfilter_ipv4/ip_conntrack.h 2004-06-18 07:48:03.000000000 +0200
-+++ linux-2.6.6-tcp-win2/include/linux/netfilter_ipv4/ip_conntrack.h 2004-06-18 08:02:09.000000000 +0200
-@@ -249,6 +249,11 @@
- unsigned long extra_jiffies);
-
- /* These are for NAT. Icky. */
-+/* Update TCP window tracking data when NAT mangles the packet */
-+extern int ip_conntrack_tcp_update(struct sk_buff *skb,
-+ struct ip_conntrack *conntrack,
-+ int dir);
-+
- /* Call me when a conntrack is destroyed. */
- extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
-
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.6-ct_error_api-udp/include/linux/netfilter_ipv4/ip_conntrack_tcp.h linux-2.6.6-tcp-win2/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
---- linux-2.6.6-ct_error_api-udp/include/linux/netfilter_ipv4/ip_conntrack_tcp.h 2004-05-10 04:32:28.000000000 +0200
-+++ linux-2.6.6-tcp-win2/include/linux/netfilter_ipv4/ip_conntrack_tcp.h 2004-06-18 08:02:49.000000000 +0200
-@@ -4,25 +4,44 @@
-
- enum tcp_conntrack {
- TCP_CONNTRACK_NONE,
-- TCP_CONNTRACK_ESTABLISHED,
- TCP_CONNTRACK_SYN_SENT,
- TCP_CONNTRACK_SYN_RECV,
-+ TCP_CONNTRACK_ESTABLISHED,
- TCP_CONNTRACK_FIN_WAIT,
-- TCP_CONNTRACK_TIME_WAIT,
-- TCP_CONNTRACK_CLOSE,
- TCP_CONNTRACK_CLOSE_WAIT,
- TCP_CONNTRACK_LAST_ACK,
-+ TCP_CONNTRACK_TIME_WAIT,
-+ TCP_CONNTRACK_CLOSE,
- TCP_CONNTRACK_LISTEN,
-- TCP_CONNTRACK_MAX
-+ TCP_CONNTRACK_MAX,
-+ TCP_CONNTRACK_IGNORE
-+};
-+
-+/* Window scaling is advertised by the sender */
-+#define IP_CT_TCP_STATE_FLAG_WINDOW_SCALE 0x01
-+
-+/* SACK is permitted by the sender */
-+#define IP_CT_TCP_FLAG_SACK_PERM 0x02
-+
-+struct ip_ct_tcp_state {
-+ u_int32_t td_end; /* max of seq + len */
-+ u_int32_t td_maxend; /* max of ack + max(win, 1) */
-+ u_int32_t td_maxwin; /* max(win) */
-+ u_int8_t td_scale; /* window scale factor */
-+ u_int8_t loose; /* used when connection picked up from the middle */
-+ u_int8_t flags; /* per direction state flags */
- };
-
- struct ip_ct_tcp
- {
-- enum tcp_conntrack state;
--
-- /* Poor man's window tracking: sequence number of valid ACK
-- handshake completion packet */
-- u_int32_t handshake_ack;
-+ struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
-+ u_int8_t state; /* state of the connection (enum tcp_conntrack) */
-+ /* For detecting stale connections */
-+ u_int8_t last_dir; /* Direction of the last packet (enum ip_conntrack_dir) */
-+ u_int8_t retrans; /* Number of retransmitted packets */
-+ u_int8_t last_index; /* Index of the last packet */
-+ u_int32_t last_seq; /* Last sequence number seen in dir */
-+ u_int32_t last_end; /* Last seq + len */
- };
-
- #endif /* _IP_CONNTRACK_TCP_H */
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.6-ct_error_api-udp/include/linux/sysctl.h linux-2.6.6-tcp-win2/include/linux/sysctl.h
---- linux-2.6.6-ct_error_api-udp/include/linux/sysctl.h 2004-06-18 15:01:33.000000000 +0200
-+++ linux-2.6.6-tcp-win2/include/linux/sysctl.h 2004-06-18 15:20:31.000000000 +0200
-@@ -407,6 +407,10 @@
- NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT=13,
- NET_IPV4_NF_CONNTRACK_BUCKETS=14,
- NET_IPV4_NF_CONNTRACK_LOG_INVALID=15,
-+ NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS=16,
-+ NET_IPV4_NF_CONNTRACK_TCP_LOOSE=17,
-+ NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL=18,
-+ NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS=19,
- };
-
- /* /proc/sys/net/ipv6 */
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.6-ct_error_api-udp/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.6-tcp-win2/net/ipv4/netfilter/ip_conntrack_core.c
---- linux-2.6.6-ct_error_api-udp/net/ipv4/netfilter/ip_conntrack_core.c 2004-06-18 07:27:57.000000000 +0200
-+++ linux-2.6.6-tcp-win2/net/ipv4/netfilter/ip_conntrack_core.c 2004-06-18 08:04:30.000000000 +0200
-@@ -771,11 +771,12 @@
- IP_NF_ASSERT((*pskb)->nfct);
-
- ret = proto->packet(ct, *pskb, ctinfo);
-- if (ret == -1) {
-- /* Invalid */
-+ if (ret < 0) {
-+ /* Invalid: inverse of the return code tells
-+ * to the netfilter core what to do. */
- nf_conntrack_put((*pskb)->nfct);
- (*pskb)->nfct = NULL;
-- return NF_ACCEPT;
-+ return -ret;
- }
-
- if (ret != NF_DROP && ct->helper) {
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.6-ct_error_api-udp/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-2.6.6-tcp-win2/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
---- linux-2.6.6-ct_error_api-udp/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-06-18 07:36:32.000000000 +0200
-+++ linux-2.6.6-tcp-win2/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2004-06-18 15:43:54.000000000 +0200
-@@ -4,8 +4,22 @@
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
-+ *
-+ * Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>:
-+ * - Real stateful connection tracking
-+ * - Modified state transitions table
-+ * - Window scaling support added
-+ * - SACK support added
-+ *
-+ * Willy Tarreau:
-+ * - State table bugfixes
-+ * - More robust state changes
-+ * - Tuning timer parameters
-+ *
-+ * version 2.2
- */
-
-+#include <linux/config.h>
- #include <linux/types.h>
- #include <linux/sched.h>
- #include <linux/timer.h>
-@@ -14,16 +28,18 @@
- #include <linux/in.h>
- #include <linux/ip.h>
- #include <linux/tcp.h>
--#include <linux/string.h>
-+#include <linux/spinlock.h>
-
- #include <net/tcp.h>
-
-+#include <linux/netfilter.h>
- #include <linux/netfilter_ipv4/ip_conntrack.h>
- #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
- #include <linux/netfilter_ipv4/lockhelp.h>
-
- #if 0
- #define DEBUGP printk
-+#define DEBUGP_VARS
- #else
- #define DEBUGP(format, args...)
- #endif
-@@ -31,90 +47,251 @@
- /* Protects conntrack->proto.tcp */
- static DECLARE_RWLOCK(tcp_lock);
-
-+/* "Be conservative in what you do,
-+ be liberal in what you accept from others."
-+ If it's non-zero, we mark only out of window RST segments as INVALID. */
-+int ip_ct_tcp_be_liberal = 0;
-+
-+/* When connection is picked up from the middle, how many packets are required
-+ to pass in each direction when we assume we are in sync - if any side uses
-+ window scaling, we lost the game.
-+ If it is set to zero, we disable picking up already established
-+ connections. */
-+int ip_ct_tcp_loose = 3;
-+
-+/* Max number of the retransmitted packets without receiving an (acceptable)
-+ ACK from the destination. If this number is reached, a shorter timer
-+ will be started. */
-+int ip_ct_tcp_max_retrans = 3;
-+
- /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
- closely. They're more complex. --RR */
-
--/* Actually, I believe that neither ipmasq (where this code is stolen
-- from) nor ipfilter do it exactly right. A new conntrack machine taking
-- into account packet loss (which creates uncertainty as to exactly
-- the conntrack of the connection) is required. RSN. --RR */
--
- static const char *tcp_conntrack_names[] = {
- "NONE",
-- "ESTABLISHED",
- "SYN_SENT",
- "SYN_RECV",
-+ "ESTABLISHED",
- "FIN_WAIT",
-- "TIME_WAIT",
-- "CLOSE",
- "CLOSE_WAIT",
- "LAST_ACK",
-+ "TIME_WAIT",
-+ "CLOSE",
- "LISTEN"
- };
-
--#define SECS *HZ
-+#define SECS * HZ
- #define MINS * 60 SECS
- #define HOURS * 60 MINS
- #define DAYS * 24 HOURS
-
--unsigned long ip_ct_tcp_timeout_syn_sent = 2 MINS;
--unsigned long ip_ct_tcp_timeout_syn_recv = 60 SECS;
--unsigned long ip_ct_tcp_timeout_established = 5 DAYS;
--unsigned long ip_ct_tcp_timeout_fin_wait = 2 MINS;
--unsigned long ip_ct_tcp_timeout_close_wait = 60 SECS;
--unsigned long ip_ct_tcp_timeout_last_ack = 30 SECS;
--unsigned long ip_ct_tcp_timeout_time_wait = 2 MINS;
--unsigned long ip_ct_tcp_timeout_close = 10 SECS;
-+unsigned long ip_ct_tcp_timeout_syn_sent = 2 MINS;
-+unsigned long ip_ct_tcp_timeout_syn_recv = 60 SECS;
-+unsigned long ip_ct_tcp_timeout_established = 5 DAYS;
-+unsigned long ip_ct_tcp_timeout_fin_wait = 2 MINS;
-+unsigned long ip_ct_tcp_timeout_close_wait = 10 MINS;
-+unsigned long ip_ct_tcp_timeout_last_ack = 90 SECS;
-+unsigned long ip_ct_tcp_timeout_time_wait = 2 MINS;
-+unsigned long ip_ct_tcp_timeout_close = 90 SECS;
-+
-+/* RFC1122 says the R2 limit should be at least 100 seconds.
-+ Linux uses 15 packets as limit, which corresponds
-+ to ~13-30min depending on RTO. */
-+unsigned long ip_ct_tcp_timeout_max_retrans = 5 MINS;
-
- static unsigned long * tcp_timeouts[]
--= { 0, /* TCP_CONNTRACK_NONE */
-- &ip_ct_tcp_timeout_established, /* TCP_CONNTRACK_ESTABLISHED, */
-- &ip_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */
-- &ip_ct_tcp_timeout_syn_recv, /* TCP_CONNTRACK_SYN_RECV, */
-- &ip_ct_tcp_timeout_fin_wait, /* TCP_CONNTRACK_FIN_WAIT, */
-- &ip_ct_tcp_timeout_time_wait, /* TCP_CONNTRACK_TIME_WAIT, */
-- &ip_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */
-- &ip_ct_tcp_timeout_close_wait, /* TCP_CONNTRACK_CLOSE_WAIT, */
-- &ip_ct_tcp_timeout_last_ack, /* TCP_CONNTRACK_LAST_ACK, */
-- 0, /* TCP_CONNTRACK_LISTEN */
-- };
--
-+= { 0, /* TCP_CONNTRACK_NONE */
-+ &ip_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */
-+ &ip_ct_tcp_timeout_syn_recv, /* TCP_CONNTRACK_SYN_RECV, */
-+ &ip_ct_tcp_timeout_established, /* TCP_CONNTRACK_ESTABLISHED, */
-+ &ip_ct_tcp_timeout_fin_wait, /* TCP_CONNTRACK_FIN_WAIT, */
-+ &ip_ct_tcp_timeout_close_wait, /* TCP_CONNTRACK_CLOSE_WAIT, */
-+ &ip_ct_tcp_timeout_last_ack, /* TCP_CONNTRACK_LAST_ACK, */
-+ &ip_ct_tcp_timeout_time_wait, /* TCP_CONNTRACK_TIME_WAIT, */
-+ &ip_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */
-+ 0, /* TCP_CONNTRACK_LISTEN */
-+};
-+
- #define sNO TCP_CONNTRACK_NONE
--#define sES TCP_CONNTRACK_ESTABLISHED
- #define sSS TCP_CONNTRACK_SYN_SENT
- #define sSR TCP_CONNTRACK_SYN_RECV
-+#define sES TCP_CONNTRACK_ESTABLISHED
- #define sFW TCP_CONNTRACK_FIN_WAIT
--#define sTW TCP_CONNTRACK_TIME_WAIT
--#define sCL TCP_CONNTRACK_CLOSE
- #define sCW TCP_CONNTRACK_CLOSE_WAIT
- #define sLA TCP_CONNTRACK_LAST_ACK
-+#define sTW TCP_CONNTRACK_TIME_WAIT
-+#define sCL TCP_CONNTRACK_CLOSE
- #define sLI TCP_CONNTRACK_LISTEN
- #define sIV TCP_CONNTRACK_MAX
-+#define sIG TCP_CONNTRACK_IGNORE
-+
-+/* What TCP flags are set from RST/SYN/FIN/ACK. */
-+enum tcp_bit_set {
-+ TCP_SYN_SET,
-+ TCP_SYNACK_SET,
-+ TCP_FIN_SET,
-+ TCP_ACK_SET,
-+ TCP_RST_SET,
-+ TCP_NONE_SET,
-+};
-
--static enum tcp_conntrack tcp_conntracks[2][5][TCP_CONNTRACK_MAX] = {
-+/*
-+ * The TCP state transition table needs a few words...
-+ *
-+ * We are the man in the middle. All the packets go through us
-+ * but might get lost in transit to the destination.
-+ * It is assumed that the destinations can't receive segments
-+ * we haven't seen.
-+ *
-+ * The checked segment is in window, but our windows are *not*
-+ * equivalent with the ones of the sender/receiver. We always
-+ * try to guess the state of the current sender.
-+ *
-+ * The meaning of the states are:
-+ *
-+ * NONE: initial state
-+ * SYN_SENT: SYN-only packet seen
-+ * SYN_RECV: SYN-ACK packet seen
-+ * ESTABLISHED: ACK packet seen
-+ * FIN_WAIT: FIN packet seen
-+ * CLOSE_WAIT: ACK seen (after FIN)
-+ * LAST_ACK: FIN seen (after FIN)
-+ * TIME_WAIT: last ACK seen
-+ * CLOSE: closed connection
-+ *
-+ * LISTEN state is not used.
-+ *
-+ * Packets marked as IGNORED (sIG):
-+ * if they may be either invalid or valid
-+ * and the receiver may send back a connection
-+ * closing RST or a SYN/ACK.
-+ *
-+ * Packets marked as INVALID (sIV):
-+ * if they are invalid
-+ * or we do not support the request (simultaneous open)
-+ */
-+static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
- {
--/* ORIGINAL */
--/* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI */
--/*syn*/ {sSS, sES, sSS, sSR, sSS, sSS, sSS, sSS, sSS, sLI },
--/*fin*/ {sTW, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI },
--/*ack*/ {sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES },
--/*rst*/ {sCL, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL },
--/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
-+/* ORIGINAL */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sIV },
-+/*
-+ * sNO -> sSS Initialize a new connection
-+ * sSS -> sSS Retransmitted SYN
-+ * sSR -> sIG Late retransmitted SYN?
-+ * sES -> sIG Error: SYNs in window outside the SYN_SENT state
-+ * are errors. Receiver will reply with RST
-+ * and close the connection.
-+ * Or we are not in sync and hold a dead connection.
-+ * sFW -> sIG
-+ * sCW -> sIG
-+ * sLA -> sIG
-+ * sTW -> sSS Reopened connection (RFC 1122).
-+ * sCL -> sSS
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
-+/*
-+ * A SYN/ACK from the client is always invalid:
-+ * - either it tries to set up a simultaneous open, which is
-+ * not supported;
-+ * - or the firewall has just been inserted between the two hosts
-+ * during the session set-up. The SYN will be retransmitted
-+ * by the true client (or it'll time out).
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
-+/*
-+ * sNO -> sIV Too late and no reason to do anything...
-+ * sSS -> sIV Client migth not send FIN in this state:
-+ * we enforce waiting for a SYN/ACK reply first.
-+ * sSR -> sFW Close started.
-+ * sES -> sFW
-+ * sFW -> sLA FIN seen in both directions, waiting for
-+ * the last ACK.
-+ * Migth be a retransmitted FIN as well...
-+ * sCW -> sLA
-+ * sLA -> sLA Retransmitted FIN. Remain in the same state.
-+ * sTW -> sTW
-+ * sCL -> sCL
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
-+/*
-+ * sNO -> sES Assumed.
-+ * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
-+ * sSR -> sES Established state is reached.
-+ * sES -> sES :-)
-+ * sFW -> sCW Normal close request answered by ACK.
-+ * sCW -> sCW
-+ * sLA -> sTW Last ACK detected.
-+ * sTW -> sTW Retransmitted last ACK. Remain in the same state.
-+ * sCL -> sCL
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
-+/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
- },
- {
--/* REPLY */
--/* sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI */
--/*syn*/ {sSR, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR },
--/*fin*/ {sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI },
--/*ack*/ {sCL, sES, sSS, sSR, sFW, sTW, sCL, sCW, sCL, sLI },
--/*rst*/ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sLA, sLI },
--/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
-+/* REPLY */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*syn*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
-+/*
-+ * sNO -> sIV Never reached.
-+ * sSS -> sIV Simultaneous open, not supported
-+ * sSR -> sIV Simultaneous open, not supported.
-+ * sES -> sIV Server may not initiate a connection.
-+ * sFW -> sIV
-+ * sCW -> sIV
-+ * sLA -> sIV
-+ * sTW -> sIV Reopened connection, but server may not do it.
-+ * sCL -> sIV
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIV },
-+/*
-+ * sSS -> sSR Standard open.
-+ * sSR -> sSR Retransmitted SYN/ACK.
-+ * sES -> sIG Late retransmitted SYN/ACK?
-+ * sFW -> sIG
-+ * sCW -> sIG
-+ * sLA -> sIG
-+ * sTW -> sIG
-+ * sCL -> sIG
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
-+/*
-+ * sSS -> sIV Server might not send FIN in this state.
-+ * sSR -> sFW Close started.
-+ * sES -> sFW
-+ * sFW -> sLA FIN seen in both directions.
-+ * sCW -> sLA
-+ * sLA -> sLA Retransmitted FIN.
-+ * sTW -> sTW
-+ * sCL -> sCL
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*ack*/ { sIV, sIV, sIV, sES, sCW, sCW, sTW, sTW, sCL, sIV },
-+/*
-+ * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
-+ * sSR -> sIV Simultaneous open.
-+ * sES -> sES :-)
-+ * sFW -> sCW Normal close request answered by ACK.
-+ * sCW -> sCW
-+ * sLA -> sTW Last ACK detected.
-+ * sTW -> sTW Retransmitted last ACK.
-+ * sCL -> sCL
-+ */
-+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-+/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
-+/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
- }
- };
-
- static int tcp_pkt_to_tuple(const struct sk_buff *skb,
-- unsigned int dataoff,
-- struct ip_conntrack_tuple *tuple)
-+ unsigned int dataoff,
-+ struct ip_conntrack_tuple *tuple)
- {
- struct tcphdr hdr;
-
-@@ -158,99 +335,720 @@
- return sprintf(buffer, "%s ", tcp_conntrack_names[state]);
- }
-
--static unsigned int get_conntrack_index(const struct tcphdr *tcph)
-+static inline unsigned int get_conntrack_index(const struct tcphdr *tcph)
- {
-- if (tcph->rst) return 3;
-- else if (tcph->syn) return 0;
-- else if (tcph->fin) return 1;
-- else if (tcph->ack) return 2;
-- else return 4;
-+ if (tcph->rst) return TCP_RST_SET;
-+ else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
-+ else if (tcph->fin) return TCP_FIN_SET;
-+ else if (tcph->ack) return TCP_ACK_SET;
-+ else return TCP_NONE_SET;
- }
-
--/* Returns verdict for packet, or -1 for invalid. */
--static int tcp_packet(struct ip_conntrack *conntrack,
-- const struct sk_buff *skb,
-- enum ip_conntrack_info ctinfo)
-+/* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
-+ in IP Filter' by Guido van Rooij.
-+
-+ http://www.nluug.nl/events/sane2000/papers.html
-+ http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
-+
-+ The boundaries and the conditions are slightly changed:
-+
-+ td_maxend = max(sack + max(win,1)) seen in reply packets
-+ td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
-+ td_end = max(seq + len) seen in sent packets
-+
-+ I. Upper bound for valid data: seq + len <= sender.td_maxend
-+ II. Lower bound for valid data: seq >= sender.td_end - receiver.td_maxwin
-+ III. Upper bound for valid ack: sack <= receiver.td_end
-+ IV. Lower bound for valid ack: ack >= receiver.td_end - MAXACKWINDOW
-+
-+ where sack is the highest right edge of sack block found in the packet.
-+
-+ The upper bound limit for a valid ack is not ignored -
-+ we doesn't have to deal with fragments.
-+*/
-+
-+static inline __u32 segment_seq_plus_len(__u32 seq,
-+ size_t len,
-+ struct iphdr *iph,
-+ struct tcphdr *tcph)
- {
-- enum tcp_conntrack newconntrack, oldtcpstate;
-- struct tcphdr tcph;
-+ return (seq + len - (iph->ihl + tcph->doff)*4
-+ + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
-+}
-
-- if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &tcph, sizeof(tcph)) != 0)
-- return -1;
-- if (skb->len < skb->nh.iph->ihl * 4 + tcph.doff * 4)
-- return -1;
-+/* Fixme: what about big packets? */
-+#define MAXACKWINCONST 66000
-+#define MAXACKWINDOW(sender) \
-+ ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
-+ : MAXACKWINCONST)
-
-- /* If only reply is a RST, we can consider ourselves not to
-- have an established connection: this is a fairly common
-- problem case, so we can delete the conntrack
-- immediately. --RR */
-- if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) && tcph.rst) {
-- if (del_timer(&conntrack->timeout))
-- conntrack->timeout.function((unsigned long)conntrack);
-- return NF_ACCEPT;
-+/*
-+ * Simplified tcp_parse_options routine from tcp_input.c
-+ */
-+static void tcp_options(struct tcphdr *tcph,
-+ struct ip_ct_tcp_state *state)
-+{
-+ unsigned char *ptr = (unsigned char *)(tcph + 1);
-+ int length = (tcph->doff*4) - sizeof(struct tcphdr);
-+
-+ state->td_scale =
-+ state->flags = 0;
-+
-+ while (length > 0) {
-+ int opcode=*ptr++;
-+ int opsize;
-+
-+ switch (opcode) {
-+ case TCPOPT_EOL:
-+ return;
-+ case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
-+ length--;
-+ continue;
-+ default:
-+ opsize=*ptr++;
-+ if (opsize < 2) /* "silly options" */
-+ return;
-+ if (opsize > length)
-+ break; /* don't parse partial options */
-+
-+ if (opcode == TCPOPT_SACK_PERM
-+ && opsize == TCPOLEN_SACK_PERM)
-+ state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
-+ else if (opcode == TCPOPT_WINDOW
-+ && opsize == TCPOLEN_WINDOW) {
-+ state->td_scale = *(u_int8_t *)ptr;
-+
-+ if (state->td_scale > 14) {
-+ /* See RFC1323 */
-+ state->td_scale = 14;
-+ }
-+ state->flags |=
-+ IP_CT_TCP_STATE_FLAG_WINDOW_SCALE;
-+ }
-+ ptr += opsize - 2;
-+ length -= opsize;
-+ }
-+ }
-+}
-+
-+static void tcp_sack(struct tcphdr *tcph, __u32 *sack)
-+{
-+ __u32 tmp;
-+ unsigned char *ptr;
-+ int length = (tcph->doff*4) - sizeof(struct tcphdr);
-+
-+ /* Fast path for timestamp-only option */
-+ if (length == TCPOLEN_TSTAMP_ALIGNED*4
-+ && *(__u32 *)(tcph + 1) ==
-+ __constant_ntohl((TCPOPT_NOP << 24)
-+ | (TCPOPT_NOP << 16)
-+ | (TCPOPT_TIMESTAMP << 8)
-+ | TCPOLEN_TIMESTAMP))
-+ return;
-+
-+ ptr = (unsigned char *)(tcph + 1);
-+ while (length > 0) {
-+ int opcode=*ptr++;
-+ int opsize, i;
-+
-+ switch (opcode) {
-+ case TCPOPT_EOL:
-+ return;
-+ case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
-+ length--;
-+ continue;
-+ default:
-+ opsize=*ptr++;
-+ if (opsize < 2) /* "silly options" */
-+ return;
-+ if (opsize > length)
-+ break; /* don't parse partial options */
-+
-+ if (opcode == TCPOPT_SACK
-+ && opsize >= (TCPOLEN_SACK_BASE
-+ + TCPOLEN_SACK_PERBLOCK)
-+ && !((opsize - TCPOLEN_SACK_BASE)
-+ % TCPOLEN_SACK_PERBLOCK)) {
-+ for (i = 0;
-+ i < (opsize - TCPOLEN_SACK_BASE);
-+ i += TCPOLEN_SACK_PERBLOCK) {
-+ tmp = ntohl(*((u_int32_t *)(ptr+i)+1));
-+
-+ if (after(tmp, *sack))
-+ *sack = tmp;
-+ }
-+ return;
-+ }
-+ ptr += opsize - 2;
-+ length -= opsize;
-+ }
-+ }
-+}
-+
-+static int tcp_in_window(struct ip_ct_tcp *state,
-+ enum ip_conntrack_dir dir,
-+ unsigned int *index,
-+ const struct sk_buff *skb,
-+ struct iphdr *iph,
-+ struct tcphdr *tcph)
-+{
-+ struct ip_ct_tcp_state *sender = &state->seen[dir];
-+ struct ip_ct_tcp_state *receiver = &state->seen[!dir];
-+ __u32 seq, ack, sack, end, win, swin;
-+ int res;
-+
-+ /*
-+ * Get the required data from the packet.
-+ */
-+ seq = ntohl(tcph->seq);
-+ ack = sack = ntohl(tcph->ack_seq);
-+ win = ntohs(tcph->window);
-+ end = segment_seq_plus_len(seq, skb->len, iph, tcph);
-+
-+ if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
-+ tcp_sack(tcph, &sack);
-+
-+ DEBUGP("tcp_in_window: START\n");
-+ DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
-+ "seq=%u ack=%u sack=%u win=%u end=%u\n",
-+ NIPQUAD(iph->saddr), ntohs(tcph->source),
-+ NIPQUAD(iph->daddr), ntohs(tcph->dest),
-+ seq, ack, sack, win, end);
-+ DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
-+ "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
-+ sender->td_end, sender->td_maxend, sender->td_maxwin,
-+ sender->td_scale,
-+ receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
-+ receiver->td_scale);
-+
-+ if (sender->td_end == 0) {
-+ /*
-+ * Initialize sender data.
-+ */
-+ if (tcph->syn && tcph->ack) {
-+ /*
-+ * Outgoing SYN-ACK in reply to a SYN.
-+ */
-+ sender->td_end =
-+ sender->td_maxend = end;
-+ sender->td_maxwin = (win == 0 ? 1 : win);
-+
-+ tcp_options(tcph, sender);
-+ /*
-+ * RFC 1323:
-+ * Both sides must send the Window Scale option
-+ * to enable window scaling in either direction.
-+ */
-+ if (!(sender->flags & IP_CT_TCP_STATE_FLAG_WINDOW_SCALE
-+ && receiver->flags & IP_CT_TCP_STATE_FLAG_WINDOW_SCALE))
-+ sender->td_scale =
-+ receiver->td_scale = 0;
-+ } else {
-+ /*
-+ * We are in the middle of a connection,
-+ * its history is lost for us.
-+ * Let's try to use the data from the packet.
-+ */
-+ sender->td_end = end;
-+ sender->td_maxwin = (win == 0 ? 1 : win);
-+ sender->td_maxend = end + sender->td_maxwin;
-+ }
-+ } else if (state->state == TCP_CONNTRACK_SYN_SENT
-+ && dir == IP_CT_DIR_ORIGINAL
-+ && after(end, sender->td_end)) {
-+ /*
-+ * RFC 793: "if a TCP is reinitialized ... then it need
-+ * not wait at all; it must only be sure to use sequence
-+ * numbers larger than those recently used."
-+ */
-+ sender->td_end =
-+ sender->td_maxend = end;
-+ sender->td_maxwin = (win == 0 ? 1 : win);
-+
-+ tcp_options(tcph, sender);
-+ }
-+
-+ if (!(tcph->ack)) {
-+ /*
-+ * If there is no ACK, just pretend it was set and OK.
-+ */
-+ ack = sack = receiver->td_end;
-+ } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
-+ (TCP_FLAG_ACK|TCP_FLAG_RST))
-+ && (ack == 0)) {
-+ /*
-+ * Broken TCP stacks, that set ACK in RST packets as well
-+ * with zero ack value.
-+ */
-+ ack = sack = receiver->td_end;
-+ }
-+
-+ if (seq == end)
-+ /*
-+ * Packets contains no data: we assume it is valid
-+ * and check the ack value only.
-+ */
-+ seq = end = sender->td_end;
-+
-+ DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
-+ "seq=%u ack=%u sack =%u win=%u end=%u trim=%u\n",
-+ NIPQUAD(iph->saddr), ntohs(tcph->source),
-+ NIPQUAD(iph->daddr), ntohs(tcph->dest),
-+ seq, ack, sack, win, end,
-+ after(end, sender->td_maxend) && before(seq, sender->td_maxend)
-+ ? sender->td_maxend : end);
-+ DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
-+ "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
-+ sender->td_end, sender->td_maxend, sender->td_maxwin,
-+ sender->td_scale,
-+ receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
-+ receiver->td_scale);
-+
-+ /* Ignore data over the right edge of the receiver's window. */
-+ if (after(end, sender->td_maxend) &&
-+ before(seq, sender->td_maxend)) {
-+ end = sender->td_maxend;
-+ if (*index == TCP_FIN_SET)
-+ *index = TCP_ACK_SET;
-+ }
-+ DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
-+ before(end, sender->td_maxend + 1)
-+ || before(seq, sender->td_maxend + 1),
-+ after(seq, sender->td_end - receiver->td_maxwin - 1)
-+ || after(end, sender->td_end - receiver->td_maxwin - 1),
-+ before(sack, receiver->td_end + 1),
-+ after(ack, receiver->td_end - MAXACKWINDOW(sender)));
-+
-+ if (sender->loose || receiver->loose ||
-+ (before(end, sender->td_maxend + 1) &&
-+ after(seq, sender->td_end - receiver->td_maxwin - 1) &&
-+ before(sack, receiver->td_end + 1) &&
-+ after(ack, receiver->td_end - MAXACKWINDOW(sender)))) {
-+ /*
-+ * Take into account window scaling (RFC 1323).
-+ */
-+ if (!tcph->syn)
-+ win <<= sender->td_scale;
-+
-+ /*
-+ * Update sender data.
-+ */
-+ swin = win + (sack - ack);
-+ if (sender->td_maxwin < swin)
-+ sender->td_maxwin = swin;
-+ if (after(end, sender->td_end))
-+ sender->td_end = end;
-+ if (after(sack + win, receiver->td_maxend - 1)) {
-+ receiver->td_maxend = sack + win;
-+ if (win == 0)
-+ receiver->td_maxend++;
-+ }
-+
-+ /*
-+ * Check retransmissions.
-+ */
-+ if (*index == TCP_ACK_SET) {
-+ if (state->last_dir == dir
-+ && state->last_seq == seq
-+ && state->last_end == end)
-+ state->retrans++;
-+ else {
-+ state->last_dir = dir;
-+ state->last_seq = seq;
-+ state->last_end = end;
-+ state->retrans = 0;
-+ }
-+ }
-+ /*
-+ * Close the window of disabled window tracking :-)
-+ */
-+ if (sender->loose)
-+ sender->loose--;
-+
-+ res = 1;
-+ } else {
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: %s ",
-+ before(end, sender->td_maxend + 1) ?
-+ after(seq, sender->td_end - receiver->td_maxwin - 1) ?
-+ before(ack, receiver->td_end + 1) ?
-+ after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
-+ : "ACK is under the lower bound (possibly overly delayed ACK)"
-+ : "ACK is over the upper bound (ACKed data has never seen yet)"
-+ : "SEQ is under the lower bound (retransmitted already ACKed data)"
-+ : "SEQ is over the upper bound (over the window of the receiver)");
-+
-+ res = ip_ct_tcp_be_liberal && !tcph->rst;
- }
-
-+ DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
-+ "receiver end=%u maxend=%u maxwin=%u\n",
-+ res, sender->td_end, sender->td_maxend, sender->td_maxwin,
-+ receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
-+
-+ return res;
-+}
-+
-+#ifdef CONFIG_IP_NF_NAT_NEEDED
-+/* Update sender->td_end after NAT successfully mangled the packet */
-+int ip_conntrack_tcp_update(struct sk_buff *skb,
-+ struct ip_conntrack *conntrack,
-+ int dir)
-+{
-+ struct iphdr *iph = skb->nh.iph;
-+ struct tcphdr *tcph = (void *)skb->nh.iph + skb->nh.iph->ihl*4;
-+ __u32 end;
-+#ifdef DEBUGP_VARS
-+ struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[dir];
-+ struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[!dir];
-+#endif
-+
-+ end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, iph, tcph);
-+
- WRITE_LOCK(&tcp_lock);
-- oldtcpstate = conntrack->proto.tcp.state;
-- newconntrack
-- = tcp_conntracks
-- [CTINFO2DIR(ctinfo)]
-- [get_conntrack_index(&tcph)][oldtcpstate];
--
-- /* Invalid */
-- if (newconntrack == TCP_CONNTRACK_MAX) {
-- DEBUGP("ip_conntrack_tcp: Invalid dir=%i index=%u conntrack=%u\n",
-- CTINFO2DIR(ctinfo), get_conntrack_index(&tcph),
-- conntrack->proto.tcp.state);
-- WRITE_UNLOCK(&tcp_lock);
-- return -1;
-+ /*
-+ * We have to worry for the ack in the reply packet only...
-+ */
-+ if (after(end, conntrack->proto.tcp.seen[dir].td_end))
-+ conntrack->proto.tcp.seen[dir].td_end = end;
-+ conntrack->proto.tcp.last_end = end;
-+ WRITE_UNLOCK(&tcp_lock);
-+ DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
-+ "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
-+ sender->td_end, sender->td_maxend, sender->td_maxwin,
-+ sender->td_scale,
-+ receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
-+ receiver->td_scale);
-+
-+ return 1;
-+}
-+
-+EXPORT_SYMBOL(ip_conntrack_tcp_update);
-+#endif
-+
-+#define TH_FIN 0x01
-+#define TH_SYN 0x02
-+#define TH_RST 0x04
-+#define TH_PUSH 0x08
-+#define TH_ACK 0x10
-+#define TH_URG 0x20
-+#define TH_ECE 0x40
-+#define TH_CWR 0x80
-+
-+/* table of valid flag combinations - ECE and CWR are always valid */
-+static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
-+{
-+ [TH_SYN] = 1,
-+ [TH_SYN|TH_ACK] = 1,
-+ [TH_RST] = 1,
-+ [TH_RST|TH_ACK] = 1,
-+ [TH_RST|TH_ACK|TH_PUSH] = 1,
-+ [TH_FIN|TH_ACK] = 1,
-+ [TH_ACK] = 1,
-+ [TH_ACK|TH_PUSH] = 1,
-+ [TH_ACK|TH_URG] = 1,
-+ [TH_ACK|TH_URG|TH_PUSH] = 1,
-+ [TH_FIN|TH_ACK|TH_PUSH] = 1,
-+ [TH_FIN|TH_ACK|TH_URG] = 1,
-+ [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
-+};
-+
-+/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
-+static int tcp_error(struct sk_buff *skb,
-+ enum ip_conntrack_info *ctinfo,
-+ unsigned int hooknum)
-+{
-+ struct iphdr *iph = skb->nh.iph;
-+ struct tcphdr tcph;
-+ unsigned int tcplen = skb->len - iph->ihl * 4;
-+ u_int8_t tcpflags;
-+
-+ /* Smaller that minimal TCP header? */
-+ if (skb_copy_bits(skb, iph->ihl * 4, &tcph, sizeof(tcph)) != 0) {
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: short packet ");
-+ return -NF_ACCEPT;
- }
-
-- conntrack->proto.tcp.state = newconntrack;
-+ /* Not whole TCP header or malformed packet */
-+ if (tcph.doff*4 < sizeof(struct tcphdr) || tcplen < tcph.doff*4) {
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: truncated/malformed packet ");
-+ return -NF_ACCEPT;
-+ }
-
-- /* Poor man's window tracking: record SYN/ACK for handshake check */
-- if (oldtcpstate == TCP_CONNTRACK_SYN_SENT
-- && CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY
-- && tcph.syn && tcph.ack) {
-- conntrack->proto.tcp.handshake_ack
-- = htonl(ntohl(tcph.seq) + 1);
-- goto out;
-+ /* Checksum invalid? Ignore.
-+ * We skip checking packets on the outgoing path
-+ * because the semantic of CHECKSUM_HW is different there
-+ * and moreover root might send raw packets.
-+ */
-+ /* FIXME: Source route IP option packets --RR */
-+ if (hooknum == NF_IP_PRE_ROUTING
-+ && csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
-+ skb->ip_summed == CHECKSUM_HW ? skb->csum
-+ : skb_checksum(skb, iph->ihl*4, tcplen, 0))) {
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: bad TCP checksum ");
-+ return -NF_ACCEPT;
- }
-
-- /* Set ASSURED if we see valid ack in ESTABLISHED after SYN_RECV */
-- if (oldtcpstate == TCP_CONNTRACK_SYN_RECV
-- && CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL
-- && tcph.ack && !tcph.syn
-- && tcph.ack_seq == conntrack->proto.tcp.handshake_ack)
-- set_bit(IPS_ASSURED_BIT, &conntrack->status);
-+ /* Check TCP flags. */
-+ tcpflags = (((u_int8_t *)&tcph)[13] & ~(TH_ECE|TH_CWR));
-+ if (!tcp_valid_flags[tcpflags]) {
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: invalid TCP flag combination ");
-+ return -NF_ACCEPT;
-+ }
-
--out: WRITE_UNLOCK(&tcp_lock);
-- ip_ct_refresh(conntrack, *tcp_timeouts[newconntrack]);
-+ return NF_ACCEPT;
-+}
-+
-+static inline void copy_whole_tcp_header(const struct sk_buff *skb,
-+ unsigned char *buff)
-+{
-+ struct iphdr *iph = skb->nh.iph;
-+ struct tcphdr *tcph = (struct tcphdr *)buff;
-+
-+ /* tcp_error guarantees for us that the packet is not malformed */
-+ skb_copy_bits(skb, iph->ihl * 4, buff, sizeof(*tcph));
-+ skb_copy_bits(skb, iph->ihl * 4 + sizeof(*tcph),
-+ buff + sizeof(*tcph),
-+ tcph->doff * 4 - sizeof(*tcph));
-+}
-+
-+/* Returns verdict for packet, or -1 for invalid. */
-+static int tcp_packet(struct ip_conntrack *conntrack,
-+ const struct sk_buff *skb,
-+ enum ip_conntrack_info ctinfo)
-+{
-+ enum tcp_conntrack new_state, old_state;
-+ enum ip_conntrack_dir dir;
-+ struct iphdr *iph = skb->nh.iph;
-+ unsigned char buff[15 * 4];
-+ struct tcphdr *tcph = (struct tcphdr *)buff;
-+ unsigned long timeout;
-+ unsigned int index;
-+
-+ copy_whole_tcp_header(skb, buff);
-+
-+ WRITE_LOCK(&tcp_lock);
-+ old_state = conntrack->proto.tcp.state;
-+ dir = CTINFO2DIR(ctinfo);
-+ index = get_conntrack_index(tcph);
-+ new_state = tcp_conntracks[dir][index][old_state];
-+
-+ switch (new_state) {
-+ case TCP_CONNTRACK_IGNORE:
-+ /* Either SYN in ORIGINAL, or SYN/ACK in REPLY direction. */
-+ if (index == TCP_SYNACK_SET
-+ && conntrack->proto.tcp.last_index == TCP_SYN_SET
-+ && conntrack->proto.tcp.last_dir != dir
-+ && after(ntohl(tcph->ack_seq),
-+ conntrack->proto.tcp.last_seq)) {
-+ /* This SYN/ACK acknowledges a SYN that we earlier
-+ * ignored as invalid. This means that the client and
-+ * the server are both in sync, while the firewall is
-+ * not. We kill this session and block the SYN/ACK so
-+ * that the client cannot but retransmit its SYN and
-+ * thus initiate a clean new session.
-+ */
-+ WRITE_UNLOCK(&tcp_lock);
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: killing out of sync session ");
-+ if (del_timer(&conntrack->timeout))
-+ conntrack->timeout.function((unsigned long)
-+ conntrack);
-+ return -NF_DROP;
-+ }
-+ conntrack->proto.tcp.last_index = index;
-+ conntrack->proto.tcp.last_dir = dir;
-+ conntrack->proto.tcp.last_seq = ntohl(tcph->seq);
-+
-+ WRITE_UNLOCK(&tcp_lock);
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: invalid SYN (ignored) ");
-+ return NF_ACCEPT;
-+ case TCP_CONNTRACK_MAX:
-+ /* Invalid packet */
-+ DEBUGP("ip_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
-+ dir, get_conntrack_index(tcph),
-+ old_state);
-+ WRITE_UNLOCK(&tcp_lock);
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: invalid state ");
-+ return -NF_ACCEPT;
-+ case TCP_CONNTRACK_SYN_SENT:
-+ if (old_state >= TCP_CONNTRACK_TIME_WAIT) {
-+ /* Attempt to reopen a closed connection.
-+ * Delete this connection and look up again. */
-+ WRITE_UNLOCK(&tcp_lock);
-+ if (del_timer(&conntrack->timeout))
-+ conntrack->timeout.function((unsigned long)
-+ conntrack);
-+ return -NF_REPEAT;
-+ }
-+ break;
-+ case TCP_CONNTRACK_CLOSE:
-+ if (index == TCP_RST_SET
-+ && test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
-+ && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET
-+ && after(ntohl(tcph->ack_seq),
-+ conntrack->proto.tcp.last_seq)) {
-+ /* Ignore RST closing down invalid SYN
-+ we had let trough. */
-+ WRITE_UNLOCK(&tcp_lock);
-+ if (LOG_INVALID(IPPROTO_TCP))
-+ nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-+ "ip_ct_tcp: invalid RST (ignored) ");
-+ return NF_ACCEPT;
-+ }
-+ /* Just fall trough */
-+ default:
-+ /* Keep compilers happy. */
-+ break;
-+ }
-+
-+ if (!tcp_in_window(&conntrack->proto.tcp, dir, &index,
-+ skb, iph, tcph)) {
-+ WRITE_UNLOCK(&tcp_lock);
-+ return -NF_ACCEPT;
-+ }
-+ /* From now on we have got in-window packets */
-+
-+ /* If FIN was trimmed off, we don't change state. */
-+ conntrack->proto.tcp.last_index = index;
-+ new_state = tcp_conntracks[dir][index][old_state];
-+
-+ DEBUGP("tcp_conntracks: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
-+ "syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
-+ NIPQUAD(iph->saddr), ntohs(tcph->source),
-+ NIPQUAD(iph->daddr), ntohs(tcph->dest),
-+ (tcph->syn ? 1 : 0), (tcph->ack ? 1 : 0),
-+ (tcph->fin ? 1 : 0), (tcph->rst ? 1 : 0),
-+ old_state, new_state);
-+
-+ conntrack->proto.tcp.state = new_state;
-+ timeout = conntrack->proto.tcp.retrans >= ip_ct_tcp_max_retrans
-+ && *tcp_timeouts[new_state] > ip_ct_tcp_timeout_max_retrans
-+ ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
-+ WRITE_UNLOCK(&tcp_lock);
-+
-+ if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) {
-+ /* If only reply is a RST, we can consider ourselves not to
-+ have an established connection: this is a fairly common
-+ problem case, so we can delete the conntrack
-+ immediately. --RR */
-+ if (tcph->rst) {
-+ if (del_timer(&conntrack->timeout))
-+ conntrack->timeout.function((unsigned long)
-+ conntrack);
-+ return NF_ACCEPT;
-+ }
-+ } else if (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
-+ && (old_state == TCP_CONNTRACK_SYN_RECV
-+ || old_state == TCP_CONNTRACK_ESTABLISHED)
-+ && new_state == TCP_CONNTRACK_ESTABLISHED) {
-+ /* Set ASSURED if we see see valid ack in ESTABLISHED
-+ after SYN_RECV or a valid answer for a picked up
-+ connection. */
-+ set_bit(IPS_ASSURED_BIT, &conntrack->status);
-+ }
-+ ip_ct_refresh(conntrack, timeout);
-
- return NF_ACCEPT;
- }
-
- /* Called when a new connection for this protocol found. */
--static int tcp_new(struct ip_conntrack *conntrack, const struct sk_buff *skb)
-+static int tcp_new(struct ip_conntrack *conntrack,
-+ const struct sk_buff *skb)
- {
-- enum tcp_conntrack newconntrack;
-- struct tcphdr tcph;
-+ enum tcp_conntrack new_state;
-+ struct iphdr *iph = skb->nh.iph;
-+ unsigned char buff[15 * 4];
-+ struct tcphdr *tcph = (struct tcphdr *)buff;
-+#ifdef DEBUGP_VARS
-+ struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[0];
-+ struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[1];
-+#endif
-
-- if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &tcph, sizeof(tcph)) != 0)
-- return -1;
-+ copy_whole_tcp_header(skb, buff);
-
- /* Don't need lock here: this conntrack not in circulation yet */
-- newconntrack
-- = tcp_conntracks[0][get_conntrack_index(&tcph)]
-+ new_state
-+ = tcp_conntracks[0][get_conntrack_index(tcph)]
- [TCP_CONNTRACK_NONE];
-
- /* Invalid: delete conntrack */
-- if (newconntrack == TCP_CONNTRACK_MAX) {
-- DEBUGP("ip_conntrack_tcp: invalid new deleting.\n");
-+ if (new_state >= TCP_CONNTRACK_MAX) {
-+ DEBUGP("ip_ct_tcp: invalid new deleting.\n");
- return 0;
- }
-
-- conntrack->proto.tcp.state = newconntrack;
-+ if (new_state == TCP_CONNTRACK_SYN_SENT) {
-+ /* SYN packet */
-+ conntrack->proto.tcp.seen[0].td_end =
-+ segment_seq_plus_len(ntohl(tcph->seq), skb->len,
-+ iph, tcph);
-+ conntrack->proto.tcp.seen[0].td_maxwin = ntohs(tcph->window);
-+ if (conntrack->proto.tcp.seen[0].td_maxwin == 0)
-+ conntrack->proto.tcp.seen[0].td_maxwin = 1;
-+ conntrack->proto.tcp.seen[0].td_maxend =
-+ conntrack->proto.tcp.seen[0].td_end;
-+
-+ tcp_options(tcph, &conntrack->proto.tcp.seen[0]);
-+ conntrack->proto.tcp.seen[1].flags = 0;
-+ conntrack->proto.tcp.seen[0].loose =
-+ conntrack->proto.tcp.seen[1].loose = 0;
-+ } else if (ip_ct_tcp_loose == 0) {
-+ /* Don't try to pick up connections. */
-+ return 0;
-+ } else {
-+ /*
-+ * We are in the middle of a connection,
-+ * its history is lost for us.
-+ * Let's try to use the data from the packet.
-+ */
-+ conntrack->proto.tcp.seen[0].td_end =
-+ segment_seq_plus_len(ntohl(tcph->seq), skb->len,
-+ iph, tcph);
-+ conntrack->proto.tcp.seen[0].td_maxwin = ntohs(tcph->window);
-+ if (conntrack->proto.tcp.seen[0].td_maxwin == 0)
-+ conntrack->proto.tcp.seen[0].td_maxwin = 1;
-+ conntrack->proto.tcp.seen[0].td_maxend =
-+ conntrack->proto.tcp.seen[0].td_end +
-+ conntrack->proto.tcp.seen[0].td_maxwin;
-+ conntrack->proto.tcp.seen[0].td_scale = 0;
-+
-+ /* We assume SACK. Should we assume window scaling too? */
-+ conntrack->proto.tcp.seen[0].flags =
-+ conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM;
-+ conntrack->proto.tcp.seen[0].loose =
-+ conntrack->proto.tcp.seen[1].loose = ip_ct_tcp_loose;
-+ }
-+
-+ conntrack->proto.tcp.seen[1].td_end = 0;
-+ conntrack->proto.tcp.seen[1].td_maxend = 0;
-+ conntrack->proto.tcp.seen[1].td_maxwin = 1;
-+ conntrack->proto.tcp.seen[1].td_scale = 0;
-+
-+ /* tcp_packet will set them */
-+ conntrack->proto.tcp.state = TCP_CONNTRACK_NONE;
-+ conntrack->proto.tcp.last_index = TCP_NONE_SET;
-+
-+ DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
-+ "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
-+ sender->td_end, sender->td_maxend, sender->td_maxwin,
-+ sender->td_scale,
-+ receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
-+ receiver->td_scale);
- return 1;
- }
-
-@@ -259,7 +1059,7 @@
- struct tcphdr tcph;
- unsigned int datalen;
-
-- if (skb_copy_bits(skb, skb->nh.iph->ihl * 4, &tcph, sizeof(tcph)) != 0)
-+ if (skb_copy_bits(skb, iph->ihl * 4, &tcph, sizeof(tcph)) != 0)
- return 0;
- datalen = skb->len - iph->ihl*4 - tcph.doff*4;
-
-@@ -277,4 +1077,5 @@
- .packet = tcp_packet,
- .new = tcp_new,
- .exp_matches_pkt = tcp_exp_matches_pkt,
-+ .error = tcp_error,
- };
-diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.6-ct_error_api-udp/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.6-tcp-win2/net/ipv4/netfilter/ip_conntrack_standalone.c
---- linux-2.6.6-ct_error_api-udp/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-06-18 15:02:57.000000000 +0200
-+++ linux-2.6.6-tcp-win2/net/ipv4/netfilter/ip_conntrack_standalone.c 2004-06-18 15:24:17.000000000 +0200
-@@ -322,6 +322,10 @@
- extern unsigned long ip_ct_tcp_timeout_last_ack;
- extern unsigned long ip_ct_tcp_timeout_time_wait;
- extern unsigned long ip_ct_tcp_timeout_close;
-+extern unsigned long ip_ct_tcp_timeout_max_retrans;
-+extern int ip_ct_tcp_loose;
-+extern int ip_ct_tcp_be_liberal;
-+extern int ip_ct_tcp_max_retrans;
-
- /* From ip_conntrack_proto_udp.c */
- extern unsigned long ip_ct_udp_timeout;
-@@ -464,6 +468,38 @@
- .extra1 = &log_invalid_proto_min,
- .extra2 = &log_invalid_proto_max,
- },
-+ {
-+ .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS,
-+ .procname = "ip_conntrack_tcp_timeout_max_retrans",
-+ .data = &ip_ct_tcp_timeout_max_retrans,
-+ .maxlen = sizeof(unsigned int),
-+ .mode = 0644,
-+ .proc_handler = &proc_dointvec_jiffies,
-+ },
-+ {
-+ .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_LOOSE,
-+ .procname = "ip_conntrack_tcp_loose",
-+ .data = &ip_ct_tcp_loose,
-+ .maxlen = sizeof(unsigned int),
-+ .mode = 0644,
-+ .proc_handler = &proc_dointvec,
-+ },
-+ {
-+ .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL,
-+ .procname = "ip_conntrack_tcp_be_liberal",
-+ .data = &ip_ct_tcp_be_liberal,
-+ .maxlen = sizeof(unsigned int),
-+ .mode = 0644,
-+ .proc_handler = &proc_dointvec,
-+ },
-+ {
-+ .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS,
-+ .procname = "ip_conntrack_tcp_max_retrans",
-+ .data = &ip_ct_tcp_max_retrans,
-+ .maxlen = sizeof(unsigned int),
-+ .mode = 0644,
-+ .proc_handler = &proc_dointvec,
-+ },
- { .ctl_name = 0 }
- };
-