[netfilter-cvslog] r4354 - in branches/netfilter-ha: .
linux-2.6-multigroup/ct_sync linux-2.6-multigroup/patches
hidden at netfilter.org
hidden at netfilter.org
Thu Oct 13 18:22:55 CEST 2005
Author: hidden at netfilter.org
Date: 2005-10-13 18:22:52 +0200 (Thu, 13 Oct 2005)
New Revision: 4354
Added:
branches/netfilter-ha/linux-2.6-multigroup/
Removed:
branches/netfilter-ha/linux-2.6-multigroup/patches/conntrack_alloc.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/ct_notifier_pkt.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_find.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_nat_helpers.patch
Modified:
branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync.h
branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_main.c
branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_proto.c
branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_proto.h
branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_sock.c
branches/netfilter-ha/linux-2.6-multigroup/ct_sync/cts_buff.h
branches/netfilter-ha/linux-2.6-multigroup/patches/conntrack_hash_manip.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/ct_sync_config_and_makefile.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_clean_from_lists.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_helpers.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_nat_lock_and_hash.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/inet_pton6.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/netfilter_sysfs.patch
branches/netfilter-ha/linux-2.6-multigroup/patches/series
Log:
Update the -actact code for Linux 2.6.14 and its integrated notifier
support. A couple of things are missing from this port, therefore
the separate branch:
- Has no "real" active-active support, timestamps are omitted from
structures, this is left for implementation after the multi-group
mode is working
- The layer 2 drop functionality is missing, since I've not yet
ported the pf_packet patch to 2.6.14.
Copied: branches/netfilter-ha/linux-2.6-multigroup (from rev 4346, branches/netfilter-ha/linux-2.6-actact)
Modified: branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync.h
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync.h 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync.h 2005-10-13 16:22:52 UTC (rev 4354)
@@ -57,7 +57,7 @@
{
__u8 version; /* version number */
__u8 pkttype; /* type of packet: sync/NACK */
- __u8 __reserved1; /* vers1: id of sender node */
+ __u8 __reserved1; /* in version 1: id of the sender node */
__u8 count; /* number of msgs in packet */
__u16 pktseq; /* packet sequence number */
__u16 minseq; /* min seqno master has */
@@ -80,7 +80,7 @@
enum ct_sync_pkt_flag_t
{
CT_SYNC_PKT_F_RECOVER = 0x01, /* recovery packet */
- CT_SYNC_PKT_F_ACTACT = 0x02, /* packet part of act-act */
+ CT_SYNC_PKT_F_ACTACT = 0x02, /* packet part of act-act sync */
};
/* CT_SYNC_PKT_MASTER_ANNOUNCE payload */
@@ -150,8 +150,12 @@
/* conntrack helper */
char helper[CT_SYNC_CTHELPERSIZE]; /* conntrack helper name */
- union ip_conntrack_help help; /* conntrack helper specific info */
+/* FIXME */
+#if 0
+ union ip_conntrack_help help; /* conntrack helper specific info */
+#endif
+
unsigned int expecting; /* number of siblings */
struct ip_conntrack_tuple master_ct_tuple; /* master ct tuple */
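Review bot: The bare `/* FIXME */` above the `#if 0` around `help` does not say what has to be fixed, and disabling the member changes the layout of the replicated conntrack record. The helper name in `helper[]` is still carried, so a receiver can attach a helper by name without any of its private state; the comment should say so, for example `/* FIXME: helper private state is not replicated in this port; only the helper name is sent */`. A node built from the earlier revision would read every field after `helper[]` at the wrong offset, and no change to the packet `version` value is visible in this diff, so it is worth confirming that mixed builds are rejected. The struct definition starts and ends outside the hunk.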
@@ -161,11 +165,6 @@
/* NAT */
#ifdef CONFIG_IP_NF_NAT_NEEDED
- int nat_initialized;
- __u8 nat_num_manips;
- struct ip_nat_info_manip nat_manips[IP_NAT_MAX_MANIPS];
- char nat_helper[CT_SYNC_NATHELPERSIZE];
- union ip_conntrack_nat_help nat_help;
struct ip_nat_seq nat_seq[IP_CT_DIR_MAX];
#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
char nat_masq_iface[IFNAMSIZ];
@@ -187,9 +186,8 @@
struct ip_conntrack_tuple tuple, mask; /* expectation tuple and mask */
__u32 seq; /* sequence number */
union ip_conntrack_expect_proto proto; /* protocol specific info */
+#if 0
union ip_conntrack_expect_help help; /* expectation helper specific info */
-#ifdef CONFIG_IP_NF_CT_SYNC_ACTACT
- struct timespec timestamp;
#endif
};
Modified: branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_main.c
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_main.c 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_main.c 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,7 +1,7 @@
/*
* Connection tracking state replication for Netfilter
*
- * (C) 2002-2004, KOVACS Krisztian <hidden at sch.bme.hu>
+ * (C) 2002-2005, KOVACS Krisztian <hidden at sch.bme.hu>
* (C) 2003-2005, Harald Welte <laforge at netfilter.org>
* (C) 2004, BalaBit IT Ltd. <www.balabit.com>
*
@@ -36,7 +36,6 @@
#include <linux/netdevice.h>
#include <linux/netlink.h>
-#include <linux/netfilter_packet.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
@@ -63,11 +62,11 @@
#define CT_SYNC_DUMP_TUPLE(x)
#endif
-#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_conntrack_lock)
-#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_conntrack_lock)
+#define ASSERT_READ_LOCK(x)
+#define ASSERT_WRITE_LOCK(x)
#include <linux/netfilter_ipv4/listhelp.h>
-#define CT_SYNC_VERSION "0.6.52"
+#define CT_SYNC_VERSION "0.25"
MODULE_LICENSE("GPL");
MODULE_AUTHOR("KOVACS Krisztian <hidden at sch.bme.hu>, Harald Welte <laforge at netfilter.org>");
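Review bot: Defining `ASSERT_READ_LOCK(x)` and `ASSERT_WRITE_LOCK(x)` as empty removes the only check that the listhelp.h list macros run under `ip_conntrack_lock`, and nothing records why. If the reason is that the `MUST_BE_*_LOCKED` helpers are no longer available on the target kernel, a comment such as `/* lock assertions compiled out: MUST_BE_*_LOCKED is not available on 2.6.14 */` would stop a later reader from assuming the checks are still active. The same hunk changes `CT_SYNC_VERSION` from "0.6.52" to "0.25"; a short note on the new numbering would keep that from being read as a downgrade.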
@@ -79,10 +78,6 @@
static int notrack = 1;
module_param(notrack, int, 0000);
-
-DEFINE_PER_CPU(struct ct_sync_stat, ct_sync_stats);
-
-
struct ct_sync_instance;
struct cts_inst_attribute {
@@ -94,6 +89,8 @@
static struct cts_inst_attribute create_attr;
+DEFINE_PER_CPU(struct ct_sync_stat, ct_sync_stats);
+
/* one instance */
struct ct_sync_instance
{
@@ -146,6 +143,7 @@
* FILLING CTSYNC MESSAGES WITH DATA
***********************************************************************/
+#if 0
static int
fill_expectmsg(void *buff, __u8 event,
struct ip_conntrack *master,
@@ -188,13 +186,16 @@
return 0;
}
+#endif
static int
fill_ctmsg(void *buff, __u8 event, struct ip_conntrack *ct, __u8 flags)
{
struct ct_sync_msghdr *hdr = buff;
struct ct_sync_conntrack *sct = buff + sizeof(*hdr);
-#ifdef CONFIG_IP_NF_TARGET_MASQUERADE
+
+#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \
+ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
struct net_device *masq_dev;
#endif
@@ -205,9 +206,6 @@
hdr->resource = CT_SYNC_RES_CONNTRACK;
hdr->len = __constant_htons(sizeof(*sct));
hdr->flags = flags;
-#ifdef CONFIG_IP_NF_CT_SYNC_ACTACT
- memcpy(&hdr->timestamp, &ct->timestamp, sizeof(hdr->timestamp));
-#endif
//CT_SYNC_DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
//CT_SYNC_DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
@@ -222,7 +220,9 @@
sct->expires = ct->timeout.expires - jiffies;
if (unlikely(ct->helper != NULL)) {
strncpy(sct->helper, ct->helper->name, sizeof(sct->helper));
+#if 0
memcpy(&sct->help, &ct->help, sizeof(sct->help));
+#endif
} else
sct->helper[0] = '\0';
@@ -242,13 +242,11 @@
memcpy(&sct->proto, &ct->proto, sizeof(sct->proto));
#ifdef CONFIG_IP_NF_NAT_NEEDED
- if (likely(ct->nat.info.initialized)) {
+ if (likely(ct->status & IPS_NAT_DONE_MASK)) {
const struct ip_nat_info *nat = &ct->nat.info;
- sct->nat_initialized = nat->initialized;
- sct->nat_num_manips = nat->num_manips;
- memcpy(sct->nat_manips, &nat->manips,
- (nat->num_manips * sizeof(struct ip_nat_info_manip)));
+/* FIXME */
+#if 0
if (unlikely(nat->helper != NULL)) {
strncpy(sct->nat_helper, nat->helper->name,
sizeof(sct->nat_helper));
@@ -256,19 +254,26 @@
sizeof(sct->nat_help));
} else
sct->nat_helper[0] = '\0';
+#endif
memcpy(&sct->nat_seq, &nat->seq, sizeof(sct->nat_seq));
-#ifdef CONFIG_IP_NF_TARGET_MASQUERADE
- if ((masq_dev = dev_get_by_index(ct->nat.masq_index)) != NULL) {
- memcpy(&sct->nat_masq_iface, &masq_dev->name, sizeof(masq_dev->name));
- dev_put(masq_dev);
- } else {
- CT_SYNC_ERR("unable to find device for masq_index %u\n", ct->nat.masq_index);
- sct->nat_masq_iface[0] = '\0';
+#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \
+ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
+ if (ct->nat.masq_index) {
+ masq_dev = dev_get_by_index(ct->nat.masq_index);
+ if (masq_dev) {
+ memcpy(sct->nat_masq_iface, masq_dev->name,
+ sizeof(masq_dev->name));
+ dev_put(masq_dev);
+ } else {
+ CT_SYNC_ERR("unable to find device for "
+ "masq_index %u\n",
+ ct->nat.masq_index);
+ sct->nat_masq_iface[0] = '\0';
+ }
}
#endif
- } else
- sct->nat_initialized = 0;
+ }
#endif /* CONFIG_IP_NF_NAT_NEEDED */
#ifdef CONFIG_IP_NF_CONNTRACK_MARK
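Review bot: `sct->nat_masq_iface` is now written only when `ct->nat.masq_index` is non-zero, and not at all when the `IPS_NAT_DONE_MASK` test fails, while the receive path in this file decides on `sct->nat_masq_iface[0] != '\0'`. Unless the message slot is zeroed before `fill_ctmsg()` runs (not visible here), the field goes on the wire with whatever the buffer held before, which discloses stale kernel memory to the sync peer and can make the receiver look up a bogus device name. The same applies to `nat_seq` on the non-NAT path and to every member that is now skipped under `#if 0`. A `memset(sct, 0, sizeof(*sct));` before the fields are filled would cover all of these. `fill_ctmsg()` starts and ends outside the hunk.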
@@ -303,10 +308,12 @@
return -1;
}
- CT_SYNC_ASSERT(memcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
- &sct->orig, sizeof(sct->orig)) == 0);
- CT_SYNC_ASSERT(memcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple,
- &sct->reply, sizeof(sct->reply)) == 0);
+ CT_SYNC_ASSERT(ip_ct_tuple_equal(
+ &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+ &sct->orig));
+ CT_SYNC_ASSERT(ip_ct_tuple_equal(
+ &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
+ &sct->reply));
/* we should proceed with the update. only parts of an existing
* (confirmed) entry can be updated:
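Review bot: The two tuple comparisons are still wrapped in `CT_SYNC_ASSERT`, although `sct` appears to be the record taken from a received sync message. If that macro compiles to nothing in non-debug builds (its definition is not in this diff), an update whose `reply` tuple does not match the existing entry is applied anyway; if it halts, a malformed message from the peer stops the node. A runtime check such as `if (!ip_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, &sct->reply)) return -1;` would reject the message in either build. The enclosing function starts and ends outside the hunk.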
@@ -324,30 +331,15 @@
ct->mark = (unsigned long) sct->mark;
#endif
/* if conntrack has a helper, update helper info */
+#if 0
if (ct->helper)
memcpy(&ct->help, &sct->help, sizeof(ct->help));
-#ifdef CONFIG_IP_NF_NAT_NEEDED
+#endif
/* if there is a nat helper present, update helper info */
+#if 0
if (sct->nat_initialized && ct->nat.info.initialized &&
ct->nat.info.helper)
memcpy(&ct->nat.help, &sct->nat_help, sizeof(ct->nat.help));
-
- /* if there are more manips initialized in sct than in ct, update ct */
- if (unlikely(sct->nat_num_manips > ct->nat.info.num_manips)) {
- int m;
- for (m = ct->nat.info.num_manips; m < sct->nat_num_manips; m++) {
- memcpy(ct->nat.info.manips[m], sct->nat_manips[m],
- sizeof(struct ip_nat_info_manip));
- }
- ct->nat.info.num_manips = sct->nat_num_manips;
-
- WRITE_LOCK(&ip_nat_lock);
- if (ct->nat.info.initialized)
- replace_in_hashes(ct, &ct->nat.info);
- else
- place_in_hashes(ct, &ct->nat.info);
- WRITE_UNLOCK(&ip_nat_lock);
- }
#endif
} else {
#ifdef CONFIG_IP_NF_NAT_NEEDED
@@ -373,7 +365,7 @@
struct ip_conntrack_helper *helper;
sct->helper[CT_SYNC_CTHELPERSIZE - 1] = '\0';
- READ_LOCK(&ip_conntrack_lock);
+ read_lock_bh(&ip_conntrack_lock);
helper = __ip_ct_find_helper_by_name(sct->helper);
if (unlikely(!helper)) {
CT_SYNC_ERR("Unknown conntrack helper `%s', "
@@ -381,34 +373,32 @@
ct->helper = NULL;
} else {
ct->helper = helper;
+#if 0
memcpy(&ct->help, &sct->help, sizeof(ct->help));
+#endif
}
- READ_UNLOCK(&ip_conntrack_lock);
+ read_unlock_bh(&ip_conntrack_lock);
}
#ifdef CONFIG_IP_NF_NAT_NEEDED
/* NAT */
INIT_LIST_HEAD(&nat->bysource);
- INIT_LIST_HEAD(&nat->byipsproto);
- if (likely(sct->nat_initialized &&
- sct->nat_num_manips <= IP_NAT_MAX_MANIPS)) {
-#ifdef CONFIG_IP_NF_TARGET_MASQUERADE
+ if (likely(sct->status & IPS_NAT_DONE_MASK)) {
+#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \
+ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
struct net_device *masq_dev;
#endif
- nat->initialized = sct->nat_initialized;
/* do not set .conntrack, place_in_hashes will do */
- nat->num_manips = sct->nat_num_manips;
- memcpy(&nat->manips, sct->nat_manips,
- (sct->nat_num_manips * sizeof(struct ip_nat_info_manip)));
/* NAT helper, if present */
+#if 0
if (unlikely(sct->nat_helper[0] != '\0')) {
struct ip_nat_helper *helper;
/* look up nat helper */
sct->nat_helper[CT_SYNC_NATHELPERSIZE - 1] = '\0';
- READ_LOCK(&ip_nat_lock);
+ read_lock_bh(&ip_nat_lock);
helper = __ip_nat_find_helper_by_name(sct->nat_helper);
if (unlikely(!helper)) {
CT_SYNC_ERR("Unknown NAT helper `%s', ignoring\n", sct->nat_helper);
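Review bot: The `#if 0` added before the NAT helper lookup stays open until the next hunk and appears to enclose `memcpy(&nat->seq, &sct->nat_seq, sizeof(nat->seq));` as well. `fill_ctmsg()` still sends `nat_seq` for every connection with `IPS_NAT_DONE_MASK` set, so the slave would receive the sequence adjustment and discard it. If only the helper lookup is meant to be disabled, the `memcpy` should move below the `#endif`; otherwise a comment at the `#if 0` should say that sequence adjustment is not restored. Indentation is lost on this page, so the block nesting should be checked against the file.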
@@ -419,17 +409,25 @@
memcpy(&ct->nat.help, &sct->nat_help,
sizeof(ct->nat.help));
}
- READ_UNLOCK(&ip_nat_lock);
+ read_unlock_bh(&ip_nat_lock);
memcpy(&nat->seq, &sct->nat_seq, sizeof(nat->seq));
}
+#endif
-#ifdef CONFIG_IP_NF_TARGET_MASQUERADE
- if ((masq_dev = dev_get_by_name(sct->nat_masq_iface)) != NULL) {
- ct->nat.masq_index = masq_dev->ifindex;
- dev_put(masq_dev);
+#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \
+ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
+ if (sct->nat_masq_iface[0] != '\0') {
+ masq_dev = dev_get_by_name(sct->nat_masq_iface);
+ if (masq_dev) {
+ ct->nat.masq_index = masq_dev->ifindex;
+ dev_put(masq_dev);
+ } else {
+ CT_SYNC_ERR("no ifindex for dev %s\n",
+ sct->nat_masq_iface);
+ ct->nat.masq_index = 0;
+ }
} else {
- /* FIXME: is 0 a valid ifindex? */
- CT_SYNC_ERR("unable to get ifindex for device %s\n", sct->nat_masq_iface);
+ /* no masquerading for this connection */
ct->nat.masq_index = 0;
}
#endif
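Review bot: `sct->nat_masq_iface` is passed to `dev_get_by_name()` and printed with `%s` without being NUL-terminated first, although the bytes come from the sync message. The helper name earlier in this function gets `sct->helper[CT_SYNC_CTHELPERSIZE - 1] = '\0';` before use; the interface name needs the same, `sct->nat_masq_iface[IFNAMSIZ - 1] = '\0';`, placed before the `if (sct->nat_masq_iface[0] != '\0')` test. Without it the `CT_SYNC_ERR("no ifindex for dev %s\n", ...)` call can read past the end of the field. The enclosing function starts and ends outside the hunk.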
@@ -437,26 +435,23 @@
#endif /* CONFIG_IP_NF_NAT_NEEDED */
/* add to hash tables */
- WRITE_LOCK(&ip_conntrack_lock);
+ write_lock_bh(&ip_conntrack_lock);
if (!__ip_conntrack_find(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, NULL)
&& !__ip_conntrack_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, NULL)) {
/* put in conntrack hash */
- __ip_conntrack_hash_insert(ct);
+ _ip_conntrack_hash_insert(ct);
atomic_inc(&ct->ct_general.use);
#ifdef CONFIG_IP_NF_NAT_NEEDED
- /* put in NAT hashes if necessary */
- if (ct->nat.info.initialized) {
- WRITE_LOCK(&ip_nat_lock);
- place_in_hashes(ct, &ct->nat.info);
- WRITE_UNLOCK(&ip_nat_lock);
- }
+ /* put in NAT hash if necessary */
+ if (likely(ct->status & IPS_NAT_DONE_MASK))
+ ip_nat_hash_insert(ct);
#endif
} else {
CT_SYNC_ERR("want to put conntrack in hash but is already there\n");
}
- WRITE_UNLOCK(&ip_conntrack_lock);
+ write_unlock_bh(&ip_conntrack_lock);
} /* if (new) */
CT_SYNC_LEAVE();
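Review bot: `ip_nat_hash_insert(ct)` is called with only `ip_conntrack_lock` held, whereas the code it replaces took `ip_nat_lock` around `place_in_hashes()`. The helper's body is not in this diff; if it does not take `ip_nat_lock` itself, the NAT hash is modified without its lock. Once that is confirmed, a comment at the call, for example `/* ip_nat_hash_insert() takes ip_nat_lock internally */`, would record the locking rule. The enclosing function starts outside the hunk.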
@@ -471,9 +466,9 @@
CT_SYNC_ENTER();
del_timer(&ct->timeout);
- WRITE_LOCK(&ip_conntrack_lock);
+ write_lock_bh(&ip_conntrack_lock);
ip_conntrack_clean_from_lists(ct);
- WRITE_UNLOCK(&ip_conntrack_lock);
+ write_unlock_bh(&ip_conntrack_lock);
ip_conntrack_put(ct);
CT_SYNC_LEAVE();
@@ -485,7 +480,7 @@
_start_ct_timer(const struct ip_conntrack_tuple_hash *h,
unsigned int *num, unsigned int *started)
{
- struct ip_conntrack *ct = h->ctrack;
+ struct ip_conntrack *ct = tuplehash_to_ctrack(h);
if (DIRECTION(h))
return 0;
@@ -513,7 +508,7 @@
CT_SYNC_ENTER();
- WRITE_LOCK(&ip_conntrack_lock);
+ write_lock_bh(&ip_conntrack_lock);
for (i = 0; i < ip_conntrack_htable_size; i++) {
if (LIST_FIND(&ip_conntrack_hash[i], _start_ct_timer,
@@ -522,7 +517,7 @@
break;
}
- WRITE_UNLOCK(&ip_conntrack_lock);
+ write_unlock_bh(&ip_conntrack_lock);
CT_SYNC_INFO("started timer of %u (total %u) conntrack entries\n",
num_started, num_entries);
@@ -532,10 +527,10 @@
static inline int
_stop_ct_timer(const struct ip_conntrack_tuple_hash *h,
- unsigned int *num, unsigned int *stopped,
- struct ct_sync_instance *ctsi)
+ unsigned int *num, unsigned int *stopped,
+ struct ct_sync_instance *ctsi)
{
- struct ip_conntrack *ct = h->ctrack;
+ struct ip_conntrack *ct = tuplehash_to_ctrack(h);
if (DIRECTION(h))
return 0;
@@ -544,7 +539,7 @@
if (is_confirmed(ct)
#ifdef CONFIG_IP_NF_CONNTRACK_SYNC_MARKED
/* stop timer only if this is a synchronized connection */
- && test_bit(ctsi->config.cmarkbit, &ct->mark)
+ && test_bit(ctsi->config.cmarkbit, (unsigned long *)&ct->mark)
#endif
) {
if (del_timer(&ct->timeout))
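Review bot: The added cast `(unsigned long *)&ct->mark` in `_stop_ct_timer()` makes `test_bit()` treat the mark as a full `unsigned long`, which is only correct if `ct->mark` has that type. The need for the cast suggests it does not; with a 32-bit mark on a 64-bit kernel, `test_bit()` would read the adjacent member as well, and on big-endian machines the bit numbers would not line up with the mark. Testing the value directly avoids this: `&& (ct->mark & (1UL << ctsi->config.cmarkbit))`, with `cmarkbit` range-checked where it is configured. The same cast is added in `_send_initsync()` further down.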
@@ -563,7 +558,7 @@
CT_SYNC_ENTER();
- WRITE_LOCK(&ip_conntrack_lock);
+ write_lock_bh(&ip_conntrack_lock);
for (i = 0; i < ip_conntrack_htable_size; i++) {
if (LIST_FIND(&ip_conntrack_hash[i], _stop_ct_timer,
@@ -572,7 +567,7 @@
break;
}
- WRITE_UNLOCK(&ip_conntrack_lock);
+ write_unlock_bh(&ip_conntrack_lock);
CT_SYNC_INFO("stopped timer of %u (total %u) conntrack entries\n",
num_stopped, num_entries);
@@ -585,19 +580,6 @@
* MESSAGE PROCESSING FUNCTIONS
***********************************************************************/
-static inline int timespec_after(struct timespec *current,
- struct timespec *after)
-{
- if (after->tv_sec > current->tv_sec)
- return 1;
-
- if (after->tv_sec == current->tv_sec
- && after->tv_nsec > current->tv_nsec)
- return 1;
-
- return 0;
-}
-
/* process messages */
static int
ct_sync_msg_process_update_ct(struct ct_sync_msghdr *msghdr,
@@ -622,17 +604,7 @@
h = ip_conntrack_find_get(&sct->orig, NULL);
if (h) {
- ct = h->ctrack;
-
-#ifdef CONFIG_IP_NF_CT_SYNC_ACTACT
- if (!timespec_after(&ct->last_update, msghdr->timestamp)) {
- CTS_STAT_INC(rx.upd_outdated);
- CT_SYNC_DEBUG("Update older than current state for ");
- CT_SYNC_DUMP_TUPLE(&sct->orig);
- CT_SYNC_LEAVE();
- return -1;
- }
-#endif
+ ct = tuplehash_to_ctrack(h);
} else {
CT_SYNC_DEBUG("Conntrack entry not found, creating.\n");
ct = ip_conntrack_alloc(&dummy_tuple, &dummy_tuple);
@@ -684,23 +656,11 @@
h = ip_conntrack_find_get(t, NULL);
if (h) {
- struct ip_conntrack *ct = h->ctrack;
+ struct ip_conntrack *ct = tuplehash_to_ctrack(h);
-#ifdef CONFIG_IP_NF_CT_SYNC_ACTACT
- if (!timespec_after(&ct->last_update, msghdr->timestamp)) {
- CTS_STAT_INC(rx.del_outdated);
- CT_SYNC_DEBUG("Update older than current state for ");
- CT_SYNC_DUMP_TUPLE(&sct->orig);
- CT_SYNC_LEAVE();
- return -1;
- }
-#endif
-
+ _ct_sync_remove_conntrack(ct);
CT_SYNC_DEBUG("Deleting conntrack: ");
CT_SYNC_DUMP_TUPLE(t);
-
- _ct_sync_remove_conntrack(ct);
-
ip_conntrack_put(ct);
} else {
CTS_STAT_INC(rx.del_nothere);
@@ -713,12 +673,11 @@
return 0;
}
+#ifdef FIXME
static int
ct_sync_msg_process_updateexpect(void *data, u16 len)
{
-#if 0
struct ct_sync_expect *exp = (struct ct_sync_expect *)data;
-#endif
CT_SYNC_ENTER();
@@ -749,8 +708,8 @@
return -1;
}
#if 0
- READ_LOCK(&ip_conntrack_lock);
- WRITE_LOCK(&ip_conntrack_expect_tuple_lock);
+ read_lock_bh(&ip_conntrack_lock);
+ write_lock_bh(&ip_conntrack_expect_tuple_lock);
exp = LIST_FIND(&ip_conntrack_expect_list, expect_cmp,
struct ip_conntrack_expect *, exp->tuple);
if (!exp || !exp->expectant)
@@ -761,12 +720,13 @@
__unexpect_related(exp);
unlock_out:
- WRITE_UNLOCK(&ip_conntrack_expect_tuple_lock);
- READ_UNLOCK(&ip_conntrack_lock);
+ write_unlock_bh(&ip_conntrack_expect_tuple_lock);
+ read_unlock_bh(&ip_donntrack_lock);
#endif
CT_SYNC_LEAVE();
return 0;
}
+#endif
/* process incoming message in slave mode */
static int
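Review bot: The new unlock line reads `read_unlock_bh(&ip_donntrack_lock);`, a misspelling of `ip_conntrack_lock`. It is hidden for now because the line sits inside `#if 0` within the `#ifdef FIXME` function, but it will break the build as soon as the block is enabled. It should read `read_unlock_bh(&ip_conntrack_lock);`.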
@@ -799,6 +759,7 @@
break;
}
break;
+#ifdef FIXME
case CT_SYNC_RES_EXPECT:
switch(msghdr->type) {
case CT_SYNC_MSG_UPDATE:
@@ -811,6 +772,7 @@
break;
}
break;
+#endif
default:
CT_SYNC_DEBUG("Invalid resource while being SLAVE: %d.\n",
msghdr->resource);
@@ -827,11 +789,10 @@
struct ct_sync_pkthdr *pkthdr)
{
int ret;
- u16 pktseq = ntohs(pkthdr->pktseq);
CT_SYNC_ENTER();
- CT_SYNC_DEBUG("seq: %u\n", pktseq);
+ CT_SYNC_DEBUG("seq: %u\n", ntohs(pkthdr->pktseq));
switch (pkthdr->pkttype) {
case CT_SYNC_PKT_SYNC:
@@ -1046,11 +1007,9 @@
static inline int
_send_initsync(const struct ip_conntrack_tuple_hash *h, unsigned int *num,
- struct cts_protoh *cph)
+ struct ct_sync_instance *ctsi)
{
- struct ip_conntrack *ct = h->ctrack;
- struct ct_sync_instance *ctsi =
- container_of(cph, struct ct_sync_instance, protoh);
+ struct ip_conntrack *ct = tuplehash_to_ctrack(h);
if (DIRECTION(h))
return 0;
@@ -1058,19 +1017,19 @@
if (likely(is_confirmed(ct)
#ifdef CONFIG_IP_NF_CONNTRACK_SYNC_MARKED
/* send only if this is a synchronized connection */
- && test_bit(ctsi->config.cmarkbit, &ct->mark)
+ && test_bit(ctsi->config.cmarkbit, (unsigned long *)&ct->mark)
#endif
)) {
char *buff;
struct cts_buff *csb;
- buff = cts_proto_want_enqueue(cph, &csb,
+ buff = cts_proto_want_enqueue(ctsi->protoh, &csb,
CTMSG_SIZEOF(struct ct_sync_conntrack));
if (unlikely(!buff)) {
CT_SYNC_ERR("unable to store create event\n");
return 1;
}
fill_ctmsg(buff, CT_SYNC_MSG_UPDATE, ct, CTS_UPD_F_INITSYNC);
- csb_use_dec(cph, csb);
+ csb_use_dec(ctsi->protoh, csb);
(*num)++;
}
@@ -1085,7 +1044,7 @@
CT_SYNC_ENTER();
- hdr = (struct ct_sync_msghdr *)
+ hdr = (struct ct_sync_msghdr *)
cts_proto_want_enqueue(cph, &csb,
sizeof(struct ct_sync_msghdr));
if (unlikely(!hdr)) {
@@ -1132,13 +1091,13 @@
if (kthread_should_stop())
break;
- READ_LOCK(&ip_conntrack_lock);
+ read_lock_bh(&ip_conntrack_lock);
dump_bucket_locked:
if (LIST_FIND(&ip_conntrack_hash[i],
_send_initsync,
struct ip_conntrack_tuple_hash *,
- &num_sent, ctsi->protoh)) {
- READ_UNLOCK(&ip_conntrack_lock);
+ &num_sent, ctsi)) {
+ read_unlock_bh(&ip_conntrack_lock);
break;
}
if (num_sent < 40 &&
@@ -1146,7 +1105,7 @@
i++;
goto dump_bucket_locked;
}
- READ_UNLOCK(&ip_conntrack_lock);
+ read_unlock_bh(&ip_conntrack_lock);
num_sent_total += num_sent;
@@ -1310,74 +1269,65 @@
CT_SYNC_LEAVE();
}
+#if 0
/* conntrack expectation created notification */
static void
ct_sync_expect_create(struct ip_conntrack_expect *exp)
{
- struct ct_sync_instance *ctsi;
struct cts_buff *csb;
struct ip_conntrack *master_ct = exp->expectant;
CT_SYNC_ENTER();
- read_lock(&ctsync_lock);
- list_for_each_entry(ctsi, &ct_sync_instances, list) {
- if (likely(cts_proto_is_master(ctsi->protoh)
-#ifdef CONFIG_IP_NF_CONNTRACK_SYNC_MARKED
- && test_bit(ctsi->config.cmarkbit, &master_ct->mark)
-#endif
- && is_confirmed(master_ct))) {
- void *buff;
+ if (likely(cts_proto_is_master(cts_cfg.protoh) &&
+ is_confirmed(master_ct))) {
+ void *buff;
- buff = cts_proto_want_enqueue(ctsi->protoh, &csb,
- CTMSG_SIZEOF(struct ct_sync_expect));
- if (unlikely(!buff)) {
- CT_SYNC_ERR("unable to enqueue event\n");
- continue;
- }
- fill_expectmsg(buff, CT_SYNC_MSG_UPDATE, master_ct,
- exp);
- csb_use_dec(ctsi->protoh, csb);
+ buff = cts_proto_want_enqueue(cts_cfg.protoh, &csb,
+ CTMSG_SIZEOF(struct ct_sync_expect));
+ if (unlikely(!buff)) {
+ CT_SYNC_ERR("unable to enqueue event\n");
+ CT_SYNC_LEAVE();
+ return;
}
+ fill_expectmsg(buff, CT_SYNC_MSG_UPDATE, master_ct, exp);
+ csb_use_dec(cts_cfg.protoh, csb);
}
- read_unlock(&ctsync_lock);
CT_SYNC_LEAVE();
+
+ return;
}
/* conntrack expectation destroyed notification */
static void
ct_sync_expect_destroy(struct ip_conntrack_expect *exp)
{
- struct ct_sync_instance *ctsi;
struct cts_buff *csb;
struct ip_conntrack *master_ct = exp->expectant;
CT_SYNC_ENTER();
- read_lock(&ctsync_lock);
- list_for_each_entry(ctsi, &ct_sync_instances, list) {
- if (likely(cts_proto_is_master(ctsi->protoh)
-#ifdef CONFIG_IP_NF_CONNTRACK_SYNC_MARKED
- && test_bit(ctsi->config.cmarkbit, &master_ct->mark)
-#endif
- && is_confirmed(master_ct))) {
- void *buff;
-
- buff = cts_proto_want_enqueue(ctsi->protoh, &csb,
- CTMSG_SIZEOF(struct ct_sync_expect));
- if (unlikely(!buff)) {
- CT_SYNC_ERR("unable to enqueue event\n");
- continue;
- }
- // FIXME: implementation
- csb_use_dec(ctsi->protoh, csb);
+ if (likely(cts_proto_is_master(cts_cfg.protoh) &&
+ is_confirmed(master_ct))) {
+ void *buff;
+
+ buff = cts_proto_want_enqueue(cts_cfg.protoh, &csb,
+ CTMSG_SIZEOF(struct ct_sync_expect));
+ if (unlikely(!buff)) {
+ CT_SYNC_ERR("unable to enqueue event\n");
+ CT_SYNC_LEAVE();
+ return;
}
+ // FIXME: implementation
+ csb_use_dec(cts_cfg.protoh, csb);
}
- read_unlock(&ctsync_lock);
CT_SYNC_LEAVE();
+
+ return;
}
+#endif
static int
ct_sync_notify(struct notifier_block *this,
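Review bot: The disabled `ct_sync_expect_destroy()` still reserves a message slot with `cts_proto_want_enqueue()` and releases it with `csb_use_dec()` without writing anything into it (`// FIXME: implementation`). If the block is re-enabled as it stands, the slot would presumably be sent with whatever it held before. Both disabled functions also refer to `cts_cfg.protoh` and drop the `CONFIG_IP_NF_CONNTRACK_SYNC_MARKED` test, while the rest of the file works per `struct ct_sync_instance`. A comment at the `#if 0`, such as `/* FIXME: expectation sync not ported; single-instance code, destroy message is never filled */`, would keep this from being switched on unchanged.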
@@ -1410,9 +1360,7 @@
}
static struct notifier_block ct_sync_notifier = {
- ct_sync_notify,
- NULL,
- 0
+ .notifier_call = ct_sync_notify,
};
/***********************************************************************
@@ -1457,6 +1405,7 @@
return NF_ACCEPT;
}
+#ifdef FIXME
static unsigned int
l2drop_hook(unsigned int hook,
struct sk_buff **pskb,
@@ -1500,6 +1449,7 @@
/* drop is the default */
return NF_DROP;
}
+#endif
static struct nf_hook_ops cts_hook_ops[] = {
{ .hook = notrack_hook,
@@ -1510,6 +1460,7 @@
.pf = PF_INET,
.hooknum = NF_IP_LOCAL_OUT,
.priority = NF_IP_PRI_RAW-1 },
+#ifdef FIXME
{ .hook = l2drop_hook,
.pf = PF_PACKET,
.hooknum = NF_PACKET_INPUT,
@@ -1518,6 +1469,7 @@
.pf = PF_PACKET,
.hooknum = NF_PACKET_OUTPUT,
.priority = 0 },
+#endif
};
/***********************************************************************
@@ -1531,6 +1483,9 @@
enum cts_proto_state newstate,
void *data)
{
+ struct ct_sync_instance *ctsi =
+ (struct ct_sync_instance *) data;
+
CT_SYNC_ENTER();
switch (newstate) {
@@ -1550,9 +1505,7 @@
} else if (oldstate >= CT_SYNC_PSTATE_MASTER_INIT) {
/* transition from master to slave */
ip_conntrack_unregister_notifier(&ct_sync_notifier);
- ct_sync_stop_timers(
- container_of(cph, struct ct_sync_instance,
- protoh));
+ ct_sync_stop_timers(ctsi);
}
break;
@@ -1676,6 +1629,7 @@
.llseek = seq_lseek,
.release = seq_release,
};
+
/***********************************************************************
* SYSFS
***********************************************************************/
@@ -1871,7 +1825,7 @@
static ssize_t sysfs_sendburst_show(struct ct_sync_instance *ctsi,
char *buf)
{
- sprintf(buf, "%u\n", ctsi->config.send_burst);
+ sprintf(buf, "%lu\n", ctsi->config.send_burst);
return strlen(buf);
}
@@ -1885,7 +1839,7 @@
static ssize_t sysfs_recvburst_show(struct ct_sync_instance *ctsi,
char *buf)
{
- sprintf(buf, "%u\n", ctsi->config.recv_burst);
+ sprintf(buf, "%lu\n", ctsi->config.recv_burst);
return strlen(buf);
}
@@ -1952,10 +1906,13 @@
static ssize_t
instance_attr_show(struct kobject *kobj, struct attribute *attr, char *buf)
{
- struct cts_inst_attribute *ctsi_attr = to_ctsi_attr(attr);
- struct ct_sync_instance *ctsi = to_ctsi(kobj);
+ struct cts_inst_attribute *ctsi_attr;
+ struct ct_sync_instance *ctsi;
ssize_t ret = 0;
+ ctsi_attr = to_ctsi_attr(attr);
+ ctsi = to_ctsi(kobj);
+
if (ctsi_attr->show)
ret = ctsi_attr->show(ctsi, buf);
@@ -1966,10 +1923,13 @@
instance_attr_store(struct kobject *kobj, struct attribute *attr,
const char *buf, size_t len)
{
- struct cts_inst_attribute *ctsi_attr = to_ctsi_attr(attr);
- struct ct_sync_instance *ctsi = to_ctsi(kobj);
+ struct cts_inst_attribute *ctsi_attr;
+ struct ct_sync_instance *ctsi;
ssize_t ret = 0;
+ ctsi_attr = to_ctsi_attr(attr);
+ ctsi = to_ctsi(kobj);
+
if (ctsi_attr->store)
ret = ctsi_attr->store(ctsi, buf, len);
@@ -2054,7 +2014,7 @@
}
/* init protocol layer */
- ctsi->protoh = cts_proto_init(&ct_sync_state_transition, NULL,
+ ctsi->protoh = cts_proto_init(&ct_sync_state_transition, ctsi,
&ctsi->send_wait, &ctsi->recv_wait);
if (!ctsi->protoh) {
CT_SYNC_ERR("Failed to initialize protocol.\n");
@@ -2124,8 +2084,10 @@
CT_SYNC_LEAVE();
return ret;
+#ifdef CONFIG_IP_NF_CONNTRACK_SYNC_MARKED
out_sysfs_recvburst:
sysfs_remove_file(&ctsi->kobj, &ctsi->recvburst_attr.attr);
+#endif
out_sysfs_sendburst:
sysfs_remove_file(&ctsi->kobj, &ctsi->sendburst_attr.attr);
out_sysfs_syncdev:
@@ -2255,11 +2217,13 @@
* MODULE INITIALIZATION
***********************************************************************/
+#ifdef FIXME
static int
kill_all(const struct ip_conntrack *i, void *data)
{
return 1;
}
+#endif
/* DO NOT declare this as __init!! */
static int
@@ -2294,6 +2258,7 @@
printk(KERN_NOTICE "WARNING: ct_sync internal notrack disabled\n");
}
+#ifdef FIXME
if (l2drop) {
if (nf_register_hook(&cts_hook_ops[2]) < 0)
goto error_hook1;
@@ -2301,6 +2266,7 @@
goto error_hook2;
ip_ct_selective_cleanup(kill_all, NULL);
}
+#endif
/* sysfs interface */
nf_subsys_register(&nfss_ctsync);
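Review bot: With the registration of `cts_hook_ops[2]` and `cts_hook_ops[3]` inside `#ifdef FIXME`, a node loaded with `l2drop` set no longer drops anything and gives no sign of it. If the `l2drop` parameter is still declared (its declaration is not in this diff), an operator relying on the layer 2 drop gets a node that accepts traffic instead. An `#else` branch that reports this would make the gap visible: `if (l2drop) printk(KERN_WARNING "ct_sync: l2drop is not supported in this build\n");`. The `#ifdef FIXME` opens in the previous hunk, and the init function starts and ends outside both.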
@@ -2351,11 +2317,13 @@
error_stat:
remove_proc_entry("ct_sync_stat", proc_net_stat);
error_hook3:
+#ifdef FIXME
if (l2drop)
nf_unregister_hook(&cts_hook_ops[3]);
error_hook2:
if (l2drop)
nf_unregister_hook(&cts_hook_ops[2]);
+#endif
error_hook1:
if (notrack)
nf_unregister_hook(&cts_hook_ops[1]);
Modified: branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_proto.c
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_proto.c 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_proto.c 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,7 +1,7 @@
/*
* Connection tracking state replication for Netfilter
*
- * (C) 2002-2004, KOVACS Krisztian <hidden at sch.bme.hu>
+ * (C) 2002-2005, KOVACS Krisztian <hidden at sch.bme.hu>
* (C) 2003-2005, Harald Welte <laforge at netfilter.org>
* (C) 2004, BalaBit IT Ltd. <www.balabit.com>
*
@@ -241,10 +241,10 @@
/* Initialize an already-allocated csb_ring with 'num' number of cts_buffs,
* each of 'size' size.
*
- * A few words about locking of the rings. The receiver ring's locking is
- * simple, since that is accessed only by our receiver kthread. For the sender
- * ring, we have to use spin_{lock,unlock}_bh(), since that ring is accessed by
- * our conntrack notifier functions as well.
+ * A few words about locking of the rings. The receiver ring's locking is simple,
+ * since that is accessed only by our receiver kthread. For the sender ring, we have
+ * to use spin_{lock,unlock}_bh(), since that ring is accessed by our conntrack
+ * notifier functions as well.
*/
static int
csb_ring_init(struct csb_ring *csr, unsigned int num, unsigned int size,
@@ -387,8 +387,8 @@
pkt.ma.upsince = htonl(jiffies);
pkt.ma.flags = 0;
- len = cts_sock_sendto(cph->send.socket, (char *)&pkt, sizeof(pkt),
- NULL, 0);
+ len = cts_sock_sendto(cph->send.socket, (char *)&pkt,
+ sizeof(pkt), NULL, 0);
if (unlikely(len < sizeof(pkt))) {
CT_SYNC_ERR("Send failed, returned %d.\n", len);
CT_SYNC_LEAVE();
@@ -452,7 +452,7 @@
memset(&pkt, 0, sizeof(pkt));
csb_hdr_fill(cph, &pkt.hdr, CT_SYNC_PKT_INITSYNC_FOLLOWS, 0);
- len = cts_sock_sendto(cph->send.socket, (unsigned char *)&pkt,
+ len = cts_sock_sendto(cph->send.socket, (unsigned char *)&pkt,
sizeof(pkt), NULL, 0);
if (unlikely(len < sizeof(pkt))) {
CT_SYNC_ERR("Send failed, returned %d.\n", len);
@@ -731,9 +731,9 @@
csb = (struct cts_buff *) cph->send.ring.sent->next;
spin_unlock_bh(&cph->send.ring.lock);
-
+
/* we can't call sendto() while holding the lock, since it might
- * sleep. However, I'm convinced it is save to release the lock here,
+ * sleep. However, I'm convinced it is safe to release the lock here,
* because:
* - there is only one kernel thread dequeuing packets from the csr
* - nobody else but this function ever changes seqno and/or
@@ -747,7 +747,7 @@
/* send packet */
CT_SYNC_DEBUG2("sending csb=%p, len=%u\n", csb, csb_len(csb));
len = cts_sock_sendto(cph->send.socket, (char *) &csb->pkt,
- csb_len(csb), NULL, 0);
+ csb_len(csb), NULL, 0);
if (len < csb_len(csb)) {
CT_SYNC_ERR("short send: %d\n", len);
CT_SYNC_LEAVE();
@@ -807,7 +807,7 @@
*/
static int
cts_proto_recover(struct cts_protoh *cph, const u16 seq,
- struct sockaddr_storage *ss)
+ struct sockaddr_storage *ss)
{
struct csb_ring *csr = &cph->send.ring;
struct list_head *i, *t, q;
@@ -833,7 +833,7 @@
if (cts_seqno_cmp(bseq, (u16)((seq + 1) & 0xffff)) > 0) {
/* give up and request initsync */
CT_SYNC_DEBUG("recovery impossible: backlog begins at %d\n",
- bseq);
+ bseq);
spin_unlock_bh(&csr->lock);
CT_SYNC_LEAVE();
return -1;
@@ -869,9 +869,9 @@
CTS_STAT_INC(tx.pkts_recover);
/* resend packet */
- ssize_t len = cts_sock_sendto(cph->send.socket,
+ ssize_t len = cts_sock_sendto(cph->send.socket,
(char *) &csb->pkt, csb_len(csb),
- (struct sockaddr *)ss,
+ (struct sockaddr *)ss,
sizeof(*ss));
if (unlikely(len < csb_len(csb))) {
CT_SYNC_ERR("error during retransmit: %d\n", len);
@@ -921,10 +921,10 @@
/* check if we already have a pending request */
if (atomic_read(&cph->recovery_request.active)) {
/* if there are at least recovery_threshold lost messages
- * since the last request, repeat; otherwise return
- * immediately */
+ * since the last request, repeat; otherwise
+ * return immediately */
if (diff < cph->recovery_request.diff +
- cts_proto_recovery_threshold) {
+ cts_proto_recovery_threshold) {
CT_SYNC_LEAVE();
return 0;
}
@@ -954,10 +954,10 @@
/*
* Check if a pending recovery request is fulfilled when 'seq' is received
*
- * We consider a pending request fulfilled, if
- * seq >= request.seq + request.diff.
- * This means that we have to successfully receive the packet which caused the
- * request to be sent.
+ * We consider a pending request fulfilled, if
+ * seq >= request.seq + request.diff.
+ * This means that we have to successfully receive the packet which caused
+ * the request to be sent.
*
* Returns:
* 0 if there were no pending recovery requests
@@ -1033,8 +1033,8 @@
}
/* receive packet */
- len = cts_sock_recvfrom(cph->recv.socket, (char *)&csb->pkt,
- csb_size(csb), (struct sockaddr *)&csb->addr,
+ len = cts_sock_recvfrom(cph->recv.socket, (char *)&csb->pkt,
+ csb_size(csb), (struct sockaddr *)&csb->addr,
sizeof(csb->addr));
if (unlikely(len < sizeof(struct ct_sync_pkthdr))) {
CT_SYNC_ERR("short packet, %d < %u\n", len,
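Review bot: The short-packet guard `len < sizeof(struct ct_sync_pkthdr)` compares the receive result with a `size_t`, so if `len` is a signed type (the `%d` in the error message suggests it is), a negative error return converts to a large unsigned value and passes the check. A failed receive would then be handled as a full-size packet from the peer. Test the sign first, for example `if (unlikely(len < 0 || (size_t)len < sizeof(struct ct_sync_pkthdr))) {`. The enclosing function starts and ends outside this hunk, so the declaration of `len` and the return convention of `cts_sock_recvfrom()` should be confirmed there.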
Modified: branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_proto.h
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_proto.h 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_proto.h 2005-10-13 16:22:52 UTC (rev 4354)
@@ -32,8 +32,11 @@
wait_queue_head_t *send_wait,
wait_queue_head_t *rcv_wait);
+/* start protocol */
int cts_proto_start(struct cts_protoh *, const struct sockaddr_storage *,
const char *devname);
+
+/* stop protocol */
void cts_proto_stop(struct cts_protoh *);
/* protocol cleanup funciton */
Modified: branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_sock.c
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_sock.c 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/ct_sync/ct_sync_sock.c 2005-10-13 16:22:52 UTC (rev 4354)
@@ -363,4 +363,3 @@
return len;
}
-
Modified: branches/netfilter-ha/linux-2.6-multigroup/ct_sync/cts_buff.h
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/cts_buff.h 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/ct_sync/cts_buff.h 2005-10-13 16:22:52 UTC (rev 4354)
@@ -21,6 +21,7 @@
#if (CTSYNC_DEBUG >= 4)
unsigned int ringnum; /* number inside ring */
#endif
+
struct sockaddr_storage addr; /* address of peer */
atomic_t use; /* is somebody still busy writing data? */
Deleted: branches/netfilter-ha/linux-2.6-multigroup/patches/conntrack_alloc.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/conntrack_alloc.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/conntrack_alloc.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,176 +0,0 @@
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:57:40.500527040 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:57:53.673524440 +0100
-@@ -889,6 +889,8 @@
- EXPORT_SYMBOL(ip_conntrack_protocol_register);
- EXPORT_SYMBOL(ip_conntrack_protocol_unregister);
- EXPORT_SYMBOL(invert_tuplepr);
-+EXPORT_SYMBOL(ip_conntrack_alloc);
-+EXPORT_SYMBOL(ip_conntrack_free);
- EXPORT_SYMBOL(ip_conntrack_alter_reply);
- EXPORT_SYMBOL(ip_conntrack_destroyed);
- EXPORT_SYMBOL(need_ip_conntrack);
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:41:44.020934040 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:57:53.676523984 +0100
-@@ -336,10 +336,20 @@
- ip_ct_gather_frags(struct sk_buff *skb);
-
- /* Delete all conntracks which match. */
--extern void
-+void
- ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
- void *data);
-
-+/* Allocates and initializes a new ip_conntrack structure, increment allocated
-+ * conntrack count.
-+ * Returns: ERR_PTR(-ENOMEM) in case of failure, conntrack pointer otherwise */
-+struct ip_conntrack *
-+ip_conntrack_alloc(const struct ip_conntrack_tuple *orig,
-+ const struct ip_conntrack_tuple *reply);
-+
-+/* Free conntrack structure and decrement number of allocated conntrack entries. */
-+extern void ip_conntrack_free(struct ip_conntrack *);
-+
- /* It's confirmed if it is, or has been in the hash table. */
- static inline int is_confirmed(struct ip_conntrack *ct)
- {
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:57:40.508525824 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:59:34.087259232 +0100
-@@ -277,6 +277,13 @@
- remove_expectations(ct, 1);
- }
-
-+inline void
-+ip_conntrack_free(struct ip_conntrack *conntrack)
-+{
-+ kmem_cache_free(ip_conntrack_cachep, conntrack);
-+ atomic_dec(&ip_conntrack_count);
-+}
-+
- static void
- destroy_conntrack(struct nf_conntrack *nfct)
- {
-@@ -321,8 +328,7 @@
- ip_conntrack_put(master);
-
- DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
-- kmem_cache_free(ip_conntrack_cachep, ct);
-- atomic_dec(&ip_conntrack_count);
-+ ip_conntrack_free(ct);
- }
-
- static void death_by_timeout(unsigned long ul_conntrack)
-@@ -558,22 +564,19 @@
-
- /* Allocate a new conntrack: we return -ENOMEM if classification
- failed due to stress. Otherwise it really is unclassifiable. */
--static struct ip_conntrack_tuple_hash *
--init_conntrack(const struct ip_conntrack_tuple *tuple,
-- struct ip_conntrack_protocol *protocol,
-- struct sk_buff *skb)
-+struct ip_conntrack *
-+ip_conntrack_alloc(const struct ip_conntrack_tuple *orig,
-+ const struct ip_conntrack_tuple *reply)
- {
- struct ip_conntrack *conntrack;
-- struct ip_conntrack_tuple repl_tuple;
- size_t hash;
-- struct ip_conntrack_expect *expected;
-
- if (!ip_conntrack_hash_rnd_initted) {
- get_random_bytes(&ip_conntrack_hash_rnd, 4);
- ip_conntrack_hash_rnd_initted = 1;
- }
-
-- hash = hash_conntrack(tuple);
-+ hash = hash_conntrack(orig);
-
- if (ip_conntrack_max
- && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) {
-@@ -587,11 +590,6 @@
- }
- }
-
-- if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
-- DEBUGP("Can't invert tuple.\n");
-- return NULL;
-- }
--
- conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC);
- if (!conntrack) {
- DEBUGP("Can't allocate conntrack.\n");
-@@ -601,20 +599,46 @@
- memset(conntrack, 0, sizeof(*conntrack));
- atomic_set(&conntrack->ct_general.use, 1);
- conntrack->ct_general.destroy = destroy_conntrack;
-- conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *tuple;
-+ conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
- conntrack->tuplehash[IP_CT_DIR_ORIGINAL].ctrack = conntrack;
-- conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = repl_tuple;
-+ conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *reply;
- conntrack->tuplehash[IP_CT_DIR_REPLY].ctrack = conntrack;
-- if (!protocol->new(conntrack, skb)) {
-- kmem_cache_free(ip_conntrack_cachep, conntrack);
-- return NULL;
-- }
-+
- /* Don't set timer yet: wait for confirmation */
- init_timer(&conntrack->timeout);
- conntrack->timeout.data = (unsigned long)conntrack;
- conntrack->timeout.function = death_by_timeout;
-
- INIT_LIST_HEAD(&conntrack->sibling_list);
-+ atomic_inc(&ip_conntrack_count);
-+
-+ return conntrack;
-+}
-+
-+static struct ip_conntrack_tuple_hash *
-+init_conntrack(const struct ip_conntrack_tuple *tuple,
-+ struct ip_conntrack_protocol *protocol,
-+ struct sk_buff *skb)
-+{
-+ struct ip_conntrack *conntrack;
-+ struct ip_conntrack_tuple repl_tuple;
-+ struct ip_conntrack_expect *expected;
-+
-+ if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
-+ DEBUGP("Can't invert tuple.\n");
-+ return NULL;
-+ }
-+
-+ conntrack = ip_conntrack_alloc(tuple, &repl_tuple);
-+ if (!conntrack || IS_ERR(conntrack)) {
-+ DEBUGP("Can't allocate conntrack.\n");
-+ return ERR_PTR(-ENOMEM);
-+ }
-+
-+ if (!protocol->new(conntrack, skb)) {
-+ ip_conntrack_free(conntrack);
-+ return NULL;
-+ }
-
- WRITE_LOCK(&ip_conntrack_lock);
- /* Need finding and deleting of expected ONLY if we win race */
-@@ -654,7 +678,6 @@
- nf_conntrack_get(&master_ct(conntrack)->ct_general);
-
- /* this is a braindead... --pablo */
-- atomic_inc(&ip_conntrack_count);
- WRITE_UNLOCK(&ip_conntrack_lock);
-
- if (expected->expectfn)
-@@ -669,7 +692,7 @@
- CONNTRACK_STAT_INC(new);
- }
-
--end: atomic_inc(&ip_conntrack_count);
-+end:
- WRITE_UNLOCK(&ip_conntrack_lock);
-
- ret: return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/conntrack_hash_manip.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/conntrack_hash_manip.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/conntrack_hash_manip.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,43 +1,44 @@
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:18.557227088 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:57:40.500527040 +0100
-@@ -915,6 +915,8 @@
- EXPORT_SYMBOL(ip_conntrack_untracked);
- EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
- EXPORT_SYMBOL_GPL(__ip_conntrack_find);
-+EXPORT_SYMBOL_GPL(__ip_conntrack_hash_insert);
-+EXPORT_SYMBOL_GPL(__ip_conntrack_hash_remove);
- EXPORT_SYMBOL_GPL(ip_conntrack_clean_from_lists);
- EXPORT_SYMBOL_GPL(ip_conntrack_put);
- #ifdef CONFIG_IP_NF_NAT_NEEDED
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-04 18:40:05.475211048 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-05 20:49:03.169915944 +0200
+@@ -1019,7 +1019,8 @@
+ EXPORT_SYMBOL_GPL(ip_conntrack_alloc);
+ EXPORT_SYMBOL_GPL(ip_conntrack_free);
+ EXPORT_SYMBOL_GPL(ip_conntrack_hash_insert);
+-
++EXPORT_SYMBOL_GPL(_ip_conntrack_hash_insert);
++
+ EXPORT_SYMBOL_GPL(ip_ct_remove_expectations);
+
+ EXPORT_SYMBOL_GPL(ip_conntrack_helper_find_get);
+Index: netfilter-2.6.14/include/linux/netfilter_ipv4/ip_conntrack_core.h
===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:18.559226784 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:57:40.503526584 +0100
+--- netfilter-2.6.14.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-10-04 18:40:05.479210440 +0200
++++ netfilter-2.6.14/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-10-05 20:50:49.566741168 +0200
@@ -56,6 +56,10 @@
extern void ip_conntrack_clean_from_lists(struct ip_conntrack *ct);
+/* Non-locked conntrack hash insert and remove function: for ct_sync. */
-+void __ip_conntrack_hash_insert(struct ip_conntrack *ct);
++void _ip_conntrack_hash_insert(struct ip_conntrack *ct);
+void __ip_conntrack_hash_remove(struct ip_conntrack *ct);
+
extern struct list_head *ip_conntrack_hash;
extern struct list_head ip_conntrack_expect_list;
- DECLARE_RWLOCK_EXTERN(ip_conntrack_lock);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
+ extern rwlock_t ip_conntrack_lock;
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:56:56.733180688 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:57:40.508525824 +0100
-@@ -268,15 +268,10 @@
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-04 18:40:05.485209528 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-05 20:48:49.307023424 +0200
+@@ -291,15 +291,10 @@
void
ip_conntrack_clean_from_lists(struct ip_conntrack *ct)
{
- unsigned int ho, hr;
-
DEBUGP("ip_conntrack_clean_from_lists(%p)\n", ct);
- MUST_BE_WRITE_LOCKED(&ip_conntrack_lock);
+ ASSERT_WRITE_LOCK(&ip_conntrack_lock);
- ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
- hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
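Review bot: The export list now adds only `EXPORT_SYMBOL_GPL(_ip_conntrack_hash_insert);`, while the old `EXPORT_SYMBOL_GPL(__ip_conntrack_hash_remove);` is dropped and the ip_conntrack_core.h part still declares `__ip_conntrack_hash_remove()` under the "for ct_sync" comment. Whether ct_sync calls it directly is not visible here, but if it does and is built as a module, the symbol will not resolve. Either keep the export next to the insert one, or remove the prototype so the header does not advertise an unlocked remove that modules cannot link against.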
@@ -45,39 +46,52 @@
- LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]);
+ __ip_conntrack_hash_remove(ct);
- /* Destroy all un-established, pending expectations */
- remove_expectations(ct, 1);
-@@ -389,6 +384,33 @@
- return h;
+ /* Destroy all pending expectations */
+ ip_ct_remove_expectations(ct);
+@@ -411,7 +406,7 @@
+
+ static void __ip_conntrack_hash_insert(struct ip_conntrack *ct,
+ unsigned int hash,
+- unsigned int repl_hash)
++ unsigned int repl_hash)
+ {
+ ct->id = ++ip_conntrack_next_id;
+ list_prepend(&ip_conntrack_hash[hash],
+@@ -420,6 +415,16 @@
+ &ct->tuplehash[IP_CT_DIR_REPLY].list);
}
-+/* Insert a conntrack into the hash. Caller holds a write lock on
-+ * the conntrack hash. */
-+void
-+__ip_conntrack_hash_insert(struct ip_conntrack *ct)
++void _ip_conntrack_hash_insert(struct ip_conntrack *ct)
+{
-+ unsigned int ho, hr;
++ unsigned int hash, repl_hash;
+
-+ ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
-+ hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
++ hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
++ repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+
-+ list_prepend(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
-+ list_prepend(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]);
++ __ip_conntrack_hash_insert(ct, hash, repl_hash);
+}
+
+ void ip_conntrack_hash_insert(struct ip_conntrack *ct)
+ {
+ unsigned int hash, repl_hash;
+@@ -432,6 +437,20 @@
+ write_unlock_bh(&ip_conntrack_lock);
+ }
+
+/* Remove a conntrack from the hash. Caller holds a write lock on
+ * the conntrack hash. */
+void
+__ip_conntrack_hash_remove(struct ip_conntrack *ct)
+{
-+ unsigned int ho, hr;
++ unsigned int ho, hr;
+
-+ ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
-+ hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-+ LIST_DELETE(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
-+ LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]);
++ ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
++ hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
++
++ LIST_DELETE(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
++ LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]);
+}
+
/* Confirm a connection given skb; places it in hash table */
int
- __ip_conntrack_confirm(struct sk_buff *skb)
+ __ip_conntrack_confirm(struct sk_buff **pskb)
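Review bot: `_ip_conntrack_hash_insert()` is now an exported, unlocked entry point, but the refresh drops the old comment saying the caller holds the write lock, and nothing in the function checks it. It ends in the static helper's `ct->id = ++ip_conntrack_next_id` and its `list_prepend` calls, so a caller that forgets the lock may corrupt the hash chains or race on the id counter. Restore the comment (`/* Caller must hold ip_conntrack_lock for writing. */`) and add `ASSERT_WRITE_LOCK(&ip_conntrack_lock);` as the first statement, as the `ip_conntrack_clean_from_lists()` hunk of this patch does; the same assertion would fit `__ip_conntrack_hash_remove()`. The single-underscore name also differs by one character from both the static three-argument helper and the locking `ip_conntrack_hash_insert()`, which makes it easy to call the wrong one.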
Deleted: branches/netfilter-ha/linux-2.6-multigroup/patches/ct_notifier_pkt.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/ct_notifier_pkt.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/ct_notifier_pkt.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,483 +0,0 @@
-===== include/linux/netfilter.h 1.13 vs edited =====
-Index: linux-2.6.10/include/linux/netfilter.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter.h 2005-01-10 20:23:19.000000000 +0100
-+++ linux-2.6.10/include/linux/netfilter.h 2005-01-10 20:41:44.015934800 +0100
-@@ -21,7 +21,7 @@
- #define NF_MAX_VERDICT NF_REPEAT
-
- /* Generic cache responses from hook functions.
-- <= 0x2000 is used for protocol-flags. */
-+ <= 0x2000 is reserved for conntrack event cache. */
- #define NFC_UNKNOWN 0x4000
- #define NFC_ALTERED 0x8000
-
-Index: linux-2.6.10/include/linux/netfilter_ipv4.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4.h 2004-08-14 07:37:39.000000000 +0200
-+++ linux-2.6.10/include/linux/netfilter_ipv4.h 2005-01-10 20:41:44.017934496 +0100
-@@ -8,34 +8,6 @@
- #include <linux/config.h>
- #include <linux/netfilter.h>
-
--/* IP Cache bits. */
--/* Src IP address. */
--#define NFC_IP_SRC 0x0001
--/* Dest IP address. */
--#define NFC_IP_DST 0x0002
--/* Input device. */
--#define NFC_IP_IF_IN 0x0004
--/* Output device. */
--#define NFC_IP_IF_OUT 0x0008
--/* TOS. */
--#define NFC_IP_TOS 0x0010
--/* Protocol. */
--#define NFC_IP_PROTO 0x0020
--/* IP options. */
--#define NFC_IP_OPTIONS 0x0040
--/* Frag & flags. */
--#define NFC_IP_FRAG 0x0080
--
--/* Per-protocol information: only matters if proto match. */
--/* TCP flags. */
--#define NFC_IP_TCPFLAGS 0x0100
--/* Source port. */
--#define NFC_IP_SRC_PT 0x0200
--/* Dest port. */
--#define NFC_IP_DST_PT 0x0400
--/* Something else about the proto */
--#define NFC_IP_PROTO_UNKNOWN 0x2000
--
- /* IP Hooks */
- /* After promisc drops, checksum checks. */
- #define NF_IP_PRE_ROUTING 0
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:23:19.000000000 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:41:44.020934040 +0100
-@@ -47,6 +47,58 @@
- /* Connection is confirmed: originating packet has left box */
- IPS_CONFIRMED_BIT = 3,
- IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
-+
-+ /* Connection is destroyed (removed from lists), can not be unset. */
-+ IPS_DESTROYED_BIT = 4,
-+ IPS_DESTROYED = (1 << IPS_DESTROYED_BIT),
-+};
-+
-+/* Connection tracking event bits */
-+enum ip_conntrack_events
-+{
-+ /* New conntrack */
-+ IPCT_NEW_BIT = 0,
-+ IPCT_NEW = (1 << IPCT_NEW_BIT),
-+
-+ /* Expected connection */
-+ IPCT_RELATED_BIT = 1,
-+ IPCT_RELATED = (1 << IPCT_RELATED_BIT),
-+
-+ /* Destroyed conntrack */
-+ IPCT_DESTROY_BIT = 2,
-+ IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
-+
-+ /* Timer has been refreshed */
-+ IPCT_REFRESH_BIT = 3,
-+ IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
-+
-+ /* Status has changed */
-+ IPCT_STATUS_BIT = 4,
-+ IPCT_STATUS = (1 << IPCT_STATUS_BIT),
-+
-+ /* Update of protocol info */
-+ IPCT_PROTOINFO_BIT = 5,
-+ IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
-+
-+ /* Volatile protocol info */
-+ IPCT_PROTOINFO_VOLATILE_BIT = 6,
-+ IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
-+
-+ /* New helper for conntrack */
-+ IPCT_HELPER_BIT = 7,
-+ IPCT_HELPER = (1 << IPCT_HELPER_BIT),
-+
-+ /* Update of helper info */
-+ IPCT_HELPINFO_BIT = 8,
-+ IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
-+
-+ /* Volatile helper info */
-+ IPCT_HELPINFO_VOLATILE_BIT = 9,
-+ IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
-+
-+ /* NAT info */
-+ IPCT_NATINFO_BIT = 10,
-+ IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
- };
-
- #include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
-@@ -263,7 +315,7 @@
- /* Refresh conntrack for this many jiffies */
- extern void ip_ct_refresh_acct(struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- unsigned long extra_jiffies);
-
- /* These are for NAT. Icky. */
-@@ -294,6 +346,11 @@
- return test_bit(IPS_CONFIRMED_BIT, &ct->status);
- }
-
-+static inline int is_destroyed(struct ip_conntrack *ct)
-+{
-+ return test_bit(IPS_DESTROYED_BIT, &ct->status);
-+}
-+
- extern unsigned int ip_conntrack_htable_size;
-
- struct ip_conntrack_stat
-@@ -317,6 +374,57 @@
-
- #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
-
-+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
-+#include <linux/notifier.h>
-+
-+extern struct notifier_block *ip_conntrack_chain;
-+
-+static inline int ip_conntrack_register_notifier(struct notifier_block *nb)
-+{
-+ return notifier_chain_register(&ip_conntrack_chain, nb);
-+}
-+
-+static inline int ip_conntrack_unregister_notifier(struct notifier_block *nb)
-+{
-+ return notifier_chain_unregister(&ip_conntrack_chain, nb);
-+}
-+
-+static inline void ip_conntrack_event_cache_init(struct sk_buff *skb)
-+{
-+ /* Set to zero first 14 bits, see netfilter.h */
-+ skb->nfcache &= 0xc000;
-+}
-+
-+static inline void
-+ip_conntrack_event_cache(enum ip_conntrack_events event, struct sk_buff *skb)
-+{
-+ skb->nfcache |= event;
-+}
-+
-+static inline void
-+ip_conntrack_deliver_cached_events(struct sk_buff *skb)
-+{
-+ struct ip_conntrack *ct = (struct ip_conntrack *) skb->nfct;
-+
-+ if (ct != NULL && is_confirmed(ct) && !is_destroyed(ct) && skb->nfcache)
-+ notifier_call_chain(&ip_conntrack_chain, skb->nfcache, ct);
-+}
-+
-+static inline void ip_conntrack_event(enum ip_conntrack_events event,
-+ struct ip_conntrack *ct)
-+{
-+ if (is_confirmed(ct) && !is_destroyed(ct))
-+ notifier_call_chain(&ip_conntrack_chain, event, ct);
-+}
-+#else /* CONFIG_IP_NF_CONNTRACK_EVENTS */
-+static inline void ip_conntrack_event_cache_init(struct sk_buff *skb) {}
-+static inline void ip_conntrack_event_cache(enum ip_conntrack_events event,
-+ struct sk_buff *skb) {}
-+static inline void ip_conntrack_event(enum ip_conntrack_events event,
-+ struct ip_conntrack *ct) {}
-+static inline void ip_conntrack_deliver_cached_events(struct sk_buff *skb) {}
-+#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
-+
- /* eg. PROVIDES_CONNTRACK(ftp); */
- #define PROVIDES_CONNTRACK(name) \
- int needs_ip_conntrack_##name; \
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:15:47.000000000 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:41:44.022933736 +0100
-@@ -39,10 +39,14 @@
- /* Confirm a connection: returns NF_DROP if packet must be dropped. */
- static inline int ip_conntrack_confirm(struct sk_buff *skb)
- {
-+ int ret = NF_ACCEPT;
-+
- if (skb->nfct
- && !is_confirmed((struct ip_conntrack *)skb->nfct))
-- return __ip_conntrack_confirm(skb);
-- return NF_ACCEPT;
-+ ret = __ip_conntrack_confirm(skb);
-+ ip_conntrack_deliver_cached_events(skb);
-+
-+ return ret;
- }
-
- extern struct list_head *ip_conntrack_hash;
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-01-10 20:15:47.000000000 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-01-10 20:41:44.023933584 +0100
-@@ -34,7 +34,7 @@
-
- /* Returns verdict for packet, or -1 for invalid. */
- int (*packet)(struct ip_conntrack *conntrack,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- enum ip_conntrack_info ctinfo);
-
- /* Called when a new connection for this protocol found;
-Index: linux-2.6.10/net/ipv4/netfilter/Kconfig
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/Kconfig 2005-01-10 20:23:29.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/Kconfig 2005-01-10 20:41:44.027932976 +0100
-@@ -732,5 +732,15 @@
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config IP_NF_CONNTRACK_EVENTS
-+ bool "Connection tracking events"
-+ depends on IP_NF_CONNTRACK
-+ help
-+ If this option is enabled, the connection tracking code will
-+ provide a notifier chain that can be used by other kernel code
-+ to get notified about changes in the connection tracking state.
-+
-+ IF unsure, say `N'.
-+
- endmenu
-
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2005-01-10 20:15:51.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2005-01-10 20:41:44.029932672 +0100
-@@ -89,7 +89,7 @@
-
- /* Returns verdict for packet, or -1 for invalid. */
- static int icmp_packet(struct ip_conntrack *ct,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- enum ip_conntrack_info ctinfo)
- {
- /* Try to delete connection immediately after all replies:
-@@ -102,6 +102,7 @@
- ct->timeout.function((unsigned long)ct);
- } else {
- atomic_inc(&ct->proto.icmp.count);
-+ ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
- ip_ct_refresh_acct(ct, ctinfo, skb, ip_ct_icmp_timeout);
- }
-
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_generic.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_generic.c 2005-01-10 20:15:51.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_generic.c 2005-01-10 20:41:44.031932368 +0100
-@@ -49,7 +49,7 @@
-
- /* Returns verdict for packet, or -1 for invalid. */
- static int packet(struct ip_conntrack *conntrack,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- enum ip_conntrack_info ctinfo)
- {
- ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_generic_timeout);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2005-01-10 20:15:51.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2005-01-10 20:41:44.034931912 +0100
-@@ -310,7 +310,7 @@
-
- /* Returns verdict for packet, or -1 for invalid. */
- static int sctp_packet(struct ip_conntrack *conntrack,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- enum ip_conntrack_info ctinfo)
- {
- enum sctp_conntrack newconntrack, oldsctpstate;
-@@ -405,6 +405,8 @@
- }
-
- conntrack->proto.sctp.state = newconntrack;
-+ if (oldsctpstate != newconntrack)
-+ ip_conntrack_event_cache(IPCT_PROTOINFO, skb);
- WRITE_UNLOCK(&sctp_lock);
- }
-
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:23:29.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:44:56.354694864 +0100
-@@ -37,6 +37,7 @@
- #include <linux/err.h>
- #include <linux/percpu.h>
- #include <linux/moduleparam.h>
-+#include <linux/notifier.h>
-
- /* This rwlock protects the main hash table, protocol/helper/expected
- registrations, conntrack timers*/
-@@ -75,6 +76,10 @@
- struct ip_conntrack ip_conntrack_untracked;
- unsigned int ip_ct_log_invalid;
-
-+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
-+struct notifier_block *ip_conntrack_chain;
-+#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
-+
- DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
-
- inline void
-@@ -287,6 +292,8 @@
- IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
- IP_NF_ASSERT(!timer_pending(&ct->timeout));
-
-+ set_bit(IPS_DESTROYED_BIT, &ct->status);
-+
- /* To make sure we don't get any weird locking issues here:
- * destroy_conntrack() MUST NOT be called with a write lock
- * to ip_conntrack_lock!!! -HW */
-@@ -327,6 +334,7 @@
- {
- struct ip_conntrack *ct = (void *)ul_conntrack;
-
-+ ip_conntrack_event(IPCT_DESTROY, ct);
- WRITE_LOCK(&ip_conntrack_lock);
- /* Inside lock so preempt is disabled on module removal path.
- * Otherwise we can get spurious warnings. */
-@@ -436,6 +444,14 @@
- set_bit(IPS_CONFIRMED_BIT, &ct->status);
- CONNTRACK_STAT_INC(insert);
- WRITE_UNLOCK(&ip_conntrack_lock);
-+ if (ct->helper)
-+ ip_conntrack_event_cache(IPCT_HELPER, skb);
-+#ifdef CONFIG_IP_NF_NAT_NEEDED
-+ if (ct->nat.info.initialized)
-+ ip_conntrack_event_cache(IPCT_NATINFO, skb);
-+#endif
-+ ip_conntrack_event_cache(master_ct(ct) ?
-+ IPCT_RELATED : IPCT_NEW, skb);
- return NF_ACCEPT;
- }
-
-@@ -708,6 +724,8 @@
- /* FIXME: Do this right please. --RR */
- (*pskb)->nfcache |= NFC_UNKNOWN;
-
-+ ip_conntrack_event_cache_init(*pskb);
-+
- /* Doesn't cover locally-generated broadcast, so not worth it. */
- #if 0
- /* Ignore broadcast: no `connection'. */
-@@ -769,8 +787,10 @@
- return NF_ACCEPT;
- }
- }
-- if (set_reply)
-+ if (set_reply && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
- set_bit(IPS_SEEN_REPLY_BIT, &ct->status);
-+ ip_conntrack_event_cache(IPCT_STATUS, *pskb);
-+ }
-
- return ret;
- }
-@@ -1052,6 +1072,7 @@
- if (i->ctrack->helper == me) {
- /* Get rid of any expected. */
- remove_expectations(i->ctrack, 0);
-+ ip_conntrack_event(IPCT_HELPER, i->ctrack);
- /* And *then* set helper to NULL */
- i->ctrack->helper = NULL;
- }
-@@ -1092,7 +1113,7 @@
- /* Refresh conntrack for this many jiffies and do accounting (if skb != NULL) */
- void ip_ct_refresh_acct(struct ip_conntrack *ct,
- enum ip_conntrack_info ctinfo,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- unsigned long extra_jiffies)
- {
- IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
-@@ -1107,6 +1128,7 @@
- if (del_timer(&ct->timeout)) {
- ct->timeout.expires = jiffies + extra_jiffies;
- add_timer(&ct->timeout);
-+ ip_conntrack_event_cache(IPCT_REFRESH, skb);
- }
- ct_add_counters(ct, ctinfo, skb);
- WRITE_UNLOCK(&ip_conntrack_lock);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_ftp.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_ftp.c 2005-01-10 20:23:29.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_ftp.c 2005-01-10 20:41:44.044930392 +0100
-@@ -300,6 +300,7 @@
- ct_ftp_info->seq_aft_nl[dir] =
- ntohl(th->seq) + datalen;
- ct_ftp_info->seq_aft_nl_set[dir] = 1;
-+ ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
- }
- }
-
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:23:29.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:41:44.048929784 +0100
-@@ -881,6 +881,11 @@
- {
- }
-
-+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
-+EXPORT_SYMBOL(ip_conntrack_chain);
-+EXPORT_SYMBOL(ip_conntrack_register_notifier);
-+EXPORT_SYMBOL(ip_conntrack_unregister_notifier);
-+#endif
- EXPORT_SYMBOL(ip_conntrack_protocol_register);
- EXPORT_SYMBOL(ip_conntrack_protocol_unregister);
- EXPORT_SYMBOL(invert_tuplepr);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-01-10 20:23:29.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-01-10 20:41:44.052929176 +0100
-@@ -826,7 +826,7 @@
-
- /* Returns verdict for packet, or -1 for invalid. */
- static int tcp_packet(struct ip_conntrack *conntrack,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- enum ip_conntrack_info ctinfo)
- {
- enum tcp_conntrack new_state, old_state;
-@@ -948,6 +948,10 @@
- ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
- WRITE_UNLOCK(&tcp_lock);
-
-+ ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
-+ if (new_state != old_state)
-+ ip_conntrack_event_cache(IPCT_PROTOINFO, skb);
-+
- if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) {
- /* If only reply is a RST, we can consider ourselves not to
- have an established connection: this is a fairly common
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_udp.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2005-01-10 20:15:51.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2005-01-10 20:41:44.055928720 +0100
-@@ -64,7 +64,7 @@
-
- /* Returns verdict for packet, and may modify conntracktype */
- static int udp_packet(struct ip_conntrack *conntrack,
-- const struct sk_buff *skb,
-+ struct sk_buff *skb,
- enum ip_conntrack_info ctinfo)
- {
- /* If we've seen traffic both ways, this is some kind of UDP
-@@ -73,7 +73,10 @@
- ip_ct_refresh_acct(conntrack, ctinfo, skb,
- ip_ct_udp_timeout_stream);
- /* Also, more likely to be important, and not a probe */
-- set_bit(IPS_ASSURED_BIT, &conntrack->status);
-+ if (!test_bit(IPS_ASSURED_BIT, &conntrack->status)) {
-+ set_bit(IPS_ASSURED_BIT, &conntrack->status);
-+ ip_conntrack_event_cache(IPCT_STATUS, skb);
-+ }
- } else
- ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_udp_timeout);
-
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/ct_sync_config_and_makefile.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/ct_sync_config_and_makefile.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/ct_sync_config_and_makefile.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,10 +1,10 @@
-Index: linux-2.6.9/net/ipv4/netfilter/Makefile
+Index: netfilter-2.6.14/net/ipv4/netfilter/Makefile
===================================================================
---- linux-2.6.9.orig/net/ipv4/netfilter/Makefile 2004-12-10 00:10:57.000000000 +0100
-+++ linux-2.6.9/net/ipv4/netfilter/Makefile 2004-12-15 22:03:22.000000000 +0100
-@@ -16,6 +16,9 @@
- ipfwadm-objs := $(ip_nf_compat-objs) ipfwadm_core.o
- ipchains-objs := $(ip_nf_compat-objs) ipchains_core.o
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/Makefile 2005-09-18 12:58:03.203433272 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/Makefile 2005-10-04 16:23:02.759253880 +0200
+@@ -6,6 +6,9 @@
+ ip_conntrack-objs := ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
+ iptable_nat-objs := ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
+# conntrack state synchronization
+ct_sync-objs := ct_sync_main.o ct_sync_proto.o ct_sync_sock.o
@@ -12,20 +12,20 @@
# connection tracking
obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
-@@ -99,3 +102,5 @@
- obj-$(CONFIG_IP_NF_COMPAT_IPFWADM) += ipfwadm.o
+@@ -103,3 +106,5 @@
- obj-$(CONFIG_IP_NF_QUEUE) += ip_queue.o
+ # l3 independent conntrack
+ obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
+
+obj-$(CONFIG_IP_NF_CT_SYNC) += ct_sync.o
-Index: linux-2.6.9/net/ipv4/netfilter/Kconfig
+Index: netfilter-2.6.14/net/ipv4/netfilter/Kconfig
===================================================================
---- linux-2.6.9.orig/net/ipv4/netfilter/Kconfig 2004-12-10 00:10:57.000000000 +0100
-+++ linux-2.6.9/net/ipv4/netfilter/Kconfig 2004-12-15 22:03:22.000000000 +0100
-@@ -718,5 +718,28 @@
-
- IF unsure, say `N'.
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/Kconfig 2005-09-18 12:58:02.826490576 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/Kconfig 2005-10-04 16:22:22.487376136 +0200
+@@ -794,5 +794,23 @@
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_CT_SYNC
+ tristate "Connection tracking state synchronization"
+ depends on IP_NF_CONNTRACK_EVENTS
@@ -36,11 +36,8 @@
+
+ If unsure, say `N'.
+
-+config IP_NF_CT_SYNC_ACTACT
-+ bool "Active-Active Support"
-+ depends on IP_NF_CT_SYNC && !IP_NF_NAT
-+
+config IP_NF_CONNTRACK_SYNC_MARKED
++ bool "Synchronize marked connections only"
+ depends on IP_NF_CT_SYNC && IP_NF_CONNTRACK_MARK
+ help
+ This option enables the 'cmarkbit' option of ct_sync. This means that
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_clean_from_lists.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/export_ip_conntrack_clean_from_lists.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_clean_from_lists.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,33 +1,33 @@
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:00.490973576 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:18.557227088 +0100
-@@ -915,6 +915,7 @@
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-04 17:39:05.224653712 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-04 17:40:29.406856072 +0200
+@@ -1008,6 +1008,7 @@
+ EXPORT_SYMBOL(ip_conntrack_hash);
EXPORT_SYMBOL(ip_conntrack_untracked);
EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
- EXPORT_SYMBOL_GPL(__ip_conntrack_find);
+EXPORT_SYMBOL_GPL(ip_conntrack_clean_from_lists);
- EXPORT_SYMBOL_GPL(ip_conntrack_put);
#ifdef CONFIG_IP_NF_NAT_NEEDED
EXPORT_SYMBOL(ip_conntrack_tcp_update);
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h
+ #endif
+Index: netfilter-2.6.14/include/linux/netfilter_ipv4/ip_conntrack_core.h
===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:00.492973272 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:18.559226784 +0100
+--- netfilter-2.6.14.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-10-04 17:39:05.228653104 +0200
++++ netfilter-2.6.14/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-10-04 17:39:29.208007688 +0200
@@ -54,6 +54,8 @@
- return ret;
- }
+ extern void ip_ct_unlink_expect(struct ip_conntrack_expect *exp);
+
+extern void ip_conntrack_clean_from_lists(struct ip_conntrack *ct);
+
extern struct list_head *ip_conntrack_hash;
extern struct list_head ip_conntrack_expect_list;
- DECLARE_RWLOCK_EXTERN(ip_conntrack_lock);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
+ extern rwlock_t ip_conntrack_lock;
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:54:00.497972512 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:56:56.733180688 +0100
-@@ -265,12 +265,12 @@
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-04 17:39:05.226653408 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-04 17:39:29.215006624 +0200
+@@ -288,12 +288,12 @@
}
}
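Review bot: The `extern void ip_conntrack_clean_from_lists(struct ip_conntrack *ct);` declaration added to ip_conntrack_core.h says nothing about locking, although the function is now reachable from other modules through `EXPORT_SYMBOL_GPL`. The next hunk shows that it asserts `ASSERT_WRITE_LOCK(&ip_conntrack_lock)`, so an external caller that skips the lock would presumably unlink entries from the conntrack hash unprotected. I would put the contract on the declaration: `/* Caller must hold ip_conntrack_lock for writing. */`. Most of the function body lies outside the visible hunks, so anything beyond the lock requirement should be confirmed there.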
@@ -40,15 +40,15 @@
- DEBUGP("clean_from_lists(%p)\n", ct);
+ DEBUGP("ip_conntrack_clean_from_lists(%p)\n", ct);
- MUST_BE_WRITE_LOCKED(&ip_conntrack_lock);
+ ASSERT_WRITE_LOCK(&ip_conntrack_lock);
ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
-@@ -339,7 +339,7 @@
+@@ -359,7 +359,7 @@
/* Inside lock so preempt is disabled on module removal path.
* Otherwise we can get spurious warnings. */
CONNTRACK_STAT_INC(delete_list);
- clean_from_lists(ct);
+ ip_conntrack_clean_from_lists(ct);
- WRITE_UNLOCK(&ip_conntrack_lock);
+ write_unlock_bh(&ip_conntrack_lock);
ip_conntrack_put(ct);
}
Deleted: branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_find.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/export_ip_conntrack_find.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_find.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,41 +0,0 @@
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:53:51.796295368 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:00.490973576 +0100
-@@ -914,6 +914,7 @@
- EXPORT_SYMBOL(ip_conntrack_hash);
- EXPORT_SYMBOL(ip_conntrack_untracked);
- EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
-+EXPORT_SYMBOL_GPL(__ip_conntrack_find);
- EXPORT_SYMBOL_GPL(ip_conntrack_put);
- #ifdef CONFIG_IP_NF_NAT_NEEDED
- EXPORT_SYMBOL(ip_conntrack_tcp_update);
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:41:44.022933736 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:00.492973272 +0100
-@@ -34,6 +34,11 @@
- ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
- const struct ip_conntrack *ignored_conntrack);
-
-+/* Non-locked, non-referenced version, for ct_sync */
-+struct ip_conntrack_tuple_hash *
-+__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
-+ const struct ip_conntrack *ignored_conntrack);
-+
- extern int __ip_conntrack_confirm(struct sk_buff *skb);
-
- /* Confirm a connection: returns NF_DROP if packet must be dropped. */
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:53:51.801294608 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:54:00.497972512 +0100
-@@ -354,7 +354,7 @@
- && ip_ct_tuple_equal(tuple, &i->tuple);
- }
-
--static struct ip_conntrack_tuple_hash *
-+struct ip_conntrack_tuple_hash *
- __ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
- const struct ip_conntrack *ignored_conntrack)
- {
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_helpers.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/export_ip_conntrack_helpers.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_conntrack_helpers.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,21 +1,21 @@
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:41:44.048929784 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:53:51.796295368 +0100
-@@ -899,6 +899,7 @@
- EXPORT_SYMBOL(ip_ct_protos);
- EXPORT_SYMBOL(ip_ct_find_proto);
- EXPORT_SYMBOL(ip_ct_find_helper);
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-09-18 12:58:03.410401808 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-10-04 11:36:34.028748760 +0200
+@@ -990,6 +990,7 @@
+ EXPORT_SYMBOL(ip_conntrack_helper_unregister);
+ EXPORT_SYMBOL(ip_ct_iterate_cleanup);
+ EXPORT_SYMBOL(ip_ct_refresh_acct);
+EXPORT_SYMBOL_GPL(__ip_ct_find_helper_by_name);
+
EXPORT_SYMBOL(ip_conntrack_expect_alloc);
- EXPORT_SYMBOL(ip_conntrack_expect_related);
- EXPORT_SYMBOL(ip_conntrack_change_expect);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
+ EXPORT_SYMBOL(ip_conntrack_expect_put);
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:44:56.354694864 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:53:51.801294608 +0100
-@@ -520,6 +520,20 @@
- tuple);
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-09-18 12:58:03.346411536 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_conntrack_core.c 2005-10-04 11:35:10.317474808 +0200
+@@ -678,6 +678,20 @@
+ kmem_cache_free(ip_conntrack_cachep, conntrack);
}
+static inline int
@@ -33,18 +33,19 @@
+}
+
/* Allocate a new conntrack: we return -ENOMEM if classification
- failed due to stress. Otherwise it really is unclassifiable. */
+ * failed due to stress. Otherwise it really is unclassifiable */
static struct ip_conntrack_tuple_hash *
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_helper.h
+Index: netfilter-2.6.14/include/linux/netfilter_ipv4/ip_conntrack_helper.h
===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2004-08-14 07:36:17.000000000 +0200
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2005-01-10 20:53:51.817292176 +0100
-@@ -35,6 +35,8 @@
+--- netfilter-2.6.14.orig/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2005-09-18 12:57:51.256249520 +0200
++++ netfilter-2.6.14/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2005-10-04 11:35:10.320474352 +0200
+@@ -31,6 +31,9 @@
+ extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);
+ extern void ip_conntrack_helper_unregister(struct ip_conntrack_helper *);
- extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple);
-
+/* Lookup conntrack helper by name: for ct_sync */
+extern struct ip_conntrack_helper *__ip_ct_find_helper_by_name(const char *name);
-
++
/* Allocate space for an expectation: this is mandatory before calling
- ip_conntrack_expect_related. */
+ ip_conntrack_expect_related. You will have to call put afterwards. */
+ extern struct ip_conntrack_expect *
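Review bot: The comment on `__ip_ct_find_helper_by_name()` ("Lookup conntrack helper by name: for ct_sync") does not say which lock protects the lookup or how long the returned pointer stays valid. The body is outside the visible hunks, but the `__` prefix and the removed NAT counterpart (a bare `LIST_FIND` with `strcmp`) suggest an unlocked list walk that takes no reference, so a helper module unloading concurrently could leave the caller with a stale pointer. I would write `/* Lookup conntrack helper by name, for ct_sync. Caller must hold the lock protecting the helper list; no reference is taken on the result. */`, after confirming this against the function body. If `name` is taken from a received sync message, it is also worth stating that it must be NUL-terminated.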
Deleted: branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_nat_helpers.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/export_ip_nat_helpers.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_nat_helpers.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,49 +0,0 @@
-Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_nat_helper.h
-===================================================================
---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_nat_helper.h 2005-01-10 20:15:47.000000000 +0100
-+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_nat_helper.h 2005-01-10 20:53:56.435590088 +0100
-@@ -47,6 +47,10 @@
- extern struct ip_nat_helper *
- __ip_nat_find_helper(const struct ip_conntrack_tuple *tuple);
-
-+/* For ct_sync: look up helper by name */
-+extern struct ip_nat_helper *
-+__ip_nat_find_helper_by_name(const char *name);
-+
- /* These return true or false. */
- extern int ip_nat_mangle_tcp_packet(struct sk_buff **skb,
- struct ip_conntrack *ct,
-Index: linux-2.6.10/net/ipv4/netfilter/ip_nat_helper.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_helper.c 2005-01-10 20:15:51.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_nat_helper.c 2005-01-10 20:53:56.458586592 +0100
-@@ -455,6 +455,19 @@
- return ret;
- }
-
-+static inline int
-+helper_name_cmp(const struct ip_nat_helper *helper,
-+ const char *name)
-+{
-+ return strcmp(helper->name, name);
-+}
-+
-+struct ip_nat_helper *
-+__ip_nat_find_helper_by_name(const char *name)
-+{
-+ return LIST_FIND(&helpers, helper_name_cmp, struct ip_nat_helper *, name);
-+}
-+
- void ip_nat_helper_unregister(struct ip_nat_helper *me)
- {
- WRITE_LOCK(&ip_nat_lock);
-Index: linux-2.6.10/net/ipv4/netfilter/ip_nat_standalone.c
-===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_standalone.c 2005-01-10 20:23:29.000000000 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_nat_standalone.c 2005-01-10 20:53:56.476583856 +0100
-@@ -391,4 +391,5 @@
- EXPORT_SYMBOL(ip_nat_used_tuple);
- EXPORT_SYMBOL(ip_nat_find_helper);
- EXPORT_SYMBOL(__ip_nat_find_helper);
-+EXPORT_SYMBOL_GPL(__ip_nat_find_helper_by_name);
- MODULE_LICENSE("GPL");
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_nat_lock_and_hash.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/export_ip_nat_lock_and_hash.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/export_ip_nat_lock_and_hash.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,11 +1,71 @@
-Index: linux-2.6.10/net/ipv4/netfilter/ip_nat_standalone.c
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_nat_standalone.c
===================================================================
---- linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_standalone.c 2005-01-10 20:53:56.476583856 +0100
-+++ linux-2.6.10/net/ipv4/netfilter/ip_nat_standalone.c 2005-01-10 20:54:05.497212512 +0100
-@@ -392,4 +392,6 @@
- EXPORT_SYMBOL(ip_nat_find_helper);
- EXPORT_SYMBOL(__ip_nat_find_helper);
- EXPORT_SYMBOL_GPL(__ip_nat_find_helper_by_name);
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_nat_standalone.c 2005-10-04 17:39:04.943696424 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_nat_standalone.c 2005-10-04 17:39:15.274125960 +0200
+@@ -405,4 +405,6 @@
+ EXPORT_SYMBOL(ip_nat_mangle_udp_packet);
+ EXPORT_SYMBOL(ip_nat_used_tuple);
+ EXPORT_SYMBOL(ip_nat_follow_master);
+EXPORT_SYMBOL_GPL(ip_nat_lock);
-+EXPORT_SYMBOL_GPL(place_in_hashes);
++EXPORT_SYMBOL_GPL(ip_nat_hash_insert);
MODULE_LICENSE("GPL");
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_nat_core.c
+===================================================================
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_nat_core.c 2005-10-04 17:39:04.944696272 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_nat_core.c 2005-10-04 17:56:57.845590544 +0200
+@@ -101,6 +101,18 @@
+ write_unlock_bh(&ip_nat_lock);
+ }
+
++/* Place the conntrack entry in the nat hashtable. */
++void ip_nat_hash_insert(struct ip_conntrack *ct)
++{
++ unsigned int srchash
++ = hash_by_src(&ct->tuplehash[IP_CT_DIR_ORIGINAL]
++ .tuple);
++
++ write_lock_bh(&ip_nat_lock);
++ list_add(&ct->nat.info.bysource, &bysource[srchash]);
++ write_unlock_bh(&ip_nat_lock);
++}
++
+ /* We do checksum mangling, so if they were wrong before they're still
+ * wrong. Also works for incomplete packets (eg. ICMP dest
+ * unreachables.) */
+@@ -295,7 +307,6 @@
+ unsigned int hooknum)
+ {
+ struct ip_conntrack_tuple curr_tuple, new_tuple;
+- struct ip_nat_info *info = &conntrack->nat.info;
+ int have_to_hash = !(conntrack->status & IPS_NAT_DONE_MASK);
+ enum ip_nat_manip_type maniptype = HOOK2MANIP(hooknum);
+
+@@ -330,14 +341,8 @@
+ }
+
+ /* Place in source hash if this is the first time. */
+- if (have_to_hash) {
+- unsigned int srchash
+- = hash_by_src(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
+- .tuple);
+- write_lock_bh(&ip_nat_lock);
+- list_add(&info->bysource, &bysource[srchash]);
+- write_unlock_bh(&ip_nat_lock);
+- }
++ if (have_to_hash)
++ ip_nat_hash_insert(conntrack);
+
+ /* It's done. */
+ if (maniptype == IP_NAT_MANIP_DST)
+Index: netfilter-2.6.14/include/linux/netfilter_ipv4/ip_nat_core.h
+===================================================================
+--- netfilter-2.6.14.orig/include/linux/netfilter_ipv4/ip_nat_core.h 2005-10-04 17:39:04.946695968 +0200
++++ netfilter-2.6.14/include/linux/netfilter_ipv4/ip_nat_core.h 2005-10-04 17:39:15.282124744 +0200
+@@ -17,4 +17,7 @@
+ struct ip_conntrack *ct,
+ enum ip_nat_manip_type manip,
+ enum ip_conntrack_dir dir);
++
++extern void ip_nat_hash_insert(struct ip_conntrack *ct);
++
+ #endif /* _IP_NAT_CORE_H */
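Review bot: `ip_nat_hash_insert()` is exported together with `ip_nat_lock`, but its comment ("Place the conntrack entry in the nat hashtable.") leaves out two preconditions that the existing caller in ip_nat_core.c meets only implicitly. The function takes `write_lock_bh(&ip_nat_lock)` itself, so a module that already holds the newly exported lock would deadlock. It also does an unconditional `list_add()` of `ct->nat.info.bysource`, so a second call for the same conntrack would corrupt the bysource list; the in-file caller avoids this with its `have_to_hash` test. I would extend the comment to `/* Place the conntrack entry in the nat hashtable. Takes ip_nat_lock itself; call at most once per conntrack, while it is not yet hashed by source. */`.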
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/inet_pton6.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/inet_pton6.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/inet_pton6.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -4,26 +4,83 @@
This is required by ct_sync when compiled with ipv6 support.
-Index: linux-2.6.10-wrap-nfsroot/net/ipv6/Makefile
+Index: netfilter-2.6.14/include/linux/inet.h
===================================================================
---- linux-2.6.10-wrap-nfsroot.orig/net/ipv6/Makefile 2004-12-24 22:35:24.000000000 +0100
-+++ linux-2.6.10-wrap-nfsroot/net/ipv6/Makefile 2005-03-17 11:47:21.000000000 +0100
-@@ -8,7 +8,7 @@
- route.o ip6_fib.o ipv6_sockglue.o ndisc.o udp.o raw.o \
- protocol.o icmp.o mcast.o reassembly.o tcp_ipv6.o \
- exthdrs.o sysctl_net_ipv6.o datagram.o proc.o \
-- ip6_flowlabel.o ipv6_syms.o
-+ ip6_flowlabel.o ipv6_syms.o utils.o
+--- netfilter-2.6.14.orig/include/linux/inet.h 2005-10-07 12:32:16.837469728 +0200
++++ netfilter-2.6.14/include/linux/inet.h 2005-10-07 12:32:19.426076200 +0200
+@@ -46,5 +46,7 @@
+ #include <linux/types.h>
- ipv6-$(CONFIG_XFRM) += xfrm6_policy.o xfrm6_state.o xfrm6_input.o \
- xfrm6_output.o
-Index: linux-2.6.10-wrap-nfsroot/net/ipv6/utils.c
+ extern __u32 in_aton(const char *str);
++extern int inet_pton4(const char *src, unsigned char *dst);
++extern int inet_pton6(const char *src, unsigned char *dst);
+ #endif
+ #endif /* _LINUX_INET_H */
+Index: netfilter-2.6.14/net/core/utils.c
===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ linux-2.6.10-wrap-nfsroot/net/ipv6/utils.c 2005-03-17 11:54:31.000000000 +0100
-@@ -0,0 +1,108 @@
+--- netfilter-2.6.14.orig/net/core/utils.c 2005-10-07 12:32:16.835470032 +0200
++++ netfilter-2.6.14/net/core/utils.c 2005-10-07 14:21:09.511285384 +0200
+@@ -24,6 +24,7 @@
+ #include <linux/random.h>
+ #include <linux/percpu.h>
+ #include <linux/init.h>
++#include <linux/ctype.h>
+
+ #include <asm/byteorder.h>
+ #include <asm/system.h>
+@@ -190,3 +191,153 @@
+ }
+
+ EXPORT_SYMBOL(in_aton);
+
++/* int
++ * inet_pton4(src, dst)
++ * like inet_aton() but without all the hexadecimal and shorthand.
++ * return:
++ * 1 if `src' is a valid dotted quad, else 0.
++ * notice:
++ * does not touch `dst' unless it's returning 1.
++ * author:
++ * Paul Vixie, 1996.
++ */
++int
++inet_pton4(const char *src, u_char *dst)
++{
++ int saw_digit, octets, ch;
++ u_char tmp[4], *tp;
+
++ saw_digit = 0;
++ octets = 0;
++ *(tp = tmp) = 0;
++ while ((ch = *src++) != '\0') {
++
++ if (ch >= '0' && ch <= '9') {
++ u_int new = *tp * 10 + (ch - '0');
++
++ if (new > 255)
++ return (0);
++ *tp = new;
++ if (! saw_digit) {
++ if (++octets > 4)
++ return (0);
++ saw_digit = 1;
++ }
++ } else if (ch == '.' && saw_digit) {
++ if (octets == 4)
++ return (0);
++ *++tp = 0;
++ saw_digit = 0;
++ } else
++ return (0);
++ }
++ if (octets < 4)
++ return (0);
++ memcpy(dst, tmp, 4);
++ return (1);
++}
++
++EXPORT_SYMBOL(inet_pton4);
++
+/* int
+ * inet_pton6(src, dst)
+ * convert presentation level address to network order binary form.
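Review bot: `inet_pton4()` accepts octets with leading zeros of any length, because the digit branch only tests `new > 255`. A string such as "010.1.1.1" is therefore parsed as 10.1.1.1, while parsers that follow inet_aton() conventions read the same text as octal. For addresses that end up in synchronization or filtering configuration it is safer to reject the form outright, with `if (saw_digit && *tp == 0) return (0);` placed before the `new > 255` test. The declarations added to include/linux/inet.h could also state that `dst` must have room for 4 bytes (inet_pton4) and 16 bytes (inet_pton6), which is what the `memcpy()` calls write.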
@@ -38,12 +95,6 @@
+ * Paul Vixie, 1996.
+ */
+
-+#include <linux/module.h>
-+#include <linux/types.h>
-+#include <linux/ctype.h>
-+#include <linux/string.h>
-+#include <linux/inet.h>
-+
+int
+inet_pton6(const char *src, u_char *dst)
+{
@@ -129,74 +180,5 @@
+ memcpy(dst, tmp, 16);
+ return (1);
+}
-+EXPORT_SYMBOL(inet_pton6);
-Index: linux-2.6.10-wrap-nfsroot/net/ipv4/utils.c
-===================================================================
---- linux-2.6.10-wrap-nfsroot.orig/net/ipv4/utils.c 2004-12-24 22:34:44.000000000 +0100
-+++ linux-2.6.10-wrap-nfsroot/net/ipv4/utils.c 2005-03-17 11:53:57.000000000 +0100
-@@ -55,5 +55,52 @@
- }
- return(htonl(l));
- }
--
- EXPORT_SYMBOL(in_aton);
+
-+/* int
-+ * inet_pton4(src, dst)
-+ * like inet_aton() but without all the hexadecimal and shorthand.
-+ * return:
-+ * 1 if `src' is a valid dotted quad, else 0.
-+ * notice:
-+ * does not touch `dst' unless it's returning 1.
-+ * author:
-+ * Paul Vixie, 1996.
-+ */
-+int
-+inet_pton4(const char *src, u_char *dst)
-+{
-+ int saw_digit, octets, ch;
-+ u_char tmp[4], *tp;
-+
-+ saw_digit = 0;
-+ octets = 0;
-+ *(tp = tmp) = 0;
-+ while ((ch = *src++) != '\0') {
-+
-+ if (ch >= '0' && ch <= '9') {
-+ u_int new = *tp * 10 + (ch - '0');
-+
-+ if (new > 255)
-+ return (0);
-+ *tp = new;
-+ if (! saw_digit) {
-+ if (++octets > 4)
-+ return (0);
-+ saw_digit = 1;
-+ }
-+ } else if (ch == '.' && saw_digit) {
-+ if (octets == 4)
-+ return (0);
-+ *++tp = 0;
-+ saw_digit = 0;
-+ } else
-+ return (0);
-+ }
-+ if (octets < 4)
-+ return (0);
-+ memcpy(dst, tmp, 4);
-+ return (1);
-+}
-+EXPORT_SYMBOL(inet_pton4);
-+
-Index: linux-2.6.10-wrap-nfsroot/include/linux/inet.h
-===================================================================
---- linux-2.6.10-wrap-nfsroot.orig/include/linux/inet.h 2004-12-24 22:34:26.000000000 +0100
-+++ linux-2.6.10-wrap-nfsroot/include/linux/inet.h 2005-03-17 11:53:33.000000000 +0100
-@@ -46,5 +46,7 @@
- #include <linux/types.h>
-
- extern __u32 in_aton(const char *str);
-+extern int inet_pton4(const char *src, unsigned char *dst);
-+extern int inet_pton6(const char *src, unsigned char *dst);
- #endif
- #endif /* _LINUX_INET_H */
++EXPORT_SYMBOL(inet_pton6);
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/netfilter_sysfs.patch
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/netfilter_sysfs.patch 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/netfilter_sysfs.patch 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,8 +1,8 @@
-Index: linux-2.6.10-ctsync/include/linux/netfilter.h
+Index: netfilter-2.6.14/include/linux/netfilter.h
===================================================================
---- linux-2.6.10-ctsync.orig/include/linux/netfilter.h 2005-03-06 17:01:42.000000000 +0100
-+++ linux-2.6.10-ctsync/include/linux/netfilter.h 2005-03-07 22:08:13.000000000 +0100
-@@ -187,5 +187,20 @@
+--- netfilter-2.6.14.orig/include/linux/netfilter.h 2005-09-18 12:57:51.132268368 +0200
++++ netfilter-2.6.14/include/linux/netfilter.h 2005-10-06 18:10:11.833926224 +0200
+@@ -271,5 +271,20 @@
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif /*CONFIG_NETFILTER*/
@@ -23,112 +23,41 @@
+
#endif /*__KERNEL__*/
#endif /*__LINUX_NETFILTER_H*/
-Index: linux-2.6.10-ctsync/net/core/netfilter.c
+Index: netfilter-2.6.14/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
---- linux-2.6.10-ctsync.orig/net/core/netfilter.c 2005-03-06 17:01:46.000000000 +0100
-+++ linux-2.6.10-ctsync/net/core/netfilter.c 2005-03-07 22:09:53.000000000 +0100
-@@ -9,6 +9,7 @@
- * February 2000: Modified by James Morris to have 1 queue per protocol.
- * 15-Mar-2000: Added NF_REPEAT --RR.
- * 08-May-2003: Internal logging interface added by Jozsef Kadlecsik.
-+ * 07-Mar-2005: Add sysfs interface (Harald Welte)
- */
- #include <linux/config.h>
- #include <linux/kernel.h>
-@@ -819,6 +820,49 @@
- }
- }
+--- netfilter-2.6.14.orig/include/linux/netfilter_ipv4/ip_tables.h 2005-09-18 12:57:51.292244048 +0200
++++ netfilter-2.6.14/include/linux/netfilter_ipv4/ip_tables.h 2005-10-06 18:12:51.100713992 +0200
+@@ -364,6 +364,8 @@
-+static struct kobj_type netfilter_ktype = {
-+};
-+
-+decl_subsys(netfilter, &netfilter_ktype, NULL);
-+
-+int nf_subsys_register(struct nf_subsys *cls)
-+{
-+ int ret = 0;
-+
-+ ret = kobject_set_name(&cls->subsys.kset.kobj, "%s", cls->name);
-+ if (ret)
-+ goto out;
-+
-+ subsys_set_kset(cls, netfilter_subsys);
-+ ret = subsystem_register(&cls->subsys);
-+ if (ret)
-+ goto out;
-+
-+out:
-+ return ret;
-+}
-+EXPORT_SYMBOL_GPL(nf_subsys_register);
-+
-+void nf_subsys_unregister(struct nf_subsys *cls)
-+{
-+ subsystem_unregister(&cls->subsys);
-+}
-+EXPORT_SYMBOL_GPL(nf_subsys_unregister);
-+
-+int nf_kset_register(struct nf_subsys *subsys, struct kset *kset)
-+{
-+ kset->subsys = &subsys->subsys;
-+ return kset_register(kset);
-+}
-+EXPORT_SYMBOL_GPL(nf_kset_register);
-+
-+void nf_kset_unregister(struct kset *kset)
-+{
-+ kset_unregister(kset);
-+}
-+EXPORT_SYMBOL_GPL(nf_kset_unregister);
-+
-+
- void __init netfilter_init(void)
- {
- int i, h;
-@@ -827,6 +871,8 @@
- for (h = 0; h < NF_MAX_HOOKS; h++)
- INIT_LIST_HEAD(&nf_hooks[i][h]);
- }
-+
-+ subsystem_register(&netfilter_subsys);
- }
+ u_int8_t revision;
- EXPORT_SYMBOL(ip_ct_attach);
-Index: linux-2.6.10-ctsync/include/linux/netfilter_ipv4/ip_tables.h
-===================================================================
---- linux-2.6.10-ctsync.orig/include/linux/netfilter_ipv4/ip_tables.h 2004-12-24 22:34:57.000000000 +0100
-+++ linux-2.6.10-ctsync/include/linux/netfilter_ipv4/ip_tables.h 2005-03-08 10:29:48.703408432 +0100
-@@ -346,6 +346,8 @@
-
- const char name[IPT_FUNCTION_MAXNAMELEN];
-
+ struct kobject kobj;
+
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
/* Arguments changed since 2.4, as this must now handle
-@@ -380,6 +382,8 @@
+@@ -400,6 +402,8 @@
- const char name[IPT_FUNCTION_MAXNAMELEN];
+ u_int8_t revision;
+ struct kobject kobj;
+
/* Called when user tries to insert an entry of this type:
hook_mask is a bitmask of hooks from which it can be
called. */
-@@ -425,6 +429,8 @@
+@@ -441,6 +445,8 @@
/* A unique name... */
char name[IPT_TABLE_MAXNAMELEN];
+ struct kobject kobj;
+
- /* Seed table: copied in register_table */
- struct ipt_replace *table;
+ /* What hooks you will enter on */
+ unsigned int valid_hooks;
-Index: linux-2.6.10-ctsync/net/ipv4/netfilter/ip_tables.c
+Index: netfilter-2.6.14/net/ipv4/netfilter/ip_tables.c
===================================================================
---- linux-2.6.10-ctsync.orig/net/ipv4/netfilter/ip_tables.c 2004-12-24 22:34:26.000000000 +0100
-+++ linux-2.6.10-ctsync/net/ipv4/netfilter/ip_tables.c 2005-03-08 10:36:02.688554048 +0100
+--- netfilter-2.6.14.orig/net/ipv4/netfilter/ip_tables.c 2005-09-18 12:58:03.791343896 +0200
++++ netfilter-2.6.14/net/ipv4/netfilter/ip_tables.c 2005-10-06 19:49:59.300692920 +0200
@@ -11,12 +11,16 @@
* 19 Jan 2002 Harald Welte <laforge at gnumonks.org>
* - increase module usage count as soon as we have rules inside
@@ -211,31 +140,30 @@
/* Returns whether matches rule or not. */
static inline int
ip_packet_match(const struct iphdr *ip,
-@@ -1343,7 +1405,23 @@
- duprintf("ipt_register_target: `%s' already in list!\n",
- target->name);
- ret = -EINVAL;
-+ goto unlock_out;
- }
+@@ -1414,7 +1476,22 @@
+ ret = down_interruptible(&ipt_mutex);
+ if (ret != 0)
+ return ret;
++
+ memset(&target->kobj, 0, sizeof(target->kobj));
-+ ret = kobject_set_name(&target->kobj, "%s", target->name);
++ ret = kobject_set_name(&target->kobj, "%s_%d", target->name, target->revision);
+ if (ret < 0)
-+ goto listdel_out;
++ goto unlock_out;
+
+ target->kobj.parent = &ipt_target_kset.kobj;
+ target->kobj.kset = &ipt_target_kset;
+ target->kobj.ktype = &ktype_target;
+ ret = kobject_register(&target->kobj);
-+ if (ret == 0)
++ if (ret < 0)
+ goto unlock_out;
+
-+listdel_out:
-+ LIST_DELETE(&ipt_target, target);
+ list_add(&target->list, &ipt_target);
++
+unlock_out:
up(&ipt_mutex);
return ret;
}
-@@ -1352,6 +1430,7 @@
+@@ -1423,6 +1500,7 @@
ipt_unregister_target(struct ipt_target *target)
{
down(&ipt_mutex);
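Review bot: The failure path after `kobject_register(&target->kobj)` jumps straight to `unlock_out` and leaves the initialised kobject as it is; the match registration in the next hunk has the same shape. `kobject_set_name()` is given `"%s_%d"` with the target name and revision, and if that name is long enough to be heap-allocated it would not be released on this path. The usual cleanup is to drop the reference, `if (ret < 0) { kobject_put(&target->kobj); goto unlock_out; }`, but that needs confirming against the 2.6.14 kobject code and against `ktype_target`, which is defined outside this hunk. The enclosing function starts before the hunk, so any earlier checks are not visible here.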
@@ -243,33 +171,30 @@
LIST_DELETE(&ipt_target, target);
up(&ipt_mutex);
}
-@@ -1369,9 +1448,24 @@
- duprintf("ipt_register_match: `%s' already in list!\n",
- match->name);
- ret = -EINVAL;
-+ goto unlock_out;
- }
-- up(&ipt_mutex);
+@@ -1436,9 +1514,21 @@
+ if (ret != 0)
+ return ret;
+
+ memset(&match->kobj, 0, sizeof(match->kobj));
-+ ret = kobject_set_name(&match->kobj, "%s", match->name);
++ ret = kobject_set_name(&match->kobj, "%s_%d", match->name, match->revision);
+ if (ret < 0)
-+ goto listdel_out;
++ goto unlock_out;
+ match->kobj.parent = &ipt_match_kset.kobj;
+ match->kobj.kset = &ipt_match_kset;
+ match->kobj.ktype = &ktype_match;
+ ret = kobject_register(&match->kobj);
-+ if (ret == 0)
++ if (ret < 0)
+ goto unlock_out;
++
+ list_add(&match->list, &ipt_match);
+- up(&ipt_mutex);
-+listdel_out:
-+ LIST_DELETE(&ipt_match, match);
+unlock_out:
+ up(&ipt_mutex);
-+ printk(KERN_DEBUG "returning %d\n", ret);
return ret;
}
-@@ -1379,6 +1473,7 @@
+@@ -1446,6 +1536,7 @@
ipt_unregister_match(struct ipt_match *match)
{
down(&ipt_mutex);
@@ -277,7 +202,7 @@
LIST_DELETE(&ipt_match, match);
up(&ipt_mutex);
}
-@@ -1433,10 +1528,23 @@
+@@ -1500,10 +1591,23 @@
rwlock_init(&table->lock);
list_prepend(&ipt_tables, table);
@@ -301,7 +226,7 @@
free_unlock:
vfree(newinfo);
goto unlock;
-@@ -1445,6 +1553,7 @@
+@@ -1512,6 +1616,7 @@
void ipt_unregister_table(struct ipt_table *table)
{
down(&ipt_mutex);
@@ -309,7 +234,7 @@
LIST_DELETE(&ipt_tables, table);
up(&ipt_mutex);
-@@ -1866,12 +1975,24 @@
+@@ -1933,12 +2038,24 @@
}
#endif
@@ -335,3 +260,73 @@
nf_unregister_sockopt(&ipt_sockopts);
#ifdef CONFIG_PROC_FS
{
+Index: netfilter-2.6.14/net/netfilter/core.c
+===================================================================
+--- netfilter-2.6.14.orig/net/netfilter/core.c 2005-10-04 11:31:50.650828752 +0200
++++ netfilter-2.6.14/net/netfilter/core.c 2005-10-06 18:54:42.770882088 +0200
+@@ -9,6 +9,7 @@
+ * February 2000: Modified by James Morris to have 1 queue per protocol.
+ * 15-Mar-2000: Added NF_REPEAT --RR.
+ * 08-May-2003: Internal logging interface added by Jozsef Kadlecsik.
++ * 07-Mar-2005: Add sysfs interface (Harald Welte)
+ */
+ #include <linux/config.h>
+ #include <linux/kernel.h>
+@@ -195,6 +196,48 @@
+ EXPORT_SYMBOL(proc_net_netfilter);
+ #endif
+
++static struct kobj_type netfilter_ktype = {
++};
++
++decl_subsys(netfilter, &netfilter_ktype, NULL);
++
++int nf_subsys_register(struct nf_subsys *cls)
++{
++ int ret = 0;
++
++ ret = kobject_set_name(&cls->subsys.kset.kobj, "%s", cls->name);
++ if (ret)
++ goto out;
++
++ subsys_set_kset(cls, netfilter_subsys);
++ ret = subsystem_register(&cls->subsys);
++ if (ret)
++ goto out;
++
++out:
++ return ret;
++}
++EXPORT_SYMBOL_GPL(nf_subsys_register);
++
++void nf_subsys_unregister(struct nf_subsys *cls)
++{
++ subsystem_unregister(&cls->subsys);
++}
++EXPORT_SYMBOL_GPL(nf_subsys_unregister);
++
++int nf_kset_register(struct nf_subsys *subsys, struct kset *kset)
++{
++ kset->subsys = &subsys->subsys;
++ return kset_register(kset);
++}
++EXPORT_SYMBOL_GPL(nf_kset_register);
++
++void nf_kset_unregister(struct kset *kset)
++{
++ kset_unregister(kset);
++}
++EXPORT_SYMBOL_GPL(nf_kset_unregister);
++
+ void __init netfilter_init(void)
+ {
+ int i, h;
+@@ -203,6 +246,8 @@
+ INIT_LIST_HEAD(&nf_hooks[i][h]);
+ }
+
++ subsystem_register(&netfilter_subsys);
++
+ #ifdef CONFIG_PROC_FS
+ proc_net_netfilter = proc_mkdir("netfilter", proc_net);
+ if (!proc_net_netfilter)
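Review bot: The `subsystem_register(&netfilter_subsys);` call added to netfilter_init discards its return value, so a failed registration goes unnoticed and later nf_subsys_register() callers would hang their subsystems off a parent that was never registered. Check the result, e.g. `if (subsystem_register(&netfilter_subsys) < 0) printk(KERN_ERR "netfilter: cannot register sysfs subsystem\n");`. In nf_subsys_register the second `if (ret) goto out;` sits directly before `out:` and can be replaced by `return subsystem_register(&cls->subsys);`. The exported nf_subsys_*/nf_kset_* helpers would also benefit from a short comment stating that the caller owns `cls` and `kset` and must keep them alive until the matching unregister call returns. The body of netfilter_init continues outside the hunk.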
Modified: branches/netfilter-ha/linux-2.6-multigroup/patches/series
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/patches/series 2005-10-11 11:18:41 UTC (rev 4346)
+++ branches/netfilter-ha/linux-2.6-multigroup/patches/series 2005-10-13 16:22:52 UTC (rev 4354)
@@ -1,13 +1,7 @@
-ct_notifier_pkt.patch
-pf_packet.patch
-pf_packet_remove_warning.patch
-export_ip_conntrack_helpers.patch
-export_ip_nat_helpers.patch
-export_ip_conntrack_find.patch
-export_ip_nat_lock_and_hash.patch
-export_ip_conntrack_clean_from_lists.patch
-conntrack_hash_manip.patch
-conntrack_alloc.patch
-ct_sync_config_and_makefile.patch
+export_ip_conntrack_helpers.patch
+export_ip_nat_lock_and_hash.patch
+export_ip_conntrack_clean_from_lists.patch
+conntrack_hash_manip.patch
netfilter_sysfs.patch
inet_pton6.patch
+ct_sync_config_and_makefile.patch