David S. Miller <[EMAIL PROTECTED]> wrote:
>
> I've read over Patrick's two most recent postings of these patches
> and I think they are generally sane and I cannot find any holes in
> them. Herbert brought up the legitimate concern about defragmentation,
> but I think that's a detail and does no
From: Patrick McHardy <[EMAIL PROTECTED]>
Date: Mon, 21 Nov 2005 07:52:36 +0100
> I don't see why it is confusing. Plain text packets are visible before
> encapsulation (and they have to be because we don't necessarily know
> if packets will be encapsulated at the time the hooks are called in
> ca
Yasuyuki KOZAKAI wrote:
At first, now I could agree to use same name for hooks before/after xfrm
processing, if it's important to keep compatibility than to avoid difficulty
to use. Even now I think it's confusing to pass packets before/after xfrm to
same hook, and believe it's ideal to use diffe
From: "Randy.Dunlap" <[EMAIL PROTECTED]>
Date: Fri, 18 Nov 2005 23:07:35 -0800
> Fix kernel-doc warnings in network files.
>
> Signed-off-by: Randy Dunlap <[EMAIL PROTECTED]>
Applied, thanks Randy.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [E
From: Patrick McHardy <[EMAIL PROTECTED]>
Date: Sat, 19 Nov 2005 06:51:27 +0100
> Save a few bytes in struct sk_buff.
I nearly forgot we still had that wart around after the
SKB diet stuff.
Patch applied, thanks a lot.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the bo
From: Harald Welte <[EMAIL PROTECTED]>
Date: Sat, 19 Nov 2005 11:39:08 +0100
> [NETFILTER] nf_conntrack: replace handmade list with hlist in IPv6 reassembly
>
> nf_ct_frag6_queue has *next and **prev, so they can be replaced with hlist.
> Thanks Arnaldo Carvalho de Melo for the suggestion.
>
> S
From: Harald Welte <[EMAIL PROTECTED]>
Date: Sat, 19 Nov 2005 11:39:08 +0100
> [NETFILTER] Remove ARRAY_SIZE duplicate
>
> Signed-off-by: Nicolas Kaiser <[EMAIL PROTECTED]>
> Signed-off-by: Harald Welte <[EMAIL PROTECTED]>
Applied, thanks Harald.
-
To unsubscribe from this list: send the line "u
From: Harald Welte <[EMAIL PROTECTED]>
Date: Sat, 19 Nov 2005 23:23:29 +0100
> [NETFILTER] fixed dependencies between modules related with ip_conntrack
>
> - IP_NF_CONNTRACK_MARK is bool and depends on only IP_NF_CONNTRACK
> which is tristate. If a variable depends on IP_NF_CONNTRACK_MARK and
>
Applied, thanks Patrick.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi, Patrick,
From: Patrick McHardy <[EMAIL PROTECTED]>
Date: Sun, 20 Nov 2005 17:31:36 +0100
> [IPV4/6]: Netfilter IPsec input hooks
>
> When the innermost transform uses transport mode the decapsulated packet
> is not visible to netfilter. Pass the packet through the PRE_ROUTING and
> LOCAL_IN
EXPORT_SYMBOL's do nowadays belong to the files where the actual
functions are.
Moving the module_init/module_exit to the file with the actual functions
has the advantage of saving a few bytes due to the removal of two
functions.
Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
---
drivers/n
Am Sonntag, 20. November 2005 19:07 schrieb Patrick McHardy:
Hi!
> You're right, that's the reason. Since the patches touch quite a lot of
> code they won't make it in 2.6.15, though.
Hmm, I can wait for 2.6.16. But I tried to figure out what's going wrong a
couple of days. Now I know I'll just
On Mon, Nov 21, 2005 at 08:25:14AM +1100, Herbert Xu wrote:
> On Sun, Nov 20, 2005 at 04:21:32PM -0500, Dave Jones wrote:
> >
> > Hmm, that does make sense.
> > Maybe the problem exists elsewhere, as thinking more about it,
> > it's only certain sites that seem to have the problem
> > (I not
On Sun, Nov 20, 2005 at 04:21:32PM -0500, Dave Jones wrote:
>
> Hmm, that does make sense.
> Maybe the problem exists elsewhere, as thinking more about it,
> it's only certain sites that seem to have the problem
> (I notice it mostly on bugzilla.redhat.com, but that's probably
> due to the amount
On Mon, Nov 21, 2005 at 08:07:20AM +1100, Herbert Xu wrote:
> Dave Jones <[EMAIL PROTECTED]> wrote:
> > Has anything changed recently in how e1000 handles checksum
> > offload ? My desktop box has been rock solid for months,
> > but the last few weeks I've noticed a lot of timeouts
> > over ht
Dave Jones <[EMAIL PROTECTED]> wrote:
> Has anything changed recently in how e1000 handles checksum
> offload ? My desktop box has been rock solid for months,
> but the last few weeks I've noticed a lot of timeouts
> over http etc.
>
> Further investigation with ethereal showed incorrect tcp check
Has anything changed recently in how e1000 handles checksum
offload ? My desktop box has been rock solid for months,
but the last few weeks I've noticed a lot of timeouts
over http etc.
Further investigation with ethereal showed incorrect tcp checksums
on certain packets.
Disabling rx/tx offload
On Sun, Nov 20, 2005 at 04:35:46PM +0100, Richard Knutsson wrote:
>
> >-#ifdef CONFIG_EISA
> >-cardcount = eisa_driver_register(&dgrs_eisa_driver);
> >+cardcount = dgrs_register_eisa();
> > if (cardcount < 0)
> > return cardcount;
> >-#endif
> >-cardcount = pci_register_
Joerg Platte wrote:
Am Sonntag, 20. November 2005 17:31 schrieb Patrick McHardy:
Hi!
- policy lookups after NAT:
When NAT changes a packet it already calls ip_route_me_harder, which
reroutes the packet and does a new policy lookup. It only looks at
the IP addresses however, changing the port n
Am Sonntag, 20. November 2005 17:31 schrieb Patrick McHardy:
Hi!
> - policy lookups after NAT:
>
> When NAT changes a packet it already calls ip_route_me_harder, which
> reroutes the packet and does a new policy lookup. It only looks at
> the IP addresses however, changing the port numbers require
Patrick McHardy wrote:
[NETFILTER]: Redo policy lookups after NAT when neccessary
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -195,13 +195,18 @@ static inline int ip_finish_output2(stru
return dst->neighbour->output(skb);
if (net_ratelimit())
- pri
This is the latest netfilter/IPsec patchset. Its purpose is to make
IPsec look as much as a normal tunnel device to netfilter as possible
and to enable NAT support.
It consists of basically five parts:
- output hooks:
Currently on the output path netfilter sees the plain text packet in
LOCAL_OUT
[NETFILTER]: Add ipt_policy/ip6t_policy matches
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit ff88b88efc987d1267eccf01e16880458d189a25
tree 53c34259c195cf64903940f151becd967bcce74d
parent 055c50b770e63ced784808ae22ef339724b1a44c
author Patrick McHardy <[EMAIL PROTECTED]> Sat, 19 N
[NETFILTER]: Handle NAT in IPsec policy checks
Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi
of the original packet from the conntrack information for IPsec policy
checks.
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit 8b46eb2d8365ab18cc965f3768103316
[NETFILTER]: Redo policy lookups after NAT when neccessary
When NAT changes the key used for the xfrm lookup it needs to be done again.
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit 8cb6cfa80dd5dc4da1de280a0278746c262a2d8d
tree efffac2335bd21d0a0c2aa848df544002e4316f4
parent 864c
[IPV4]: Replace dst_output by ip_dst_output
Preparation for netfilter IPsec support.
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit 4eb320a6444a9035da8a83e4886b3691a2ea98f7
tree d31f7b331e06e1e598593c4095be7713e6fd3ba0
parent d3c70d774e32c4d6f4cc6b8b0b73678aa14a9932
author Patrick
[NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder
ip_route_me_harder doesn't use the port numbers of the xfrm lookup and
uses ip_route_input for non-local addresses which doesn't do a xfrm
lookup, ip6_route_me_harder doesn't do a xfrm lookup at all.
Use xfrm_decode_session an
[NETFILTER]: Remove okfn usage in ip_vs_core.c
okfn should only be used from different contexts to avoid deep call stacks,
i.e. by nf_queue.
Acked-by: Julian Anastasov <[EMAIL PROTECTED]>
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit ebb0baec0a5e909d4acf16a15601f013093fefb3
tree
[NETFILTER]: Call POST_ROUTING hook before fragmentation
Call POST_ROUTING hook before fragmentation to get rid of the okfn use
in ip_refrag and save the useless fragmentation/defragmentation step
when NAT is used.
The patch introduces one user-visible change, the POSTROUTING chain
in the mangle
[NETFILTER]: Use conntrack information to determine if packet was NATed
Preparation for full IPsec support for NAT:
Use conntrack information instead of saving the saving and comparing the
addresses to determine if a packet was NATed and needs to be rerouted to
make it easier to extend the key.
[IPV4/6]: Netfilter IPsec input hooks
When the innermost transform uses transport mode the decapsulated packet
is not visible to netfilter. Pass the packet through the PRE_ROUTING and
LOCAL_IN hooks again before handing it to upper layer protocols to make
netfilter-visibility symetrical to the out
[NETFILTER]: Export ip6_masked_addrcmp, don't pass IPv6 addresses on stack
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit 055c50b770e63ced784808ae22ef339724b1a44c
tree b8dc07727bb80b83c5b236f4157ed588927f46da
parent 8b46eb2d8365ab18cc965f37681033162a834fe5
author Patrick McHardy <[
[IPV6]: Replace dst_output by ip6_dst_output
Preparation for netfilter IPsec support.
Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
---
commit 73f59ffcebcd0a08f6a405c8522074e8b5892b73
tree 4be1e3bb174f611fa57ee6e1b8d9187e784c85ad
parent 4eb320a6444a9035da8a83e4886b3691a2ea98f7
author Patric
[IPV4/6]: Netfilter IPsec output hooks
Add alternative ip_dst_output/ip6_dst_output functions to call netfilter
hooks between xfrm transforms. Packets visit the FORWARD/LOCAL_OUT and
POST_ROUTING hook before encapsulation and the LOCAL_OUT and POST_ROUTING
hook after each tunnel mode transform.
S
Herbert Xu wrote:
Richard Knutsson <[EMAIL PROTECTED]> wrote:
diff -Narup a/drivers/net/dgrs.c b/drivers/net/dgrs.c
--- a/drivers/net/dgrs.c2005-11-19 20:17:51.0 +0100
+++ b/drivers/net/dgrs.c2005-11-19 20:29:52.0 +0100
@@ -1458,6 +1458,8 @@ static struct pci_
Richard Knutsson <[EMAIL PROTECTED]> wrote:
>
> diff -Narup a/drivers/net/dgrs.c b/drivers/net/dgrs.c
> --- a/drivers/net/dgrs.c2005-11-19 20:17:51.0 +0100
> +++ b/drivers/net/dgrs.c2005-11-19 20:29:52.0 +0100
> @@ -1458,6 +1458,8 @@ static struct pci_driver dgrs_pc
36 matches
Mail list logo
