diff -aruN netfilter-ha/linux-2.6/ct_sync/ct_sync.h netfilter-ha.heile/linux-2.6/ct_sync/ct_sync.h --- netfilter-ha/linux-2.6/ct_sync/ct_sync.h 2006-03-24 21:02:13.612504860 +0100 +++ netfilter-ha.heile/linux-2.6/ct_sync/ct_sync.h 2006-03-24 20:59:56.736073247 +0100 @@ -159,7 +159,6 @@ #ifdef CONFIG_IP_NF_NAT_NEEDED int nat_initialized; __u8 nat_num_manips; - struct ip_nat_info_manip nat_manips[IP_NAT_MAX_MANIPS]; char nat_helper[CT_SYNC_NATHELPERSIZE]; union ip_conntrack_nat_help nat_help; struct ip_nat_seq nat_seq[IP_CT_DIR_MAX]; @@ -183,7 +182,6 @@ struct ip_conntrack_tuple tuple, mask; /* expectation tuple and mask */ __u32 seq; /* sequence number */ union ip_conntrack_expect_proto proto; /* protocol specific info */ - union ip_conntrack_expect_help help; /* expectation helper specific info */ }; #ifdef __KERNEL__ diff -aruN netfilter-ha/linux-2.6/ct_sync/ct_sync_main.c netfilter-ha.heile/linux-2.6/ct_sync/ct_sync_main.c --- netfilter-ha/linux-2.6/ct_sync/ct_sync_main.c 2006-03-24 21:02:13.608504613 +0100 +++ netfilter-ha.heile/linux-2.6/ct_sync/ct_sync_main.c 2006-03-24 20:59:56.740073493 +0100 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include @@ -58,8 +59,9 @@ #define CT_SYNC_DUMP_TUPLE(x) #endif -#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_conntrack_lock) -#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_conntrack_lock) +#define ASSERT_READ_LOCK(x) +#define ASSERT_WRITE_LOCK(x) + #include #define CT_SYNC_VERSION "0.20" 
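Review bot: Dropping `nat_manips` from the struct at @@ -159 changes the size and layout of the sync record that is sent to peers, yet `CT_SYNC_VERSION` stays "0.20" in the ct_sync_main.c hunk at @@ -58; if that define is what peers compare, a node still on the old layout will decode every NAT field that follows at the wrong offset without any error. Either bump the version or add a comment on the struct saying the layout is tied to it, e.g. `/* wire layout: any change here requires a CT_SYNC_VERSION bump */`. The same holds for the `help` member removed at @@ -183. The `nat_initialized` and `nat_num_manips` fields kept here are no longer written by the sender (ct_sync_main.c @@ -198), so they are now dead on the wire; if they are retained for compatibility, say so next to them.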
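Review bot: Defining `ASSERT_READ_LOCK(x)` and `ASSERT_WRITE_LOCK(x)` as empty at @@ -58 silently compiles out the lock-held checks that listhelp.h applies to every LIST_FIND and LIST_DELETE in this file, and nothing records why. If `MUST_BE_READ_LOCKED`/`MUST_BE_WRITE_LOCKED` no longer exist in the target kernel (which the `READ_LOCK` to `read_lock_bh` conversion throughout this diff suggests), state that: `/* MUST_BE_*_LOCKED are gone; listhelp.h needs these defined, so the checks are compiled out */`. Without some replacement assertion the lock discipline of the hash walks further down in this file is no longer checkable in debug builds.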
@@ -198,21 +200,9 @@ memcpy(&sct->proto, &ct->proto, sizeof(sct->proto)); #ifdef CONFIG_IP_NF_NAT_NEEDED - if (likely(ct->nat.info.initialized)) { + if (likely(ct->status & IPS_NAT_DONE_MASK)) { const struct ip_nat_info *nat = &ct->nat.info; - sct->nat_initialized = nat->initialized; - sct->nat_num_manips = nat->num_manips; - memcpy(sct->nat_manips, &nat->manips, - (nat->num_manips * sizeof(struct ip_nat_info_manip))); - if (unlikely(nat->helper != NULL)) { - strncpy(sct->nat_helper, nat->helper->name, - sizeof(sct->nat_helper)); - memcpy(&sct->nat_help, &ct->nat.help, - sizeof(sct->nat_help)); - } else - sct->nat_helper[0] = '\0'; - memcpy(&sct->nat_seq, &nat->seq, sizeof(sct->nat_seq)); #if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) @@ -286,33 +276,6 @@ #ifdef CONFIG_IP_NF_CONNTRACK_MARK ct->mark = (unsigned long) sct->mark; #endif - /* if conntrack has a helper, update helper info */ - if (ct->helper) - memcpy(&ct->help, &sct->help, sizeof(ct->help)); -#ifdef CONFIG_IP_NF_NAT_NEEDED - /* if there is a nat helper present, update helper info */ - if (sct->nat_initialized && ct->nat.info.initialized && - ct->nat.info.helper) - memcpy(&ct->nat.help, &sct->nat_help, sizeof(ct->nat.help)); - - /* if there are more manips initialized in sct than in ct, update ct */ - if (unlikely(sct->nat_num_manips > ct->nat.info.num_manips)) { - int m; - printk(KERN_DEBUG "more manips than first sync !!!\n"); - for (m = ct->nat.info.num_manips; m < sct->nat_num_manips; m++) { - memcpy(&ct->nat.info.manips[m], &sct->nat_manips[m], - sizeof(struct ip_nat_info_manip)); - } - ct->nat.info.num_manips = sct->nat_num_manips; - - WRITE_LOCK(&ip_nat_lock); - if (ct->nat.info.initialized) - replace_in_hashes(ct, &ct->nat.info); - else - place_in_hashes(ct, &ct->nat.info); - WRITE_UNLOCK(&ip_nat_lock); - } -#endif } else { #ifdef CONFIG_IP_NF_NAT_NEEDED struct ip_nat_info *nat = &ct->nat.info; 
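Review bot: The new `IPS_NAT_DONE_MASK` branch at @@ -198 no longer fills `sct->nat_initialized`, `sct->nat_num_manips`, `sct->nat_helper`, `sct->nat_help` or `sct->nat_seq`, but every one of them is still a member of the record sent to peers (ct_sync.h @@ -159). Unless `sct` is zeroed before this function fills it — its allocation is outside the hunk — those bytes go out uninitialised, which leaks kernel memory contents to the multicast group and leaves the receiver reading garbage; zero the record up front, or clear each retained field explicitly (e.g. `sct->nat_helper[0] = '\0';` as the old code did), or drop them from the header. `const struct ip_nat_info *nat` now appears to serve only the masquerade block that follows; if that block is compiled out it becomes an unused variable. Losing `nat_seq` also means sequence adjustments of NAT-helper connections are no longer synchronised, which deserves a comment if intended. The enclosing function starts before this hunk.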
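Review bot: After @@ -286 the update path for an existing conntrack copies no helper state at all (`ct->help`, `ct->nat.help`) and no NAT manip data from the peer, and the creation path at @@ -337 stores `ct->helper` without initialising `ct->help` either, so helper-private data is never synchronised in either direction. If this is deliberate — helper state is to be rebuilt from local traffic — add a comment at the top of the `} else {` branch, e.g. `/* helper and NAT-helper private data are intentionally not synced; they are rebuilt locally */`, so the next reader does not take the absence for an omission. The enclosing function begins before this hunk.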
@@ -337,57 +300,28 @@ struct ip_conntrack_helper *helper; sct->helper[CT_SYNC_CTHELPERSIZE - 1] = '\0'; - READ_LOCK(&ip_conntrack_lock); - helper = __ip_ct_find_helper_by_name(sct->helper); + read_lock_bh(&ip_conntrack_lock); + helper = __ip_conntrack_helper_find_byname(sct->helper); if (unlikely(!helper)) { CT_SYNC_ERR("Unknown conntrack helper `%s', " "ignoring.\n", sct->helper); ct->helper = NULL; } else { ct->helper = helper; - memcpy(&ct->help, &sct->help, sizeof(ct->help)); } - READ_UNLOCK(&ip_conntrack_lock); + read_unlock_bh(&ip_conntrack_lock); } #ifdef CONFIG_IP_NF_NAT_NEEDED /* NAT */ INIT_LIST_HEAD(&nat->bysource); - INIT_LIST_HEAD(&nat->byipsproto); - if (likely(sct->nat_initialized && - sct->nat_num_manips <= IP_NAT_MAX_MANIPS)) { + if (likely(sct->status & IPS_NAT_DONE_MASK)) { #if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) struct net_device *masq_dev; #endif - nat->initialized = sct->nat_initialized; - /* do not set .conntrack, place_in_hashes will do */ - nat->num_manips = sct->nat_num_manips; - memcpy(&nat->manips, sct->nat_manips, - (sct->nat_num_manips * sizeof(struct ip_nat_info_manip))); - - /* NAT helper, if present */ - if (unlikely(sct->nat_helper[0] != '\0')) { - struct ip_nat_helper *helper; - /* look up nat helper */ - sct->nat_helper[CT_SYNC_NATHELPERSIZE - 1] = '\0'; - READ_LOCK(&ip_nat_lock); - helper = __ip_nat_find_helper_by_name(sct->nat_helper); - if (unlikely(!helper)) { - CT_SYNC_ERR("Unknown NAT helper `%s', ignoring\n", sct->nat_helper); - nat->helper = NULL; - memset(&ct->nat.help, 0, sizeof(ct->nat.help)); - } else { - nat->helper = helper; - memcpy(&ct->nat.help, &sct->nat_help, - sizeof(ct->nat.help)); - } - READ_UNLOCK(&ip_nat_lock); - memcpy(&nat->seq, &sct->nat_seq, sizeof(nat->seq)); - } - #if defined(CONFIG_IP_NF_TARGET_MASQUERADE) \ || defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE) if (sct->nat_masq_iface[0] != '\0') { 
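Review bot: `sct->status` arrives from the peer, and the new test `if (likely(sct->status & IPS_NAT_DONE_MASK))` at @@ -337 is what later makes @@ -409 call `ip_nat_hash_insert(ct)`, so NAT hash membership is now decided by an unvalidated wire field; the `nat_num_manips <= IP_NAT_MAX_MANIPS` bound removed here was the last local check applied to peer NAT data. Whether that is safe depends on `ip_nat_hash_insert` deriving everything from the tuples, which is outside this diff; if so, say it above the test, `/* NAT state is derived from the tuples; the peer only tells us whether NAT applied */`, and consider masking `sct->status` to the bits the receiver expects before it is copied into `ct->status`. The helper block above now sets `ct->helper` but no longer touches `ct->help`, so the helper starts with whatever the allocator left there. The enclosing function starts before this hunk.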
@@ -409,26 +343,24 @@ #endif /* CONFIG_IP_NF_NAT_NEEDED */ /* add to hash tables */ - WRITE_LOCK(&ip_conntrack_lock); + write_lock_bh(&ip_conntrack_lock); if (!__ip_conntrack_find(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, NULL) && !__ip_conntrack_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, NULL)) { /* put in conntrack hash */ - __ip_conntrack_hash_insert(ct); + ip_conntrack_hash_insert_nolock(ct); atomic_inc(&ct->ct_general.use); #ifdef CONFIG_IP_NF_NAT_NEEDED /* put in NAT hashes if necessary */ - if (ct->nat.info.initialized) { - WRITE_LOCK(&ip_nat_lock); - place_in_hashes(ct, &ct->nat.info); - WRITE_UNLOCK(&ip_nat_lock); + if (ct->status & IPS_NAT_DONE_MASK) { + ip_nat_hash_insert(ct); } #endif } else { CT_SYNC_ERR("want to put conntrack in hash but is already there\n"); } - WRITE_UNLOCK(&ip_conntrack_lock); + write_unlock_bh(&ip_conntrack_lock); } /* if (new) */ CT_SYNC_LEAVE(); @@ -443,9 +375,9 @@ CT_SYNC_ENTER(); del_timer(&ct->timeout); - WRITE_LOCK(&ip_conntrack_lock); + write_lock_bh(&ip_conntrack_lock); ip_conntrack_clean_from_lists(ct); - WRITE_UNLOCK(&ip_conntrack_lock); + write_unlock_bh(&ip_conntrack_lock); ip_conntrack_put(ct); CT_SYNC_LEAVE(); @@ -457,7 +389,7 @@ _start_ct_timer(const struct ip_conntrack_tuple_hash *h, unsigned int *num, unsigned int *started) { - struct ip_conntrack *ct = h->ctrack; + struct ip_conntrack *ct = tuplehash_to_ctrack(h); if (DIRECTION(h)) return 0; @@ -485,7 +417,7 @@ CT_SYNC_ENTER(); - WRITE_LOCK(&ip_conntrack_lock); + write_lock_bh(&ip_conntrack_lock); for (i = 0; i < ip_conntrack_htable_size; i++) { if (LIST_FIND(&ip_conntrack_hash[i], _start_ct_timer, @@ -494,7 +426,7 @@ break; } - WRITE_UNLOCK(&ip_conntrack_lock); + write_unlock_bh(&ip_conntrack_lock); CT_SYNC_INFO("started timer of %u (total %u) conntrack entries\n", num_started, num_entries); 
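Review bot: `ip_conntrack_hash_insert_nolock()` at @@ -409 is defined nowhere in this diff, while `patches/conntrack_hash_manip.patch`, which provided the old non-locking `__ip_conntrack_hash_insert()`, is deleted below; confirm the target kernel exports a symbol of that name and that it really takes no lock, because it is called here under `write_lock_bh(&ip_conntrack_lock)`. `ip_nat_hash_insert()` likewise replaces an explicit `WRITE_LOCK(&ip_nat_lock)` section — if it takes `ip_nat_lock` internally, record the resulting order in a comment, `/* lock order: ip_conntrack_lock, then ip_nat_lock inside ip_nat_hash_insert */`, so it is not inverted elsewhere. A conntrack placed directly into the hash here also needs `IPS_CONFIRMED` set, otherwise the first locally seen packet will go through `__ip_conntrack_confirm()` and try to insert it a second time; if that bit is taken from `sct->status` it is another peer-supplied value worth checking. The enclosing function continues past the hunk.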
@@ -506,7 +438,7 @@ _stop_ct_timer(const struct ip_conntrack_tuple_hash *h, unsigned int *num, unsigned int *stopped) { - struct ip_conntrack *ct = h->ctrack; + struct ip_conntrack *ct = tuplehash_to_ctrack(h); if (DIRECTION(h)) return 0; @@ -534,7 +466,7 @@ CT_SYNC_ENTER(); - WRITE_LOCK(&ip_conntrack_lock); + write_lock_bh(&ip_conntrack_lock); for (i = 0; i < ip_conntrack_htable_size; i++) { if (LIST_FIND(&ip_conntrack_hash[i], _stop_ct_timer, @@ -543,7 +475,7 @@ break; } - WRITE_UNLOCK(&ip_conntrack_lock); + write_unlock_bh(&ip_conntrack_lock); CT_SYNC_INFO("stopped timer of %u (total %u) conntrack entries\n", num_stopped, num_entries); @@ -580,7 +512,7 @@ h = ip_conntrack_find_get(&sct->orig, NULL); if (h) { - ct = h->ctrack; + ct = tuplehash_to_ctrack(h); } else { CT_SYNC_DEBUG("Conntrack entry not found, creating.\n"); ct = ip_conntrack_alloc(&dummy_tuple, &dummy_tuple); @@ -632,10 +564,12 @@ h = ip_conntrack_find_get(t, NULL); if (h) { - _ct_sync_remove_conntrack(h->ctrack); + struct ip_conntrack *ct = tuplehash_to_ctrack(h); + + _ct_sync_remove_conntrack(ct); CT_SYNC_DEBUG("Deleting conntrack: "); CT_SYNC_DUMP_TUPLE(t); - ip_conntrack_put(h->ctrack); + ip_conntrack_put(ct); } else { CTS_STAT_INC(rx.del_nothere); CT_SYNC_DEBUG("Cannot delete nonexistent conntrack:"); @@ -1181,7 +1115,7 @@ static inline int _send_initsync(const struct ip_conntrack_tuple_hash *h, unsigned int *num) { - struct ip_conntrack *ct = h->ctrack; + struct ip_conntrack *ct = tuplehash_to_ctrack(h); if (DIRECTION(h)) return 0; @@ -1280,13 +1214,13 @@ if (kthread_should_stop()) break; - READ_LOCK(&ip_conntrack_lock); + read_lock_bh(&ip_conntrack_lock); dump_bucket_locked: if (LIST_FIND(&ip_conntrack_hash[i], _send_initsync, struct ip_conntrack_tuple_hash *, &num_sent)) { - READ_UNLOCK(&ip_conntrack_lock); + read_unlock_bh(&ip_conntrack_lock); break; } if (num_sent < 40 && 
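Review bot: The initial-sync loop at @@ -1280 now holds `read_lock_bh(&ip_conntrack_lock)` while `_send_initsync` runs for up to 40 entries, and `goto dump_bucket_locked` carries the lock across bucket boundaries; this was already an atomic section, but with bottom halves disabled nothing reached from `_send_initsync` may sleep or allocate with a sleeping flag, and packet processing on this CPU, including the sync socket's own receive path, stalls for the whole batch. A comment at the label would make the constraint explicit: `/* lock held with BH off: _send_initsync must stay atomic and short */`. The function containing this loop starts before the hunk.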
@@ -1294,7 +1228,7 @@ i++; goto dump_bucket_locked; } - READ_UNLOCK(&ip_conntrack_lock); + read_unlock_bh(&ip_conntrack_lock); num_sent_total += num_sent; @@ -1817,7 +1751,7 @@ goto error_hook1; if (nf_register_hook(&cts_hook_ops[3]) < 0) goto error_hook2; - ip_ct_selective_cleanup(kill_all, NULL); + ip_conntrack_cleanup(); } /* init protocol layer */ diff -aruN netfilter-ha/linux-2.6/ct_sync/ct_sync_sock.c netfilter-ha.heile/linux-2.6/ct_sync/ct_sync_sock.c --- netfilter-ha/linux-2.6/ct_sync/ct_sync_sock.c 2006-03-24 21:02:13.608504613 +0100 +++ netfilter-ha.heile/linux-2.6/ct_sync/ct_sync_sock.c 2006-03-24 20:59:56.740073493 +0100 @@ -39,6 +39,8 @@ #include +#include + /* * Setup loopback of outgoing multicasts on a sending socket */ diff -aruN netfilter-ha/linux-2.6/patches/conntrack_alloc.patch netfilter-ha.heile/linux-2.6/patches/conntrack_alloc.patch --- netfilter-ha/linux-2.6/patches/conntrack_alloc.patch 2006-03-24 21:02:13.700510278 +0100 +++ netfilter-ha.heile/linux-2.6/patches/conntrack_alloc.patch 1970-01-01 01:00:00.000000000 +0100 
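Review bot: `ip_conntrack_cleanup()` at @@ -1817 is, in the mainline ip_conntrack core, the module-exit teardown of the whole subsystem — it unregisters the protocol handlers and frees the conntrack hash — rather than a flush of existing entries, so calling it from this module's init would most likely destroy the tables ct_sync is about to use. The removed `ip_ct_selective_cleanup(kill_all, NULL)` was renamed upstream to `ip_ct_iterate_cleanup(kill_all, NULL)`; that keeps the existing `kill_all` callback and the original "drop every entry" semantics. If a full teardown really is intended, a comment explaining why is needed. The enclosing init function starts before this hunk.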
@@ -1,176 +0,0 @@ -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:57:40.500527040 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:57:53.673524440 +0100 -@@ -889,6 +889,8 @@ - EXPORT_SYMBOL(ip_conntrack_protocol_register); - EXPORT_SYMBOL(ip_conntrack_protocol_unregister); - EXPORT_SYMBOL(invert_tuplepr); -+EXPORT_SYMBOL(ip_conntrack_alloc); -+EXPORT_SYMBOL(ip_conntrack_free); - EXPORT_SYMBOL(ip_conntrack_alter_reply); - EXPORT_SYMBOL(ip_conntrack_destroyed); - EXPORT_SYMBOL(need_ip_conntrack); -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:41:44.020934040 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:57:53.676523984 +0100 -@@ -336,10 +336,20 @@ - ip_ct_gather_frags(struct sk_buff *skb); - - /* Delete all conntracks which match. */ --extern void -+void - ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data), - void *data); - -+/* Allocates and initializes a new ip_conntrack structure, increment allocated -+ * conntrack count. -+ * Returns: ERR_PTR(-ENOMEM) in case of failure, conntrack pointer otherwise */ -+struct ip_conntrack * -+ip_conntrack_alloc(const struct ip_conntrack_tuple *orig, -+ const struct ip_conntrack_tuple *reply); -+ -+/* Free conntrack structure and decrement number of allocated conntrack entries. */ -+extern void ip_conntrack_free(struct ip_conntrack *); -+ - /* It's confirmed if it is, or has been in the hash table. 
*/ - static inline int is_confirmed(struct ip_conntrack *ct) - { -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:57:40.508525824 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:59:34.087259232 +0100 -@@ -277,6 +277,13 @@ - remove_expectations(ct, 1); - } - -+inline void -+ip_conntrack_free(struct ip_conntrack *conntrack) -+{ -+ kmem_cache_free(ip_conntrack_cachep, conntrack); -+ atomic_dec(&ip_conntrack_count); -+} -+ - static void - destroy_conntrack(struct nf_conntrack *nfct) - { -@@ -321,8 +328,7 @@ - ip_conntrack_put(master); - - DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct); -- kmem_cache_free(ip_conntrack_cachep, ct); -- atomic_dec(&ip_conntrack_count); -+ ip_conntrack_free(ct); - } - - static void death_by_timeout(unsigned long ul_conntrack) -@@ -558,22 +564,19 @@ - - /* Allocate a new conntrack: we return -ENOMEM if classification - failed due to stress. Otherwise it really is unclassifiable. 
*/ --static struct ip_conntrack_tuple_hash * --init_conntrack(const struct ip_conntrack_tuple *tuple, -- struct ip_conntrack_protocol *protocol, -- struct sk_buff *skb) -+struct ip_conntrack * -+ip_conntrack_alloc(const struct ip_conntrack_tuple *orig, -+ const struct ip_conntrack_tuple *reply) - { - struct ip_conntrack *conntrack; -- struct ip_conntrack_tuple repl_tuple; - size_t hash; -- struct ip_conntrack_expect *expected; - - if (!ip_conntrack_hash_rnd_initted) { - get_random_bytes(&ip_conntrack_hash_rnd, 4); - ip_conntrack_hash_rnd_initted = 1; - } - -- hash = hash_conntrack(tuple); -+ hash = hash_conntrack(orig); - - if (ip_conntrack_max - && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) { -@@ -587,11 +590,6 @@ - } - } - -- if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) { -- DEBUGP("Can't invert tuple.\n"); -- return NULL; -- } -- - conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC); - if (!conntrack) { - DEBUGP("Can't allocate conntrack.\n"); -@@ -601,20 +599,46 @@ - memset(conntrack, 0, sizeof(*conntrack)); - atomic_set(&conntrack->ct_general.use, 1); - conntrack->ct_general.destroy = destroy_conntrack; -- conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *tuple; -+ conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig; - conntrack->tuplehash[IP_CT_DIR_ORIGINAL].ctrack = conntrack; -- conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = repl_tuple; -+ conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *reply; - conntrack->tuplehash[IP_CT_DIR_REPLY].ctrack = conntrack; -- if (!protocol->new(conntrack, skb)) { -- kmem_cache_free(ip_conntrack_cachep, conntrack); -- return NULL; -- } -+ - /* Don't set timer yet: wait for confirmation */ - init_timer(&conntrack->timeout); - conntrack->timeout.data = (unsigned long)conntrack; - conntrack->timeout.function = death_by_timeout; - - INIT_LIST_HEAD(&conntrack->sibling_list); -+ atomic_inc(&ip_conntrack_count); -+ -+ return conntrack; -+} -+ -+static struct ip_conntrack_tuple_hash * 
-+init_conntrack(const struct ip_conntrack_tuple *tuple, -+ struct ip_conntrack_protocol *protocol, -+ struct sk_buff *skb) -+{ -+ struct ip_conntrack *conntrack; -+ struct ip_conntrack_tuple repl_tuple; -+ struct ip_conntrack_expect *expected; -+ -+ if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) { -+ DEBUGP("Can't invert tuple.\n"); -+ return NULL; -+ } -+ -+ conntrack = ip_conntrack_alloc(tuple, &repl_tuple); -+ if (!conntrack || IS_ERR(conntrack)) { -+ DEBUGP("Can't allocate conntrack.\n"); -+ return ERR_PTR(-ENOMEM); -+ } -+ -+ if (!protocol->new(conntrack, skb)) { -+ ip_conntrack_free(conntrack); -+ return NULL; -+ } - - WRITE_LOCK(&ip_conntrack_lock); - /* Need finding and deleting of expected ONLY if we win race */ -@@ -654,7 +678,6 @@ - nf_conntrack_get(&master_ct(conntrack)->ct_general); - - /* this is a braindead... --pablo */ -- atomic_inc(&ip_conntrack_count); - WRITE_UNLOCK(&ip_conntrack_lock); - - if (expected->expectfn) -@@ -669,7 +692,7 @@ - CONNTRACK_STAT_INC(new); - } - --end: atomic_inc(&ip_conntrack_count); -+end: - WRITE_UNLOCK(&ip_conntrack_lock); - - ret: return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL]; diff -aruN netfilter-ha/linux-2.6/patches/conntrack_hash_manip.patch netfilter-ha.heile/linux-2.6/patches/conntrack_hash_manip.patch --- netfilter-ha/linux-2.6/patches/conntrack_hash_manip.patch 2006-03-24 21:02:13.700510278 +0100 +++ netfilter-ha.heile/linux-2.6/patches/conntrack_hash_manip.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,83 +0,0 @@ -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:18.557227088 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:57:40.500527040 +0100 -@@ -915,6 +915,8 @@ - EXPORT_SYMBOL(ip_conntrack_untracked); - EXPORT_SYMBOL_GPL(ip_conntrack_find_get); - EXPORT_SYMBOL_GPL(__ip_conntrack_find); -+EXPORT_SYMBOL_GPL(__ip_conntrack_hash_insert); -+EXPORT_SYMBOL_GPL(__ip_conntrack_hash_remove); - EXPORT_SYMBOL_GPL(ip_conntrack_clean_from_lists); - EXPORT_SYMBOL_GPL(ip_conntrack_put); - #ifdef CONFIG_IP_NF_NAT_NEEDED -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:18.559226784 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:57:40.503526584 +0100 -@@ -56,6 +56,10 @@ - - extern void ip_conntrack_clean_from_lists(struct ip_conntrack *ct); - -+/* Non-locked conntrack hash insert and remove function: for ct_sync. 
*/ -+void __ip_conntrack_hash_insert(struct ip_conntrack *ct); -+void __ip_conntrack_hash_remove(struct ip_conntrack *ct); -+ - extern struct list_head *ip_conntrack_hash; - extern struct list_head ip_conntrack_expect_list; - DECLARE_RWLOCK_EXTERN(ip_conntrack_lock); -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:56:56.733180688 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:57:40.508525824 +0100 -@@ -268,15 +268,10 @@ - void - ip_conntrack_clean_from_lists(struct ip_conntrack *ct) - { -- unsigned int ho, hr; -- - DEBUGP("ip_conntrack_clean_from_lists(%p)\n", ct); - MUST_BE_WRITE_LOCKED(&ip_conntrack_lock); - -- ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); -- hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); -- LIST_DELETE(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]); -- LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]); -+ __ip_conntrack_hash_remove(ct); - - /* Destroy all un-established, pending expectations */ - remove_expectations(ct, 1); -@@ -389,6 +384,33 @@ - return h; - } - -+/* Insert a conntrack into the hash. Caller holds a write lock on -+ * the conntrack hash. */ -+void -+__ip_conntrack_hash_insert(struct ip_conntrack *ct) -+{ -+ unsigned int ho, hr; -+ -+ ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); -+ hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); -+ -+ list_prepend(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]); -+ list_prepend(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]); -+} -+ -+/* Remove a conntrack from the hash. Caller holds a write lock on -+ * the conntrack hash. 
*/ -+void -+__ip_conntrack_hash_remove(struct ip_conntrack *ct) -+{ -+ unsigned int ho, hr; -+ -+ ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); -+ hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); -+ LIST_DELETE(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]); -+ LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]); -+} -+ - /* Confirm a connection given skb; places it in hash table */ - int - __ip_conntrack_confirm(struct sk_buff *skb) diff -aruN netfilter-ha/linux-2.6/patches/ct_notifier_pkt.patch netfilter-ha.heile/linux-2.6/patches/ct_notifier_pkt.patch --- netfilter-ha/linux-2.6/patches/ct_notifier_pkt.patch 2006-03-24 21:02:13.696510032 +0100 +++ netfilter-ha.heile/linux-2.6/patches/ct_notifier_pkt.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,483 +0,0 @@ -===== include/linux/netfilter.h 1.13 vs edited ===== -Index: linux-2.6.10/include/linux/netfilter.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter.h 2005-01-10 20:23:19.000000000 +0100 -+++ linux-2.6.10/include/linux/netfilter.h 2005-01-10 20:41:44.015934800 +0100 -@@ -21,7 +21,7 @@ - #define NF_MAX_VERDICT NF_REPEAT - - /* Generic cache responses from hook functions. -- <= 0x2000 is used for protocol-flags. */ -+ <= 0x2000 is reserved for conntrack event cache. */ - #define NFC_UNKNOWN 0x4000 - #define NFC_ALTERED 0x8000 - -Index: linux-2.6.10/include/linux/netfilter_ipv4.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4.h 2004-08-14 07:37:39.000000000 +0200 -+++ linux-2.6.10/include/linux/netfilter_ipv4.h 2005-01-10 20:41:44.017934496 +0100 -@@ -8,34 +8,6 @@ - #include - #include - --/* IP Cache bits. */ --/* Src IP address. */ --#define NFC_IP_SRC 0x0001 --/* Dest IP address. */ --#define NFC_IP_DST 0x0002 --/* Input device. */ --#define NFC_IP_IF_IN 0x0004 --/* Output device. */ --#define NFC_IP_IF_OUT 0x0008 --/* TOS. */ --#define NFC_IP_TOS 0x0010 --/* Protocol. */ --#define NFC_IP_PROTO 0x0020 --/* IP options. */ --#define NFC_IP_OPTIONS 0x0040 --/* Frag & flags. */ --#define NFC_IP_FRAG 0x0080 -- --/* Per-protocol information: only matters if proto match. */ --/* TCP flags. */ --#define NFC_IP_TCPFLAGS 0x0100 --/* Source port. */ --#define NFC_IP_SRC_PT 0x0200 --/* Dest port. */ --#define NFC_IP_DST_PT 0x0400 --/* Something else about the proto */ --#define NFC_IP_PROTO_UNKNOWN 0x2000 -- - /* IP Hooks */ - /* After promisc drops, checksum checks. 
*/ - #define NF_IP_PRE_ROUTING 0 -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:23:19.000000000 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack.h 2005-01-10 20:41:44.020934040 +0100 -@@ -47,6 +47,58 @@ - /* Connection is confirmed: originating packet has left box */ - IPS_CONFIRMED_BIT = 3, - IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT), -+ -+ /* Connection is destroyed (removed from lists), can not be unset. */ -+ IPS_DESTROYED_BIT = 4, -+ IPS_DESTROYED = (1 << IPS_DESTROYED_BIT), -+}; -+ -+/* Connection tracking event bits */ -+enum ip_conntrack_events -+{ -+ /* New conntrack */ -+ IPCT_NEW_BIT = 0, -+ IPCT_NEW = (1 << IPCT_NEW_BIT), -+ -+ /* Expected connection */ -+ IPCT_RELATED_BIT = 1, -+ IPCT_RELATED = (1 << IPCT_RELATED_BIT), -+ -+ /* Destroyed conntrack */ -+ IPCT_DESTROY_BIT = 2, -+ IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), -+ -+ /* Timer has been refreshed */ -+ IPCT_REFRESH_BIT = 3, -+ IPCT_REFRESH = (1 << IPCT_REFRESH_BIT), -+ -+ /* Status has changed */ -+ IPCT_STATUS_BIT = 4, -+ IPCT_STATUS = (1 << IPCT_STATUS_BIT), -+ -+ /* Update of protocol info */ -+ IPCT_PROTOINFO_BIT = 5, -+ IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), -+ -+ /* Volatile protocol info */ -+ IPCT_PROTOINFO_VOLATILE_BIT = 6, -+ IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT), -+ -+ /* New helper for conntrack */ -+ IPCT_HELPER_BIT = 7, -+ IPCT_HELPER = (1 << IPCT_HELPER_BIT), -+ -+ /* Update of helper info */ -+ IPCT_HELPINFO_BIT = 8, -+ IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT), -+ -+ /* Volatile helper info */ -+ IPCT_HELPINFO_VOLATILE_BIT = 9, -+ IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT), -+ -+ /* NAT info */ -+ IPCT_NATINFO_BIT = 10, -+ IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), - }; - - #include -@@ -263,7 +315,7 @@ - /* Refresh conntrack for this many jiffies */ - extern 
void ip_ct_refresh_acct(struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - unsigned long extra_jiffies); - - /* These are for NAT. Icky. */ -@@ -294,6 +346,11 @@ - return test_bit(IPS_CONFIRMED_BIT, &ct->status); - } - -+static inline int is_destroyed(struct ip_conntrack *ct) -+{ -+ return test_bit(IPS_DESTROYED_BIT, &ct->status); -+} -+ - extern unsigned int ip_conntrack_htable_size; - - struct ip_conntrack_stat -@@ -317,6 +374,57 @@ - - #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++) - -+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS -+#include -+ -+extern struct notifier_block *ip_conntrack_chain; -+ -+static inline int ip_conntrack_register_notifier(struct notifier_block *nb) -+{ -+ return notifier_chain_register(&ip_conntrack_chain, nb); -+} -+ -+static inline int ip_conntrack_unregister_notifier(struct notifier_block *nb) -+{ -+ return notifier_chain_unregister(&ip_conntrack_chain, nb); -+} -+ -+static inline void ip_conntrack_event_cache_init(struct sk_buff *skb) -+{ -+ /* Set to zero first 14 bits, see netfilter.h */ -+ skb->nfcache &= 0xc000; -+} -+ -+static inline void -+ip_conntrack_event_cache(enum ip_conntrack_events event, struct sk_buff *skb) -+{ -+ skb->nfcache |= event; -+} -+ -+static inline void -+ip_conntrack_deliver_cached_events(struct sk_buff *skb) -+{ -+ struct ip_conntrack *ct = (struct ip_conntrack *) skb->nfct; -+ -+ if (ct != NULL && is_confirmed(ct) && !is_destroyed(ct) && skb->nfcache) -+ notifier_call_chain(&ip_conntrack_chain, skb->nfcache, ct); -+} -+ -+static inline void ip_conntrack_event(enum ip_conntrack_events event, -+ struct ip_conntrack *ct) -+{ -+ if (is_confirmed(ct) && !is_destroyed(ct)) -+ notifier_call_chain(&ip_conntrack_chain, event, ct); -+} -+#else /* CONFIG_IP_NF_CONNTRACK_EVENTS */ -+static inline void ip_conntrack_event_cache_init(struct sk_buff *skb) {} -+static inline void ip_conntrack_event_cache(enum ip_conntrack_events event, 
-+ struct sk_buff *skb) {} -+static inline void ip_conntrack_event(enum ip_conntrack_events event, -+ struct ip_conntrack *ct) {} -+static inline void ip_conntrack_deliver_cached_events(struct sk_buff *skb) {} -+#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */ -+ - /* eg. PROVIDES_CONNTRACK(ftp); */ - #define PROVIDES_CONNTRACK(name) \ - int needs_ip_conntrack_##name; \ -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:15:47.000000000 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:41:44.022933736 +0100 -@@ -39,10 +39,14 @@ - /* Confirm a connection: returns NF_DROP if packet must be dropped. */ - static inline int ip_conntrack_confirm(struct sk_buff *skb) - { -+ int ret = NF_ACCEPT; -+ - if (skb->nfct - && !is_confirmed((struct ip_conntrack *)skb->nfct)) -- return __ip_conntrack_confirm(skb); -- return NF_ACCEPT; -+ ret = __ip_conntrack_confirm(skb); -+ ip_conntrack_deliver_cached_events(skb); -+ -+ return ret; - } - - extern struct list_head *ip_conntrack_hash; -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_protocol.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-01-10 20:15:47.000000000 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-01-10 20:41:44.023933584 +0100 -@@ -34,7 +34,7 @@ - - /* Returns verdict for packet, or -1 for invalid. 
*/ - int (*packet)(struct ip_conntrack *conntrack, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - enum ip_conntrack_info ctinfo); - - /* Called when a new connection for this protocol found; -Index: linux-2.6.10/net/ipv4/netfilter/Kconfig -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/Kconfig 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/Kconfig 2005-01-10 20:41:44.027932976 +0100 -@@ -732,5 +732,15 @@ - - To compile it as a module, choose M here. If unsure, say N. - -+config IP_NF_CONNTRACK_EVENTS -+ bool "Connection tracking events" -+ depends on IP_NF_CONNTRACK -+ help -+ If this option is enabled, the connection tracking code will -+ provide a notifier chain that can be used by other kernel code -+ to get notified about changes in the connection tracking state. -+ -+ IF unsure, say `N'. -+ - endmenu - -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_icmp.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2005-01-10 20:15:51.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 2005-01-10 20:41:44.029932672 +0100 -@@ -89,7 +89,7 @@ - - /* Returns verdict for packet, or -1 for invalid. 
*/ - static int icmp_packet(struct ip_conntrack *ct, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - enum ip_conntrack_info ctinfo) - { - /* Try to delete connection immediately after all replies: -@@ -102,6 +102,7 @@ - ct->timeout.function((unsigned long)ct); - } else { - atomic_inc(&ct->proto.icmp.count); -+ ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); - ip_ct_refresh_acct(ct, ctinfo, skb, ip_ct_icmp_timeout); - } - -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_generic.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_generic.c 2005-01-10 20:15:51.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_generic.c 2005-01-10 20:41:44.031932368 +0100 -@@ -49,7 +49,7 @@ - - /* Returns verdict for packet, or -1 for invalid. */ - static int packet(struct ip_conntrack *conntrack, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - enum ip_conntrack_info ctinfo) - { - ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_generic_timeout); -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_sctp.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2005-01-10 20:15:51.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_sctp.c 2005-01-10 20:41:44.034931912 +0100 -@@ -310,7 +310,7 @@ - - /* Returns verdict for packet, or -1 for invalid. 
*/ - static int sctp_packet(struct ip_conntrack *conntrack, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - enum ip_conntrack_info ctinfo) - { - enum sctp_conntrack newconntrack, oldsctpstate; -@@ -405,6 +405,8 @@ - } - - conntrack->proto.sctp.state = newconntrack; -+ if (oldsctpstate != newconntrack) -+ ip_conntrack_event_cache(IPCT_PROTOINFO, skb); - WRITE_UNLOCK(&sctp_lock); - } - -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:44:56.354694864 +0100 -@@ -37,6 +37,7 @@ - #include - #include - #include -+#include - - /* This rwlock protects the main hash table, protocol/helper/expected - registrations, conntrack timers*/ -@@ -75,6 +76,10 @@ - struct ip_conntrack ip_conntrack_untracked; - unsigned int ip_ct_log_invalid; - -+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS -+struct notifier_block *ip_conntrack_chain; -+#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */ -+ - DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat); - - inline void -@@ -287,6 +292,8 @@ - IP_NF_ASSERT(atomic_read(&nfct->use) == 0); - IP_NF_ASSERT(!timer_pending(&ct->timeout)); - -+ set_bit(IPS_DESTROYED_BIT, &ct->status); -+ - /* To make sure we don't get any weird locking issues here: - * destroy_conntrack() MUST NOT be called with a write lock - * to ip_conntrack_lock!!! -HW */ -@@ -327,6 +334,7 @@ - { - struct ip_conntrack *ct = (void *)ul_conntrack; - -+ ip_conntrack_event(IPCT_DESTROY, ct); - WRITE_LOCK(&ip_conntrack_lock); - /* Inside lock so preempt is disabled on module removal path. - * Otherwise we can get spurious warnings. 
*/ -@@ -436,6 +444,14 @@ - set_bit(IPS_CONFIRMED_BIT, &ct->status); - CONNTRACK_STAT_INC(insert); - WRITE_UNLOCK(&ip_conntrack_lock); -+ if (ct->helper) -+ ip_conntrack_event_cache(IPCT_HELPER, skb); -+#ifdef CONFIG_IP_NF_NAT_NEEDED -+ if (ct->nat.info.initialized) -+ ip_conntrack_event_cache(IPCT_NATINFO, skb); -+#endif -+ ip_conntrack_event_cache(master_ct(ct) ? -+ IPCT_RELATED : IPCT_NEW, skb); - return NF_ACCEPT; - } - -@@ -708,6 +724,8 @@ - /* FIXME: Do this right please. --RR */ - (*pskb)->nfcache |= NFC_UNKNOWN; - -+ ip_conntrack_event_cache_init(*pskb); -+ - /* Doesn't cover locally-generated broadcast, so not worth it. */ - #if 0 - /* Ignore broadcast: no `connection'. */ -@@ -769,8 +787,10 @@ - return NF_ACCEPT; - } - } -- if (set_reply) -+ if (set_reply && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { - set_bit(IPS_SEEN_REPLY_BIT, &ct->status); -+ ip_conntrack_event_cache(IPCT_STATUS, *pskb); -+ } - - return ret; - } -@@ -1052,6 +1072,7 @@ - if (i->ctrack->helper == me) { - /* Get rid of any expected. 
*/ - remove_expectations(i->ctrack, 0); -+ ip_conntrack_event(IPCT_HELPER, i->ctrack); - /* And *then* set helper to NULL */ - i->ctrack->helper = NULL; - } -@@ -1092,7 +1113,7 @@ - /* Refresh conntrack for this many jiffies and do accounting (if skb != NULL) */ - void ip_ct_refresh_acct(struct ip_conntrack *ct, - enum ip_conntrack_info ctinfo, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - unsigned long extra_jiffies) - { - IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct); -@@ -1107,6 +1128,7 @@ - if (del_timer(&ct->timeout)) { - ct->timeout.expires = jiffies + extra_jiffies; - add_timer(&ct->timeout); -+ ip_conntrack_event_cache(IPCT_REFRESH, skb); - } - ct_add_counters(ct, ctinfo, skb); - WRITE_UNLOCK(&ip_conntrack_lock); -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_ftp.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_ftp.c 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_ftp.c 2005-01-10 20:41:44.044930392 +0100 -@@ -300,6 +300,7 @@ - ct_ftp_info->seq_aft_nl[dir] = - ntohl(th->seq) + datalen; - ct_ftp_info->seq_aft_nl_set[dir] = 1; -+ ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb); - } - } - -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:41:44.048929784 +0100 -@@ -881,6 +881,11 @@ - { - } - -+#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS -+EXPORT_SYMBOL(ip_conntrack_chain); -+EXPORT_SYMBOL(ip_conntrack_register_notifier); -+EXPORT_SYMBOL(ip_conntrack_unregister_notifier); -+#endif - EXPORT_SYMBOL(ip_conntrack_protocol_register); - EXPORT_SYMBOL(ip_conntrack_protocol_unregister); - EXPORT_SYMBOL(invert_tuplepr); -Index: 
linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_tcp.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-01-10 20:41:44.052929176 +0100 -@@ -826,7 +826,7 @@ - - /* Returns verdict for packet, or -1 for invalid. */ - static int tcp_packet(struct ip_conntrack *conntrack, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - enum ip_conntrack_info ctinfo) - { - enum tcp_conntrack new_state, old_state; -@@ -948,6 +948,10 @@ - ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state]; - WRITE_UNLOCK(&tcp_lock); - -+ ip_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); -+ if (new_state != old_state) -+ ip_conntrack_event_cache(IPCT_PROTOINFO, skb); -+ - if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { - /* If only reply is a RST, we can consider ourselves not to - have an established connection: this is a fairly common -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_udp.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2005-01-10 20:15:51.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2005-01-10 20:41:44.055928720 +0100 -@@ -64,7 +64,7 @@ - - /* Returns verdict for packet, and may modify conntracktype */ - static int udp_packet(struct ip_conntrack *conntrack, -- const struct sk_buff *skb, -+ struct sk_buff *skb, - enum ip_conntrack_info ctinfo) - { - /* If we've seen traffic both ways, this is some kind of UDP -@@ -73,7 +73,10 @@ - ip_ct_refresh_acct(conntrack, ctinfo, skb, - ip_ct_udp_timeout_stream); - /* Also, more likely to be important, and not a probe */ -- set_bit(IPS_ASSURED_BIT, &conntrack->status); -+ if (!test_bit(IPS_ASSURED_BIT, &conntrack->status)) { -+ set_bit(IPS_ASSURED_BIT, &conntrack->status); -+ 
ip_conntrack_event_cache(IPCT_STATUS, skb); -+ } - } else - ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_udp_timeout); - diff -aruN netfilter-ha/linux-2.6/patches/ct_sync_config_and_makefile.patch netfilter-ha.heile/linux-2.6/patches/ct_sync_config_and_makefile.patch --- netfilter-ha/linux-2.6/patches/ct_sync_config_and_makefile.patch 2006-03-24 21:02:13.696510032 +0100 +++ netfilter-ha.heile/linux-2.6/patches/ct_sync_config_and_makefile.patch 2006-03-24 20:59:56.740073493 +0100 @@ -1,10 +1,10 @@ -Index: linux-2.6.10-ctsync/net/ipv4/netfilter/Makefile +Index: netfilter-2.6.14/net/ipv4/netfilter/Makefile =================================================================== ---- linux-2.6.10-ctsync.orig/net/ipv4/netfilter/Makefile 2005-07-19 11:26:32.516195604 +0200 -+++ linux-2.6.10-ctsync/net/ipv4/netfilter/Makefile 2005-07-19 11:27:42.791714055 +0200 -@@ -16,6 +16,9 @@ - ipfwadm-objs := $(ip_nf_compat-objs) ipfwadm_core.o - ipchains-objs := $(ip_nf_compat-objs) ipchains_core.o +--- netfilter-2.6.14.orig/net/ipv4/netfilter/Makefile 2005-09-18 12:58:03.203433272 +0200 ++++ netfilter-2.6.14/net/ipv4/netfilter/Makefile 2005-10-04 16:23:02.759253880 +0200 +@@ -10,6 +10,9 @@ + ip_conntrack-objs := ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o + iptable_nat-objs := ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o +# conntrack state synchronization +ct_sync-objs := ct_sync_main.o ct_sync_proto.o ct_sync_sock.o 
@@ -12,19 +12,19 @@ # connection tracking obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o -@@ -101,3 +104,5 @@ - obj-$(CONFIG_IP_NF_COMPAT_IPFWADM) += ipfwadm.o +@@ -103,3 +113,5 @@ - obj-$(CONFIG_IP_NF_QUEUE) += ip_queue.o + # l3 independent conntrack + obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o + +obj-$(CONFIG_IP_NF_CT_SYNC) += ct_sync.o -Index: linux-2.6.10-ctsync/net/ipv4/netfilter/Kconfig +Index: netfilter-2.6.14/net/ipv4/netfilter/Kconfig =================================================================== ---- linux-2.6.10-ctsync.orig/net/ipv4/netfilter/Kconfig 2005-07-19 11:26:32.516195604 +0200 -+++ linux-2.6.10-ctsync/net/ipv4/netfilter/Kconfig 2005-07-19 11:30:00.179497725 +0200 -@@ -742,5 +742,23 @@ - - IF unsure, say `N'. +--- netfilter-2.6.14.orig/net/ipv4/netfilter/Kconfig 2005-09-18 12:58:02.826490576 +0200 ++++ netfilter-2.6.14/net/ipv4/netfilter/Kconfig 2005-10-04 16:22:22.487376136 +0200 +@@ -852,5 +852,23 @@ + + To compile it as a module, choose M here. If unsure, say N. +config IP_NF_CT_SYNC + tristate "Connection tracking state synchronization" diff -aruN netfilter-ha/linux-2.6/patches/export_ip_conntrack_clean_from_lists.patch netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_clean_from_lists.patch --- netfilter-ha/linux-2.6/patches/export_ip_conntrack_clean_from_lists.patch 2006-03-24 21:02:13.704510525 +0100 +++ netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_clean_from_lists.patch 2006-03-24 20:59:56.744073740 +0100 
@@ -1,19 +1,19 @@ -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c +Index: linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_standalone.c =================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:00.490973576 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:18.557227088 +0100 +--- linux-2.6.15.4.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:00.490973576 +0100 ++++ linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:18.557227088 +0100 @@ -915,6 +915,7 @@ - EXPORT_SYMBOL(ip_conntrack_untracked); - EXPORT_SYMBOL_GPL(ip_conntrack_find_get); + + EXPORT_SYMBOL_GPL(ip_conntrack_flush); EXPORT_SYMBOL_GPL(__ip_conntrack_find); +EXPORT_SYMBOL_GPL(ip_conntrack_clean_from_lists); - EXPORT_SYMBOL_GPL(ip_conntrack_put); - #ifdef CONFIG_IP_NF_NAT_NEEDED - EXPORT_SYMBOL(ip_conntrack_tcp_update); -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h + + EXPORT_SYMBOL_GPL(ip_conntrack_alloc); + EXPORT_SYMBOL_GPL(ip_conntrack_free); +Index: linux-2.6.15.4/include/linux/netfilter_ipv4/ip_conntrack_core.h =================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:00.492973272 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:18.559226784 +0100 +--- linux-2.6.15.4.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:00.492973272 +0100 ++++ linux-2.6.15.4/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:18.559226784 +0100 @@ -54,6 +54,8 @@ return ret; } 
@@ -23,10 +23,10 @@ extern struct list_head *ip_conntrack_hash; extern struct list_head ip_conntrack_expect_list; DECLARE_RWLOCK_EXTERN(ip_conntrack_lock); -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c +Index: linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_core.c =================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:54:00.497972512 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:56:56.733180688 +0100 +--- linux-2.6.15.4.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:54:00.497972512 +0100 ++++ linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:56:56.733180688 +0100 @@ -265,12 +265,12 @@ } } 
@@ -40,15 +40,24 @@ - DEBUGP("clean_from_lists(%p)\n", ct); + DEBUGP("ip_conntrack_clean_from_lists(%p)\n", ct); - MUST_BE_WRITE_LOCKED(&ip_conntrack_lock); + ASSERT_WRITE_LOCK(&ip_conntrack_lock); ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); -@@ -339,7 +339,7 @@ +@@ -333,7 +333,7 @@ + ip_conntrack_destroyed(ct); + + write_lock_bh(&ip_conntrack_lock); +- /* Expectations will have been removed in clean_from_lists, ++ /* Expectations will have been removed in ip_conntrack_clean_from_lists, + * except TFTP can create an expectation on the first packet, + * before connection is in the list, so we need to clean here, + * too. */ +@@ -363,7 +363,7 @@ /* Inside lock so preempt is disabled on module removal path. * Otherwise we can get spurious warnings. */ CONNTRACK_STAT_INC(delete_list); - clean_from_lists(ct); + ip_conntrack_clean_from_lists(ct); - WRITE_UNLOCK(&ip_conntrack_lock); + write_unlock_bh(&ip_conntrack_lock); ip_conntrack_put(ct); } diff -aruN netfilter-ha/linux-2.6/patches/export_ip_conntrack_cleanup.patch netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_cleanup.patch --- netfilter-ha/linux-2.6/patches/export_ip_conntrack_cleanup.patch 1970-01-01 01:00:00.000000000 +0100 +++ netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_cleanup.patch 2006-03-24 20:59:56.744073740 +0100 
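Review bot: The newly exported `ip_conntrack_clean_from_lists()` keeps its locking requirement only as `ASSERT_WRITE_LOCK(&ip_conntrack_lock);`, which in this kernel generation is, I believe, compiled out unless CONFIG_NETFILTER_DEBUG is set, so an out-of-tree caller that forgets `write_lock_bh(&ip_conntrack_lock)` gets no diagnostic at all. Since the function is now part of the exported surface, state the contract where callers see it: put `/* Unlink ct from the conntrack hash. Caller must hold write_lock_bh(&ip_conntrack_lock). */` above the definition and repeat it on the extern declaration in ip_conntrack_core.h. The rest of the function body lies outside this hunk.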
@@ -0,0 +1,10 @@
+--- linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_core.c 2006-03-07 05:42:07.000000000 +0100
++++ linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_core.max.c 2006-03-07 06:00:34.000000000 +0100
+@@ -1388,6 +1388,7 @@
+ ip_conntrack_htable_size);
+ nf_unregister_sockopt(&so_getorigdst);
+ }
++EXPORT_SYMBOL_GPL(ip_conntrack_cleanup);
+ 
+ static struct list_head *alloc_hashtable(int size, int *vmalloced)
+ {
diff -aruN netfilter-ha/linux-2.6/patches/export_ip_conntrack_find.patch netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_find.patch
--- netfilter-ha/linux-2.6/patches/export_ip_conntrack_find.patch 2006-03-24 21:02:13.700510278 +0100
+++ netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_find.patch 2006-03-24 20:59:56.744073740 +0100
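Review bot: `EXPORT_SYMBOL_GPL(ip_conntrack_cleanup);` hands the conntrack subsystem's own teardown routine to another module: the lines just above show it unregistering the getorigdst sockopt and releasing the hash table, so a ct_sync caller invoking it while ip_conntrack is still loaded would tear the table out from under every other user, and a later ip_conntrack module exit would repeat the unregister/free. The new patch carries no rationale for why ct_sync needs this rather than the already-exported `ip_conntrack_flush` (visible as context in export_ip_conntrack_clean_from_lists.patch), which only drops entries. If the export must stay, add `/* Full subsystem teardown - only valid once no other conntrack users remain; do not call from a live ct_sync path. */` above the EXPORT and document the intended call site in the patch description.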
@@ -1,20 +1,8 @@ -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c +Index: linux-2.6.15.4/include/linux/netfilter_ipv4/ip_conntrack_core.h =================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:53:51.796295368 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:54:00.490973576 +0100 -@@ -914,6 +914,7 @@ - EXPORT_SYMBOL(ip_conntrack_hash); - EXPORT_SYMBOL(ip_conntrack_untracked); - EXPORT_SYMBOL_GPL(ip_conntrack_find_get); -+EXPORT_SYMBOL_GPL(__ip_conntrack_find); - EXPORT_SYMBOL_GPL(ip_conntrack_put); - #ifdef CONFIG_IP_NF_NAT_NEEDED - EXPORT_SYMBOL(ip_conntrack_tcp_update); -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:41:44.022933736 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:00.492973272 +0100 -@@ -34,6 +34,11 @@ +--- linux-2.6.15.4.orig/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:41:44.022933736 +0100 ++++ linux-2.6.15.4/include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-01-10 20:54:00.492973272 +0100 +@@ -36,6 +36,11 @@ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple, const struct ip_conntrack *ignored_conntrack); 
@@ -23,19 +11,6 @@ +__ip_conntrack_find(const struct ip_conntrack_tuple *tuple, + const struct ip_conntrack *ignored_conntrack); + - extern int __ip_conntrack_confirm(struct sk_buff *skb); + extern int __ip_conntrack_confirm(struct sk_buff **pskb); /* Confirm a connection: returns NF_DROP if packet must be dropped. */ -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:53:51.801294608 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:54:00.497972512 +0100 -@@ -354,7 +354,7 @@ - && ip_ct_tuple_equal(tuple, &i->tuple); - } - --static struct ip_conntrack_tuple_hash * -+struct ip_conntrack_tuple_hash * - __ip_conntrack_find(const struct ip_conntrack_tuple *tuple, - const struct ip_conntrack *ignored_conntrack) - { diff -aruN netfilter-ha/linux-2.6/patches/export_ip_conntrack_helpers.patch netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_helpers.patch --- netfilter-ha/linux-2.6/patches/export_ip_conntrack_helpers.patch 2006-03-24 21:02:13.704510525 +0100 +++ netfilter-ha.heile/linux-2.6/patches/export_ip_conntrack_helpers.patch 1970-01-01 01:00:00.000000000 +0100 
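Review bot: The rewritten patch now only adds the `__ip_conntrack_find` prototype to ip_conntrack_core.h; the hunks that dropped `static` from the definition in ip_conntrack_core.c and added `EXPORT_SYMBOL_GPL(__ip_conntrack_find)` are gone. Presumably 2.6.15.4 already exports it, but if it does not, ct_sync will fail at insmod with an unresolved symbol rather than at build time, so that assumption is worth a sentence in the patch. The double-underscore name also suggests the caller must hold `ip_conntrack_lock` (unlike `ip_conntrack_find_get`), which nothing in the header states; suggest `/* Lookup without refcount; caller must hold ip_conntrack_lock. */` above the new prototype.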
@@ -1,50 +0,0 @@ -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:41:44.048929784 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_standalone.c 2005-01-10 20:53:51.796295368 +0100 -@@ -899,6 +899,7 @@ - EXPORT_SYMBOL(ip_ct_protos); - EXPORT_SYMBOL(ip_ct_find_proto); - EXPORT_SYMBOL(ip_ct_find_helper); -+EXPORT_SYMBOL_GPL(__ip_ct_find_helper_by_name); - EXPORT_SYMBOL(ip_conntrack_expect_alloc); - EXPORT_SYMBOL(ip_conntrack_expect_related); - EXPORT_SYMBOL(ip_conntrack_change_expect); -Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:44:56.354694864 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c 2005-01-10 20:53:51.801294608 +0100 -@@ -520,6 +520,20 @@ - tuple); - } - -+static inline int -+helper_name_cmp(const struct ip_conntrack_helper *helper, -+ const char *name) -+{ -+ return strcmp(helper->name, name); -+} -+ -+struct ip_conntrack_helper * -+__ip_ct_find_helper_by_name(const char *name) -+{ -+ return LIST_FIND(&helpers, helper_name_cmp, -+ struct ip_conntrack_helper *, name); -+} -+ - /* Allocate a new conntrack: we return -ENOMEM if classification - failed due to stress. Otherwise it really is unclassifiable. 
*/ - static struct ip_conntrack_tuple_hash * -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_helper.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2004-08-14 07:36:17.000000000 +0200 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_conntrack_helper.h 2005-01-10 20:53:51.817292176 +0100 -@@ -35,6 +35,8 @@ - - extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple); - -+/* Lookup conntrack helper by name: for ct_sync */ -+extern struct ip_conntrack_helper *__ip_ct_find_helper_by_name(const char *name); - - /* Allocate space for an expectation: this is mandatory before calling - ip_conntrack_expect_related. */ diff -aruN netfilter-ha/linux-2.6/patches/export_ip_nat_helpers.patch netfilter-ha.heile/linux-2.6/patches/export_ip_nat_helpers.patch --- netfilter-ha/linux-2.6/patches/export_ip_nat_helpers.patch 2006-03-24 21:02:13.704510525 +0100 +++ netfilter-ha.heile/linux-2.6/patches/export_ip_nat_helpers.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,49 +0,0 @@ -Index: linux-2.6.10/include/linux/netfilter_ipv4/ip_nat_helper.h -=================================================================== ---- linux-2.6.10.orig/include/linux/netfilter_ipv4/ip_nat_helper.h 2005-01-10 20:15:47.000000000 +0100 -+++ linux-2.6.10/include/linux/netfilter_ipv4/ip_nat_helper.h 2005-01-10 20:53:56.435590088 +0100 -@@ -47,6 +47,10 @@ - extern struct ip_nat_helper * - __ip_nat_find_helper(const struct ip_conntrack_tuple *tuple); - -+/* For ct_sync: look up helper by name */ -+extern struct ip_nat_helper * -+__ip_nat_find_helper_by_name(const char *name); -+ - /* These return true or false. */ - extern int ip_nat_mangle_tcp_packet(struct sk_buff **skb, - struct ip_conntrack *ct, -Index: linux-2.6.10/net/ipv4/netfilter/ip_nat_helper.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_helper.c 2005-01-10 20:15:51.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_nat_helper.c 2005-01-10 20:53:56.458586592 +0100 -@@ -455,6 +455,19 @@ - return ret; - } - -+static inline int -+helper_name_cmp(const struct ip_nat_helper *helper, -+ const char *name) -+{ -+ return strcmp(helper->name, name); -+} -+ -+struct ip_nat_helper * -+__ip_nat_find_helper_by_name(const char *name) -+{ -+ return LIST_FIND(&helpers, helper_name_cmp, struct ip_nat_helper *, name); -+} -+ - void ip_nat_helper_unregister(struct ip_nat_helper *me) - { - WRITE_LOCK(&ip_nat_lock); -Index: linux-2.6.10/net/ipv4/netfilter/ip_nat_standalone.c -=================================================================== ---- linux-2.6.10.orig/net/ipv4/netfilter/ip_nat_standalone.c 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/ipv4/netfilter/ip_nat_standalone.c 2005-01-10 20:53:56.476583856 +0100 -@@ -391,4 +391,5 @@ - EXPORT_SYMBOL(ip_nat_used_tuple); - EXPORT_SYMBOL(ip_nat_find_helper); - EXPORT_SYMBOL(__ip_nat_find_helper); -+EXPORT_SYMBOL_GPL(__ip_nat_find_helper_by_name); - 
MODULE_LICENSE("GPL"); diff -aruN netfilter-ha/linux-2.6/patches/export_ip_nat_lock_and_hash.patch netfilter-ha.heile/linux-2.6/patches/export_ip_nat_lock_and_hash.patch --- netfilter-ha/linux-2.6/patches/export_ip_nat_lock_and_hash.patch 2006-03-24 21:02:13.700510278 +0100 +++ netfilter-ha.heile/linux-2.6/patches/export_ip_nat_lock_and_hash.patch 2006-03-24 20:59:56.744073740 +0100 
@@ -1,12 +1,61 @@ -Index: linux-2.6.10-ctsync/net/ipv4/netfilter/ip_nat_standalone.c +Index: linux-2.6.15.4/net/ipv4/netfilter/ip_nat_core.c =================================================================== ---- linux-2.6.10-ctsync.orig/net/ipv4/netfilter/ip_nat_standalone.c 2005-07-19 11:24:12.057142833 +0200 -+++ linux-2.6.10-ctsync/net/ipv4/netfilter/ip_nat_standalone.c 2005-07-19 11:27:16.136965119 +0200 -@@ -392,4 +392,7 @@ - EXPORT_SYMBOL(ip_nat_find_helper); - EXPORT_SYMBOL(__ip_nat_find_helper); - EXPORT_SYMBOL_GPL(__ip_nat_find_helper_by_name); -+EXPORT_SYMBOL_GPL(ip_nat_lock); -+EXPORT_SYMBOL_GPL(place_in_hashes); -+EXPORT_SYMBOL_GPL(replace_in_hashes); - MODULE_LICENSE("GPL"); +--- linux-2.6.15.4.orig/net/ipv4/netfilter/ip_nat_core.c 2005-10-04 17:39:04.944696272 +0200 ++++ linux-2.6.15.4/net/ipv4/netfilter/ip_nat_core.c 2005-10-04 17:56:57.845590544 +0200 +@@ -101,6 +101,19 @@ + write_unlock_bh(&ip_nat_lock); + } + ++/* Place the conntrack entry in the nat hashtable. */ ++void ip_nat_hash_insert(struct ip_conntrack *ct) ++{ ++ unsigned int srchash ++ = hash_by_src(&ct->tuplehash[IP_CT_DIR_ORIGINAL] ++ .tuple); ++ ++ write_lock_bh(&ip_nat_lock); ++ list_add(&ct->nat.info.bysource, &bysource[srchash]); ++ write_unlock_bh(&ip_nat_lock); ++} ++EXPORT_SYMBOL_GPL(ip_nat_hash_insert); ++ + /* We do checksum mangling, so if they were wrong before they're still + * wrong. Also works for incomplete packets (eg. ICMP dest + * unreachables.) */ +@@ -295,7 +309,6 @@ + unsigned int hooknum) + { + struct ip_conntrack_tuple curr_tuple, new_tuple; +- struct ip_nat_info *info = &conntrack->nat.info; + int have_to_hash = !(conntrack->status & IPS_NAT_DONE_MASK); + enum ip_nat_manip_type maniptype = HOOK2MANIP(hooknum); + +@@ -330,14 +343,8 @@ + } + + /* Place in source hash if this is the first time. 
*/ +- if (have_to_hash) { +- unsigned int srchash +- = hash_by_src(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL] +- .tuple); +- write_lock_bh(&ip_nat_lock); +- list_add(&info->bysource, &bysource[srchash]); +- write_unlock_bh(&ip_nat_lock); +- } ++ if (have_to_hash) ++ ip_nat_hash_insert(conntrack); + + /* It's done. */ + if (maniptype == IP_NAT_MANIP_DST) +Index: linux-2.6.15.4/include/linux/netfilter_ipv4/ip_nat_core.h +=================================================================== +--- linux-2.6.15.4.orig/include/linux/netfilter_ipv4/ip_nat_core.h 2005-10-04 17:39:04.946695968 +0200 ++++ linux-2.6.15.4/include/linux/netfilter_ipv4/ip_nat_core.h 2005-10-04 17:39:15.282124744 +0200 +@@ -15,4 +15,7 @@ + struct ip_conntrack *ct, + enum ip_nat_manip_type manip, + enum ip_conntrack_dir dir); ++ ++extern void ip_nat_hash_insert(struct ip_conntrack *ct); ++ + #endif /* _IP_NAT_CORE_H */ diff -aruN netfilter-ha/linux-2.6/patches/ip_conntrack_hash_insert_nolock.patch netfilter-ha.heile/linux-2.6/patches/ip_conntrack_hash_insert_nolock.patch --- netfilter-ha/linux-2.6/patches/ip_conntrack_hash_insert_nolock.patch 1970-01-01 01:00:00.000000000 +0100 +++ netfilter-ha.heile/linux-2.6/patches/ip_conntrack_hash_insert_nolock.patch 2006-03-24 20:59:56.744073740 +0100 
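Review bot: The new `ip_nat_hash_insert()` unconditionally does `list_add(&ct->nat.info.bysource, ...)`; inside `ip_nat_setup_info` that is still guarded by `have_to_hash`, but the export gives ct_sync a path with no such guard, and a second `list_add` of a `list_head` that is already linked corrupts the bysource chain. Whether the synced conntrack arrives with `bysource` initialised and with `IPS_NAT_DONE_MASK` already set cannot be seen here, so I would not add a status test inside the helper without checking the ct_sync caller. At minimum document the precondition on the definition and the prototype in ip_nat_core.h: `/* Link ct into the bysource hash. Must be called exactly once per conntrack, before any IPS_*_NAT_DONE bit is set; takes ip_nat_lock itself. */`.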
@@ -0,0 +1,42 @@ +--- linux-2.6.15.4/include/linux/netfilter_ipv4/ip_conntrack.h 2006-03-08 01:03:37.079785975 +0100 ++++ linux-2.6.15.4/include/linux/netfilter_ipv4/ip_conntrack.max.h 2006-03-08 01:07:52.091014039 +0100 +@@ -270,6 +270,9 @@ + + extern void ip_conntrack_hash_insert(struct ip_conntrack *ct); + ++/* Non-Locking ip_conntrack_hash_insert for ct_sync */ ++extern void ip_conntrack_hash_insert_nolock(struct ip_conntrack *ct); ++ + extern struct ip_conntrack_expect * + __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple); + +--- linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_core.c 2006-03-08 01:03:37.139789604 +0100 ++++ linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_core.max.c 2006-03-08 01:08:44.278068578 +0100 +@@ -437,6 +437,17 @@ + write_unlock_bh(&ip_conntrack_lock); + } + ++/* Non-Locking ip_conntrack_hash_insert for ct_sync */ ++void ip_conntrack_hash_insert_nolock(struct ip_conntrack *ct) ++{ ++ unsigned int hash, repl_hash; ++ ++ hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); ++ repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); ++ ++ __ip_conntrack_hash_insert(ct, hash, repl_hash); ++} ++ + /* Confirm a connection given skb; places it in hash table */ + int + __ip_conntrack_confirm(struct sk_buff **pskb) +--- linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_standalone.c 2006-03-08 01:03:37.123788636 +0100 ++++ linux-2.6.15.4/net/ipv4/netfilter/ip_conntrack_standalone.max.c 2006-03-08 01:06:48.643301648 +0100 +@@ -1018,6 +1018,7 @@ + EXPORT_SYMBOL_GPL(ip_conntrack_alloc); + EXPORT_SYMBOL_GPL(ip_conntrack_free); + EXPORT_SYMBOL_GPL(ip_conntrack_hash_insert); ++EXPORT_SYMBOL_GPL(ip_conntrack_hash_insert_nolock); + + EXPORT_SYMBOL_GPL(ip_ct_remove_expectations); + diff -aruN netfilter-ha/linux-2.6/patches/pf_packet.patch netfilter-ha.heile/linux-2.6/patches/pf_packet.patch --- netfilter-ha/linux-2.6/patches/pf_packet.patch 2006-03-24 21:02:13.700510278 +0100 +++ 
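Review bot: `ip_conntrack_hash_insert_nolock()` calls `__ip_conntrack_hash_insert()` without taking `ip_conntrack_lock`, and the only statement of the contract is the phrase "Non-Locking" on the declaration and definition, which says what the function omits but not what the caller must do. Replace both comments with `/* Same as ip_conntrack_hash_insert() but the caller must already hold write_lock_bh(&ip_conntrack_lock); intended for ct_sync, which inserts under its own critical section. */`. The tail of the locking variant (`write_unlock_bh(&ip_conntrack_lock); }`) is the only part of it visible in this hunk, so if it also sets status bits or arms the timeout timer that this variant skips, the comment should say that too.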
netfilter-ha.heile/linux-2.6/patches/pf_packet.patch 2006-03-24 20:59:56.744073740 +0100 @@ -1,8 +1,8 @@ %patch -Index: linux-2.6.10/include/linux/netfilter_packet.h +Index: linux-2.6.15.4/include/linux/netfilter_packet.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ linux-2.6.10/include/linux/netfilter_packet.h 2005-01-10 20:45:51.363332280 +0100 ++++ linux-2.6.15.4/include/linux/netfilter_packet.h 2005-01-10 20:45:51.363332280 +0100 @@ -0,0 +1,17 @@ +#ifndef __LINUX_NETFILTER_PACKET_H +#define __LINUX_NETFILTER_PACKET_H 
@@ -21,165 +21,3 @@ +#define NF_PACKET_OUTPUT 1 + +#endif /* __LINUX_NETFILTER_PACKET_H */ -Index: linux-2.6.10/net/core/dev.c -=================================================================== ---- linux-2.6.10.orig/net/core/dev.c 2005-01-10 20:23:28.000000000 +0100 -+++ linux-2.6.10/net/core/dev.c 2005-01-10 21:24:31.645595760 +0100 -@@ -112,6 +112,7 @@ - #include /* Note : will define WIRELESS_EXT */ - #include - #endif /* CONFIG_NET_RADIO */ -+#include - #include - - /* This define, if set, will randomly drop a packet when congestion -@@ -1215,35 +1216,12 @@ - * to congestion or traffic shaping. - */ - --int dev_queue_xmit(struct sk_buff *skb) -+static int dev_queue_xmit_finish(struct sk_buff *skb) - { - struct net_device *dev = skb->dev; - struct Qdisc *q; - int rc = -ENOMEM; - -- if (skb_shinfo(skb)->frag_list && -- !(dev->features & NETIF_F_FRAGLIST) && -- __skb_linearize(skb, GFP_ATOMIC)) -- goto out_kfree_skb; -- -- /* Fragmented skb is linearized if device does not support SG, -- * or if at least one of fragments is in highmem and device -- * does not support DMA from it. -- */ -- if (skb_shinfo(skb)->nr_frags && -- (!(dev->features & NETIF_F_SG) || illegal_highdma(dev, skb)) && -- __skb_linearize(skb, GFP_ATOMIC)) -- goto out_kfree_skb; -- -- /* If packet is not checksummed and device does not support -- * checksumming for this protocol, complete checksumming here. -- */ -- if (skb->ip_summed == CHECKSUM_HW && -- (!(dev->features & (NETIF_F_HW_CSUM | NETIF_F_NO_CSUM)) && -- (!(dev->features & NETIF_F_IP_CSUM) || -- skb->protocol != htons(ETH_P_IP)))) -- if (skb_checksum_help(skb, 0)) -- goto out_kfree_skb; - - /* Disable soft irqs for various locks below. Also - * stops preemption for RCU. 
-@@ -1324,7 +1302,6 @@ - rc = -ENETDOWN; - local_bh_enable(); - --out_kfree_skb: - kfree_skb(skb); - return rc; - out: -@@ -1332,6 +1309,41 @@ - return rc; - } - -+int dev_queue_xmit(struct sk_buff *skb) -+{ -+ struct net_device *dev = skb->dev; -+ -+ if (skb_shinfo(skb)->frag_list && -+ !(dev->features & NETIF_F_FRAGLIST) && -+ __skb_linearize(skb, GFP_ATOMIC)) -+ goto out_kfree_skb; -+ -+ /* Fragmented skb is linearized if device does not support SG, -+ * or if at least one of fragments is in highmem and device -+ * does not support DMA from it. -+ */ -+ if (skb_shinfo(skb)->nr_frags && -+ (!(dev->features & NETIF_F_SG) || illegal_highdma(dev, skb)) && -+ __skb_linearize(skb, GFP_ATOMIC)) -+ goto out_kfree_skb; -+ -+ /* If packet is not checksummed and device does not support -+ * checksumming for this protocol, complete checksumming here. -+ */ -+ if (skb->ip_summed == CHECKSUM_HW && -+ (!(dev->features & (NETIF_F_HW_CSUM | NETIF_F_NO_CSUM)) && -+ (!(dev->features & NETIF_F_IP_CSUM) || -+ skb->protocol != htons(ETH_P_IP)))) -+ if (skb_checksum_help(skb, 0)) -+ goto out_kfree_skb; -+ -+ return NF_HOOK(PF_PACKET, NF_PACKET_OUTPUT, skb, NULL, dev, -+ dev_queue_xmit_finish); -+ -+out_kfree_skb: -+ kfree_skb(skb); -+ return -ENOMEM; -+} - - /*======================================================================= - Receiver routines -@@ -1622,29 +1634,12 @@ - } - #endif - --int netif_receive_skb(struct sk_buff *skb) -+static int netif_receive_skb_finish(struct sk_buff *skb) - { - struct packet_type *ptype, *pt_prev; - int ret = NET_RX_DROP; - unsigned short type; - --#ifdef CONFIG_NETPOLL -- if (skb->dev->netpoll_rx && skb->dev->poll && netpoll_rx(skb)) { -- kfree_skb(skb); -- return NET_RX_DROP; -- } --#endif -- -- if (!skb->stamp.tv_sec) -- net_timestamp(&skb->stamp); -- -- skb_bond(skb); -- -- __get_cpu_var(netdev_rx_stat).total++; -- -- skb->h.raw = skb->nh.raw = skb->data; -- skb->mac_len = skb->nh.raw - skb->mac.raw; -- - pt_prev = NULL; - - rcu_read_lock(); 
-@@ -1713,7 +1708,30 @@ - return ret; - } - --static int process_backlog(struct net_device *backlog_dev, int *budget) -+int netif_receive_skb(struct sk_buff *skb) -+{ -+#ifdef CONFIG_NETPOLL -+ if (skb->dev->netpoll_rx && skb->dev->poll && netpoll_rx(skb)) { -+ kfree_skb(skb); -+ return NET_RX_DROP; -+ } -+#endif -+ -+ if (!skb->stamp.tv_sec) -+ net_timestamp(&skb->stamp); -+ -+ skb_bond(skb); -+ -+ __get_cpu_var(netdev_rx_stat).total++; -+ -+ skb->h.raw = skb->nh.raw = skb->data; -+ skb->mac_len = skb->nh.raw - skb->mac.raw; -+ -+ return NF_HOOK(PF_PACKET, NF_PACKET_INPUT, skb, skb->dev, NULL, -+ netif_receive_skb_finish); -+} -+ -+ static int process_backlog(struct net_device *backlog_dev, int *budget) - { - int work = 0; - int quota = min(backlog_dev->quota, *budget); diff -aruN netfilter-ha/linux-2.6/patches/pf_packet_remove_warning.patch netfilter-ha.heile/linux-2.6/patches/pf_packet_remove_warning.patch --- netfilter-ha/linux-2.6/patches/pf_packet_remove_warning.patch 2006-03-24 21:02:13.704510525 +0100 +++ netfilter-ha.heile/linux-2.6/patches/pf_packet_remove_warning.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,17 +0,0 @@ -Index: linux-2.6.10/net/core/netfilter.c -=================================================================== ---- linux-2.6.10.orig/net/core/netfilter.c 2005-01-10 20:23:29.000000000 +0100 -+++ linux-2.6.10/net/core/netfilter.c 2005-01-10 20:53:47.460954440 +0100 -@@ -508,10 +508,12 @@ - rcu_read_lock(); - - #ifdef CONFIG_NETFILTER_DEBUG -+#if 0 - if (skb->nf_debug & (1 << hook)) { - printk("nf_hook: hook %i already set.\n", hook); - nf_dump_skb(pf, skb); - } -+#endif - skb->nf_debug |= (1 << hook); - #endif - diff -aruN netfilter-ha/linux-2.6/patches/series netfilter-ha.heile/linux-2.6/patches/series --- netfilter-ha/linux-2.6/patches/series 2006-03-24 21:02:13.704510525 +0100 +++ netfilter-ha.heile/linux-2.6/patches/series 2006-03-24 20:59:56.748073986 +0100 
@@ -1,11 +1,7 @@
-ct_notifier_pkt.patch
 pf_packet.patch
-pf_packet_remove_warning.patch
-export_ip_conntrack_helpers.patch
-export_ip_nat_helpers.patch
 export_ip_conntrack_find.patch
-export_ip_nat_lock_and_hash.patch
+export_ip_nat_lock_and_hash.patch
 export_ip_conntrack_clean_from_lists.patch
-conntrack_hash_manip.patch
-conntrack_alloc.patch
+export_ip_conntrack_cleanup.patch
+ip_conntrack_hash_insert_nolock.patch
 ct_sync_config_and_makefile.patch