search for: ip_conntrack_core

...is_confirmed(struct ip_conntrack *ct) { - return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next !=3D NULL; + return test_bit(IPS_CONFIRMED_BIT, &ct->status); } =20 extern unsigned int ip_conntrack_htable_size; diff -urN --exclude-from=3Ddiff.exclude linux-2.4.20-base/net/ipv4/netfilte= r/ip_conntrack_core.c linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core= =2Ec --- linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_core.c Tue Feb 18 17:= 08:21 2003 +++ linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core.c Fri Feb 21 17:0= 1:39 2003 @@ -292,9 +292,6 @@ { DEBUGP("clean_from_lists(%p)\n&q...

...Priority: P2 Component: connection tracking AssignedTo: laforge@netfilter.org ReportedBy: laforge@netfilter.org CC: netfilter-buglog@lists.netfilter.org From: "Chris Poon" <Chris.Poon@TELUS.COM> After running a kernel with debugging on ip_conntrack_core.c, I can see that it doesn't find a match in the expected connections list, but the print out suggests that the expectation for the related connection is set correctly. That points me to two scenarios: 1) the related connection entry was not found in the expectation...

...seful starting point for a fix. Fix We decided to eliminate the race by having subsequent packets with the same conntrack tuple join the conntrack context of the first packet instead of creating a new conntrack context for each of them. Here's the patch: --- linux-2.4.32/net/ipv4/netfilter/ip_conntrack_core.c.orig 2005-04-03 18:42:20.000000000 -0700 +++ linux-2.4.32/net/ipv4/netfilter/ip_conntrack_core.c 2006-07-24 13:23:25.000000000 -0700 @@ -777,6 +777,14 @@ /* look for tuple match */ h = ip_conntrack_find_get(&tuple, NULL); if (!h) { + READ_LOCK(&ip_conntrack_lock); + h = LIST_FIND(...

...support is disabled > together with iptables-1.2.6a ( all compiled by myself). > I applied patches to netfilter using POM. which patches? > The following messages are seen in my log-file > ASSERT: ip_nat_core.c: 743 &ip_conntrack_lock not readlocked > ASSERT:ip_conntrack_core.c: 973 &ip_conntrack_lock readlocked how often do you see them? Do they have always the same line number? Could you send me a grep on all ''ASSERT:'' entries in your syslog? What kind of machine are you running? > Thanks for your help > Albrecht -- Live long an...

...s my fault to use a automatic build system and not check it... In the end the patch didn't apply in its whole and I didn't discover it, because the build system just went on. Here is the error: patching file include/linux/netfilter_ipv4/ip_conntrack.h patching file net/ipv4/netfilter/ip_conntrack_core.c patching file net/ipv4/netfilter/ip_conntrack_proto_tcp.c Hunk #1 FAILED at 192. 1 out of 1 hunk FAILED -- saving rejects to file net/ipv4/netfilter/ip_conntrack_proto_tcp.c.rej patching file net/ipv4/netfilter/ip_conntrack_proto_udp.c patching file net/ipv4/netfilter/ip_conntrack_standalon...

...handles the termination of ''expected'' connection; handling in the case when ''expected'' connection arrived, then terminates (In my conntrack module, I need to specially handle the event of termination termination of ''expected'' connection.) In ip_conntrack_core.c, I can''t find the call chain of deallocation of ''expectation'' after termination of ''expected'' connection. Deallocation must happen somewhere, but I don''t see any hooks related to termination of ''expected'' connection. Or ma...

...void *targinfo, void *userdata) { struct ipt_imq_info *mr = (struct ipt_imq_info*)targinfo; (*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE; (*pskb)->nfcache |= NFC_ALTERED; return IPT_CONTINUE; } I found that in places like ip_conntrack_core.c and ip_nat_core.c, nfcache references have just being removed. Tk in advance for any help. Cheers... -------------------------------------------------------------------- Andre D. Correa, CISSP | Visite meus projetos pessoais: andre.correa (at) pobox.com | Visit my personal projec...

...`/usr/src/linux-2.4.19/net/ipv4/netfilter' make[2]: Se elimina la dependencia circular /usr/src/linux-2.4.19/include/linux/netfilter_ipv4/ip_conntrack_helper.h <- /usr/src/linux-2.4.19/include/linux/netfilter_ipv4/ip_conntrack.h. ld -m elf_i386 -r -o ip_conntrack.o ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o ld -m elf_i386 -r -o iptable_nat.o ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o gcc -D__KERN...

...static __inline__ void list_del(struct list_head *entry) > { > __list_del(entry->prev, entry->next); > + entry->next =3D entry->prev =3D 0; > } > =20 > /** This change breaks an assumption made by the netfilter connection tracking code in linux/net/ipv4/netfilter/ip_conntrack_core.c: > static void > clean_from_lists(struct ip_conntrack *ct) > { > MUST_BE_WRITE_LOCKED(&ip_conntrack_lock); > /* Remove from both hash lists: must not NULL out next ptrs, > otherwise we'll look unconfirmed. Fortunately, LIST_DELETE >...

...etfilter.h 2004-08-04 22:47:49.000000000 +0200 @@ -24,6 +24,7 @@ <= 0x2000 is used for protocol-flags. */ #define NFC_UNKNOWN 0x4000 #define NFC_ALTERED 0x8000 +#define NFC_DEFRAGMENTED 0x10000 #ifdef __KERNEL__ #include <linux/config.h> --- linux-2.6.8-rc2-bk9/net/ipv4/netfilter/ip_conntrack_core.c.old 2004-08-04 22:46:32.000000000 +0200 +++ linux-2.6.8-rc2-bk9/net/ipv4/netfilter/ip_conntrack_core.c 2004-08-04 22:48:20.000000000 +0200 @@ -1212,7 +1212,7 @@ ip_ct_gather_frags(struct sk_buff *skb) } ip_send_check(skb->nh.iph); - skb->nfcache |= NFC_ALTERED; + skb->nfcache |= NF...

Hey guys, I am planning to buy some components for a Linux router that will handle the Internet access of 200 computers (includes tc shaping) and some inter sub-network routing (at least 100MBps per eth - and there are 3 eth cards). I was thinking of a: Pentium 4 - 3GHz 256 or 512MB RAM Network Cards. Now - I wonder what is more important: the processor speed or the amount of RAM. And can you

I have just completed the installation of a new firewall running Shorewall 1.4 on Mandrake 9.2 for our campus network. It appears to be running fairly well so far, but is generating significantly more log entries than our previous linux 2.0.x firewall... Our previous firewall enjoyed more than 6 years of 24/7 operation with no downtime before we finally decided it needed more horsepower, and

...nux-2.6.12-xen/net/ipv4/ip_sockglue.c 2006-02-17 00:45:18.235521137 +0100 ++++ linux-2.6.12-xen/net/ipv4/ip_sockglue.c 2006-02-25 00:12:33.777993342 +0100 @@ -848,6 +848,9 @@ mc_msf_out: case IP_IPSEC_POLICY: @@ -103812,7 +103815,7 @@ diff -Nurp pristine-linux-2.6.12/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.12-xen/net/ipv4/netfilter/ip_conntrack_core.c --- pristine-linux-2.6.12/net/ipv4/netfilter/ip_conntrack_core.c 2005-06-17 21:48:29.000000000 +0200 -+++ linux-2.6.12-xen/net/ipv4/netfilter/ip_conntrack_core.c 2006-02-17 00:45:18.236520984 +0100 ++++ linux-2.6.12-xen/net/ipv4/netfilter/i...