[PATCH] Conntrack l4 protocol helper for GRE has no GRE/IPv6 support

2018-09-12 Thread Ignatius Cheng
Add and register l4 GRE/IPv6 support.

Signed-off-by: Ignatius Cheng
---
 net/netfilter/nf_conntrack_proto_gre.c | 54 +-
 1 file changed, 53 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c

[PATCH nf-next] netfilter: nat: remove duplicate skb_is_nonlinear() in __nf_nat_mangle_tcp_packet()

2018-09-12 Thread Taehee Yoo
__nf_nat_mangle_tcp_packet() and nf_nat_mangle_udp_packet() call mangle_contents(), and __nf_nat_mangle_tcp_packet() and mangle_contents() call skb_is_nonlinear(), so the skb_is_nonlinear() in __nf_nat_mangle_tcp_packet() is unnecessary.

Signed-off-by: Taehee Yoo
---

[PATCH nf-next 8/8] netfilter: conntrack: clamp l4proto array size at largest supported protocol

2018-09-12 Thread Florian Westphal
All higher l4proto numbers are handled by the generic tracker; the l4proto lookup function already returns the generic one in case the l4proto number exceeds max size.

Signed-off-by: Florian Westphal
---
 include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
 net/netfilter/nf_conntrack_proto.c

[PATCH nf-next 6/8] netfilter: conntrack: remove unused proto arg from netns init functions

2018-09-12 Thread Florian Westphal
It's unused; the next patch will remove the l4proto->l3proto number to simplify l4 protocol demuxer lookup.

Signed-off-by: Florian Westphal
---
 include/net/netfilter/nf_conntrack_l4proto.h | 2 +-
 net/netfilter/nf_conntrack_proto.c | 5 ++---
 net/netfilter/nf_conntrack_proto_dccp.c | 2 +-

[PATCH nf-next 7/8] netfilter: conntrack: remove l3->l4 mapping information

2018-09-12 Thread Florian Westphal
l4 protocols are demuxed by l3num, l4num pair. However, almost all l4 trackers are l3 agnostic. Only exceptions are:

- gre, icmp (ipv4 only)
- icmpv6 (ipv6 only)

This commit gets rid of the l3 mapping, l4 trackers can now be looked up by their IPPROTO_XXX value alone, which gets rid of the

[PATCH nf-next 2/8] netfilter: conntrack: remove the l4proto->new() function

2018-09-12 Thread Florian Westphal
->new() gets invoked after ->error() and before ->packet() if a conntrack lookup has found no result for the tuple. We can fold it into ->packet() -- the packet() implementations can check if the conntrack is confirmed (new) or not (already in hash). If it's unconfirmed, the conntrack isn't in

[PATCH nf-next 5/8] netfilter: conntrack: remove error callback and handle icmp from core

2018-09-12 Thread Florian Westphal
icmp(v6) are the only two layer four protocols that need the error() callback (to handle icmp errors that are related to an established connection, e.g. packet too big, port unreachable and the like). Remove the error callback and handle these two special cases from the core. Signed-off-by:

[PATCH nf-next 4/8] netfilter: conntrack: avoid using ->error callback if possible

2018-09-12 Thread Florian Westphal
The error() handler gets called before allocating or looking up a connection tracking entry. We can instead use direct calls from the ->packet() handlers which get invoked for every packet anyway. The only exceptions are icmp and icmpv6; these two special cases will be handled in the next patch.

[PATCH nf-next 3/8] netfilter: conntrack: deconstify packet callback skb pointer

2018-09-12 Thread Florian Westphal
Only two protocols need the ->error() function: icmp and icmpv6. This is because icmp error messages might be RELATED to an existing connection (e.g. PMTUD, port unreachable and the like), and their ->error() handlers do this. The error callback is already optional, so remove it for udp and call