[PATCH] fixes for 2.4.1

Rusty Russell (rusty@linuxcare.com.au)
Wed, 24 Jan 2001 17:17:56 +1100


These are the only netfilter bug-fixes pending for 2.4.1:
o Rename enum to avoid IPv4/IPv6 clash
o Fix NAT overlap case.
o Fix obscure masquerade-breaks fwmark routing problem.
o Fix mangle align problem (for non-x86).

There are also some feature enhancements pending, but they can wait
for 2.4.2 (dropped table, adjustable hash sizes, multi-port FTP).

Cheers,
Rusty.

--
Premature optmztion is rt of all evl. --DK

--- working-2.4.0-test13-3/include/linux/netfilter_ipv6.h.~1~ Tue May 23 02:50:55 2000
+++ working-2.4.0-test13-3/include/linux/netfilter_ipv6.h Tue Jan 2 10:27:51 2001
@@ -54,7 +54,7 @@
 #define NF_IP6_NUMHOOKS 5
-enum nf_ip_hook_priorities {
+enum nf_ip6_hook_priorities {
 NF_IP6_PRI_FIRST = INT_MIN,
 NF_IP6_PRI_CONNTRACK = -200,
 NF_IP6_PRI_MANGLE = -150,
diff -urN -I \$.*\$ -X /tmp/kerndiff.QgcCTD --minimal linux-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c working-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c Fri Aug 11 05:35:15 2000
+++ working-2.4.1-pre10/net/ipv4/netfilter/ip_nat_core.c Wed Jan 24 17:16:07 2001
@@ -438,8 +438,27 @@
 conntrack));
 ret = 1;
 goto clear_fulls;
+ } else if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
+ /* Try implicit source NAT; protocol
+ may be able to play with ports to
+ make it unique. */
+ struct ip_nat_range r
+ = { IP_NAT_RANGE_MAP_IPS,
+ tuple->src.ip, tuple->src.ip,
+ { 0 }, { 0 } };
+ DEBUGP("Trying implicit mapping\n");
+ if (proto->unique_tuple(tuple, &r,
+ IP_NAT_MANIP_SRC,
+ conntrack)) {
+ /* Must be unique. */
+ IP_NF_ASSERT(!ip_nat_used_tuple
+ (tuple, conntrack));
+ ret = 1;
+ goto clear_fulls;
+ }
 }
- DEBUGP("Protocol can't get unique tuple.\n");
+ DEBUGP("Protocol can't get unique tuple %u.\n",
+ hooknum);
 }
 /* Eliminate that from range, and try again. */
diff -urN -I \$.*\$ -X /tmp/kerndiff.QgcCTD --minimal linux-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c working-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c
--- linux-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c Fri Aug 11 05:35:15 2000
+++ working-2.4.1-pre10/net/ipv4/netfilter/ipt_MASQUERADE.c Wed Jan 24 17:15:58 2001
@@ -68,6 +68,7 @@
 struct ip_nat_multi_range newrange;
 u_int32_t newsrc;
 struct rtable *rt;
+ struct rt_key key;
 IP_NF_ASSERT(hooknum == NF_IP_POST_ROUTING);
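Review bot: In ip_nat_core.c's new `IP_NAT_MANIP_DST` branch, the only check that the implicitly source-mapped tuple is really unused is `IP_NF_ASSERT(!ip_nat_used_tuple(tuple, conntrack))`, which presumably compiles away in non-debug builds, so the branch relies entirely on `proto->unique_tuple()` returning a correct answer. The branch also lets a destination-NAT hook alter the source side of a connection (the comment suggests the port), and that deserves an explicit line such as `/* NB: may change the source port even though only DNAT was requested. */`, because rules and logs keyed on the original source port will no longer match it. The positional initialiser of `struct ip_nat_range r` depends on member order; naming the members would keep it correct if the struct is ever rearranged. The enclosing function starts and ends outside the hunk.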
@@ -82,10 +83,14 @@
 mr = targinfo;
- if (ip_route_output(&rt, (*pskb)->nh.iph->daddr,
- 0,
- RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN,
- out->ifindex) != 0) {
+ key.dst = (*pskb)->nh.iph->daddr;
+ key.src = 0; /* Unknown: that's what we're trying to establish */
+ key.tos = RT_TOS((*pskb)->nh.iph->tos)|RTO_CONN;
+ key.oif = out->ifindex;
+#ifdef CONFIG_IP_ROUTE_FWMARK
+ key.fwmark = (*pskb)->nfmark;
+#endif
+ if (ip_route_output_key(&rt, &key) != 0) {
 /* Shouldn't happen */
 printk("MASQUERADE: No route: Rusty's brain broke!\n");
 return NF_DROP;
diff -urN -I \$.*\$ -X /tmp/kerndiff.QgcCTD --minimal linux-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c working-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c
--- linux-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c Sat Sep 16 15:37:23 2000
+++ working-2.4.1-pre10/net/ipv4/netfilter/iptable_mangle.c Wed Jan 24 17:16:15 2001
@@ -53,7 +53,7 @@
 sizeof(struct ipt_entry),
 sizeof(struct ipt_standard),
 0, { 0, 0 }, { } },
- { { { { sizeof(struct ipt_standard_target), "" } }, { } },
+ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
 -NF_ACCEPT - 1 } },
 /* LOCAL_OUT */
 { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
@@ -61,7 +61,7 @@
 sizeof(struct ipt_entry),
 sizeof(struct ipt_standard),
 0, { 0, 0 }, { } },
- { { { { sizeof(struct ipt_standard_target), "" } }, { } },
+ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
 -NF_ACCEPT - 1 } }
 },
 /* ERROR */
@@ -70,7 +70,7 @@
 sizeof(struct ipt_entry),
 sizeof(struct ipt_error),
 0, { 0, 0 }, { } },
- { { { { sizeof(struct ipt_error_target), IPT_ERROR_TARGET } },
+ { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
 { } },
 "ERROR"
 }
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/
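Review bot: In ipt_MASQUERADE.c, `struct rt_key key;` (declared in the preceding hunk) is an uninitialised stack object, and only `dst`, `src`, `tos`, `oif` and, under `CONFIG_IP_ROUTE_FWMARK`, `fwmark` are assigned before `ip_route_output_key(&rt, &key)` is called. If `struct rt_key` has any other members (its definition is not visible in this patch), the route lookup would be fed whatever was left on the stack, so I would zero the structure first with `memset(&key, 0, sizeof(key));` ahead of the assignments. The target function begins and ends outside the hunk.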
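Review bot: In iptable_mangle.c the target size in each initial-table entry is now wrapped in `IPT_ALIGN()`, but nothing next to the initialisers says why, while the neighbouring `sizeof(struct ipt_standard)` and `sizeof(struct ipt_error)` offsets stay as plain `sizeof`. A comment above the table such as `/* Target sizes must be IPT_ALIGN()ed; plain sizeof differs from the aligned size on some non-x86 architectures. */` would keep a later edit from reintroducing the mismatch. The same applies to the hunks at -61 and -70, and any other built-in table initialised with this pattern (none is part of this patch) presumably needs the same change. The table initialiser starts and ends outside the hunks.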