1. 25 1月, 2011 2 次提交
  2. 24 1月, 2011 1 次提交
  3. 22 1月, 2011 2 次提交
  4. 21 1月, 2011 11 次提交
  5. 20 1月, 2011 14 次提交
  6. 19 1月, 2011 6 次提交
    • P
      netfilter: nf_conntrack_tstamp: add flow-based timestamp extension · a992ca2a
      Pablo Neira Ayuso 提交于
      This patch adds flow-based timestamping for conntracks. This
      conntrack extension is disabled by default. Basically, we use
      two 64-bits variables to store the creation timestamp once the
      conntrack has been confirmed and the other to store the deletion
      time. This extension is disabled by default, to enable it, you
      have to:
      
      echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
      
      This patch allows to save memory for user-space flow-based
      loogers such as ulogd2. In short, ulogd2 does not need to
      keep a hashtable with the conntrack in user-space to know
      when they were created and destroyed, instead we use the
      kernel timestamp. If we want to have a sane IPFIX implementation
      in user-space, this nanosecs resolution timestamps are also
      useful. Other custom user-space applications can benefit from
      this via libnetfilter_conntrack.
      
      This patch modifies the /proc output to display the delta time
      in seconds since the flow start. You can also obtain the
      flow-start date by means of the conntrack-tools.
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      a992ca2a
    • E
      net: filter: dont block softirqs in sk_run_filter() · 80f8f102
      Eric Dumazet 提交于
      Packet filter (BPF) doesnt need to disable softirqs, being fully
      re-entrant and lock-less.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      80f8f102
    • A
      af_unix: implement socket filter · d6ae3bae
      Alban Crequy 提交于
      Linux Socket Filters can already be successfully attached and detached on unix
      sockets with setsockopt(sockfd, SOL_SOCKET, SO_{ATTACH,DETACH}_FILTER, ...).
      See: Documentation/networking/filter.txt
      
      But the filter was never used in the unix socket code so it did not work. This
      patch uses sk_filter() to filter buffers before delivery.
      
      This short program demonstrates the problem on SOCK_DGRAM.
      
      int main(void) {
        int i, j, ret;
        int sv[2];
        struct pollfd fds[2];
        char *message = "Hello world!";
        char buffer[64];
        struct sock_filter ins[32] = {{0,},};
        struct sock_fprog filter;
      
        socketpair(AF_UNIX, SOCK_DGRAM, 0, sv);
      
        for (i = 0 ; i < 2 ; i++) {
          fds[i].fd = sv[i];
          fds[i].events = POLLIN;
          fds[i].revents = 0;
        }
      
        for(j = 1 ; j < 13 ; j++) {
      
          /* Set a socket filter to truncate the message */
          memset(ins, 0, sizeof(ins));
          ins[0].code = BPF_RET|BPF_K;
          ins[0].k = j;
          filter.len = 1;
          filter.filter = ins;
          setsockopt(sv[1], SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter));
      
          /* send a message */
          send(sv[0], message, strlen(message) + 1, 0);
      
          /* The filter should let the message pass but truncated. */
          poll(fds, 2, 0);
      
          /* Receive the truncated message*/
          ret = recv(sv[1], buffer, 64, 0);
          printf("received %d bytes, expected %d\n", ret, j);
        }
      
          for (i = 0 ; i < 2 ; i++)
            close(sv[i]);
      
        return 0;
      }
      Signed-off-by: NAlban Crequy <alban.crequy@collabora.co.uk>
      Reviewed-by: NIan Molton <ian.molton@collabora.co.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d6ae3bae
    • J
      net offloading: Do not mask out NETIF_F_HW_VLAN_TX for vlan. · 6ee400aa
      Jesse Gross 提交于
      In netif_skb_features() we return only the features that are valid for vlans
      if we have a vlan packet.  However, we should not mask out NETIF_F_HW_VLAN_TX
      since it enables transmission of vlan tags and is obviously valid.
      Reported-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NJesse Gross <jesse@nicira.com>
      Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6ee400aa
    • R
      ipv6: Silence privacy extensions initialization · 2fdc1c80
      Romain Francoise 提交于
      When a network namespace is created (via CLONE_NEWNET), the loopback
      interface is automatically added to the new namespace, triggering a
      printk in ipv6_add_dev() if CONFIG_IPV6_PRIVACY is set.
      
      This is problematic for applications which use CLONE_NEWNET as
      part of a sandbox, like Chromium's suid sandbox or recent versions of
      vsftpd. On a busy machine, it can lead to thousands of useless
      "lo: Disabled Privacy Extensions" messages appearing in dmesg.
      
      It's easy enough to check the status of privacy extensions via the
      use_tempaddr sysctl, so just removing the printk seems like the most
      sensible solution.
      Signed-off-by: NRomain Francoise <romain@orebokech.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2fdc1c80
    • J
      netfilter: nf_conntrack: nf_conntrack snmp helper · 93557f53
      Jiri Olsa 提交于
      Adding support for SNMP broadcast connection tracking. The SNMP
      broadcast requests are now paired with the SNMP responses.
      Thus allowing using SNMP broadcasts with firewall enabled.
      
      Please refer to the following conversation:
      http://marc.info/?l=netfilter-devel&m=125992205006600&w=2
      
      Patrick McHardy wrote:
      > > The best solution would be to add generic broadcast tracking, the
      > > use of expectations for this is a bit of abuse.
      > > The second best choice I guess would be to move the help() function
      > > to a shared module and generalize it so it can be used for both.
      This patch implements the "second best choice".
      
      Since the netbios-ns conntrack module uses the same helper
      functionality as the snmp, only one helper function is added
      for both snmp and netbios-ns modules into the new object -
      nf_conntrack_broadcast.
      Signed-off-by: NJiri Olsa <jolsa@redhat.com>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      93557f53
  7. 18 1月, 2011 4 次提交
    • E
      netfilter: ipt_CLUSTERIP: remove "no conntrack!" · 94d117a1
      Eric Dumazet 提交于
      When a packet is meant to be handled by another node of the cluster,
      silently drop it instead of flooding kernel log.
      
      Note : INVALID packets are also dropped without notice.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Acked-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      94d117a1
    • F
      netfilter: allow NFQUEUE bypass if no listener is available · 94b27cc3
      Florian Westphal 提交于
      If an skb is to be NF_QUEUE'd, but no program has opened the queue, the
      packet is dropped.
      
      This adds a v2 target revision of xt_NFQUEUE that allows packets to
      continue through the ruleset instead.
      
      Because the actual queueing happens outside of the target context, the
      'bypass' flag has to be communicated back to the netfilter core.
      
      Unfortunately the only choice to do this without adding a new function
      argument is to use the target function return value (i.e. the verdict).
      
      In the NF_QUEUE case, the upper 16bit already contain the queue number
      to use.  The previous patch reduced NF_VERDICT_MASK to 0xff, i.e.
      we now have extra room for a new flag.
      
      If a hook issued a NF_QUEUE verdict, then the netfilter core will
      continue packet processing if the queueing hook
      returns -ESRCH (== "this queue does not exist") and the new
      NF_VERDICT_FLAG_QUEUE_BYPASS flag is set in the verdict value.
      
      Note: If the queue exists, but userspace does not consume packets fast
      enough, the skb will still be dropped.
      Signed-off-by: NFlorian Westphal <fwestphal@astaro.com>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      94b27cc3
    • F
      netfilter: reduce NF_VERDICT_MASK to 0xff · f615df76
      Florian Westphal 提交于
      NF_VERDICT_MASK is currently 0xffff. This is because the upper
      16 bits are used to store errno (for NF_DROP) or the queue number
      (NF_QUEUE verdict).
      
      As there are up to 0xffff different queues available, there is no more
      room to store additional flags.
      
      At the moment there are only 6 different verdicts, i.e. we can reduce
      NF_VERDICT_MASK to 0xff to allow storing additional flags in the 0xff00 space.
      
      NF_VERDICT_BITS would then be reduced to 8, but because the value is
      exported to userspace, this might cause breakage; e.g.:
      
      e.g. 'queuenr = (1 << NF_VERDICT_BITS) | NF_QUEUE'  would now break.
      
      Thus, remove NF_VERDICT_BITS usage in the kernel and move the old value
      to the 'userspace compat' section.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      f615df76
    • F
      netfilter: nfnetlink_queue: do not free skb on error · 06cdb634
      Florian Westphal 提交于
      Move free responsibility from nf_queue to caller.
      This enables more flexible error handling; we can now accept the skb
      instead of freeing it.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      06cdb634