1. 23 12月, 2011 3 次提交
    • P
      netfilter: nf_nat: use hash random for bysource hash · 4d4e61c6
      Patrick McHardy 提交于
      Use nf_conntrack_hash_rnd in NAT bysource hash to avoid hash chain attacks.
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      Acked-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      4d4e61c6
    • P
      netfilter: nf_nat: export NAT definitions to userspace · cbc9f2f4
      Patrick McHardy 提交于
      Export the NAT definitions to userspace. So far userspace (specifically,
      iptables) has been copying the headers files from include/net. Also
      rename some structures and definitions in preparation for IPv6 NAT.
      Since these have never been officially exported, this doesn't affect
      existing userspace code.
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      cbc9f2f4
    • P
      netfilter: rework user-space expectation helper support · 3d058d7b
      Pablo Neira Ayuso 提交于
      This partially reworks bc01befd
      which added userspace expectation support.
      
      This patch removes the nf_ct_userspace_expect_list since now we
      force to use the new iptables CT target feature to add the helper
      extension for conntracks that have attached expectations from
      userspace.
      
      A new version of the proof-of-concept code to implement userspace
      helpers from userspace is available at:
      
      http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-POC.tar.bz2
      
      This patch also modifies the CT target to allow to set the
      conntrack's userspace helper status flags. This flag is used
      to tell the conntrack system to explicitly allocate the helper
      extension.
      
      This helper extension is useful to link the userspace expectations
      with the master conntrack that is being tracked from one userspace
      helper.
      
      This feature fixes a problem in the current approach of the
      userspace helper support. Basically, if the master conntrack that
      has got a userspace expectation vanishes, the expectations point to
      one invalid memory address. Thus, triggering an oops in the
      expectation deletion event path.
      
      I decided not to add a new revision of the CT target because
      I only needed to add a new flag for it. I'll document in this
      issue in the iptables manpage. I have also changed the return
      value from EINVAL to EOPNOTSUPP if one flag not supported is
      specified. Thus, in the future adding new features that only
      require a new flag can be added without a new revision.
      
      There is no official code using this in userspace (apart from
      the proof-of-concept) that uses this infrastructure but there
      will be some by beginning 2012.
      Reported-by: NSam Roberts <vieuxtech@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      3d058d7b
  2. 18 12月, 2011 3 次提交
  3. 13 12月, 2011 2 次提交
  4. 05 12月, 2011 5 次提交
    • F
      ipv6: add ip6_route_lookup · ea6e574e
      Florian Westphal 提交于
      like rt6_lookup, but allows caller to pass in flowi6 structure.
      Will be used by the upcoming ipv6 netfilter reverse path filter
      match.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      ea6e574e
    • F
      netfilter: add ipv4 reverse path filter match · 8f97339d
      Florian Westphal 提交于
      This tries to do the same thing as fib_validate_source(), but differs
      in several aspects.
      
      The most important difference is that the reverse path filter built into
      fib_validate_source uses the oif as iif when performing the reverse
      lookup.  We do not do this, as the oif is not yet known by the time the
      PREROUTING hook is invoked.
      
      We can't wait until FORWARD chain because by the time FORWARD is invoked
      ipv4 forward path may have already sent icmp messages is response
      to to-be-discarded-via-rpfilter packets.
      
      To avoid the such an additional lookup in PREROUTING, Patrick McHardy
      suggested to attach the path information directly in the match
      (i.e., just do what the standard ipv4 path does a bit earlier in PREROUTING).
      
      This works, but it also has a few caveats. Most importantly, when using
      marks in PREROUTING to re-route traffic based on the nfmark, -m rpfilter
      would have to be used after the nfmark has been set; otherwise the nfmark
      would have no effect (because the route is already attached).
      
      Another problem would be interaction with -j TPROXY, as this target sets an
      nfmark and uses ACCEPT instead of continue, i.e. such a version of
      -m rpfilter cannot be used for the initial to-be-intercepted packets.
      
      In case in turns out that the oif is required, we can add Patricks
      suggestion with a new match option (e.g. --rpf-use-oif) to keep ruleset
      compatibility.
      
      Another difference to current builtin ipv4 rpfilter is that packets subject to ipsec
      transformation are not automatically excluded. If you want this, simply
      combine -m rpfilter with the policy match.
      
      Packets arriving on loopback interfaces always match.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      8f97339d
    • F
      net: ipv4: export fib_lookup and fib_table_lookup · 6fc01438
      Florian Westphal 提交于
      The reverse path filter module will use fib_lookup.
      
      If CONFIG_IP_MULTIPLE_TABLES is not set, fib_lookup is
      only a static inline helper that calls fib_table_lookup,
      so export that too.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      6fc01438
    • E
      tcp: tcp_sendmsg() page recycling · 761965ea
      Eric Dumazet 提交于
      If our TCP_PAGE(sk) is not shared (page_count() == 1), we can set page
      offset to 0.
      
      This permits better filling of the pages on small to medium tcp writes.
      
      "tbench 16" results on my dev server (2x4x2 machine) :
      
      Before : 3072 MB/s
      After  : 3146 MB/s  (2.4 % gain)
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      761965ea
    • E
      tcp: take care of misalignments · 117632e6
      Eric Dumazet 提交于
      We discovered that TCP stack could retransmit misaligned skbs if a
      malicious peer acknowledged sub MSS frame. This currently can happen
      only if output interface is non SG enabled : If SG is enabled, tcp
      builds headless skbs (all payload is included in fragments), so the tcp
      trimming process only removes parts of skb fragments, header stay
      aligned.
      
      Some arches cant handle misalignments, so force a head reallocation and
      shrink headroom to MAX_TCP_HEADER.
      
      Dont care about misaligments on x86 and PPC (or other arches setting
      NET_IP_ALIGN to 0)
      
      This patch introduces __pskb_copy() which can specify the headroom of
      new head, and pskb_copy() becomes a wrapper on top of __pskb_copy()
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      117632e6
  5. 04 12月, 2011 15 次提交
  6. 03 12月, 2011 4 次提交
  7. 02 12月, 2011 8 次提交
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5983fe2b
      Linus Torvalds 提交于
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
        netfilter: Remove ADVANCED dependency from NF_CONNTRACK_NETBIOS_NS
        ipv4: flush route cache after change accept_local
        sch_red: fix red_change
        Revert "udp: remove redundant variable"
        bridge: master device stuck in no-carrier state forever when in user-stp mode
        ipv4: Perform peer validation on cached route lookup.
        net/core: fix rollback handler in register_netdevice_notifier
        sch_red: fix red_calc_qavg_from_idle_time
        bonding: only use primary address for ARP
        ipv4: fix lockdep splat in rt_cache_seq_show
        sch_teql: fix lockdep splat
        net: fec: Select the FEC driver by default for i.MX SoCs
        isdn: avoid copying too long drvid
        isdn: make sure strings are null terminated
        netlabel: Fix build problems when IPv6 is not enabled
        sctp: better integer overflow check in sctp_auth_create_key()
        sctp: integer overflow in sctp_auth_create_key()
        ipv6: Set mcast_hops to IPV6_DEFAULT_MCASTHOPS when -1 was given.
        net: Fix corruption in /proc/*/net/dev_mcast
        mac80211: fix race between the AGG SM and the Tx data path
        ...
      5983fe2b
    • D
      netfilter: Remove ADVANCED dependency from NF_CONNTRACK_NETBIOS_NS · 3ced1be5
      David S. Miller 提交于
      firewalld in Fedora 16 needs this.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3ced1be5
    • D
      niu: Add support for byte queue limits. · efa230f2
      David S. Miller 提交于
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      efa230f2
    • D
      63ec3c83
    • P
      ipv4: flush route cache after change accept_local · d01ff0a0
      Peter Pan(潘卫平) 提交于
      After reset ipv4_devconf->data[IPV4_DEVCONF_ACCEPT_LOCAL] to 0,
      we should flush route cache, or it will continue receive packets with local
      source address, which should be dropped.
      Signed-off-by: NWeiping Pan <panweiping3@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d01ff0a0
    • E
      sch_red: fix red_change · 1ee5fa1e
      Eric Dumazet 提交于
      Le mercredi 30 novembre 2011 à 14:36 -0800, Stephen Hemminger a écrit :
      
      > (Almost) nobody uses RED because they can't figure it out.
      > According to Wikipedia, VJ says that:
      >  "there are not one, but two bugs in classic RED."
      
      RED is useful for high throughput routers, I doubt many linux machines
      act as such devices.
      
      I was considering adding Adaptative RED (Sally Floyd, Ramakrishna
      Gummadi, Scott Shender), August 2001
      
      In this version, maxp is dynamic (from 1% to 50%), and user only have to
      setup min_th (target average queue size)
      (max_th and wq (burst in linux RED) are automatically setup)
      
      By the way it seems we have a small bug in red_change()
      
      if (skb_queue_empty(&sch->q))
      	red_end_of_idle_period(&q->parms);
      
      First, if queue is empty, we should call
      red_start_of_idle_period(&q->parms);
      
      Second, since we dont use anymore sch->q, but q->qdisc, the test is
      meaningless.
      
      Oh well...
      
      [PATCH] sch_red: fix red_change()
      
      Now RED is classful, we must check q->qdisc->q.qlen, and if queue is empty,
      we start an idle period, not end it.
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ee5fa1e
    • L
      Linux 3.2-rc4 · 5611cc45
      Linus Torvalds 提交于
      5611cc45
    • L
      Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2 · 0a4ebed7
      Linus Torvalds 提交于
      * 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jlbec/ocfs2: (31 commits)
        ocfs2: avoid unaligned access to dqc_bitmap
        ocfs2: Use filemap_write_and_wait() instead of write_inode_now()
        ocfs2: honor O_(D)SYNC flag in fallocate
        ocfs2: Add a missing journal credit in ocfs2_link_credits() -v2
        ocfs2: send correct UUID to cleancache initialization
        ocfs2: Commit transactions in error cases -v2
        ocfs2: make direntry invalid when deleting it
        fs/ocfs2/dlm/dlmlock.c: free kmem_cache_zalloc'd data using kmem_cache_free
        ocfs2: Avoid livelock in ocfs2_readpage()
        ocfs2: serialize unaligned aio
        ocfs2: Implement llseek()
        ocfs2: Fix ocfs2_page_mkwrite()
        ocfs2: Add comment about orphan scanning
        ocfs2: Clean up messages in the fs
        ocfs2/cluster: Cluster up now includes network connections too
        ocfs2/cluster: Add new function o2net_fill_node_map()
        ocfs2/cluster: Fix output in file elapsed_time_in_ms
        ocfs2/dlm: dlmlock_remote() needs to account for remastery
        ocfs2/dlm: Take inflight reference count for remotely mastered resources too
        ocfs2/dlm: Cleanup dlm_wait_for_node_death() and dlm_wait_for_node_recovery()
        ...
      0a4ebed7