1. 26 Sep 2014, 3 commits
  2. 24 Sep 2014, 2 commits
    • tcp: add coalescing attempt in tcp_ofo_queue() · bd1e75ab
      Committed by Eric Dumazet
      In order to make TCP more resilient in the presence of reordering, we need
      to allow coalescing to happen when skbs from the out-of-order queue are
      transferred into the receive queue. LRO/GRO can be completely canceled
      in some pathological cases, like per-packet load balancing on aggregated
      links.
      
      I had to move tcp_try_coalesce() up in the file, above tcp_ofo_queue().
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • icmp: add a global rate limitation · 4cdf507d
      Committed by Eric Dumazet
      Current ICMP rate limiting uses the inetpeer cache, which is an RB tree
      protected by a lock, meaning that hosts can be stuck hard if all cpus
      want to check ICMP limits.
      
      When, say, a DNS or NTP server process is restarted, the inetpeer tree
      grows quickly and the machine is brought to its knees.
      
      iptables cannot help because the bottleneck happens before ICMP
      messages are even cooked and sent.
      
      This patch adds a new global limitation, using a token bucket filter,
      controlled by two new sysctls:
      
      icmp_msgs_per_sec - INTEGER
          Limit the maximum number of ICMP packets sent per second from this host.
          Only messages whose type matches icmp_ratemask are
          controlled by this limit.
          Default: 1000
      
      icmp_msgs_burst - INTEGER
          icmp_msgs_per_sec controls the number of ICMP packets sent per second,
          while icmp_msgs_burst controls the burst size of these packets.
          Default: 50
      
      Note that if we really want to send millions of ICMP messages per
      second, we might extend the idea and infrastructure added in commit 04ca6973
      ("ip: make IP identifiers less predictable"):
      add a token bucket in the ip_idents hash and no longer rely on inetpeer.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 23 Sep 2014, 2 commits
  4. 20 Sep 2014, 9 commits
  5. 16 Sep 2014, 4 commits
  6. 13 Sep 2014, 1 commit
    • udp: Fix inverted NAPI_GRO_CB(skb)->flush test · 2d8f7e2c
      Committed by Scott Wood
      Commit 2abb7cdc ("udp: Add support for doing checksum unnecessary
      conversion") caused napi_gro_cb structs with the "flush" field zero to
      take the "udp_gro_receive" path rather than the "set flush to 1" path
      that they would previously take.  As a result, I saw booting from an NFS
      root hang shortly after starting userspace, with "server not
      responding" messages.
      
      This change to the handling of "flush == 0" packets appears to be
      incidental to the goal of adding new code in the case where
      skb_gro_checksum_validate_zero_check() returns zero.  Based on that and
      the fact that it breaks things, I'm assuming that it is unintentional.
      
      Fixes: 2abb7cdc ("udp: Add support for doing checksum unnecessary conversion")
      Cc: Tom Herbert <therbert@google.com>
      Signed-off-by: Scott Wood <scottwood@freescale.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 10 Sep 2014, 5 commits
  8. 09 Sep 2014, 4 commits
  9. 07 Sep 2014, 1 commit
  10. 06 Sep 2014, 5 commits
  11. 05 Sep 2014, 1 commit
  12. 02 Sep 2014, 3 commits
    • netfilter: nft_chain_nat_ipv4: use generic IPv4 NAT code from core · 65cd90ac
      Committed by Pablo Neira Ayuso
      Use the exported IPv4 NAT functions that are provided by the core. This
      removes duplicated code so iptables and nft use the same NAT codebase.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nat: move specific NAT IPv4 to core · 30766f4c
      Committed by Pablo Neira Ayuso
      Move the specific NAT IPv4 core functions that are called from the
      hooks from iptable_nat.c to nf_nat_l3proto_ipv4.c. This prepares the
      ground for allowing iptables and nft to use the same NAT engine code,
      which comes in a follow-up patch.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • sock: deduplicate errqueue dequeue · 364a9e93
      Committed by Willem de Bruijn
      sk->sk_error_queue is dequeued in four locations. All share the
      exact same logic. Deduplicate.
      
      Also collapse the two critical sections for dequeue (at the top of
      the recv handler) and signal (at the bottom).
      
      This moves signal generation for the next packet forward, which should
      be harmless.
      
      It also changes the behavior if the recv handler exits early with an
      error. Previously, a signal for follow-up packets on the errqueue
      would then not be scheduled. The new behavior, to always signal, is
      arguably a bug fix.
      
      For rxrpc, the change causes the same function to be called repeatedly
      for each queued packet (because the recv handler == sk_error_report).
      It is likely that all packets will fail for the same reason (e.g.,
      memory exhaustion).
      
      This code runs without sk_lock held, so it is not safe to trust that
      sk->sk_err is immutable in between releasing q->lock and the subsequent
      test. Introduce a local int err just to avoid this potential race.
      Signed-off-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>