1. 05 12月, 2011 4 次提交
    • F
      netfilter: add ipv4 reverse path filter match · 8f97339d
      Florian Westphal 提交于
      This tries to do the same thing as fib_validate_source(), but differs
      in several aspects.
      
      The most important difference is that the reverse path filter built into
      fib_validate_source uses the oif as iif when performing the reverse
      lookup.  We do not do this, as the oif is not yet known by the time the
      PREROUTING hook is invoked.
      
      We can't wait until FORWARD chain because by the time FORWARD is invoked
      ipv4 forward path may have already sent icmp messages is response
      to to-be-discarded-via-rpfilter packets.
      
      To avoid the such an additional lookup in PREROUTING, Patrick McHardy
      suggested to attach the path information directly in the match
      (i.e., just do what the standard ipv4 path does a bit earlier in PREROUTING).
      
      This works, but it also has a few caveats. Most importantly, when using
      marks in PREROUTING to re-route traffic based on the nfmark, -m rpfilter
      would have to be used after the nfmark has been set; otherwise the nfmark
      would have no effect (because the route is already attached).
      
      Another problem would be interaction with -j TPROXY, as this target sets an
      nfmark and uses ACCEPT instead of continue, i.e. such a version of
      -m rpfilter cannot be used for the initial to-be-intercepted packets.
      
      In case in turns out that the oif is required, we can add Patricks
      suggestion with a new match option (e.g. --rpf-use-oif) to keep ruleset
      compatibility.
      
      Another difference to current builtin ipv4 rpfilter is that packets subject to ipsec
      transformation are not automatically excluded. If you want this, simply
      combine -m rpfilter with the policy match.
      
      Packets arriving on loopback interfaces always match.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      8f97339d
    • F
      net: ipv4: export fib_lookup and fib_table_lookup · 6fc01438
      Florian Westphal 提交于
      The reverse path filter module will use fib_lookup.
      
      If CONFIG_IP_MULTIPLE_TABLES is not set, fib_lookup is
      only a static inline helper that calls fib_table_lookup,
      so export that too.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      6fc01438
    • E
      tcp: tcp_sendmsg() page recycling · 761965ea
      Eric Dumazet 提交于
      If our TCP_PAGE(sk) is not shared (page_count() == 1), we can set page
      offset to 0.
      
      This permits better filling of the pages on small to medium tcp writes.
      
      "tbench 16" results on my dev server (2x4x2 machine) :
      
      Before : 3072 MB/s
      After  : 3146 MB/s  (2.4 % gain)
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      761965ea
    • E
      tcp: take care of misalignments · 117632e6
      Eric Dumazet 提交于
      We discovered that TCP stack could retransmit misaligned skbs if a
      malicious peer acknowledged sub MSS frame. This currently can happen
      only if output interface is non SG enabled : If SG is enabled, tcp
      builds headless skbs (all payload is included in fragments), so the tcp
      trimming process only removes parts of skb fragments, header stay
      aligned.
      
      Some arches cant handle misalignments, so force a head reallocation and
      shrink headroom to MAX_TCP_HEADER.
      
      Dont care about misaligments on x86 and PPC (or other arches setting
      NET_IP_ALIGN to 0)
      
      This patch introduces __pskb_copy() which can specify the headroom of
      new head, and pskb_copy() becomes a wrapper on top of __pskb_copy()
      Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      117632e6
  2. 04 12月, 2011 15 次提交
  3. 03 12月, 2011 4 次提交
  4. 02 12月, 2011 17 次提交