1. 14 8月, 2008 1 次提交
    • D
      netns: Fix crash by making igmp per namespace · 877acedc
      Daniel Lezcano 提交于
      This patch makes the multicast socket to be per namespace.
      
      When a network namespace is created, other than the init_net and a
      multicast packet is received, the kernel goes to a hang or a kernel panic.
      
      How to reproduce ?
      
       * create a child network namespace
       * create a pair virtual device veth
          * ip link add type veth
       * move one side to the pair network device to the child namespace
          * ip link set netns <childpid> dev veth1
       * ping -I veth0 224.0.0.1
      
      The bug appears because the function ip_mc_init_dev does not initialize
      the different multicast fields as it exits because it is not the init_net.
      
      BUG: soft lockup - CPU#0 stuck for 61s! [avahi-daemon:2695]
      Modules linked in:
      irq event stamp: 50350
      hardirqs last  enabled at (50349): [<c03ee949>] _spin_unlock_irqrestore+0x34/0x39
      hardirqs last disabled at (50350): [<c03ec639>] schedule+0x9f/0x5ff
      softirqs last  enabled at (45712): [<c0374d4b>] ip_setsockopt+0x8e7/0x909
      softirqs last disabled at (45710): [<c03ee682>] _spin_lock_bh+0x8/0x27
      
      Pid: 2695, comm: avahi-daemon Not tainted (2.6.27-rc2-00029-g0872073 #3)
      EIP: 0060:[<c03ee47c>] EFLAGS: 00000297 CPU: 0
      EIP is at __read_lock_failed+0x8/0x10
      EAX: c4f38810 EBX: c4f38810 ECX: 00000000 EDX: c04cc22e
      ESI: fb0000e0 EDI: 00000011 EBP: 0f02000a ESP: c4e3faa0
       DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      CR0: 8005003b CR2: 44618a40 CR3: 04e37000 CR4: 000006d0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
       [<c02311f8>] ? _raw_read_lock+0x23/0x25
       [<c0390666>] ? ip_check_mc+0x1c/0x83
       [<c036d478>] ? ip_route_input+0x229/0xe92
       [<c022e2e4>] ? trace_hardirqs_on_thunk+0xc/0x10
       [<c0104c9c>] ? do_IRQ+0x69/0x7d
       [<c0102e64>] ? restore_nocheck_notrace+0x0/0xe
       [<c036fdba>] ? ip_rcv+0x227/0x505
       [<c0358764>] ? netif_receive_skb+0xfe/0x2b3
       [<c03588d2>] ? netif_receive_skb+0x26c/0x2b3
       [<c035af31>] ? process_backlog+0x73/0xbd
       [<c035a8cd>] ? net_rx_action+0xc1/0x1ae
       [<c01218a8>] ? __do_softirq+0x7b/0xef
       [<c0121953>] ? do_softirq+0x37/0x4d
       [<c035b50d>] ? dev_queue_xmit+0x3d4/0x40b
       [<c0122037>] ? local_bh_enable+0x96/0xab
       [<c035b50d>] ? dev_queue_xmit+0x3d4/0x40b
       [<c012181e>] ? _local_bh_enable+0x79/0x88
       [<c035fcb8>] ? neigh_resolve_output+0x20f/0x239
       [<c0373118>] ? ip_finish_output+0x1df/0x209
       [<c0373364>] ? ip_dev_loopback_xmit+0x62/0x66
       [<c0371db5>] ? ip_local_out+0x15/0x17
       [<c0372013>] ? ip_push_pending_frames+0x25c/0x2bb
       [<c03891b8>] ? udp_push_pending_frames+0x2bb/0x30e
       [<c038a189>] ? udp_sendmsg+0x413/0x51d
       [<c038a1a9>] ? udp_sendmsg+0x433/0x51d
       [<c038f927>] ? inet_sendmsg+0x35/0x3f
       [<c034f092>] ? sock_sendmsg+0xb8/0xd1
       [<c012d554>] ? autoremove_wake_function+0x0/0x2b
       [<c022e6de>] ? copy_from_user+0x32/0x5e
       [<c022e6de>] ? copy_from_user+0x32/0x5e
       [<c034f238>] ? sys_sendmsg+0x18d/0x1f0
       [<c0175e90>] ? pipe_write+0x3cb/0x3d7
       [<c0170347>] ? do_sync_write+0xbe/0x105
       [<c012d554>] ? autoremove_wake_function+0x0/0x2b
       [<c03503b2>] ? sys_socketcall+0x176/0x1b0
       [<c01085ea>] ? syscall_trace_enter+0x6c/0x7b
       [<c0102e1a>] ? syscall_call+0x7/0xb
      Signed-off-by: NDaniel Lezcano <dlezcano@fr.ibm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      877acedc
  2. 11 8月, 2008 9 次提交
  3. 09 8月, 2008 1 次提交
  4. 08 8月, 2008 1 次提交
  5. 07 8月, 2008 2 次提交
    • G
      tcp: Fix kernel panic when calling tcp_v(4/6)_md5_do_lookup · 6edafaaf
      Gui Jianfeng 提交于
      If the following packet flow happen, kernel will panic.
      MathineA			MathineB
      		SYN
      	---------------------->    
              	SYN+ACK
      	<----------------------
      		ACK(bad seq)
      	---------------------->
      When a bad seq ACK is received, tcp_v4_md5_do_lookup(skb->sk, ip_hdr(skb)->daddr))
      is finally called by tcp_v4_reqsk_send_ack(), but the first parameter(skb->sk) is 
      NULL at that moment, so kernel panic happens.
      This patch fixes this bug.
      
      OOPS output is as following:
      [  302.812793] IP: [<c05cfaa6>] tcp_v4_md5_do_lookup+0x12/0x42
      [  302.817075] Oops: 0000 [#1] SMP 
      [  302.819815] Modules linked in: ipv6 loop dm_multipath rtc_cmos rtc_core rtc_lib pcspkr pcnet32 mii i2c_piix4 parport_pc i2c_core parport ac button ata_piix libata dm_mod mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod crc_t10dif ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: scsi_wait_scan]
      [  302.849946] 
      [  302.851198] Pid: 0, comm: swapper Not tainted (2.6.27-rc1-guijf #5)
      [  302.855184] EIP: 0060:[<c05cfaa6>] EFLAGS: 00010296 CPU: 0
      [  302.858296] EIP is at tcp_v4_md5_do_lookup+0x12/0x42
      [  302.861027] EAX: 0000001e EBX: 00000000 ECX: 00000046 EDX: 00000046
      [  302.864867] ESI: ceb69e00 EDI: 1467a8c0 EBP: cf75f180 ESP: c0792e54
      [  302.868333]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [  302.871287] Process swapper (pid: 0, ti=c0792000 task=c0712340 task.ti=c0746000)
      [  302.875592] Stack: c06f413a 00000000 cf75f180 ceb69e00 00000000 c05d0d86 000016d0 ceac5400 
      [  302.883275]        c05d28f8 000016d0 ceb69e00 ceb69e20 681bf6e3 00001000 00000000 0a67a8c0 
      [  302.890971]        ceac5400 c04250a3 c06f413a c0792eb0 c0792edc cf59a620 cf59a620 cf59a634 
      [  302.900140] Call Trace:
      [  302.902392]  [<c05d0d86>] tcp_v4_reqsk_send_ack+0x17/0x35
      [  302.907060]  [<c05d28f8>] tcp_check_req+0x156/0x372
      [  302.910082]  [<c04250a3>] printk+0x14/0x18
      [  302.912868]  [<c05d0aa1>] tcp_v4_do_rcv+0x1d3/0x2bf
      [  302.917423]  [<c05d26be>] tcp_v4_rcv+0x563/0x5b9
      [  302.920453]  [<c05bb20f>] ip_local_deliver_finish+0xe8/0x183
      [  302.923865]  [<c05bb10a>] ip_rcv_finish+0x286/0x2a3
      [  302.928569]  [<c059e438>] dev_alloc_skb+0x11/0x25
      [  302.931563]  [<c05a211f>] netif_receive_skb+0x2d6/0x33a
      [  302.934914]  [<d0917941>] pcnet32_poll+0x333/0x680 [pcnet32]
      [  302.938735]  [<c05a3b48>] net_rx_action+0x5c/0xfe
      [  302.941792]  [<c042856b>] __do_softirq+0x5d/0xc1
      [  302.944788]  [<c042850e>] __do_softirq+0x0/0xc1
      [  302.948999]  [<c040564b>] do_softirq+0x55/0x88
      [  302.951870]  [<c04501b1>] handle_fasteoi_irq+0x0/0xa4
      [  302.954986]  [<c04284da>] irq_exit+0x35/0x69
      [  302.959081]  [<c0405717>] do_IRQ+0x99/0xae
      [  302.961896]  [<c040422b>] common_interrupt+0x23/0x28
      [  302.966279]  [<c040819d>] default_idle+0x2a/0x3d
      [  302.969212]  [<c0402552>] cpu_idle+0xb2/0xd2
      [  302.972169]  =======================
      [  302.974274] Code: fc ff 84 d2 0f 84 df fd ff ff e9 34 fe ff ff 83 c4 0c 5b 5e 5f 5d c3 90 90 57 89 d7 56 53 89 c3 50 68 3a 41 6f c0 e8 e9 55 e5 ff <8b> 93 9c 04 00 00 58 85 d2 59 74 1e 8b 72 10 31 db 31 c9 85 f6 
      [  303.011610] EIP: [<c05cfaa6>] tcp_v4_md5_do_lookup+0x12/0x42 SS:ESP 0068:c0792e54
      [  303.018360] Kernel panic - not syncing: Fatal exception in interrupt
      Signed-off-by: NGui Jianfeng <guijianfeng@cn.fujitsu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6edafaaf
    • D
      ipv4: Fix over-ifdeffing of ip_static_sysctl_init. · 11d46123
      David S. Miller 提交于
      Noticed by Paulius Zaleckas.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      11d46123
  6. 06 8月, 2008 2 次提交
  7. 04 8月, 2008 1 次提交
  8. 01 8月, 2008 3 次提交
  9. 31 7月, 2008 2 次提交
  10. 30 7月, 2008 1 次提交
  11. 28 7月, 2008 1 次提交
    • A
      missing bits of net-namespace / sysctl · eeb61f71
      Al Viro 提交于
      Piss-poor sysctl registration API strikes again, film at 11...
      
      What we really need is _pathname_ required to be present in already
      registered table, so that kernel could warn about bad order.  That's the
      next target for sysctl stuff (and generally saner and more explicit
      order of initialization of ipv[46] internals wouldn't hurt either).
      
      For the time being, here are full fixups required by ..._rotable()
      stuff; we make per-net sysctl sets descendents of "ro" one and make sure
      that sufficient skeleton is there before we start registering per-net
      sysctls.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      eeb61f71
  12. 27 7月, 2008 6 次提交
  13. 26 7月, 2008 3 次提交
  14. 25 7月, 2008 1 次提交
  15. 24 7月, 2008 2 次提交
    • P
    • D
      tcp: Clear probes_out more aggressively in tcp_ack(). · 4b53fb67
      David S. Miller 提交于
      This is based upon an excellent bug report from Eric Dumazet.
      
      tcp_ack() should clear ->icsk_probes_out even if there are packets
      outstanding.  Otherwise if we get a sequence of ACKs while we do have
      packets outstanding over and over again, we'll never clear the
      probes_out value and eventually think the connection is too sick and
      we'll reset it.
      
      This appears to be some "optimization" added to tcp_ack() in the 2.4.x
      timeframe.  In 2.2.x, probes_out is pretty much always cleared by
      tcp_ack().
      
      Here is Eric's original report:
      
      ----------------------------------------
      Apparently, we can in some situations reset TCP connections in a couple of seconds when some frames are lost.
      
      In order to reproduce the problem, please try the following program on linux-2.6.25.*
      
      Setup some iptables rules to allow two frames per second sent on loopback interface to tcp destination port 12000
      
      iptables -N SLOWLO
      iptables -A SLOWLO -m hashlimit --hashlimit 2 --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name slow2 -j ACCEPT
      iptables -A SLOWLO -j DROP
      
      iptables -A OUTPUT -o lo -p tcp --dport 12000 -j SLOWLO
      
      Then run the attached program and see the output :
      
      # ./loop
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,200ms,1)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,200ms,3)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,200ms,5)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,200ms,7)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,200ms,9)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,200ms,11)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,201ms,13)
      State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port
      ESTAB      0      40                                          127.0.0.1:54455                                      127.0.0.1:12000  timer:(persist,188ms,15)
      write(): Connection timed out
      wrote 890 bytes but was interrupted after 9 seconds
      ESTAB      0      0                 127.0.0.1:12000            127.0.0.1:54455
      Exiting read() because no data available (4000 ms timeout).
      read 860 bytes
      
      While this tcp session makes progress (sending frames with 50 bytes of payload, every 500ms), linux tcp stack decides to reset it, when tcp_retries 2 is reached (default value : 15)
      
      tcpdump :
      
      15:30:28.856695 IP 127.0.0.1.56554 > 127.0.0.1.12000: S 33788768:33788768(0) win 32792 <mss 16396,nop,nop,sackOK,nop,wscale 7>
      15:30:28.856711 IP 127.0.0.1.12000 > 127.0.0.1.56554: S 33899253:33899253(0) ack 33788769 win 32792 <mss 16396,nop,nop,sackOK,nop,wscale 7>
      15:30:29.356947 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 1:61(60) ack 1 win 257
      15:30:29.356966 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 61 win 257
      15:30:29.866415 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 61:111(50) ack 1 win 257
      15:30:29.866427 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 111 win 257
      15:30:30.366516 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 111:161(50) ack 1 win 257
      15:30:30.366527 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 161 win 257
      15:30:30.876196 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 161:211(50) ack 1 win 257
      15:30:30.876207 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 211 win 257
      15:30:31.376282 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 211:261(50) ack 1 win 257
      15:30:31.376290 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 261 win 257
      15:30:31.885619 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 261:311(50) ack 1 win 257
      15:30:31.885631 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 311 win 257
      15:30:32.385705 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 311:361(50) ack 1 win 257
      15:30:32.385715 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 361 win 257
      15:30:32.895249 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 361:411(50) ack 1 win 257
      15:30:32.895266 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 411 win 257
      15:30:33.395341 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 411:461(50) ack 1 win 257
      15:30:33.395351 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 461 win 257
      15:30:33.918085 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 461:511(50) ack 1 win 257
      15:30:33.918096 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 511 win 257
      15:30:34.418163 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 511:561(50) ack 1 win 257
      15:30:34.418172 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 561 win 257
      15:30:34.927685 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 561:611(50) ack 1 win 257
      15:30:34.927698 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 611 win 257
      15:30:35.427757 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 611:661(50) ack 1 win 257
      15:30:35.427766 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 661 win 257
      15:30:35.937359 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 661:711(50) ack 1 win 257
      15:30:35.937376 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 711 win 257
      15:30:36.437451 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 711:761(50) ack 1 win 257
      15:30:36.437464 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 761 win 257
      15:30:36.947022 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 761:811(50) ack 1 win 257
      15:30:36.947039 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 811 win 257
      15:30:37.447135 IP 127.0.0.1.56554 > 127.0.0.1.12000: P 811:861(50) ack 1 win 257
      15:30:37.447203 IP 127.0.0.1.12000 > 127.0.0.1.56554: . ack 861 win 257
      15:30:41.448171 IP 127.0.0.1.12000 > 127.0.0.1.56554: F 1:1(0) ack 861 win 257
      15:30:41.448189 IP 127.0.0.1.56554 > 127.0.0.1.12000: R 33789629:33789629(0) win 0
      
      Source of program :
      
      /*
       * small producer/consumer program.
       * setup a listener on 127.0.0.1:12000
       * Forks a child
       *   child connect to 127.0.0.1, and sends 10 bytes on this tcp socket every 100 ms
       * Father accepts connection, and read all data
       */
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <time.h>
      #include <sys/poll.h>
      
      int port = 12000;
      char buffer[4096];
      int main(int argc, char *argv[])
      {
              int lfd = socket(AF_INET, SOCK_STREAM, 0);
              struct sockaddr_in socket_address;
              time_t t0, t1;
              int on = 1, sfd, res;
              unsigned long total = 0;
              socklen_t alen = sizeof(socket_address);
              pid_t pid;
      
              time(&t0);
              socket_address.sin_family = AF_INET;
              socket_address.sin_port = htons(port);
              socket_address.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
      
              if (lfd == -1) {
                      perror("socket()");
                      return 1;
              }
              setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(int));
              if (bind(lfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
                      perror("bind");
                      close(lfd);
                      return 1;
              }
              if (listen(lfd, 1) == -1) {
                      perror("listen()");
                      close(lfd);
                      return 1;
              }
              pid = fork();
              if (pid == 0) {
                      int i, cfd = socket(AF_INET, SOCK_STREAM, 0);
                      close(lfd);
                      if (connect(cfd, (struct sockaddr *)&socket_address, sizeof(socket_address)) == -1) {
                              perror("connect()");
                              return 1;
                              }
                      for (i = 0 ; ;) {
                              res = write(cfd, "blablabla\n", 10);
                              if (res > 0) total += res;
                              else if (res == -1) {
                                      perror("write()");
                                      break;
                              } else break;
                              usleep(100000);
                              if (++i == 10) {
                                      system("ss -on dst 127.0.0.1:12000");
                                      i = 0;
                              }
                      }
                      time(&t1);
                      fprintf(stderr, "wrote %lu bytes but was interrupted after %g seconds\n", total, difftime(t1, t0));
                      system("ss -on | grep 127.0.0.1:12000");
                      close(cfd);
                      return 0;
              }
              sfd = accept(lfd, (struct sockaddr *)&socket_address, &alen);
              if (sfd == -1) {
                      perror("accept");
                      return 1;
              }
              close(lfd);
              while (1) {
                      struct pollfd pfd[1];
                      pfd[0].fd = sfd;
                      pfd[0].events = POLLIN;
                      if (poll(pfd, 1, 4000) == 0) {
                              fprintf(stderr, "Exiting read() because no data available (4000 ms timeout).\n");
                              break;
                      }
                      res = read(sfd, buffer, sizeof(buffer));
                      if (res > 0) total += res;
                      else if (res == 0) break;
                      else perror("read()");
              }
              fprintf(stderr, "read %lu bytes\n", total);
              close(sfd);
              return 0;
      }
      ----------------------------------------
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4b53fb67
  16. 22 7月, 2008 4 次提交
    • D
      tcp: Fix bitmask test in tcp_syn_options() · b32d1310
      David S. Miller 提交于
      As reported by Alexey Dobriyan:
      
      	  CHECK   net/ipv4/tcp_output.c
      	net/ipv4/tcp_output.c:475:7: warning: dubious: !x & y
      
      And sparse is damn right!
      
      	if (unlikely(!OPTION_TS & opts->options))
      		    ^^^
      		size += TCPOLEN_SACKPERM_ALIGNED;
      
      OPTION_TS is (1 << 1), so condition will never trigger.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b32d1310
    • G
      udplite: Protection against coverage value wrap-around · 47112e25
      Gerrit Renker 提交于
      This patch clamps the cscov setsockopt values to a maximum of 0xFFFF.
      
      Setsockopt values greater than 0xffff can cause an unwanted
      wrap-around.  Further, IPv6 jumbograms are not supported (RFC 3838,
      3.5), so that values greater than 0xffff are not even useful.
      
      Further changes: fixed a typo in the documentation.
      Signed-off-by: NGerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      47112e25
    • H
      netfilter: nf_nat_sip: c= is optional for session · c71529e4
      Herbert Xu 提交于
      According to RFC2327, the connection information is optional
      in the session description since it can be specified in the
      media description instead.
      
      My provider does exactly that and does not provide any connection
      information in the session description.  As a result the new
      kernel drops all invite responses.
      
      This patch makes it optional as documented.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c71529e4
    • K
      netfilter: accounting rework: ct_extend + 64bit counters (v4) · 58401572
      Krzysztof Piotr Oledzki 提交于
      Initially netfilter has had 64bit counters for conntrack-based accounting, but
      it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
      still required, for example for "connbytes" extension. However, 64bit counters
      waste a lot of memory and it was not possible to enable/disable it runtime.
      
      This patch:
       - reimplements accounting with respect to the extension infrastructure,
       - makes one global version of seq_print_acct() instead of two seq_print_counters(),
       - makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
       - makes it possible to enable/disable it at runtime by sysctl or sysfs,
       - extends counters from 32bit to 64bit,
       - renames ip_conntrack_counter -> nf_conn_counter,
       - enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
       - set initial accounting enable state based on CONFIG_NF_CT_ACCT
       - removes buggy IPCT_COUNTER_FILLING event handling.
      
      If accounting is enabled newly created connections get additional acct extend.
      Old connections are not changed as it is not possible to add a ct_extend area
      to confirmed conntrack. Accounting is performed for all connections with
      acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
      Signed-off-by: NKrzysztof Piotr Oledzki <ole@ans.pl>
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      58401572