1. 02 7月, 2013 10 次提交
  2. 01 7月, 2013 2 次提交
    • D
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 4e144d3a
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      The following batch contains Netfilter/IPVS updates for net-next,
      they are:
      
      * Enforce policy to several nfnetlink subsystem, from Daniel
        Borkmann.
      
      * Use xt_socket to match the third packet (to perform simplistic
        socket-based stateful filtering), from Eric Dumazet.
      
      * Avoid large timeout for picked up from the middle TCP flows,
        from Florian Westphal.
      
      * Exclude IPVS from struct net if IPVS is disabled and removal
        of unnecessary included header file, from JunweiZhang.
      
      * Release SCTP connection immediately under load, to mimic current
        TCP behaviour, from Julian Anastasov.
      
      * Replace and enhance SCTP state machine, from Julian Anastasov.
      
      * Add tweak to reduce sync traffic in the presence of persistence,
        also from Julian Anastasov.
      
      * Add tweak for the IPVS SH scheduler not to reject connections
        directed to a server, choose a new one instead, from Alexander
        Frolkin.
      
      * Add support for sloppy TCP and SCTP modes, that creates state
        information on any packet, not only initial handshake packets,
        from Alexander Frolkin.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e144d3a
    • F
      netfilter: nf_queue: add NFQA_SKB_CSUM_NOTVERIFIED info flag · 496e4ae7
      Florian Westphal 提交于
      The common case is that TCP/IP checksums have already been
      verified, e.g. by hardware (rx checksum offload), or conntrack.
      
      Userspace can use this flag to determine when the checksum
      has not been validated yet.
      
      If the flag is set, this doesn't necessarily mean that the packet has
      an invalid checksum, e.g. if NIC doesn't support rx checksum.
      
      Userspace that sucessfully enabled NFQA_CFG_F_GSO queue feature flag can
      infer that IP/TCP checksum has already been validated if either the
      SKB_INFO attribute is not present or the NFQA_SKB_CSUM_NOTVERIFIED
      flag is unset.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      496e4ae7
  3. 30 6月, 2013 1 次提交
  4. 29 6月, 2013 13 次提交
  5. 28 6月, 2013 6 次提交
    • N
      bonding: when cloning a MAC use NET_ADDR_STOLEN · ae0d6750
      nikolay@redhat.com 提交于
      A simple semantic change, when a slave's MAC is cloned by the bond
      master then set addr_assign_type to NET_ADDR_STOLEN instead of
      NET_ADDR_SET. Also use bond_set_dev_addr() in BOND_FOM_ACTIVE mode
      to change the bond's MAC address because the assign_type has to be
      set properly.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ae0d6750
    • N
      bonding: remove unnecessary dev_addr_from_first member · 97a1e639
      nikolay@redhat.com 提交于
      In struct bonding there's a member called dev_addr_from_first which is
      used to denote when the bond dev should clone the first slave's MAC
      address but since we have netdev's addr_assign_type variable that is not
      necessary. We clone the first slave's MAC each time we have a random MAC
      set to the bond device. This has the nice side-effect of also fixing an
      inconsistency - when the MAC address of the bond dev is set after its
      creation, but prior to having slaves, it's not kept and the first slave's
      MAC is cloned. The only way to keep the MAC was to create the bond device
      with the MAC address set (e.g. through ip link). In all cases if the
      bond device is left without any slaves - its MAC gets reset to a random
      one as before.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      97a1e639
    • N
      bonding: remove unnecessary setup_by_slave member · 8d2ada77
      nikolay@redhat.com 提交于
      We have a member called setup_by_slave in struct bonding to denote if the
      bond dev has different type than ARPHRD_ETHER, but that is already denoted
      in bond's netdev type variable if it was setup by the slave, so use that
      instead of the member.
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8d2ada77
    • P
      netlink: fix splat in skb_clone with large messages · 3a36515f
      Pablo Neira 提交于
      Since (c05cdb1b netlink: allow large data transfers from user-space),
      netlink splats if it invokes skb_clone on large netlink skbs since:
      
      * skb_shared_info was not correctly initialized.
      * skb->destructor is not set in the cloned skb.
      
      This was spotted by trinity:
      
      [  894.990671] BUG: unable to handle kernel paging request at ffffc9000047b001
      [  894.991034] IP: [<ffffffff81a212c4>] skb_clone+0x24/0xc0
      [...]
      [  894.991034] Call Trace:
      [  894.991034]  [<ffffffff81ad299a>] nl_fib_input+0x6a/0x240
      [  894.991034]  [<ffffffff81c3b7e6>] ? _raw_read_unlock+0x26/0x40
      [  894.991034]  [<ffffffff81a5f189>] netlink_unicast+0x169/0x1e0
      [  894.991034]  [<ffffffff81a601e1>] netlink_sendmsg+0x251/0x3d0
      
      Fix it by:
      
      1) introducing a new netlink_skb_clone function that is used in nl_fib_input,
         that sets our special skb->destructor in the cloned skb. Moreover, handle
         the release of the large cloned skb head area in the destructor path.
      
      2) not allowing large skbuffs in the netlink broadcast path. I cannot find
         any reasonable use of the large data transfer using netlink in that path,
         moreover this helps to skip extra skb_clone handling.
      
      I found two more netlink clients that are cloning the skbs, but they are
      not in the sendmsg path. Therefore, the sole client cloning that I found
      seems to be the fib frontend.
      
      Thanks to Eric Dumazet for helping to address this issue.
      Reported-by: NFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3a36515f
    • N
      sit: add support of x-netns · 5e6700b3
      Nicolas Dichtel 提交于
      This patch allows to switch the netns when packet is encapsulated or
      decapsulated. In other word, the encapsulated packet is received in a netns,
      where the lookup is done to find the tunnel. Once the tunnel is found, the
      packet is decapsulated and injecting into the corresponding interface which
      stands to another netns.
      
      When one of the two netns is removed, the tunnel is destroyed.
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5e6700b3
    • N
      dev: introduce skb_scrub_packet() · 621e84d6
      Nicolas Dichtel 提交于
      The goal of this new function is to perform all needed cleanup before sending
      an skb into another netns.
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      621e84d6
  6. 27 6月, 2013 8 次提交