Doug / smarc-fsl-linux-kernel

22 Feb, 2013

1 commit

  • 06991c28f   Merge tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core ... Browse Code »

    Pull driver core patches from Greg Kroah-Hartman:
    "Here is the big driver core merge for 3.9-rc1

    There are two major series here, both of which touch lots of drivers
    all over the kernel, and will cause you some merge conflicts:

    - add a new function called devm_ioremap_resource() to properly be
    able to check return values.

    - remove CONFIG_EXPERIMENTAL

    Other than those patches, there's not much here, some minor fixes and
    updates"

    Fix up trivial conflicts

    * tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (221 commits)
    base: memory: fix soft/hard_offline_page permissions
    drivercore: Fix ordering between deferred_probe and exiting initcalls
    backlight: fix class_find_device() arguments
    TTY: mark tty_get_device call with the proper const values
    driver-core: constify data for class_find_device()
    firmware: Ignore abort check when no user-helper is used
    firmware: Reduce ifdef CONFIG_FW_LOADER_USER_HELPER
    firmware: Make user-mode helper optional
    firmware: Refactoring for splitting user-mode helper code
    Driver core: treat unregistered bus_types as having no devices
    watchdog: Convert to devm_ioremap_resource()
    thermal: Convert to devm_ioremap_resource()
    spi: Convert to devm_ioremap_resource()
    power: Convert to devm_ioremap_resource()
    mtd: Convert to devm_ioremap_resource()
    mmc: Convert to devm_ioremap_resource()
    mfd: Convert to devm_ioremap_resource()
    media: Convert to devm_ioremap_resource()
    iommu: Convert to devm_ioremap_resource()
    drm: Convert to devm_ioremap_resource()
    ...

    Linus Torvalds
     

05 Feb, 2013

1 commit

21 Jan, 2013

1 commit

  • e6f30c731   netfilter: x_tables: add xt_bpf match ... Browse Code »

    Support arbitrary linux socket filter (BPF) programs as x_tables
    match rules. This allows for very expressive filters, and on
    platforms with BPF JIT appears competitive with traditional
    hardcoded iptables rules using the u32 match.

    The size of the filter has been artificially limited to 64
    instructions maximum to avoid bloating the size of each rule
    using this new match.

    Signed-off-by: Willem de Bruijn
    Signed-off-by: Pablo Neira Ayuso

    Willem de Bruijn
     

18 Jan, 2013

1 commit

  • c539f0171   netfilter: add connlabel conntrack extension ... Browse Code »

    similar to connmarks, except labels are bit-based; i.e.
    all labels may be attached to a flow at the same time.

    Up to 128 labels are supported. Supporting more labels
    is possible, but requires increasing the ct offset delta
    from u8 to u16 type due to increased extension sizes.

    Mapping of bit-identifier to label name is done in userspace.

    The extension is enabled at run-time once "-m connlabel" netfilter
    rules are added.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

12 Jan, 2013

1 commit

  • 663ef0d18   net/netfilter: remove depends on CONFIG_EXPERIMENTAL ... Browse Code »

    The CONFIG_EXPERIMENTAL config item has not carried much meaning for a
    while now and is almost always enabled by default. As agreed during the
    Linux kernel summit, remove it from any "depends on" lines in Kconfigs.

    CC: Pablo Neira Ayuso
    CC: Patrick McHardy
    CC: "David S. Miller"
    Signed-off-by: Kees Cook
    Acked-by: David S. Miller

    Kees Cook
     

05 Jan, 2013

1 commit

  • 757ae316f   netfilter: fix missing dependencies for the NOTRACK target ... Browse Code »

    warning: (NETFILTER_XT_TARGET_NOTRACK) selects NETFILTER_XT_TARGET_CT which has unmet direct
    +dependencies (NET && INET && NETFILTER && NETFILTER_XTABLES && NF_CONNTRACK && (IP_NF_RAW ||
    +IP6_NF_RAW) && NETFILTER_ADVANCED)

    Reported-by: Randy Dunlap
    Reported-by: kbuild test robot
    Acked-by: Randy Dunlap
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

24 Dec, 2012

1 commit

  • 10db9069e   netfilter: xt_CT: recover NOTRACK target support ... Browse Code »

    Florian Westphal reported that the removal of the NOTRACK target
    (9655050 netfilter: remove xt_NOTRACK) is breaking some existing
    setups.

    That removal was scheduled for removal since long time ago as
    described in Documentation/feature-removal-schedule.txt

    What: xt_NOTRACK
    Files: net/netfilter/xt_NOTRACK.c
    When: April 2011
    Why: Superseded by xt_CT

    Still, people may have not notice / may have decided to stick to an
    old iptables version. I agree with him in that some more conservative
    approach by spotting some printk to warn users for some time is less
    agressive.

    Current iptables 1.4.16.3 already contains the aliasing support
    that makes it point to the CT target, so upgrading would fix it.
    Still, the policy so far has been to avoid pushing our users to
    upgrade.

    As a solution, this patch recovers the NOTRACK target inside the CT
    target and it now spots a warning.

    Reported-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

21 Sep, 2012

2 commits

  • 2cbc78a29   netfilter: combine ipt_REDIRECT and ip6t_REDIRECT ... Browse Code »

    Combine more modules since the actual code is so small anyway that the
    kmod metadata and the module in its loaded state totally outweighs the
    combined actual code size.

    IP_NF_TARGET_REDIRECT becomes a compat option; IP6_NF_TARGET_REDIRECT
    is completely eliminated since it has not see a release yet.

    Signed-off-by: Jan Engelhardt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Jan Engelhardt
     
  • b3d54b3e4   netfilter: combine ipt_NETMAP and ip6t_NETMAP ... Browse Code »

    Combine more modules since the actual code is so small anyway that the
    kmod metadata and the module in its loaded state totally outweighs the
    combined actual code size.

    IP_NF_TARGET_NETMAP becomes a compat option; IP6_NF_TARGET_NETMAP
    is completely eliminated since it has not see a release yet.

    Signed-off-by: Jan Engelhardt
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Jan Engelhardt
     

03 Sep, 2012

1 commit

  • 965505015   netfilter: remove xt_NOTRACK ... Browse Code »

    It was scheduled to be removed for a long time.

    Cc: Pablo Neira Ayuso
    Cc: Patrick McHardy
    Cc: "David S. Miller"
    Cc: netfilter@vger.kernel.org
    Signed-off-by: Cong Wang
    Signed-off-by: Pablo Neira Ayuso

    Cong Wang
     

30 Aug, 2012

6 commits

19 Jun, 2012

2 commits

  • 7c6223454   netfilter: nfnetlink_queue: fix compilation with NF_CONNTRACK disabled ... Browse Code »

    In "9cb0176 netfilter: add glue code to integrate nfnetlink_queue and ctnetlink"
    the compilation with NF_CONNTRACK disabled is broken. This patch fixes this
    issue.

    I have moved the conntrack part into nfnetlink_queue_ct.c to avoid
    peppering the entire nfnetlink_queue.c code with ifdefs.

    I also needed to rename nfnetlink_queue.c to nfnetlink_queue_pkt.c
    to update the net/netfilter/Makefile to support conditional compilation
    of the conntrack integration.

    This patch also adds CONFIG_NETFILTER_QUEUE_CT in case you want to explicitly
    disable the integration between nf_conntrack and nfnetlink_queue.

    Reported-by: Andrew Morton
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • 6e9c2db3a   netfilter: fix compilation of the nfnl_cthelper if NF_CONNTRACK is unset ... Browse Code »

    This patch fixes the compilation of net/netfilter/nfnetlink_cthelper.c
    if CONFIG_NF_CONNTRACK is not set.

    This patch also moves the definition of the cthelper infrastructure to
    the scope of NF_CONNTRACK things.

    I have also renamed NETFILTER_NETLINK_CTHELPER by NF_CT_NETLINK_HELPER,
    to use similar names to other nf_conntrack_netlink extensions. Better now
    that this has been only for two days in David's tree.

    Two new dependencies have been added:

    * NF_CT_NETLINK
    * NETFILTER_NETLINK_QUEUE

    Since these infrastructure requires both ctnetlink and nfqueue.

    Reported-by: Randy Dunlap
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

16 Jun, 2012

1 commit

  • 12f7a5053   netfilter: add user-space connection tracking helper infrastructure ... Browse Code »

    There are good reasons to supports helpers in user-space instead:

    * Rapid connection tracking helper development, as developing code
    in user-space is usually faster.

    * Reliability: A buggy helper does not crash the kernel. Moreover,
    we can monitor the helper process and restart it in case of problems.

    * Security: Avoid complex string matching and mangling in kernel-space
    running in privileged mode. Going further, we can even think about
    running user-space helpers as a non-root process.

    * Extensibility: It allows the development of very specific helpers (most
    likely non-standard proprietary protocols) that are very likely not to be
    accepted for mainline inclusion in the form of kernel-space connection
    tracking helpers.

    This patch adds the infrastructure to allow the implementation of
    user-space conntrack helpers by means of the new nfnetlink subsystem
    `nfnetlink_cthelper' and the existing queueing infrastructure
    (nfnetlink_queue).

    I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
    ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
    two pieces. This change is required not to break NAT sequence
    adjustment and conntrack confirmation for traffic that is enqueued
    to our user-space conntrack helpers.

    Basic operation, in a few steps:

    1) Register user-space helper by means of `nfct':

    nfct helper add ftp inet tcp

    [ It must be a valid existing helper supported by conntrack-tools ]

    2) Add rules to enable the FTP user-space helper which is
    used to track traffic going to TCP port 21.

    For locally generated packets:

    iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

    For non-locally generated packets:

    iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

    3) Run the test conntrackd in helper mode (see example files under
    doc/helper/conntrackd.conf

    conntrackd

    4) Generate FTP traffic going, if everything is OK, then conntrackd
    should create expectations (you can check that with `conntrack':

    conntrack -E expect

    [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
    [DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp

    This confirms that our test helper is receiving packets including the
    conntrack information, and adding expectations in kernel-space.

    The user-space helper can also store its private tracking information
    in the conntrack structure in the kernel via the CTA_HELP_INFO. The
    kernel will consider this a binary blob whose layout is unknown. This
    information will be included in the information that is transfered
    to user-space via glue code that integrates nfnetlink_queue and
    ctnetlink.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

09 May, 2012

1 commit

  • cf308a1fa   netfilter: add xt_hmark target for hash-based skb marking ... Browse Code »

    The target allows you to create rules in the "raw" and "mangle" tables
    which set the skbuff mark by means of hash calculation within a given
    range. The nfmark can influence the routing method (see "Use netfilter
    MARK value as routing key") and can also be used by other subsystems to
    change their behaviour.

    [ Part of this patch has been refactorized and modified by Pablo Neira Ayuso ]

    Signed-off-by: Hans Schillstrom
    Signed-off-by: Pablo Neira Ayuso

    Hans Schillstrom
     

08 Mar, 2012

3 commits

30 Dec, 2011

1 commit

  • bc94b5216   netfilter: Kconfig: fix unmet xt_nfacct dependencies ... Browse Code »

    warning: (NETFILTER_XT_MATCH_NFACCT) selects NETFILTER_NETLINK_ACCT which has
    unmet direct dependencies (NET && INET && NETFILTER && NETFILTER_ADVANCED)

    and then

    ERROR: "nfnetlink_subsys_unregister" [net/netfilter/nfnetlink_acct.ko] undefined!
    ERROR: "nfnetlink_subsys_register" [net/netfilter/nfnetlink_acct.ko] undefined!

    Reported-by: Randy Dunlap
    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Randy Dunlap
    Signed-off-by: David S. Miller

    Pablo Neira Ayuso
     

28 Dec, 2011

2 commits

25 Dec, 2011

2 commits

  • ceb98d03e   netfilter: xtables: add nfacct match to support extended accounting ... Browse Code »

    This patch adds the match that allows to perform extended
    accounting. It requires the new nfnetlink_acct infrastructure.

    # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
    # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     
  • 941390279   netfilter: add extended accounting infrastructure over nfnetlink ... Browse Code »

    We currently have two ways to account traffic in netfilter:

    - iptables chain and rule counters:

    # iptables -L -n -v
    Chain INPUT (policy DROP 3 packets, 867 bytes)
    pkts bytes target prot opt in out source destination
    8 1104 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

    - use flow-based accounting provided by ctnetlink:

    # conntrack -L
    tcp 6 431999 ESTABLISHED src=192.168.1.130 dst=212.106.219.168 sport=58152 dport=80 packets=47 bytes=7654 src=212.106.219.168 dst=192.168.1.130 sport=80 dport=58152 packets=49 bytes=66340 [ASSURED] mark=0 use=1

    While trying to display real-time accounting statistics, we require
    to pool the kernel periodically to obtain this information. This is
    OK if the number of flows is relatively low. However, in case that
    the number of flows is huge, we can spend a considerable amount of
    cycles to iterate over the list of flows that have been obtained.

    Moreover, if we want to obtain the sum of the flow accounting results
    that match some criteria, we have to iterate over the whole list of
    existing flows, look for matchings and update the counters.

    This patch adds the extended accounting infrastructure for
    nfnetlink which aims to allow displaying real-time traffic accounting
    without the need of complicated and resource-consuming implementation
    in user-space. Basically, this new infrastructure allows you to create
    accounting objects. One accounting object is composed of packet and
    byte counters.

    In order to manipulate create accounting objects, you require the
    new libnetfilter_acct library. It contains several examples of use:

    libnetfilter_acct/examples# ./nfacct-add http-traffic
    libnetfilter_acct/examples# ./nfacct-get
    http-traffic = { pkts = 000000000000, bytes = 000000000000 };

    Then, you can use one of this accounting objects in several iptables
    rules using the new nfacct match (which comes in a follow-up patch):

    # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
    # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic

    The idea is simple: if one packet matches the rule, the nfacct match
    updates the counters.

    Thanks to Patrick McHardy, Eric Dumazet, Changli Gao for reviewing and
    providing feedback for this contribution.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

02 Dec, 2011

1 commit

24 Nov, 2011

1 commit

28 Sep, 2011

1 commit

  • 395cf9691   doc: fix broken references ... Browse Code »

    There are numerous broken references to Documentation files (in other
    Documentation files, in comments, etc.). These broken references are
    caused by typo's in the references, and by renames or removals of the
    Documentation files. Some broken references are simply odd.

    Fix these broken references, sometimes by dropping the irrelevant text
    they were part of.

    Signed-off-by: Paul Bolle
    Signed-off-by: Jiri Kosina

    Paul Bolle
     

04 Apr, 2011

1 commit

16 Mar, 2011

2 commits

03 Feb, 2011

1 commit

01 Feb, 2011

2 commits

  • d956798d8   netfilter: xtables: "set" match and "SET" target support ... Browse Code »

    The patch adds the combined module of the "SET" target and "set" match
    to netfilter. Both the previous and the current revisions are supported.

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy

    Jozsef Kadlecsik
     
  • a7b4f989a   netfilter: ipset: IP set core support ... Browse Code »

    The patch adds the IP set core support to the kernel.

    The IP set core implements a netlink (nfnetlink) based protocol by which
    one can create, destroy, flush, rename, swap, list, save, restore sets,
    and add, delete, test elements from userspace. For simplicity (and backward
    compatibilty and for not to force ip(6)tables to be linked with a netlink
    library) reasons a small getsockopt-based protocol is also kept in order
    to communicate with the ip(6)tables match and target.

    The netlink protocol passes all u16, etc values in network order with
    NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
    NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.

    For other kernel subsystems (netfilter match and target) the API contains
    the functions to add, delete and test elements in sets and the required calls
    to get/put refereces to the sets before those operations can be performed.

    The set types (which are implemented in independent modules) are stored
    in a simple RCU protected list. A set type may have variants: for example
    without timeout or with timeout support, for IPv4 or for IPv6. The sets
    (i.e. the pointers to the sets) are stored in an array. The sets are
    identified by their index in the array, which makes possible easy and
    fast swapping of sets. The array is protected indirectly by the nfnl
    mutex from nfnetlink. The content of the sets are protected by the rwlock
    of the set.

    There are functional differences between the add/del/test functions
    for the kernel and userspace:

    - kernel add/del/test: works on the current packet (i.e. one element)
    - kernel test: may trigger an "add" operation in order to fill
    out unspecified parts of the element from the packet (like MAC address)
    - userspace add/del: works on the netlink message and thus possibly
    on multiple elements from the IPSET_ATTR_ADT container attribute.
    - userspace add: may trigger resizing of a set

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy

    Jozsef Kadlecsik
     

19 Jan, 2011

2 commits

  • a992ca2a0   netfilter: nf_conntrack_tstamp: add flow-based timestamp extension ... Browse Code »

    This patch adds flow-based timestamping for conntracks. This
    conntrack extension is disabled by default. Basically, we use
    two 64-bits variables to store the creation timestamp once the
    conntrack has been confirmed and the other to store the deletion
    time. This extension is disabled by default, to enable it, you
    have to:

    echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

    This patch allows to save memory for user-space flow-based
    loogers such as ulogd2. In short, ulogd2 does not need to
    keep a hashtable with the conntrack in user-space to know
    when they were created and destroyed, instead we use the
    kernel timestamp. If we want to have a sane IPFIX implementation
    in user-space, this nanosecs resolution timestamps are also
    useful. Other custom user-space applications can benefit from
    this via libnetfilter_conntrack.

    This patch modifies the /proc output to display the delta time
    in seconds since the flow start. You can also obtain the
    flow-start date by means of the conntrack-tools.

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Patrick McHardy

    Pablo Neira Ayuso
     
  • 93557f53e   netfilter: nf_conntrack: nf_conntrack snmp helper ... Browse Code »

    Adding support for SNMP broadcast connection tracking. The SNMP
    broadcast requests are now paired with the SNMP responses.
    Thus allowing using SNMP broadcasts with firewall enabled.

    Please refer to the following conversation:
    http://marc.info/?l=netfilter-devel&m=125992205006600&w=2

    Patrick McHardy wrote:
    > > The best solution would be to add generic broadcast tracking, the
    > > use of expectations for this is a bit of abuse.
    > > The second best choice I guess would be to move the help() function
    > > to a shared module and generalize it so it can be used for both.
    This patch implements the "second best choice".

    Since the netbios-ns conntrack module uses the same helper
    functionality as the snmp, only one helper function is added
    for both snmp and netbios-ns modules into the new object -
    nf_conntrack_broadcast.

    Signed-off-by: Jiri Olsa
    Signed-off-by: Patrick McHardy

    Jiri Olsa
     

18 Jan, 2011

1 commit