18 Oct, 2011
1 commit
13 Oct, 2011
1 commit
-
__ip_vs_mutex is used by both netns shutdown code and startup
and both implicitly use the sk_lock-AF_INET mutex.

  cleanup CPU-1                    startup CPU-2
  ip_vs_dst_event()                ip_vs_genl_set_cmd()
    sk_lock-AF_INET                  __ip_vs_mutex
                                     sk_lock-AF_INET
    __ip_vs_mutex
      * DEAD LOCK *

A new mutex placed in ip_vs netns struct called sync_mutex is added.
Comments from Julian and Simon added.
This patch has been running for more than 3 months now and it seems to work.

Ver. 3
IP_VS_SO_GET_DAEMON in do_ip_vs_get_ctl protected by sync_mutex
instead of __ip_vs_mutex as suggested by Julian.

Signed-off-by: Hans Schillstrom
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Pablo Neira Ayuso
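An added illustration, not code from the commit or from IPVS itself: a small lock-order checker in Python that replays the two code paths from the diagram above and reports the AB/BA inversion, then replays them with the startup path serialised by the new sync_mutex instead of __ip_vs_mutex. The path names and the post-patch lock order are a simplified assumption drawn from the commit text.

```python
from collections import defaultdict

class LockOrderChecker:
    """Records, per code path, which locks are already held when each new lock
    is taken, and reports any pair of locks that two paths take in opposite
    order (an AB/BA inversion): the condition behind the deadlock above."""

    def __init__(self):
        self.edges = defaultdict(set)   # (outer lock, inner lock) -> paths

    def record(self, path, acquisitions):
        held = []
        for lock in acquisitions:
            for outer in held:          # every held lock is "outer" to this one
                self.edges[(outer, lock)].add(path)
            held.append(lock)

    def inversions(self):
        found = []
        for (a, b), paths in sorted(self.edges.items()):
            if a < b and (b, a) in self.edges:
                found.append((a, b, sorted(paths), sorted(self.edges[(b, a)])))
        return found

def check(paths):
    """paths: {path name: [locks in acquisition order]} -> list of inversions."""
    checker = LockOrderChecker()
    for name, locks in paths.items():
        checker.record(name, locks)
    return checker.inversions()

# Lock orders transcribed from the diagram in the commit message (before the patch).
BEFORE = {
    "cleanup: ip_vs_dst_event()":    ["sk_lock-AF_INET", "__ip_vs_mutex"],
    "startup: ip_vs_genl_set_cmd()": ["__ip_vs_mutex", "sk_lock-AF_INET"],
}
# After the patch the sync-daemon start path is serialised by the new per-netns
# sync_mutex rather than __ip_vs_mutex (simplified assumption from the commit text).
AFTER = {
    "cleanup: ip_vs_dst_event()":    ["sk_lock-AF_INET", "__ip_vs_mutex"],
    "startup: ip_vs_genl_set_cmd()": ["sync_mutex", "sk_lock-AF_INET"],
}

if __name__ == "__main__":
    print("before:", check(BEFORE))
    print("after: ", check(AFTER))
```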
06 Oct, 2011
1 commit
-
Replace the open coded initialization with the init function.
Signed-off-by: Thomas Gleixner
Acked-by: Hans Schillstrom
Signed-off-by: David S. Miller
03 Oct, 2011
1 commit
-
GRE connections cause ctnetlink event flood because the ASSURED event
is set for every packet received.

Reported-by: Denys Fedoryshchenko
Tested-by: Denys Fedoryshchenko
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
31 Aug, 2011
1 commit
30 Aug, 2011
4 commits
-
The wrong multiplication of TCPOLEN_TSTAMP_ALIGNED by 4 skips the fast path
for the timestamp-only option. Bug reported by Michael M. Builov (netfilter
bugzilla #738).

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Michael M. Builov reported that in the tcp_options and tcp_sack functions
of netfilter TCP conntrack the incorrect handling of invalid TCP option
with too big opsize may lead to read access beyond tcp-packet or buffer
allocated on stack (netfilter bugzilla #738). The fix is to stop parsing
the options at detecting the broken option.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
When both the server and the client are NATed, the set-link-info control
packet containing the peer's call-id field is not properly translated.

I have verified that it was working in 2.6.16.13 kernel previously but
due to rewrite, this scenario stopped working (not knowing exact version
when it stopped working).

Signed-off-by: Sanket Shah
Signed-off-by: Patrick McHardy
-
A userspace listener may send (bogus) NF_STOLEN verdict, which causes skb leak.

This problem was previously fixed via
64507fdbc29c3a622180378210ecea8659b14e40 (netfilter:
nf_queue: fix NF_STOLEN skb leak) but this had to be reverted because
NF_STOLEN can also be returned by a netfilter hook when iterating the
rules in nf_reinject.

Reject userspace NF_STOLEN verdict, as suggested by Michal Miroslaw.

This is complementary to commit fad54440438a7c231a6ae347738423cbabc936d9
(netfilter: avoid double free in nf_reinject).

Cc: Julian Anastasov
Cc: Eric Dumazet
Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
08 Aug, 2011
1 commit
-
NF_STOLEN means skb was already freed
Signed-off-by: Julian Anastasov
Signed-off-by: David S. Miller
29 Jul, 2011
2 commits
-
commit 4a5a5c73b7cfee (slightly better error reporting) added some
useless code in xt_rateest_mt_checkentry().

Fix this so that different error codes can really be returned.
Signed-off-by: Eric Dumazet
CC: Jan Engelhardt
Signed-off-by: Patrick McHardy
27 Jul, 2011
1 commit
-
This allows us to move duplicated code in
(atomic_inc_not_zero() for now) to

Signed-off-by: Arun Sharma
Reviewed-by: Eric Dumazet
Cc: Ingo Molnar
Cc: David Miller
Cc: Eric Dumazet
Acked-by: Mike Frysinger
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
23 Jul, 2011
1 commit
-
* 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
rcu: Fix wrong check in list_splice_init_rcu()
net,rcu: Convert call_rcu(xt_rateest_free_rcu) to kfree_rcu()
sysctl,rcu: Convert call_rcu(free_head) to kfree
vmalloc,rcu: Convert call_rcu(rcu_free_vb) to kfree_rcu()
vmalloc,rcu: Convert call_rcu(rcu_free_va) to kfree_rcu()
ipc,rcu: Convert call_rcu(ipc_immediate_free) to kfree_rcu()
ipc,rcu: Convert call_rcu(free_un) to kfree_rcu()
security,rcu: Convert call_rcu(sel_netport_free) to kfree_rcu()
security,rcu: Convert call_rcu(sel_netnode_free) to kfree_rcu()
ia64,rcu: Convert call_rcu(sn_irq_info_free) to kfree_rcu()
block,rcu: Convert call_rcu(disk_free_ptbl_rcu_cb) to kfree_rcu()
scsi,rcu: Convert call_rcu(fc_rport_free_rcu) to kfree_rcu()
audit_tree,rcu: Convert call_rcu(__put_tree) to kfree_rcu()
security,rcu: Convert call_rcu(whitelist_item_free) to kfree_rcu()
md,rcu: Convert call_rcu(free_conf) to kfree_rcu()
22 Jul, 2011
2 commits
-
This resolves a panic on module removal.
Reported-by: Dave Jones
Acked-by: Julian Anastasov
Signed-off-by: Hans Schillstrom
Signed-off-by: Simon Horman
21 Jul, 2011
2 commits
-
If overlapping networks with different interfaces were added to
the set, the type did not handle it properly. Example:

  ipset create test hash:net,iface
  ipset add test 192.168.0.0/16,eth0
  ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The RCU callback xt_rateest_free_rcu() just calls kfree(), so we can
use kfree_rcu() instead of call_rcu(). This also allows us to dispense
with an rcu_barrier() call, speeding up unloading of this module.

Signed-off-by: Paul E. McKenney
Cc: Patrick McHardy
Reviewed-by: Josh Triplett
19 Jul, 2011
2 commits
-
Introduces a new nfnetlink type that applies a given
verdict to all queued packets with an id

Signed-off-by: Patrick McHardy
-
Packet identifier is currently setup in nfqnl_build_packet_message(),
using one atomic_inc_return().

Problem is that since several cpus might concurrently call
nfqnl_enqueue_packet() for the same queue, we can deliver packets to
consumer in non monotonic way (packet N+1 being delivered after packet
N)

This patch moves the packet id setup from nfqnl_build_packet_message()
to nfqnl_enqueue_packet() to guarantee correct delivery order.

This also removes one atomic operation.
Signed-off-by: Eric Dumazet
CC: Florian Westphal
CC: Pablo Neira Ayuso
CC: Eric Leblond
Signed-off-by: Patrick McHardy
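Added example, not code from the commit or from nfnetlink_queue: a Python model of two CPUs enqueueing to the same queue, replaying every interleaving of a "build message" step and a "take queue lock and append" step. It shows that assigning the id in the build step can deliver packet N+1 before packet N, while assigning it inside the locked section cannot. The two-step model, the CPU names and the assumption that step 2 is atomic are simplifications.

```python
from itertools import permutations

def simulate(schedule, id_under_lock):
    """Replay one interleaving of two CPUs each enqueueing one packet to the
    same queue. Each CPU runs two steps: step 1 models
    nfqnl_build_packet_message() and step 2 models taking the queue lock and
    appending the entry (assumed atomic). `schedule` lists CPU names in
    execution order, each appearing twice. Returns ids in delivery order."""
    id_sequence = 0          # stands in for the queue's id counter
    queue_list = []          # stands in for the queue's packet list
    pending = {}             # id chosen for each CPU's packet
    steps_done = {}
    for cpu in schedule:
        step = steps_done.get(cpu, 0) + 1
        steps_done[cpu] = step
        if step == 1 and not id_under_lock:
            id_sequence += 1             # atomic_inc_return() before the lock (pre-patch)
            pending[cpu] = id_sequence
        elif step == 2:
            if id_under_lock:
                id_sequence += 1         # id assigned inside the locked section (post-patch)
                pending[cpu] = id_sequence
            queue_list.append(pending[cpu])   # append under the queue lock
    return queue_list

def interleavings():
    """All distinct orderings of the four steps (two CPUs, one packet each)."""
    return sorted(set(permutations(["cpu0", "cpu0", "cpu1", "cpu1"])))

def reorderings(id_under_lock):
    """Schedules in which the consumer receives a higher id before a lower one."""
    return [s for s in interleavings()
            if simulate(s, id_under_lock) != sorted(simulate(s, id_under_lock))]

if __name__ == "__main__":
    print("pre-patch reorderings: ", reorderings(False))
    print("post-patch reorderings:", reorderings(True))
```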
18 Jul, 2011
2 commits
-
nfnetlink_queue operations on SMP are not efficient if several queues are
used, because of nfnl_mutex contention when applications give packet
verdict.

Use new call_rcu field in struct nfnl_callback to advertise a callback
that is called under rcu_read_lock instead of nfnl_mutex.

On my 2x4x2 machine, I was able to reach 2.000.000 pps going through
user land returning NF_ACCEPT verdicts without losses, instead of less
than 500.000 pps before patch.

Signed-off-by: Eric Dumazet
CC: Florian Westphal
CC: Eric Leblond
Signed-off-by: Patrick McHardy
-
Goal of this patch is to permit nfnetlink providers to not mandate
nfnl_mutex being held while nfnetlink_rcv_msg() calls them.

If struct nfnl_callback contains a non NULL call_rcu(), then
nfnetlink_rcv_msg() will use it instead of call() field, holding
rcu_read_lock instead of nfnl_mutex

Signed-off-by: Eric Dumazet
CC: Florian Westphal
CC: Eric Leblond
Signed-off-by: Patrick McHardy
02 Jul, 2011
1 commit
-
Make the case labels the same indent as the switch.
git diff -w shows miscellaneous 80 column wrapping,
comment reflowing and a comment for a useless gcc
warning for an otherwise unused default: case.

Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
30 Jun, 2011
1 commit
-
In this revision the conversion of secid to SELinux context and adding it
to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
separate helper function - audit_log_secctx - which does both the conversion
and logging of SELinux context, thus also preventing internal secid number
being leaked to userspace. If conversion is not successful an error is raised.

With the introduction of this helper function the work done in xt_AUDIT.c is
much more simplified. It also opens the possibility of this helper function
being used by other modules (including auditd itself), if desired. With this
addition, typical (raw auditd) output after applying the patch would be:

type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0

Acked-by: Eric Paris
Signed-off-by: Mr Dash Four
Signed-off-by: Patrick McHardy
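Added example, not part of the xt_AUDIT patch: a Python parser for the NETFILTER_PKT records shown above that turns them into typed fields and tallies SSH packets per SELinux packet context, the kind of check a detection pipeline would run on this output. The two sample records are copied from the commit message; the field typing rules (which keys are integers, '?' meaning no interface) are assumptions.

```python
import re

# Sample records copied from the commit message above (typical raw auditd output).
SAMPLE = """\
type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0
"""

_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
_INT_FIELDS = {"action", "hook", "len", "ipid", "proto", "sport", "dport"}

def parse_record(line):
    """Parse one audit record into a dict, or return None if the line is not
    an audit record. '?' (no interface) becomes None, counters and ports
    become ints, macproto is read as hex (typing rules are an assumption)."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2) + "." + m.group(3)),
           "serial": int(m.group(4))}
    for kv in m.group(5).split():
        if "=" not in kv:
            continue
        key, val = kv.split("=", 1)   # the SELinux context itself contains ':'
        if val == "?":
            rec[key] = None
        elif key in _INT_FIELDS:
            rec[key] = int(val)
        elif key == "macproto":
            rec[key] = int(val, 16)
        else:
            rec[key] = val
    return rec

def parse_records(text):
    """All NETFILTER_PKT records in a block of audit log text."""
    recs = (parse_record(line) for line in text.splitlines())
    return [r for r in recs if r and r["type"] == "NETFILTER_PKT"]

def ssh_by_context(records):
    """Count packets on tcp/22 (either direction) per SELinux packet context."""
    counts = {}
    for r in records:
        if r.get("proto") == 6 and 22 in (r.get("sport"), r.get("dport")):
            counts[r.get("obj")] = counts.get(r.get("obj"), 0) + 1
    return counts

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["serial"], r["saddr"], "->", r["daddr"], r["obj"])
    print(ssh_by_context(parse_records(SAMPLE)))
```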
22 Jun, 2011
2 commits
-
There are enough instances of this:
iph->frag_off & htons(IP_MF | IP_OFFSET)
that a helper function is probably warranted.
Signed-off-by: Paul Gortmaker
Signed-off-by: David S. Miller
-
It was suggested by "make versioncheck" that the following includes of
linux/version.h are redundant:

/home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed.
/home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed.
/home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed.

and it seems that it is right.
Beyond manually inspecting the source files I also did a few build
tests with various configs to confirm that including the header in
those files is indeed not needed.

Here's a patch to remove the pointless includes.
Signed-off-by: Jesper Juhl
Acked-by: Jozsef Kadlecsik
Signed-off-by: David S. Miller
21 Jun, 2011
1 commit
-
Conflicts:
drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
drivers/net/wireless/rtlwifi/pci.c
net/netfilter/ipvs/ip_vs_core.c
17 Jun, 2011
13 commits
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The hash:net,iface type makes it possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:

  # ipset create test hash:net,iface
  # ipset add test 192.168.0.0/16,eth0
  # ipset add test 192.168.0.0/24,eth1

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
When creating a set from a range expressed as a network like
10.1.1.172/29, the from address was taken as the IP address part and
not masked with the netmask from the cidr.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The range internally is converted to the network(s) equal to the range.
Example:

  # ipset new test hash:net
  # ipset add test 10.2.0.0-10.2.1.12
  # ipset list test
  Name: test
  Type: hash:net
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16888
  References: 0
  Members:
  10.2.1.12
  10.2.1.0/29
  10.2.0.0/24
  10.2.1.8/30

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
A set type may have multiple revisions, for example when syntax is
extended. Support continuous revision ranges in set types.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
When ranges are added to hash types, the elements may trigger rehashing
the set. However, the last successfully added element was not kept track of,
so the adding started again with the first element after the rehashing.

Bug reported by Mr Dash Four.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Current listing makes it possible to list sets with full content only.
The patch adds support for partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The support makes it possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy