11 Mar, 2016

1 commit

  • Simon Horman says:

    ====================
    please consider these IPVS fixes for v4.5 or
    if it is too late please consider them for v4.6.

    * Arnd Bergmann has corrected an error whereby the SIP persistence engine
    may incorrectly access protocol fields
    * Julian Anastasov has corrected a problem reported by Jiri Bohac with the
    connection rescheduling mechanism added in 3.10 when new SYNs in
    connection to dead real server can be redirected to another real server.
    * Marco Angaroni resolved a problem in the SIP persistence engine
    whereby the Call-ID could not be found if it was at the beginning of a
    SIP message.
    ====================

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso

09 Mar, 2016

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter/IPVS updates for net-next

    The following patchset contains Netfilter updates for your net-next tree,
    they are:

    1) Remove useless debug message when deleting IPVS service, from
    Yannick Brosseau.

    2) Get rid of compilation warning when CONFIG_PROC_FS is unset in
    several spots of the IPVS code, from Arnd Bergmann.

    3) Add prandom_u32 support to nft_meta, from Florian Westphal.

    4) Remove unused variable in xt_osf, from Sudip Mukherjee.

    5) Don't calculate IP checksum twice from netfilter ipv4 defrag hook
    since fixing af_packet defragmentation issues, from Joe Stringer.

    6) On-demand hook registration for iptables from netns. Instead of
    registering the hooks for every available netns whenever we need
    one of the support tables, we register this on the specific netns
    that needs it, patchset from Florian Westphal.

    7) Add missing port range selection to nf_tables masquerading support.

    BTW, just for the record, there is a typo in the description of
    5f6c253ebe93b0 ("netfilter: bridge: register hooks only when bridge
    interface is added") that refers to the cluster match as deprecated, but
    it is actually the CLUSTERIP target (which registers hooks
    unconditionally) the one that is scheduled for removal.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller

07 Mar, 2016

4 commits

  • The IPVS SIP persistence engine is not able to parse the SIP header
    "Call-ID" when such header is inserted in the first positions of
    the SIP message.

    When IPVS is configured with "--pe sip" option, like for example:
    ipvsadm -A -u 1.2.3.4:5060 -s rr --pe sip -p 120 -o
    some particular messages (see below for details) do not create entries
    in the connection template table, which can be listed with:
    ipvsadm -Lcn --persistent-conn

    Problematic SIP messages are SIP responses having "Call-ID" header
    positioned just after message first line:
    SIP/2.0 200 OK
    [Call-ID header here]
    [rest of the headers]

    When "Call-ID" header is positioned down (after a few other headers)
    it is correctly recognized.

    This is due to the data offset used in get_callid function call inside
    ip_vs_pe_sip.c file: since dptr already points to the start of the
    SIP message, the value of dataoff should be initially 0.
    Otherwise the header is searched starting from some bytes after the
    first character of the SIP message.

    Fixes: 758ff0338722 ("IPVS: sip persistence engine")
    Signed-off-by: Marco Angaroni
    Acked-by: Julian Anastasov
    Signed-off-by: Simon Horman

    Marco Angaroni
  • "RFC 5961, 4.2. Mitigation" describes a mechanism to request
    client to confirm with RST the restart of TCP connection
    before resending its SYN. As result, IPVS can see SYNs for
    existing connection in CLOSE state. Add check to allow
    rescheduling in this state.

    Signed-off-by: Julian Anastasov
    Signed-off-by: Simon Horman

    Julian Anastasov
  • Jiri Bohac is reporting for a problem where the attempt
    to reschedule existing connection to another real server
    needs proper redirect for the conntrack used by the IPVS
    connection. For example, when IPVS connection is created
    to NAT-ed real server we alter the reply direction of
    conntrack. If we later decide to select different real
    server we can not alter again the conntrack. And if we
    expire the old connection, the new connection is left
    without conntrack.

    So, the only way to redirect both the IPVS connection and
    the Netfilter's conntrack is to drop the SYN packet that
    hits existing connection, to wait for the next jiffie
    to expire the old connection and its conntrack and to rely
    on client's retransmission to create new connection as
    usually.

    Jiri Bohac provided a fix that drops all SYNs on rescheduling,
    I extended his patch to do such drops only for connections
    that use conntrack. Here is the original report from Jiri Bohac:

    Since commit dc7b3eb900aa ("ipvs: Fix reuse connection if real server
    is dead"), new connections to dead servers are redistributed
    immediately to new servers. The old connection is expired using
    ip_vs_conn_expire_now() which sets the connection timer to expire
    immediately.

    However, before the timer callback, ip_vs_conn_expire(), is run
    to clean the connection's conntrack entry, the new redistributed
    connection may already be established and its conntrack removed
    instead.

    Fix this by dropping the first packet of the new connection
    instead, like we do when the destination server is not available.
    The timer will have deleted the old conntrack entry long before
    the first packet of the new connection is retransmitted.

    Fixes: dc7b3eb900aa ("ipvs: Fix reuse connection if real server is dead")
    Signed-off-by: Jiri Bohac
    Signed-off-by: Julian Anastasov
    Signed-off-by: Simon Horman

    Julian Anastasov
  • ip_vs_fill_iph_skb_off() may not find an IP header, and gcc has
    determined that ip_vs_sip_fill_param() then incorrectly accesses
    the protocol fields:

    net/netfilter/ipvs/ip_vs_pe_sip.c: In function 'ip_vs_sip_fill_param':
    net/netfilter/ipvs/ip_vs_pe_sip.c:76:5: error: 'iph.protocol' may be used uninitialized in this function [-Werror=maybe-uninitialized]
    if (iph.protocol != IPPROTO_UDP)
    ^
    net/netfilter/ipvs/ip_vs_pe_sip.c:81:10: error: 'iph.len' may be used uninitialized in this function [-Werror=maybe-uninitialized]
    dataoff = iph.len + sizeof(struct udphdr);
    ^

    This adds a check for the ip_vs_fill_iph_skb_off() return code
    before looking at the ip header data returned from it.

    Signed-off-by: Arnd Bergmann
    Fixes: b0e010c527de ("ipvs: replace ip_vs_fill_ip4hdr with ip_vs_fill_iph_skb_off")
    Acked-by: Julian Anastasov
    Signed-off-by: Simon Horman

    Arnd Bergmann

02 Mar, 2016

1 commit

  • After commit 52bd2d62ce67 ("net: better skb->sender_cpu and skb->napi_id cohabitation")
    skb_sender_cpu_clear() becomes empty and can be removed.

    Cc: Eric Dumazet
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    WANG Cong

18 Feb, 2016

2 commits

  • The proc_create() and remove_proc_entry() functions do not reference
    their arguments when CONFIG_PROC_FS is disabled, so we get a couple
    of warnings about unused variables in IPVS:

    ipvs/ip_vs_app.c:608:14: warning: unused variable 'net' [-Wunused-variable]
    ipvs/ip_vs_ctl.c:3950:14: warning: unused variable 'net' [-Wunused-variable]
    ipvs/ip_vs_ctl.c:3994:14: warning: unused variable 'net' [-Wunused-variable]

    This removes the local variables and instead looks them up separately
    for each use, which obviously avoids the warning.

    Signed-off-by: Arnd Bergmann
    Fixes: 4c50a8ce2b63 ("netfilter: ipvs: avoid unused variable warning")
    Acked-by: Julian Anastasov
    Signed-off-by: Simon Horman

    Arnd Bergmann
  • This has been there for a long time, but does not seem to add value

    Signed-off-by: Yannick Brosseau
    Signed-off-by: Simon Horman

    Yannick Brosseau

16 Dec, 2015

1 commit

  • The SCTP checksum is really a CRC and is very different from the
    standards 1's complement checksum that serves as the checksum
    for IP protocols. This offload interface is also very different.
    Rename NETIF_F_SCTP_CSUM to NETIF_F_SCTP_CRC to highlight these
    differences. The term CSUM should be reserved in the stack to refer
    to the standard 1's complement IP checksum.

    Signed-off-by: Tom Herbert
    Signed-off-by: David S. Miller

    Tom Herbert

16 Nov, 2015

1 commit

  • SYNACK packets might be attached to request sockets.

    Use skb_to_full_sk() helper to avoid illegal accesses to
    inet_sk(skb->sk)

    Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
    Signed-off-by: Eric Dumazet
    Reported-by: Sander Eikelenboom
    Acked-by: Julian Anastasov
    Acked-by: Simon Horman
    Signed-off-by: David S. Miller

    Eric Dumazet

13 Oct, 2015

1 commit

  • The function ip_defrag is called on both the input and the output
    paths of the networking stack. In particular conntrack when it is
    tracking outbound packets from the local machine calls ip_defrag.

    So add a struct net parameter and stop making ip_defrag guess which
    network namespace it needs to defragment packets in.

    Signed-off-by: "Eric W. Biederman"
    Acked-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Eric W. Biederman

07 Oct, 2015

2 commits

  • If CONFIG_PROC_FS is undefined then the arguments of proc_create()
    and remove_proc_entry() are unused. As a result the net variables of
    ip_vs_conn_net_{init,cleanup} are unused.

    net/netfilter/ipvs//ip_vs_conn.c: In function ‘ip_vs_conn_net_init’:
    net/netfilter/ipvs//ip_vs_conn.c:1350:14: warning: unused variable ‘net’ [-Wunused-variable]
    net/netfilter/ipvs//ip_vs_conn.c: In function ‘ip_vs_conn_net_cleanup’:
    net/netfilter/ipvs//ip_vs_conn.c:1361:14: warning: unused variable ‘net’ [-Wunused-variable]
    ...

    Resolve this by dereferencing net as needed rather than storing it
    in a variable.

    Fixes: 3d99376689ee ("ipvs: Pass ipvs not net into ip_vs_control_net_(init|cleanup)")
    Signed-off-by: Simon Horman
    Acked-by: Julian Anastasov

    Simon Horman
  • Eric's net namespace changes in 1b75097dd7a26 leaves net unreferenced if
    CONFIG_IP_VS_IPV6 is not enabled:

    ../net/netfilter/ipvs/ip_vs_core.c: In function ‘ip_vs_out’:
    ../net/netfilter/ipvs/ip_vs_core.c:1177:14: warning: unused variable ‘net’ [-Wunused-variable]

    After the net refactoring there is only 1 user; push the reference to the
    1 user. While the line length slightly exceeds 80 it seems to be the
    best change.

    Fixes: 1b75097dd7a26 ("ipvs: Pass ipvs into ip_vs_out")
    Signed-off-by: David Ahern
    Acked-by: Julian Anastasov
    [horms: updated subject]
    Signed-off-by: Simon Horman

    David Ahern

01 Oct, 2015

1 commit

  • I arranged the code so that the compiler can remove the unnecessary bits
    in ip_vs_leave when CONFIG_SYSCTL is unset, and removed an explicit
    CONFIG_SYSCTL.

    Unfortunately when rebasing my work on top of that of Alex Gartrell I
    missed the fact that the newly added function ip_vs_addr_is_unicast was
    surrounded by CONFIG_SYSCTL.

    So remove the now unnecessary CONFIG_SYSCTL guards around
    ip_vs_addr_is_unicast. It is causing build failures today when
    CONFIG_SYSCTL is not selected and any self respecting compiler will
    notice that sysctl_cache_bypass is always false without CONFIG_SYSCTL
    and not include the logic from the function ip_vs_addr_is_unicast in
    the compiled code.

    Signed-off-by: "Eric W. Biederman"
    Acked-by: Julian Anastasov
    Signed-off-by: Simon Horman

    Eric W. Biederman
