20 Jan, 2016

1 commit

  • When we need to lock all buckets in the connection hashtable we'd attempt to
    lock 1024 spinlocks, which is way more preemption levels than supported by
    the kernel. Furthermore, this behavior was hidden by checking if lockdep is
    enabled, and if it was - use only 8 buckets(!).

    Fix this by using a global lock and synchronize all buckets on it when we
    need to lock them all. This is pretty heavyweight, but is only done when we
    need to resize the hashtable, and that doesn't happen often enough (or at all).

    Signed-off-by: Sasha Levin
    Acked-by: Jesper Dangaard Brouer
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Sasha Levin
     

29 Dec, 2015

1 commit


05 Oct, 2015

4 commits


18 Aug, 2015

2 commits

  • This work adds the possibility of deriving the zone id from the skb->mark
    field in a scalable manner. This allows for having only a single template
    serving hundreds/thousands of different zones, for example, instead of the
    need to have one match for each zone as an extra CT jump target.

    Note that we'd need to have this information attached to the template as at
    the time when we're trying to lookup a possible ct object, we already need
    to know zone information for a possible match when going into
    __nf_conntrack_find_get(). This work provides a minimal implementation for
    a possible mapping.

    In order to not add/expose an extra ct->status bit, the zone structure has
    been extended to carry a flag for deriving the mark.

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
     
  • This work adds a direction parameter to netfilter zones, so identity
    separation can be performed only in original/reply or both directions
    (default). This basically opens up the possibility of doing NAT with
    conflicting IP address/port tuples from multiple, isolated tenants
    on a host (e.g. from a netns) without requiring each tenant to NAT
    twice resp. to use its own dedicated IP address to SNAT to, meaning
    overlapping tuples can be made unique with the zone identifier in
    original direction, where the NAT engine will then allocate a unique
    tuple in the commonly shared default zone for the reply direction.
    In some restricted, local DNAT cases, also port redirection could be
    used for making the reply traffic unique w/o requiring SNAT.

    The consensus we've reached and discussed at NFWS and since the initial
    implementation [1] was to directly integrate the direction meta data
    into the existing zones infrastructure, as opposed to the ct->mark
    approach we proposed initially.

    As we pass the nf_conntrack_zone object directly around, we don't have
    to touch all call-sites, but only those that contain equality checks
    of zones. Thus, based on the current direction (original or reply),
    we either return the actual id, or the default NF_CT_DEFAULT_ZONE_ID.
    CT expectations are direction-agnostic entities when expectations are
    being compared among themselves, so we can only use the identifier
    in this case.

    Note that zone identifiers can not be included into the hash mix
    anymore as they don't contain a "stable" value that would be equal
    for both directions at all times, f.e. if only zone->id would
    unconditionally be xor'ed into the table slot hash, then replies won't
    find the corresponding conntracking entry anymore.

    If no particular direction is specified when configuring zones, the
    behaviour is exactly as we expect currently (both directions).

    Support has been added for the CT netlink interface as well as the
    x_tables raw CT target, which both already offer existing interfaces
    to user space for the configuration of zones.

    Below a minimal, simplified collision example (script in [2]) with
    netperf sessions:

    +--- tenant-1 ---+   mark := 1
    |    netperf     |--+
    +----------------+  |                 CT zone := mark [ORIGINAL]
     [ip,sport] := X    +--------------+  +--- gateway ---+
                        | mark routing |--|     SNAT      |-- ... +
                        +--------------+  +---------------+       |
    +--- tenant-2 ---+  |                                      ~~~|~~~
    |    netperf     |--+                 +-----------+           |
    +----------------+   mark := 2        | netserver |------ ... +
     [ip,sport] := X                      +-----------+
                                           [ip,port] := Y
    On the gateway netns, example:

    iptables -t raw -A PREROUTING -j CT --zone mark --zone-dir ORIGINAL
    iptables -t nat -A POSTROUTING -o <out> -j SNAT --to-source <ip> --random-fully

    iptables -t mangle -A PREROUTING -m conntrack --ctdir ORIGINAL -j CONNMARK --save-mark
    iptables -t mangle -A POSTROUTING -m conntrack --ctdir REPLY -j CONNMARK --restore-mark

    conntrack dump from gateway netns:

    netperf -H 10.1.1.2 -t TCP_STREAM -l60 -p12865,5555 from each tenant netns

    tcp 6 431995 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=5555 dport=12865 zone-orig=1
    src=10.1.1.2 dst=10.1.1.1 sport=12865 dport=1024
    [ASSURED] mark=1 secctx=system_u:object_r:unlabeled_t:s0 use=1

    tcp 6 431994 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=5555 dport=12865 zone-orig=2
    src=10.1.1.2 dst=10.1.1.1 sport=12865 dport=5555
    [ASSURED] mark=2 secctx=system_u:object_r:unlabeled_t:s0 use=1

    tcp 6 299 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=39438 dport=33768 zone-orig=1
    src=10.1.1.2 dst=10.1.1.1 sport=33768 dport=39438
    [ASSURED] mark=1 secctx=system_u:object_r:unlabeled_t:s0 use=1

    tcp 6 300 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=32889 dport=40206 zone-orig=2
    src=10.1.1.2 dst=10.1.1.1 sport=40206 dport=32889
    [ASSURED] mark=2 secctx=system_u:object_r:unlabeled_t:s0 use=2

    Taking this further, test script in [2] creates 200 tenants and runs
    original-tuple colliding netperf sessions each. A conntrack -L dump in
    the gateway netns also confirms 200 overlapping entries, all in ESTABLISHED
    state as expected.

    I also did run various other tests with some permutations of the script,
    to mention some: SNAT in random/random-fully/persistent mode, no zones (no
    overlaps), static zones (original, reply, both directions), etc.

    [1] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/57412/
    [2] https://paste.fedoraproject.org/242835/65657871/

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
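A worked model of the lookup rule the two entries above describe (a zone derived from the packet mark, and a zone that only applies in one direction), added here as an example. It is Python, not kernel code, and its details are assumptions of the model rather than anything the commits state: a connection is a plain 4-tuple, SNAT is a toy port allocator on the gateway address, and reply packets from the wire arrive with mark 0. The comparison in lookup() follows the description of the per-direction zone id: the table is keyed on the tuple alone, and zone ids are compared in the direction of the entry being examined.

```python
"""Direction-aware conntrack zones, modelled in Python (added example,
not kernel code; tuple shape, SNAT allocator and mark handling are
assumptions of this model)."""
from dataclasses import dataclass, field

ORIGINAL, REPLY = 0, 1
DEFAULT_ZONE_ID = 0                       # NF_CT_DEFAULT_ZONE_ID
DIR_ORIG, DIR_REPL = 1 << ORIGINAL, 1 << REPLY
DIR_BOTH = DIR_ORIG | DIR_REPL            # behaviour when no --zone-dir is given


@dataclass(frozen=True)
class Zone:
    id: int
    dirs: int = DIR_BOTH                  # directions in which the id applies

    def id_for(self, direction):
        """The real id in the selected directions, the default zone otherwise."""
        return self.id if self.dirs & (1 << direction) else DEFAULT_ZONE_ID


@dataclass(frozen=True)
class Tuple:
    src: str
    dst: str
    sport: int
    dport: int

    def inverted(self):
        return Tuple(self.dst, self.src, self.dport, self.sport)


@dataclass
class Conn:
    zone: Zone
    mark: int
    tuples: dict = field(default_factory=dict)   # direction -> Tuple


class Conntrack:
    def __init__(self, gw_ip):
        self.gw_ip = gw_ip
        self._hash = {}            # Tuple -> [(Conn, direction), ...]
        self._reply_ports = set()  # (peer, gw_ip, port) already handed out

    def lookup(self, tuple_, zone):
        """Hash on the tuple only; compare zone ids in the entry's direction."""
        for conn, d in self._hash.get(tuple_, ()):
            if zone.id_for(d) == conn.zone.id_for(d):
                return conn, d
        return None

    def _snat(self, conn):
        """Give the reply direction a tuple that is unique in the default zone."""
        r = conn.tuples[ORIGINAL].inverted()
        port = r.dport
        while (r.src, self.gw_ip, port) in self._reply_ports:
            port += 1                        # toy stand-in for --random-fully
        self._reply_ports.add((r.src, self.gw_ip, port))
        conn.tuples[REPLY] = Tuple(r.src, self.gw_ip, r.sport, port)

    def handle(self, tuple_, mark, zone_dirs):
        """Process one packet; returns (conn, direction, created)."""
        zone = Zone(mark, zone_dirs)         # --zone mark [--zone-dir ...]
        hit = self.lookup(tuple_, zone)
        if hit:
            return hit[0], hit[1], False
        conn = Conn(zone=zone, mark=mark, tuples={ORIGINAL: tuple_})
        self._snat(conn)
        for d, t in conn.tuples.items():     # confirm: insert both directions
            self._hash.setdefault(t, []).append((conn, d))
        return conn, ORIGINAL, True


def run_scenario(marks=(1, 2), zone_dirs=DIR_ORIG):
    """Two tenants whose original tuples collide behind one SNAT gateway
    (constructed input mirroring the diagram above)."""
    ct = Conntrack(gw_ip="10.1.1.1")
    x = Tuple("40.1.1.1", "10.1.1.2", 5555, 12865)      # [ip,sport] := X
    c1, _, new1 = ct.handle(x, marks[0], zone_dirs)
    c2, _, new2 = ct.handle(x, marks[1], zone_dirs)
    # replies from netserver carry no tenant mark
    r1 = ct.lookup(c1.tuples[REPLY], Zone(0, zone_dirs))
    r2 = ct.lookup(c2.tuples[REPLY], Zone(0, zone_dirs))
    return {
        "created": (new1, new2),
        "distinct": c1 is not c2,
        "reply_ports": (c1.tuples[REPLY].dport, c2.tuples[REPLY].dport),
        "replies_found": (r1 is not None and r1[0] is c1,
                          r2 is not None and r2[0] is c2),
    }


if __name__ == "__main__":
    print(run_scenario())                         # zone-dir ORIGINAL
    print(run_scenario(zone_dirs=DIR_BOTH))       # zone in both directions
    print(run_scenario(marks=(0, 0)))             # no zones at all
```

Running the three cases shows the point of the direction flag: with ORIGINAL-only zones the two colliding connections stay apart and the unmarked replies still find their entry in the shared default zone; with the zone applied in both directions the replies miss, because the reply packet's zone (0) no longer equals the entry's; with no zones the second tenant's packets are simply attributed to the first tenant's connection.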
     

11 Aug, 2015

1 commit

  • This patch replaces the zone id which is pushed down into functions
    with the actual zone object. It's a bigger one-time change, but
    needed for later on extending zones with a direction parameter, and
    thus decoupling this additional information from all call-sites.

    No functional changes in this patch.

    The default zone becomes a global const object, namely nf_ct_zone_dflt
    and will be returned directly in various cases, one being, when there's
    f.e. no zoning support.

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
     

10 Jul, 2015

1 commit


08 Jan, 2015

1 commit

  • This patch adds support for selective flushing of conntrack mappings.
    By adding CTA_MARK and CTA_MARK_MASK to a delete-message, the mark (and
    mask) is checked before a connection is deleted while flushing.

    Configuring the flush is moved out of ctnetlink_del_conntrack(), and
    instead of calling nf_conntrack_flush_report(), we always call
    nf_ct_iterate_cleanup(). This enables us to only make one call from the
    new ctnetlink_flush_conntrack() and makes it easy to add more filter
    parameters.

    Filtering is done in the ctnetlink_filter_match()-function, which is
    also called from ctnetlink_dump_table(). ctnetlink_dump_filter has been
    renamed ctnetlink_filter, to indicate that it is no longer only used
    when dumping conntrack entries.

    Moreover, reject mark filters with -EOPNOTSUPP if no ct mark support is
    available.

    Signed-off-by: Kristian Evensen
    Signed-off-by: Pablo Neira Ayuso

    Kristian Evensen
     

23 Aug, 2014

1 commit


21 Jul, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter updates for net-next

    The following patchset contains updates for your net-next tree,
    they are:

    1) Use kvfree() helper function from x_tables, from Eric Dumazet.

    2) Remove extra timer from the conntrack ecache extension, use a
    workqueue instead to redeliver lost events to userspace instead,
    from Florian Westphal.

    3) Removal of the ulog targets for ebtables and iptables. The nflog
    infrastructure superseded this almost 9 years ago, time to get rid
    of this code.

    4) Replace the list of loggers by an array now that we can only have
    two possible non-overlapping logger flavours, ie. kernel ring buffer
    and netlink logging.

    5) Move Eric Dumazet's log buffer code to nf_log to reuse it from
    all of the supported per-family loggers.

    6) Consolidate nf_log_packet() as an unified interface for packet logging.
    After this patch, if the struct nf_loginfo is available, it explicitly
    selects the logger that is used.

    7) Move ip and ip6 logging code from xt_LOG to the corresponding
    per-family loggers. Thus, x_tables and nf_tables share the same code
    for packet logging.

    8) Add generic ARP packet logger, which is used by nf_tables. The
    format aims to be consistent with the output of xt_LOG.

    9) Add generic bridge packet logger. Again, this is used by nf_tables
    and it routes the packets to the real family loggers. As a result,
    we get consistent logging format for the bridge family. The ebt_log
    logging code has been intentionally left in place not to break
    backward compatibility since the logging output differs from xt_LOG.

    10) Update nft_log to explicitly request the required family logger when
    needed.

    11) Finish nft_log so it supports arp, ip, ip6, bridge and inet families.
    Allowing selection between netlink and kernel buffer ring logging.

    12) Several fixes coming after the netfilter core logging changes spotted
    by robots.

    13) Use IS_ENABLED() macros whenever possible in the netfilter tree,
    from Duan Jiong.

    14) Removal of a couple of unnecessary branch before kfree, from Fabian
    Frederick.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

25 Jun, 2014

1 commit


16 Jun, 2014

3 commits


30 Apr, 2014

1 commit

  • commit 0eba801b64cc8284d9024c7ece30415a2b981a72 tried to fix a race
    where nat initialisation can happen after ctnetlink-created conntrack
    has been created.

    However, it causes the nat module(s) to be loaded needlessly on
    systems that are not using NAT.

    Fortunately, we do not have to create null bindings in that case.

    conntracks injected via ctnetlink always have the CONFIRMED bit set,
    which prevents addition of the nat extension in nf_nat_ipv4/6_fn().

    We only need to make sure that either no nat extension is added
    or that we've created both src and dst manips.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

18 Mar, 2014

1 commit

  • Pablo Neira Ayuso says:

    ====================
    Netfilter/IPVS updates for net-next

    The following patchset contains Netfilter/IPVS updates for net-next,
    most relevantly they are:

    * cleanup to remove double semicolon from stephen hemminger.

    * calm down sparse warning in xt_ipcomp, from Fan Du.

    * nf_ct_labels support for nf_tables, from Florian Westphal.

    * new macros to simplify rcu dereferences in the scope of nfnetlink
    and nf_tables, from Patrick McHardy.

    * Accept queue and drop (including reason for drop) to verdict
    parsing in nf_tables, also from Patrick.

    * Remove unused random seed initialization in nfnetlink_log, from
    Florian Westphal.

    * Allow to attach user-specific information to nf_tables rules, useful
    to attach user comments to rule, from me.

    * Return errors in ipset according to the manpage documentation, from
    Jozsef Kadlecsik.

    * Fix coccinelle warnings related to incorrect bool type usage for ipset,
    from Fengguang Wu.

    * Add hash:ip,mark set type to ipset, from Vytas Dauksa.

    * Fix message for each spotted by ipset for each netns that is created,
    from Ilia Mirkin.

    * Add forceadd option to ipset, which evicts a random entry from the set
    if it becomes full, from Josh Hunt.

    * Minor IPVS cleanups and fixes from Andi Kleen and Tingwei Liu.

    * Improve conntrack scalability by removing a central spinlock, original
    work from Eric Dumazet. Jesper Dangaard Brouer took them over to address
    remaining issues. Several patches to prepare this change come in first
    place.

    * Rework nft_hash to resolve bugs (leaking chain, missing rcu synchronization
    on element removal, etc.) from Patrick McHardy.

    * Restore context in the rule deletion path, as we now release rule objects
    synchronously, from Patrick McHardy. This gets back event notification for
    anonymous sets.

    * Fix NAT family validation in nft_nat, also from Patrick.

    * Improve scalability of xt_connlimit by using an array of spinlocks and
    by introducing a rb-tree of hashtables for faster lookup of accounted
    objects per network. This patch was preceded by several patches and
    refactorizations to accommodate this change including the use of kmem_cache,
    from Florian Westphal.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

07 Mar, 2014

3 commits

  • nf_conntrack_lock is a monolithic lock and suffers from huge contention
    on current generation servers (8 or more core/threads).

    Perf locking congestion is clear on base kernel:

    - 72.56% ksoftirqd/6  [kernel.kallsyms]    [k] _raw_spin_lock_bh
       - _raw_spin_lock_bh
          + 25.33% init_conntrack
          + 24.86% nf_ct_delete_from_lists
          + 24.62% __nf_conntrack_confirm
          + 24.38% destroy_conntrack
          + 0.70% tcp_packet
    +  2.21% ksoftirqd/6  [kernel.kallsyms]    [k] fib_table_lookup
    +  1.15% ksoftirqd/6  [kernel.kallsyms]    [k] __slab_free
    +  0.77% ksoftirqd/6  [kernel.kallsyms]    [k] inet_getpeer
    +  0.70% ksoftirqd/6  [nf_conntrack]       [k] nf_ct_delete
    +  0.55% ksoftirqd/6  [ip_tables]          [k] ipt_do_table

    This patch changes conntrack locking and provides a huge performance
    improvement. SYN-flood attack tested on a 24-core E5-2695v2(ES) with
    10Gbit/s ixgbe (with tool trafgen):

    Base kernel: 810.405 new conntrack/sec
    After patch: 2.233.876 new conntrack/sec

    Notice other floods attack (SYN+ACK or ACK) can easily be deflected using:
    # iptables -A INPUT -m state --state INVALID -j DROP
    # sysctl -w net/netfilter/nf_conntrack_tcp_loose=0

    Use an array of hashed spinlocks to protect insertions/deletions of
    conntracks into the hash table. 1024 spinlocks seem to give good
    results, at minimal cost (4KB memory). Due to lockdep max depth,
    1024 becomes 8 if CONFIG_LOCKDEP=y

    The hash resize is a bit tricky, because we need to take all locks in
    the array. A seqcount_t is used to synchronize the hash table users
    with the resizing process.

    Signed-off-by: Eric Dumazet
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Jesper Dangaard Brouer
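A runnable model of the locking scheme described in this entry, combined with the resize fix from the 20 Jan, 2016 entry at the top of this page, added here as an example. It is Python, not kernel code: writers take one stripe lock chosen by hash, lockless readers validate against a seqcount, and the resize path takes a single global lock, raises a flag, and merely drains each stripe in turn instead of holding all of them, so no thread ever nests NR_LOCKS locks. NR_LOCKS, the bucket sizes and the demo() workload are arbitrary choices of this model.

```python
"""Striped bucket locks plus a lock-all path that never nests them.

Added example (Python model, not kernel code). NR_LOCKS, bucket sizes and
demo() are arbitrary choices; threading.Lock stands in for spinlock_t.
"""
import threading


class StripedTable:
    NR_LOCKS = 16                              # the kernel uses 1024

    def __init__(self, nbuckets=4):
        self.buckets = [[] for _ in range(nbuckets)]
        self.locks = [threading.Lock() for _ in range(self.NR_LOCKS)]
        self.all_lock = threading.Lock()       # the single global lock
        self.locks_all = False                 # "a resize is in progress" flag
        self.seq = 0                           # seqcount: odd during a resize

    def _lock(self, key):
        """Take the stripe for key, but back off while the flag is set so the
        resizer never waits behind writers that arrived after it."""
        lock = self.locks[hash(key) % self.NR_LOCKS]
        lock.acquire()
        while self.locks_all:
            lock.release()
            with self.all_lock:                # returns once the resize is done
                pass
            lock.acquire()
        return lock

    def insert(self, key, value):
        lock = self._lock(key)
        try:
            self.buckets[hash(key) % len(self.buckets)].append((key, value))
        finally:
            lock.release()

    def _read_begin(self):
        """Wait for an even seqcount, sleeping on the global lock instead of
        spinning while a resize is in flight."""
        while True:
            start = self.seq
            if start % 2 == 0:
                return start
            with self.all_lock:
                pass

    def lookup(self, key):
        """Lockless reader: retry if a resize moved the buckets underneath."""
        while True:
            start = self._read_begin()
            buckets = self.buckets             # one consistent snapshot
            hit = next((v for k, v in buckets[hash(key) % len(buckets)]
                        if k == key), None)
            if self.seq == start:
                return hit

    def size(self):
        while True:
            start = self._read_begin()
            n = sum(len(b) for b in self.buckets)
            if self.seq == start:
                return n

    def _lock_all(self):
        """Global lock, set the flag, then drain each stripe in turn (acquire
        and immediately release) rather than holding all of them at once."""
        self.all_lock.acquire()
        self.locks_all = True
        for lock in self.locks:
            lock.acquire()
            lock.release()

    def _unlock_all(self):
        self.locks_all = False
        self.all_lock.release()

    def resize(self, nbuckets):
        self._lock_all()
        try:
            self.seq += 1                      # odd: readers retry
            new = [[] for _ in range(nbuckets)]
            for bucket in self.buckets:
                for k, v in bucket:
                    new[hash(k) % nbuckets].append((k, v))
            self.buckets = new
            self.seq += 1                      # even: table is stable again
        finally:
            self._unlock_all()


def demo(n_keys=2000, n_writers=4):
    """Writers insert disjoint keys while another thread resizes repeatedly;
    returns the table so the outcome can be checked."""
    t = StripedTable(nbuckets=2)

    def writer(i):
        for k in range(i, n_keys, n_writers):
            t.insert(k, 2 * k)

    def resizer():
        for n in (4, 8, 16, 32):
            t.resize(n)

    threads = [threading.Thread(target=writer, args=(i,)) for i in range(n_writers)]
    threads.append(threading.Thread(target=resizer))
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return t
```

The order inside _lock() matters: a writer must acquire its stripe before it tests the flag, and the resizer must set the flag before it starts draining, otherwise a writer could slip into a bucket the resizer has already considered quiescent. The seqcount is what lets lookup() run without any lock and still never index a bucket list with a stale size.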
     
  • Netfilter expectations are protected with the same lock as conntrack
    entries (nf_conntrack_lock). This patch splits out expectations locking
    to use its own lock (nf_conntrack_expect_lock).

    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Jesper Dangaard Brouer
     
  • One spinlock per cpu to protect dying/unconfirmed/template special lists.
    (These lists are now per cpu, a bit like the untracked ct)
    Add a @cpu field to nf_conn, to make sure we hold the appropriate
    spinlock at removal time.

    Signed-off-by: Eric Dumazet
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: David S. Miller
    Reviewed-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Jesper Dangaard Brouer
     

19 Feb, 2014

1 commit

  • This also adds NF_CT_LABELS_MAX_SIZE so it can be re-used
    as BUILD_BUG_ON in nft_ct.

    At this time, nft doesn't yet support writing to the label area;
    when this changes the label->words handling needs to be moved
    out of xt_connlabel.c into nf_conntrack_labels.c.

    Also removes a useless run-time check: words cannot grow beyond
    4 (32 bit) or 2 (64bit) since xt_connlabel enforces a maximum of
    128 labels.

    Signed-off-by: Florian Westphal
    Acked-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

18 Feb, 2014

1 commit

  • Quoting Andrey Vagin:
    When a conntrack is created by kernel, it is initialized (sets
    IPS_{DST,SRC}_NAT_DONE_BIT bits in nf_nat_setup_info) and only then it
    is added in hashes (__nf_conntrack_hash_insert), so one conntrack
    can't be initialized from a few threads concurrently.

    ctnetlink can add an uninitialized conntrack (w/o
    IPS_{DST,SRC}_NAT_DONE_BIT) in hashes, then a few threads can look up
    this conntrack and start initialize it concurrently. It's dangerous,
    because BUG can be triggered from nf_nat_setup_info.

    Fix this race by always setting up nat, even if no CTA_NAT_ attribute
    was requested before inserting the ct into the hash table. In absence
    of CTA_NAT_ attribute, a null binding is created.

    This alters current behaviour: Before this patch, the first packet
    matching the newly injected conntrack would be run through the nat
    table since nf_nat_initialized() returns false. IOW, this forces
    ctnetlink users to specify the desired nat transformation on ct
    creation time.

    Thanks to Florian Westphal, this patch is based on his original
    patch to address this problem, including this patch description.

    Reported-By: Andrey Vagin
    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Florian Westphal

    Pablo Neira Ayuso
     

20 Dec, 2013

1 commit

  • Useful to only set a particular range of the conntrack mark while
    leaving existing parts of the value alone, e.g. when setting
    conntrack marks via NFQUEUE.

    Follows same scheme as MARK/CONNMARK targets, i.e. the mask defines
    those bits that should be altered. No mask is equal to '~0', ie.
    the old value is replaced by new one.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
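The masked mark update described in the entry just above, and the CTA_MARK/CTA_MARK_MASK flush filter from the 08 Jan, 2015 entry earlier on this page, worked through in one added Python example. It is not kernel code and not libnetfilter_conntrack: the delete request is packed by hand from the uapi constants so the wire format the kernel parses is visible, filter_match() and apply_mark_update() restate the two mark rules in the form the commits describe, and only send_flush() opens a socket (Linux, CAP_NET_ADMIN); nothing else touches the network.

```python
"""ctnetlink flush-by-mark request, built by hand (added example, not
kernel or libnetfilter_conntrack code). Constants are the uapi values."""
import socket
import struct

NETLINK_NETFILTER = 12
NFNL_SUBSYS_CTNETLINK = 1
IPCTNL_MSG_CT_DELETE = 2
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
NLMSG_ERROR = 2
NLMSG_HDRLEN = 16
CTA_MARK, CTA_MARK_MASK = 8, 21


def nla(attr_type, payload):
    """struct nlattr: native-endian header, payload padded to 4 bytes."""
    pad = (-len(payload)) % 4
    return struct.pack("=HH", 4 + len(payload), attr_type) + payload + b"\0" * pad


def nla_be32(attr_type, value):
    """CTA_MARK and CTA_MARK_MASK carry a big-endian u32."""
    return nla(attr_type, struct.pack("!I", value & 0xFFFFFFFF))


def build_ct_flush(mark, mask, family=socket.AF_INET, seq=1):
    """IPCTNL_MSG_CT_DELETE without a tuple is a flush; mark/mask narrow it."""
    body = struct.pack("=BBH", family, 0, 0)          # nfgenmsg, version 0
    body += nla_be32(CTA_MARK, mark) + nla_be32(CTA_MARK_MASK, mask)
    msg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), msg_type,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + body


def parse_attrs(buf):
    """Userspace re-implementation of nla_parse(): {type: payload}, and an
    error rather than silent continuation on a truncated attribute."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        alen, atype = struct.unpack_from("=HH", buf, off)
        if alen < 4 or off + alen > len(buf):
            raise ValueError("truncated nlattr")
        attrs[atype] = buf[off + 4:off + alen]
        off += (alen + 3) & ~3
    return attrs


def decode_flush(msg):
    """The kernel's view of the request: (nlmsg_type, flags, mark, mask)."""
    _, msg_type, flags, _, _ = struct.unpack_from("=IHHII", msg)
    attrs = parse_attrs(msg[NLMSG_HDRLEN + 4:])       # skip nfgenmsg
    mark = struct.unpack("!I", attrs[CTA_MARK])[0]
    mask = struct.unpack("!I", attrs[CTA_MARK_MASK])[0]
    return msg_type, flags, mark, mask


def filter_match(ct_mark, mark, mask):
    """Flush filter: (ct->mark & mask) == mark. The value is not masked, so
    bits in `mark` outside `mask` make the filter match no entry at all."""
    return (ct_mark & mask) == mark


def apply_mark_update(old_mark, mark, mask=0xFFFFFFFF):
    """CTA_MARK with optional CTA_MARK_MASK on a set: only masked bits change;
    no mask behaves like ~0 and replaces the whole value."""
    return (old_mark & ~mask & 0xFFFFFFFF) | (mark & mask)


def send_flush(mark, mask):
    """Send the flush; return the errno from the NLMSG_ERROR ack (0 = ok,
    95 = EOPNOTSUPP when the kernel has no conntrack mark support)."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
    try:
        s.send(build_ct_flush(mark, mask))
        reply = s.recv(65536)
        _, msg_type = struct.unpack_from("=IH", reply)
        if msg_type != NLMSG_ERROR:
            return None
        return -struct.unpack_from("=i", reply, NLMSG_HDRLEN)[0]
    finally:
        s.close()


if __name__ == "__main__":
    msg = build_ct_flush(0x10, 0xF0)
    print(msg.hex(), decode_flush(msg))
```

One check worth making before flushing on a production box: because the filter compares the masked conntrack mark against the unmasked value, a value with bits set outside the mask never matches, and the flush silently deletes nothing; pass a value that is already masked.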
     

04 Nov, 2013

2 commits


28 Aug, 2013

2 commits

  • net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_nfqueue_attach_expect':
    'helper' may be used uninitialized in this function

    It was only initialized in if CTA_EXPECT_HELP_NAME attribute was
    present, it must be NULL otherwise.

    Problem added recently in bd077937
    (netfilter: nfnetlink_queue: allow to attach expectations to conntracks).

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     
  • Split out sequence number adjustments from NAT and move them to the conntrack
    core to make them usable for SYN proxying. The sequence number adjustment
    information is moved to a separate extend. The extend is added to new
    conntracks when a NAT mapping is set up for a connection using a helper.

    As a side effect, this saves 24 bytes per connection with NAT in the common
    case that a connection does not have a helper assigned.

    Signed-off-by: Patrick McHardy
    Tested-by: Martin Topholm
    Signed-off-by: Jesper Dangaard Brouer
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

13 Aug, 2013

2 commits


01 Aug, 2013

1 commit


04 Jul, 2013

1 commit

  • Conflicts:
    drivers/net/ethernet/freescale/fec_main.c
    drivers/net/ethernet/renesas/sh_eth.c
    net/ipv4/gre.c

    The GRE conflict is between a bug fix (kfree_skb --> kfree_skb_list)
    and the splitting of the gre.c code into separate files.

    The FEC conflict was two sets of changes adding ethtool support code
    in an "!CONFIG_M5272" CPP protected block.

    Finally the sh_eth.c conflict was between one commit adding bits set
    in the .eesr_err_check mask whilst another commit removed the
    .tx_error_check member and assignments.

    Signed-off-by: David S. Miller

    David S. Miller
     

24 Jun, 2013

1 commit

  • commit 0ceabd83875b72a29f33db4ab703d6ba40ea4c58
    (netfilter: ctnetlink: deliver labels to userspace) sets the event bit
    when we raced with another packet, instead of raising the event bit
    when the label bit is set for the first time.

    commit 9b21f6a90924dfe8e5e686c314ddb441fb06501e
    (netfilter: ctnetlink: allow userspace to modify labels) forgot to update
    the event mask in the "conntrack already exists" case.

    Both issues result in CTA_LABELS attribute not getting included in the
    conntrack event.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

20 Jun, 2013

1 commit

  • These are the only calls under net/ that do not check nla_parse_nested()
    for its error code, but simply continue execution. If parsing of netlink
    attributes fails, we should return with an error instead of continuing.
    In nearly all of these calls we have a policy attached, that is being
    type verified during nla_parse_nested(), which we would miss checking
    for otherwise.

    Signed-off-by: Daniel Borkmann
    Signed-off-by: Pablo Neira Ayuso

    Daniel Borkmann
     

20 Mar, 2013

1 commit


28 Feb, 2013

1 commit

  • I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    they don't really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small amount of places were using the 'node' parameter, this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foudnation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

19 Feb, 2013

2 commits

  • Pablo Neira Ayuso says:

    ====================
    The following patchset contain updates for your net-next tree, they are:

    * Fix (for just added) connlabel dependencies, from Florian Westphal.

    * Add aliasing support for conntrack, thus users can either use -m state
    or -m conntrack from iptables while using the same kernel module, from
    Jozsef Kadlecsik.

    * Some code refactoring for the CT target to merge common code in
    revision 0 and 1, from myself.

    * Add aliasing support for CT, based on patch from Jozsef Kadlecsik.

    * Add one mutex per nfnetlink subsystem, from myself.

    * Improved logging for packets that are dropped by helpers, from myself.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Pull in 'net' to take in the bug fixes that didn't make it into
    3.8-final.

    Also, deal with the semantic conflict of the change made to
    net/ipv6/xfrm6_policy.c A missing rt6->n neighbour release
    was added to 'net', but in 'net-next' we no longer cache the
    neighbour entries in the ipv6 routes so that change is not
    appropriate there.

    Signed-off-by: David S. Miller

    David S. Miller
     

13 Feb, 2013

1 commit