04 Oct, 2010
9 commits
-
This is based heavily on the scheduler management code
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
This shouldn't break compatibility with userspace as the new data
is at the end of the line.

I have confirmed that this doesn't break ipvsadm, the main (only?)
user-space user of this data.

Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
In general NULL arguments aren't passed by the few callers that exist,
so don't test for them.

The exception is to make passing NULL to ip_vs_unbind_scheduler() a noop.
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
This simplifies caller logic slightly.
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
Compact ip_vs_sched_persist() by setting up parameters
and calling functions once.

Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
-
Signed-off-by: Simon Horman
Acked-by: Julian Anastasov
29 Sep, 2010
1 commit
-
This patch adds the basic infrastructure to support user-space
expectation helpers via ctnetlink and the netfilter queuing
infrastructure NFQUEUE. Basically, this patch:

* adds NF_CT_EXPECT_USERSPACE flag to identify user-space
created expectations. I have also added a sanity check in
__nf_ct_expect_check() to avoid that kernel-space helpers
may create an expectation if the master conntrack has no
helper assigned.
* adds some branches to check if the master conntrack helper
exists, otherwise we skip the code that refers to kernel-space
helper such as the local expectation list and the expectation
policy.
* allows to set the timeout for user-space expectations with
no helper assigned.
* a list of expectations created from user-space that depends
on ctnetlink (if this module is removed, they are deleted).
* includes USERSPACE in the /proc output for expectations
that have been created by a user-space helper.

This patch also modifies ctnetlink to skip including the helper
name in the Netlink messages if no kernel-space helper is set
(since no user-space expectation has not kernel-space kernel
assigned).

You can access an example user-space FTP conntrack helper at:
http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-userspace-POC.tar.bz

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
22 Sep, 2010
4 commits
-
With this patch, you can specify the expectation flags for user-space
created expectations.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
-
This patch adds the missing validation of the CTA_EXPECT_ZONE
attribute in the ctnetlink code.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
-
This patch improves the situation in which the expectation table is
full for conntrack NAT helpers. Basically, we give up if we don't
find a place in the table instead of looping over nf_ct_expect_related()
with a different port (we should only do this if it returns -EBUSY, for
-EMFILE or -ESHUTDOWN I think that it's better to skip this).

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
-
Change the usage of svc usecnt during command execution:

- we check if svc is registered but we do not need to hold usecnt
reference while under __ip_vs_mutex, only the packet handling needs
it during scheduling

- change __ip_vs_service_get to __ip_vs_service_find and
__ip_vs_svc_fwm_get to __ip_vs_svc_fwm_find because now caller
will increase svc->usecnt

- put common code that calls update_service in __ip_vs_update_dest

- put common code in ip_vs_unlink_service() and use it to unregister
the service

- add comment that svc should not be accessed after ip_vs_del_service
anymore

- all IP_VS_WAIT_WHILE calls are now unified: usecnt > 0

- Properly log the app ports

As result, some problems are fixed:

- possible use-after-free of svc in ip_vs_genl_set_cmd after
ip_vs_del_service because our usecnt reference does not guarantee that
svc is not freed on refcnt==0, eg. when no dests are moved to trash

- possible usecnt leak in do_ip_vs_set_ctl after ip_vs_del_service
when the service is not freed now, for example, when some
destinations are moved into trash and svc->refcnt remains above 0.
It is harmless because svc is not in hash anymore.

Signed-off-by: Julian Anastasov
Acked-by: Simon Horman
Signed-off-by: Patrick McHardy
21 Sep, 2010
3 commits
-
Since we don't change the tuple in the original direction, we can save it
in ct->tuplehash[IP_CT_DIR_REPLY].hnode.pprev for __nf_conntrack_confirm()
use.

__hash_conntrack() is split into two steps: hash_conntrack_raw() is used
to get the raw hash, and __hash_bucket() is used to get the bucket id.

In SYN-flood case, early_drop() doesn't need to recompute the hash again.
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
Add new sysctl flag "snat_reroute". Recent kernels use
ip_route_me_harder() to route LVS-NAT responses properly by
VIP when there are multiple paths to client. But setups
that do not have alternative default routes can skip this
routing lookup by using snat_reroute=0.

Signed-off-by: Julian Anastasov
Signed-off-by: Patrick McHardy
-
Add more code to IPVS to work with Netfilter connection
tracking and fix some problems.

- Allow IPVS to be compiled without connection tracking as in
2.6.35 and before. This can avoid keeping conntracks for all
IPVS connections because this costs memory. ip_vs_ftp still
depends on connection tracking and NAT as implemented for 2.6.36.

- Add sysctl var "conntrack" to enable connection tracking for
all IPVS connections. For loaded IPVS directors it needs
tuning of nf_conntrack_max limit.

- Add IP_VS_CONN_F_NFCT connection flag to request the connection
to use connection tracking. This allows user space to provide this
flag, for example, in dest->conn_flags. This can be useful to
request connection tracking per real server instead of forcing it
for all connections with the "conntrack" sysctl. This flag is
set currently only by ip_vs_ftp and of course by "conntrack" sysctl.

- Add ip_vs_nfct.c file to hold all connection tracking code,
by this way main code should not depend on netfilter conntrack
support.

- Return back the ip_vs_post_routing handler as in 2.6.35 and use
skb->ipvs_property=1 to allow IPVS to work without connection
tracking

Connection tracking:

- most of the code is already in 2.6.36-rc

- alter conntrack reply tuple for LVS-NAT connections when first packet
from client is forwarded and conntrack state is NEW or RELATED.
Additionally, alter reply for RELATED connections from real server,
again for packet in original direction.

- add IP_VS_XMIT_TUNNEL to confirm conntrack (without altering
reply) for LVS-TUN early because we want to call nf_reset. It is
needed because we add IPIP header and the original conntrack
should be preserved, not destroyed. The transmitted IPIP packets
can reuse same conntrack, so we do not set skb->ipvs_property.

- try to destroy conntrack when the IPVS connection is destroyed.
It is not fatal if conntrack disappears before that, it depends
on the used timers.

Fix problems from long time:

- add skb->ip_summed = CHECKSUM_NONE for the LVS-TUN transmitters

Signed-off-by: Julian Anastasov
Signed-off-by: Patrick McHardy
17 Sep, 2010
5 commits
-
- the sync protocol supports 16 bits only, so bits 0..15 should be
used only for flags that should go to backup server, bits 16 and
above should be allocated for flags not sent to backup.

- use IP_VS_CONN_F_DEST_MASK as mask of connection flags in
destination that can be changed by user space

- allow IP_VS_CONN_F_ONE_PACKET to be set in destination

Signed-off-by: Julian Anastasov
Signed-off-by: Patrick McHardy
-
nf_conntrack_alloc() isn't called with nf_conntrack_lock locked, so hash
random initializing code may be executed more than once on different
CPUs.

Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
When alloc_null_binding(), no IP_NAT_RANGE_MAP_IPS in flags means no IP address
translation is needed. It isn't necessary to specify the address explicitly.

Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
Eliminate nf_nat_used_tuple() to save some CPU cycles when there is no
other choice.

Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
The field family of xt_target should be NFPROTO_IPV4, though
NFPROTO_IPV4 and AF_INET are the same.

Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
16 Sep, 2010
1 commit
-
Add a static function nf_nat_csum() to replace the duplicate code in
nf_nat_mangle_udp_packet() and __nf_nat_mangle_tcp_packet().

Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
15 Sep, 2010
1 commit
-
The code is quite convoluted, simplify it. This also avoids calling
e1000_request_irq() without testing the value it returned, which was
bad.

Signed-off-by: Jean Delvare
Cc: Bruce Allan
Cc: Jeff Kirsher
Acked-by: Jeff Kirsher
Signed-off-by: David S. Miller
14 Sep, 2010
10 commits
-
Signed-off-by: Andy Shevchenko
Signed-off-by: David S. Miller
-
Default number of rx buffers will be divided equally
between allocated queues. This will decrease amount of
pre-allocated buffers on systems with multiple CPUs.
User can override this behavior with ethtool -G.
Minimum amount of rx buffers per queue set to 128.

Reported-by: Eric Dumazet
Signed-off-by: Dmitry Kravkov
Signed-off-by: Eilon Greenstein
Signed-off-by: David S. Miller
-
Empty received URBs are currently counted as errors but the device sends them
sometimes as part of regular traffic - so remove this check.

Signed-off-by: Ondrej Zary
Signed-off-by: David S. Miller
-
Fix that usb_string() return value is not checked for error (negative value).
Also change the ignore message a bit and lower its level to info.

Signed-off-by: Ondrej Zary
Signed-off-by: David S. Miller
-
Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
-
Modifying an object twice without an intervening sequence point is
undefined.

Signed-off-by: Andreas Schwab
Signed-off-by: David S. Miller
-
Modifying an object twice without an intervening sequence point is
undefined.

Signed-off-by: Andreas Schwab
Signed-off-by: David S. Miller
-
This patch adds support for PM hooks into sundance driver
Signed-off-by: Denis Kirjanov
Signed-off-by: David S. Miller
-
Allocate hash tables for every online cpus, not every possible ones.
NUMA aware allocations.
Don't use a full page on arches where PAGE_SIZE > 1024*sizeof(void *)
misc:
__percpu , __read_mostly, __cpuinit annotations
flow_compare_t is just an "unsigned long"

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
13 Sep, 2010
1 commit
-
Reported-by: Jiri Slaby
Signed-off-by: David S. Miller
11 Sep, 2010
5 commits
-
Now that est_tree_lock is acquired with BH protection, the other
call is unnecessary.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
Use rcu_dereference_rtnl() helper
Change hard coded constants in fib_flag_trans()
7 -> RTN_UNREACHABLE
8 -> RTN_PROHIBIT

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
-
This requires some reorganisation of channel setup and teardown to
ensure that we can always roll-back a failed change.

Based on work by Steve Hodgson
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
- Allow the ring size to be specified in non
power-of-two sizes (for instance to limit
the amount of receive buffers).
- Automatically size the event queue.

Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
-
This will allow for reallocation of channel structures and rings.
Change module parameter separate_tx_channels to be read-only, since we
now require its value to be constant.

Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller