15 May, 2011
1 commit
-
Without this patch every access to ip_vs in procfs will increase
the netns count i.e. an unbalanced get_net()/put_net().
(ipvsadm commands also use procfs.)
The result is you can't exit a netns if reading ip_vs_* procfs entries.

Signed-off-by: Hans Schillstrom
Signed-off-by: Pablo Neira Ayuso
10 May, 2011
6 commits
-
This patch reverts a2361c8735e07322023aedc36e4938b35af31eb0:
"[PATCH] netfilter: xt_conntrack: warn about use in raw table"

Florian Westphal says:
"... when the packet was sent from the local machine the skb
already has ->nfct attached, and -m conntrack seems to do
the right thing."

Acked-by: Jan Engelhardt
Reported-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
The mask indicates the bits one wants to zero out, so it needs to be
inverted before applying to the original TOS field.

Signed-off-by: Fernando Luis Vazquez Cao
Signed-off-by: Pablo Neira Ayuso
-
DESCRIPTION
This patch tries to restore the initial init and cleanup
sequences that were in place before the namespace patch.
Netns also requires action when net devices unregister,
which has never been implemented. I.e. this patch also
covers when a device moves into a network namespace
and has to be released.

IMPLEMENTATION
The number of calls to register_pernet_device has been
reduced to one for ip_vs.ko.
Schedulers still have their own calls.

This patch adds a function __ip_vs_service_cleanup()
and an enable flag for the netfilter hooks.

The nf hooks will be enabled when the first service is loaded
and never disabled again, except when a namespace exit starts.

Signed-off-by: Hans Schillstrom
Acked-by: Julian Anastasov
[horms@verge.net.au: minor edit to changelog]
Signed-off-by: Simon Horman
-
If the sync daemons run in a name space while it crashes
or gets killed, there is no way to stop them except for a reboot.
When all patches are there, ip_vs_core will handle register_pernet_(),
i.e. ip_vs_sync_init() and ip_vs_sync_cleanup() will be removed.

Kernel threads should not increment the use count of a socket.
By calling sk_change_net() after creating a socket this is avoided.
sock_release can't be used; instead sk_release_kernel() should be used.

Thanks Eric W Biederman for your advice.
Signed-off-by: Hans Schillstrom
[horms@verge.net.au: minor edit to changelog]
Signed-off-by: Simon Horman
-
commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations)
made ebtables not work anymore.

1) xt_compat_calc_jump() is not an exact match lookup
2) compat_table_info() has a typo in xt_compat_init_offsets() call
3) compat_do_replace() misses a xt_compat_init_offsets() call

Reported-by: dann frazier
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
-
This patch fixes the missing initialization of the start time if
the timestamp support is enabled.

libnetfilter_conntrack/utils# conntrack -E &
libnetfilter_conntrack/utils# ./conntrack_create
tcp 6 109 ESTABLISHED src=1.1.1.1 dst=2.2.2.2 sport=1025 dport=21 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=21 dport=1025 packets=0 bytes=0 mark=0 delta-time=1303296401 use=2

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
20 Apr, 2011
1 commit
19 Apr, 2011
1 commit
-
A restorable saving of sets requires that list:set type of sets
come last and the code part which should have taken into account
the ordering was broken. The patch fixes the listing order.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
13 Apr, 2011
2 commits
-
The SET target with --del-set did not work due to wrongly using
the internal dimension of --add-set instead of --del-set.
Also, the checkentries did not release the set references when
returning an error. Bugs reported by Lennert Buytenhek.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
11 Apr, 2011
1 commit
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (34 commits)
net: Add support for SMSC LAN9530, LAN9730 and LAN89530
mlx4_en: Restoring RX buffer pointer in case of failure
mlx4: Sensing link type at device initialization
ipv4: Fix "Set rt->rt_iif more sanely on output routes."
MAINTAINERS: add entry for Xen network backend
be2net: Fix suspend/resume operation
be2net: Rename some struct members for clarity
pppoe: drop PPPOX_ZOMBIEs in pppoe_flush_dev
dsa/mv88e6131: add support for mv88e6085 switch
ipv6: Enable RFS sk_rxhash tracking for ipv6 sockets (v2)
be2net: Fix a potential crash during shutdown.
bna: Fix for handling firmware heartbeat failure
can: mcp251x: Allow pass IRQ flags through platform data.
smsc911x: fix mac_lock acquision before calling smsc911x_mac_read
iwlwifi: accept EEPROM version 0x423 for iwl6000
rt2x00: fix cancelling uninitialized work
rtlwifi: Fix some warnings/bugs
p54usb: IDs for two new devices
wl12xx: fix potential buffer overflow in testmode nvs push
zd1211rw: reset rx idle timer from tasklet
...
04 Apr, 2011
8 commits
-
--ctdir ORIGINAL matches REPLY packets, and vice versa:
userspace sets "invert_flags &= ~XT_CONNTRACK_DIRECTION" in ORIGINAL
case.

Thus: (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) ^
!!(info->invert_flags & XT_CONNTRACK_DIRECTION))

yields "1 ^ 0", which is true -> returns false.

Reproducer:
iptables -I OUTPUT 1 -p tcp --syn -m conntrack --ctdir ORIGINAL

Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
-
This avoids pulling in the ipv6 module when using (ipv4-only) iptables
-m addrtype.

Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy
-
ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
to an interface, but this flag cannot be set via struct flowi.

Also, it cannot be set via ip6_route_output: this function uses the
passed sock struct to determine if this flag is required
(by testing for nonzero sk_bound_dev_if).

Work around this by passing in an artificial struct sk in case
'strict' argument is true.

This is required to replace the rt6_lookup call in xt_addrtype.c with
nf_afinfo->route().

Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy
-
This is required to eventually replace the rt6_lookup call in
xt_addrtype.c with nf_afinfo->route().

Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy
-
ipvsadm -ln --daemon will trigger a Null pointer exception because
ip_vs_genl_dump_daemons() uses skb_net() instead of skb_sknet().

To prevent others from NULL ptr a check is made in ip_vs.h skb_net().

Signed-off-by: Hans Schillstrom
Signed-off-by: Simon Horman
Signed-off-by: Patrick McHardy
-
Static analyzer of clang found a dead store which appears to be a bug in
reading count of items in SEQOF field, only the lower byte of word is
stored. This may lead to corrupted read and communication shutdown.

The bug has been in the module since its first inclusion into linux
kernel.

[Patrick: the bug is real, but without practical consequence since the
largest amount of sequence-of members we parse is 30.]

Signed-off-by: David Sterba
Signed-off-by: Patrick McHardy
-
The timeout variant of the list:set type must reference the member sets.
However, its garbage collector runs at timer interrupt so the mutex
protection of the references is a no go. Therefore the reference protection
is converted to rwlock.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
- the timeout value was actually not set
- the garbage collector was broken

The variant is fixed, and tests are added to the ipset testsuite.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
31 Mar, 2011
1 commit
-
Fixes generated by 'codespell' and manually reviewed.
Signed-off-by: Lucas De Marchi
22 Mar, 2011
2 commits
-
As part of the work to make IPVS network namespace aware
__ip_vs_app_mutex was replaced by a per-namespace lock,
ipvs->app_mutex. ipvs->app_key is also supplied for debugging purposes.

Unfortunately this implementation results in ipvs->app_key residing
in non-static storage which at the very least causes a lockdep warning.

This patch takes the rather heavy-handed approach of reinstating
__ip_vs_app_mutex which will cover access to the ipvs->list_head
of all network namespaces.

[ 12.610000] IPVS: Creating netns size=2456 id=0
[ 12.630000] IPVS: Registered protocols (TCP, UDP, SCTP, AH, ESP)
[ 12.640000] BUG: key ffff880003bbf1a0 not in .data!
[ 12.640000] ------------[ cut here ]------------
[ 12.640000] WARNING: at kernel/lockdep.c:2701 lockdep_init_map+0x37b/0x570()
[ 12.640000] Hardware name: Bochs
[ 12.640000] Pid: 1, comm: swapper Tainted: G W 2.6.38-kexec-06330-g69b7efe-dirty #122
[ 12.650000] Call Trace:
[ 12.650000] [] warn_slowpath_common+0x75/0xb0
[ 12.650000] [] warn_slowpath_null+0x15/0x20
[ 12.650000] [] lockdep_init_map+0x37b/0x570
[ 12.650000] [] ? trace_hardirqs_on+0xd/0x10
[ 12.650000] [] debug_mutex_init+0x38/0x50
[ 12.650000] [] __mutex_init+0x5c/0x70
[ 12.650000] [] __ip_vs_app_init+0x64/0x86
[ 12.660000] [] ? ip_vs_init+0x0/0xff
[ 12.660000] [] T.620+0x43/0x170
[ 12.660000] [] ? register_pernet_subsys+0x1a/0x40
[ 12.660000] [] ? ip_vs_init+0x0/0xff
[ 12.660000] [] ? ip_vs_init+0x0/0xff
[ 12.660000] [] register_pernet_operations+0x57/0xb0
[ 12.660000] [] ? ip_vs_init+0x0/0xff
[ 12.670000] [] register_pernet_subsys+0x29/0x40
[ 12.670000] [] ip_vs_app_init+0x10/0x12
[ 12.670000] [] ip_vs_init+0x4c/0xff
[ 12.670000] [] do_one_initcall+0x7a/0x12e
[ 12.670000] [] kernel_init+0x13e/0x1c2
[ 12.670000] [] kernel_thread_helper+0x4/0x10
[ 12.670000] [] ? restore_args+0x0/0x30
[ 12.680000] [] ? kernel_init+0x0/0x1c2
[ 12.680000] [] ? kernel_thread_helper+0x0/0x10

Signed-off-by: Simon Horman
Cc: Ingo Molnar
Cc: Eric Dumazet
Cc: Julian Anastasov
Cc: Hans Schillstrom
Signed-off-by: David S. Miller
-
Reported-by: Ingo Molnar
Signed-off-by: Eric Dumazet
Cc: Simon Horman
Cc: Julian Anastasov
Acked-by: Simon Horman
Signed-off-by: David S. Miller
20 Mar, 2011
2 commits
-
The revision of the set type was not checked at the create command: if the
userspace sent a valid set type but with an unsupported revision number,
it'd create a loop.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The hash:*port* types with IPv4 silently ignored when address ranges
with non-TCP/UDP were added/deleted from the set and used the first
address from the range only.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
17 Mar, 2011
2 commits
-
Even though ebtables uses xtables it still requires targets to
return EBT_CONTINUE instead of XT_CONTINUE. This prevented
xt_AUDIT from working as an ebt module.

Upon Jan's suggestion, use a separate struct xt_target for
NFPROTO_BRIDGE having its own target callback returning
EBT_CONTINUE instead of cloning the module.

Signed-off-by: Thomas Graf
Signed-off-by: Patrick McHardy
16 Mar, 2011
3 commits
-
Conflicts:
Documentation/feature-removal-schedule.txt
-
The kernel will refuse certain types that do not work in ipv6 mode.
We can then add these features incrementally without risk of userspace
breakage.

Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
-
Followup patch will add ipv6 support.
ipt_addrtype.h is retained for compatibility reasons, but no longer used
by the kernel.

Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
15 Mar, 2011
10 commits
-
A potential race condition when generating connlimit_rnd is also fixed.
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
The header of hlist is smaller than list.
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
All the members are initialized after kzalloc().
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
We use the reply tuples when limiting the connections by the destination
addresses, however, in SNAT scenario, the final reply tuples won't be
ready until SNAT is done in POSTROUTING or INPUT chain, and the following
nf_conntrack_find_get() in count_tem() will get nothing, so connlimit
can't work as expected.

In this patch, the original tuples are always used, and an additional
member addr is appended to save the address in either end.

Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
-
Break out the portions of __ip_vs_control_init() and
__ip_vs_control_cleanup() which aren't necessary when
CONFIG_SYSCTL is undefined.

Signed-off-by: Simon Horman
-
ip_vs_lblc_table and ip_vs_lblcr_table, and code that uses them
are unnecessary when CONFIG_SYSCTL is undefined.

Signed-off-by: Simon Horman
-
Much of ip_vs_leave() is unnecessary if CONFIG_SYSCTL is undefined.
I tried an approach of breaking the now #ifdef'ed portions out
into a separate function. However this appeared to grow the
compiled code on x86_64 by about 200 bytes in the case where
CONFIG_SYSCTL is defined. So I have gone with the simpler though
less elegant #ifdef'ed solution for now.

Signed-off-by: Simon Horman
-
In preparation for not including sysctl_lblc{r}_expiration in
struct netns_ipvs when CONFIG_SYSCTL is not defined.

Signed-off-by: Simon Horman
-
In preparation for not including sysctl_expire_quiescent_template in
struct netns_ipvs when CONFIG_SYSCTL is not defined.

Signed-off-by: Simon Horman
-
In preparation for not including sysctl_expire_nodest_conn in
struct netns_ipvs when CONFIG_SYSCTL is not defined.

Signed-off-by: Simon Horman