03 Feb, 2011
10 commits
-
Signed-off-by: David S. Miller
-
CHOKe ("CHOose and Kill" or "CHOose and Keep") is an alternative
packet scheduler based on the Random Exponential Drop (RED) algorithm.The core idea is:
For every packet arrival:
Calculate Qave
if (Qave < minth)
Queue the new packet
else
Select randomly a packet from the queue
if (both packets from same flow)
then Drop both the packets
else if (Qave > maxth)
Drop packet
else
Admit packet with proability p (same as RED)See also:
Rong Pan, Balaji Prabhakar, Konstantinos Psounis, "CHOKe: a stateless active
queue management scheme for approximating fair bandwidth allocation",
Proceeding of INFOCOM'2000, March 2000.Help from:
Eric Dumazet
Patrick McHardySigned-off-by: Stephen Hemminger
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
The change to allow divisor to be a parameter (in 2.6.38-rc1)
commit 817fb15dfd988d8dda916ee04fa506f0c466b9d6
introduced a possible deadlock caught by sparse.The scheduler tree lock was left locked in the case of an incorrect
divisor value. Simplest fix is to move test outside of lock
which also solves problem of partial update.Signed-off-by: Stephen Hemminger
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller -
If we end up including include/linux/node.h (either explicitly
or implicitly) that header has a definition of "structt node"
too.So rename the one we use in fib_trie to "rt_trie_node" to avoid
the conflict.Reported-by: Stephen Rothwell
Signed-off-by: David S. Miller -
Signed-off-by: David S. Miller
Acked-by: Nandita Dukkipati -
Use DMA API as PCI equivalents will be deprecated.
Signed-off-by: Ivan Vecera
Signed-off-by: David S. Miller -
Add a new 'devgroup' match to match on the device group of the
incoming and outgoing network device of a packet.Signed-off-by: Patrick McHardy
-
When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.Signed-off-by: Jozsef Kadlecsik
-
Add a dummy ip_set_get_ip6_port function that unconditionally
returns false for CONFIG_IPV6=n and convert the real function
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables module
when loading ipset.Signed-off-by: Patrick McHardy
02 Feb, 2011
11 commits
-
Don't fall through in the switch statement, otherwise IPv4 headers
are incorrectly parsed again as IPv6 and the return value will always
be 'false'.Signed-off-by: Patrick McHardy
-
To avoid confusion with the recently deleted fib_hash.c
code, use "fib_info_hash_*" instead of plain "fib_hash_*".Signed-off-by: David S. Miller
-
fib_hash_init() --> fib_trie_init()
fib_hash_table() --> fib_trie_table()Signed-off-by: David S. Miller
-
The time has finally come to remove the hash based routing table
implementation in ipv4.FIB Trie is mature, well tested, and I've done an audit of it's code
to confirm that it implements insert, delete, and lookup with the same
identical semantics as fib_hash did.If there are any semantic differences found in fib_trie, we should
simply fix them.I've placed the trie statistic config option under advanced router
configuration.Signed-off-by: David S. Miller
Acked-by: Stephen Hemminger -
Signed-off-by: Patrick McHardy
-
ip_vs_sync_cleanup() may be called from ip_vs_init() on error
and thus needs to be accesible from section __initReporte-by: Randy Dunlap
Signed-off-by: Simon Horman
Acked-by: Randy Dunlap
Signed-off-by: Hans Schillstrom
Tested-by: Hans Schillstrom
Signed-off-by: Patrick McHardy -
This is a rather naieve approach to allowing PVS to compile with
CONFIG_SYSCTL disabled. I am working on a more comprehensive patch which
will remove compilation of all sysctl-related IPVS code when CONFIG_SYSCTL
is disabled.Reported-by: Randy Dunlap
Signed-off-by: Simon Horman
Acked-by: Randy Dunlap
Signed-off-by: Hans Schillstrom
Tested-by: Hans Schillstrom
Signed-off-by: Patrick McHardy -
These variables are unused as a result of the recent netns work.
Signed-off-by: Simon Horman
Acked-by: Randy Dunlap
Signed-off-by: Hans Schillstrom
Tested-by: Hans Schillstrom
Signed-off-by: Patrick McHardy -
Signed-off-by: Simon Horman
Acked-by: Randy Dunlap
Signed-off-by: Hans Schillstrom
Tested-by: Hans Schillstrom
Signed-off-by: Patrick McHardy -
Reported-by: Randy Dunlap
Signed-off-by: Simon Horman
Acked-by: Randy Dunlap
Signed-off-by: Hans Schillstrom
Tested-by: Hans Schillstrom
Signed-off-by: Patrick McHardy -
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_parse_tuple':
net/netfilter/nf_conntrack_netlink.c:832:11: warning: comparison between 'enum ctattr_tuple' and 'enum ctattr_type'Use ctattr_type for the 'type' parameter since that's the type of all attributes
passed to this function.Signed-off-by: Patrick McHardy
01 Feb, 2011
19 commits
-
None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.Signed-off-by: Patrick McHardy
-
Replace calls of the form:
nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy)
by:
nla_parse_nested(tb, ATTR_MAX, attr, policy)
Signed-off-by: Patrick McHardy
-
The patch adds the combined module of the "SET" target and "set" match
to netfilter. Both the previous and the current revisions are supported.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the list:set type support in two flavours:
without and with timeout. The sets has two sides: for the userspace,
they store the names of other (non list:set type of) sets: one can add,
delete and test set names. For the kernel, it forms an ordered union of
the member sets: the members sets are tried in order when elements are
added, deleted and tested and the process stops at the first success.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the hash:net,port type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are two dimensional: IPv4/IPv6 network address/prefix and protocol/port
pairs.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the hash:net type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are one dimensional: IPv4/IPv6 network address/prefixes.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the hash:ip,port,net type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
network address/prefix triples. The different prefixes are searched/matched
from the longest prefix to the shortes one (most specific to least).
In other words the processing time linearly grows with the number of
different prefixes in the set.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the hash:ip,port,ip type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
address triples.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the hash:ip,port type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are two dimensional: IPv4/IPv6 address and protocol/port pairs. The port
is interpeted for TCP, UPD, ICMP and ICMPv6 (at the latters as type/code
of course).Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the hash:ip type support in four flavours:
for IPv4 or IPv6, both without and with timeout support.All the hash types are based on the "array hash" or ahash structure
and functions as a good compromise between minimal memory footprint
and speed. The hashing uses arrays to resolve clashes. The hash table
is resized (doubled) when searching becomes too long. Resizing can be
triggered by userspace add commands only and those are serialized by
the nfnl mutex. During resizing the set is read-locked, so the only
possible concurrent operations are the kernel side readers. Those are
protected by RCU locking.Because of the four flavours and the other hash types, the functions
are implemented in general forms in the ip_set_ahash.h header file
and the real functions are generated before compiling by macro expansion.
Thus the dereferencing of low-level functions and void pointer arguments
could be avoided: the low-level functions are inlined, the function
arguments are pointers of type-specific structures.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the bitmap:port type in two flavours, without
and with timeout support to store TCP/UDP ports from a range.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the bitmap:ip,mac set type in two flavours,
without and with timeout support. In this kind of set one can store
IPv4 address and (source) MAC address pairs. The type supports elements
added without the MAC part filled out: when the first matching from kernel
happens, the MAC part is automatically filled out. The timing out of the
elements stars when an element is complete in the IP,MAC pair.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The module implements the bitmap:ip set type in two flavours, without
and with timeout support. In this kind of set one can store IPv4
addresses (or network addresses) from a given range.In order not to waste memory, the timeout version does not rely on
the kernel timer for every element to be timed out but on garbage
collection. All set types use this mechanism.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The patch adds the IP set core support to the kernel.
The IP set core implements a netlink (nfnetlink) based protocol by which
one can create, destroy, flush, rename, swap, list, save, restore sets,
and add, delete, test elements from userspace. For simplicity (and backward
compatibilty and for not to force ip(6)tables to be linked with a netlink
library) reasons a small getsockopt-based protocol is also kept in order
to communicate with the ip(6)tables match and target.The netlink protocol passes all u16, etc values in network order with
NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.For other kernel subsystems (netfilter match and target) the API contains
the functions to add, delete and test elements in sets and the required calls
to get/put refereces to the sets before those operations can be performed.The set types (which are implemented in independent modules) are stored
in a simple RCU protected list. A set type may have variants: for example
without timeout or with timeout support, for IPv4 or for IPv6. The sets
(i.e. the pointers to the sets) are stored in an array. The sets are
identified by their index in the array, which makes possible easy and
fast swapping of sets. The array is protected indirectly by the nfnl
mutex from nfnetlink. The content of the sets are protected by the rwlock
of the set.There are functional differences between the add/del/test functions
for the kernel and userspace:- kernel add/del/test: works on the current packet (i.e. one element)
- kernel test: may trigger an "add" operation in order to fill
out unspecified parts of the element from the packet (like MAC address)
- userspace add/del: works on the netlink message and thus possibly
on multiple elements from the IPSET_ATTR_ADT container attribute.
- userspace add: may trigger resizing of a setSigned-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The patch adds the NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros to the
vanilla kernel.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
Move all shared mem code to bnx2x to avoid code duplication. bnx2x now
performs:- Read the FCoE and iSCSI max connection information.
- Read the iSCSI and FCoE MACs from NPAR configuration in shmem.
- Block the CNIC for the current function if there is neither FCoE nor
iSCSI valid configuration by returning NULL from bnx2x_cnic_probe().Signed-off-by: Vladislav Zolotarov
Signed-off-by: Eilon Greenstein
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller -
Both fib_trie and fib_hash have a local implementation of
fib_table_select_default(). This is completely unnecessary
code duplication.Since we now remember the fib_table and the head of the fib
alias list of the default route, we can implement one single
generic version of this routine.Looking at the fib_hash implementation you may get the impression
that it's possible for there to be multiple top-level routes in
the table for the default route. The truth is, it isn't, the
insert code will only allow one entry to exist in the zero
prefix hash table, because all keys evaluate to zero and all
keys in a hash table must be unique.Signed-off-by: David S. Miller
-
This will be used later to implement fib_select_default() in a
completely generic manner, instead of the current situation where the
default route is re-looked up in the TRIE/HASH table and then the
available aliases are analyzed.Signed-off-by: David S. Miller
