13 Jan, 2012

1 commit

  • commit a9b3cd7f32 (rcu: convert uses of rcu_assign_pointer(x, NULL) to
    RCU_INIT_POINTER) did a lot of incorrect changes, since it did a
    complete conversion of rcu_assign_pointer(x, y) to RCU_INIT_POINTER(x,
    y).

    We miss needed barriers, even on x86, when y is not NULL.

    Signed-off-by: Eric Dumazet
    CC: Stephen Hemminger
    CC: Paul E. McKenney
    Signed-off-by: David S. Miller

    Eric Dumazet

23 Dec, 2011

2 commits

  • Export the NAT definitions to userspace. So far userspace (specifically,
    iptables) has been copying the headers files from include/net. Also
    rename some structures and definitions in preparation for IPv6 NAT.
    Since these have never been officially exported, this doesn't affect
    existing userspace code.

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     
  • This partially reworks bc01befdcf3e40979eb518085a075cbf0aacede0
    which added userspace expectation support.

    This patch removes the nf_ct_userspace_expect_list since now we
    force to use the new iptables CT target feature to add the helper
    extension for conntracks that have attached expectations from
    userspace.

    A new version of the proof-of-concept code to implement userspace
    helpers from userspace is available at:

    http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-POC.tar.bz2

    This patch also modifies the CT target to allow to set the
    conntrack's userspace helper status flags. This flag is used
    to tell the conntrack system to explicitly allocate the helper
    extension.

    This helper extension is useful to link the userspace expectations
    with the master conntrack that is being tracked from one userspace
    helper.

    This feature fixes a problem in the current approach of the
    userspace helper support. Basically, if the master conntrack that
    has got a userspace expectation vanishes, the expectations point to
    one invalid memory address. Thus, triggering an oops in the
    expectation deletion event path.

    I decided not to add a new revision of the CT target because
    I only needed to add a new flag for it. I'll document this
    issue in the iptables manpage. I have also changed the return
    value from EINVAL to EOPNOTSUPP if an unsupported flag is
    specified. Thus, in the future, new features that only
    require a new flag can be added without a new revision.

    There is no official code using this in userspace (apart from
    the proof-of-concept) that uses this infrastructure but there
    will be some by beginning 2012.

    Reported-by: Sam Roberts
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso

22 Nov, 2011

1 commit

  • This patch fixes an oops that can be triggered following this recipe:

    0) make sure nf_conntrack_netlink and nf_conntrack_ipv4 are loaded.
    1) container is started.
    2) connect to it via lxc-console.
    3) generate some traffic with the container to create some conntrack
    entries in its table.
    4) stop the container: you hit one oops because the conntrack table
    cleanup tries to report the destroy event to user-space but the
    per-netns nfnetlink socket has already gone (as the nfnetlink
    socket is per-netns but event callback registration is global).

    To fix this situation, we make the ctnl_notifier per-netns so the
    callback is registered/unregistered if the container is
    created/destroyed.

    Alex Bligh and Alexey Dobriyan originally proposed one small patch to
    check if the nfnetlink socket is gone in nfnetlink_has_listeners,
    but this is a very visited path for events, thus, it may reduce
    performance and it looks a bit hackish to check for the nfnetlink
    socket only to workaround this situation. As a result, I decided
    to follow the bigger path choice, which seems to look nicer to me.

    Cc: Alexey Dobriyan
    Reported-by: Alex Bligh
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

02 Aug, 2011

1 commit

  • When assigning a NULL value to an RCU protected pointer, no barrier
    is needed. rcu_assign_pointer used to handle that, but it will soon
    change to not handle the special case.

    Convert all rcu_assign_pointer of NULL value.

    //smpl
    @@ expression P; @@

    - rcu_assign_pointer(P, NULL)
    + RCU_INIT_POINTER(P, NULL)

    //

    Signed-off-by: Stephen Hemminger
    Acked-by: Paul E. McKenney
    Signed-off-by: David S. Miller

    Stephen Hemminger
     

10 Jun, 2011

1 commit

  • The message size allocated for rtnl ifinfo dumps was limited to
    a single page. This is not enough for additional interface info
    available with devices that support SR-IOV and caused a bug in
    which VF info would not be displayed if more than approximately
    40 VFs were created per interface.

    Implement a new function pointer for the rtnl_register service that will
    calculate the amount of data required for the ifinfo dump and allocate
    enough data to satisfy the request.

    Signed-off-by: Greg Rose
    Signed-off-by: Jeff Kirsher

    Greg Rose
     

10 May, 2011

1 commit

  • This patch fixes the missing initialization of the start time if
    the timestamp support is enabled.

    libnetfilter_conntrack/utils# conntrack -E &
    libnetfilter_conntrack/utils# ./conntrack_create
    tcp 6 109 ESTABLISHED src=1.1.1.1 dst=2.2.2.2 sport=1025 dport=21 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=21 dport=1025 packets=0 bytes=0 mark=0 delta-time=1303296401 use=2

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Patrick McHardy

    Pablo Neira Ayuso

02 Feb, 2011

1 commit

  • net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_parse_tuple':
    net/netfilter/nf_conntrack_netlink.c:832:11: warning: comparison between 'enum ctattr_tuple' and 'enum ctattr_type'

    Use ctattr_type for the 'type' parameter since that's the type of all attributes
    passed to this function.

    Signed-off-by: Patrick McHardy

    Patrick McHardy

19 Jan, 2011

1 commit

  • This patch adds flow-based timestamping for conntracks. This
    conntrack extension is disabled by default. Basically, we use
    two 64-bits variables to store the creation timestamp once the
    conntrack has been confirmed and the other to store the deletion
    time. This extension is disabled by default, to enable it, you
    have to:

    echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

    This patch allows saving memory for user-space flow-based
    loggers such as ulogd2. In short, ulogd2 does not need to
    keep a hashtable with the conntrack in user-space to know
    when they were created and destroyed, instead we use the
    kernel timestamp. If we want to have a sane IPFIX implementation
    in user-space, these nanosecond-resolution timestamps are also
    useful. Other custom user-space applications can benefit from
    this via libnetfilter_conntrack.

    This patch modifies the /proc output to display the delta time
    in seconds since the flow start. You can also obtain the
    flow-start date by means of the conntrack-tools.

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Patrick McHardy

    Pablo Neira Ayuso
     

14 Jan, 2011

1 commit

  • This patch fixes a loop in ctnetlink_get_conntrack() that can be
    triggered if you use the same socket to receive events and to
    perform a GET operation. Under heavy load, netlink_unicast()
    may return -EAGAIN, this error code is reserved in nfnetlink for
    the module load-on-demand. Instead, we return -ENOBUFS which is
    the appropriate error code that has to be propagated to
    user-space.

    Reported-by: Holger Eitzenberger
    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso

12 Jan, 2011

1 commit

  • The netlink interface to dump the connection tracking table has a race
    when entries are deleted at the same time. A customer reported a crash
    and the backtrace showed that ctnetlink_dump_table was running while a
    conntrack entry was being destroyed.
    (see https://bugzilla.vyatta.com/show_bug.cgi?id=6402).

    According to RCU documentation, when using hlist_nulls the reader
    must handle the case of seeing a deleted entry and not proceed
    further down the linked list. The old code would continue
    which caused the scan to walk into the free list.

    This patch uses locking (rather than RCU) for this operation which
    is guaranteed safe, and no longer requires getting reference while
    doing dump operation.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Pablo Neira Ayuso

    Stephen Hemminger
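An added userspace model, not the commit's code nor any kernel code, of the hlist_nulls rule the commit cites: each chain ends in a tagged marker carrying the bucket number instead of NULL, so a reader that is sitting on an entry that was deleted and reused under it ends up on a foreign marker and can stop instead of walking on. The table, table_move and demo_race helpers and the node values are this example's own constructions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Chain terminators are tagged pointers (low bit set) carrying the bucket
 * number, the same trick as the kernel's hlist_nulls; real nodes are aligned. */
struct hnode { struct hnode *next; int key; };
#define NBUCKETS 4
static struct hnode *table[NBUCKETS];

static bool is_a_nulls(const struct hnode *p) { return ((uintptr_t)p & 1) != 0; }
static unsigned long get_nulls_value(const struct hnode *p) { return (uintptr_t)p >> 1; }
static struct hnode *make_nulls(unsigned long b) { return (struct hnode *)(uintptr_t)((b << 1) | 1); }

static void table_add(struct hnode *n, unsigned long bucket)
{
    n->next = table[bucket];
    table[bucket] = n;
}

/* Models a concurrent delete-and-reuse of an entry a reader may still hold:
 * unlink it from bucket 'from' and push it onto bucket 'to'. */
static void table_move(struct hnode *n, unsigned long from, unsigned long to)
{
    struct hnode **pp = &table[from];
    while (*pp != n)
        pp = &(*pp)->next;
    *pp = n->next;
    table_add(n, to);
}

/* Continue dumping 'bucket' from 'start'. Returns the entries visited, or -1 if
 * the chain ended on another bucket's marker: the entry moved under us and the
 * walk must be retried, not followed further (the check the old dump lacked). */
static int dump_from(struct hnode *start, unsigned long bucket)
{
    int seen = 0;
    struct hnode *p = start;
    for (; !is_a_nulls(p); p = p->next)
        seen++;
    return get_nulls_value(p) == bucket ? seen : -1;
}

/* Constructed race: a reader holds 'a' in bucket 0 while 'a' is moved to 1. */
static int demo_race(void)
{
    static struct hnode a = {0, 1}, b = {0, 2}, c = {0, 3};
    for (unsigned long i = 0; i < NBUCKETS; i++)
        table[i] = make_nulls(i);
    table_add(&b, 0); table_add(&a, 0); table_add(&c, 1);
    table_move(&a, 0, 1);        /* bucket 0: b; bucket 1: a -> c */
    return dump_from(&a, 0);     /* -1: ended on nulls(1), not nulls(0) */
}
```

The commit itself sidesteps the retry by taking the lock for the dump; the model only shows what an RCU reader has to check if it does not.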
     

10 Jan, 2011

1 commit

  • Because NLM_F_DUMP is composed of two bits, NLM_F_ROOT | NLM_F_MATCH,
    when doing "if (x & NLM_F_DUMP)", it tests for _either_ of the bits
    being set. Because NLM_F_MATCH's value overlaps with NLM_F_EXCL,
    non-dump requests with NLM_F_EXCL set are mistaken as dump requests.

    Substitute the condition to test for _all_ bits being set.

    Signed-off-by: Jan Engelhardt
    Acked-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Jan Engelhardt
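An added example, not part of the commit, showing in plain C why a `flags & NLM_F_DUMP` test misfires: the flag values are the ones defined in <linux/netlink.h>, and the two request words are constructed samples.

```c
#include <stdint.h>
#include <stdbool.h>

/* Flag values copied from <linux/netlink.h> so the example builds anywhere.
 * NLM_F_EXCL (a NEW-request modifier) and NLM_F_MATCH (a GET-request
 * modifier) share the value 0x200; what the bit means depends on the request. */
#define NLM_F_REQUEST 0x01
#define NLM_F_ROOT    0x100
#define NLM_F_MATCH   0x200
#define NLM_F_DUMP    (NLM_F_ROOT | NLM_F_MATCH)
#define NLM_F_EXCL    0x200
#define NLM_F_CREATE  0x400

/* The pre-fix test: true if *either* NLM_F_ROOT or NLM_F_MATCH is set. */
static bool is_dump_before(uint16_t nlmsg_flags)
{
    return (nlmsg_flags & NLM_F_DUMP) != 0;
}

/* The fixed test: true only if *all* bits of NLM_F_DUMP are set. */
static bool is_dump_after(uint16_t nlmsg_flags)
{
    return (nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP;
}

/* Constructed nlmsg_flags words as a userspace tool would send them:
 * a NEW request asking for exclusive creation, and a genuine table dump. */
static const uint16_t new_excl_request = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
static const uint16_t dump_request     = NLM_F_REQUEST | NLM_F_DUMP;

/* Returns how many of the two sample requests the predicate classifies as
 * dumps; only one of them really is, so the correct answer is 1. */
static int count_dumps(bool (*is_dump)(uint16_t))
{
    return (int)is_dump(new_excl_request) + (int)is_dump(dump_request);
}
```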
     

07 Jan, 2011

1 commit

  • In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported
    via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
    instead of the secmark.

    That patch introduced the use of security_secid_to_secctx() which may
    return a non-zero value on error.

    In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
    security modules. Thus, security_secid_to_secctx() returns a negative
    value that results in the breakage of the /proc and `conntrack -L'
    outputs. To fix this, we skip the inclusion of secctx if the
    aforementioned function fails.

    This patch also fixes the dynamic netlink message size calculation
    if security_secid_to_secctx() returns an error, since its logic is
    also wrong.

    This problem exists in Linux kernel >= 2.6.37.

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Pablo Neira Ayuso

24 Oct, 2010

1 commit

  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1699 commits)
    bnx2/bnx2x: Unsupported Ethtool operations should return -EINVAL.
    vlan: Calling vlan_hwaccel_do_receive() is always valid.
    tproxy: use the interface primary IP address as a default value for --on-ip
    tproxy: added IPv6 support to the socket match
    cxgb3: function namespace cleanup
    tproxy: added IPv6 support to the TPROXY target
    tproxy: added IPv6 socket lookup function to nf_tproxy_core
    be2net: Changes to use only priority codes allowed by f/w
    tproxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is enabled
    tproxy: added tproxy sockopt interface in the IPV6 layer
    tproxy: added udp6_lib_lookup function
    tproxy: added const specifiers to udp lookup functions
    tproxy: split off ipv6 defragmentation to a separate module
    l2tp: small cleanup
    nf_nat: restrict ICMP translation for embedded header
    can: mcp251x: fix generation of error frames
    can: mcp251x: fix endless loop in interrupt handler if CANINTF_MERRF is set
    can-raw: add msg_flags to distinguish local traffic
    9p: client code cleanup
    rds: make local functions/variables static
    ...

    Fix up conflicts in net/core/dev.c, drivers/net/pcmcia/smc91c92_cs.c and
    drivers/net/wireless/ath/ath9k/debug.c as per David

    Linus Torvalds
     

21 Oct, 2010

2 commits

  • When CONFIG_NF_CONNTRACK_SECMARK is not set we accidentally attempt to use
    the secmark field of struct nf_conn. Problem is when that config isn't set
    the field doesn't exist. whoops. Wrap the incorrect usage in the config.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • The conntrack code can export the internal secid to userspace. These are
    dynamic, can change on lsm changes, and have no meaning in userspace. We
    should instead be sending lsm contexts to userspace. This patch sends
    the secctx (rather than secid) to userspace over the netlink socket. We use a
    new field CTA_SECCTX and stop using the old CTA_SECMARK field since it did
    not send particularly useful information.

    Signed-off-by: Eric Paris
    Reviewed-by: Paul Moore
    Acked-by: Patrick McHardy
    Signed-off-by: James Morris

    Eric Paris

29 Sep, 2010

1 commit

  • This patch adds the basic infrastructure to support user-space
    expectation helpers via ctnetlink and the netfilter queuing
    infrastructure NFQUEUE. Basically, this patch:

    * adds NF_CT_EXPECT_USERSPACE flag to identify user-space
    created expectations. I have also added a sanity check in
    __nf_ct_expect_check() to avoid that kernel-space helpers
    may create an expectation if the master conntrack has no
    helper assigned.
    * adds some branches to check if the master conntrack helper
    exists, otherwise we skip the code that refers to kernel-space
    helper such as the local expectation list and the expectation
    policy.
    * allows setting the timeout for user-space expectations with
    no helper assigned.
    * a list of expectations created from user-space that depends
    on ctnetlink (if this module is removed, they are deleted).
    * includes USERSPACE in the /proc output for expectations
    that have been created by a user-space helper.

    This patch also modifies ctnetlink to skip including the helper
    name in the Netlink messages if no kernel-space helper is set
    (since no user-space expectation has a kernel-space helper
    assigned).

    You can access an example user-space FTP conntrack helper at:
    http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-userspace-POC.tar.bz

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Patrick McHardy

    Pablo Neira Ayuso

08 Jun, 2010

1 commit

  • NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
    twice per packet. This is bad for performance.
    __read_mostly annotation is also a bad choice.

    This patch introduces IPS_UNTRACKED bit so that we can use later a
    per_cpu untrack structure more easily.

    A new helper, nf_ct_untracked_get() returns a pointer to
    nf_conntrack_untracked.

    Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add
    IPS_NAT_DONE_MASK bits to untracked status.

    nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer.

    Signed-off-by: Eric Dumazet
    Signed-off-by: Patrick McHardy

    Eric Dumazet
     

13 May, 2010

2 commits

  • This patch removes from net/ netfilter files
    all the unnecessary return; statements that precede the
    last closing brace of void functions.

    It does not remove the returns that are immediately
    preceded by a label as gcc doesn't like that.

    Done via:
    $ grep -rP --include=*.[ch] -l "return;\n}" net/ | \
    xargs perl -i -e 'local $/ ; while (<>) { s/\n[ \t\n]+return;\n}/\n}/g; print; }'

    Signed-off-by: Joe Perches
    [Patrick: changed to keep return statements in otherwise empty function bodies]
    Signed-off-by: Patrick McHardy

    Joe Perches
     
  • Make sure all printk messages have a severity level.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: Patrick McHardy

    Stephen Hemminger