28 Dec, 2011

1 commit


18 Apr, 2011

1 commit


20 Jan, 2011

1 commit


19 Jan, 2011

1 commit

  • This patch adds flow-based timestamping for conntracks. This
    conntrack extension is disabled by default. Basically, we use
    two 64-bit variables to store the creation timestamp once the
    conntrack has been confirmed and the other to store the deletion
    time. This extension is disabled by default, to enable it, you
    have to:

    echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

    This patch allows saving memory for user-space flow-based
    loggers such as ulogd2. In short, ulogd2 does not need to
    keep a hashtable with the conntrack in user-space to know
    when they were created and destroyed, instead we use the
    kernel timestamp. If we want to have a sane IPFIX implementation
    in user-space, these nanosecond-resolution timestamps are also
    useful. Other custom user-space applications can benefit from
    this via libnetfilter_conntrack.

    This patch modifies the /proc output to display the delta time
    in seconds since the flow start. You can also obtain the
    flow-start date by means of the conntrack-tools.

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Patrick McHardy

    Pablo Neira Ayuso

13 Jan, 2011

1 commit


07 Jan, 2011

1 commit

  • In 1ae4de0cdf855305765592647025bde55e85e451, the secctx was exported
    via the /proc/net/netfilter/nf_conntrack and ctnetlink interfaces
    instead of the secmark.

    That patch introduced the use of security_secid_to_secctx() which may
    return a non-zero value on error.

    In one of my setups, I have NF_CONNTRACK_SECMARK enabled but no
    security modules. Thus, security_secid_to_secctx() returns a negative
    value that results in the breakage of the /proc and `conntrack -L'
    outputs. To fix this, we skip the inclusion of secctx if the
    aforementioned function fails.

    This patch also fixes the dynamic netlink message size calculation
    if security_secid_to_secctx() returns an error, since its logic is
    also wrong.

    This problem exists in Linux kernel >= 2.6.37.

    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Pablo Neira Ayuso

16 Nov, 2010

1 commit


21 Oct, 2010

1 commit

  • The current secmark code exports a secmark= field which just indicates if
    there is special labeling on a packet or not. We drop this field as it
    isn't particularly useful and instead export a new field secctx= which is
    the actual human readable text label.

    Signed-off-by: Eric Paris
    Acked-by: Patrick McHardy
    Signed-off-by: James Morris

    Eric Paris

13 May, 2010

1 commit


23 Apr, 2010

1 commit


30 Mar, 2010

1 commit

  • …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities to include those
    headers directly instead of assuming availability. As this conversion
    needs to touch a large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the following.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and tries to put the new include such that its order conforms
    to its surrounding. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have a fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    wildly available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build tests were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo

16 Feb, 2010

1 commit


09 Feb, 2010

1 commit

  • As noticed by Jon Masters, the conntrack hash
    size is global and not per namespace, but modifiable at runtime through
    /sys/module/nf_conntrack/hashsize. Changing the hash size will only
    resize the hash in the current namespace however, so other namespaces
    will use an invalid hash size. This can cause crashes when enlarging
    the hashsize, or false negative lookups when shrinking it.

    Move the hash size into the per-namespace data and only use the global
    hash size to initialize the per-namespace value when instantiating a
    new namespace. Additionally restrict hash resizing to init_net for
    now as other namespaces are not handled currently.

    Cc: stable@kernel.org
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy

12 Nov, 2009

1 commit

  • Now that sys_sysctl is a compatibility wrapper around /proc/sys
    all sysctl strategy routines, and all ctl_name and strategy
    entries in the sysctl tables are unused, and can be
    removed.

    In addition neigh_sysctl_register has been modified to no longer
    take a strategy argument and its callers have been modified not
    to pass one.

    Cc: "David Miller"
    Cc: Hideaki YOSHIFUJI
    Cc: netdev@vger.kernel.org
    Signed-off-by: Eric W. Biederman

    Eric W. Biederman

26 Mar, 2009

1 commit

  • Use "hlist_nulls" infrastructure we added in 2.6.29 for RCUification of UDP & TCP.

    This permits an easy conversion from call_rcu() based hash lists to a
    SLAB_DESTROY_BY_RCU one.

    Avoiding call_rcu() delay at nf_conn freeing time has numerous gains.

    First, it doesn't fill RCU queues (up to 10000 elements per cpu).
    This reduces OOM possibility, if queued elements are not taken into account
    This reduces latency problems when RCU queue size hits hilimit and triggers
    emergency mode.

    - It allows fast reuse of just freed elements, permitting better use of
    CPU cache.

    - We delete rcu_head from "struct nf_conn", shrinking size of this structure
    by 8 or 16 bytes.

    This patch only takes care of "struct nf_conn".
    call_rcu() is still used for less critical conntrack parts, that may
    be converted later if necessary.

    Signed-off-by: Eric Dumazet
    Signed-off-by: Patrick McHardy

    Eric Dumazet

30 Dec, 2008

1 commit


04 Nov, 2008

1 commit

  • I want to compile out proc_* and sysctl_* handlers totally and
    stub them to NULL depending on config options, however usage of &
    will prevent this, since taking address of NULL pointer will break
    compilation.

    So, drop & in front of every ->proc_handler and every ->strategy
    handler, it was never needed in fact.

    Signed-off-by: Alexey Dobriyan
    Signed-off-by: David S. Miller

    Alexey Dobriyan

08 Oct, 2008

9 commits


06 Aug, 2008

1 commit

  • Starting with 9043476f726802f4b00c96d0c4f418dde48d1304 ("[PATCH]
    sanitize proc_sysctl") we have two netfilter related problems:

    - WARNING: at kernel/sysctl.c:1966 unregister_sysctl_table+0xcc/0x103(),
    caused by wrong order of ini/fini calls

    - net.netfilter is duplicated and has truncated set of records

    Thanks to very useful guidelines from Al Viro, this patch fixes both
    of them.

    Signed-off-by: Krzysztof Piotr Oledzki
    Acked-by: Al Viro
    Signed-off-by: David S. Miller

    Krzysztof Piotr Oledzki

22 Jul, 2008

1 commit

  • Initially netfilter has had 64bit counters for conntrack-based accounting, but
    it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
    still required, for example for "connbytes" extension. However, 64bit counters
    waste a lot of memory and it was not possible to enable/disable it runtime.

    This patch:
    - reimplements accounting with respect to the extension infrastructure,
    - makes one global version of seq_print_acct() instead of two seq_print_counters(),
    - makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
    - makes it possible to enable/disable it at runtime by sysctl or sysfs,
    - extends counters from 32bit to 64bit,
    - renames ip_conntrack_counter -> nf_conn_counter,
    - enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
    - set initial accounting enable state based on CONFIG_NF_CT_ACCT
    - removes buggy IPCT_COUNTER_FILLING event handling.

    If accounting is enabled newly created connections get additional acct extend.
    Old connections are not changed as it is not possible to add a ct_extend area
    to confirmed conntrack. Accounting is performed for all connections with
    acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".

    Signed-off-by: Krzysztof Piotr Oledzki
    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Krzysztof Piotr Oledzki

02 May, 2008

1 commit


14 Apr, 2008

2 commits


28 Mar, 2008

2 commits


01 Mar, 2008

1 commit


01 Feb, 2008

5 commits


29 Jan, 2008

1 commit