23 Jul, 2010
8 commits
-
We should copy the initial value to userspace for iptables-save and
to allow removal of specific quota rules.Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
Use per-rule spin lock to improve the scalability.
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
use arp_hdr_len().
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
proto->unique_tuple() will be called finally, if the previous calls fail. This
patch checks the false condition of (range->flags &IP_NAT_RANGE_PROTO_RANDOM)
instead to avoid duplicate line of code: proto->unique_tuple().Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
In some situations a CPU match permits a better spreading of
connections, or select targets only for a given cpu.With Remote Packet Steering or multiqueue NIC and appropriate IRQ
affinities, we can distribute trafic on available cpus, per session.
(all RX packets for a given flow is handled by a given cpu)Some legacy applications being not SMP friendly, one way to scale a
server is to run multiple copies of them.Instead of randomly choosing an instance, we can use the cpu number as a
key so that softirq handler for a whole instance is running on a single
cpu, maximizing cache effects in TCP/UDP stacks.Using NAT for example, a four ways machine might run four copies of
server application, using a separate listening port for each instance,
but still presenting an unique external port :iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 0 \
-j REDIRECT --to-port 8080iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 1 \
-j REDIRECT --to-port 8081iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 2 \
-j REDIRECT --to-port 8082iptables -t nat -A PREROUTING -p tcp --dport 80 -m cpu --cpu 3 \
-j REDIRECT --to-port 8083Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy -
Use nf_conntrack/nf_nat code to do the packet mangling and the TCP
sequence adjusting. The function 'ip_vs_skb_replace' is now dead
code, so it is removed.To SNAT FTP, use something like:
% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
--vport 21 -j SNAT --to-source 192.168.10.10
and for the data connections in passive mode:% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 \
--vportctl 21 -j SNAT --to-source 192.168.10.10
using '-m state --state RELATED' would also works.Make sure the kernel modules ip_vs_ftp, nf_conntrack_ftp, and
nf_nat_ftp are loaded.[ up-port and minor fixes by Simon Horman ]
Signed-off-by: Hannes Eder
Signed-off-by: Simon Horman
Signed-off-by: Patrick McHardy -
Update the nf_conntrack tuple in reply direction, as we will see
traffic from the real server (RIP) to the client (CIP). Once this is
done we can use netfilters SNAT in POSTROUTING, especially with
xt_ipvs, to do source NAT, e.g.:% iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.100.30/32 --vport 80 \
-j SNAT --to-source 192.168.10.10[ minor fixes by Simon Horman ]
Signed-off-by: Hannes Eder
Signed-off-by: Simon Horman
Signed-off-by: Patrick McHardy -
This implements the kernel-space side of the netfilter matcher xt_ipvs.
[ minor fixes by Simon Horman ]
Signed-off-by: Hannes Eder
Signed-off-by: Simon Horman
[ Patrick: added xt_ipvs.h to Kbuild ]
Signed-off-by: Patrick McHardy
16 Jul, 2010
1 commit
-
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Patrick McHardy
15 Jul, 2010
3 commits
-
This adds a `CHECKSUM' target, which can be used in the iptables mangle
table.You can use this target to compute and fill in the checksum in
a packet that lacks a checksum. This is particularly useful,
if you need to work around old applications such as dhcp clients,
that do not work well with checksum offloads, but don't want to
disable checksum offload in your device.The problem happens in the field with virtualized applications.
For reference, see Red Hat bz 605555, as well as
http://www.spinics.net/lists/kvm/msg37660.htmlTypical expected use (helps old dhclient binary running in a VM):
iptables -A POSTROUTING -t mangle -p udp --dport bootpc \
-j CHECKSUM --checksum-fillIncludes fixes by Jan Engelhardt
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Patrick McHardy -
This patch adds the missing bits to support the recovery of TCP flows
without disabling window tracking (aka be_liberal). To ensure a
successful recovery, we have to inject the window scale factor via
ctnetlink.This patch has been tested with a development snapshot of conntrackd
and the new clause `TCPWindowTracking' that allows to perform strict
TCP window tracking recovery across fail-overs.With this patch, we don't update the receiver's window until it's not
initiated. We require this to perform a successful recovery. Jozsef
confirmed in a private email that this spotted a real issue since that
should not happen.Signed-off-by: Pablo Neira Ayuso
Acked-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
This patch moves NFULNL_COPY_PACKET definition from
linux/netfilter/nfnetlink_log.h to net/netfilter/nfnetlink_log.h
since this copy mode is only for internal use.I have also changed the value from 0x03 to 0xff. Thus, we avoid
a gap from user-space that may confuse users if we add new
copy modes in the future.This change was introduced in:
http://www.spinics.net/lists/netfilter-devel/msg13535.htmlSince this change is not included in any stable Linux kernel,
I think it's safe to make this change now. Anyway, this copy
mode does not make any sense from user-space, so this patch
should not break any existing setup.Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
09 Jul, 2010
2 commits
-
According to the Documentation/CodingStyle, the length of lines should
be within 80.Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
lvs sctp protocol handler is incorrectly invoked ip_vs_app_pkt_out
Since there's no sctp helpers at present, it does the same thing as
ip_vs_app_pkt_in.Signed-off-by: Xiaoyu Du
Acked-by: Simon Horman
Signed-off-by: Patrick McHardy
05 Jul, 2010
13 commits
-
IP_VS_PROTO_AH_ESP should be set iff either of IP_VS_PROTO_{AH,ESP} is
selected. Express this with standard kconfig syntax.Signed-off-by: Michal Marek
Acked-by: Simon Horman
Signed-off-by: Patrick McHardy -
We can avoid a pair of atomic ops in ipt_REJECT send_reset()
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy -
postpone the checksum calculation, then if the output NIC supports checksum
offloading, we can utlize it. And though the output NIC doesn't support
checksum offloading, but we'll mangle this packet, this can free us from
updating the checksum, as the checksum calculation occurs later.Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
As the fragments are sent in order in most of OSes, such as Windows, Darwin and
FreeBSD, it is likely the new fragments are at the end of the inet_frag_queue.
In the fast path, we check if the skb at the end of the inet_frag_queue is the
prev we expect.Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy -
Following commit 1437ce3983bcbc0447a0dedcd644c14fe833d266 "ethtool:
Change ethtool_op_set_flags to validate flags", ethtool_op_set_flags
takes a third parameter and cannot be used directly as an
implementation of ethtool_ops::set_flags.Changes nes and ipoib driver to pass in the appropriate value.
Signed-off-by: Ben Hutchings
Acked-by: Roland Dreier
Signed-off-by: David S. Miller -
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller -
These config register values will be useful when the memory registers
are returning 0xffffffff which has been reported.Signed-off-by: Michael Chan
Signed-off-by: David S. Miller -
Add skb->rxhash support for TCP packets only because the bnx2 RSS hash
does not hash UDP ports.Signed-off-by: Michael Chan
Signed-off-by: David S. Miller -
Minor change to use MSI-X even if there is only one CPU. This allows
the CNIC driver to always have a dedicated MSI-X vector to handle
iSCSI events, instead of sharing the MSI vector.Signed-off-by: Michael Chan
Signed-off-by: David S. Miller -
Reduces text ~300 bytes of text (woohoo!) in an x86 defconfig
$ size vmlinux*
text data bss dec hex filename
7198526 720112 1366288 9284926 8dad3e vmlinux
7198862 720112 1366288 9285262 8dae8e vmlinux.netdevSigned-off-by: Joe Perches
Acked-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller -
Reduces an x86 defconfig text and data ~2k.
text is smaller, data is larger.$ size vmlinux*
text data bss dec hex filename
7198862 720112 1366288 9285262 8dae8e vmlinux
7205273 716016 1366288 9287577 8db799 vmlinux.device_hUses %pV and struct va_format
Format arguments are verified before printkSigned-off-by: Joe Perches
Acked-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller -
Reduces an x86 defconfig text and data ~55k, .6% smaller.
$ size vmlinux*
text data bss dec hex filename
7205273 716016 1366288 9287577 8db799 vmlinux
7258890 719768 1366288 9344946 8e97b2 vmlinux.masterUses %pV and struct va_format
Format arguments are verified before printkThe dev_info macro is converted to _dev_info because there are
existing uses of variables named dev_info in the kernel tree
like drivers/net/pcmcia/pcnet_cs.cA dev_info macro is created to call _dev_info
Signed-off-by: Joe Perches
Acked-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller -
Add the ability to print a format and va_list from a structure pointer
Allows __dev_printk to be implemented as a single printk while
minimizing string space duplication.%pV should not be used without some mechanism to verify the
format and argument use ala __attribute__(format (printf(...))).Signed-off-by: Joe Perches
Acked-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller
03 Jul, 2010
1 commit
02 Jul, 2010
12 commits
-
Support more fine grained control of bridge netfilter iptables invocation
by adding seperate brnf_call_*tables parameters for each device using the
sysfs interface. Packets are passed to layer 3 netfilter when either the
global parameter or the per bridge parameter is enabled.Acked-by: Stephen Hemminger
Acked-by: David S. Miller
Signed-off-by: Patrick McHardy -
Both ETH_FLAG_LRO and NETIF_F_LRO have the same value, but NETIF_F_LRO
is intended to use with netdev->features.Signed-off-by: Stanislaw Gruszka
Acked-by: Don Skidmore
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
Add explanatory comment to avoid confusion when a pointer is set
to the second word of an array instead of the customary cast of a
pointer to the beginning of the array.Signed-off-by: Greg Rose
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
The igb online link test was always reporting pass because instead of
checking for if_running it was checking for netif_carrier_ok.This change corrects the test so that it is run if the interface is running
instead of checking for netif carrier ok.Signed-off-by: Alexander Duyck
Tested-by: Emil Tantilov
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
Check the value of max_vfs at the time of assignment of vfs_allocated_count.
The previous check in igb_probe_vfs was too late as by that time the rx/tx
rings were initialized with the wrong offset.Signed-off-by: Emil Tantilov
Tested-by: Jeff Pieper
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
The 82576 expects the second rx queue in any pool to receive L2 switch
loop back packets sent from the second tx queue in another pool. The
82576 VF driver does not enable the second rx queue so if the PF driver
sends packets destined to a VF from its second tx queue then the VF
driver will never see them. In SR-IOV mode limit the number of tx queues
used by the PF driver to one. This patch fixes a bug reported in which
the PF cannot communciate with the VF and should be considered for 2.6.34
stable.CC: stable@kernel.org
Signed-off-by: Greg Rose
Tested-by: Jeff Pieper
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
82580 NICs can have up to 4 functions. This fixes phy accesses
to use the correct locks for functions 2 and 3.Signed-off-by: Nicholas Nunley
Tested-by: Jeff Pieper
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
This patch removes the CONFIG_MCORE2 check from around NET_IP_ALIGN. It is
based on a suggestion from Andi Kleen. The assumption is that there are
not any x86 cores where unaligned access is really slow, and this change
would allow for a performance improvement to still exist on configurations
that are not necessarily optimized for Core 2.Cc: Andi Kleen
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: x86@kernel.org
Signed-off-by: Alexander Duyck
Signed-off-by: Jeff Kirsher
Acked-by: H. Peter Anvin
Signed-off-by: David S. Miller -
Add error checking to DMA descriptor rings initialization code.
Signed-off-by: Denis Kirjanov
Signed-off-by: David S. Miller -
be2net driver is currently not showing correct phy details in certain cases.
This patch fixes it.Signed-off-by: Ajit Khaparde
Signed-off-by: David S. Miller -
Since ehea_get_stats calls ehea_h_query_ehea_port, which
can sleep, we can also sleep when allocating a page in
this function. This fixes some memory allocation failure
warnings seen under low memory conditions.Signed-off-by: Brian King
Signed-off-by: David S. Miller -
Conflicts:
drivers/net/wireless/libertas/host.h
