06 Nov, 2014
2 commits
-
Since adding a new function to seq_file (seq_has_overflowed())
there isn't any value for functions called from seq_show to
return anything. Remove the int returns of the various
print_tuple/_print_tuple functions.Link: http://lkml.kernel.org/p/f2e8cf8df433a197daa62cbaf124c900c708edc7.1412031505.git.joe@perches.com
Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Signed-off-by: Joe Perches
Signed-off-by: Steven Rostedt -
The seq_printf() and friends are having their return values removed.
The print_conntrack() returns the result of seq_printf(), which is
meaningless when seq_printf() returns void. Might as well remove the
return values of print_conntrack() as well.Link: http://lkml.kernel.org/r/20141029220107.465008329@goodmis.org
Acked-by: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Signed-off-by: Steven Rostedt
08 Apr, 2014
1 commit
-
nf_ct_gre_keymap_flush() removes a nf_ct_gre_keymap object from
net_gre->keymap_list and frees the object. But it doesn't clean
a reference on this object from ct_pptp_info->keymap[dir].
Then nf_ct_gre_keymap_destroy() may release the same object again.So nf_ct_gre_keymap_flush() can be called only when we are sure that
when nf_ct_gre_keymap_destroy will not be called.nf_ct_gre_keymap is created by nf_ct_gre_keymap_add() and the right way
to destroy it is to call nf_ct_gre_keymap_destroy().This patch marks nf_ct_gre_keymap_flush() as static, so this patch can
break compilation of third party modules, which use
nf_ct_gre_keymap_flush. I'm not sure this is the right way to deprecate
this function.[ 226.540793] general protection fault: 0000 [#1] SMP
[ 226.541750] Modules linked in: nf_nat_pptp nf_nat_proto_gre
nf_conntrack_pptp nf_conntrack_proto_gre ip_gre ip_tunnel gre
ppp_deflate bsd_comp ppp_async crc_ccitt ppp_generic slhc xt_nat
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack veth tun bridge stp llc ppdev microcode joydev pcspkr
serio_raw virtio_console virtio_balloon floppy parport_pc parport
pvpanic i2c_piix4 virtio_net drm_kms_helper ttm ata_generic virtio_pci
virtio_ring virtio drm i2c_core pata_acpi [last unloaded: ip_tunnel]
[ 226.541776] CPU: 0 PID: 49 Comm: kworker/u4:2 Not tainted 3.14.0-rc8+ #101
[ 226.541776] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 226.541776] Workqueue: netns cleanup_net
[ 226.541776] task: ffff8800371e0000 ti: ffff88003730c000 task.ti: ffff88003730c000
[ 226.541776] RIP: 0010:[] [] __list_del_entry+0x29/0xd0
[ 226.541776] RSP: 0018:ffff88003730dbd0 EFLAGS: 00010a83
[ 226.541776] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800374e6c40 RCX: dead000000200200
[ 226.541776] RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800371e07d0 RDI: ffff8800374e6c40
[ 226.541776] RBP: ffff88003730dbd0 R08: 0000000000000000 R09: 0000000000000000
[ 226.541776] R10: 0000000000000001 R11: ffff88003730d92e R12: 0000000000000002
[ 226.541776] R13: ffff88007a4c42d0 R14: ffff88007aef0000 R15: ffff880036cf0018
[ 226.541776] FS: 0000000000000000(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
[ 226.541776] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 226.541776] CR2: 00007f07f643f7d0 CR3: 0000000036fd2000 CR4: 00000000000006f0
[ 226.541776] Stack:
[ 226.541776] ffff88003730dbe8 ffffffff81389c5d ffff8800374ffbe4 ffff88003730dc28
[ 226.541776] ffffffffa0162a43 ffffffffa01627c5 ffff88007a4c42d0 ffff88007aef0000
[ 226.541776] ffffffffa01651c0 ffff88007a4c45e0 ffff88007aef0000 ffff88003730dc40
[ 226.541776] Call Trace:
[ 226.541776] [] list_del+0xd/0x30
[ 226.541776] [] nf_ct_gre_keymap_destroy+0x283/0x2d0 [nf_conntrack_proto_gre]
[ 226.541776] [] ? nf_ct_gre_keymap_destroy+0x5/0x2d0 [nf_conntrack_proto_gre]
[ 226.541776] [] gre_destroy+0x27/0x70 [nf_conntrack_proto_gre]
[ 226.541776] [] destroy_conntrack+0x83/0x200 [nf_conntrack]
[ 226.541776] [] ? destroy_conntrack+0x27/0x200 [nf_conntrack]
[ 226.541776] [] ? nf_conntrack_hash_check_insert+0x2e0/0x2e0 [nf_conntrack]
[ 226.541776] [] nf_conntrack_destroy+0x72/0x180
[ 226.541776] [] ? nf_conntrack_destroy+0x5/0x180
[ 226.541776] [] ? kill_l3proto+0x20/0x20 [nf_conntrack]
[ 226.541776] [] nf_ct_iterate_cleanup+0x14e/0x170 [nf_conntrack]
[ 226.541776] [] nf_ct_l4proto_pernet_unregister+0x5b/0x90 [nf_conntrack]
[ 226.541776] [] proto_gre_net_exit+0x19/0x30 [nf_conntrack_proto_gre]
[ 226.541776] [] ops_exit_list.isra.1+0x39/0x60
[ 226.541776] [] cleanup_net+0x100/0x1d0
[ 226.541776] [] process_one_work+0x1ea/0x4f0
[ 226.541776] [] ? process_one_work+0x188/0x4f0
[ 226.541776] [] worker_thread+0x11b/0x3a0
[ 226.541776] [] ? process_one_work+0x4f0/0x4f0
[ 226.541776] [] kthread+0xed/0x110
[ 226.541776] [] ? _raw_spin_unlock_irq+0x2c/0x40
[ 226.541776] [] ? kthread_create_on_node+0x200/0x200
[ 226.541776] [] ret_from_fork+0x7c/0xb0
[ 226.541776] [] ? kthread_create_on_node+0x200/0x200
[ 226.541776] Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de
48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 ad de 48
39 c8 74 7a 8b 00 4c 39 c7 75 53 4c 8b 42 08 4c 39 c7 75 2b 48 89
42 08
[ 226.541776] RIP [] __list_del_entry+0x29/0xd0
[ 226.541776] RSP
[ 226.612193] ---[ end trace 985ae23ddfcc357c ]---Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: "David S. Miller"
Signed-off-by: Andrey Vagin
Signed-off-by: Pablo Neira Ayuso
19 Apr, 2013
1 commit
-
Add copyright statements to all netfilter files which have had significant
changes done by myself in the past.Some notes:
- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
Core Team when it got split out of nf_conntrack_core.c. The copyrights
even state a date which lies six years before it was written. It was
written in 2005 by Harald and myself.- net/ipv{4,6}/netfilter.c, net/netfitler/nf_queue.c were missing copyright
statements. I've added the copyright statement from net/netfilter/core.c,
where this code originated- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
it to give the wrong impressionSigned-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
15 Mar, 2013
1 commit
-
In (c296bb4 netfilter: nf_conntrack: refactor l4proto support for netns)
the l4proto gre/dccp/udplite/sctp registration happened before the pernet
subsystem, which is wrong.Register pernet subsystem before register L4proto since after register
L4proto, init_conntrack may try to access the resources which allocated
in register_pernet_subsys.Reported-by: Alexey Dobriyan
Cc: Alexey Dobriyan
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
23 Jan, 2013
1 commit
-
Move the code that register/unregister l4proto to the
module_init/exit context.Given that we have to modify some interfaces to accomodate
these changes, it is a good time to use shorter function names
for this using the nf_ct_* prefix instead of nf_conntrack_*,
that is:nf_ct_l4proto_register
nf_ct_l4proto_pernet_register
nf_ct_l4proto_unregister
nf_ct_l4proto_pernet_unregisterWe same many line breaks with it.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
28 Jun, 2012
1 commit
-
l4proto->init contain quite redundant code. We can simplify this
by adding a new parameter l3proto.This patch prepares that code simplification.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
16 Jun, 2012
1 commit
-
This patch uses the new variable length conntrack extensions.
Instead of using union nf_conntrack_help that contain all the
helper private data information, we allocate variable length
area to store the private helper data.This patch includes the modification of all existing helpers.
It also includes a couple of include header to avoid compilation
warnings.Signed-off-by: Pablo Neira Ayuso
07 Jun, 2012
3 commits
-
This patch adds namespace support for cttimeout.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
This patch modifies the GRE protocol tracker, which partially
supported namespace before this patch, to use the new namespace
infrastructure for nf_conntrack.Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso -
This patch prepares the namespace support for layer 4 protocol trackers.
Basically, this modifies the following interfaces:* nf_ct_[un]register_sysctl
* nf_conntrack_l4proto_[un]registerto include the namespace parameter. We still use init_net in this patch
to prepare the ground for follow-up patches for each layer 4 protocol
tracker.We add a new net_id field to struct nf_conntrack_l4proto that is used
to store the pernet_operations id for each layer 4 protocol tracker.Note that AF_INET6's protocols do not need to do sysctl compat. Thus,
we only register compat sysctl when l4proto.l3proto != AF_INET6.Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
02 Apr, 2012
1 commit
-
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.Signed-off-by: David S. Miller
08 Mar, 2012
3 commits
-
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.The follow up patches will allow you attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.Signed-off-by: Pablo Neira Ayuso
-
This patch defines a new interface for l4 protocol trackers:
unsigned int *(*get_timeouts)(struct net *net);
that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom custom timeout configuration by means of follow-up
patches.Signed-off-by: Pablo Neira Ayuso
-
This patch adds an array to define the default GRE timeouts.
Signed-off-by: Pablo Neira Ayuso
17 Dec, 2011
1 commit
-
Use IS_ENABLED(CONFIG_FOO)
instead of defined(CONFIG_FOO) || defined (CONFIG_FOO_MODULE)Signed-off-by: Igor Maravić
Signed-off-by: David S. Miller
03 Oct, 2011
1 commit
-
GRE connections cause ctnetlink event flood because the ASSURED event
is set for every packet received.Reported-by: Denys Fedoryshchenko
Tested-by: Denys Fedoryshchenko
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
30 Mar, 2010
1 commit
-
…it slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
03 Feb, 2010
1 commit
-
Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated
when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is
generated when the IPS_ASSURED bit is set.In combination with a following patch to support selective event delivery,
this can be used for "sparse" conntrack replication: start replicating the
conntrack entry after it reached the ASSURED state and that way it's SYN-flood
resistant.Signed-off-by: Patrick McHardy
02 Dec, 2009
1 commit
-
Take advantage of the new pernet automatic storage management,
and stop using compatibility network namespace functions.Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller
18 Nov, 2009
1 commit
-
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
11 Jun, 2009
1 commit
10 Jun, 2009
1 commit
-
Introduce per-conntrack locks and use them instead of the global protocol
locks to avoid contention. Especially tcp_lock shows up very high in
profiles on larger machines.This will also allow to simplify the upcoming reliable event delivery patches.
Signed-off-by: Patrick McHardy
03 Jun, 2009
1 commit
-
Define three accessors to get/set dst attached to a skb
struct dst_entry *skb_dst(const struct sk_buff *skb)
void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;Delete skb->dst field
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
26 Mar, 2009
1 commit
-
Signed-off-by: Holger Eitzenberger
Signed-off-by: Patrick McHardy
20 Nov, 2008
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
31 Oct, 2008
1 commit
-
register_pernet_gen_device() can't be used is nf_conntrack_pptp module is
also used (compiled in or loaded).Right now, proto_gre_net_exit() is called before nf_conntrack_pptp_net_exit().
The former shutdowns and frees GRE piece of netns, however the latter
absolutely needs it to flush keymap. Oops is inevitable.Switch to shiny new register_pernet_gen_subsys() to get correct ordering in
netns ops list.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
08 Oct, 2008
3 commits
-
* make keymap list per-netns
* per-netns keymal lock (not strictly necessary)
* flush keymap at netns stop and module unload.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy -
This is cleaner, we already know conntrack to which event is relevant.
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy -
and (try to) consistently use u_int8_t for the L3 family.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
08 Sep, 2008
2 commits
-
It does "kfree(list_head)" which looks wrong because entity that was
allocated is definitely not list_head.However, this all works because list_head is first item in
struct nf_ct_gre_keymap.Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
gre_keymap_list should be protected in all places.
(unless I'm misreading something)Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Apr, 2008
2 commits
-
Directly call IPv4 and IPv6 variants where the address family is
easily known.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
01 Feb, 2008
1 commit
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Oct, 2007
2 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
There is no struct nfattr anymore, rename functions to 'nlattr'.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
15 Jul, 2007
1 commit
-
Also remove two unnecessary EXPORT_SYMBOLs and move the
nf_conntrack_l3proto_ipv4 declaration to the correct file.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
08 Jun, 2007
1 commit
-
When a helper module is unloaded all conntracks refering to it have their
helper pointer NULLed out, leading to lots of races. In most places this
can be fixed by proper use of RCU (they do already check for != NULL,
but in a racy way), additionally nf_conntrack_expect_related needs to
bail out when no helper is present.Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
and not worth fixing.Signed-off-by: Patrick McHarrdy
Signed-off-by: David S. Miller