07 Jan, 2011
1 commit
-
Since nf_ct_expect_dst_hash() may be called without nf_conntrack_lock
locked, nf_ct_expect_hash_rnd should be initialized in the atomic way.

In this patch, we use nf_conntrack_hash_rnd instead of
nf_ct_expect_hash_rnd.

Signed-off-by: Changli Gao
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
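The commit above is about seeding a hash from a path that holds no lock. The following is an added example written for this page, not code from the commit or from the kernel: a user-space C sketch of the same one-time initialisation using C11 atomics in place of the kernel's cmpxchg(). The names hash_seed, hash_seed_get and tuple_hash, the /dev/urandom stand-in for get_random_bytes() and the mixing constants are this example's own assumptions; the kernel hashes tuples with jhash.

```c
/* Added example, not kernel code: one-time, lock-free initialisation of a
 * hash seed, the pattern the kernel uses with cmpxchg() for its conntrack
 * hash seed. A predictable or zero seed lets an attacker who controls
 * tuples collide entries into one bucket (hash flooding), and two racing
 * initialisers handing out different seeds would make lookups miss.
 * Names (hash_seed, hash_seed_get, tuple_hash) are this example's own. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static _Atomic uint32_t hash_seed;      /* 0 means "not seeded yet" */

/* Stand-in for get_random_bytes(): pull from the OS CSPRNG; refuse to run
 * with a guessable fallback if that fails. sizeof(), not a hard-coded 4. */
static uint32_t random_u32(void)
{
    uint32_t r = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&r, sizeof(r), 1, f) != 1) {
        perror("/dev/urandom");
        exit(1);
    }
    fclose(f);
    return r;
}

/* Return the process-wide seed, creating it on first use. Racing callers
 * each draw a candidate, but only the first compare-exchange from 0 wins;
 * the loser discards its draw and takes the winner's value, so every caller
 * hashes with the same seed and no lock is needed on the fast path. */
uint32_t hash_seed_get(void)
{
    uint32_t seed = atomic_load_explicit(&hash_seed, memory_order_acquire);
    if (seed != 0)
        return seed;                    /* common case: already seeded */

    uint32_t candidate;
    do {
        candidate = random_u32();
    } while (candidate == 0);           /* 0 is reserved for "unset" */

    uint32_t expected = 0;
    if (atomic_compare_exchange_strong(&hash_seed, &expected, candidate))
        return candidate;               /* we published the seed */
    return expected;                    /* someone else did; use theirs */
}

/* Seeded mixer over a (saddr, daddr, dport) tuple so the seed is visibly
 * part of every hash. The constants are arbitrary; the kernel uses jhash. */
uint32_t tuple_hash(uint32_t saddr, uint32_t daddr, uint16_t dport)
{
    uint32_t h = hash_seed_get();
    h ^= saddr; h *= 0x9E3779B1u;
    h ^= daddr; h *= 0x85EBCA77u;
    h ^= dport; h ^= h >> 16;
    return h;
}

int main(void)
{
    uint32_t s1 = hash_seed_get(), s2 = hash_seed_get();
    printf("seed stable across calls: %s\n", s1 == s2 ? "yes" : "no");
    printf("hash(10.0.0.1 -> 10.0.0.2:21) = %08x\n",
           tuple_hash(0x0a000001u, 0x0a000002u, 21));
    return 0;
}
```

The loser of the compare-exchange must use the winner's seed rather than its own draw; returning the local candidate would give that one caller a different seed for one hash computation and leave an entry in a bucket nobody can find again.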
19 Oct, 2010
1 commit
-
This patch allows to listen to events that inform about
expectations destroyed.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
29 Sep, 2010
1 commit
-
This patch adds the basic infrastructure to support user-space
expectation helpers via ctnetlink and the netfilter queuing
infrastructure NFQUEUE. Basically, this patch:

* adds NF_CT_EXPECT_USERSPACE flag to identify user-space
created expectations. I have also added a sanity check in
__nf_ct_expect_check() to avoid that kernel-space helpers
may create an expectation if the master conntrack has no
helper assigned.
* adds some branches to check if the master conntrack helper
exists, otherwise we skip the code that refers to kernel-space
helper such as the local expectation list and the expectation
policy.
* allows to set the timeout for user-space expectations with
no helper assigned.
* a list of expectations created from user-space that depends
on ctnetlink (if this module is removed, they are deleted).
* includes USERSPACE in the /proc output for expectations
that have been created by a user-space helper.

This patch also modifies ctnetlink to skip including the helper
name in the Netlink messages if no kernel-space helper is set
(since user-space expectations have no kernel-space helper
assigned).

You can access an example user-space FTP conntrack helper at:
http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-userspace-POC.tar.bz

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
16 Feb, 2010
1 commit
-
Normally, each connection needs a unique identity. Conntrack zones allow
to specify a numerical zone using the CT target, connections in different
zones can use the same identity.

Example:

iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1

Signed-off-by: Patrick McHardy
12 Feb, 2010
1 commit
-
call_rcu() will unconditionally reinitialize RCU head anyway.
Signed-off-by: Alexey Dobriyan
Reviewed-by: Paul E. McKenney
Signed-off-by: Patrick McHardy
11 Feb, 2010
1 commit
-
Make the output a bit more informative by showing the helper an expectation
belongs to and the expectation class.

Signed-off-by: Patrick McHardy
09 Feb, 2010
2 commits
-
As noticed by Jon Masters, the conntrack hash
size is global and not per namespace, but modifiable at runtime through
/sys/module/nf_conntrack/hashsize. Changing the hash size will only
resize the hash in the current namespace however, so other namespaces
will use an invalid hash size. This can cause crashes when enlarging
the hashsize, or false negative lookups when shrinking it.

Move the hash size into the per-namespace data and only use the global
hash size to initialize the per-namespace value when instantiating a
new namespace. Additionally restrict hash resizing to init_net for
now as other namespaces are not handled currently.

Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Expectation hashtable size was simply glued to a variable with no code
to rehash expectations, so it was a bug to allow writing to it.
Make "expect_hashsize" readonly.

Signed-off-by: Alexey Dobriyan
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
30 Nov, 2009
1 commit
-
Not including net/atm/
Compiled tested x86 allyesconfig only
Added a > 80 column line or two, which I ignored.
Existing checkpatch plaints willfully, cheerfully ignored.

Signed-off-by: Joe Perches
Signed-off-by: David S. Miller
25 Jun, 2009
1 commit
-
RCU barriers, rcu_barrier(), are inserted in two places.

In nf_conntrack_expect.c nf_conntrack_expect_fini() before the
kmem_cache_destroy(). Firstly to make sure the callback to the
nf_ct_expect_free_rcu() code is still around. Secondly because I'm
unsure about the consequence of having in flight
nf_ct_expect_free_rcu/kmem_cache_free() calls while doing a
kmem_cache_destroy() slab destroy.

And in nf_conntrack_extend.c nf_ct_extend_unregister(), in order to
wait for completion of callbacks to __nf_ct_ext_free_rcu(), which is
invoked by __nf_ct_ext_add(). It might be more efficient to call
rcu_barrier() in nf_conntrack_core.c nf_conntrack_cleanup_net(), but
that makes it more difficult to read the code (as the callback code
is located in nf_conntrack_extend.c).

Signed-off-by: Jesper Dangaard Brouer
Signed-off-by: Patrick McHardy
06 Apr, 2009
1 commit
-
This patch fixes a regression (introduced by myself in commit 19abb7b:
netfilter: ctnetlink: deliver events for conntracks changed from
userspace) that results in an expectation re-insertion since
__nf_ct_expect_check() may return 0 for expectation timer refreshing.

This patch also removes an unnecessary refcount bump that
pretended to avoid a possible race condition with event delivery
and expectation timers (as said, not needed since we hold a
reference to the object until we finish the expectation
setup). This also merges nf_ct_expect_related_report() and
nf_ct_expect_related() which look basically the same.

Reported-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
26 Mar, 2009
1 commit
-
Use "hlist_nulls" infrastructure we added in 2.6.29 for RCUification of UDP & TCP.
This permits an easy conversion from call_rcu() based hash lists to a
SLAB_DESTROY_BY_RCU one.

Avoiding call_rcu() delay at nf_conn freeing time has numerous gains.

- First, it doesn't fill RCU queues (up to 10000 elements per cpu).
This reduces OOM possibility, if queued elements are not taken into account.
This reduces latency problems when RCU queue size hits hilimit and triggers
emergency mode.
- It allows fast reuse of just freed elements, permitting better use of
CPU cache.
- We delete rcu_head from "struct nf_conn", shrinking size of this structure
by 8 or 16 bytes.

This patch only takes care of "struct nf_conn".
call_rcu() is still used for less critical conntrack parts, that may
be converted later if necessary.

Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
20 Feb, 2009
1 commit
-
get_random_bytes() is sometimes called with a hard coded size assumption
of an integer. This could not be true for next centuries. This patch
replaces it with a compile time statement.

Signed-off-by: Hagen Paul Pfeifer
Signed-off-by: Patrick McHardy
18 Nov, 2008
1 commit
-
As for now, the creation and update of conntracks via ctnetlink do not
propagate an event to userspace. This can result in inconsistent situations
if several userspace processes modify the connection tracking table by means
of ctnetlink at the same time. Specifically, using the conntrack command
line tool and conntrackd at the same time can trigger inconsistencies.

This patch also modifies the event cache infrastructure to pass the
process PID and the ECHO flag to nfnetlink_send() to report back
to userspace if the process that triggered the change needs so.
Based on a suggestion from Patrick McHardy.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
08 Oct, 2008
6 commits
-
Add init_net checks to not remove kmem_caches twice and so on.
Refactor functions to split code which should be executed only for
init_net into one place.

ip_ct_attach and ip_ct_destroy assignments remain separate, because
they're separate stages in setup and teardown.

NOTE: NOTRACK code is in for-every-net part. It will be made per-netns
after we decide how to do it correctly.

Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
-
Make per-netns a) expectation hash and b) expectations count.
Expectations always belong to the netns to which their master conntrack belongs.
This is natural and doesn't bloat expectation.

Proc files and leaf users are stubbed to init_net, this is temporary.

Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
-
One comment: #ifdefs around #include are necessary to overcome amazing compile
breakages in NOTRACK-in-netns patch (see below).

Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
-
and (try to) consistently use u_int8_t for the L3 family.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
29 May, 2008
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Mar, 2008
4 commits
-
Introduce expectation classes and policies. An expectation class
is used to distinguish different types of expectations by the
same helper (for example audio/video/t.120). The expectation
policy is used to hold the maximum number of expectations and
the initial timeout for each class.

The individual classes are isolated from each other, which means
that for example an audio expectation will only evict other audio
expectations.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This is useful for the SIP helper and signalling expectations.
We don't want to create a full-blown expectation with a wildcard
as source based on a single UDP packet, but need to know the
final port anyways. With inactive expectations we can register
the expectation and reserve the tuple, but wait for confirmation
from the registrar before activating it.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Mar, 2008
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Feb, 2008
3 commits
-
With the RCU conversion only write_lock usages of nf_conntrack_lock are
left (except one read_lock that should actually use write_lock in the
H.323 helper). Switch to a spinlock.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Use RCU for expectation hash. This doesn't buy much for conntrack
runtime performance, but allows to reduce the use of nf_conntrack_lock
for /proc and nf_netlink_conntrack.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
CHECK net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_expect.c:429:13: warning: context imbalance in 'exp_seq_start' - wrong count at exit
net/netfilter/nf_conntrack_expect.c:441:13: warning: context imbalance in 'exp_seq_stop' - unexpected unlock
CHECK net/netfilter/nf_log.c
net/netfilter/nf_log.c:105:13: warning: context imbalance in 'seq_start' - wrong count at exit
net/netfilter/nf_log.c:125:13: warning: context imbalance in 'seq_stop' - unexpected unlock
CHECK net/netfilter/nfnetlink_queue.c
net/netfilter/nfnetlink_queue.c:363:7: warning: symbol 'size' shadows an earlier one
net/netfilter/nfnetlink_queue.c:217:9: originally declared here
net/netfilter/nfnetlink_queue.c:847:13: warning: context imbalance in 'seq_start' - wrong count at exit
net/netfilter/nfnetlink_queue.c:859:13: warning: context imbalance in 'seq_stop' - unexpected unlock

Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
2 commits
-
Apply Eric Dumazet's jhash optimizations where applicable. Quoting Eric:

Thanks to jhash, hash value uses full 32 bits. Instead of returning
hash % size (implying a divide) we return the high 32 bits of the
(hash * size) that will give results between [0 and size-1] and same
hash distribution.

On most cpus, a multiply is less expensive than a divide, by an order
of magnitude.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
A few netfilter modules provide their own union of IPv4 and IPv6
address storage. Will unify that in this patch series.

(1/4): Rename union nf_conntrack_address to union nf_inet_addr and
move it to x_tables.h.

Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
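For the 29 Jan 2009 jhash commit above, an added example written for this page and not code from the kernel: the bucket-index trick in user-space C. The multiply form is the same computation the kernel now exposes as reciprocal_scale(); the function names here, the range sweep and the distribution check are this example's own.

```c
/* Added example, not kernel code: pick a hash bucket as the high 32 bits of
 * hash * size rather than hash % size. Both land in [0, size), but the
 * multiply needs no divide and, for power-of-two sizes, selects on the
 * hash's high bits instead of its low bits. This relies on the hash being
 * well mixed over all 32 bits (the commit's "thanks to jhash"); function
 * names here are this example's own. */
#include <stdint.h>
#include <stdio.h>

/* ((u64)hash * size) >> 32: for any 32-bit hash the result is < size,
 * because hash * size < 2^32 * size. */
uint32_t bucket_by_multiply(uint32_t hash, uint32_t size)
{
    return (uint32_t)(((uint64_t)hash * size) >> 32);
}

uint32_t bucket_by_modulo(uint32_t hash, uint32_t size)
{
    return hash % size;
}

/* Sweep the 32-bit hash space with a coarse stride plus the top value and
 * return 1 if every multiply-scaled index stayed below size. */
int multiply_scale_in_range(uint32_t size)
{
    uint64_t h;
    for (h = 0; h < 0x100000000ull; h += 0x10001u)
        if (bucket_by_multiply((uint32_t)h, size) >= size)
            return 0;
    return bucket_by_multiply(0xFFFFFFFFu, size) < size;
}

/* Feed 65536 hashes that differ only in their high 16 bits and count how
 * many distinct buckets a selector uses. Modulo by a power of two <= 65536
 * sees only the (constant) low bits and returns 1; the multiply still
 * spreads them. size is capped at 65536 to keep the bitmap static. */
uint32_t distinct_buckets(uint32_t (*pick)(uint32_t, uint32_t), uint32_t size)
{
    static unsigned char seen[1u << 16];
    uint32_t distinct = 0, i;

    if (size == 0 || size > (1u << 16))
        return 0;
    for (i = 0; i < (1u << 16); i++)
        seen[i] = 0;
    for (i = 0; i < (1u << 16); i++) {
        uint32_t b = pick(i << 16, size);     /* low 16 bits are all zero */
        if (!seen[b]) {
            seen[b] = 1;
            distinct++;
        }
    }
    return distinct;
}

int main(void)
{
    uint32_t size = 1024;
    printf("all multiply-scaled buckets in range: %s\n",
           multiply_scale_in_range(size) ? "yes" : "no");
    printf("distinct buckets, modulo:   %u\n", distinct_buckets(bucket_by_modulo, size));
    printf("distinct buckets, multiply: %u\n", distinct_buckets(bucket_by_multiply, size));
    return 0;
}
```

The multiply is only as good as the hash feeding it: it reads the high bits, so a hash that leaves its high bits poorly mixed would cluster just as badly as a modulo over weak low bits. That is why the commit pairs the trick with jhash rather than applying it to a raw tuple field.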
11 Oct, 2007
3 commits
-
Just switch to the consolidated calls.
ipt_recent() has to initialize the private, so use
the __seq_open_private() helper.

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
Similar to the conntrack ID, the per-expectation ID is not needed
anymore, kill it.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This patch makes /proc/net per network namespace. It modifies the global
variables proc_net and proc_net_stat to be per network namespace.
The proc_net file helpers are modified to take a network namespace argument,
and all of their callers are fixed to pass &init_net for that argument.
This ensures that all of the /proc/net files are only visible and
usable in the initial network namespace until the code behind them
has been updated to handle multiple network namespaces.

Making /proc/net per namespace is necessary as at least some files
in /proc/net depend upon the set of network devices which is per
network namespace, and even more files in /proc/net have contents
that are relevant to a single network namespace.

Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller
03 Aug, 2007
1 commit
-
Signed-off-by: Mariusz Kozlowski
Signed-off-by: David S. Miller
27 Jul, 2007
1 commit
-
no real bugs, just misannotations cropping up
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
20 Jul, 2007
1 commit
-
Slab destructors were no longer supported after Christoph's
c59def9f222d44bb7e2f0a559f2906191a0862d7 change. They've been
BUGs for both slab and slub, and slob never supported them
either.

This rips out support for the dtor pointer from kmem_cache_create()
completely and fixes up every single callsite in the kernel (there were
about 224, not including the slab allocator definitions themselves,
or the documentation references).

Signed-off-by: Paul Mundt
11 Jul, 2007
3 commits
-
Make all initialized struct seq_operations in net/ const
Signed-off-by: Philippe De Muyter
Signed-off-by: David S. Miller
-
As a last step of preventing DoS by creating lots of expectations, this
patch introduces a global maximum and a sysctl to control it. The default
is initialized to 4 * the expectation hash table size, which results in
1/64 of the default maximum of conntracks.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
This patch brings back the per-conntrack expectation list that was
removed around 2.6.10 to avoid walking all expectations on expectation
eviction and conntrack destruction.

As these were the last users of the global expectation list, this patch
also kills that.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
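The 26 Mar 2008 commit introducing expectation classes and policies and the 11 Jul 2007 commit adding the global expectation maximum describe two layers of the same DoS defence. The following is an added example written for this page, not code from either commit or from the kernel: a user-space C model of that accounting. The class names, the policy numbers, the fixed-size per-master array and every function name (expect_add, evict_oldest_in_class, demo_scenario and friends) are this example's own assumptions; the kernel keeps these as hlists and reads the maximum from the nf_conntrack_expect_max sysctl.

```c
/* Added example, not kernel code: expectation accounting as described by
 * the two Patrick McHardy commits above. Each helper class has a policy
 * (max outstanding expectations, initial timeout); a master at a class's
 * cap evicts the oldest expectation of that class only, and a global
 * maximum (the sysctl from the 11 Jul 2007 commit) refuses anything beyond
 * it. Class names, policy numbers, the fixed per-master array and every
 * function name are this example's own. */
#include <stdint.h>
#include <stdio.h>

enum exp_class { EXP_SIGNALLING = 0, EXP_AUDIO, EXP_VIDEO, EXP_CLASS_MAX };

struct exp_policy { unsigned int max_expected, timeout; };

static const struct exp_policy policy[EXP_CLASS_MAX] = {   /* illustrative */
    [EXP_SIGNALLING] = { 1, 180 }, [EXP_AUDIO] = { 4, 30 }, [EXP_VIDEO] = { 2, 30 },
};

#define MAX_PER_MASTER 16

struct expectation {
    int in_use;
    enum exp_class cls;
    uint16_t port;            /* expected tuple, reduced to a port */
    unsigned int expires;     /* now + policy timeout */
    unsigned int seq;         /* creation order, defines "oldest" */
};

struct master_conn {
    struct expectation exps[MAX_PER_MASTER];   /* per-conntrack list */
    unsigned int count[EXP_CLASS_MAX];         /* outstanding per class */
};

static unsigned int exp_total;     /* stands in for nf_ct_expect_count */
static unsigned int exp_max = 8;   /* stands in for the expect_max sysctl */
static unsigned int exp_seq;

/* Class isolation: only same-class expectations are eviction candidates. */
static void evict_oldest_in_class(struct master_conn *m, enum exp_class cls)
{
    struct expectation *oldest = NULL;
    for (int i = 0; i < MAX_PER_MASTER; i++) {
        struct expectation *e = &m->exps[i];
        if (e->in_use && e->cls == cls && (!oldest || e->seq < oldest->seq))
            oldest = e;
    }
    if (oldest) {
        oldest->in_use = 0;
        m->count[cls]--;
        exp_total--;
    }
}

/* 0 on success, -1 when the global maximum (or this master's array) is
 * exhausted. Per-class eviction runs before the global check, as in the
 * kernel, so a class at its cap recycles its own slot first. */
int expect_add(struct master_conn *m, enum exp_class cls, uint16_t port,
               unsigned int now)
{
    if (m->count[cls] >= policy[cls].max_expected)
        evict_oldest_in_class(m, cls);
    if (exp_total >= exp_max)
        return -1;                              /* expectation table full */
    for (int i = 0; i < MAX_PER_MASTER; i++) {
        struct expectation *e = &m->exps[i];
        if (e->in_use)
            continue;
        *e = (struct expectation){ 1, cls, port, now + policy[cls].timeout, ++exp_seq };
        m->count[cls]++;
        exp_total++;
        return 0;
    }
    return -1;
}

unsigned int expect_count(const struct master_conn *m, enum exp_class cls)
{
    return m->count[cls];
}

int expect_has_port(const struct master_conn *m, uint16_t port)
{
    for (int i = 0; i < MAX_PER_MASTER; i++)
        if (m->exps[i].in_use && m->exps[i].port == port)
            return 1;
    return 0;
}

/* Scripted run; returns 0 if every step behaved, else the failing step. */
int demo_scenario(void)
{
    struct master_conn ftp = {0}, sip = {0};
    exp_total = 0; exp_seq = 0; exp_max = 8;

    for (int i = 0; i < 4; i++)                       /* fill audio, cap 4 */
        if (expect_add(&ftp, EXP_AUDIO, 5000 + i, 0)) return 1;
    if (expect_add(&ftp, EXP_AUDIO, 5004, 0)) return 2;          /* evicts 5000 */
    if (expect_count(&ftp, EXP_AUDIO) != 4 || expect_has_port(&ftp, 5000)) return 3;
    for (int i = 0; i < 3; i++)                       /* overflow video, cap 2 */
        if (expect_add(&ftp, EXP_VIDEO, 6000 + i, 0)) return 4;
    if (expect_count(&ftp, EXP_VIDEO) != 2 || expect_count(&ftp, EXP_AUDIO) != 4) return 5;
    if (expect_add(&sip, EXP_SIGNALLING, 7000, 0)) return 6;     /* 7 in use */
    if (expect_add(&sip, EXP_AUDIO, 5100, 0)) return 7;          /* 8 in use */
    if (expect_add(&sip, EXP_AUDIO, 5101, 0) != -1) return 8;    /* refused */
    return 0;
}

int main(void)
{
    int rc = demo_scenario();
    printf("scenario %s at step %d; %u of %u expectations in use\n",
           rc ? "failed" : "ok", rc, exp_total, exp_max);
    return rc;
}
```

The per-class cap bounds what one connection can do, while the global cap bounds what all connections together can do; a flood of video expectations on one master evicts only that master's video entries, but once the global maximum is reached even a well-behaved master is refused, which is the trade-off the sysctl exists to tune.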