8 years ago - ipvs: move struct netns_ipvs
Julian Anastasov [Fri, 4 Mar 2011 10:18:07 +0000]
ipvs: move struct netns_ipvs

  Remove include/net/netns/ip_vs.h because it depends on
structures from include/net/ip_vs.h. As ipvs is a pointer in
struct net it is better to move struct netns_ipvs into
include/net/ip_vs.h, so that we can easily use other structures
in struct netns_ipvs.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - IPVS: Fix variable assignment in ip_vs_notrack
Jesper Juhl [Wed, 9 Mar 2011 21:55:05 +0000]
IPVS: Fix variable assignment in ip_vs_notrack

There's no sense to 'ct = ct = ' in ip_vs_notrack(). Just assign
nf_ct_get()'s return value directly to the pointer variable 'ct' once.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - netfilter:ipvs: use kmemdup
Shan Wei [Mon, 7 Mar 2011 02:11:34 +0000]
netfilter:ipvs: use kmemdup

The semantic patch that makes this output is available
in scripts/coccinelle/api/memdup.cocci.

More information about semantic patching is available at
http://coccinelle.lip6.fr/

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: remove _bh from percpu stats reading
Julian Anastasov [Fri, 4 Mar 2011 10:28:20 +0000]
ipvs: remove _bh from percpu stats reading

  ip_vs_read_cpu_stats is called only from timer, so
no need for _bh locks.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: avoid lookup for fwmark 0
Julian Anastasov [Fri, 4 Mar 2011 10:26:17 +0000]
ipvs: avoid lookup for fwmark 0

  Restore the previous behaviour to look up the fwmark
service only when fwmark is non-null. This saves only CPU.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - netfilter: nf_conntrack: fix sysctl memory leak
Stephen Hemminger [Mon, 14 Mar 2011 18:20:44 +0000]
netfilter: nf_conntrack: fix sysctl memory leak

Message in log because sysctl table was not empty at netns exit
 WARNING: at net/sysctl_net.c:84 sysctl_net_exit+0x2a/0x2c()

Instrumenting showed that the nf_conntrack_timestamp was the entry
that was being created but not cleared.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: x_tables: return -ENOENT for non-existent matches/targets
Patrick McHardy [Mon, 14 Mar 2011 18:11:44 +0000]
netfilter: x_tables: return -ENOENT for non-existent matches/targets

As Stephen correctly points out, we need to return -ENOENT in
xt_find_match()/xt_find_target() after the patch "netfilter: x_tables:
misuse of try_then_request_module" in order to properly indicate
a non-existent module to the caller.

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: x_tables: misuse of try_then_request_module
Stephen Hemminger [Wed, 9 Mar 2011 13:14:26 +0000]
netfilter: x_tables: misuse of try_then_request_module

Since xt_find_match() returns ERR_PTR(xx) on error not NULL,
the macro try_then_request_module won't work correctly here.
The macro expects its first argument will be zero if condition
fails. But ERR_PTR(-ENOENT) is not zero.

The correct solution is to propagate the error value
back.

Found by inspection, and compile tested only.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
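
The two x_tables messages above (the try_then_request_module misuse and the follow-up returning -ENOENT) describe a lookup that returns an error pointer rather than NULL. The following stand-alone C program is an added illustration, not the kernel's code and not part of either commit: it reproduces the ERR_PTR encoding from include/linux/err.h and the shape of the try_then_request_module macro, stubs the xtables match registry and request_module() (the one-argument signature, the registry contents and the function names xt_request_find_match_buggy/_fixed are constructed for this example), and shows why the macro never requests the module when the lookup yields ERR_PTR(-ENOENT), beside the corrected form that tests with IS_ERR() and propagates the error.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Error-pointer encoding as in the kernel's include/linux/err.h:
 * a small negative errno is stored in the pointer value itself. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Shape of the kernel macro: evaluate x; only if it is zero/NULL,
 * request the module and evaluate x again. */
#define try_then_request_module(x, mod) ((x) ?: (request_module(mod), (x)))

/* Constructed stand-in for the xtables match registry: request_module()
 * marks a module as loaded, and xt_find_match() only sees loaded ones. */
struct xt_match { const char *name; int loaded; };
static struct xt_match registry[] = { { "devgroup", 0 }, { "conntrack", 0 } };
static int requests;                 /* how often request_module() ran */

/* Simplified request_module(): single name argument, no format string. */
int request_module(const char *name)
{
    requests++;
    for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++)
        if (strcmp(registry[i].name, name) == 0) {
            registry[i].loaded = 1;
            return 0;
        }
    return -ENOENT;                  /* no such module available */
}

/* Like xt_find_match() after the -ENOENT patch: never NULL, but
 * ERR_PTR(-ENOENT) when the match is not registered. */
struct xt_match *xt_find_match(const char *name)
{
    for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++)
        if (registry[i].loaded && strcmp(registry[i].name, name) == 0)
            return &registry[i];
    return ERR_PTR(-ENOENT);
}

/* The misuse: ERR_PTR(-ENOENT) is non-zero, so the macro treats the
 * failed lookup as success and never requests the module. */
struct xt_match *xt_request_find_match_buggy(const char *name)
{
    return try_then_request_module(xt_find_match(name), name);
}

/* The fix: test with IS_ERR(), retry once after requesting the module,
 * and hand the error pointer back to the caller unchanged. */
struct xt_match *xt_request_find_match_fixed(const char *name)
{
    struct xt_match *m = xt_find_match(name);
    if (IS_ERR(m)) {
        request_module(name);
        m = xt_find_match(name);
    }
    return m;
}

/* Helpers so the scenario can be replayed from a clean state. */
void registry_reset(void)
{
    for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++)
        registry[i].loaded = 0;
    requests = 0;
}
int request_count(void) { return requests; }
```

With the buggy variant the lookup for "devgroup" ends in ERR_PTR(-ENOENT) and request_count() stays at 0; the fixed variant requests the module once and returns the registered match, and for a name no module provides it still returns ERR_PTR(-ENOENT), which the caller can turn into -ENOENT with PTR_ERR().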

8 years ago - netfilter: ipset: fix the compile warning in ip_set_create
Shan Wei [Tue, 8 Mar 2011 14:37:27 +0000]
netfilter: ipset: fix the compile warning in ip_set_create

net/netfilter/ipset/ip_set_core.c:615: warning: ‘clash’ may be used uninitialized in this function

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: nf_ct_tcp: fix out of sync scenario while in SYN_RECV
Pablo Neira Ayuso [Mon, 28 Feb 2011 16:59:15 +0000]
netfilter: nf_ct_tcp: fix out of sync scenario while in SYN_RECV

This patch fixes the out of sync scenarios while in SYN_RECV state.

Quoting Jozsef, what happens if we are out of sync is the
following:

> > b. conntrack entry is outdated, new SYN received
> >    - (b1) we ignore it but save the initialization data from it
> >    - (b2) when the reply SYN/ACK receives and it matches the saved data,
> >      we pick up the new connection

This is what should happen if we are in SYN_RECV state. Initially,
the SYN packet hits b1, thus we save data from it. But the SYN/ACK
packet is considered a retransmission given that we're in SYN_RECV
state. Therefore, we never hit b2 and we don't get in sync. To fix
this, we ignore SYN/ACK if we are in SYN_RECV. If the previous packet
was a SYN, then we enter the ignore case that gets us in sync.

This patch helps a lot to conntrackd in stress scenarios (assuming a
client that generates lots of small TCP connections). During the failover,
consider that the new primary has injected one outdated flow in SYN_RECV
state (this is likely to happen if the conntrack event rate is high
because the backup will be a bit delayed from the primary). With the
current code, if the client starts a new fresh connection that matches
the tuple, the SYN packet will be ignored without updating the state
tracking, and the SYN+ACK in reply will be blocked as it will not pass
checks III or IV (since all state tracking in the original direction
is not initialized because the SYN packet was ignored and the ignore
case that gets us in sync is not applied).

I posted a couple of patches before this one. Changli Gao spotted
a simpler way to fix this problem. This patch implements his idea.

Cc: Changli Gao <xiaosuo@gmail.com>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - ipvs: unify the formula to estimate the overhead of processing connections
Changli Gao [Sat, 19 Feb 2011 09:32:28 +0000]
ipvs: unify the formula to estimate the overhead of processing connections

lc and wlc use the same formula, but lblc and lblcr use another one. There
is no reason for using two different formulas for the lc variants.

The formula used by lc is used by all the lc variants in this patch.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Wensong Zhang <wensong@linux-vs.org>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: use enum instead of magic numbers
Changli Gao [Thu, 24 Feb 2011 00:19:57 +0000]
ipvs: use enum instead of magic numbers

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: use hlist instead of list
Changli Gao [Sat, 19 Feb 2011 10:05:08 +0000]
ipvs: use hlist instead of list

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: make "no destination available" message more informative
Patrick Schaaf [Fri, 11 Feb 2011 13:01:12 +0000]
ipvs: make "no destination available" message more informative

When IP_VS schedulers do not find a destination, they output a terse
"WLC: no destination available" message through kernel syslog, which I
can only make sense of because syslog puts them in a logfile
together with keepalived checker results.

This patch makes the output a bit more informative, by telling you which
virtual service failed to find a destination.

Example output:

kernel: [1539214.552233] IPVS: wlc: TCP 192.168.8.30:22 - no destination available
kernel: [1539299.674418] IPVS: wlc: FWM 22 0x00000016 - no destination available

I have tested the code for IPv4 and FWM services, as you can see from
the example; I do not have an IPv6 setup to test the third code path
with.

To avoid code duplication, I put a new function ip_vs_scheduler_err()
into ip_vs_sched.c, and use that from the schedulers instead of calling
IP_VS_ERR_RL directly.

Signed-off-by: Patrick Schaaf <netdev@bof.de>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: remove extra lookups for ICMP packets
Julian Anastasov [Wed, 9 Feb 2011 00:26:38 +0000]
ipvs: remove extra lookups for ICMP packets

  Remove code that should not be called anymore.
Now when ip_vs_out handles replies for local clients at
LOCAL_IN hook we do not need to call conn_out_get and
handle_response_icmp from ip_vs_in_icmp* because such
lookups were already performed for the ICMP packet and no
connection was found.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - ipvs: fix timer in get_curr_sync_buff
Tinggong Wang [Wed, 9 Feb 2011 00:21:59 +0000]
ipvs: fix timer in get_curr_sync_buff

  Fix get_curr_sync_buff to keep buffer for 2 seconds
as intended, not just for the current jiffie. This way
we will sync more connection structures with a single packet.

Signed-off-by: Tinggong Wang <wangtinggong@gmail.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - netfilter: nfnetlink_log: remove unused parameter
Florian Westphal [Tue, 15 Feb 2011 20:59:37 +0000]
netfilter: nfnetlink_log: remove unused parameter

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: xt_conntrack: warn about use in raw table
Jan Engelhardt [Mon, 14 Feb 2011 16:28:55 +0000]
netfilter: xt_conntrack: warn about use in raw table

nfct happens to run after the raw table only.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - Revert "netfilter: xt_connlimit: connlimit-above early loop termination"
Stefan Berger [Mon, 14 Feb 2011 15:54:33 +0000]
Revert "netfilter: xt_connlimit: connlimit-above early loop termination"

This reverts commit 44bd4de9c2270b22c3c898310102bc6be9ed2978.

I have to revert the early loop termination in connlimit since it generates
problems when an iptables statement does not use -m state --state NEW before
the connlimit match extension.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - bridge: netfilter: fix information leak
Vasiliy Kulikov [Mon, 14 Feb 2011 15:49:23 +0000]
bridge: netfilter: fix information leak

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
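
The information leak described above comes from a fixed-size name field that is copied from userspace and then consumed as a C string without anyone guaranteeing a terminator. The stand-alone C program below is an added illustration, not the bridge netfilter code and not this commit's patch: the struct, its field sizes, the NAME_LEN constant and the function names are constructed. It measures how many bytes of the neighbouring data a string consumer would read past the field, and shows two hardening choices a defender can apply right after the copy: rejecting an unterminated name, or forcing termination so the worst case is a truncated name.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a request structure copied whole from
 * userspace. "name" is later used as a module name; "stack_neighbour"
 * stands in for whatever kernel data happens to follow it on the stack. */
#define NAME_LEN 16
struct table_request {
    char name[NAME_LEN];
    char stack_neighbour[24];
};

/* How many bytes beyond the end of "name" a string consumer (for
 * instance a "%s" format building the modprobe command line) would read
 * before finding a NUL. 0 means the name is terminated inside its field. */
size_t overread_bytes(const struct table_request *req)
{
    const char *base = (const char *)req;
    const char *nul = memchr(base, '\0', sizeof(*req));
    size_t off = nul ? (size_t)(nul - base) : sizeof(*req);
    return off < NAME_LEN ? 0 : off - NAME_LEN;
}

/* Hardening option 1: refuse a request whose name is not NUL-terminated. */
int validate_name(const struct table_request *req)
{
    return memchr(req->name, '\0', NAME_LEN) ? 0 : -EINVAL;
}

/* Hardening option 2: force termination right after the copy, so the
 * worst case is a truncated name rather than a read into adjacent memory. */
void force_terminate(struct table_request *req)
{
    req->name[NAME_LEN - 1] = '\0';
}

/* Constructed input: a request as a misbehaving userspace program could
 * send it, the name field completely filled and no terminator. The
 * neighbouring "kernel" bytes carry a recognisable marker. */
struct table_request make_unterminated_request(void)
{
    struct table_request req;
    memset(req.name, 'A', NAME_LEN);
    memset(req.stack_neighbour, 'K', sizeof(req.stack_neighbour) - 1);
    req.stack_neighbour[sizeof(req.stack_neighbour) - 1] = '\0';
    return req;
}

/* Constructed input: a well-formed request for comparison. */
struct table_request make_terminated_request(void)
{
    struct table_request req;
    memset(&req, 0, sizeof(req));
    strcpy(req.name, "filter");
    return req;
}
```

For the unterminated request, overread_bytes() reports 23 bytes of neighbouring data that would travel along with the name; validate_name() rejects it with -EINVAL, and after force_terminate() the overread drops to 0 with the name cut to NAME_LEN - 1 characters. The well-formed request passes both checks untouched.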

8 years ago - netfilter: xt_connlimit: connlimit-above early loop termination
Stefan Berger [Fri, 11 Feb 2011 17:00:07 +0000]
netfilter: xt_connlimit: connlimit-above early loop termination

The patch below introduces an early termination of the loop that is
counting matches. It terminates once the counter has exceeded the
threshold provided by the user. There's no point in continuing the loop
afterwards and looking at other entries.

It plays together with the following code further below:

return (connections > info->limit) ^ info->inverse;

where connections is the result of the counted connection, which in turn
is the matches variable in the loop. So once

        -> matches = info->limit + 1
alias   -> matches > info->limit
alias   -> matches > threshold

we can terminate the loop.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: add dependency on CONFIG_NETFILTER_NETLINK
Patrick McHardy [Thu, 10 Feb 2011 09:13:07 +0000]
netfilter: ipset: add dependency on CONFIG_NETFILTER_NETLINK

When SYSCTL and PROC_FS and NETFILTER_NETLINK are not enabled:

net/built-in.o: In function `try_to_load_type':
ip_set_core.c:(.text+0x3ab49): undefined reference to `nfnl_unlock'
ip_set_core.c:(.text+0x3ab4e): undefined reference to `nfnl_lock'
...

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - IPVS: precedence bug in ip_vs_sync_switch_mode()
Dan Carpenter [Mon, 7 Feb 2011 08:38:55 +0000]
IPVS: precedence bug in ip_vs_sync_switch_mode()

'!' has higher precedence than '&'.  IP_VS_STATE_MASTER is 0x1 so
the original code is equivalent to if (!ipvs->sync_state) ...

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - IPVS: Use correct lock in SCTP module
Simon Horman [Wed, 2 Feb 2011 22:22:43 +0000]
IPVS: Use correct lock in SCTP module

Use sctp_app_lock instead of tcp_app_lock in the SCTP protocol module.

This appears to be a typo introduced by the netns changes.

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>

8 years ago - netfilter: xtables: add device group match
Patrick McHardy [Wed, 2 Feb 2011 23:05:43 +0000]
netfilter: xtables: add device group match

Add a new 'devgroup' match to match on the device group of the
incoming and outgoing network device of a packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: send error message manually
Jozsef Kadlecsik [Wed, 2 Feb 2011 22:56:00 +0000]
netfilter: ipset: send error message manually

When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modify the attribute there, then send it.
Netlink is notified not to send its ACK/error message.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: fix linking with CONFIG_IPV6=n
Patrick McHardy [Wed, 2 Feb 2011 22:50:01 +0000]
netfilter: ipset: fix linking with CONFIG_IPV6=n

Add a dummy ip_set_get_ip6_port function that unconditionally
returns false for CONFIG_IPV6=n and convert the real function
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables module
when loading ipset.

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: add missing break statements in ip_set_get_ip_port()
Patrick McHardy [Wed, 2 Feb 2011 08:31:37 +0000]
netfilter: ipset: add missing break statements in ip_set_get_ip_port()

Don't fall through in the switch statement, otherwise IPv4 headers
are incorrectly parsed again as IPv6 and the return value will always
be 'false'.

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: install ipset related header files
Patrick McHardy [Tue, 1 Feb 2011 17:52:42 +0000]
netfilter: ipset: install ipset related header files

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - IPVS: Remove ip_vs_sync_cleanup from section __exit
Simon Horman [Tue, 1 Feb 2011 17:30:26 +0000]
IPVS: Remove ip_vs_sync_cleanup from section __exit

ip_vs_sync_cleanup() may be called from ip_vs_init() on error
and thus needs to be accessible from section __init

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - IPVS: Allow compilation with CONFIG_SYSCTL disabled
Simon Horman [Tue, 1 Feb 2011 17:29:04 +0000]
IPVS: Allow compilation with CONFIG_SYSCTL disabled

This is a rather naive approach to allowing IPVS to compile with
CONFIG_SYSCTL disabled.  I am working on a more comprehensive patch which
will remove compilation of all sysctl-related IPVS code when CONFIG_SYSCTL
is disabled.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - IPVS: Remove unused variables
Simon Horman [Tue, 1 Feb 2011 17:27:51 +0000]
IPVS: Remove unused variables

These variables are unused as a result of the recent netns work.

Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - IPVS: remove duplicate initialisation of rs_table
Simon Horman [Tue, 1 Feb 2011 17:24:09 +0000]
IPVS: remove duplicate initialisation of rs_table

Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - IPVS: use z modifier for sizeof() argument
Simon Horman [Tue, 1 Feb 2011 17:21:53 +0000]
IPVS: use z modifier for sizeof() argument

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ctnetlink: fix ctnetlink_parse_tuple() warning
Patrick McHardy [Tue, 1 Feb 2011 16:26:37 +0000]
netfilter: ctnetlink: fix ctnetlink_parse_tuple() warning

net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_parse_tuple':
net/netfilter/nf_conntrack_netlink.c:832:11: warning: comparison between 'enum ctattr_tuple' and 'enum ctattr_type'

Use ctattr_type for the 'type' parameter since that's the type of all attributes
passed to this function.

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: remove unnecessary includes
Patrick McHardy [Tue, 1 Feb 2011 15:57:37 +0000]
netfilter: ipset: remove unnecessary includes

None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: use nla_parse_nested()
Patrick McHardy [Tue, 1 Feb 2011 15:27:25 +0000]
netfilter: ipset: use nla_parse_nested()

Replace calls of the form:

nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy)

by:

nla_parse_nested(tb, ATTR_MAX, attr, policy)

Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: xtables: "set" match and "SET" target support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:56:00 +0000]
netfilter: xtables: "set" match and "SET" target support

The patch adds the combined module of the "SET" target and "set" match
to netfilter. Both the previous and the current revisions are supported.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: list:set set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:54:59 +0000]
netfilter: ipset: list:set set type support

The module implements the list:set type support in two flavours:
without and with timeout. The sets have two sides: for the userspace,
they store the names of other (non list:set type of) sets: one can add,
delete and test set names. For the kernel, it forms an ordered union of
the member sets: the member sets are tried in order when elements are
added, deleted and tested and the process stops at the first success.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: hash:net,port set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:53:55 +0000]
netfilter: ipset: hash:net,port set type support

The module implements the hash:net,port type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are two dimensional: IPv4/IPv6 network address/prefix and protocol/port
pairs.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: hash:net set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:52:54 +0000]
netfilter: ipset: hash:net set type support

The module implements the hash:net type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are one dimensional: IPv4/IPv6 network address/prefixes.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: hash:ip,port,net set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:51:00 +0000]
netfilter: ipset: hash:ip,port,net set type support

The module implements the hash:ip,port,net type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
network address/prefix triples. The different prefixes are searched/matched
from the longest prefix to the shortest one (most specific to least).
In other words the processing time linearly grows with the number of
different prefixes in the set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: hash:ip,port,ip set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:41:26 +0000]
netfilter: ipset: hash:ip,port,ip set type support

The module implements the hash:ip,port,ip type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
address triples.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: hash:ip,port set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:39:52 +0000]
netfilter: ipset: hash:ip,port set type support

The module implements the hash:ip,port type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are two dimensional: IPv4/IPv6 address and protocol/port pairs. The port
is interpreted for TCP, UDP, ICMP and ICMPv6 (for the latter two as type/code
of course).

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: hash:ip set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:38:36 +0000]
netfilter: ipset: hash:ip set type support

The module implements the hash:ip type support in four flavours:
for IPv4 or IPv6, both without and with timeout support.

All the hash types are based on the "array hash" or ahash structure
and functions as a good compromise between minimal memory footprint
and speed. The hashing uses arrays to resolve clashes. The hash table
is resized (doubled) when searching becomes too long. Resizing can be
triggered by userspace add commands only and those are serialized by
the nfnl mutex. During resizing the set is read-locked, so the only
possible concurrent operations are the kernel side readers. Those are
protected by RCU locking.

Because of the four flavours and the other hash types, the functions
are implemented in general forms in the ip_set_ahash.h header file
and the real functions are generated before compiling by macro expansion.
Thus the dereferencing of low-level functions and void pointer arguments
could be avoided: the low-level functions are inlined, the function
arguments are pointers of type-specific structures.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
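
The message above describes the "array hash" shape shared by the hash types: buckets are arrays rather than chains, clashes are appended to the bucket array, and the table is doubled when searching a bucket would become too long. The stand-alone C program below is an added illustration of that shape and is not the ipset code from ip_set_ahash.h: the BUCKET_MAX threshold, the multiplicative hash function (ipset uses jhash), the IPv4-only element type and all function names are constructed, and the read-lock/RCU protection around resizing is left out on purpose.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: each bucket is a small array of elements;
 * a clash appends to the array, and the whole table is doubled when a
 * bucket would otherwise grow past BUCKET_MAX. No locking is modelled. */
#define BUCKET_MAX 4                /* constructed: longest bucket tolerated */

struct bucket {
    uint32_t *elem;                 /* IPv4 addresses, host byte order */
    unsigned int n;
};

struct ahash {
    struct bucket *htable;
    unsigned int htable_bits;       /* table has 1 << htable_bits buckets */
    unsigned int elements;
};

static uint32_t hash_ip(uint32_t ip, unsigned int bits)
{
    /* Multiplicative hashing keeps the example dependency-free. bits >= 1. */
    return (ip * 2654435761u) >> (32 - bits);
}

static void table_free(struct bucket *t, unsigned int size)
{
    for (unsigned int i = 0; i < size; i++)
        free(t[i].elem);
    free(t);
}

int ahash_init(struct ahash *h, unsigned int bits)
{
    if (bits < 1 || bits > 20)
        return -EINVAL;
    h->htable = calloc(1u << bits, sizeof(*h->htable));
    if (!h->htable)
        return -ENOMEM;
    h->htable_bits = bits;
    h->elements = 0;
    return 0;
}

/* Membership test: linear scan of a single bucket's array. */
int ahash_test(const struct ahash *h, uint32_t ip)
{
    const struct bucket *b = &h->htable[hash_ip(ip, h->htable_bits)];
    for (unsigned int i = 0; i < b->n; i++)
        if (b->elem[i] == ip)
            return 1;
    return 0;
}

static int bucket_append(struct bucket *b, uint32_t ip)
{
    uint32_t *grown = realloc(b->elem, (b->n + 1) * sizeof(*grown));
    if (!grown)
        return -ENOMEM;
    b->elem = grown;
    b->elem[b->n++] = ip;
    return 0;
}

/* Double the table and redistribute every element into the new buckets. */
static int ahash_resize(struct ahash *h)
{
    unsigned int old_size = 1u << h->htable_bits, new_bits = h->htable_bits + 1;
    struct bucket *old = h->htable;
    struct bucket *fresh = calloc(1u << new_bits, sizeof(*fresh));
    if (!fresh)
        return -ENOMEM;
    for (unsigned int i = 0; i < old_size; i++)
        for (unsigned int j = 0; j < old[i].n; j++) {
            uint32_t ip = old[i].elem[j];
            if (bucket_append(&fresh[hash_ip(ip, new_bits)], ip)) {
                table_free(fresh, 1u << new_bits);   /* old table stays valid */
                return -ENOMEM;
            }
        }
    table_free(old, old_size);
    h->htable = fresh;
    h->htable_bits = new_bits;
    return 0;
}

/* Add: when the target bucket is already at BUCKET_MAX, resize first so
 * that searching it does not become too long, then retry the placement. */
int ahash_add(struct ahash *h, uint32_t ip)
{
    if (ahash_test(h, ip))
        return -EEXIST;
    for (;;) {
        struct bucket *b = &h->htable[hash_ip(ip, h->htable_bits)];
        if (b->n < BUCKET_MAX) {
            int err = bucket_append(b, ip);
            if (!err)
                h->elements++;
            return err;
        }
        int err = ahash_resize(h);
        if (err)
            return err;
    }
}

void ahash_destroy(struct ahash *h)
{
    table_free(h->htable, 1u << h->htable_bits);
    h->htable = NULL;
    h->elements = 0;
}
```

Starting from four buckets and adding 32 consecutive addresses from 10.0.0.0/24 forces at least one doubling (four buckets of at most four entries hold 16), after which every address is still found, a foreign address is not, and re-adding an existing one is refused with -EEXIST, mirroring the add/test split the message describes for the kernel side.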

8 years ago - netfilter: ipset: bitmap:port set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:37:04 +0000]
netfilter: ipset: bitmap:port set type support

The module implements the bitmap:port type in two flavours, without
and with timeout support to store TCP/UDP ports from a range.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: bitmap:ip,mac type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:35:12 +0000]
netfilter: ipset: bitmap:ip,mac type support

The module implements the bitmap:ip,mac set type in two flavours,
without and with timeout support. In this kind of set one can store
IPv4 address and (source) MAC address pairs. The type supports elements
added without the MAC part filled out: when the first matching from kernel
happens, the MAC part is automatically filled out. The timing out of the
elements starts when an element is complete in the IP,MAC pair.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: bitmap:ip set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:33:17 +0000]
netfilter: ipset: bitmap:ip set type support

The module implements the bitmap:ip set type in two flavours, without
and with timeout support. In this kind of set one can store IPv4
addresses (or network addresses) from a given range.

In order not to waste memory, the timeout version does not rely on
the kernel timer for every element to be timed out but on garbage
collection. All set types use this mechanism.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: ipset: IP set core support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:28:35 +0000]
netfilter: ipset: IP set core support

The patch adds the IP set core support to the kernel.

The IP set core implements a netlink (nfnetlink) based protocol by which
one can create, destroy, flush, rename, swap, list, save, restore sets,
and add, delete, test elements from userspace. For reasons of simplicity
(and backward compatibility, and not forcing ip(6)tables to be linked with
a netlink library) a small getsockopt-based protocol is also kept in order
to communicate with the ip(6)tables match and target.

The netlink protocol passes all u16, etc values in network order with
NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.

For other kernel subsystems (netfilter match and target) the API contains
the functions to add, delete and test elements in sets and the required calls
to get/put references to the sets before those operations can be performed.

The set types (which are implemented in independent modules) are stored
in a simple RCU protected list. A set type may have variants: for example
without timeout or with timeout support, for IPv4 or for IPv6. The sets
(i.e. the pointers to the sets) are stored in an array. The sets are
identified by their index in the array, which makes possible easy and
fast swapping of sets. The array is protected indirectly by the nfnl
mutex from nfnetlink. The content of the sets are protected by the rwlock
of the set.

There are functional differences between the add/del/test functions
for the kernel and userspace:

- kernel add/del/test: works on the current packet (i.e. one element)
- kernel test: may trigger an "add" operation  in order to fill
  out unspecified parts of the element from the packet (like MAC address)
- userspace add/del: works on the netlink message and thus possibly
  on multiple elements from the IPSET_ATTR_ADT container attribute.
- userspace add: may trigger resizing of a set

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:20:14 +0000]
netfilter: NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros

The patch adds the NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros to the
vanilla kernel.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: xt_iprange: add IPv6 match debug print code
Thomas Jacob [Fri, 28 Jan 2011 18:33:13 +0000]
netfilter: xt_iprange: add IPv6 match debug print code

Signed-off-by: Thomas Jacob <jacob@internet24.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - netfilter: xt_iprange: typo in IPv4 match debug print code
Thomas Jacob [Thu, 27 Jan 2011 09:56:32 +0000]
netfilter: xt_iprange: typo in IPv4 match debug print code

Signed-off-by: Thomas Jacob <jacob@internet24.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

8 years ago - Merge branch 'connlimit' of git://dev.medozas.de/linux
Patrick McHardy [Wed, 26 Jan 2011 15:28:45 +0000]
Merge branch 'connlimit' of git://dev.medozas.de/linux

8 years ago - netfilter: xt_connlimit: pick right dstaddr in NAT scenario
Jan Engelhardt [Wed, 26 Jan 2011 10:50:03 +0000]
netfilter: xt_connlimit: pick right dstaddr in NAT scenario

xt_connlimit normally records the "original" tuples in a hashlist
(such as "1.2.3.4 -> 5.6.7.8"), and looks in this list for iph->daddr
when counting.

When the user however uses DNAT in PREROUTING, looking for
iph->daddr -- which is now 192.168.9.10 -- will not match. Thus in
daddr mode, we need to record the reverse direction tuple
("192.168.9.10 -> 1.2.3.4") instead. In the reverse tuple, the dst
addr is on the src side, which is convenient, as count_them still uses
&conn->tuple.src.u3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

8 years ago - netfilter: ipvs: fix compiler warnings
Changli Gao [Tue, 25 Jan 2011 04:40:18 +0000]
netfilter: ipvs: fix compiler warnings

Fix compiler warnings when IP_VS_DBG() isn't defined.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - IPVS netns BUG, register sysctl for root ns
Hans Schillstrom [Mon, 24 Jan 2011 14:14:41 +0000]
IPVS netns BUG, register sysctl for root ns

The newly created table was not used when register sysctl for a new namespace.
I.e. sysctl doesn't work for other than root namespace (init_net)

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - IPVS: Change sock_create_kernel() to __sock_create()
Simon Horman [Sat, 22 Jan 2011 02:48:01 +0000]
IPVS: Change sock_create_kernel() to __sock_create()

The recent netns changes omitted to change
sock_create_kernel() to __sock_create() in ip_vs_sync.c

The effect of this is that the interface will be selected in the
root-namespace, from my point of view it's a major bug.

Reported-by: Hans Schillstrom <hans@schillstrom.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - netfilter: ipvs: fix compiler warnings
Changli Gao [Fri, 21 Jan 2011 10:02:13 +0000]
netfilter: ipvs: fix compiler warnings

Fix compiler warnings when no transport protocol load balancing support
is configured.

[horms@verge.net.au: removed spurious __ip_vs_cleanup() clean-up hunk]
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

8 years ago - netfilter: add a missing include in nf_conntrack_reasm.c
Eric Dumazet [Thu, 20 Jan 2011 20:00:38 +0000]
netfilter: add a missing include in nf_conntrack_reasm.c

After commit ae90bdeaeac6b (netfilter: fix compilation when conntrack is
disabled but tproxy is enabled) we have following warnings :

net/ipv6/netfilter/nf_conntrack_reasm.c:520:16: warning: symbol
'nf_ct_frag6_gather' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:591:6: warning: symbol
'nf_ct_frag6_output' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:612:5: warning: symbol
'nf_ct_frag6_init' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:640:6: warning: symbol
'nf_ct_frag6_cleanup' was not declared. Should it be static?

Fix this including net/netfilter/ipv6/nf_defrag_ipv6.h

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

netfilter: nf_conntrack: fix linker error with NF_CONNTRACK_TIMESTAMP=n
Patrick McHardy [Thu, 20 Jan 2011 19:46:52 +0000]
netfilter: nf_conntrack: fix linker error with NF_CONNTRACK_TIMESTAMP=n

net/built-in.o: In function `nf_conntrack_init_net':
net/netfilter/nf_conntrack_core.c:1521:
undefined reference to `nf_conntrack_tstamp_init'
net/netfilter/nf_conntrack_core.c:1531:
undefined reference to `nf_conntrack_tstamp_fini'

Add dummy inline functions for the =n case to fix this.

Reported-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

netfilter: xtables: add missing header inclusions for headers_check
Jan Engelhardt [Thu, 20 Jan 2011 16:50:17 +0000]
netfilter: xtables: add missing header inclusions for headers_check

Resolve these warnings on `make headers_check`:

usr/include/linux/netfilter/xt_CT.h:7: found __[us]{8,16,32,64} type
without #include <linux/types.h>
...

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

netfilter: nf_nat: place conntrack in source hash after SNAT is done
Changli Gao [Thu, 20 Jan 2011 14:49:52 +0000]
netfilter: nf_nat: place conntrack in source hash after SNAT is done

If SNAT isn't done, the wrong info may be got by the other cts.

As the filter table is after the DNAT table, the packets dropped in the filter
table also bother the bysource hash table.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Merge branch 'connlimit' of git://dev.medozas.de/linux
Patrick McHardy [Thu, 20 Jan 2011 13:17:32 +0000]
Merge branch 'connlimit' of git://dev.medozas.de/linux

netfilter: xtables: remove duplicate member
Jan Engelhardt [Thu, 20 Jan 2011 13:01:12 +0000]
netfilter: xtables: remove duplicate member

Accidentally missed removing the old out-of-union "inverse" member,
which caused the struct size to change which then gives size mismatch
warnings when using an old iptables.

It is interesting to see that gcc did not warn about this before.
(Filed http://gcc.gnu.org/bugzilla/show_bug.cgi?id=47376 )

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

Merge branch 'connlimit' of git://dev.medozas.de/linux
Patrick McHardy [Thu, 20 Jan 2011 09:33:55 +0000]
Merge branch 'connlimit' of git://dev.medozas.de/linux

Conflicts:
Documentation/feature-removal-schedule.txt

Signed-off-by: Patrick McHardy <kaber@trash.net>

netfilter: do not omit re-route check on NF_QUEUE verdict
Florian Westphal [Thu, 20 Jan 2011 09:23:26 +0000]
netfilter: do not omit re-route check on NF_QUEUE verdict

ret != NF_QUEUE only works in the "--queue-num 0" case; for
queues > 0 the test should be '(ret & NF_VERDICT_MASK) != NF_QUEUE'.

However, NF_QUEUE no longer DROPs the skb unconditionally if queueing
fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the
re-route test should also be performed if this flag is set in the
verdict.

The full test would then look something like

&& ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS))

This is rather ugly, so just remove the NF_QUEUE test altogether.

The only effect is that we might perform an unnecessary route lookup
in the NF_QUEUE case.

ip6table_mangle did not have such a check.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
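The commit above turns on how a netfilter verdict word is laid out: the verdict proper lives in the low byte, the nfnetlink queue number in the top 16 bits, and NF_VERDICT_FLAG_QUEUE_BYPASS in between. The following is an added example, not kernel code and not part of the commit. The constant values follow include/uapi/linux/netfilter.h (NF_QUEUE_NR() is rewritten with an unsigned cast so that large queue numbers do not overflow a signed shift); make_queue_verdict(), is_queue_naive(), is_queue() and needs_reroute_check() are illustrative helpers written for this example, and needs_reroute_check() spells out the "full test" the message describes and then discards, not what the kernel ended up doing (the kernel simply dropped the NF_QUEUE condition).

```c
/* Added example, not kernel code: the layout of a netfilter verdict word
 * and the difference between "ret != NF_QUEUE" and a masked comparison.
 * Constant values follow include/uapi/linux/netfilter.h; NF_QUEUE_NR()
 * is written with an unsigned cast so large queue numbers do not overflow. */
#include <stdint.h>
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE  3

#define NF_VERDICT_MASK              0x000000ffu
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000u
#define NF_VERDICT_QMASK             0xffff0000u
#define NF_VERDICT_QBITS             16
#define NF_QUEUE_NR(x) ((((unsigned int)(x) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)

/* Verdict that sends the packet to nfnetlink queue qnum; with bypass set
 * the packet is accepted instead of dropped when nobody listens on it. */
unsigned int make_queue_verdict(uint16_t qnum, int bypass)
{
    unsigned int v = NF_QUEUE_NR(qnum);
    if (bypass)
        v |= NF_VERDICT_FLAG_QUEUE_BYPASS;
    return v;
}

/* The comparison the commit calls out: only true for queue number 0. */
int is_queue_naive(unsigned int ret)
{
    return ret == NF_QUEUE;
}

/* Correct: look only at the low verdict byte. */
int is_queue(unsigned int ret)
{
    return (ret & NF_VERDICT_MASK) == NF_QUEUE;
}

unsigned int verdict_queue_num(unsigned int ret)
{
    return (ret & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS;
}

int verdict_has_bypass(unsigned int ret)
{
    return (ret & NF_VERDICT_FLAG_QUEUE_BYPASS) != 0;
}

/* The "full test" the commit message spells out and then rejects as too
 * ugly: skip the mangle re-route check only when the skb is gone for good
 * (dropped, stolen, or queued without the bypass flag). This is an
 * illustration of that test, not the code the kernel adopted. */
int needs_reroute_check(unsigned int ret)
{
    unsigned int verdict = ret & NF_VERDICT_MASK;

    if (verdict == NF_DROP || verdict == NF_STOLEN)
        return 0;
    if (verdict == NF_QUEUE && !verdict_has_bypass(ret))
        return 0;
    return 1;
}

int main(void)
{
    /* constructed sample verdicts */
    unsigned int samples[] = {
        NF_ACCEPT,
        make_queue_verdict(0, 0),
        make_queue_verdict(1, 0),
        make_queue_verdict(7, 1),
    };
    for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int v = samples[i];
        printf("verdict 0x%08x: naive=%d masked=%d queue=%u bypass=%d reroute=%d\n",
               v, is_queue_naive(v), is_queue(v), verdict_queue_num(v),
               verdict_has_bypass(v), needs_reroute_check(v));
    }
    return 0;
}
```

Running it shows the failure mode directly: the verdict for "--queue-num 1" is 0x00010003, which is_queue_naive() does not recognise, while the masked comparison does.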

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
David S. Miller [Thu, 20 Jan 2011 08:06:15 +0000]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-next-2.6

netfilter: xtables: remove extraneous header that slipped in
Jan Engelhardt [Thu, 20 Jan 2011 07:48:15 +0000]
netfilter: xtables: remove extraneous header that slipped in

Commit 0b8ad87 (netfilter: xtables: add missing header files to export
list) erroneously added this.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

net_sched: cleanups
Eric Dumazet [Wed, 19 Jan 2011 19:26:56 +0000]
net_sched: cleanups

Cleanup net/sched code to current CodingStyle and practices.

Reduce inline abuse

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

af_unix: coding style: remove one level of indentation in unix_shutdown()
Alban Crequy [Wed, 19 Jan 2011 04:56:36 +0000]
af_unix: coding style: remove one level of indentation in unix_shutdown()

Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
Reviewed-by: Ian Molton <ian.molton@collabora.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

net_sched: implement a root container qdisc sch_mqprio
John Fastabend [Mon, 17 Jan 2011 08:06:09 +0000]
net_sched: implement a root container qdisc sch_mqprio

This implements a mqprio queueing discipline that by default creates
a pfifo_fast qdisc per tx queue and provides the needed configuration
interface.

Using the mqprio qdisc the number of tcs currently in use along
with the range of queues allotted to each class can be configured. By
default skbs are mapped to traffic classes using the skb priority.
This mapping is configurable.

Configurable parameters,

struct tc_mqprio_qopt {
__u8    num_tc;
__u8    prio_tc_map[TC_BITMASK + 1];
__u8    hw;
__u16   count[TC_MAX_QUEUE];
__u16   offset[TC_MAX_QUEUE];
};

Here the count/offset pairing give the queue alignment and the
prio_tc_map gives the mapping from skb->priority to tc.

The hw bit determines if the hardware should configure the count
and offset values. If the hardware bit is set then the operation
will fail if the hardware does not implement the ndo_setup_tc
operation. This is to avoid undetermined states where the hardware
may or may not control the queue mapping. Also minimal bounds
checking is done on the count/offset to verify a queue does not
exceed num_tx_queues and that queue ranges do not overlap. Otherwise
it is left to user policy or hardware configuration to create
useful mappings.

It is expected that hardware QOS schemes can be implemented by
creating appropriate mappings of queues in ndo_tc_setup().

One expected use case is drivers will use the ndo_setup_tc to map
queue ranges onto 802.1Q traffic classes. This provides a generic
mechanism to map network traffic onto these traffic classes and
removes the need for lower layer drivers to know specifics about
traffic types.

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net: implement mechanism for HW based QOS
John Fastabend [Mon, 17 Jan 2011 08:06:04 +0000]
net: implement mechanism for HW based QOS

This patch provides a mechanism for lower layer devices to
steer traffic using skb->priority to tx queues. This allows
for hardware based QOS schemes to use the default qdisc without
incurring the penalties related to global state and the qdisc
lock. While reliably receiving skbs on the correct tx ring
to avoid head of line blocking resulting from shuffling in
the LLD. Finally, all the goodness from txq caching and xps/rps
can still be leveraged.

Many drivers and hardware exist with the ability to implement
QOS schemes in the hardware but currently these drivers tend
to rely on firmware to reroute specific traffic, a driver
specific select_queue or the queue_mapping action in the
qdisc.

By using select_queue for this drivers need to be updated for
each and every traffic type and we lose the goodness of much
of the upstream work. Firmware solutions are inherently
inflexible. And finally if admins are expected to build a
qdisc and filter rules to steer traffic this requires knowledge
of how the hardware is currently configured. The number of tx
queues and the queue offsets may change depending on resources.
Also this approach incurs all the overhead of a qdisc with filters.

With the mechanism in this patch users can set skb priority using
expected methods ie setsockopt() or the stack can set the priority
directly. Then the skb will be steered to the correct tx queues
aligned with hardware QOS traffic classes. In the normal case with
single traffic class and all queues in this class everything
works as is until the LLD enables multiple tcs.

To steer the skb we mask out the lower 4 bits of the priority
and allow the hardware to configure up to 15 distinct classes
of traffic. This is expected to be sufficient for most applications;
at any rate it is more than the 8021Q spec designates and is
equal to the number of prio bands currently implemented in
the default qdisc.

This in conjunction with a userspace application such as
lldpad can be used to implement 8021Q transmission selection
algorithms one of these algorithms being the extended transmission
selection algorithm currently being used for DCB.

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
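The two messages above (the sch_mqprio option block with its count/offset bounds checks, and the skb->priority to traffic-class steering) are illustrated below with an added example. It is not kernel code and not part of either commit: the struct layout and the constants TC_MAX_QUEUE (16) and TC_BITMASK (15) are taken from include/uapi/linux/pkt_sched.h; mqprio_validate() is my own implementation of the checks the sch_mqprio message lists (ranges inside num_tx_queues, no overlap between classes), prio_to_tc() indexes the map with the low four bits of the priority the way the kernel's netdev_get_prio_tc_map() does, and the 8-queue/3-class configuration, the flow_hash stand-in for the per-flow hash and the example_* helpers are constructed for this illustration.

```c
/* Added example, not kernel code: validate a tc_mqprio_qopt configuration
 * and show how an skb priority is steered to a tx queue.
 * Constant values match include/uapi/linux/pkt_sched.h. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define TC_MAX_QUEUE 16
#define TC_BITMASK   15

struct tc_mqprio_qopt {
    uint8_t  num_tc;
    uint8_t  prio_tc_map[TC_BITMASK + 1];
    uint8_t  hw;
    uint16_t count[TC_MAX_QUEUE];
    uint16_t offset[TC_MAX_QUEUE];
};

/* Return 0 if the option block is sane for a device with num_tx_queues tx
 * rings, -1 otherwise: num_tc in range, every priority maps to an existing
 * tc, each class's [offset, offset+count) fits inside num_tx_queues and no
 * two class ranges overlap. Own implementation of the checks the commit
 * message describes, not a copy of the kernel's. */
int mqprio_validate(const struct tc_mqprio_qopt *q, unsigned int num_tx_queues)
{
    unsigned int i, j;

    if (q->num_tc == 0 || q->num_tc > TC_MAX_QUEUE)
        return -1;

    for (i = 0; i <= TC_BITMASK; i++)
        if (q->prio_tc_map[i] >= q->num_tc)
            return -1;

    for (i = 0; i < q->num_tc; i++) {
        unsigned int end = (unsigned int)q->offset[i] + q->count[i];

        if (q->count[i] == 0 || end > num_tx_queues)
            return -1;
        for (j = 0; j < i; j++) {
            unsigned int jend = (unsigned int)q->offset[j] + q->count[j];

            /* half-open intervals must be disjoint */
            if (q->offset[i] < jend && q->offset[j] < end)
                return -1;
        }
    }
    return 0;
}

/* Priority to traffic class: only the low 4 bits index the map. */
unsigned int prio_to_tc(const struct tc_mqprio_qopt *q, uint32_t skb_priority)
{
    return q->prio_tc_map[skb_priority & TC_BITMASK];
}

/* Pick a queue inside the class's range; flow_hash stands in for the
 * per-flow hash the stack would normally spread across the queues. */
unsigned int tc_to_queue(const struct tc_mqprio_qopt *q, unsigned int tc, uint32_t flow_hash)
{
    return q->offset[tc] + (flow_hash % q->count[tc]);
}

/* Constructed configuration: 8 queues split into 3 classes,
 * prio 0-3 -> tc0 (queues 0-3), 4-5 -> tc1 (4-5), 6-15 -> tc2 (6-7). */
void example_config(struct tc_mqprio_qopt *q)
{
    memset(q, 0, sizeof(*q));
    q->num_tc = 3;
    for (unsigned int p = 0; p <= TC_BITMASK; p++)
        q->prio_tc_map[p] = p < 4 ? 0 : (p < 6 ? 1 : 2);
    q->offset[0] = 0; q->count[0] = 4;
    q->offset[1] = 4; q->count[1] = 2;
    q->offset[2] = 6; q->count[2] = 2;
}

/* Build the constructed config and validate it; make_overlap moves tc2 so
 * that it starts inside tc1's range, which must be rejected. */
int example_validate(unsigned int num_tx_queues, int make_overlap)
{
    struct tc_mqprio_qopt q;

    example_config(&q);
    if (make_overlap)
        q.offset[2] = 5;
    return mqprio_validate(&q, num_tx_queues);
}

/* End-to-end: skb priority -> tc -> tx queue on the constructed config. */
unsigned int example_queue_for(uint32_t skb_priority, uint32_t flow_hash)
{
    struct tc_mqprio_qopt q;

    example_config(&q);
    return tc_to_queue(&q, prio_to_tc(&q, skb_priority), flow_hash);
}

int main(void)
{
    printf("valid on 8 queues: %d, on 7 queues: %d, overlapping: %d\n",
           example_validate(8, 0), example_validate(7, 0), example_validate(8, 1));
    for (uint32_t prio = 0; prio < 8; prio++)
        printf("prio %u -> queue %u\n", prio, example_queue_for(prio, prio * 7));
    return 0;
}
```

Note that a priority of 0x15 lands in the same class as priority 5: only the low four bits take part in the lookup, so anything userspace puts in the upper bits of SO_PRIORITY has no effect on the class chosen.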

netlink: support setting devgroup parameters
Vlad Dogaru [Thu, 13 Jan 2011 23:38:31 +0000]
netlink: support setting devgroup parameters

If a rtnetlink request specifies a negative or zero ifindex and has no
interface name attribute, but has a group attribute, then the changes
are made to all the interfaces belonging to the specified group.

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>

net_device: add support for network device groups
Vlad Dogaru [Thu, 13 Jan 2011 23:38:30 +0000]
net_device: add support for network device groups

Net devices can now be grouped, enabling simpler manipulation from
userspace. This patch adds a group field to the net_device structure, as
well as rtnetlink support to query and modify it.

Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>

net: cleanup unused macros in net directory
Shan Wei [Thu, 13 Jan 2011 22:19:52 +0000]
net: cleanup unused macros in net directory

Clean up some unused macros in net/*.
1. left over from code changes, e.g. PGV_FROM_VMALLOC, PGV_FROM_VMALLOC, KMEM_SAFETYZONE.
2. never used since being introduced to the kernel,
   e.g. P9_RDMA_MAX_SGE, UTIL_CTRL_PKT_SIZE.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Acked-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

vxge: update driver version
Jon Mason [Tue, 18 Jan 2011 15:02:22 +0000]
vxge: update driver version

Update vxge driver version to 2.5.2

Signed-off-by: Jon Mason <jon.mason@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

vxge: MSIX one shot mode
Jon Mason [Tue, 18 Jan 2011 15:02:21 +0000]
vxge: MSIX one shot mode

To reduce the possibility of losing an interrupt in the handler due to a
race between an interrupt processing and disable/enable of interrupts,
enable MSIX one shot.

Also, add support for adaptive interrupt coalescing

Signed-off-by: Jon Mason <jon.mason@exar.com>
Signed-off-by: Masroor Vettuparambil <masroor.vettuparambil@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

vxge: correct eprom version detection
Jon Mason [Tue, 18 Jan 2011 15:02:20 +0000]
vxge: correct eprom version detection

The firmware PXE EPROM version detection is failing due to passing the
wrong parameter into firmware query function.  Also, the version
printing function has an extraneous newline.

Signed-off-by: Jon Mason <jon.mason@exar.com>
Signed-off-by: Sivakumar Subramani <sivakumar.subramani@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

vxge: cleanup probe error paths
Jon Mason [Tue, 18 Jan 2011 15:02:19 +0000]
vxge: cleanup probe error paths

Reorder the commands to be in the inverse order of their allocations
(instead of the random order they appear to be in), propagate return
code on errors from pci_request_region and register_netdev, reduce the
config_dev_cnt and total_dev_cnt counters on remove, and return the
correct error code for vdev->vpaths kzalloc failures.  Also, prevent
leaking of vdev->vpaths memory and netdev in vxge_probe error path due
to freeing for these not occurring in vxge_device_unregister.

Signed-off-by: Jon Mason <jon.mason@exar.com>
Signed-off-by: Sivakumar Subramani <sivakumar.subramani@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Merge branch 'master' of /repos/git/net-next-2.6
Patrick McHardy [Wed, 19 Jan 2011 22:51:37 +0000]
Merge branch 'master' of /repos/git/net-next-2.6

netfilter: nf_conntrack: fix lifetime display for disabled connections
Patrick McHardy [Wed, 19 Jan 2011 18:10:49 +0000]
netfilter: nf_conntrack: fix lifetime display for disabled connections

When no tstamp extension exists, ct_delta_time() returns -1, which is
then assigned to an u64 and tested for negative values to decide
whether to display the lifetime. This obviously doesn't work, use
a s64 and merge the two minor functions into one.

Signed-off-by: Patrick McHardy <kaber@trash.net>

netfilter: xtables: connlimit revision 1
Jan Engelhardt [Tue, 18 Jan 2011 16:32:40 +0000]
netfilter: xtables: connlimit revision 1

This adds destination address-based selection. The old "inverse"
member is overloaded (memory-wise) with a new "flags" variable,
similar to how J.Park did it with xt_string rev 1. Since revision 0
userspace only sets flag 0x1, no great changes are made to explicitly
test for different revisions.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

netfilter: nf_conntrack_tstamp: add flow-based timestamp extension
Pablo Neira Ayuso [Wed, 19 Jan 2011 15:00:07 +0000]
netfilter: nf_conntrack_tstamp: add flow-based timestamp extension

This patch adds flow-based timestamping for conntracks. This
conntrack extension is disabled by default. Basically, we use
two 64-bits variables to store the creation timestamp once the
conntrack has been confirmed and the other to store the deletion
time. This extension is disabled by default, to enable it, you
have to:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

This patch allows to save memory for user-space flow-based
loggers such as ulogd2. In short, ulogd2 does not need to
keep a hashtable with the conntrack in user-space to know
when they were created and destroyed; instead we use the
kernel timestamp. If we want to have a sane IPFIX implementation
in user-space, these nanosecond-resolution timestamps are also
useful. Other custom user-space applications can benefit from
this via libnetfilter_conntrack.

This patch modifies the /proc output to display the delta time
in seconds since the flow start. You can also obtain the
flow-start date by means of the conntrack-tools.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

net: filter: dont block softirqs in sk_run_filter()
Eric Dumazet [Tue, 18 Jan 2011 07:46:52 +0000]
net: filter: dont block softirqs in sk_run_filter()

Packet filter (BPF) doesn't need to disable softirqs, being fully
re-entrant and lock-less.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

af_unix: implement socket filter
Alban Crequy [Tue, 18 Jan 2011 06:39:15 +0000]
af_unix: implement socket filter

Linux Socket Filters can already be successfully attached and detached on unix
sockets with setsockopt(sockfd, SOL_SOCKET, SO_{ATTACH,DETACH}_FILTER, ...).
See: Documentation/networking/filter.txt

But the filter was never used in the unix socket code so it did not work. This
patch uses sk_filter() to filter buffers before delivery.

This short program demonstrates the problem on SOCK_DGRAM.

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <poll.h>
#include <sys/socket.h>
#include <linux/filter.h>

int main(void) {
  int i, j, ret;
  int sv[2];
  struct pollfd fds[2];
  const char *message = "Hello world!";
  char buffer[64];
  struct sock_filter ins[32] = {{0,},};
  struct sock_fprog filter;

  if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) {
    perror("socketpair");
    return 1;
  }

  for (i = 0 ; i < 2 ; i++) {
    fds[i].fd = sv[i];
    fds[i].events = POLLIN;
    fds[i].revents = 0;
  }

  /* "Hello world!" plus its terminating NUL is 13 bytes; truncate to 1..12 */
  for (j = 1 ; j < 13 ; j++) {

    /* Set a socket filter to truncate the message: a single
     * BPF "return j" instruction accepts only the first j bytes */
    memset(ins, 0, sizeof(ins));
    ins[0].code = BPF_RET|BPF_K;
    ins[0].k = j;
    filter.len = 1;
    filter.filter = ins;
    if (setsockopt(sv[1], SOL_SOCKET, SO_ATTACH_FILTER, &filter, sizeof(filter)) < 0)
      perror("setsockopt(SO_ATTACH_FILTER)");

    /* send a message */
    send(sv[0], message, strlen(message) + 1, 0);

    /* The filter should let the message pass but truncated. */
    poll(fds, 2, 0);

    /* Receive the truncated message */
    ret = recv(sv[1], buffer, sizeof(buffer), 0);
    printf("received %d bytes, expected %d\n", ret, j);
  }

  for (i = 0 ; i < 2 ; i++)
    close(sv[i]);

  return 0;
}

Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
Reviewed-by: Ian Molton <ian.molton@collabora.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
David S. Miller [Wed, 19 Jan 2011 00:28:31 +0000]
Merge branch 'master' of /linux/kernel/git/davem/net-2.6

gianfar: Fix misleading indentation in startup_gfar()
Anton Vorontsov [Tue, 18 Jan 2011 02:36:02 +0000]
gianfar: Fix misleading indentation in startup_gfar()

Just stumbled upon the issue while looking for another bug.

The code looks correct, the indentation is not.

Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/irda/sh_irda: return to RX mode when TX error
Kuninori Morimoto [Thu, 13 Jan 2011 21:47:42 +0000]
net/irda/sh_irda: return to RX mode when TX error

sh_irda cannot use RX and TX at the same time,
but this driver didn't return to RX mode when a TX error occurred.
This patch handles the xmit error case to solve this issue.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net offloading: Do not mask out NETIF_F_HW_VLAN_TX for vlan.
Jesse Gross [Mon, 17 Jan 2011 20:46:00 +0000]
net offloading: Do not mask out NETIF_F_HW_VLAN_TX for vlan.

In netif_skb_features() we return only the features that are valid for vlans
if we have a vlan packet.  However, we should not mask out NETIF_F_HW_VLAN_TX
since it enables transmission of vlan tags and is obviously valid.

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

USB CDC NCM: tx_fixup() race condition fix
Alexey Orishko [Mon, 17 Jan 2011 07:07:25 +0000]
USB CDC NCM: tx_fixup() race condition fix

- tx_fixup() can be called from either timer callback or from xmit()
  in usbnet, so spinlock is added to avoid concurrency-related problem.
- minor correction due to checkpatch warning for some line over 80
  chars after previous patch was applied.

Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

ns83820: Avoid bad pointer deref in ns83820_init_one().
Jesper Juhl [Mon, 17 Jan 2011 10:24:57 +0000]
ns83820: Avoid bad pointer deref in ns83820_init_one().

In drivers/net/ns83820.c::ns83820_init_one() we dynamically allocate
memory via alloc_etherdev(). We then call PRIV() on the returned storage
which is 'return netdev_priv()'. netdev_priv() takes the pointer it is
passed and adds 'ALIGN(sizeof(struct net_device), NETDEV_ALIGN)' to it and
returns it. Then we test the resulting pointer for NULL, which it is
unlikely to be at this point, and later dereference it. This will go bad
if alloc_etherdev() actually returned NULL.

This patch reworks the code slightly so that we test for a NULL pointer
(and return -ENOMEM) directly after calling alloc_etherdev().

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

ipv6: Silence privacy extensions initialization
Romain Francoise [Mon, 17 Jan 2011 07:59:18 +0000]
ipv6: Silence privacy extensions initialization

When a network namespace is created (via CLONE_NEWNET), the loopback
interface is automatically added to the new namespace, triggering a
printk in ipv6_add_dev() if CONFIG_IPV6_PRIVACY is set.

This is problematic for applications which use CLONE_NEWNET as
part of a sandbox, like Chromium's suid sandbox or recent versions of
vsftpd. On a busy machine, it can lead to thousands of useless
"lo: Disabled Privacy Extensions" messages appearing in dmesg.

It's easy enough to check the status of privacy extensions via the
use_tempaddr sysctl, so just removing the printk seems like the most
sensible solution.

Signed-off-by: Romain Francoise <romain@orebokech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Update bnx2x version to 1.62.00-4
Yaniv Rosner [Tue, 18 Jan 2011 04:33:55 +0000]
bnx2x: Update bnx2x version to 1.62.00-4

Update bnx2x version to 1.62.00-4

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Fix AER setting for BCM57712
Yaniv Rosner [Tue, 18 Jan 2011 04:33:52 +0000]
bnx2x: Fix AER setting for BCM57712

Fix AER settings for BCM57712 to allow accessing all device addresses range in CL45 MDC/MDIO

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Fix BCM84823 LED behavior
Yaniv Rosner [Tue, 18 Jan 2011 04:33:47 +0000]
bnx2x: Fix BCM84823 LED behavior

Fix BCM84823 LED behavior which may show on some systems

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Mark full duplex on some external PHYs
Yaniv Rosner [Tue, 18 Jan 2011 04:33:42 +0000]
bnx2x: Mark full duplex on some external PHYs

Device may show incorrect duplex mode for devices with external PHY

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Fix BCM8073/BCM8727 microcode loading
Yaniv Rosner [Tue, 18 Jan 2011 04:33:36 +0000]
bnx2x: Fix BCM8073/BCM8727 microcode loading

Improve microcode loading verification before proceeding to next stage

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: LED fix for BCM8727 over BCM57712
Yaniv Rosner [Tue, 18 Jan 2011 04:33:31 +0000]
bnx2x: LED fix for BCM8727 over BCM57712

LED on BCM57712+BCM8727 systems requires different settings

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Common init will be executed only once after POR
Yaniv Rosner [Tue, 18 Jan 2011 04:33:24 +0000]
bnx2x: Common init will be executed only once after POR

Common init used to be called by the driver when the first port comes up,
mainly to reset and reload external PHY microcode.
However, in case a management driver is active on the other port, traffic
would be halted. So limit the common init to be done only once after POR.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

bnx2x: Swap BCM8073 PHY polarity if required
Yaniv Rosner [Tue, 18 Jan 2011 04:33:18 +0000]
bnx2x: Swap BCM8073 PHY polarity if required

Enable controlling BCM8073 PN polarity swap through nvm configuration, which is required in certain systems

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>