1. 01 Jul, 2013 3 commits
    • net/mlx4_core: Add HW enforcement to VF link state · 0a6eac24
      Rony Efraim authored
      When the firmware supports the UPDATE_QP command, if the VF link is disabled,
      block all QPs opened by the VF, by programming the UPDATE_QP command to drop
      all RX & TX traffic to/from these QPs. Operates only in VST mode.
      Signed-off-by: Rony Efraim <ronye@mellanox.com>
      Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net/mlx4_core: Dynamic VST to VST vlan/qos changes · b01978ca
      Jack Morgenstein authored
      Within VST mode, enable modifying the vlan and/or qos
      for a VF without requiring unbind/rebind.
      
      This requires firmware which supports the UPDATE_QP command.
      (If the command is not available, we fall back to requiring
      unbind/bind to activate these changes).
      
      To avoid race conditions with modify-qp on QPs that are affected
      by update-qp, this operation is performed on the comm_wq.
      
      If the update operation succeeds for all the necessary QPs, a
      vlan_unregister is performed for the abandoned vlan id.
      Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 4e144d3a
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      The following batch contains Netfilter/IPVS updates for net-next,
      they are:
      
      * Enforce policy to several nfnetlink subsystem, from Daniel
        Borkmann.
      
      * Use xt_socket to match the third packet (to perform simplistic
        socket-based stateful filtering), from Eric Dumazet.
      
      * Avoid large timeout for picked up from the middle TCP flows,
        from Florian Westphal.
      
      * Exclude IPVS from struct net if IPVS is disabled and removal
        of unnecessary included header file, from JunweiZhang.
      
      * Release SCTP connection immediately under load, to mimic current
        TCP behaviour, from Julian Anastasov.
      
      * Replace and enhance SCTP state machine, from Julian Anastasov.
      
      * Add tweak to reduce sync traffic in the presence of persistence,
        also from Julian Anastasov.
      
      * Add tweak for the IPVS SH scheduler not to reject connections
        directed to a server, choose a new one instead, from Alexander
        Frolkin.
      
      * Add support for sloppy TCP and SCTP modes, that creates state
        information on any packet, not only initial handshake packets,
        from Alexander Frolkin.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 30 Jun, 2013 1 commit
    • netfilter: nf_queue: add NFQA_SKB_CSUM_NOTVERIFIED info flag · 496e4ae7
      Florian Westphal authored
      The common case is that TCP/IP checksums have already been
      verified, e.g. by hardware (rx checksum offload), or conntrack.
      
      Userspace can use this flag to determine when the checksum
      has not been validated yet.
      
      If the flag is set, this doesn't necessarily mean that the packet has
      an invalid checksum, e.g. if NIC doesn't support rx checksum.
      
      Userspace that successfully enabled NFQA_CFG_F_GSO queue feature flag can
      infer that IP/TCP checksum has already been validated if either the
      SKB_INFO attribute is not present or the NFQA_SKB_CSUM_NOTVERIFIED
      flag is unset.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 29 Jun, 2013 14 commits
  4. 28 Jun, 2013 6 commits
    • bonding: when cloning a MAC use NET_ADDR_STOLEN · ae0d6750
      nikolay@redhat.com authored
      A simple semantic change, when a slave's MAC is cloned by the bond
      master then set addr_assign_type to NET_ADDR_STOLEN instead of
      NET_ADDR_SET. Also use bond_set_dev_addr() in BOND_FOM_ACTIVE mode
      to change the bond's MAC address because the assign_type has to be
      set properly.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bonding: remove unnecessary dev_addr_from_first member · 97a1e639
      nikolay@redhat.com authored
      In struct bonding there's a member called dev_addr_from_first which is
      used to denote when the bond dev should clone the first slave's MAC
      address but since we have netdev's addr_assign_type variable that is not
      necessary. We clone the first slave's MAC each time we have a random MAC
      set to the bond device. This has the nice side-effect of also fixing an
      inconsistency - when the MAC address of the bond dev is set after its
      creation, but prior to having slaves, it's not kept and the first slave's
      MAC is cloned. The only way to keep the MAC was to create the bond device
      with the MAC address set (e.g. through ip link). In all cases if the
      bond device is left without any slaves - its MAC gets reset to a random
      one as before.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bonding: remove unnecessary setup_by_slave member · 8d2ada77
      nikolay@redhat.com authored
      We have a member called setup_by_slave in struct bonding to denote if the
      bond dev has different type than ARPHRD_ETHER, but that is already denoted
      in bond's netdev type variable if it was setup by the slave, so use that
      instead of the member.
      Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netlink: fix splat in skb_clone with large messages · 3a36515f
      Pablo Neira authored
      Since (c05cdb1b netlink: allow large data transfers from user-space),
      netlink splats if it invokes skb_clone on large netlink skbs since:
      
      * skb_shared_info was not correctly initialized.
      * skb->destructor is not set in the cloned skb.
      
      This was spotted by trinity:
      
      [  894.990671] BUG: unable to handle kernel paging request at ffffc9000047b001
      [  894.991034] IP: [<ffffffff81a212c4>] skb_clone+0x24/0xc0
      [...]
      [  894.991034] Call Trace:
      [  894.991034]  [<ffffffff81ad299a>] nl_fib_input+0x6a/0x240
      [  894.991034]  [<ffffffff81c3b7e6>] ? _raw_read_unlock+0x26/0x40
      [  894.991034]  [<ffffffff81a5f189>] netlink_unicast+0x169/0x1e0
      [  894.991034]  [<ffffffff81a601e1>] netlink_sendmsg+0x251/0x3d0
      
      Fix it by:
      
      1) introducing a new netlink_skb_clone function that is used in nl_fib_input,
         that sets our special skb->destructor in the cloned skb. Moreover, handle
         the release of the large cloned skb head area in the destructor path.
      
      2) not allowing large skbuffs in the netlink broadcast path. I cannot find
         any reasonable use of the large data transfer using netlink in that path,
         moreover this helps to skip extra skb_clone handling.
      
      I found two more netlink clients that are cloning the skbs, but they are
      not in the sendmsg path. Therefore, the sole client cloning that I found
      seems to be the fib frontend.
      
      Thanks to Eric Dumazet for helping to address this issue.
      Reported-by: Fengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sit: add support of x-netns · 5e6700b3
      Nicolas Dichtel authored
      This patch allows to switch the netns when packet is encapsulated or
      decapsulated. In other words, the encapsulated packet is received in a netns,
      where the lookup is done to find the tunnel. Once the tunnel is found, the
      packet is decapsulated and injected into the corresponding interface which
      stands to another netns.
      
      When one of the two netns is removed, the tunnel is destroyed.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • dev: introduce skb_scrub_packet() · 621e84d6
      Nicolas Dichtel authored
      The goal of this new function is to perform all needed cleanup before sending
      an skb into another netns.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 27 Jun, 2013 4 commits
  6. 26 Jun, 2013 12 commits