1. 15 Mar, 2011 19 commits
  2. 14 Mar, 2011 2 commits
  3. 09 Mar, 2011 1 commit
  4. 08 Mar, 2011 1 commit
  5. 28 Feb, 2011 1 commit
    • Pablo Neira Ayuso's avatar
      netfilter: nf_ct_tcp: fix out of sync scenario while in SYN_RECV · 8a80c79a
      Pablo Neira Ayuso authored
      This patch fixes the out of sync scenarios while in SYN_RECV state.
      
      Quoting Jozsef, what it happens if we are out of sync if the
      following:
      
      > > b. conntrack entry is outdated, new SYN received
      > >    - (b1) we ignore it but save the initialization data from it
      > >    - (b2) when the reply SYN/ACK receives and it matches the saved data,
      > >      we pick up the new connection
      This is what it should happen if we are in SYN_RECV state. Initially,
      the SYN packet hits b1, thus we save data from it. But the SYN/ACK
      packet is considered a retransmission given that we're in SYN_RECV
      state. Therefore, we never hit b2 and we don't get in sync. To fix
      this, we ignore SYN/ACK if we are in SYN_RECV. If the previous packet
      was a SYN, then we enter the ignore case that get us in sync.
      
      This patch helps a lot to conntrackd in stress scenarios (assumming a
      client that generates lots of small TCP connections). During the failover,
      consider that the new primary has injected one outdated flow in SYN_RECV
      state (this is likely to happen if the conntrack event rate is high
      because the backup will be a bit delayed from the primary). With the
      current code, if the client starts a new fresh connection that matches
      the tuple, the SYN packet will be ignored without updating the state
      tracking, and the SYN+ACK in reply will blocked as it will not pass
      checkings III or IV (since all state tracking in the original direction
      is not initialized because of the SYN packet was ignored and the ignore
      case that get us in sync is not applied).
      
      I posted a couple of patches before this one. Changli Gao spotted
      a simpler way to fix this problem. This patch implements his idea.
      
      Cc: Changli Gao <xiaosuo@gmail.com>
      Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      8a80c79a
  6. 25 Feb, 2011 1 commit
  7. 24 Feb, 2011 1 commit
  8. 22 Feb, 2011 1 commit
  9. 16 Feb, 2011 1 commit
    • Patrick Schaaf's avatar
      ipvs: make "no destination available" message more informative · 41ac51ee
      Patrick Schaaf authored
      When IP_VS schedulers do not find a destination, they output a terse
      "WLC: no destination available" message through kernel syslog, which I
      can not only make sense of because syslog puts them in a logfile
      together with keepalived checker results.
      
      This patch makes the output a bit more informative, by telling you which
      virtual service failed to find a destination.
      
      Example output:
      
      kernel: [1539214.552233] IPVS: wlc: TCP 192.168.8.30:22 - no destination available
      kernel: [1539299.674418] IPVS: wlc: FWM 22 0x00000016 - no destination available
      
      I have tested the code for IPv4 and FWM services, as you can see from
      the example; I do not have an IPv6 setup to test the third code path
      with.
      
      To avoid code duplication, I put a new function ip_vs_scheduler_err()
      into ip_vs_sched.c, and use that from the schedulers instead of calling
      IP_VS_ERR_RL directly.
      Signed-off-by: default avatarPatrick Schaaf <netdev@bof.de>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      41ac51ee
  10. 15 Feb, 2011 3 commits
  11. 14 Feb, 2011 3 commits
  12. 11 Feb, 2011 1 commit
    • Stefan Berger's avatar
      netfilter: xt_connlimit: connlimit-above early loop termination · 44bd4de9
      Stefan Berger authored
      The patch below introduces an early termination of the loop that is
      counting matches. It terminates once the counter has exceeded the
      threshold provided by the user. There's no point in continuing the loop
      afterwards and looking at other entries.
      
      It plays together with the following code further below:
      
      return (connections > info->limit) ^ info->inverse;
      
      where connections is the result of the counted connection, which in turn
      is the matches variable in the loop. So once
      
              -> matches = info->limit + 1
      alias   -> matches > info->limit
      alias   -> matches > threshold
      
      we can terminate the loop.
      Signed-off-by: default avatarStefan Berger <stefanb@linux.vnet.ibm.com>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      44bd4de9
  13. 10 Feb, 2011 1 commit
  14. 07 Feb, 2011 1 commit
  15. 03 Feb, 2011 1 commit
  16. 02 Feb, 2011 2 commits
    • Patrick McHardy's avatar
      netfilter: xtables: add device group match · 9291747f
      Patrick McHardy authored
      Add a new 'devgroup' match to match on the device group of the
      incoming and outgoing network device of a packet.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      9291747f
    • Jozsef Kadlecsik's avatar
      netfilter: ipset: send error message manually · 5f52bc3c
      Jozsef Kadlecsik authored
      When a message carries multiple commands and one of them triggers
      an error, we have to report to the userspace which one was that.
      The line number of the command plays this role and there's an attribute
      reserved in the header part of the message to be filled out with the error
      line number. In order not to modify the original message received from
      the userspace, we construct a new, complete netlink error message and
      modifies the attribute there, then send it.
      Netlink is notified not to send its ACK/error message.
      
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      5f52bc3c