- 24 Sep, 2012 4 commits
-
-
Pablo Neira Ayuso authored
This patch adds the NFQA_CAP_LEN attribute that allows us to know what is the real packet size from user-space (even if we decided to retrieve just a few bytes from the packet instead of all of it). Security software that inspects packets should always check for this new attribute to make sure that it is inspecting the entire packet. This also helps to provide a workaround for the problem described in: http://marc.info/?l=netfilter-devel&m=134519473212536&w=2 Original idea from Florian Westphal. Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
The packets that we send via NFQUEUE are encapsulated in the NFQA_PAYLOAD attribute. The length of the packet in userspace is obtained via attr->nla_len field. This field contains the size of the Netlink attribute header plus the packet length. If the maximum packet length is specified, ie. 65535 bytes, and packets in the range of (65531,65535] are sent to userspace, the attr->nla_len overflows and it reports bogus lengths to the application. To fix this, this patch limits the maximum packet length to 65531 bytes. If larger packet length is specified, the packet that we send to user-space is truncated to 65531 bytes. To support 65535 bytes packets, we have to revisit the idea of the 32-bits Netlink attribute length. Reported-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
Pablo Neira Ayuso authored
This patch allows the FTP helper to pickup the sequence tracking from the first packet seen. This is useful to fix the breakage of the first FTP command after the failover while using conntrackd to synchronize states. The seq_aft_nl_num field in struct nf_ct_ftp_info has been shrinked to 16-bits (enough for what it does), so we can use the remaining 16-bits to store the flags while using the same size for the private FTP helper data. Signed-off-by: -
Florian Westphal authored
Currently, if you want to do something like: "match Monday, starting 23:00, for two hours" You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00. The rule: --weekdays Mo --timestart 23:00 --timestop 01:00 looks correct, but it will first match on monday from midnight to 1 a.m. and then again for another hour from 23:00 onwards. This permits userspace to explicitly ignore the day transition and match for a single, continuous time period instead. Signed-off-by:
-
- 22 Sep, 2012 5 commits
-
-
Jozsef Kadlecsik authored
Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by:Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering. Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by:
-
- 21 Sep, 2012 9 commits
-
-
Jozsef Kadlecsik authored
bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely. Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jan Engelhardt authored
Combine more modules since the actual code is so small anyway that the kmod metadata and the module in its loaded state totally outweighs the combined actual code size. IP_NF_TARGET_REDIRECT becomes a compat option; IP6_NF_TARGET_REDIRECT is completely eliminated since it has not see a release yet. Signed-off-by:
Jan Engelhardt <jengelh@inai.de> Acked-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Jan Engelhardt authored
Combine more modules since the actual code is so small anyway that the kmod metadata and the module in its loaded state totally outweighs the combined actual code size. IP_NF_TARGET_NETMAP becomes a compat option; IP6_NF_TARGET_NETMAP is completely eliminated since it has not see a release yet. Signed-off-by:
-
Ulrich Weber authored
hlist walk in find_appropriate_src() is not protected anymore by rcu_read_lock(), so rcu_read_unlock() is unnecessary if in_range() matches. This bug was added in (c7232c99 netfilter: add protocol independent NAT core). Signed-off-by:
Ulrich Weber <ulrich.weber@sophos.com> Signed-off-by:
-
Patrick McHardy authored
When unloading a protocol module nf_ct_iterate_cleanup() is used to remove all conntracks using the protocol from the bysource hash and clean their NAT sections. Since the conntrack isn't actually killed, the NAT callback is invoked twice, once for each direction, which causes an oops when trying to delete it from the bysource hash for the second time. The same oops can also happen when removing both an L3 and L4 protocol since the cleanup function doesn't check whether the conntrack has already been cleaned up. Pid: 4052, comm: modprobe Not tainted 3.6.0-rc3-test-nat-unload-fix+ #32 Red Hat KVM RIP: 0010:[<ffffffffa002c303>] [<ffffffffa002c303>] nf_nat_proto_clean+0x73/0xd0 [nf_nat] RSP: 0018:ffff88007808fe18 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8800728550c0 RCX: ffff8800756288b0 RDX: dead000000200200 RSI: ffff88007808fe88 RDI: ffffffffa002f208 RBP: ffff88007808fe28 R08: ffff88007808e000 R09: 0000000000000000 R10: dead000000200200 R11: dead000000100100 R12: ffffffff81c6dc00 R13: ffff8800787582b8 R14: ffff880078758278 R15: ffff88007808fe88 FS: 00007f515985d700(0000) GS:ffff88007cd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f515986a000 CR3: 000000007867a000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process modprobe (pid: 4052, threadinfo ffff88007808e000, task ffff8800756288b0) Stack: ffff88007808fe68 ffffffffa002c290 ffff88007808fe78 ffffffff815614e3 ffffffff00000000 00000aeb00000246 ffff88007808fe68 ffffffff81c6dc00 ffff88007808fe88 ffffffffa00358a0 0000000000000000 000000000040f5b0 Call Trace: [<ffffffffa002c290>] ? nf_nat_net_exit+0x50/0x50 [nf_nat] [<ffffffff815614e3>] nf_ct_iterate_cleanup+0xc3/0x170 [<ffffffffa002c55a>] nf_nat_l3proto_unregister+0x8a/0x100 [nf_nat] [<ffffffff812a0303>] ? compat_prepare_timeout+0x13/0xb0 [<ffffffffa0035848>] nf_nat_l3proto_ipv4_exit+0x10/0x23 [nf_nat_ipv4] ... To fix this, - check whether the conntrack has already been cleaned up in nf_nat_proto_clean - change nf_ct_iterate_cleanup() to only invoke the callback function once for each conntrack (IP_CT_DIR_ORIGINAL). The second change doesn't affect other callers since when conntracks are actually killed, both directions are removed from the hash immediately and the callback is already only invoked once. If it is not killed, the second callback invocation will always return the same decision not to kill it. Reported-by:
Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by:
-
Pablo Neira Ayuso authored
* NF_NAT_IPV6 requires IP6_NF_IPTABLES * IP6_NF_TARGET_MASQUERADE, IP6_NF_TARGET_NETMAP, IP6_NF_TARGET_REDIRECT and IP6_NF_TARGET_NPT require NF_NAT_IPV6. This change just mirrors what IPv4 does in Kconfig, for consistency. Reported-by:
Randy Dunlap <rdunlap@xenotime.net> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-nextDavid S. Miller authored
Jeff Kirsher says: ==================== This series contains updates to igb and ixgbevf. v2: updated patch description in 04 patch (ixgbevf: scheduling while atomic in reset hw path) ... Akeem G. Abodunrin (1): igb: Support to enable EEE on all eee_supported devices Alexander Duyck (2): igb: Remove artificial restriction on RQDPC stat reading ixgbevf: Add support for VF API negotiation John Fastabend (1): ixgbevf: scheduling while atomic in reset hw path ==================== Signed-off-by:David S. Miller <davem@davemloft.net>
-
Joe Perches authored
Remove unnecessary temporary variable and #ifdef DEBUG block. Signed-off-by:
Joe Perches <joe@perches.com> Signed-off-by:
-
- 20 Sep, 2012 9 commits
-
-
Greg Kroah-Hartman authored
The dbg() USB macro is so old, it predates me. The USB networking drivers are the last hold-out using this macro, and we want to get rid of it, so replace the usage of it with the proper netdev_dbg() or dev_dbg() (depending on the context) calls. Some places we end up using a local variable for the debug call, so also convert the other existing dev_* calls to use it as well, to save tiny amounts of code space. Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
-
Alan Cox authored
Both tcp_timewait_state_process and tcp_check_req use the same basic construct of struct tcp_options received tmp_opt; tmp_opt.saw_tstamp = 0; then call tcp_parse_options However if they are fed a frame containing a TCP_SACK then tbe code behaviour is undefined because opt_rx->sack_ok is undefined data. This ought to be documented if it is intentional. Signed-off-by:
Alan Cox <alan@linux.intel.com> Signed-off-by:
-
Christoph Paasch authored
Signed-off-by:
Christoph Paasch <christoph.paasch@uclouvain.be> Acked-by:
H.K. Jerry Chu <hkchu@google.com> Acked-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Or Gerlitz authored
Add rtnl_link_ops to IPoIB, with the first usage being child device create/delete through them. Childs devices are now either legacy ones, created/deleted through the ipoib sysfs entries, or RTNL ones. Adding support for RTNL childs involved refactoring of ipoib_vlan_add which is now used by both the sysfs and the link_ops code. Also, added ndo_uninit entry to support calling unregister_netdevice_queue from the rtnl dellink entry. This required removal of calls to ipoib_dev_cleanup from the driver in flows which use unregister_netdevice, since the networking core will invoke ipoib_uninit which does exactly that. Signed-off-by:
Erez Shitrit <erezsh@mellanox.co.il> Signed-off-by:
Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/bwh/sfc-nextDavid S. Miller authored
Ben Hutchings says: ==================== 1. Extension to PPS/PTP to allow for PHC devices where pulses are subject to a variable but measurable delay. 2. PPS/PTP/PHC support for Solarflare boards with a timestamping peripheral. 3. MTD support for updating the timestamping peripheral on those boards. 4. Fix for potential over-length requests to firmware. ==================== Signed-off-by: -
John Fastabend authored
In ixgbevf_reset_hw_vf() msleep is called while holding mbx_lock resulting in a schedule while atomic bug with trace below. This patch uses mdelay instead. BUG: scheduling while atomic: ip/6539/0x00000002 2 locks held by ip/6539: #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81419cc3>] rtnl_lock+0x17/0x19 #1: (&(&adapter->mbx_lock)->rlock){+.+...}, at: [<ffffffffa0030855>] ixgbevf_reset+0x30/0xc1 [ixgbevf] Modules linked in: ixgbevf ixgbe mdio libfc scsi_transport_fc 8021q scsi_tgt garp stp llc cpufreq_ondemand acpi_cpufreq freq_table mperf ipv6 uinput igb coretemp hwmon crc32c_intel ioatdma i2c_i801 shpchp microcode lpc_ich mfd_core i2c_core joydev dca pcspkr serio_raw pata_acpi ata_generic usb_storage pata_jmicron Pid: 6539, comm: ip Not tainted 3.6.0-rc3jk-net-next+ #104 Call Trace: [<ffffffff81072202>] __schedule_bug+0x6a/0x79 [<ffffffff814bc7e0>] __schedule+0xa2/0x684 [<ffffffff8108f85f>] ? trace_hardirqs_off+0xd/0xf [<ffffffff814bd0c0>] schedule+0x64/0x66 [<ffffffff814bb5e2>] schedule_timeout+0xa6/0xca [<ffffffff810536b9>] ? lock_timer_base+0x52/0x52 [<ffffffff812629e0>] ? __udelay+0x15/0x17 [<ffffffff814bb624>] schedule_timeout_uninterruptible+0x1e/0x20 [<ffffffff810541c0>] msleep+0x1b/0x22 [<ffffffffa002e723>] ixgbevf_reset_hw_vf+0x90/0xe5 [ixgbevf] [<ffffffffa0030860>] ixgbevf_reset+0x3b/0xc1 [ixgbevf] [<ffffffffa0032fba>] ixgbevf_open+0x43/0x43e [ixgbevf] [<ffffffff81409610>] ? dev_set_rx_mode+0x2e/0x33 [<ffffffff8140b0f1>] __dev_open+0xa0/0xe5 [<ffffffff814097ed>] __dev_change_flags+0xbe/0x142 [<ffffffff8140b01c>] dev_change_flags+0x21/0x56 [<ffffffff8141a843>] do_setlink+0x2e2/0x7f4 [<ffffffff81016e36>] ? native_sched_clock+0x37/0x39 [<ffffffff8141b0ac>] rtnl_newlink+0x277/0x4bb [<ffffffff8141aee9>] ? rtnl_newlink+0xb4/0x4bb [<ffffffff812217d1>] ? selinux_capable+0x32/0x3a [<ffffffff8104fb17>] ? ns_capable+0x4f/0x67 [<ffffffff81419cc3>] ? rtnl_lock+0x17/0x19 [<ffffffff81419f28>] rtnetlink_rcv_msg+0x236/0x253 [<ffffffff81419cf2>] ? rtnetlink_rcv+0x2d/0x2d [<ffffffff8142fd42>] netlink_rcv_skb+0x43/0x94 [<ffffffff81419ceb>] rtnetlink_rcv+0x26/0x2d [<ffffffff8142faf1>] netlink_unicast+0xee/0x174 [<ffffffff81430327>] netlink_sendmsg+0x26a/0x288 [<ffffffff813fb04f>] ? rcu_read_unlock+0x56/0x67 [<ffffffff813f5e6d>] __sock_sendmsg_nosec+0x58/0x61 [<ffffffff813f81b7>] __sock_sendmsg+0x3d/0x48 [<ffffffff813f8339>] sock_sendmsg+0x6e/0x87 [<ffffffff81107c9f>] ? might_fault+0xa5/0xac [<ffffffff81402a72>] ? copy_from_user+0x2a/0x2c [<ffffffff81402e62>] ? verify_iovec+0x54/0xaa [<ffffffff813f9834>] __sys_sendmsg+0x206/0x288 [<ffffffff810694fa>] ? up_read+0x23/0x3d [<ffffffff811307e5>] ? fcheck_files+0xac/0xea [<ffffffff8113095e>] ? fget_light+0x3a/0xb9 [<ffffffff813f9a2e>] sys_sendmsg+0x42/0x60 [<ffffffff814c5ba9>] system_call_fastpath+0x16/0x1b CC: Eric Dumazet <edumazet@google.com> Signed-off-by:John Fastabend <john.r.fastabend@intel.com> Tested-By:
Robert Garrett <robertx.e.garrett@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Alexander Duyck authored
This change makes it so that the VF can support the PF/VF API negotiation protocol. Specifically in this case we are adding support for API 1.0 which will mean that the VF is capable of cleaning up buffers that span multiple descriptors without triggering an error. Signed-off-by:
Alexander Duyck <alexander.h.duyck@intel.com> Tested-by:
Sibai Li <sibai.li@intel.com> Signed-off-by:
-
Akeem G. Abodunrin authored
Current implementation enables EEE on only i350 device. This patch enables EEE on all eee_supported devices. Also, configured LPI clock to keep running before EEE is enabled on i210 and i211 devices. Signed-off-by:
Akeem G. Abodunrin <akeem.g.abodunrin@intel.com> Tested-by:
Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by:
-
Alexander Duyck authored
For some reason the reading of the RQDPC register was being artificially limited to 4K. Instead of limiting the value we should read the value and add the full amount. Otherwise this can lead to a misleading number of dropped packets when the actual value is in fact much higher. Signed-off-by:
-
- 19 Sep, 2012 13 commits
-
-
Michal Schmidt authored
The r8169 driver currently limits the DMA burst for TX to 1024 bytes. I have a box where this prevents the interface from using the gigabit line to its full potential. This patch solves the problem by setting TX_DMA_BURST to unlimited. The box has an ASRock B75M motherboard with on-board RTL8168evl/8111evl (XID 0c900880). TSO is enabled. I used netperf (TCP_STREAM test) to measure the dependency of TX throughput on MTU. I did it for three different values of TX_DMA_BURST ('5'=512, '6'=1024, '7'=unlimited). This chart shows the results: http://michich.fedorapeople.org/r8169/r8169-effects-of-TX_DMA_BURST.png Interesting points: - With the current DMA burst limit (1024): - at the default MTU=1500 I get only 842 Mbit/s. - when going from small MTU, the performance rises monotonically with increasing MTU only up to a peak at MTU=1076 (908 MBit/s). Then there's a sudden drop to 762 MBit/s from which the throughput rises monotonically again with further MTU increases. - With a smaller DMA burst limit (512): - there's a similar peak at MTU=1076 and another one at MTU=564. - With unlimited DMA burst: - at the default MTU=1500 I get nice 940 Mbit/s. - the throughput rises monotonically with increasing MTU with no strange peaks. Notice that the peaks occur at MTU sizes that are multiples of the DMA burst limit plus 52. Why 52? Because: 20 (IP header) + 20 (TCP header) + 12 (TCP options) = 52 The Realtek-provided r8168 driver (v8.032.00) uses unlimited TX DMA burst too, except for CFG_METHOD_1 where the TX DMA burst is set to 512 bytes. CFG_METHOD_1 appears to be the oldest MAC version of "RTL8168B/8111B", i.e. RTL_GIGA_MAC_VER_11 in r8169. Not sure if this MAC version really needs the smaller burst limit, or if any other versions have similar requirements. Signed-off-by:Michal Schmidt <mschmidt@redhat.com> Acked-by:
Francois Romieu <romieu@fr.zoreil.com> Signed-off-by:
-
Amerigo Wang authored
Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Kubeček <mkubecek@suse.cz> Cc: David Miller <davem@davemloft.net> Signed-off-by:
Cong Wang <amwang@redhat.com> Signed-off-by:
-
Amerigo Wang authored
Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Kubeček <mkubecek@suse.cz> Cc: David Miller <davem@davemloft.net> Signed-off-by:
-
Amerigo Wang authored
Two years ago, Shan Wei tried to fix this: http://patchwork.ozlabs.org/patch/43905/ The problem is that RFC2460 requires an ICMP Time Exceeded -- Fragment Reassembly Time Exceeded message should be sent to the source of that fragment, if the defragmentation times out. " If insufficient fragments are received to complete reassembly of a packet within 60 seconds of the reception of the first-arriving fragment of that packet, reassembly of that packet must be abandoned and all the fragments that have been received for that packet must be discarded. If the first fragment (i.e., the one with a Fragment Offset of zero) has been received, an ICMP Time Exceeded -- Fragment Reassembly Time Exceeded message should be sent to the source of that fragment. " As Herbert suggested, we could actually use the standard IPv6 reassembly code which follows RFC2460. With this patch applied, I can see ICMP Time Exceeded sent from the receiver when the sender sent out 3/4 fragmented IPv6 UDP packet. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Kubeček <mkubecek@suse.cz> Cc: David Miller <davem@davemloft.net> Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> Cc: Patrick McHardy <kaber@trash.net> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel@vger.kernel.org Signed-off-by:
-
Amerigo Wang authored
As pointed by Michal, it is necessary to add a new namespace for nf_conntrack_reasm code, this prepares for the second patch. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Kubeček <mkubecek@suse.cz> Cc: David Miller <davem@davemloft.net> Cc: Patrick McHardy <kaber@trash.net> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: netfilter-devel@vger.kernel.org Signed-off-by:
-
Amerigo Wang authored
In netpoll tx path, we miss the chance of calling ->ndo_select_queue(), thus could cause problems when bonding is involved. This patch makes dev_pick_tx() extern (and rename it to netdev_pick_tx()) to let netpoll call it in netpoll_send_skb_on_dev(). Reported-by:
Sylvain Munaut <s.munaut@whatever-company.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Signed-off-by:
-
stephen hemminger authored
The internal functions for add/deleting addresses don't change their argument. Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Signed-off-by:
-
Mika Westerberg authored
When building 64-bit kernel with this driver we get following warnings from the compiler: drivers/net/ethernet/i825xx/znet.c: In function ‘hardware_init’: drivers/net/ethernet/i825xx/znet.c:863:29: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] drivers/net/ethernet/i825xx/znet.c:870:29: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] Fix these by calling isa_virt_to_bus() before passing the pointers to set_dma_addr(). Signed-off-by:
Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by:
-
Eric Dumazet authored
Add GSO support to GRE tunnels. Signed-off-by:
-
Eric Dumazet authored
Instead of forcing device drivers to provide empty ethtool_ops or tweak net/core/ethtool.c again, we could provide a generic ethtool_ops. This occurred to me when I wanted to add GSO support to GRE tunnels. ethtool -k support should be generic for all drivers. Signed-off-by:
Ben Hutchings <bhutchings@solarflare.com> Signed-off-by:
-
Gao feng authored
When moving a nic from net namespace A to net namespace B, in dev_change_net_namesapce,we call __dev_get_by_name to decide if the netns B has the device has the same name. if the netns B already has the same named device,we call dev_get_valid_name to try to get a valid name for this nic in the netns B,but net_device->nd_net still point to netns A now. this patch fix it. Signed-off-by:
Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by:
-
Li RongQing authored
If dst cache dst_a copies from dst_b, and dst_b copies from dst_c, check if dst_a is expired or not, we should not end with dst_a->dst.from, dst_b, we should check dst_c. CC: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by:
Li RongQing <roy.qing.li@gmail.com> Signed-off-by:
-
Eric Dumazet authored
dev_queue_xmit_nit() should be called right before ndo_start_xmit() calls or we might give wrong packet contents to taps users : Packet checksum can be changed, or packet can be linearized or segmented, and segments partially sent for the later case. Also a memory allocation can fail and packet never really hit the driver entry point. Reported-by:
Jamie Gloudon <jamie.gloudon@gmail.com> Signed-off-by:
-
