- 01 Feb, 2008 40 commits
-
-
Jan Engelhardt authored
Extend the xt_conntrack match revision 1 by port matching (all four {orig,repl}{src,dst}) and by packet direction matching. Signed-off-by:Jan Engelhardt <jengelh@computergmbh.de> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
It should use htonl for the GID, not htons. Signed-off-by:
-
Jan Engelhardt authored
Signed-off-by:
-
Patrick McHardy authored
Before the removal of the deferred output hooks, netoutdev was used in case of VLANs on top of a bridge to store the VLAN device, so the deferred hooks would see the correct output device. This isn't necessary anymore since we're calling the output hooks for the correct device directly in the IP stack. Signed-off-by:
-
Patrick McHardy authored
The hash table is already initialized by nf_ct_alloc_hashtable(). Signed-off-by:
-
Jan Engelhardt authored
Signed-off-by:
-
Eric Dumazet authored
CHECK net/netfilter/nf_conntrack_expect.c net/netfilter/nf_conntrack_expect.c:429:13: warning: context imbalance in 'exp_seq_start' - wrong count at exit net/netfilter/nf_conntrack_expect.c:441:13: warning: context imbalance in 'exp_seq_stop' - unexpected unlock CHECK net/netfilter/nf_log.c net/netfilter/nf_log.c:105:13: warning: context imbalance in 'seq_start' - wrong count at exit net/netfilter/nf_log.c:125:13: warning: context imbalance in 'seq_stop' - unexpected unlock CHECK net/netfilter/nfnetlink_queue.c net/netfilter/nfnetlink_queue.c:363:7: warning: symbol 'size' shadows an earlier one net/netfilter/nfnetlink_queue.c:217:9: originally declared here net/netfilter/nfnetlink_queue.c:847:13: warning: context imbalance in 'seq_start' - wrong count at exit net/netfilter/nfnetlink_queue.c:859:13: warning: context imbalance in 'seq_stop' - unexpected unlock Signed-off-by:
Eric Dumazet <dada1@cosmosbay.com> Signed-off-by:
-
Denis V. Lunev authored
The address of IPv6 raw sockets was shown in the wrong format, from IPv4 ones. The problem has been introduced by the commit 42a73808 ("[RAW]: Consolidate proc interface.") Thanks to Adrian Bunk who originally noticed the problem. Signed-off-by:
Denis V. Lunev <den@openvz.org> Signed-off-by:
-
Denis V. Lunev authored
There is no need to use 128 bytes on the stack at all. Clean the code in the IPv6 style. Signed-off-by:
-
Denis V. Lunev authored
Different hashtables are used for IPv6 and IPv4 raw sockets, so no need to check the socket family in the iterator over hashtables. Clean this out. Signed-off-by:
-
Herbert Xu authored
I made a silly typo by entering IPPROTO_IP (== 0) instead of IPPROTO_IPIP (== 4). This broke the reception of incompressible packets. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Eric Dumazet authored
All but one struct dst_ops static initializations miss explicit initialization of entries field. As this field is atomic_t, we should use ATOMIC_INIT(0), and not rely on atomic_t implementation. Signed-off-by:
-
Ilpo Järvinen authored
NewReno should add cnt per skb (as with FACK) instead of depending on SACKED_ACKED bits which won't be set with it at all. Effectively, NewReno should always exists after the first iteration anyway (or immediately if there's already head in lost_out. This was fixed earlier in net-2.6.25 but got reverted among other stuff and I didn't notice that this is still necessary (actually wasn't even considering this case while trying to figure out the reports because I lived with different kind of code than it in reality was). This should solve the WARN_ONs in TCP code that as a result of this triggered multiple times in every place we check for this invariant. Special thanks to Dave Young <hidave.darkstar@gmail.com> and Krishna Kumar2 <krkumar2@in.ibm.com> for trying with my debug patches. Signed-off-by:
Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Tested-by:
Dave Young <hidave.darkstar@gmail.com> Tested-by:
Krishna Kumar2 <krkumar2@in.ibm.com> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Pavel Emelyanov authored
The comment about "race free view of the set of network namespaces" was a bit hasty. Look (there even can be only one CPU, as discovered by Alexey Dobriyan and Denis Lunev): put_net() if (atomic_dec_and_test(&net->refcnt)) /* true */ __put_net(net); queue_work(...); /* * note: the net now has refcnt 0, but still in * the global list of net namespaces */ == re-schedule == register_pernet_subsys(&some_ops); register_pernet_operations(&some_ops); (*some_ops)->init(net); /* * we call netlink_kernel_create() here * in some places */ netlink_kernel_create(); sk_alloc(); get_net(net); /* refcnt = 1 */ /* * now we drop the net refcount not to * block the net namespace exit in the * future (or this can be done on the * error path) */ put_net(sk->sk_net); if (atomic_dec_and_test(&...)) /* * true. BOOOM! The net is * scheduled for release twice */ When thinking on this problem, I decided, that getting and putting the net in init callback is wrong. If some init callback needs to have a refcount-less reference on the struct net, _it_ has to be careful himself, rather than relying on the infrastructure to handle this correctly. In case of netlink_kernel_create(), the problem is that the sk_alloc() gets the given namespace, but passing the info that we don't want to get it inside this call is too heavy. Instead, I propose to crate the socket inside an init_net namespace and then re-attach it to the desired one right after the socket is created. After doing this, we also have to be careful on error paths not to drop the reference on the namespace, we didn't get the one on. Signed-off-by:Pavel Emelyanov <xemul@openvz.org> Acked-by:
-
Eric Dumazet authored
Signed-off-by:
-
Benjamin Thery authored
Add missing initialization of the new nl_info.nl_net field in rtm_to_fib6_config(). This will be needed the store network namespace associated to the fib6_config struct. Signed-off-by:
Benjamin Thery <benjamin.thery@bull.net> Signed-off-by:
-
Laszlo Attila Toth authored
A userspace program may wish to set the mark for each packets its send without using the netfilter MARK target. Changing the mark can be used for mark based routing without netfilter or for packet filtering. It requires CAP_NET_ADMIN capability. Signed-off-by:
Laszlo Attila Toth <panther@balabit.hu> Acked-by:
-
Jan Engelhardt authored
Signed-off-by:
-
Michael Chan authored
Signed-off-by:
Michael Chan <mchan@broadcom.com> Signed-off-by:
-
Michael Chan authored
Update firmware to support programmable flow control. Signed-off-by:
-
Michael Chan authored
Make use of the programmable high/low water marks in 5709 for 802.3 flow control. Signed-off-by:
-
Michael Chan authored
The CTX_WR macro is unnecessary and obfuscates the code. Signed-off-by:
-
Michael Chan authored
The REG_WR_IND/REG_RD_IND macros are unnecessary and obfuscate the code. Many callers to these macros read and write shared memory from the bp->shmem_base, so we add 2 similar functions that automatically add the shared memory base. Signed-off-by:
-
Michael Chan authored
Make the tx coalescing setup code independent of the MSIX vector. Signed-off-by:
-
Michael Chan authored
1. Correct the MII expansion serdes control register definition. 2. Check an additional RUDI_INVALID bit when determining 5706S link. Signed-off-by:
-
Dave Young authored
The bluetooth hci_conn sysfs add/del executed in the default workqueue. If the del_conn is executed after the new add_conn with same target, add_conn will failed with warning of "same kobject name". Here add btaddconn & btdelconn workqueues, flush the btdelconn workqueue in the add_conn function to avoid the issue. Signed-off-by:
-
Herbert Xu authored
When I moved the nexthdr setting out of IPComp I accidently moved the reading of ipch->nexthdr after the decompression. Unfortunately this means that we'd be reading from a stale ipch pointer which doesn't work very well. This patch moves the reading up so that we get the correct nexthdr value. Signed-off-by:
-
Julian Anastasov authored
Update fib_trie with some fib_hash fixes: - check for duplicate alternative routes for prefix+tos+priority when replacing route - properly insert by matching tos together with priority - fix alias walking to use list_for_each_entry_continue for insertion and deletion when fa_head is not NULL - copy state from fa to new_fa on replace (not a problem for now) - additionally, avoid replacement without error if new route is same, as Joonwoo Park suggests. Signed-off-by:
Julian Anastasov <ja@ssi.bg> Signed-off-by:
-
Julian Anastasov authored
fib_info can be shared by many route prefixes but we don't want duplicate alternative routes for a prefix+tos+priority. Last change was not correct to check fib_treeref because it accounts usage from other prefixes. Additionally, avoid replacement without error if new route is same, as Joonwoo Park suggests. Signed-off-by:
-
Wei Yongjun authored
This patch fix miss of check for report unrecognized HMAC Algorithm parameter. When AUTH is disabled, goto fall through path to report unrecognized parameter, else, just break Signed-off-by:
Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Acked-by:
Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by:
-
Arnaldo Carvalho de Melo authored
Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=9825 The inet_diag_lock_handler function uses ERR_PTR to encode errors but its callers were testing against NULL. This only happens when the only inet_diag modular user, DCCP, is not built into the kernel or available as a module. Also there was a problem with not dropping the mutex lock when a handler was not found, also fixed in this patch. This caused an OOPS and ss would then hang on subsequent calls, as &inet_diag_table_mutex was being left locked. Thanks to spike at ml.yaroslavl.ru for report it after trying 'ss -d' on a kernel that doesn't have DCCP available. This bug was introduced in cset d523a328 ("Fix inet_diag dead-lock regression"), after 2.6.24-rc3, so just 2.6.24 seems to be affected. Signed-off-by:
Arnaldo Carvalho de Melo <acme@redhat.com> Acked-by:
-
Herbert Xu authored
The recent UDP patch exposed this bug in the audit code. It was calling pskb_expand_head without increasing skb->truesize. The caller of pskb_expand_head needs to do so because that function is designed to be called in places where truesize is already fixed and therefore it doesn't update its value. Because the audit system is using it in a place where the truesize has not yet been fixed, it needs to update its value manually. Signed-off-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
Herbert Xu authored
When ip_fragment has to hit the slow path the value of skb->truesize may go out of sync because we would have updated it without changing the packet length. This violates the constraints on truesize. This patch postpones the update of skb->truesize to prevent this. Signed-off-by:
-
maximilian attems authored
on the last run overlooked that sfuzz triggable message. move the message to the corresponding comment. Signed-off-by:
maximilian attems <max@stro.at> Signed-off-by:
-
maximilian attems authored
kill ref to old version and dup Linux. Signed-off-by:
-
Ilpo Järvinen authored
Signed-off-by:
Eric Van Hensbergen <ericvh@gmail.com> Signed-off-by:
-
Paul Moore authored
As pointed out by Adrian Bunk, commit 45c950e0 ("fix memory leak in netlabel code") caused a double-free when security_netlbl_sid_to_secattr() fails. This patch fixes this by removing the netlbl_secattr_destroy() call from that function since we are already releasing the secattr memory in selinux_netlbl_sock_setsid(). Signed-off-by:
Paul Moore <paul.moore@hp.com> Signed-off-by:
-
Herbert Xu authored
This patch adds support for combined mode algorithms with GCM being the first algorithm supported. Combined mode algorithms can be added through the xfrm_user interface using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms is identified by its name and the ICV length. For the purposes of matching algorithms in xfrm_tmpl structures, combined mode algorithms occupy the same name space as encryption algorithms. This is in line with how they are negotiated using IKE. Signed-off-by:
-
Herbert Xu authored
Now that ESP uses authenc we can turn on the support for async algorithms in IPsec. Signed-off-by:
-
Herbert Xu authored
This patch converts ESP to use the crypto_aead interface and in particular the authenc algorithm. This lays the foundations for future support of combined mode algorithms. Signed-off-by:
-
