- 14 Dec, 2015 1 commit
-
-
Pablo Neira authored
Add a per-netns list of timeout objects and adjust code to use it. Signed-off-by:Pablo Neira Ayuso <pablo@netfilter.org>
-
- 09 Dec, 2015 5 commits
-
-
Florian Westphal authored
nf_log_trace() outputs bogus 'TRACE:' strings because I forgot to update the comments array. Fixes: 33d5a7b1 ("netfilter: nf_tables: extend tracing infrastructure") Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
Rosen, Rami authored
Change return type of nfulnl_set_timeout() and nfulnl_set_qthresh() to be void. This patch changes the return type of the static methods nfulnl_set_timeout() and nfulnl_set_qthresh() to be void, as there is no justification and no need for these methods to return int. Signed-off-by:
Rami Rosen <rami.rosen@intel.com> Signed-off-by:
-
Florian Westphal authored
Valdis reports NULL deref in nf_ct_frag6_gather. Problem is bogus use of skb_queue_walk() -- we miss first skb in the list since we start with head->next instead of head. In case the element we're looking for was head->next we won't find a result and then trip over NULL iter. (defrag uses plain NULL-terminated list rather than one terminated by head-of-list-pointer, which is what skb_queue_walk expects). Fixes: 029f7f3b ("netfilter: ipv6: nf_defrag: avoid/free clone operations") Reported-by:
Valdis Kletnieks <Valdis.Kletnieks@vt.edu> Tested-by:
-
Florian Westphal authored
Only needed when meta nftrace rule(s) were added. The assumption is that no such rules are active, so the call to nft_trace_init is "never" needed. When nftrace rules are active, we always call the nft_trace_* functions, but will only send netlink messages when all of the following are true: - traceinfo structure was initialised - skb->nf_trace == 1 - at least one subscriber to trace group. Adding an extra conditional (static_branch ... && skb->nf_trace) nft_trace_init( ..) Is possible but results in a larger nft_do_chain footprint. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Florian Westphal authored
nft monitor mode can then decode and display this trace data. Parts of LL/Network/Transport headers are provided as separate attributes. Otherwise, printing IP address data becomes virtually impossible for userspace since in the case of the netdev family we really don't want userspace to have to know all the possible link layer types and/or sizes just to display/print an ip address. We also don't want userspace to have to follow ipv6 header chains to get the s/dport info, the kernel already did this work for us. To avoid bloating nft_do_chain all data required for tracing is encapsulated in nft_traceinfo. The structure is initialized unconditionally(!) for each nft_do_chain invocation. This unconditionall call will be moved under a static key in a followup patch. With lots of help from Patrick McHardy and Pablo Neira. Signed-off-by:
-
- 25 Nov, 2015 3 commits
-
-
Patrick McHardy authored
Add support for mangling packet payload. Checksum for the specified base header is updated automatically if requested, however no updates for any kind of pseudo headers are supported, meaning no stateless NAT is supported. For checksum updates different checksumming methods can be specified. The currently supported methods are NONE for no checksum updates, and INET for internet type checksums. Signed-off-by:
-
Florian Westphal authored
Signed-off-by:
-
Philip Whineray authored
Various files are owned by root with 0440 permission. Reading them is impossible in an unprivileged user namespace, interfering with firewall tools. For instance, iptables-save relies on /proc/net/ip_tables_names contents to dump only loaded tables. This patch assigned ownership of the following files to root in the current namespace: - /proc/net/*_tables_names - /proc/net/*_tables_matches - /proc/net/*_tables_targets - /proc/net/nf_conntrack - /proc/net/nf_conntrack_expect - /proc/net/netfilter/nfnetlink_log A mapping for root must be available, so this order should be followed: unshare(CLONE_NEWUSER); /* Setup the mapping */ unshare(CLONE_NEWNET); Signed-off-by:
Philip Whineray <phil@firehol.org> Signed-off-by:
-
- 23 Nov, 2015 11 commits
-
-
Florian Westphal authored
The previous patch changed nf_ct_frag6_gather() to morph reassembled skb with the previous one. This means that the return value is always NULL or the skb argument. So change it to an err value. Instead of invoking NF_HOOK recursively with threshold to skip already-called hooks we can now just return NF_ACCEPT to move on to the next hook except for -EINPROGRESS (which means skb has been queued for reassembly), in which case we return NF_STOLEN. Signed-off-by:
-
Florian Westphal authored
commit 6aafeef0 ("netfilter: push reasm skb through instead of original frag skbs") changed ipv6 defrag to not use the original skbs anymore. So rather than keeping the original skbs around just to discard them afterwards just use the original skbs directly for the fraglist of the newly assembled skb and remove the extra clone/free operations. The skb that completes the fragment queue is morphed into a the reassembled one instead, just like ipv4 defrag. openvswitch doesn't need any additional skb_morph magic anymore to deal with this situation so just remove that. A followup patch can then also remove the NF_HOOK (re)invocation in the ipv6 netfilter defrag hook. Cc: Joe Stringer <joestringer@nicira.com> Signed-off-by:
-
stephen hemminger authored
Signed-off-by:
Stephen Hemminger <stephen@networkplumber.org> Signed-off-by:
-
Marcelo Ricardo Leitner authored
ip_ct_sctp is an internal structure, embedded by the union nf_conntrack_proto to store sctp-specific information at conntrack entries. It has no business with UAPI. This patch moves it from UAPI to a saner place, together with similar structs for other protocols. Signed-off-by:
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Ian Morris authored
Eliminate some checkpatch issues by improved layout of if statements. No changes detected by objdiff. Signed-off-by:
Ian Morris <ipm@chirality.org.uk> Signed-off-by:
-
Ian Morris authored
Change brace placement to eliminate checkpatch error. No changes detected by objdiff. Signed-off-by:
-
Ian Morris authored
Changes comments to use netdev style. No changes detected by objdiff. Signed-off-by:
-
Ian Morris authored
Fixes a bunch of issues detected by checkpatch with regards to code indentation. No changes detected by objdiff. Signed-off-by:
-
Mikko Rapeli authored
Add missing header dependencies and other small changes so that each file compiles alone in userspace. Signed-off-by:
Mikko Rapeli <mikko.rapeli@iki.fi> Signed-off-by:
-
Mikko Rapeli authored
Fixes userspace compilation error: linux/netfilter_bridge/ebtables.h:38:2: error: unknown type name ‘uint64_t’ Signed-off-by:
-
Saurabh Sengar authored
use of_property_read_bool() for testing bool property Signed-off-by:
Saurabh Sengar <saurabh.truth@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 22 Nov, 2015 2 commits
-
-
Yuval Mintz authored
Commit 46e8a249423ff "bnx2x: Add FW 7.13.1.0" added said .bin FW to linux-firmware; This patch incorporates the FW in the bnx2x driver. This introduces 2 fixes/enhancements: - In some management protocols there are outer-vlan configurations that can be dynamically changed while device is running. This fixes some corner cases where such a change did not take effect. - Prevent VFs from sending MAC control frames; FW would treat a VF sending such a packet as malicious and block any further communication done by the VF. Signed-off-by:
Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by:
Ariel Elior <Ariel.Elior@qlogic.com> Signed-off-by:
-
David Ahern authored
Add tracepoint to show fib6 table lookups and result. Signed-off-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
- 20 Nov, 2015 18 commits
-
-
Eric Dumazet authored
napi_alloc_skb() can return NULL. We should not crash should this happen. Fixes: 93f93a44 ("net: move skb_mark_napi_id() into core networking stack") Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Simon Horman authored
The GTI.TIV may be set to 2GHz^2 / rate, where rate is that of the clock of the device. Rather than assuming a rate of 130MHz use the actual rate of the clock. The motivation for this is to use the correct rate on the r8a7795/Salvator-X which is advertised as 133MHz but may differ depending on the extal present on the Salvator-X. Signed-off-by:
Simon Horman <horms+renesas@verge.net.au> Signed-off-by:
-
Ondrej Zary authored
Add suspend/resume support to dl2k driver. This requires RX/TX rings to be reset so split out the required functionality from alloc_list() into new rio_reset_ring(). Tested on Asus NX1101 (IP1000A) and D-Link DGE-550T (DL-2000). Signed-off-by:
Ondrej Zary <linux@rainbow-software.org> Signed-off-by:
-
Ondrej Zary authored
Move HW init and stop into separate functions. Request IRQ only after the HW has been reset (so interrupts are disabled and no stale interrupts are pending). Signed-off-by:
-
Ondrej Zary authored
If memory allocation fails in alloc_list(), free the already allocated memory and return -ENOMEM. In rio_open(), call alloc_list() first and abort if it fails. Move HW access (set RFDListPtr) out ot alloc_list(). Signed-off-by:
-
David S. Miller authored
Jon Maloy says: ==================== tipc: some cleanups and improvements This series mostly contains cleanups and cosmetic code changes. The only real functional change is in #4 and #5, where we change the locking structure for nodes and links in order to permit full concurrency between links working in parallel on different interfaces. Since the groundwork for this has been done in previous commit series, this change constitutes only the final, small step to achieve that goal. ==================== Signed-off-by: -
Jon Paul Maloy authored
The number of variables with Hungarian notation (l_ptr, n_ptr etc.) has been significantly reduced over the last couple of years. We now root out the last traces of this practice. There are no functional changes in this commit. Reviewed-by:
Ying Xue <ying.xue@windriver.com> Signed-off-by:
Jon Maloy <jon.maloy@ericsson.com> Signed-off-by:
-
Jon Paul Maloy authored
We move the definition of struct tipc_link from link.h to link.c in order to minimize its exposure to the rest of the code. When needed, we define new functions to make it possible for external entities to access and set data in the link. Apart from the above, there are no functional changes. Reviewed-by:
-
Jon Paul Maloy authored
In our effort to have less code and include dependencies between entities such as node, link and bearer, we try to narrow down the exposed interface towards the node as much as possible. In this commit, we move the definition of struct tipc_node, along with many of its associated function declarations, from node.h to node.c. We also move some function definitions from link.c and name_distr.c to node.c, since they access fields in struct tipc_node that should not be externally visible. The moved functions are renamed according to new location, and made static whenever possible. There are no functional changes in this commit. Reviewed-by:
-
Jon Paul Maloy authored
According to the node FSM a node in state SELF_UP_PEER_UP cannot change state inside a lock context, except when a TUNNEL_PROTOCOL (SYNCH or FAILOVER) packet arrives. However, the node's individual links may still change state. Since each link now is protected by its own spinlock, we finally have the conditions in place to convert the node spinlock to an rwlock_t. If the node state and arriving packet type are rigth, we can let the link directly receive the packet under protection of its own spinlock and the node lock in read mode. In all other cases we use the node lock in write mode. This enables full concurrent execution between parallel links during steady-state traffic situations, i.e., 99+ % of the time. This commit implements this change. Reviewed-by:
-
Jon Paul Maloy authored
As a preparation to allow parallel links to work more independently from each other we introduce a per-link spinlock, to be stored in the struct nodes's link entry area. Since the node lock still is a regular spinlock there is no increase in parallellism at this stage. Reviewed-by:
-
Jon Paul Maloy authored
The file name_distr.c currently contains three functions, named_cluster_distribute(), tipc_publ_subcscribe() and tipc_publ_unsubscribe() that all directly access fields in struct tipc_node. We want to eliminate such dependencies, so we move those functions to the file node.c and rename them to tipc_node_broadcast(), tipc_node_subscribe() and tipc_node_unsubscribe() respectively. Reviewed-by:
-
Jon Paul Maloy authored
The function tipc_node_check_state() contains the core logics for handling link synchronization and failover. For this reason, it is important to keep it as comprehensible as possible. In this commit, we make three small cleanups. 1) If the node is in state SELF_DOWN_PEER_LEAVING and the received packet confirms that the peer has lost contact, there will be no further action in this function. To make this clearer, we return from the function directly after the state change. 2) Since commit 0f8b8e28 ("tipc: eliminate risk of stalled link synchronization") only the logically first TUNNEL_PROTO/SYNCH packet can alter the link state and set the synch point, independently of arrival order. Hence, there is not any longer any need to adjust the synch value in case such packets arrive in disorder. We remove this adjustment. 3) It is the intention that any message arriving on any of the links may trig a check for and possible termination of a node SYNCH state. A redundant and unnoticed check for tipc_link_is_synching() obviously beats this purpose, with the effect that only packets arriving on the synching link may currently end the synch state. We remove this check. This change will further shorten the synchronization period between parallel links. Reviewed-by:
-
Jon Paul Maloy authored
In commit 5cbb28a4 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers") we added linearization of NAME_DISTRIBUTOR, LINK_PROTOCOL/RESET and LINK_PROTOCOL/ACTIVATE to the function tipc_udp_recv(). The location of the change was selected in order to make the commit easily appliable to 'net' and 'stable'. We now move this linearization to where it should be done, in the functions tipc_named_rcv() and tipc_link_proto_rcv() respectively. Reviewed-by:
-
David S. Miller authored
Yuval Mintz says: ==================== bnx2x: Statistics patch series This series contains 2 small statistics-related patches, first adding a new SW statistics and the other exposing port stats for multi-function devices. Please consider applying this series to `net-next'. ==================== Signed-off-by: -
Yuval Mintz authored
Today, port statistics are being presented when using `ethool -S' only for single-function devices, but there are some port statistics which are crucial for analyzing bottle-necks. E.g., HW Rx discards due to lack of buffer space [when device isn't handling ingress traffic fast enough]. Judging the pros and cons, it was decided that in-order to better support automatic dump-gathering tools, bnx2x should no longer hide those stats. This leaves only VFs lacking the port statistics. Signed-off-by:
-
Yuval Mintz authored
Driver already has an internal counter for number of times a given queue had to be stopped due to Tx ring exhaustion. This add the counter to the statistics presented by driver, e.g., by using `ethtool -S'. Signed-off-by:
-
David S. Miller authored
Guillaume Nault says: ==================== ppp: Remove PPPOX_ZOMBIE socket state Several issues have been found lately wrt. the PPPOX_ZOMBIE socket state. This state is now only set upon reception of a PADT to stop further transmissions. However this is redundant with the PADT workqueue mechanism introduced by 287f3a94 ("pppoe: Use workqueue to die properly when a PADT is received"). We can thus simplify pppox socket state handling by getting rid of PPPOX_ZOMBIE entirely. ==================== Signed-off-by:
-
