- 21 Jul, 2011 2 commits
-
-
Jozsef Kadlecsik authored
If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by:Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by:
Patrick McHardy <kaber@trash.net>
-
Jozsef Kadlecsik authored
Signed-off-by:
-
- 19 Jul, 2011 2 commits
-
-
Florian Westphal authored
Introduces a new nfnetlink type that applies a given verdict to all queued packets with an id <= the id in the verdict message. If a mark is provided it is applied to all matched packets. This reduces the number of verdicts that have to be sent. Applications that make use of this feature need to maintain a timeout to send a batchverdict periodically to avoid starvation. Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
Eric Dumazet authored
Packet identifier is currently setup in nfqnl_build_packet_message(), using one atomic_inc_return(). Problem is that since several cpus might concurrently call nfqnl_enqueue_packet() for the same queue, we can deliver packets to consumer in non monotonic way (packet N+1 being delivered after packet N) This patch moves the packet id setup from nfqnl_build_packet_message() to nfqnl_enqueue_packet() to guarantee correct delivery order. This also removes one atomic operation. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> CC: Florian Westphal <fw@strlen.de> CC: Pablo Neira Ayuso <pablo@netfilter.org> CC: Eric Leblond <eric@regit.org> Signed-off-by:
-
- 18 Jul, 2011 2 commits
-
-
Eric Dumazet authored
nenetlink_queue operations on SMP are not efficent if several queues are used, because of nfnl_mutex contention when applications give packet verdict. Use new call_rcu field in struct nfnl_callback to advertize a callback that is called under rcu_read_lock instead of nfnl_mutex. On my 2x4x2 machine, I was able to reach 2.000.000 pps going through user land returning NF_ACCEPT verdicts without losses, instead of less than 500.000 pps before patch. Signed-off-by:
-
Eric Dumazet authored
Goal of this patch is to permit nfnetlink providers not mandate nfnl_mutex being held while nfnetlink_rcv_msg() calls them. If struct nfnl_callback contains a non NULL call_rcu(), then nfnetlink_rcv_msg() will use it instead of call() field, holding rcu_read_lock instead of nfnl_mutex Signed-off-by:
-
- 30 Jun, 2011 1 commit
-
-
Mr Dash Four authored
In this revision the conversion of secid to SELinux context and adding it to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a separate helper function - audit_log_secctx - which does both the conversion and logging of SELinux context, thus also preventing internal secid number being leaked to userspace. If conversion is not successful an error is raised. With the introduction of this helper function the work done in xt_AUDIT.c is much more simplified. It also opens the possibility of this helper function being used by other modules (including auditd itself), if desired. With this addition, typical (raw auditd) output after applying the patch would be: type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0 type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0 Acked-by:
Eric Paris <eparis@redhat.com> Signed-off-by:
Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by:
-
- 16 Jun, 2011 17 commits
-
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1 Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
When creating a set from a range expressed as a network like 10.1.1.172/29, the from address was taken as the IP address part and not masked with the netmask from the cidr. Signed-off-by:
-
Jozsef Kadlecsik authored
The patch "Fix adding ranges to hash types" had got a mistypeing in the timeout variant of the hash types, which actually made the patch ineffective. Fixed! Signed-off-by:
-
Jozsef Kadlecsik authored
The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30 Signed-off-by:
-
Jozsef Kadlecsik authored
A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by:
-
Jozsef Kadlecsik authored
When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four. Signed-off-by:
-
Jozsef Kadlecsik authored
Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members. Signed-off-by:
-
Jozsef Kadlecsik authored
The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries. Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist Signed-off-by:
-
-
Patrick McHardy authored
-
- 15 Jun, 2011 16 commits
-
-
Matt Carlson authored
The power source switching code is about to get a little more complex. This patch seeks to simplify future power source switching patches by clarifying the existing code. Signed-off-by:
Matt Carlson <mcarlson@broadcom.com> Reviewed-by:
Michael Chan <mchan@broadcom.com> Reviewed-by:
Benjamin Li <benli@broadcom.com> Signed-off-by:
David S. Miller <davem@conan.davemloft.net>
-
Matt Carlson authored
This patch changes to code to use some of the preprocessor definitions from mii.h over its homegrown equivalents. Signed-off-by:
-
Matt Carlson authored
This patch adds code to present the flow control advertisements through the ethtool get_settings callback. Signed-off-by:
-
Matt Carlson authored
This patch fixes the EEE debounce timer values. Signed-off-by:
-
Matt Carlson authored
This patch adds more selfboot formats to the NVRAM selftest. It also changes the code to return an error on an unsupported NVRAM format. Signed-off-by:
-
Matt Carlson authored
Now that all chips have this bug, the flag checks become useless code. This patch removes the flag. Signed-off-by:
-
Matt Carlson authored
This patch removes the 40BIT_DMA_LIMIT_BUG flag. There already exists a flag for this purpose (TG3_FLAG_40BIT_DMA_BUG) and was already being used in the correct spot. Signed-off-by:
-
Matt Carlson authored
On rare occasions, writing the tag to the interrupt mailbox does not reenable interrupts. This patch fixes the problem by reissuing the mailbox update. Signed-off-by:
-
Vladislav Zolotarov authored
Signed-off-by:
Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by:
Eilon Greenstein <eilong@broadcom.com> Signed-off-by:
-
Dmitry Kravkov authored
Add supoprt for 3 COSes for 578xx devices. Fix HW configuration for PFC feature according to new HSI in link layer. Signed-off-by:
Dmitry Kravkov <dmitry@broadcom.com> Signed-off-by:
-
Yaniv Rosner authored
Signed-off-by:
Yaniv Rosner <yanivr@broadcom.com> Signed-off-by:
-
Yaniv Rosner authored
Signed-off-by:
-
Yaniv Rosner authored
Signed-off-by:
-
Yaniv Rosner authored
Signed-off-by:
-
Yaniv Rosner authored
Signed-off-by:
-
Yaniv Rosner authored
Signed-off-by:
-
