1. 17 Jan, 2005 9 commits
    • [NETFILTER]: Call NAT helper modules directly from conntrack modules, fixup FTP · 92bb4f8e
      Rusty Russell authored
      Currently connection tracking and NAT helper modules for a protocol
      interact only indirectly (the conntrack module places information in
      the conntrack structure, which the NAT module pulls out).
      
      This leads to several issues:
      1) Both modules must know what port to watch, and must match.
      2) Identifying the particular packet which created the connection
         is cumbersome (TCP) or impossible (UDP).
      3) The connection tracking code sets up an expectation which the
         NAT code then has to change.
      4) The lack of direct symbol dependencies means we have to contrive
         one, since they are functionally dependent.
      
      Here is the current code flow:
      FTP CONTROL PACKET:
      NF_IP_PRE_ROUTING:
         ip_conntrack_in
            resolve_normal_ct
               init_conntrack: sets ct->helper to ip_conntrack_ftp.c:help()
         ct->help(): if PORT/PASV command:
            Sets exp->help.exp_ftp_info to tcp seq number of data.
            ip_conntrack_expect(): expects the connection
      
         ip_nat_setup_info: sets ct->nat.info->helper to ip_nat_ftp.c:help()
         ip_nat_fn:
            proto->exp_matches_pkt: if packet matches expectation
            ct->nat.info->helper(): If packet going client->server,
                  and packet data is one in ct_ftp_info:
               ftp_data_fixup():
                  ip_conntrack_change_expect(): change the expectation
                  Modify packet contents with new address.
      
      NF_IP_POST_ROUTING:
         ip_nat_fn
            ct->nat.info->helper(): If packet going server->client,
                  and packet data is one in ct_ftp_info:
               ftp_data_fixup():
                  ip_conntrack_change_expect(): change the expectation
                  Modify packet contents with new address.
      
      FTP DATA (EXPECTED) CONNECTION FIRST PACKET:
      NF_IP_PRE_ROUTING:
         ip_conntrack_in
            resolve_normal_ct
               init_conntrack: set ct->master.
         ip_nat_fn:
            master->nat.info.helper->expect()
               Set up source NAT mapping to match FTP control connection.
      
      NF_IP_PRE_ROUTING:
         ip_nat_fn:
            master->nat.info.helper->expect()
               Set up dest NAT mapping to match FTP control connection.
      
      
      The new flow looks like this:
      FTP CONTROL PACKET:
      NF_IP_PRE_ROUTING:
         ip_conntrack_in
            resolve_normal_ct
               init_conntrack: sets ct->helper to ip_conntrack_ftp.c:help()
      
      NF_IP_POST_ROUTING:
         ip_confirm:
            ct->helper->help:
               If !ip_nat_ftp_hook: ip_conntrack_expect().
               ip_nat_ftp: 
                  set exp->oldproto to old port.
                  ip_conntrack_change_expect(): change the expectation
                  set exp->expectfn to ftp_nat_expected.
                  Modify packet contents with new address.
      
      FTP DATA (EXPECTED) CONNECTION FIRST PACKET:
      NF_IP_PRE_ROUTING:
         ip_conntrack_in
            resolve_normal_ct
               init_conntrack: set ct->master.
               call exp->expectfn (ftp_nat_expected):
                   call ip_nat_follow_master().
      
      The big changes are that the ip_nat_ftp module sets ip_conntrack_ftp's
      ip_nat_ftp_hook when it initializes, so it calls the NAT code directly
      when a packet containing the expect information is found by the
      conntrack helper: and this interface can carry all the information
      these two want to share.  Also, that conntrack helper is called as the
      packet leaves the box, so there are no issues with expectations being
      set up before the packet has been filtered.  The NAT helper doesn't
      need to register and duplicate the conntrack ports.
      
      The other trick is ip_nat_follow_master(), which does the NAT setup
      all at once (source and destination NAT as required) such that the
      expected connection is NATed the same way the master connection
      was.
      
      We also call ip_conntrack_tcp_update() (which I incidentally neatened)
      after mangling a TCP packet; ip_nat_seq_adjust() does this, but now
      mangling is done at the last possible moment, after
      ip_nat_seq_adjust() was already called.
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      92bb4f8e
    • [NETFILTER]: Fix overlapping expectations in existing expectation code · 13b9f4df
      Rusty Russell authored
      Change kmem_cache_free() calls in ip_conntrack_expect_related() to
      ip_conntrack_expect_put(): they should be equivalent but allows a hack
      in next patch (caller can keep expect).
      
      More importantly, a previous expectation should only be refreshed and return
      EEXIST if it's owned by the same connection (nfsim found this bug).
      Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      13b9f4df
    • David S. Miller authored
      85ef7720
    • Arthur Kepner authored
    • [IPV6]: Fix EUI64 generation on S/390. · b74ac55d
      Christoph Hellwig authored
       - put a dev_id field in struct net_device, so that it uses space that
         would be wasted by padding otherwise.
       - if this field is non-null let ipv6_generate_eui64 use the algorithm
         from the QETH code to generate an EUI that's different for each
         OS instance.  See code comments for details.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      b74ac55d
    • [PKT_SCHED]: Fix c99ism in cls_api.c · 86679f6f
      Thomas Graf authored
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      86679f6f
    • [NETLINK]: Orphan SKBs in netlink_trim(). · f76f745c
      Herbert Xu authored
      This makes the skb->truesize modifications always OK.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f76f745c
    • Merge bk://kernel.bkbits.net/acme/connection_sock-2.6 · 1255a1e9
      David S. Miller authored
      into nuts.davemloft.net:/disk1/BK/net-2.6
      1255a1e9
    • Merge bk://bk.skbuff.net:20611/linux-2.6-inet6 · 20408758
      David S. Miller authored
      into nuts.davemloft.net:/disk1/BK/net-2.6
      20408758
  2. 16 Jan, 2005 22 commits
  3. 15 Jan, 2005 9 commits
    • [PATCH] Generic IRQ support for PA-RISC · 8953e802
      Matthew Wilcox authored
      Make PA-RISC use the generic interrupt handling code.  We need one tiny
      change to the generic code -- the addition of a data pointer to irq_desc.
      This shouldn't be a problem in terms of increasing size of irq_desc for
      other architectures as the struct is cacheline aligned.  It's now 32
      bytes on 32-bit platforms and 44/48 bytes on 64-bit platforms (assuming
      spinlock_t is 4 bytes on 32-bit and 4 or 8 bytes on 64-bit).
      Signed-off-by: Matthew Wilcox <matthew@wil.cx>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      8953e802
    • Vadim Lobanov authored
      ad8c410c
    • [PATCH] various Kconfig fixes · b6efa0d0
      Gabor Egry authored
      Here are some Kconfig fixes:
      
      - typo fixes
      - unused tokens removed (empty or duplicated 'help')
      - non-ASCII characters replaced
      - e-mail address and URL format corrections
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      b6efa0d0
    • [PATCH] random: add_input_randomness · 17d2208b
      Matt Mackall authored
      The input layer wants to send us an entropy event per input event and who are
      we to argue?  Create add_input_randomness with an input-friendly interface and
      kill the remaining two keyboard and mouse sources.
      
      This eliminates lots of duplicate entropy events while covering all the input
      bases nicely.  We now get two events per keystroke as we should, one down and
      one up.
      Signed-off-by: Matt Mackall <mpm@selenic.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      17d2208b
    • [PATCH] random: periodicity detection fix · 257fd23f
      Matt Mackall authored
      The input layer is now sending us a bunch of events in a row for each actual
      event.  This shows up weaknesses in the periodicity detector and using the
      high clock rate from get_clock: each keystroke is getting accounted as 10
      different maximal-entropy events.
      
      A brief touch on a trackpad will generate as much as 2000 maximal entropy
      events which is more than 2k of /dev/random output.  IOW, we're WAY
      overestimating input entropy.  Here's one keystroke:
      
      random 0024 0000 0000: mouse event
      random 0035 0000 0000: added 11 entropy credits to input
      random 0035 0000 0000: mouse event
      random 0046 0000 0000: added 11 entropy credits to input
      random 0046 0000 0000: mouse event
      random 0056 0000 0000: added 10 entropy credits to input
      random 0056 0000 0000: keyboard event
      random 0067 0000 0000: added 11 entropy credits to input
      random 0067 0000 0000: mouse event
      random 0078 0000 0000: added 11 entropy credits to input
      random 0078 0000 0000: awake
      random 0078 0000 0000: reading 128 bits
      random 0078 0000 0000: going to reseed blocking with 128 bits (128 of 0 requested)
      random 0078 0000 0000: trying to extract 128 bits from input
      random 0006 0000 0000: debiting 72 entropy credits from input
      random 0006 0072 0000: added 72 entropy credits to blocking
      random 0006 0072 0000: trying to extract 128 bits from blocking
      random 0006 0000 0000: debiting 72 entropy credits from blocking
      random 0006 0000 0000: read got 72 bits (56 still needed)
      random 0006 0000 0000: reading 56 bits
      random 0006 0000 0000: going to reseed blocking with 64 bits (56 of 0 requested
      random 0006 0000 0000: trying to extract 64 bits from input
      random 0006 0000 0000: debiting 0 entropy credits from input
      random 0006 0000 0000: trying to extract 56 bits from blocking
      random 0006 0000 0000: debiting 0 entropy credits from blocking
      random 0006 0000 0000: read got 0 bits (56 still needed)
      random 0006 0000 0000: sleeping
      random 0006 0000 0000: mouse event
      random 0017 0000 0000: added 11 entropy credits to input
      random 0017 0000 0000: mouse event
      random 0028 0000 0000: added 11 entropy credits to input
      random 0028 0000 0000: mouse event
      random 0038 0000 0000: added 10 entropy credits to input
      random 0038 0000 0000: keyboard event
      random 0049 0000 0000: added 11 entropy credits to input
      random 0049 0000 0000: mouse event
      random 0060 0000 0000: added 11 entropy credits to input
      
      The first step to fixing this is to check periodicity and estimate entropy
      against a slow clock like jiffies.  We continue to mix in get_clock() rather
      than jiffies where available.
      
      This throws away most of the duplicate events and gives us more sensible
      entropy estimates, but we still get duplicates from input.c and keyboard.c.
      Signed-off-by: Matt Mackall <mpm@selenic.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      257fd23f
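      A small simulation of the overestimation this message describes, added here as an illustration; it is not code from the patch or from the kernel. It models the delta-based estimator of add_timer_randomness() (the smallest of the first, second and third-order timing deltas, rounded down one bit and capped at 11 credits per event; that exact rule is an assumption drawn from the 2.6-era code) and feeds it one constructed burst of input events twice: stamped with a microsecond get_clock()-style clock and stamped with 1 kHz jiffies.

```python
HZ = 1000                        # constructed assumption: jiffies tick at 1 kHz
US_PER_JIFFY = 1_000_000 // HZ


def fls(x):
    """Index of the highest set bit (1-based), 0 for x == 0, like the kernel's fls()."""
    return x.bit_length()


class TimerState:
    """Per-source timing history, as add_timer_randomness() keeps it (modelled)."""

    def __init__(self):
        self.last_time = 0
        self.last_delta = 0
        self.last_delta2 = 0

    def credit(self, now):
        """Entropy credited for one event stamped 'now' (assumed estimator rule)."""
        delta = now - self.last_time
        self.last_time = now
        delta2 = delta - self.last_delta
        self.last_delta = delta
        delta3 = delta2 - self.last_delta2
        self.last_delta2 = delta2
        # Smallest absolute delta of the three orders, rounded down one bit,
        # capped at 11 credits per event.
        delta = min(abs(delta), abs(delta2), abs(delta3))
        return min(fls(delta >> 1), 11)


def estimate(timestamps):
    """Total entropy credited for a sequence of event timestamps."""
    st = TimerState()
    return sum(st.credit(t) for t in timestamps)


# Constructed input: four keystrokes 200 ms apart; the input layer reports each
# one as five events spread over ~28 ms (key down, axis/sync events, key up).
BURST_US = [0, 7_300, 13_100, 19_900, 27_800]
KEYSTROKES_US = [200_000 * k for k in range(4)]


def events_us():
    """Event timestamps in microseconds, as a get_clock()-style fast clock sees them."""
    return [k + b for k in KEYSTROKES_US for b in BURST_US]


def events_jiffies():
    """The same events as a 1 kHz jiffies clock sees them."""
    return [t // US_PER_JIFFY for t in events_us()]


if __name__ == "__main__":
    # Fast clock: nearly every sub-event of a keystroke earns the 11-bit cap.
    print("fast clock:", estimate(events_us()), "bits credited")       # 177
    # Jiffies: the sub-events collapse onto near-identical deltas and earn little.
    print("jiffies   :", estimate(events_jiffies()), "bits credited")  # 33
```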
    • [PATCH] random: run-time configurable debugging · 354c31a7
      Matt Mackall authored
      Add run-time switchable entropy debugging.  Entire debug infrastructure
      remains compiled out by default.
      Signed-off-by: Matt Mackall <mpm@selenic.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      354c31a7
    • [PATCH] random: entropy debugging improvements · 9f516363
      Matt Mackall authored
      Print pool entropy counts in all entropy debugging messages
      Signed-off-by: Matt Mackall <mpm@selenic.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      9f516363
    • [PATCH] random: whitespace doh · ae5c001d
      Matt Mackall authored
      Someone actually spotted this already.
      Signed-off-by: Matt Mackall <mpm@selenic.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
      ae5c001d
    • Vadim Lobanov authored
      d6012b1f