1. 19 May, 2015 4 commits
    • David S. Miller's avatar
      Merge branch 'icmp_frag' · 76d7c457
      David S. Miller authored
      Andy Zhou says:
      
      ====================
      fragmentation ICMP
      
      Currently, we send ICMP packets when errors occur during fragmentation or
      de-fragmentation.  However, it is a bug when sending those ICMP packets
      in the context of using netfilter for bridging.
      
      Those ICMP packets are only expected in the context of routing, not in
      bridging mode.
      
      The local stack is not involved in bridging forward decisions, thus
      should be not used for deciding the reverse path for those ICMP messages.
      
      This bug only affects IPV4, not in IPv6.
      
      v1->v2:  restructure the patches into two patches that fix defragmentation and
               fragmentation respectively.
      
      	 A bit is add in IPCB to control whether ICMP packet should be
      	 generated for defragmentation.
      
      	 Fragmentation ICMP is now removed by restructuring the
      	 ip_fragment() API.
      
      v2->v3:  Add droping icmp for bridging contrack users
               drop exporting ip_fragment() API.
      
      v3->v4:  Remove unnecessary parentheses in 'return' statements
      
      v4->v5:  Drop the patch that sets and checks a bit in IPCB
               that prevents ip_defrag to send ICMP.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      76d7c457
    • Andy Zhou's avatar
      bridge_netfilter: No ICMP packet on IPv4 fragmentation error · 49d16b23
      Andy Zhou authored
      When bridge netfilter re-fragments an IP packet for output, all
      packets that can not be re-fragmented to their original input size
      should be silently discarded.
      
      However, current bridge netfilter output path generates an ICMP packet
      with 'size exceeded MTU' message for such packets, this is a bug.
      
      This patch refactors the ip_fragment() API to allow two separate
      use cases. The bridge netfilter user case will not
      send ICMP, the routing output will, as before.
      Signed-off-by: default avatarAndy Zhou <azhou@nicira.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49d16b23
    • Andy Zhou's avatar
      IPv4: skip ICMP for bridge contrack users when defrag expires · 8bc04864
      Andy Zhou authored
      users in [IP_DEFRAG_CONNTRACK_BRIDGE_IN, __IP_DEFRAG_CONNTRACK_BR_IN]
      should not ICMP message also.
      Reported-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarAndy Zhou <azhou@nicira.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8bc04864
    • Andy Zhou's avatar
      ipv4: introduce frag_expire_skip_icmp() · 5cf42280
      Andy Zhou authored
      Improve readability of skip ICMP for de-fragmentation expiration logic.
      This change will also make the logic easier to maintain when the
      following patches in this series are applied.
      Signed-off-by: default avatarAndy Zhou <azhou@nicira.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5cf42280
  2. 18 May, 2015 26 commits
  3. 17 May, 2015 5 commits
    • Eric Dumazet's avatar
      net: fix two sparse errors · c91d4606
      Eric Dumazet authored
      First one in __skb_checksum_validate_complete() fixes the following
      (and other callers)
      
      make C=2 CF=-D__CHECK_ENDIAN__ net/ipv4/tcp_ipv4.o
        CHECK   net/ipv4/tcp_ipv4.c
      include/linux/skbuff.h:3052:24: warning: incorrect type in return expression (different base types)
      include/linux/skbuff.h:3052:24:    expected restricted __sum16
      include/linux/skbuff.h:3052:24:    got int
      
      Second is fixing gso_make_checksum() :
      
        CHECK   net/ipv4/gre_offload.c
      include/linux/skbuff.h:3360:14: warning: incorrect type in assignment (different base types)
      include/linux/skbuff.h:3360:14:    expected unsigned short [unsigned] [usertype] csum
      include/linux/skbuff.h:3360:14:    got restricted __sum16
      include/linux/skbuff.h:3365:16: warning: incorrect type in return expression (different base types)
      include/linux/skbuff.h:3365:16:    expected restricted __sum16
      include/linux/skbuff.h:3365:16:    got unsigned short [unsigned] [usertype] csum
      
      Fixes: 5a212329 ("net: Support for csum_bad in skbuff")
      Fixes: 7e2b10c1 ("net: Support for multiple checksums with gso")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      CC: Tom Herbert <tom@herbertland.com>
      Acked-by: default avatarTom Herbert <tom@herbertland.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c91d4606
    • Eric Dumazet's avatar
      netfilter: synproxy: fix sparse errors · ba6d0564
      Eric Dumazet authored
      Fix verbose sparse errors :
      
      make C=2 CF=-D__CHECK_ENDIAN__ net/ipv4/netfilter/ipt_SYNPROXY.o
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba6d0564
    • Eric Dumazet's avatar
      ipip: fix one sparse error · 252a8fbe
      Eric Dumazet authored
      make C=2 CF=-D__CHECK_ENDIAN__ net/ipv4/ipip.o
        CHECK   net/ipv4/ipip.c
      net/ipv4/ipip.c:254:27: warning: incorrect type in assignment (different base types)
      net/ipv4/ipip.c:254:27:    expected restricted __be32 [addressable] [usertype] o_key
      net/ipv4/ipip.c:254:27:    got restricted __be16 [addressable] [usertype] i_flags
      
      Fixes: 3b7b514f ("ipip: fix a regression in ioctl")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      252a8fbe
    • Eric Dumazet's avatar
      net: fix sparse error in csum_replace4() · d53a2aa3
      Eric Dumazet authored
      make C=2 CF=-D__CHECK_ENDIAN__ net/ipv4/netfilter/nf_nat_l3proto_ipv4.o
        CHECK   net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
      include/net/checksum.h:125:64: warning: incorrect type in argument 2 (different base types)
      include/net/checksum.h:125:64:    expected restricted __wsum [usertype] addend
      include/net/checksum.h:125:64:    got restricted __be32 [usertype] from
      include/net/checksum.h:125:71: warning: incorrect type in argument 2 (different base types)
      include/net/checksum.h:125:71:    expected restricted __wsum [usertype] addend
      include/net/checksum.h:125:71:    got restricted __be32 [usertype] to
      include/net/checksum.h:125:64: warning: incorrect type in argument 2 (different base types)
      include/net/checksum.h:125:64:    expected restricted __wsum [usertype] addend
      include/net/checksum.h:125:64:    got restricted __be32 [usertype] from
      include/net/checksum.h:125:71: warning: incorrect type in argument 2 (different base types)
      include/net/checksum.h:125:71:    expected restricted __wsum [usertype] addend
      include/net/checksum.h:125:71:    got restricted __be32 [usertype] to
      
      Fixes: 4565af0d ("net: optimise csum_replace4()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d53a2aa3
    • Joe Perches's avatar
      netfilter: Use correct return for seq_show functions · 861fb107
      Joe Perches authored
      Using seq_has_overflowed doesn't produce the right return value.
      Either 0 or -1 is, but 0 is much more common and works well when
      seq allocation retries.
      
      I believe this doesn't matter as the initial allocation is always
      sufficient, this is just a correctness patch.
      
      Miscellanea:
      
      o Don't use strlen, use *ptr to determine if a string
        should be emitted like all the other tests here
      o Delete unnecessary return statements
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      861fb107
  4. 16 May, 2015 1 commit
  5. 15 May, 2015 4 commits