- 23 Nov, 2009 3 commits
-
-
Joe Perches authored
Compile tested only. Signed-off-by:
Joe Perches <joe@perches.com> Signed-off-by:
Patrick McHardy <kaber@trash.net>
-
Florian Westphal authored
commit d6d3f08b (netfilter: xtables: conntrack match revision 2) does break the v1 conntrack match iptables-save output in a subtle way. Problem is as follows: up = kmalloc(sizeof(*up), GFP_KERNEL); [..] /* * The strategy here is to minimize the overhead of v1 matching, * by prebuilding a v2 struct and putting the pointer into the * v1 dataspace. */ memcpy(up, info, offsetof(typeof(*info), state_mask)); [..] *(void **)info = up; As the v2 struct pointer is saved in the match data space, it clobbers the first structure member (->origsrc_addr). Because the _v1 match function grabs this pointer and does not actually look at the v1 origsrc, run time functionality does not break. But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr has been overloaded in this way: $ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT $ iptables-save -A OUTPUT -p tcp ...
-
Pablo Neira Ayuso authored
Without this patch, if we receive a SYN packet from the client while the firewall is out-of-sync, we let it go through. Then, if we see the SYN/ACK reply coming from the server, we destroy the conntrack entry and drop the packet to trigger a new retransmission. Then, the retransmision from the client is used to start a new clean session. This patch improves the current handling. Basically, if we see an unexpected SYN packet, we annotate the TCP options. Then, if we see the reply SYN/ACK, this means that the firewall was indeed out-of-sync. Therefore, we set a clean new session from the existing entry based on the annotated values. This patch adds two new 8-bits fields that fit in a 16-bits gap of the ip_ct_tcp structure. This patch is particularly useful for conntrackd since the asynchronous nature of the state-synchronization allows to have backup nodes that are not perfect copies of the master. This helps to improve the recovery under some worst-case scenarios. I have tested this by creating lots of conntrack entries in wrong state: for ((i=1024;i<65535;i++)); do conntrack -I -p tcp -s 192.168.2.101 -d 192.168.2.2 --sport $i --dport 80 -t 800 --state ESTABLISHED -u ASSURED,SEEN_REPLY; done Then, I make some TCP connections: $ echo GET / | nc 192.168.2.2 80 The events show the result: [UPDATE] tcp 6 60 SYN_RECV src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED] [UPDATE] tcp 6 432000 ESTABLISHED src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED] [UPDATE] tcp 6 120 FIN_WAIT src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED] [UPDATE] tcp 6 30 LAST_ACK src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED] [UPDATE] tcp 6 120 TIME_WAIT src=192.168.2.101 dst=192.168.2.2 sport=33220 dport=80 src=192.168.2.2 dst=192.168.2.101 sport=80 dport=33220 [ASSURED] and tcpdump shows no retransmissions: 20:47:57.271951 IP 192.168.2.101.33221 > 192.168.2.2.www: S 435402517:435402517(0) win 5840 <mss 1460,sackOK,timestamp 4294961827 0,nop,wscale 6> 20:47:57.273538 IP 192.168.2.2.www > 192.168.2.101.33221: S 3509927945:3509927945(0) ack 435402518 win 5792 <mss 1460,sackOK,timestamp 235681024 4294961827,nop,wscale 4> 20:47:57.273608 IP 192.168.2.101.33221 > 192.168.2.2.www: . ack 3509927946 win 92 <nop,nop,timestamp 4294961827 235681024> 20:47:57.273693 IP 192.168.2.101.33221 > 192.168.2.2.www: P 435402518:435402524(6) ack 3509927946 win 92 <nop,nop,timestamp 4294961827 235681024> 20:47:57.275492 IP 192.168.2.2.www > 192.168.2.101.33221: . ack 435402524 win 362 <nop,nop,timestamp 235681024 4294961827> 20:47:57.276492 IP 192.168.2.2.www > 192.168.2.101.33221: P 3509927946:3509928082(136) ack 435402524 win 362 <nop,nop,timestamp 235681025 4294961827> 20:47:57.276515 IP 192.168.2.101.33221 > 192.168.2.2.www: . ack 3509928082 win 108 <nop,nop,timestamp 4294961828 235681025> 20:47:57.276521 IP 192.168.2.2.www > 192.168.2.101.33221: F 3509928082:3509928082(0) ack 435402524 win 362 <nop,nop,timestamp 235681025 4294961827> 20:47:57.277369 IP 192.168.2.101.33221 > 192.168.2.2.www: F 435402524:435402524(0) ack 3509928083 win 108 <nop,nop,timestamp 4294961828 235681025> 20:47:57.279491 IP 192.168.2.2.www > 192.168.2.101.33221: . ack 435402525 win 362 <nop,nop,timestamp 235681025 4294961828> I also added a rule to log invalid packets, with no occurrences :-) . Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Acked-by:
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by:
-
- 06 Nov, 2009 1 commit
-
-
Patrick McHardy authored
The NETLINK_URELEASE notifier is only invoked for bound sockets, so there is no need to check ->pid again. Signed-off-by:
-
- 05 Nov, 2009 2 commits
-
-
Hannes Eder authored
The variable 'other_way' gets initialized but is not read afterwards, so remove it. Pass the right arguments to a pr_debug call. While being at tidy up a bit and it fix this checkpatch warning: WARNING: suspect code indent for conditional statements Signed-off-by:
Hannes Eder <heder@google.com> Signed-off-by:
-
Changli Gao authored
Signed-off-by:
Changli Gao <xiaosuo@gmail.com> Signed-off-by:
-
- 04 Nov, 2009 1 commit
-
-
Eric Dumazet authored
nf_unregister_queue_handlers() already does a synchronize_rcu() call, we dont need to do it again in callers. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
-
- 29 Oct, 2009 33 commits
-
-
Jan Engelhardt authored
This should make it possible to test for the existence of local sockets in the INPUT path. References: http://marc.info/?l=netfilter-devel&m=125380481517129&w=2 Signed-off-by:
Jan Engelhardt <jengelh@medozas.de> Signed-off-by:
Balazs Scheidler <bazsi@balabit.hu> Signed-off-by:
-
-
Eric Dumazet authored
Some workloads hit dev_base_lock rwlock pretty hard. We can use RCU lookups to avoid touching this rwlock. netdevices are already freed after a RCU grace period, so this patch adds no penalty at device dismantle time. dev_ifname() converted to dev_get_by_index_rcu() Signed-off-by:
David S. Miller <davem@davemloft.net>
-
roel kluin authored
The variables are unsigned so the `< 0' test always fails, the other part of the test catches wrapped values. Signed-off-by:
Roel Kluin <roel.kluin@gmail.com> Signed-off-by:
-
roel kluin authored
optlen is unsigned so the `< 0' test is never true. Signed-off-by:
-
roel kluin authored
If there is data, the unsigned skb->len is greater than 0. rt.sigdigits is unsigned as well, so the test `>= 0' is always true, the other part of the test catches wrapped values. Signed-off-by:
-
Tilman Schmidt authored
Replace the sequence of strcmp calls for interpreting ZSAU parameter strings by a table of known strings and lookup loop to improve readability. Impact: readability improvement, no functional change Signed-off-by:
Tilman Schmidt <tilman@imap.cc> Signed-off-by:
-
Tilman Schmidt authored
On more step towards the holy grail of checkpatch.pl silence. Impact: cosmetic Signed-off-by:
-
Tilman Schmidt authored
On the quest for the holy grail of checkpatch.pl silence. Impact: cosmetic Signed-off-by:
-
Tilman Schmidt authored
Duly uglified as demanded by checkpatch.pl. Impact: cosmetic Signed-off-by:
-
Tilman Schmidt authored
Dum sanctis checkpatch.pl'ae legibus obsequimur. Impact: cosmetic Signed-off-by:
-
Tilman Schmidt authored
Reorganize the code of the Gigaset M10x driver to make it more readable, less redundant, better aligned to the style of other parts of the driver, and cause fewer checkpatch.pl complaints. Impact: code reorganization, no functional change Signed-off-by:
-
Tilman Schmidt authored
The CAPI interface incorrectly assumed that CAPI messages would always start at the beginning of the data buffer: fix by treating DATA_B3 messages as the link layer header to their payload data. This fix changes the way acknowledgement information is propagated through the hardware specific modules and thereby impacts the ISDN4Linux variant of the driver, too. Also some assumptions about methods not being called from interrupt context turned out to be unwarranted; fix by using dev_kfree_skb_any() wherever non-interrupt context isn't guaranteed. Impact: bugfix Signed-off-by:
-
Tilman Schmidt authored
A missing dot lead to garbage characters being included in the dial command generated from a CAPI CONNECT_REQ message, which interestingly enough worked anyway, illustrating the resilience of the device. Impact: bugfix Signed-off-by:
-
Tilman Schmidt authored
Replace the "ignoring Additional Info" warning message by better readable ones citing the specific subparameters being ignored. Make parts of the code more readable by using a local cmsg pointer variable. Impact: readability improvement Signed-off-by:
-
Gilad Ben-Yossef authored
Add and use no DSCAK bit in the features field. Signed-off-by:
Gilad Ben-Yossef <gilad@codefidence.com> Sigend-off-by:
Ori Finkelman <ori@comsleep.com> Sigend-off-by:
Yony Amit <yony@comsleep.com> Signed-off-by:
-
Gilad Ben-Yossef authored
Add and use no window scale bit in the features field. Note that this is not the same as setting a window scale of 0 as would happen with window limit on route. Signed-off-by:
-
Gilad Ben-Yossef authored
Implement querying and acting upon the no timestamp bit in the feature field. Signed-off-by:
-
Gilad Ben-Yossef authored
Implement querying and acting upon the no sack bit in the features field. Signed-off-by:
-
Gilad Ben-Yossef authored
Adding an accessor to existing dst_entry feautres field and refactor the only supported feature (allfrag) to use it. Signed-off-by:
-
Gilad Ben-Yossef authored
We need tcp_parse_options to be aware of dst_entry to take into account per dst_entry TCP options settings Signed-off-by:
-
Gilad Ben-Yossef authored
Since we only use tcp_parse_options here to check for the exietence of TCP timestamp option in the header, it is better to call with the "established" flag on. Signed-off-by:
-
Eric Dumazet authored
Speedup module unloading by factorizing synchronize_rcu() calls Signed-off-by:
-
Eric Dumazet authored
Speedup module unloading by factorizing synchronize_rcu() calls Signed-off-by:
-
Eric Dumazet authored
Speedup module unloading by factorizing synchronize_rcu() calls Signed-off-by:
-
Eric Dumazet authored
Speedup module unloading by factorizing synchronize_rcu() calls Signed-off-by:
-
Eric Dumazet authored
Speedup module unloading by factorizing synchronize_rcu() calls Signed-off-by:
-
Ajit Khaparde authored
This patch adds the PCI IDs for the next generation chip to the PCI_DEVICE_ID table. Signed-off-by:
Ajit Khaparde <ajitk@serverengines.com> Signed-off-by:
-
Bruce Allan authored
When changing flow control (pause) parameters, the flow control thresholds (i.e. when to send XON/XOFF frames) may not be setup correctly on parts with copper media. Call the existing e1000_set_fc_watermarks() function to set these thresholds. Signed-off-by:
Bruce Allan <bruce.w.allan@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by:
-
Yi Zou authored
Implements the netdev_ops.ndo_fcoe_get_wwn for VLAN device. Signed-off-by:
Yi Zou <yi.zou@intel.com> Signed-off-by:
-
Yi Zou authored
Implements the netdev_ops.ndo_fcoe_get_wwn in 82599 if it finds valid prefix for the World Wide Node Name (WWNN) or World Wide Port Name (WWPN), as well as valid SAN MAC address. Signed-off-by:
-
Yi Zou authored
Add ndo_fcoe_get_wwn so Fiber Channel over Ethernet (FCoE) can make use of the provided World Wide Port Name (WWPN) and World Wide Node Name (WWNN) from the underlying network interface driver. Signed-off-by:
-
Yi Zou authored
The 82599 EEPROM supports alternative prefix for World Wide Node Name (WWNN) and World Wide Port Name (WWPN). The prefixes can be used together with the SAN MAC address to form the WWNN and WWPN, which can be used by upper layer drivers such as Fiber Channel over Ethernet (FCoE). Signed-off-by:
Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by:
-
