- 19 Jun, 2012 6 commits
-
-
Merav Sicron authored
This change enables to do self-test with external loopback via ethtool. Signed-off-by:
Merav Sicron <meravs@broadcom.com> Signed-off-by:
Eilon Greenstein <eilong@broadcom.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
stigge@antcom.de authored
This patch removes some nowadays superfluous definitions (one unused define and an obsolete function forward declaration) and corrects a netdev_err() to netdev_dbg(). Signed-off-by:
Roland Stigge <stigge@antcom.de> Signed-off-by:
Alexandre Pereira da Silva <aletes.xgr@gmail.com> Signed-off-by:
-
Pablo Neira Ayuso authored
ERROR: "nfqnl_ct_parse" [net/netfilter/nfnetlink_queue.ko] undefined! ERROR: "nfqnl_ct_seq_adjust" [net/netfilter/nfnetlink_queue.ko] undefined! ERROR: "nfqnl_ct_put" [net/netfilter/nfnetlink_queue.ko] undefined! ERROR: "nfqnl_ct_get" [net/netfilter/nfnetlink_queue.ko] undefined! We have to use CONFIG_NETFILTER_NETLINK_QUEUE_CT in include/net/netfilter/nfnetlink_queue.h, not CONFIG_NF_CONNTRACK. Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
-
git://1984.lsi.us.es/nf-nextDavid S. Miller authored
Pablo says: ==================== The following patchset provides fixes for issues that were recently introduced by my new cthelper infrastructure. They have been spotted by Randy Dunlap, Andrew Morton and Dan Carpenter. The patches provide: * compilation fixes if CONFIG_NF_CONNTRACK is disabled: I moved all the conntrack code from nfnetlink_queue.c to nfnetlink_queue_ct.c to avoid peppering the entire code with lots of ifdefs. I needed to rename nfnetlink_queue.c to nfnetlink_queue_core.c to get it working with the Makefile tweaks I've added. * fix NULL pointer dereference via ctnetlink while trying to change the helper for an existing conntrack entry. I don't find any reasonable use case for changing the helper from one to another in run-time. Thus, now ctnetlink returns -EOPNOTSUPP for this operation. * fix possible out-of-bound zeroing of the conntrack extension area due to the helper automatic assignation routine. ==================== Signed-off-by: -
git://git.open-mesh.org/linux-mergeDavid S. Miller authored
Included changes: * major skb->data pointer usage fix * interval version update * added get_ethtool_stats() support * endianess clean up * routing protocol API improvement wrt TT commit code * fix locking in hash table code * minor cleanups and fixes
-
Pablo Neira Ayuso authored
In "9cb01766 netfilter: add glue code to integrate nfnetlink_queue and ctnetlink" the compilation with NF_CONNTRACK disabled is broken. This patch fixes this issue. I have moved the conntrack part into nfnetlink_queue_ct.c to avoid peppering the entire nfnetlink_queue.c code with ifdefs. I also needed to rename nfnetlink_queue.c to nfnetlink_queue_pkt.c to update the net/netfilter/Makefile to support conditional compilation of the conntrack integration. This patch also adds CONFIG_NETFILTER_QUEUE_CT in case you want to explicitly disable the integration between nf_conntrack and nfnetlink_queue. Reported-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
- 18 Jun, 2012 23 commits
-
-
Pablo Neira Ayuso authored
This patch fixes the compilation of net/netfilter/nfnetlink_cthelper.c if CONFIG_NF_CONNTRACK is not set. This patch also moves the definition of the cthelper infrastructure to the scope of NF_CONNTRACK things. I have also renamed NETFILTER_NETLINK_CTHELPER by NF_CT_NETLINK_HELPER, to use similar names to other nf_conntrack_netlink extensions. Better now that this has been only for two days in David's tree. Two new dependencies have been added: * NF_CT_NETLINK * NETFILTER_NETLINK_QUEUE Since these infrastructure requires both ctnetlink and nfqueue. Reported-by:
Randy Dunlap <rdunlap@xenotime.net> Signed-off-by:
-
Pablo Neira Ayuso authored
This patch modifies __nf_ct_try_assign_helper in a way that invalidates support for the following scenario: 1) attach the helper A for first time when the conntrack is created 2) attach new (different) helper B due to changes the reply tuple caused by NAT eg. port redirection from TCP/21 to TCP/5060 with both FTP and SIP helpers loaded, which seems to be a quite unorthodox scenario. I can provide a more elaborated patch to support this scenario but explicit helper attachment provides a better solution for this since now the use can attach the helpers consistently, without relying on the automatic helper lookup magic. This patch fixes a possible out of bound zeroing of the conntrack helper extension if the helper B uses more memory for its private data than helper A. Signed-off-by: -
Pablo Neira Ayuso authored
The patch 1afc5679: "netfilter: nf_ct_helper: implement variable length helper private data" from Jun 7, 2012, leads to the following Smatch complaint: net/netfilter/nf_conntrack_netlink.c:1231 ctnetlink_change_helper() error: we previously assumed 'help->helper' could be null (see line 1228) This NULL dereference can be triggered with the following sequence: 1) attach the helper for first time when the conntrack is created. 2) remove the helper module or detach the helper from the conntrack via ctnetlink. 3) attach helper again (the same or different one, no matter) to the that existing conntrack again via ctnetlink. This patch fixes the problem by removing the use case that allows you to re-assign again a helper for one conntrack entry via ctnetlink since I cannot find any practical use for it. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Marek Lindner authored
Signed-off-by:
Marek Lindner <lindner_marek@yahoo.de> Signed-off-by:
Sven Eckelmann <sven@narfation.org>
-
Matthias Schiffer authored
To ensure an entry isn't added twice all comparisons have to be protected by the hash line write spinlock. This doesn't really hurt as the case that it is tried to add an element already present to the hash shouldn't occur very often, so in most cases the lock would have have to be taken anyways. Signed-off-by:
Matthias Schiffer <mschiffer@universe-factory.net> Acked-by:
-
Antonio Quartulli authored
Each time a new log level is added the developer must change either the DBG_ALL enum definition and the hard coded value in the bat_sysfs.c for the log_level attribute max value. This is extremely error prone. With this patch the code directly uses DBG_ALL in the sysfs definition Signed-off-by:
Antonio Quartulli <ordex@autistici.org> Signed-off-by:
-
Marek Lindner authored
Prior to this patch the translation table code made assumptions about how the routing protocol works and where its buffers are stored (to directly modify them). Each protocol now calls the tt code with the relevant pointers, thereby abstracting the code. Signed-off-by:
-
Matthias Schiffer authored
The primary entry and the corresponding secondary entries are missing when there are no neighbors on the primary interface. This also causes the TT entries to miss and makes nodes with multiply secondary interface fall apart since there is no way to see they are related without a primary entry. Fix this by always emitting a primary entry. Signed-off-by:
-
Al Viro authored
Keep it net-endian Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Al Viro authored
just keep it net-endian all along Signed-off-by:
-
Sven Eckelmann authored
Signed-off-by: -
Al Viro authored
Signed-off-by:
-
Al Viro authored
Signed-off-by:
-
Al Viro authored
memcpy() arguments are void *, precisely to avoid that kind of pointless casts. Signed-off-by:
-
Marek Lindner authored
Signed-off-by:
-
Marek Lindner authored
Signed-off-by:
-
Marek Lindner authored
Reported-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
Martin Hundebøll authored
Added additional counters in a bat_stats structure, which are exported through the ethtool api. The counters are specific to batman-adv and includes: forwarded packets and bytes management packets and bytes (aggregated OGMs at this point) translation table packets New counters are added by extending "enum bat_counters" in types.h and adding corresponding descriptive string(s) to bat_counters_strings in soft-iface.c. Counters are increased by calling batadv_add_counter() and incremented by one by calling batadv_inc_counter(). Signed-off-by:
Martin Hundebøll <martin@hundeboll.net> Signed-off-by:
-
Antonio Quartulli authored
In the code we neever need to atomically check and set the bat_priv->tt_crc field value. It is simply set and read once in different pieces of the code. Therefore this field can be safely be converted from atomic_t to uint16_t. Reported-by:
-
Sven Eckelmann authored
The hash for claim and backbone hash in the bridge loop avoidance code receive the same key because they are getting initialized by hash_new with the same key. Lockdep will create a backtrace when they are used recursively. This can be avoided by reinitializing the key directly after the hash_new. Signed-off-by: -
Antonio Quartulli authored
skb_linearize(skb) possibly rearranges the skb internal data and then changes the skb->data pointer value. For this reason any other pointer in the code that was assigned skb->data before invoking skb_linearise(skb) must be re-assigned. In the current tt_query message handling code this is not done and therefore, in case of skb linearization, the pointer used to handle the packet header ends up in pointing to poisoned memory. The packet is then dropped but the translation-table mechanism is corrupted. Signed-off-by:
-
Sven Eckelmann authored
Signed-off-by: -
David S. Miller authored
It makes no sense to execute this limit test every time we create a routing cache entry. We can't simply error out on these things since we've silently accepted and truncated them forever. Signed-off-by:
-
- 17 Jun, 2012 6 commits
-
-
Eric Dumazet authored
Transmitted skbs can be freed immediately in lpc_eth_hard_start_xmit() instead of at TX completion, since driver copies the frames in DMA area. Signed-off-by:
Eric Dumazet <edumazet@google.com> Tested-by:
-
Yuval Mintz authored
Commit c8c60d88 contained an incorrect logic which enabled a buffer overflow when accessing an array during LPI pass-through configuration. This patch fixes this issue by removing that logic altogether. Signed-off-by:
Yuval Mintz <yuvalmin@broadcom.com> Signed-off-by:
Yaniv Rosner <yaniv.rosner@broadcom.com> Signed-off-by:
-
Michael Chan authored
Signed-off-by:
Michael Chan <mchan@broadcom.com> Signed-off-by:
-
Michael Chan authored
so that it will work on any hypervisor. Signed-off-by:
-
Michael Chan authored
Signed-off-by:
-
Michael Chan authored
to help debug tx timeouts reported in the field. Reviewed-by Benjamin Li <benli@broadcom.com> Signed-off-by:
-
- 16 Jun, 2012 5 commits
-
-
git://1984.lsi.us.es/nf-nextDavid S. Miller authored
Pablo says: ==================== This is the second batch of Netfilter updates for net-next. It contains the kernel changes for the new user-space connection tracking helper infrastructure. More details on this infrastructure are provides here: http://lwn.net/Articles/500196/ Still, I plan to provide some official documentation through the conntrack-tools user manual on how to setup user-space utilities for this. So far, it provides two helper in user-space, one for NFSv3 and another for Oracle/SQLnet/TNS. Yet in my TODO list. ==================== Signed-off-by:
-
Eldad Zack authored
Fix code style - place the asterisk where it belongs. Signed-off-by:
Eldad Zack <eldad@fogrefinery.com> Signed-off-by:
-
Pablo Neira Ayuso authored
There are good reasons to supports helpers in user-space instead: * Rapid connection tracking helper development, as developing code in user-space is usually faster. * Reliability: A buggy helper does not crash the kernel. Moreover, we can monitor the helper process and restart it in case of problems. * Security: Avoid complex string matching and mangling in kernel-space running in privileged mode. Going further, we can even think about running user-space helpers as a non-root process. * Extensibility: It allows the development of very specific helpers (most likely non-standard proprietary protocols) that are very likely not to be accepted for mainline inclusion in the form of kernel-space connection tracking helpers. This patch adds the infrastructure to allow the implementation of user-space conntrack helpers by means of the new nfnetlink subsystem `nfnetlink_cthelper' and the existing queueing infrastructure (nfnetlink_queue). I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into two pieces. This change is required not to break NAT sequence adjustment and conntrack confirmation for traffic that is enqueued to our user-space conntrack helpers. Basic operation, in a few steps: 1) Register user-space helper by means of `nfct': nfct helper add ftp inet tcp [ It must be a valid existing helper supported by conntrack-tools ] 2) Add rules to enable the FTP user-space helper which is used to track traffic going to TCP port 21. For locally generated packets: iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp For non-locally generated packets: iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp 3) Run the test conntrackd in helper mode (see example files under doc/helper/conntrackd.conf conntrackd 4) Generate FTP traffic going, if everything is OK, then conntrackd should create expectations (you can check that with `conntrack': conntrack -E expect [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp [DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp This confirms that our test helper is receiving packets including the conntrack information, and adding expectations in kernel-space. The user-space helper can also store its private tracking information in the conntrack structure in the kernel via the CTA_HELP_INFO. The kernel will consider this a binary blob whose layout is unknown. This information will be included in the information that is transfered to user-space via glue code that integrates nfnetlink_queue and ctnetlink. Signed-off-by: -
Pablo Neira Ayuso authored
This attribute can be used to modify and to dump the internal protocol information. Signed-off-by: -
Pablo Neira Ayuso authored
User-space programs that receive traffic via NFQUEUE may mangle packets. If NAT is enabled, this usually puzzles sequence tracking, leading to traffic disruptions. With this patch, nfnl_queue will make the corresponding NAT TCP sequence adjustment if: 1) The packet has been mangled, 2) the NFQA_CFG_F_CONNTRACK flag has been set, and 3) NAT is detected. There are some records on the Internet complaning about this issue: http://stackoverflow.com/questions/260757/packet-mangling-utilities-besides-iptables By now, we only support TCP since we have no helpers for DCCP or SCTP. Better to add this if we ever have some helper over those layer 4 protocols. Signed-off-by:
-
