openwrt/staging/blogic.git
13 years agonetfilter ebtables: fix xt_AUDIT to work with ebtables
Thomas Graf [Wed, 16 Mar 2011 17:32:13 +0000 (18:32 +0100)]
netfilter ebtables: fix xt_AUDIT to work with ebtables

Even though ebtables uses xtables it still requires targets to
return EBT_CONTINUE instead of XT_CONTINUE. This prevented
xt_AUDIT to work as ebt module.

Upon Jan's suggestion, use a separate struct xt_target for
NFPROTO_BRIDGE having its own target callback returning
EBT_CONTINUE instead of cloning the module.

Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_addrtype: ipv6 support
Florian Westphal [Tue, 15 Mar 2011 19:17:44 +0000 (20:17 +0100)]
netfilter: xt_addrtype: ipv6 support

The kernel will refuse certain types that do not work in ipv6 mode.
We can then add these features incrementally without risk of userspace
breakage.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipt_addrtype: rename to xt_addrtype
Florian Westphal [Tue, 15 Mar 2011 19:16:20 +0000 (20:16 +0100)]
netfilter: ipt_addrtype: rename to xt_addrtype

Followup patch will add ipv6 support.

ipt_addrtype.h is retained for compatibility reasons, but no longer used
by the kernel.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoipv6: netfilter: ip6_tables: fix infoleak to userspace
Vasiliy Kulikov [Tue, 15 Mar 2011 12:37:13 +0000 (13:37 +0100)]
ipv6: netfilter: ip6_tables: fix infoleak to userspace

Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch;  the second was
introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ip_tables: fix infoleak to userspace
Vasiliy Kulikov [Tue, 15 Mar 2011 12:36:05 +0000 (13:36 +0100)]
netfilter: ip_tables: fix infoleak to userspace

Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first and the third bugs were introduced before the git epoch; the
second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
one should have CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: arp_tables: fix infoleak to userspace
Vasiliy Kulikov [Tue, 15 Mar 2011 12:35:21 +0000 (13:35 +0100)]
netfilter: arp_tables: fix infoleak to userspace

Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch;  the second is
introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_connlimit: remove connlimit_rnd_inited
Changli Gao [Tue, 15 Mar 2011 12:26:32 +0000 (13:26 +0100)]
netfilter: xt_connlimit: remove connlimit_rnd_inited

A potential race condition when generating connlimit_rnd is also fixed.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_connlimit: use hlist instead
Changli Gao [Tue, 15 Mar 2011 12:25:42 +0000 (13:25 +0100)]
netfilter: xt_connlimit: use hlist instead

The header of hlist is smaller than list.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_connlimit: use kmalloc() instead of kzalloc()
Changli Gao [Tue, 15 Mar 2011 12:24:56 +0000 (13:24 +0100)]
netfilter: xt_connlimit: use kmalloc() instead of kzalloc()

All the members are initialized after kzalloc().

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_connlimit: fix daddr connlimit in SNAT scenario
Changli Gao [Tue, 15 Mar 2011 12:23:28 +0000 (13:23 +0100)]
netfilter: xt_connlimit: fix daddr connlimit in SNAT scenario

We use the reply tuples when limiting the connections by the destination
addresses, however, in SNAT scenario, the final reply tuples won't be
ready until SNAT is done in POSTROUING or INPUT chain, and the following
nf_conntrack_find_get() in count_tem() will get nothing, so connlimit
can't work as expected.

In this patch, the original tuples are always used, and an additional
member addr is appended to save the address in either end.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: Conditionally include sysctl members of struct netns_ipvs
Simon Horman [Fri, 4 Feb 2011 09:33:02 +0000 (18:33 +0900)]
IPVS: Conditionally include sysctl members of struct netns_ipvs

There is now no need to include sysctl members of struct netns_ipvs
unless CONFIG_SYSCTL is defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add __ip_vs_control_{init,cleanup}_sysctl()
Simon Horman [Fri, 4 Feb 2011 09:33:02 +0000 (18:33 +0900)]
IPVS: Add __ip_vs_control_{init,cleanup}_sysctl()

Break out the portions of __ip_vs_control_init() and
__ip_vs_control_cleanup() where aren't necessary when
CONFIG_SYSCTL is undefined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Conditionally define and use ip_vs_lblc{r}_table
Simon Horman [Fri, 4 Feb 2011 09:33:02 +0000 (18:33 +0900)]
IPVS: Conditionally define and use ip_vs_lblc{r}_table

ip_vs_lblc_table and ip_vs_lblcr_table, and code that uses them
are unnecessary when CONFIG_SYSCTL is undefined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Minimise ip_vs_leave when CONFIG_SYSCTL is undefined
Simon Horman [Fri, 4 Feb 2011 09:33:02 +0000 (18:33 +0900)]
IPVS: Minimise ip_vs_leave when CONFIG_SYSCTL is undefined

Much of ip_vs_leave() is unnecessary if CONFIG_SYSCTL is undefined.

I tried an approach of breaking the now #ifdef'ed portions out
into a separate function. However this appeared to grow the
compiled code on x86_64 by about 200 bytes in the case where
CONFIG_SYSCTL is defined. So I have gone with the simpler though
less elegant #ifdef'ed solution for now.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Conditional ip_vs_conntrack_enabled()
Simon Horman [Fri, 4 Feb 2011 09:33:02 +0000 (18:33 +0900)]
IPVS: Conditional ip_vs_conntrack_enabled()

ip_vs_conntrack_enabled() becomes a noop when CONFIG_SYSCTL is undefined.

In preparation for not including sysctl_conntrack in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: ip_vs_todrop() becomes a noop when CONFIG_SYSCTL is undefined
Simon Horman [Fri, 4 Feb 2011 09:33:02 +0000 (18:33 +0900)]
IPVS: ip_vs_todrop() becomes a noop when CONFIG_SYSCTL is undefined

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Conditinally use sysctl_lblc{r}_expiration
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Conditinally use sysctl_lblc{r}_expiration

In preparation for not including sysctl_lblc{r}_expiration in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add expire_quiescent_template()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add expire_quiescent_template()

In preparation for not including sysctl_expire_quiescent_template in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add sysctl_expire_nodest_conn()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add sysctl_expire_nodest_conn()

In preparation for not including sysctl_expire_nodest_conn in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add sysctl_sync_ver()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add sysctl_sync_ver()

In preparation for not including sysctl_sync_ver in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add {sysctl_sync_threshold,period}()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add {sysctl_sync_threshold,period}()

In preparation for not including sysctl_sync_threshold in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add sysctl_nat_icmp_send()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add sysctl_nat_icmp_send()

In preparation for not including sysctl_nat_icmp_send in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add sysctl_snat_reroute()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add sysctl_snat_reroute()

In preparation for not including sysctl_snat_reroute in
struct netns_ipvs when CONFIG_SYCTL is not defined.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Add ip_vs_route_me_harder()
Simon Horman [Fri, 4 Feb 2011 09:33:01 +0000 (18:33 +0900)]
IPVS: Add ip_vs_route_me_harder()

Add ip_vs_route_me_harder() to avoid repeating the same code twice.

Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: rename estimator functions
Julian Anastasov [Sun, 13 Mar 2011 23:44:28 +0000 (01:44 +0200)]
ipvs: rename estimator functions

  Rename ip_vs_new_estimator to ip_vs_start_estimator
and ip_vs_kill_estimator to ip_vs_stop_estimator to better
match their logic.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: optimize rates reading
Julian Anastasov [Sun, 13 Mar 2011 23:41:54 +0000 (01:41 +0200)]
ipvs: optimize rates reading

  Move the estimator reading from estimation_timer to user
context. ip_vs_read_estimator() will be used to decode the rate
values. As the decoded rates are not set by estimation timer
there is no need to reset them in ip_vs_zero_stats.

  There is no need ip_vs_new_estimator() to encode stats
to rates, if the destination is in trash both the stats and the
rates are inactive.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: remove unused seqcount stats
Julian Anastasov [Sun, 13 Mar 2011 23:39:18 +0000 (01:39 +0200)]
ipvs: remove unused seqcount stats

  Remove ustats_seq, IPVS_STAT_INC and IPVS_STAT_ADD
because they are not used. They were replaced with u64_stats.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: properly zero stats and rates
Julian Anastasov [Sun, 13 Mar 2011 23:37:49 +0000 (01:37 +0200)]
ipvs: properly zero stats and rates

  Currently, the new percpu counters are not zeroed and
the zero commands do not work as expected, we still show the old
sum of percpu values. OTOH, we can not reset the percpu counters
from user context without causing the incrementing to use old
and bogus values.

  So, as Eric Dumazet suggested fix that by moving all overhead
to stats reading in user context. Do not introduce overhead in
timer context (estimator) and incrementing (packet handling in
softirqs).

  The new ustats0 field holds the zero point for all
counter values, the rates always use 0 as base value as before.
When showing the values to user space just give the difference
between counters and the base values. The only drawback is that
percpu stats are not zeroed, they are accessible only from /proc
and are new interface, so it should not be a compatibility problem
as long as the sum stats are correct after zeroing.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: reorganize tot_stats
Julian Anastasov [Fri, 4 Mar 2011 10:20:35 +0000 (12:20 +0200)]
ipvs: reorganize tot_stats

  The global tot_stats contains cpustats field just like the
stats for dest and svc, so better use it to simplify the usage
in estimation_timer. As tot_stats is registered as estimator
we can remove the special ip_vs_read_cpu_stats call for
tot_stats. Fix ip_vs_read_cpu_stats to be called under
stats lock because it is still used as synchronization between
estimation timer and user context (the stats readers).

  Also, make sure ip_vs_stats_percpu_show reads properly
the u64 stats from user context.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: move struct netns_ipvs
Julian Anastasov [Fri, 4 Mar 2011 10:18:07 +0000 (12:18 +0200)]
ipvs: move struct netns_ipvs

  Remove include/net/netns/ip_vs.h because it depends on
structures from include/net/ip_vs.h. As ipvs is pointer in
struct net it is better to move struct netns_ipvs into
include/net/ip_vs.h, so that we can easily use other structures
in struct netns_ipvs.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Fix variable assignment in ip_vs_notrack
Jesper Juhl [Wed, 9 Mar 2011 21:55:05 +0000 (22:55 +0100)]
IPVS: Fix variable assignment in ip_vs_notrack

There's no sense to 'ct = ct = ' in ip_vs_notrack(). Just assign
nf_ct_get()'s return value directly to the pointer variable 'ct' once.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agonetfilter:ipvs: use kmemdup
Shan Wei [Mon, 7 Mar 2011 02:11:34 +0000 (10:11 +0800)]
netfilter:ipvs: use kmemdup

The semantic patch that makes this output is available
in scripts/coccinelle/api/memdup.cocci.

More information about semantic patching is available at
http://coccinelle.lip6.fr/

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: remove _bh from percpu stats reading
Julian Anastasov [Fri, 4 Mar 2011 10:28:20 +0000 (12:28 +0200)]
ipvs: remove _bh from percpu stats reading

  ip_vs_read_cpu_stats is called only from timer, so
no need for _bh locks.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: avoid lookup for fwmark 0
Julian Anastasov [Fri, 4 Mar 2011 10:26:17 +0000 (12:26 +0200)]
ipvs: avoid lookup for fwmark 0

  Restore the previous behaviour to lookup for fwmark
service only when fwmark is non-null. This saves only CPU.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agonetfilter: nf_conntrack: fix sysctl memory leak
Stephen Hemminger [Mon, 14 Mar 2011 18:20:44 +0000 (19:20 +0100)]
netfilter: nf_conntrack: fix sysctl memory leak

Message in log because sysctl table was not empty at netns exit
 WARNING: at net/sysctl_net.c:84 sysctl_net_exit+0x2a/0x2c()

Instrumenting showed that the nf_conntrack_timestamp was the entry
that was being created but not cleared.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: x_tables: return -ENOENT for non-existant matches/targets
Patrick McHardy [Mon, 14 Mar 2011 18:11:44 +0000 (19:11 +0100)]
netfilter: x_tables: return -ENOENT for non-existant matches/targets

As Stephen correctly points out, we need to return -ENOENT in
xt_find_match()/xt_find_target() after the patch "netfilter: x_tables:
misuse of try_then_request_module" in order to properly indicate
a non-existant module to the caller.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: x_tables: misuse of try_then_request_module
Stephen Hemminger [Wed, 9 Mar 2011 13:14:26 +0000 (14:14 +0100)]
netfilter: x_tables: misuse of try_then_request_module

Since xt_find_match() returns ERR_PTR(xx) on error not NULL,
the macro try_then_request_module won't work correctly here.
The macro expects its first argument will be zero if condition
fails. But ERR_PTR(-ENOENT) is not zero.

The correct solution is to propagate the error value
back.

Found by inspection, and compile tested only.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: fix the compile warning in ip_set_create
Shan Wei [Tue, 8 Mar 2011 14:37:27 +0000 (15:37 +0100)]
netfilter: ipset: fix the compile warning in ip_set_create

net/netfilter/ipset/ip_set_core.c:615: warning: ‘clash’ may be used uninitialized in this function

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: nf_ct_tcp: fix out of sync scenario while in SYN_RECV
Pablo Neira Ayuso [Mon, 28 Feb 2011 16:59:15 +0000 (17:59 +0100)]
netfilter: nf_ct_tcp: fix out of sync scenario while in SYN_RECV

This patch fixes the out of sync scenarios while in SYN_RECV state.

Quoting Jozsef, what it happens if we are out of sync if the
following:

> > b. conntrack entry is outdated, new SYN received
> >    - (b1) we ignore it but save the initialization data from it
> >    - (b2) when the reply SYN/ACK receives and it matches the saved data,
> >      we pick up the new connection
This is what it should happen if we are in SYN_RECV state. Initially,
the SYN packet hits b1, thus we save data from it. But the SYN/ACK
packet is considered a retransmission given that we're in SYN_RECV
state. Therefore, we never hit b2 and we don't get in sync. To fix
this, we ignore SYN/ACK if we are in SYN_RECV. If the previous packet
was a SYN, then we enter the ignore case that get us in sync.

This patch helps a lot to conntrackd in stress scenarios (assumming a
client that generates lots of small TCP connections). During the failover,
consider that the new primary has injected one outdated flow in SYN_RECV
state (this is likely to happen if the conntrack event rate is high
because the backup will be a bit delayed from the primary). With the
current code, if the client starts a new fresh connection that matches
the tuple, the SYN packet will be ignored without updating the state
tracking, and the SYN+ACK in reply will blocked as it will not pass
checkings III or IV (since all state tracking in the original direction
is not initialized because of the SYN packet was ignored and the ignore
case that get us in sync is not applied).

I posted a couple of patches before this one. Changli Gao spotted
a simpler way to fix this problem. This patch implements his idea.

Cc: Changli Gao <xiaosuo@gmail.com>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoipvs: unify the formula to estimate the overhead of processing connections
Changli Gao [Sat, 19 Feb 2011 09:32:28 +0000 (17:32 +0800)]
ipvs: unify the formula to estimate the overhead of processing connections

lc and wlc use the same formula, but lblc and lblcr use another one. There
is no reason for using two different formulas for the lc variants.

The formula used by lc is used by all the lc variants in this patch.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Wensong Zhang <wensong@linux-vs.org>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: use enum to instead of magic numbers
Changli Gao [Thu, 24 Feb 2011 00:19:57 +0000 (08:19 +0800)]
ipvs: use enum to instead of magic numbers

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: use hlist instead of list
Changli Gao [Sat, 19 Feb 2011 10:05:08 +0000 (18:05 +0800)]
ipvs: use hlist instead of list

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: make "no destination available" message more informative
Patrick Schaaf [Fri, 11 Feb 2011 13:01:12 +0000 (14:01 +0100)]
ipvs: make "no destination available" message more informative

When IP_VS schedulers do not find a destination, they output a terse
"WLC: no destination available" message through kernel syslog, which I
can not only make sense of because syslog puts them in a logfile
together with keepalived checker results.

This patch makes the output a bit more informative, by telling you which
virtual service failed to find a destination.

Example output:

kernel: [1539214.552233] IPVS: wlc: TCP 192.168.8.30:22 - no destination available
kernel: [1539299.674418] IPVS: wlc: FWM 22 0x00000016 - no destination available

I have tested the code for IPv4 and FWM services, as you can see from
the example; I do not have an IPv6 setup to test the third code path
with.

To avoid code duplication, I put a new function ip_vs_scheduler_err()
into ip_vs_sched.c, and use that from the schedulers instead of calling
IP_VS_ERR_RL directly.

Signed-off-by: Patrick Schaaf <netdev@bof.de>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: remove extra lookups for ICMP packets
Julian Anastasov [Wed, 9 Feb 2011 00:26:38 +0000 (02:26 +0200)]
ipvs: remove extra lookups for ICMP packets

  Remove code that should not be called anymore.
Now when ip_vs_out handles replies for local clients at
LOCAL_IN hook we do not need to call conn_out_get and
handle_response_icmp from ip_vs_in_icmp* because such
lookups were already performed for the ICMP packet and no
connection was found.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoipvs: fix timer in get_curr_sync_buff
Tinggong Wang [Wed, 9 Feb 2011 00:21:59 +0000 (02:21 +0200)]
ipvs: fix timer in get_curr_sync_buff

  Fix get_curr_sync_buff to keep buffer for 2 seconds
as intended, not just for the current jiffie. By this way
we will sync more connection structures with single packet.

Signed-off-by: Tinggong Wang <wangtinggong@gmail.com>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agonetfilter: nfnetlink_log: remove unused parameter
Florian Westphal [Tue, 15 Feb 2011 20:59:37 +0000 (21:59 +0100)]
netfilter: nfnetlink_log: remove unused parameter

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_conntrack: warn about use in raw table
Jan Engelhardt [Mon, 14 Feb 2011 16:28:55 +0000 (17:28 +0100)]
netfilter: xt_conntrack: warn about use in raw table

nfct happens to run after the raw table only.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoRevert "netfilter: xt_connlimit: connlimit-above early loop termination"
Stefan Berger [Mon, 14 Feb 2011 15:54:33 +0000 (16:54 +0100)]
Revert "netfilter: xt_connlimit: connlimit-above early loop termination"

This reverts commit 44bd4de9c2270b22c3c898310102bc6be9ed2978.

I have to revert the early loop termination in connlimit since it generates
problems when an iptables statement does not use -m state --state NEW before
the connlimit match extension.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agobridge: netfilter: fix information leak
Vasiliy Kulikov [Mon, 14 Feb 2011 15:49:23 +0000 (16:49 +0100)]
bridge: netfilter: fix information leak

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_connlimit: connlimit-above early loop termination
Stefan Berger [Fri, 11 Feb 2011 17:00:07 +0000 (18:00 +0100)]
netfilter: xt_connlimit: connlimit-above early loop termination

The patch below introduces an early termination of the loop that is
counting matches. It terminates once the counter has exceeded the
threshold provided by the user. There's no point in continuing the loop
afterwards and looking at other entries.

It plays together with the following code further below:

return (connections > info->limit) ^ info->inverse;

where connections is the result of the counted connection, which in turn
is the matches variable in the loop. So once

        -> matches = info->limit + 1
alias   -> matches > info->limit
alias   -> matches > threshold

we can terminate the loop.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: add dependency on CONFIG_NETFILTER_NETLINK
Patrick McHardy [Thu, 10 Feb 2011 09:13:07 +0000 (10:13 +0100)]
netfilter: ipset: add dependency on CONFIG_NETFILTER_NETLINK

When SYSCTL and PROC_FS and NETFILTER_NETLINK are not enabled:

net/built-in.o: In function `try_to_load_type':
ip_set_core.c:(.text+0x3ab49): undefined reference to `nfnl_unlock'
ip_set_core.c:(.text+0x3ab4e): undefined reference to `nfnl_lock'
...

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: precedence bug in ip_vs_sync_switch_mode()
Dan Carpenter [Mon, 7 Feb 2011 08:38:55 +0000 (11:38 +0300)]
IPVS: precedence bug in ip_vs_sync_switch_mode()

'!' has higher precedence than '&'.  IP_VS_STATE_MASTER is 0x1 so
the original code is equivelent to if (!ipvs->sync_state) ...

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Use correct lock in SCTP module
Simon Horman [Wed, 2 Feb 2011 22:22:43 +0000 (07:22 +0900)]
IPVS: Use correct lock in SCTP module

Use sctp_app_lock instead of tcp_app_lock in the SCTP protocol module.

This appears to be a typo introduced by the netns changes.

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
13 years agonetfilter: xtables: add device group match
Patrick McHardy [Wed, 2 Feb 2011 23:05:43 +0000 (00:05 +0100)]
netfilter: xtables: add device group match

Add a new 'devgroup' match to match on the device group of the
incoming and outgoing network device of a packet.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: send error message manually
Jozsef Kadlecsik [Wed, 2 Feb 2011 22:56:00 +0000 (23:56 +0100)]
netfilter: ipset: send error message manually

When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: fix linking with CONFIG_IPV6=n
Patrick McHardy [Wed, 2 Feb 2011 22:50:01 +0000 (23:50 +0100)]
netfilter: ipset: fix linking with CONFIG_IPV6=n

Add a dummy ip_set_get_ip6_port function that unconditionally
returns false for CONFIG_IPV6=n and convert the real function
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables module
when loading ipset.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: add missing break statemtns in ip_set_get_ip_port()
Patrick McHardy [Wed, 2 Feb 2011 08:31:37 +0000 (09:31 +0100)]
netfilter: ipset: add missing break statemtns in ip_set_get_ip_port()

Don't fall through in the switch statement, otherwise IPv4 headers
are incorrectly parsed again as IPv6 and the return value will always
be 'false'.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: install ipset related header files
Patrick McHardy [Tue, 1 Feb 2011 17:52:42 +0000 (18:52 +0100)]
netfilter: ipset: install ipset related header files

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: Remove ip_vs_sync_cleanup from section __exit
Simon Horman [Tue, 1 Feb 2011 17:30:26 +0000 (18:30 +0100)]
IPVS: Remove ip_vs_sync_cleanup from section __exit

ip_vs_sync_cleanup() may be called from ip_vs_init() on error
and thus needs to be accesible from section __init

Reporte-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: Allow compilation with CONFIG_SYSCTL disabled
Simon Horman [Tue, 1 Feb 2011 17:29:04 +0000 (18:29 +0100)]
IPVS: Allow compilation with CONFIG_SYSCTL disabled

This is a rather naieve approach to allowing PVS to compile with
CONFIG_SYSCTL disabled.  I am working on a more comprehensive patch which
will remove compilation of all sysctl-related IPVS code when CONFIG_SYSCTL
is disabled.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: Remove unused variables
Simon Horman [Tue, 1 Feb 2011 17:27:51 +0000 (18:27 +0100)]
IPVS: Remove unused variables

These variables are unused as a result of the recent netns work.

Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: remove duplicate initialisation or rs_table
Simon Horman [Tue, 1 Feb 2011 17:24:09 +0000 (18:24 +0100)]
IPVS: remove duplicate initialisation or rs_table

Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoIPVS: use z modifier for sizeof() argument
Simon Horman [Tue, 1 Feb 2011 17:21:53 +0000 (18:21 +0100)]
IPVS: use z modifier for sizeof() argument

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Tested-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ctnetlink: fix ctnetlink_parse_tuple() warning
Patrick McHardy [Tue, 1 Feb 2011 16:26:37 +0000 (17:26 +0100)]
netfilter: ctnetlink: fix ctnetlink_parse_tuple() warning

net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_parse_tuple':
net/netfilter/nf_conntrack_netlink.c:832:11: warning: comparison between 'enum ctattr_tuple' and 'enum ctattr_type'

Use ctattr_type for the 'type' parameter since that's the type of all attributes
passed to this function.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: remove unnecessary includes
Patrick McHardy [Tue, 1 Feb 2011 15:57:37 +0000 (16:57 +0100)]
netfilter: ipset: remove unnecessary includes

None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: use nla_parse_nested()
Patrick McHardy [Tue, 1 Feb 2011 15:27:25 +0000 (16:27 +0100)]
netfilter: ipset: use nla_parse_nested()

Replace calls of the form:

nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy)

by:

nla_parse_nested(tb, ATTR_MAX, attr, policy)

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xtables: "set" match and "SET" target support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:56:00 +0000 (15:56 +0100)]
netfilter: xtables: "set" match and "SET" target support

The patch adds the combined module of the "SET" target and "set" match
to netfilter. Both the previous and the current revisions are supported.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: list:set set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:54:59 +0000 (15:54 +0100)]
netfilter: ipset: list:set set type support

The module implements the list:set type support in two flavours:
without and with timeout. The sets has two sides: for the userspace,
they store the names of other (non list:set type of) sets: one can add,
delete and test set names. For the kernel, it forms an ordered union of
the member sets: the members sets are tried in order when elements are
added, deleted and tested and the process stops at the first success.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: hash:net,port set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:53:55 +0000 (15:53 +0100)]
netfilter: ipset: hash:net,port set type support

The module implements the hash:net,port type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are two dimensional: IPv4/IPv6 network address/prefix and protocol/port
pairs.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: hash:net set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:52:54 +0000 (15:52 +0100)]
netfilter: ipset: hash:net set type support

The module implements the hash:net type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are one dimensional: IPv4/IPv6 network address/prefixes.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: hash:ip,port,net set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:51:00 +0000 (15:51 +0100)]
netfilter: ipset: hash:ip,port,net set type support

The module implements the hash:ip,port,net type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
network address/prefix triples. The different prefixes are searched/matched
from the longest prefix to the shortes one (most specific to least).
In other words the processing time linearly grows with the number of
different prefixes in the set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: hash:ip,port,ip set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:41:26 +0000 (15:41 +0100)]
netfilter: ipset: hash:ip,port,ip set type support

The module implements the hash:ip,port,ip type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
address triples.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: hash:ip,port set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:39:52 +0000 (15:39 +0100)]
netfilter: ipset: hash:ip,port set type support

The module implements the hash:ip,port type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are two dimensional: IPv4/IPv6 address and protocol/port pairs. The port
is interpeted for TCP, UPD, ICMP and ICMPv6 (at the latters as type/code
of course).

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: hash:ip set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:38:36 +0000 (15:38 +0100)]
netfilter: ipset: hash:ip set type support

The module implements the hash:ip type support in four flavours:
for IPv4 or IPv6, both without and with timeout support.

All the hash types are based on the "array hash" or ahash structure
and functions as a good compromise between minimal memory footprint
and speed. The hashing uses arrays to resolve clashes. The hash table
is resized (doubled) when searching becomes too long. Resizing can be
triggered by userspace add commands only and those are serialized by
the nfnl mutex. During resizing the set is read-locked, so the only
possible concurrent operations are the kernel side readers. Those are
protected by RCU locking.

Because of the four flavours and the other hash types, the functions
are implemented in general forms in the ip_set_ahash.h header file
and the real functions are generated before compiling by macro expansion.
Thus the dereferencing of low-level functions and void pointer arguments
could be avoided: the low-level functions are inlined, the function
arguments are pointers of type-specific structures.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset; bitmap:port set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:37:04 +0000 (15:37 +0100)]
netfilter: ipset; bitmap:port set type support

The module implements the bitmap:port type in two flavours, without
and with timeout support to store TCP/UDP ports from a range.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: bitmap:ip,mac type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:35:12 +0000 (15:35 +0100)]
netfilter: ipset: bitmap:ip,mac type support

The module implements the bitmap:ip,mac set type in two flavours,
without and with timeout support. In this kind of set one can store
IPv4 address and (source) MAC address pairs. The type supports elements
added without the MAC part filled out: when the first matching from kernel
happens, the MAC part is automatically filled out. The timing out of the
elements stars when an element is complete in the IP,MAC pair.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: bitmap:ip set type support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:33:17 +0000 (15:33 +0100)]
netfilter: ipset: bitmap:ip set type support

The module implements the bitmap:ip set type in two flavours, without
and with timeout support. In this kind of set one can store IPv4
addresses (or network addresses) from a given range.

In order not to waste memory, the timeout version does not rely on
the kernel timer for every element to be timed out but on garbage
collection. All set types use this mechanism.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: IP set core support
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:28:35 +0000 (15:28 +0100)]
netfilter: ipset: IP set core support

The patch adds the IP set core support to the kernel.

The IP set core implements a netlink (nfnetlink) based protocol by which
one can create, destroy, flush, rename, swap, list, save, restore sets,
and add, delete, test elements from userspace. For simplicity (and backward
compatibilty and for not to force ip(6)tables to be linked with a netlink
library) reasons a small getsockopt-based protocol is also kept in order
to communicate with the ip(6)tables match and target.

The netlink protocol passes all u16, etc values in network order with
NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.

For other kernel subsystems (netfilter match and target) the API contains
the functions to add, delete and test elements in sets and the required calls
to get/put refereces to the sets before those operations can be performed.

The set types (which are implemented in independent modules) are stored
in a simple RCU protected list. A set type may have variants: for example
without timeout or with timeout support, for IPv4 or for IPv6. The sets
(i.e. the pointers to the sets) are stored in an array. The sets are
identified by their index in the array, which makes possible easy and
fast swapping of sets. The array is protected indirectly by the nfnl
mutex from nfnetlink. The content of the sets are protected by the rwlock
of the set.

There are functional differences between the add/del/test functions
for the kernel and userspace:

- kernel add/del/test: works on the current packet (i.e. one element)
- kernel test: may trigger an "add" operation  in order to fill
  out unspecified parts of the element from the packet (like MAC address)
- userspace add/del: works on the netlink message and thus possibly
  on multiple elements from the IPSET_ATTR_ADT container attribute.
- userspace add: may trigger resizing of a set

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros
Jozsef Kadlecsik [Tue, 1 Feb 2011 14:20:14 +0000 (15:20 +0100)]
netfilter: NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros

The patch adds the NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros to the
vanilla kernel.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_iprange: add IPv6 match debug print code
Thomas Jacob [Fri, 28 Jan 2011 18:33:13 +0000 (19:33 +0100)]
netfilter: xt_iprange: add IPv6 match debug print code

Signed-off-by: Thomas Jacob <jacob@internet24.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xt_iprange: typo in IPv4 match debug print code
Thomas Jacob [Thu, 27 Jan 2011 09:56:32 +0000 (10:56 +0100)]
netfilter: xt_iprange: typo in IPv4 match debug print code

Signed-off-by: Thomas Jacob <jacob@internet24.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoMerge branch 'connlimit' of git://dev.medozas.de/linux
Patrick McHardy [Wed, 26 Jan 2011 15:28:45 +0000 (16:28 +0100)]
Merge branch 'connlimit' of git://dev.medozas.de/linux

13 years agonetfilter: xt_connlimit: pick right dstaddr in NAT scenario
Jan Engelhardt [Wed, 26 Jan 2011 10:50:03 +0000 (11:50 +0100)]
netfilter: xt_connlimit: pick right dstaddr in NAT scenario

xt_connlimit normally records the "original" tuples in a hashlist
(such as "1.2.3.4 -> 5.6.7.8"), and looks in this list for iph->daddr
when counting.

When the user however uses DNAT in PREROUTING, looking for
iph->daddr -- which is now 192.168.9.10 -- will not match. Thus in
daddr mode, we need to record the reverse direction tuple
("192.168.9.10 -> 1.2.3.4") instead. In the reverse tuple, the dst
addr is on the src side, which is convenient, as count_them still uses
&conn->tuple.src.u3.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
13 years agonetfilter: ipvs: fix compiler warnings
Changli Gao [Tue, 25 Jan 2011 04:40:18 +0000 (12:40 +0800)]
netfilter: ipvs: fix compiler warnings

Fix compiler warnings when IP_VS_DBG() isn't defined.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS netns BUG, register sysctl for root ns
Hans Schillstrom [Mon, 24 Jan 2011 14:14:41 +0000 (15:14 +0100)]
IPVS netns BUG, register sysctl for root ns

The newly created table was not used when register sysctl for a new namespace.
I.e. sysctl doesn't work for other than root namespace (init_net)

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agoIPVS: Change sock_create_kernel() to __sock_create()
Simon Horman [Sat, 22 Jan 2011 02:48:01 +0000 (13:48 +1100)]
IPVS: Change sock_create_kernel() to __sock_create()

The recent netns changes omitted to change
sock_create_kernel() to __sock_create() in ip_vs_sync.c

The effect of this is that the interface will be selected in the
root-namespace, from my point of view it's a major bug.

Reported-by: Hans Schillstrom <hans@schillstrom.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agonetfilter: ipvs: fix compiler warnings
Changli Gao [Fri, 21 Jan 2011 10:02:13 +0000 (18:02 +0800)]
netfilter: ipvs: fix compiler warnings

Fix compiler warnings when no transport protocol load balancing support
is configured.

[horms@verge.net.au: removed suprious __ip_vs_cleanup() clean-up hunk]
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
13 years agonetfilter: add a missing include in nf_conntrack_reasm.c
Eric Dumazet [Thu, 20 Jan 2011 20:00:38 +0000 (21:00 +0100)]
netfilter: add a missing include in nf_conntrack_reasm.c

After commit ae90bdeaeac6b (netfilter: fix compilation when conntrack is
disabled but tproxy is enabled) we have following warnings :

net/ipv6/netfilter/nf_conntrack_reasm.c:520:16: warning: symbol
'nf_ct_frag6_gather' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:591:6: warning: symbol
'nf_ct_frag6_output' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:612:5: warning: symbol
'nf_ct_frag6_init' was not declared. Should it be static?
net/ipv6/netfilter/nf_conntrack_reasm.c:640:6: warning: symbol
'nf_ct_frag6_cleanup' was not declared. Should it be static?

Fix this including net/netfilter/ipv6/nf_defrag_ipv6.h

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: KOVACS Krisztian <hidden@balabit.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: nf_conntrack: fix linker error with NF_CONNTRACK_TIMESTAMP=n
Patrick McHardy [Thu, 20 Jan 2011 19:46:52 +0000 (20:46 +0100)]
netfilter: nf_conntrack: fix linker error with NF_CONNTRACK_TIMESTAMP=n

net/built-in.o: In function `nf_conntrack_init_net':
net/netfilter/nf_conntrack_core.c:1521:
undefined reference to `nf_conntrack_tstamp_init'
net/netfilter/nf_conntrack_core.c:1531:
undefined reference to `nf_conntrack_tstamp_fini'

Add dummy inline functions for the =n case to fix this.

Reported-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: xtables: add missing header inclusions for headers_check
Jan Engelhardt [Thu, 20 Jan 2011 16:50:17 +0000 (17:50 +0100)]
netfilter: xtables: add missing header inclusions for headers_check

Resolve these warnings on `make headers_check`:

usr/include/linux/netfilter/xt_CT.h:7: found __[us]{8,16,32,64} type
without #include <linux/types.h>
...

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
13 years agonetfilter: nf_nat: place conntrack in source hash after SNAT is done
Changli Gao [Thu, 20 Jan 2011 14:49:52 +0000 (15:49 +0100)]
netfilter: nf_nat: place conntrack in source hash after SNAT is done

If SNAT isn't done, the wrong info maybe got by the other cts.

As the filter table is after DNAT table, the packets dropped in filter
table also bother bysource hash table.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoMerge branch 'connlimit' of git://dev.medozas.de/linux
Patrick McHardy [Thu, 20 Jan 2011 13:17:32 +0000 (14:17 +0100)]
Merge branch 'connlimit' of git://dev.medozas.de/linux

13 years agonetfilter: xtables: remove duplicate member
Jan Engelhardt [Thu, 20 Jan 2011 13:01:12 +0000 (14:01 +0100)]
netfilter: xtables: remove duplicate member

Accidentally missed removing the old out-of-union "inverse" member,
which caused the struct size to change which then gives size mismatch
warnings when using an old iptables.

It is interesting to see that gcc did not warn about this before.
(Filed http://gcc.gnu.org/bugzilla/show_bug.cgi?id=47376 )

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
13 years agoMerge branch 'connlimit' of git://dev.medozas.de/linux
Patrick McHardy [Thu, 20 Jan 2011 09:33:55 +0000 (10:33 +0100)]
Merge branch 'connlimit' of git://dev.medozas.de/linux

Conflicts:
Documentation/feature-removal-schedule.txt

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: do not omit re-route check on NF_QUEUE verdict
Florian Westphal [Thu, 20 Jan 2011 09:23:26 +0000 (10:23 +0100)]
netfilter: do not omit re-route check on NF_QUEUE verdict

ret != NF_QUEUE only works in the "--queue-num 0" case; for
queues > 0 the test should be '(ret & NF_VERDICT_MASK) != NF_QUEUE'.

However, NF_QUEUE no longer DROPs the skb unconditionally if queueing
fails (due to NF_VERDICT_FLAG_QUEUE_BYPASS verdict flag), so the
re-route test should also be performed if this flag is set in the
verdict.

The full test would then look something like

&& ((ret & NF_VERDICT_MASK) == NF_QUEUE && (ret & NF_VERDICT_FLAG_QUEUE_BYPASS))

This is rather ugly, so just remove the NF_QUEUE test altogether.

The only effect is that we might perform an unnecessary route lookup
in the NF_QUEUE case.

ip6table_mangle did not have such a check.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
David S. Miller [Thu, 20 Jan 2011 08:06:15 +0000 (00:06 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-next-2.6

13 years agonetfilter: xtables: remove extraneous header that slipped in
Jan Engelhardt [Thu, 20 Jan 2011 07:48:15 +0000 (08:48 +0100)]
netfilter: xtables: remove extraneous header that slipped in

Commit 0b8ad87 (netfilter: xtables: add missing header files to export
list) erroneously added this.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonet_sched: cleanups
Eric Dumazet [Wed, 19 Jan 2011 19:26:56 +0000 (19:26 +0000)]
net_sched: cleanups

Cleanup net/sched code to current CodingStyle and practices.

Reduce inline abuse

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoaf_unix: coding style: remove one level of indentation in unix_shutdown()
Alban Crequy [Wed, 19 Jan 2011 04:56:36 +0000 (04:56 +0000)]
af_unix: coding style: remove one level of indentation in unix_shutdown()

Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
Reviewed-by: Ian Molton <ian.molton@collabora.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet_sched: implement a root container qdisc sch_mqprio
John Fastabend [Mon, 17 Jan 2011 08:06:09 +0000 (08:06 +0000)]
net_sched: implement a root container qdisc sch_mqprio

This implements a mqprio queueing discipline that by default creates
a pfifo_fast qdisc per tx queue and provides the needed configuration
interface.

Using the mqprio qdisc the number of tcs currently in use along
with the range of queues alloted to each class can be configured. By
default skbs are mapped to traffic classes using the skb priority.
This mapping is configurable.

Configurable parameters,

struct tc_mqprio_qopt {
__u8    num_tc;
__u8    prio_tc_map[TC_BITMASK + 1];
__u8    hw;
__u16   count[TC_MAX_QUEUE];
__u16   offset[TC_MAX_QUEUE];
};

Here the count/offset pairing give the queue alignment and the
prio_tc_map gives the mapping from skb->priority to tc.

The hw bit determines if the hardware should configure the count
and offset values. If the hardware bit is set then the operation
will fail if the hardware does not implement the ndo_setup_tc
operation. This is to avoid undetermined states where the hardware
may or may not control the queue mapping. Also minimal bounds
checking is done on the count/offset to verify a queue does not
exceed num_tx_queues and that queue ranges do not overlap. Otherwise
it is left to user policy or hardware configuration to create
useful mappings.

It is expected that hardware QOS schemes can be implemented by
creating appropriate mappings of queues in ndo_tc_setup().

One expected use case is drivers will use the ndo_setup_tc to map
queue ranges onto 802.1Q traffic classes. This provides a generic
mechanism to map network traffic onto these traffic classes and
removes the need for lower layer drivers to know specifics about
traffic types.

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>