1. 28 Sep, 2012 3 commits
  2. 10 Sep, 2012 2 commits
  3. 30 Aug, 2012 4 commits
    • ipvs: fix error return code · 0a54e939
      Julia Lawall authored
      Initialize return variable before exiting on an error path.
      A simplified version of the semantic match that finds this problem is as
      follows: (http://coccinelle.lip6.fr/)
      // <smpl>
      if@p1 (\(ret < 0\|ret != 0\))
       { ... return ret; }
      ret@p1 = 0
      ... when != ret = e1
          when != &ret
        ... when != ret = e2
            when forall
       return ret;
      // </smpl>
      Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
      Acked-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
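A concrete instance of the pattern the semantic patch above matches, as an added illustration that is not the ipvs code this commit fixed. The function and helper names (probe_old, probe_fixed, stage_one, stage_two, err_step) are invented for the example; the point is the stale "ret = 0" that survives into the error path.

```c
/* Added illustration, not kernel code: the bug class that the SmPL rule
 * above reports. Names (probe_old, probe_fixed, stage_one, stage_two,
 * err_step) are invented for this example. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulated sub-steps; err_step selects which one fails (0 = none). */
static int stage_one(int err_step) { return err_step == 1 ? -EINVAL : 0; }
static bool stage_two(int err_step) { return err_step != 2; }

/* Before: ret is set to 0 once stage_one() succeeds and is never assigned
 * again on the stage_two() failure path, so the caller sees success for a
 * failed probe. This is what the rule flags: "ret = 0", no later assignment
 * to ret, and a "return ret" reached from an error branch. */
static int probe_old(int err_step)
{
    int ret;

    ret = stage_one(err_step);
    if (ret < 0)
        return ret;

    ret = 0;
    if (!stage_two(err_step))
        goto out;          /* bug: ret is still 0 here */
    /* ... normal completion ... */
out:
    return ret;
}

/* After: initialise the return code on the error path before jumping out.
 * -ENOMEM is an arbitrary choice for the example. */
static int probe_fixed(int err_step)
{
    int ret;

    ret = stage_one(err_step);
    if (ret < 0)
        return ret;

    ret = 0;
    if (!stage_two(err_step)) {
        ret = -ENOMEM;
        goto out;
    }
    /* ... normal completion ... */
out:
    return ret;
}

int main(void)
{
    /* Constructed input: stage_two() fails. */
    printf("old: %d, fixed: %d\n", probe_old(2), probe_fixed(2));
    return 0;
}
```

Running it prints `old: 0, fixed: -12`: the unfixed version reports success to its caller even though the second stage failed.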
    • netfilter: nf_nat: add protoff argument to packet mangling functions · 051966c0
      Patrick McHardy authored
      For mangling IPv6 packets the protocol header offset needs to be known
      by the NAT packet mangling functions. Add a so far unused protoff argument
      and convert the conntrack and NAT helpers to use it in preparation of
      IPv6 NAT.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nf_conntrack_ipv6: improve fragmentation handling · 4cdd3408
      Patrick McHardy authored
      The IPv6 conntrack fragmentation currently has a couple of shortcomings.
      Fragments are collected in PREROUTING/OUTPUT, are defragmented, the
      defragmented packet is then passed to conntrack, the resulting conntrack
      information is attached to each original fragment and the fragments then
      continue their way through the stack.
      Helper invocation occurs in the POSTROUTING hook, at which point only
      the original fragments are available. The result of this is that
      fragmented packets are never passed to helpers.
      This patch improves the situation in the following way:
      - If a reassembled packet belongs to a connection that has a helper
        assigned, the reassembled packet is passed through the stack instead
        of the original fragments.
      - During defragmentation, the largest received fragment size is stored.
        On output, the packet is refragmented if required. If the largest
        received fragment size exceeds the outgoing MTU, a "packet too big"
        message is generated, thus behaving as if the original fragments
        were passed through the stack from an outside point of view.
      - The ipv6_helper() hook function can't receive fragments anymore for
        connections using a helper, so it is switched to use ipv6_skip_exthdr()
        instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the
        reassembled packets are passed to connection tracking helpers.
      The result of this is that we can properly track fragmented packets, but
      still generate ICMPv6 Packet too big messages if we would have before.
      This patch is also required as a precondition for IPv6 NAT, where NAT
      helpers might enlarge packets up to a point that they require
      fragmentation. In that case we can't generate Packet too big messages
      since the proper MTU can't be calculated in all cases (f.i. when
      changing textual representation of a variable amount of addresses),
      so the packet is transparently fragmented iff the original packet or
      fragments would have fit the outgoing MTU.
      IPVS parts by Jesper Dangaard Brouer <brouer@redhat.com>.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • ipvs: IPv6 MTU checking cleanup and bugfix · 590e3f79
      Jesper Dangaard Brouer authored
      Cleaning up the IPv6 MTU checking in the IPVS xmit code, by using
      a common helper function __mtu_check_toobig_v6().
      The MTU check for tunnel mode can also use this helper as
      ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr) is equal to
      skb->len.  And the 'mtu' variable has been adjusted before
      calling helper.
      Notice, this also fixes a bug, as the MTU check in ip_vs_dr_xmit_v6()
      was missing a check for skb_is_gso().
      This bug e.g. caused issues for KVM IPVS setups, where different
      Segmentation Offloading techniques are utilized, between guests,
      via the virtio driver.  This resulted in very bad performance,
      because the ICMPv6 "too big" messages didn't affect the sender.
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
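The output-side MTU logic that the two commits above describe (the "largest received fragment" rule of 4cdd3408 and the skb_is_gso() exemption of 590e3f79), as an added example that is not netfilter or IPVS code. It uses plain integers instead of sk_buff and invented names (v6_toobig_old, v6_toobig, v6_output_verdict, V6_*); the old/new pair shows why the missing GSO check produced spurious Packet Too Big messages for virtio guests.

```c
/* Added illustration, not kernel code: models the IPv6 output MTU decision
 * described in the two commits above. All names here are invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40u   /* sizeof(struct ipv6hdr) */

enum v6_verdict { V6_PASS = 0, V6_REFRAGMENT = 1, V6_TOO_BIG = 2 };

/* skb->len of an IPv6 packet is the fixed header plus the payload length
 * field, which is why the tunnel-mode check can use skb->len directly. */
static uint32_t v6_skb_len(uint16_t payload_len)
{
    return IPV6_HDR_LEN + payload_len;
}

/* The check ip_vs_dr_xmit_v6() had before the fix: no skb_is_gso() test, so
 * a GSO super-packet (bigger than any link MTU, segmented by the NIC after
 * this point) is wrongly reported as too big. */
static bool v6_toobig_old(uint32_t len, bool gso, uint32_t mtu)
{
    (void)gso;
    return len > mtu;
}

/* Counterpart of the commit's __mtu_check_toobig_v6(): GSO packets are never
 * "too big" here because segmentation happens later. */
static bool v6_toobig(uint32_t len, bool gso, uint32_t mtu)
{
    if (gso)
        return false;
    return len > mtu;
}

/* Output decision for a packet that conntrack reassembled for a helper.
 * frag_max_size is the largest fragment received during defragmentation
 * (0 = the packet was never fragmented). From the outside this behaves as
 * if the original fragments had been forwarded: a fragment that would not
 * have fit the outgoing MTU triggers Packet Too Big, otherwise the
 * reassembled packet is refragmented transparently. */
static enum v6_verdict v6_output_verdict(uint32_t len, uint32_t frag_max_size,
                                         bool gso, uint32_t mtu)
{
    if (frag_max_size == 0)
        return v6_toobig(len, gso, mtu) ? V6_TOO_BIG : V6_PASS;
    if (frag_max_size > mtu)
        return V6_TOO_BIG;      /* ICMPv6 Packet Too Big, as before the change */
    if (len > mtu)
        return V6_REFRAGMENT;   /* refragment on output */
    return V6_PASS;
}

int main(void)
{
    /* Constructed sample: a 64 KiB GSO packet leaving a 1500-byte link. */
    printf("old check: %d, fixed check: %d\n",
           v6_toobig_old(65535, true, 1500), v6_toobig(65535, true, 1500));
    /* Constructed sample: 3000 bytes reassembled from 1280-byte fragments. */
    printf("verdict: %d\n", v6_output_verdict(3000, 1280, false, 1500));
    return 0;
}
```

The first line of output is `old check: 1, fixed check: 0`: the old check would have sent a Packet Too Big for a packet the NIC was about to segment anyway, which is the KVM/virtio symptom the commit describes.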
  4. 16 Aug, 2012 1 commit
  5. 10 Aug, 2012 5 commits
    • ipvs: add pmtu_disc option to disable IP DF for TUN packets · 3654e611
      Julian Anastasov authored
      Disabling PMTU discovery can increase the output packet
      rate but some users have enough resources and prefer to fragment
      than to drop traffic. By default, we copy the DF bit but if
      pmtu_disc is disabled we do not send FRAG_NEEDED messages anymore.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: implement passive PMTUD for IPIP packets · f2edb9f7
      Julian Anastasov authored
      IPVS is missing the logic to update PMTU in routing
      for its IPIP packets. We monitor the dst_mtu and can return
      FRAG_NEEDED messages but if the tunneled packets get ICMP
      error we can not rely on other traffic to save the lowest
      The following patch adds ICMP handling for IPIP
      packets in incoming direction, from some remote host to
      our local IP used as saddr in the outer header. By this
      way we can forward any related ICMP traffic if it is for IPVS
      TUN connection. For the special case of PMTUD we update the
      routing and if client requested DF we can forward the
      To properly update the routing we have to bind
      the cached route (dest->dst_cache) to the selected saddr
      because ipv4_update_pmtu uses saddr for dst lookup.
      Add IP_VS_RT_MODE_CONNECT flag to force such binding with
      second route.
      Update ip_vs_tunnel_xmit to provide IP_VS_RT_MODE_CONNECT
      and change the code to copy DF. For now we prefer not to
      force PMTU discovery (outer DF=1) because we don't have
      configuration option to enable or disable PMTUD. As we
      do not keep any packets to resend, we prefer not to
      play games with packets without DF bit because the sender
      is not informed when they are rejected.
      Also, change ops->update_pmtu to be called only
      for local clients because there is no point to update
      MTU for input routes, in our case skb->dst->dev is lo.
      It seems the code is copied from ipip.c where the skb
      dst points to tunnel device.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
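The TUN-mode transmit decision that the two commits above (3654e611 and f2edb9f7) describe, as an added example that is not IPVS code: the outer DF bit is copied from the inner header unless pmtu_disc is off, an oversized DF packet gets a FRAG_NEEDED back, and a FRAG_NEEDED received for our own IPIP packets lowers the cached path MTU. The names (tun_outer_df, tun_xmit_verdict, tun_inner_mtu, tun_update_pmtu, TUN_*) are invented, and tun_update_pmtu is a simplified "take the minimum" model rather than the kernel's ipv4_update_pmtu().

```c
/* Added illustration, not IPVS code: outer-header DF handling for IPIP
 * (TUN mode) encapsulation as the commits above describe it. All names
 * are invented for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPIP_HDR_LEN 20u   /* outer IPv4 header added in TUN mode */

enum tun_verdict { TUN_SEND = 0, TUN_FRAGMENT = 1, TUN_FRAG_NEEDED = 2 };

/* Outer DF: copied from the inner header while pmtu_disc is enabled;
 * cleared when the admin disabled pmtu_disc, so the tunneled packet may
 * be fragmented instead of dropped. */
static bool tun_outer_df(bool inner_df, bool pmtu_disc)
{
    return pmtu_disc && inner_df;
}

/* FRAG_NEEDED must report the MTU the client has to fit into: the path
 * MTU minus the encapsulation overhead ('mtu' adjusted before the check). */
static uint32_t tun_inner_mtu(uint32_t outer_mtu)
{
    return outer_mtu - IPIP_HDR_LEN;
}

/* What happens to an inner packet of inner_len bytes on a path with
 * outer MTU 'mtu'. GSO packets are segmented later and skip the check. */
static enum tun_verdict tun_xmit_verdict(uint32_t inner_len, bool inner_df,
                                         bool gso, bool pmtu_disc, uint32_t mtu)
{
    if (gso || inner_len <= tun_inner_mtu(mtu))
        return TUN_SEND;
    if (tun_outer_df(inner_df, pmtu_disc))
        return TUN_FRAG_NEEDED;   /* ICMP type 3 code 4 back to the client */
    return TUN_FRAGMENT;          /* outer DF=0: let the stack fragment */
}

/* Passive PMTUD (simplified model, an assumption of this example): an ICMP
 * FRAG_NEEDED received for our tunneled packets lowers the cached MTU for
 * that destination and is ignored if it would raise it. */
static uint32_t tun_update_pmtu(uint32_t cached_mtu, uint32_t reported_mtu)
{
    return reported_mtu < cached_mtu ? reported_mtu : cached_mtu;
}

int main(void)
{
    /* Constructed sample: 1500-byte DF packet into a tunnel over a 1500 link. */
    printf("pmtu_disc on: %d, pmtu_disc off: %d, client MTU: %u\n",
           tun_xmit_verdict(1500, true, false, true, 1500),
           tun_xmit_verdict(1500, true, false, false, 1500),
           tun_inner_mtu(1500));
    return 0;
}
```

With pmtu_disc enabled the sample prints verdict 2 (FRAG_NEEDED with MTU 1480); with it disabled the same packet is fragmented and sent, which is the trade-off the first commit offers.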
    • ipvs: fixed sparse warning · 2b2d2808
      Claudiu Ghioc authored
      Removed the following sparse warnings, whether CONFIG_SYSCTL
      is defined or not:
      * warning: symbol 'ip_vs_control_net_init_sysctl' was not
        declared. Should it be static?
      * warning: symbol 'ip_vs_control_net_cleanup_sysctl' was
        not declared. Should it be static?
      Signed-off-by: Claudiu Ghioc <claudiu.ghioc@gmail.com>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: generalize app registration in netns · be97fdb5
      Julian Anastasov authored
      Get rid of the ftp_app pointer and allow applications
      to be registered without adding fields in the netns_ipvs structure.
      v2: fix coding style as suggested by Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper · aaea4ed7
      Julian Anastasov authored
      The FTP application indirectly depends on the
      nf_conntrack_ftp helper for proper NAT support. If the
      module is not loaded, IPVS can resize the packets for the
      command connection, eg. PASV response but the SEQ adjustment
      logic in ipv4_confirm is not called without helper.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  6. 17 Jul, 2012 2 commits
  7. 25 Jun, 2012 1 commit
  8. 07 Jun, 2012 1 commit
  9. 04 Jun, 2012 1 commit
  10. 08 May, 2012 17 commits
  11. 30 Apr, 2012 3 commits