1. 19 Mar, 2013 1 commit
  2. 28 Feb, 2013 1 commit
    • hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin authored
      
      
      I'm not sure why, but the hlist for each entry iterators were conceived
      
              list_for_each_entry(pos, head, member)
      
      The hlist ones were greedy and wanted an extra parameter:
      
              hlist_for_each_entry(tpos, pos, head, member)
      
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      do they not really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      
      Besides the semantic patch, there was some manual work required:
      
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      
      @@
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      @@
      
      -T b;
          <+... when != b
      (
      hlist_for_each_entry(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue(a,
      - b,
      c) S
      |
      hlist_for_each_entry_from(a,
      - b,
      c) S
      |
      hlist_for_each_entry_rcu(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_rcu_bh(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue_rcu_bh(a,
      - b,
      c) S
      |
      for_each_busy_worker(a, c,
      - b,
      d) S
      |
      ax25_uid_for_each(a,
      - b,
      c) S
      |
      ax25_for_each(a,
      - b,
      c) S
      |
      inet_bind_bucket_for_each(a,
      - b,
      c) S
      |
      sctp_for_each_hentry(a,
      - b,
      c) S
      |
      sk_for_each(a,
      - b,
      c) S
      |
      sk_for_each_rcu(a,
      - b,
      c) S
      |
      sk_for_each_from
      -(a, b)
      +(a)
      S
      + sk_for_each_from(a) S
      |
      sk_for_each_safe(a,
      - b,
      c, d) S
      |
      sk_for_each_bound(a,
      - b,
      c) S
      |
      hlist_for_each_entry_safe(a,
      - b,
      c, d, e) S
      |
      hlist_for_each_entry_continue_rcu(a,
      - b,
      c) S
      |
      nr_neigh_for_each(a,
      - b,
      c) S
      |
      nr_neigh_for_each_safe(a,
      - b,
      c, d) S
      |
      nr_node_for_each(a,
      - b,
      c) S
      |
      nr_node_for_each_safe(a,
      - b,
      c, d) S
      |
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      |
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      |
      for_each_host(a,
      - b,
      c) S
      |
      for_each_host_safe(a,
      - b,
      c, d) S
      |
      for_each_mesh_entry(a,
      - b,
      c, d) S
      )
          ...+>
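      Review bot: the iterator name declaration at the top lists for_each_host
      but not for_each_host_safe or for_each_mesh_entry, although both appear as
      branches of the disjunction; add them to the declaration alongside the
      others. In the sk_for_each_from branch, the "+(a)" line already supplies
      the new argument list, so the following "+ sk_for_each_from(a) S" line
      looks like a leftover that would add a second copy of the loop and should
      be dropped.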
      
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foudnation.org: redo intrusive kvm changes]
      Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  3. 18 Feb, 2013 2 commits
  4. 06 Feb, 2013 1 commit
    • ipvs: sctp: fix checksumming on snat and dnat handlers · 4b47bc9a
      Daniel Borkmann authored
      In our test lab, we have a simple SCTP client connecting to a SCTP
      server via an IPVS load balancer. On some machines, load balancing
      works, but on others the initial handshake just fails, thus no
      SCTP connection whatsoever can be established!
      
      We observed that the SCTP INIT-ACK handshake reply from the IPVS
      machine to the client had a correct IP checksum, but corrupt SCTP
      checksum when forwarded, thus on the client-side the packet was
      dropped and an initial handshake retriggered until all attempts
      run into the void.
      
      To fix this issue, this patch i) adds a missing CHECKSUM_UNNECESSARY
      after the full checksum (re-)calculation (as done in IPVS TCP and UDP
      code as well), ii) calculates the checksum in little-endian format
      (as fixed with the SCTP code in commit 4458f04c: sctp: Clean up sctp
      checksumming code) and iii) refactors duplicate checksum code into a
      common function. Tested by myself.
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  5. 04 Feb, 2013 1 commit
  6. 28 Jan, 2013 1 commit
  7. 19 Nov, 2012 3 commits
  8. 28 Oct, 2012 1 commit
  9. 09 Oct, 2012 1 commit
    • ipvs: initialize returned data in do_ip_vs_get_ctl · b61a602e
      Arnd Bergmann authored
      
      
      As reported by a gcc warning, the do_ip_vs_get_ctl does not initialize
      all the members of the ip_vs_timeout_user structure it returns if
      at least one of the TCP or UDP protocols is disabled for ipvs.
      
      This makes sure that the data is always initialized, before it is
      returned as a response to IPVS_CMD_GET_CONFIG or printed as a
      debug message in IPVS_CMD_SET_CONFIG.
      
      Without this patch, building ARM ixp4xx_defconfig results in:
      
      net/netfilter/ipvs/ip_vs_ctl.c: In function 'ip_vs_genl_set_cmd':
      net/netfilter/ipvs/ip_vs_ctl.c:2238:47: warning: 't.udp_timeout' may be used uninitialized in this function [-Wuninitialized]
      net/netfilter/ipvs/ip_vs_ctl.c:3322:28: note: 't.udp_timeout' was declared here
      net/netfilter/ipvs/ip_vs_ctl.c:2238:47: warning: 't.tcp_fin_timeout' may be used uninitialized in this function [-Wuninitialized]
      net/netfilter/ipvs/ip_vs_ctl.c:3322:28: note: 't.tcp_fin_timeout' was declared here
      net/netfilter/ipvs/ip_vs_ctl.c:2238:47: warning: 't.tcp_timeout' may be used uninitialized in this function [-Wuninitialized]
      net/netfilter/ipvs/ip_vs_ctl.c:3322:28: note: 't.tcp_timeout' was declared here
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  10. 08 Oct, 2012 1 commit
  11. 28 Sep, 2012 6 commits
  12. 10 Sep, 2012 2 commits
  13. 30 Aug, 2012 4 commits
    • ipvs: fix error return code · 0a54e939
      Julia Lawall authored
      Initialize return variable before exiting on an error path.
      
      A simplified version of the semantic match that finds this problem is as
      follows: (http://coccinelle.lip6.fr/)
      
      // <smpl>
      (
      if@p1 (\(ret < 0\|ret != 0\))
       { ... return ret; }
      |
      ret@p1 = 0
      )
      ... when != ret = e1
          when != &ret
      *if(...)
      {
        ... when != ret = e2
            when forall
       return ret;
      }
      
      // </smpl>
      Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
      Acked-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_nat: add protoff argument to packet mangling functions · 051966c0
      Patrick McHardy authored
      
      
      For mangling IPv6 packets the protocol header offset needs to be known
      by the NAT packet mangling functions. Add a so far unused protoff argument
      and convert the conntrack and NAT helpers to use it in preparation of
      IPv6 NAT.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nf_conntrack_ipv6: improve fragmentation handling · 4cdd3408
      Patrick McHardy authored
      
      
      The IPv6 conntrack fragmentation currently has a couple of shortcomings.
      Fragments are collected in PREROUTING/OUTPUT, are defragmented, the
      defragmented packet is then passed to conntrack, the resulting conntrack
      information is attached to each original fragment and the fragments then
      continue their way through the stack.
      
      Helper invocation occurs in the POSTROUTING hook, at which point only
      the original fragments are available. The result of this is that
      fragmented packets are never passed to helpers.
      
      This patch improves the situation in the following way:
      
      - If a reassembled packet belongs to a connection that has a helper
        assigned, the reassembled packet is passed through the stack instead
        of the original fragments.
      
      - During defragmentation, the largest received fragment size is stored.
        On output, the packet is refragmented if required. If the largest
        received fragment size exceeds the outgoing MTU, a "packet too big"
        message is generated, thus behaving as if the original fragments
        were passed through the stack from an outside point of view.
      
      - The ipv6_helper() hook function can't receive fragments anymore for
        connections using a helper, so it is switched to use ipv6_skip_exthdr()
        instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the
        reassembled packets are passed to connection tracking helpers.
      
      The result of this is that we can properly track fragmented packets, but
      still generate ICMPv6 Packet too big messages if we would have before.
      
      This patch is also required as a precondition for IPv6 NAT, where NAT
      helpers might enlarge packets up to a point that they require
      fragmentation. In that case we can't generate Packet too big messages
      since the proper MTU can't be calculated in all cases (f.i. when
      changing textual representation of a variable amount of addresses),
      so the packet is transparently fragmented iff the original packet or
      fragments would have fit the outgoing MTU.
      
      IPVS parts by Jesper Dangaard Brouer <brouer@redhat.com>.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • ipvs: IPv6 MTU checking cleanup and bugfix · 590e3f79
      Jesper Dangaard Brouer authored
      
      
      Cleaning up the IPv6 MTU checking in the IPVS xmit code, by using
      a common helper function __mtu_check_toobig_v6().
      
      The MTU check for tunnel mode can also use this helper as
      ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr) is equal to
      skb->len.  And the 'mtu' variable has been adjusted before
      calling helper.
      
      Notice, this also fixes a bug, as the MTU check in ip_vs_dr_xmit_v6()
      was missing a check for skb_is_gso().
      
      This bug e.g. caused issues for KVM IPVS setups, where different
      Segmentation Offloading techniques are utilized, between guests,
      via the virtio driver.  This resulted in very bad performance,
      due to the ICMPv6 "too big" messages didn't affect the sender.
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  14. 16 Aug, 2012 1 commit
  15. 10 Aug, 2012 5 commits
    • ipvs: add pmtu_disc option to disable IP DF for TUN packets · 3654e611
      Julian Anastasov authored
      
      
      	Disabling PMTU discovery can increase the output packet
      rate but some users have enough resources and prefer to fragment
      than to drop traffic. By default, we copy the DF bit but if
      pmtu_disc is disabled we do not send FRAG_NEEDED messages anymore.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: implement passive PMTUD for IPIP packets · f2edb9f7
      Julian Anastasov authored
      
      
      	IPVS is missing the logic to update PMTU in routing
      for its IPIP packets. We monitor the dst_mtu and can return
      FRAG_NEEDED messages but if the tunneled packets get ICMP
      error we can not rely on other traffic to save the lowest
      MTU.
      
      	The following patch adds ICMP handling for IPIP
      packets in incoming direction, from some remote host to
      our local IP used as saddr in the outer header. By this
      way we can forward any related ICMP traffic if it is for IPVS
      TUN connection. For the special case of PMTUD we update the
      routing and if client requested DF we can forward the
      error.
      
      	To properly update the routing we have to bind
      the cached route (dest->dst_cache) to the selected saddr
      because ipv4_update_pmtu uses saddr for dst lookup.
      Add IP_VS_RT_MODE_CONNECT flag to force such binding with
      second route.
      
      	Update ip_vs_tunnel_xmit to provide IP_VS_RT_MODE_CONNECT
      and change the code to copy DF. For now we prefer not to
      force PMTU discovery (outer DF=1) because we don't have
      configuration option to enable or disable PMTUD. As we
      do not keep any packets to resend, we prefer not to
      play games with packets without DF bit because the sender
      is not informed when they are rejected.
      
      	Also, change ops->update_pmtu to be called only
      for local clients because there is no point to update
      MTU for input routes, in our case skb->dst->dev is lo.
      It seems the code is copied from ipip.c where the skb
      dst points to tunnel device.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: fixed sparse warning · 2b2d2808
      Claudiu Ghioc authored
      
      
      Removed the following sparse warnings, whether CONFIG_SYSCTL
      is defined or not:
      *       warning: symbol 'ip_vs_control_net_init_sysctl' was not
      	declared. Should it be static?
      *       warning: symbol 'ip_vs_control_net_cleanup_sysctl' was
      	not declared. Should it be static?
      Signed-off-by: Claudiu Ghioc <claudiu.ghioc@gmail.com>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: generalize app registration in netns · be97fdb5
      Julian Anastasov authored
      
      
      	Get rid of the ftp_app pointer and allow applications
      to be registered without adding fields in the netns_ipvs structure.
      
      v2: fix coding style as suggested by Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper · aaea4ed7
      Julian Anastasov authored
      
      
      	The FTP application indirectly depends on the
      nf_conntrack_ftp helper for proper NAT support. If the
      module is not loaded, IPVS can resize the packets for the
      command connection, eg. PASV response but the SEQ adjustment
      logic in ipv4_confirm is not called without helper.
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  16. 17 Jul, 2012 2 commits
  17. 25 Jun, 2012 1 commit
  18. 07 Jun, 2012 1 commit
  19. 04 Jun, 2012 1 commit
  20. 08 May, 2012 4 commits