Netdev List
* Re: [PATCH 1/3] at91sam9263: add at91_can device to generic device definition
From: Andrew Victor @ 2009-09-21 21:23 UTC (permalink / raw)
  To: Marc Kleine-Budde; +Cc: netdev, Socketcan-core, Hans J. Koch, linux-arm-kernel
In-Reply-To: <1253094405-3216-2-git-send-email-mkl@pengutronix.de>

hi Marc,

> This patch adds the device definition for the at91_can device to
> the generic device definition file for the at91sam9263.
>
> Signed-off-by: Hans J. Koch <hjk@linutronix.de>
> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

Acked-by: Andrew Victor <linux@maxim.org.za>

^ permalink raw reply

* Re: [PATCH 02/13] TProxy: add lookup type checks for UDP in nf_tproxy_get_sock_v4()
From: Jan Engelhardt @ 2009-09-21 21:20 UTC (permalink / raw)
  To: Balazs Scheidler; +Cc: netfilter-devel, netdev
In-Reply-To: <1253548005.12519.2.camel@bzorp.balabit>


On Saturday 2009-08-15 14:01, Balazs Scheidler wrote:

>+	case IPPROTO_UDP:
>+		sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
>+				     in->ifindex);

You might want to add IPPROTO_UDPLITE in all places.



* Re: [net-2.6 PATCH 2/6] net: remove kfree_skb on a NULL pointer in af_netlink.c
From: David Miller @ 2009-09-21 20:54 UTC (permalink / raw)
  To: john.r.fastabend; +Cc: jeffrey.t.kirsher, netdev, gospo, linux-scsi
In-Reply-To: <4AB76BD3.80802@intel.com>

From: John Fastabend <john.r.fastabend@intel.com>
Date: Mon, 21 Sep 2009 12:04:35 +0000

>>   
> OK, but this depends on the unlikely() macro in kfree_skb() to catch a
> case that is the expected non-error case. Would it be better to wrap
> the kfree_skb() in an if statement to avoid hitting the unlikely()
> macro?  Or is the performance hit from the unlikely() macro so small
> this is not an issue?  Thanks for looking at these.
> 

Expands too much code inline, that's why we don't do it that
way.


* Re: fanotify as syscalls
From: Jamie Lokier @ 2009-09-21 20:28 UTC (permalink / raw)
  To: Andreas Gruenbacher
  Cc: Eric Paris, Linus Torvalds, Evgeniy Polyakov, David Miller,
	linux-kernel, linux-fsdevel, netdev, viro, alan, hch
In-Reply-To: <200909212204.51077.agruen@suse.de>

Andreas Gruenbacher wrote:
> On Saturday, 19 September 2009 5:04:31 Eric Paris wrote:
> > Let me start by saying I am agreeing I should pursue subtree
> > notification.  It's what I think everyone really wants.  It's a great
> > idea, and I think you might have a simple way to get close.  Clearly
> > these are avenues I'm willing and hoping to pursue.  Also I say it
> > again, I believe the interface as proposed (except maybe some of my
> > exclusion stuff) is flexible enough to implement any of these ideas.
> > Does anyone disagree?
> 
> It does seem flexible enough. However, the current interface assumes "global" 
> listeners (the mask argument of fanotify_init):
> 
>   int fanotify_init(int flags, int f_flags, __u64 mask,
> 		    unsigned int priority);
> 
> Once subtree support is added, this parameter becomes obsolete. That's pretty 
> broken for a syscall yet to be introduced.
> 
> > BUT to solve one of the main problems fanotify is intending to solve it
> > needs a way to be the 'fscking all notifier.'  It needs to be the whole
> > damn system.
> 
> Think of a system after boot, with a single global namespace. Whatever you 
> access by filename is reachable from the namespace root. At this point, 
> nothing more global exists. A listener can watch the mount points of 
> interest, and everything's fine.
> 
> What's a bit more tricky is to ensure that this listener will continue to 
> receive all events from whatever else is mounted anywhere, irrespective of 
> namespaces. I think we can get there.

I think so too, and that'd be a great all round solution.

We _have_ to receive mount & umount events to do this.  But even
inotify-style tracking needs those if it's to be accurate, so it's not
an additional burden.

It would be logical if fanotify could block and ack those in the same
way as it can block and ack other accesses (with the usual filtering
rules on which inodes trigger events, and which don't or are cached).

As in to prevent: mount --bind innocent .bash_login, but also to
ensure it always knows what's mounted when another event occurs.

> By the way, Documentation/filesystems/sharedsubtree.txt describes how 
> filesystem namespaces work.

Fortunately, after making a new namespace you can read the mounts in
the new namespace from /proc/self/mount* (I think) without having to
know anything about the shared subtree rules.

So to follow monitoring/checking across all namespaces, it would (I
think) be enough to receive a fanotify "new namespace" event, and Ack
that event to allow the CLONE_NS to proceed.  It's still tricky stuff
though.

-- Jamie


* Re: [AX25] kernel panic
From: Jarek Poplawski @ 2009-09-21 20:11 UTC (permalink / raw)
  To: Bernard Pidoux; +Cc: Ralf Baechle DL5RB, Linux Netdev List, linux-hams

References: <20090910142436.GB10547@linux-mips.org> <4AA9288B.2070205@upmc.fr>
 <20090911120557.GA12175@linux-mips.org> <4AB5EAE5.6070605@upmc.fr>
 <20090920210242.GA9804@del.dom.local> <4AB73CDE.4030709@upmc.fr>
In-Reply-To: <4AB73CDE.4030709@upmc.fr>

Bernard Pidoux wrote, On 09/21/2009 10:44 AM:

> Hi Jarek,
> 
> Good fishing !
> 
> During the night I caught the following two identical AX25_DBG
> messages with netconsole, sending the already reported message:
> kernel BUG at kernel/timer.c:913!
> followed by kernel panics and the machine rebooting.
> 
> 
> Sep 21 03:24:06 f6bvp-11 klogd: ------------[ cut here ]------------
> Sep 21 03:24:06 f6bvp-11 klogd: WARNING: at include/net/ax25.h:260
> ax25_kiss_rcv+0x650/0xab0 [ax25]()

Thanks for testing. Alas I don't get how it's possible at this place
(unless I miss the place), especially with a nosmp kernel. So here is
take 2 (to apply after reverting the previous one).

Regards,
Jarek P.
--- (debugging patch, take 2)

 include/net/ax25.h |   36 ++++++++++++++++++++++++++++++++++++
 net/ax25/af_ax25.c |   12 ++++++++++++
 2 files changed, 48 insertions(+), 0 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index 717e219..7fefbb0 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -252,9 +252,45 @@ typedef struct ax25_cb {
 #define ax25_cb_hold(__ax25) \
 	atomic_inc(&((__ax25)->refcount))
 
+static __inline__ int ax25_timers_warn(ax25_cb *ax25)
+{
+	int err = 0;
+
+	if (del_timer(&ax25->timer)) {
+		WARN_ON_ONCE(1);
+		err = 1;
+	}
+	if (del_timer(&ax25->t1timer)) {
+		WARN_ON_ONCE(1);
+		err += 2;
+	}
+	if (del_timer(&ax25->t2timer)) {
+		WARN_ON_ONCE(1);
+		err += 4;
+	}
+	if (del_timer(&ax25->t3timer)) {
+		WARN_ON_ONCE(1);
+		err += 8;
+	}
+	if (del_timer(&ax25->idletimer)) {
+		WARN_ON_ONCE(1);
+		err += 16;
+	}
+	if (del_timer(&ax25->dtimer)) {
+		WARN_ON_ONCE(1);
+		err += 32;
+	}
+	if (err)
+		printk(KERN_WARNING "AX25_DBG: %d %p %u %s %d\n", err, ax25,
+		       ax25->state, __func__, __LINE__);
+
+	return err;
+}
+
 static __inline__ void ax25_cb_put(ax25_cb *ax25)
 {
 	if (atomic_dec_and_test(&ax25->refcount)) {
+		ax25_timers_warn(ax25);
 		kfree(ax25->digipeat);
 		kfree(ax25);
 	}
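Review bot: the printk in ax25_timers_warn() reports `__func__` and `__LINE__`, but because the function is a static inline defined in the header both always expand to `ax25_timers_warn` and the header's own line number, so the message cannot distinguish the ax25_cb_put() call site from the ax25_free_sock() one added in the next hunk. Pass a caller tag in (e.g. `ax25_timers_warn(ax25_cb *ax25, const char *who)` and print `who`) or print `__builtin_return_address(0)`. Also keep in mind that del_timer() returns non-zero only for a timer that is still pending; a callback that is already executing returns 0, so `err == 0` here does not prove that no timer code still references the ax25_cb being freed.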
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index da0f64f..f1f515c 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -58,6 +58,9 @@ static const struct proto_ops ax25_proto_ops;
 
 static void ax25_free_sock(struct sock *sk)
 {
+	if (ax25_timers_warn(ax25_sk(sk)))
+		printk(KERN_WARNING "AX25_DBG: %p %u %u %u\n", sk,
+		       sk->sk_family, sk->sk_type, sk->sk_protocol);
 	ax25_cb_put(ax25_sk(sk));
 }
 
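Review bot: ax25_timers_warn() runs here and then again from ax25_cb_put() on the same cb when the refcount reaches zero; the second pass can never report anything for this path because the first pass already deleted the timers. Harmless for a debugging patch, but it means the "AX25_DBG" line printed from ax25_cb_put() only ever covers cbs released from somewhere other than ax25_free_sock(), which is worth remembering when reading the logs.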
@@ -222,6 +225,8 @@ ax25_cb *ax25_find_cb(ax25_address *src_addr, ax25_address *dest_addr,
 		if (s->ax25_dev == NULL)
 			continue;
 		if (ax25cmp(&s->source_addr, src_addr) == 0 && ax25cmp(&s->dest_addr, dest_addr) == 0 && s->ax25_dev->dev == dev) {
+			int ref;
+
 			if (digi != NULL && digi->ndigi != 0) {
 				if (s->digipeat == NULL)
 					continue;
@@ -231,6 +236,13 @@ ax25_cb *ax25_find_cb(ax25_address *src_addr, ax25_address *dest_addr,
 				if (s->digipeat != NULL && s->digipeat->ndigi != 0)
 					continue;
 			}
+			ref = atomic_read(&s->refcount);
+			if (ref < 2) {
+				WARN_ON_ONCE(1);
+				printk(KERN_WARNING "AX25_DBG: %d %p %d %s\n",
+				       ref, s, s->state, __func__);
+			}
+
 			ax25_cb_hold(s);
 			spin_unlock_bh(&ax25_list_lock);
 
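Review bot: `atomic_read(&s->refcount)` is an unsynchronised snapshot, so a `ref < 2` hit shows the count was low at that instant but not which path dropped it; fine as a tripwire, but the printk should say so. Minor: `s->state` is printed with `%d` here while the same field is printed with `%u` in ax25_timers_warn(); use one specifier for both.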



* Re: fanotify as syscalls
From: Andreas Gruenbacher @ 2009-09-21 20:04 UTC (permalink / raw)
  To: Eric Paris
  Cc: Jamie Lokier, Linus Torvalds, Evgeniy Polyakov, David Miller,
	linux-kernel, linux-fsdevel, netdev, viro, alan, hch
In-Reply-To: <1253329471.2630.30.camel@dhcp231-106.rdu.redhat.com>

On Saturday, 19 September 2009 5:04:31 Eric Paris wrote:
> Let me start by saying I am agreeing I should pursue subtree
> notification.  It's what I think everyone really wants.  It's a great
> idea, and I think you might have a simple way to get close.  Clearly
> these are avenues I'm willing and hoping to pursue.  Also I say it
> again, I believe the interface as proposed (except maybe some of my
> exclusion stuff) is flexible enough to implement any of these ideas.
> Does anyone disagree?

It does seem flexible enough. However, the current interface assumes "global" 
listeners (the mask argument of fanotify_init):

  int fanotify_init(int flags, int f_flags, __u64 mask,
		    unsigned int priority);

Once subtree support is added, this parameter becomes obsolete. That's pretty 
broken for a syscall yet to be introduced.

> BUT to solve one of the main problems fanotify is intending to solve it
> needs a way to be the 'fscking all notifier.'  It needs to be the whole
> damn system.

Think of a system after boot, with a single global namespace. Whatever you 
access by filename is reachable from the namespace root. At this point, 
nothing more global exists. A listener can watch the mount points of 
interest, and everything's fine.

What's a bit more tricky is to ensure that this listener will continue to 
receive all events from whatever else is mounted anywhere, irrespective of 
namespaces. I think we can get there.

By the way, Documentation/filesystems/sharedsubtree.txt describes how 
filesystem namespaces work.

Thanks,
Andreas


* [PATCH] bcm63xx_enet: timeout off by one in do_mdio_op()
From: Roel Kluin @ 2009-09-21 20:08 UTC (permalink / raw)
  To: mbizon, netdev, Andrew Morton

`while (limit-- >= 0)' reaches -2 after the loop upon timeout.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Small chance to occur, probably.

diff --git a/drivers/net/bcm63xx_enet.c b/drivers/net/bcm63xx_enet.c
index 09d2709..ba29dc3 100644
--- a/drivers/net/bcm63xx_enet.c
+++ b/drivers/net/bcm63xx_enet.c
@@ -90,7 +90,7 @@ static int do_mdio_op(struct bcm_enet_priv *priv, unsigned int data)
 		if (enet_readl(priv, ENET_IR_REG) & ENET_IR_MII)
 			break;
 		udelay(1);
-	} while (limit-- >= 0);
+	} while (limit-- > 0);
 
 	return (limit < 0) ? 1 : 0;
 }
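Review bot: with `limit-- >= 0` the body runs once more after `limit` has reached 0 (with `limit == -1`), and if ENET_IR_MII happens to be set on that extra pass the `break` leaves `limit == -1`, so `return (limit < 0) ? 1 : 0;` reports a timeout for an operation that actually completed. With `limit-- > 0` the last pass runs with `limit == 0`, a successful `break` returns 0, and only a genuine timeout reaches `-1`. The changelog only mentions the `-2`; the misreported success is the more interesting consequence and is worth stating there.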

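The loop semantics are easy to get wrong by reading, so here is a small user-space model of the do_mdio_op() polling loop, added here and not part of the patch or the driver. The ENET_IR_MII register read is replaced by a constructed fake that reports "done" on a chosen poll number, and the initial `limit` (3 here) is a constructed value since the hunk does not show the driver's own. Both the pre-patch and post-patch loop conditions are run side by side so the final `limit`, the number of polls and the reported result can be compared.

```c
#include <stdio.h>

/* Constructed stand-in for the ENET_IR_MII status bit: it reports "done"
 * on the ready_at-th poll (1-based); ready_at == 0 means it never does. */
struct fake_mii {
	int ready_at;	/* poll number on which the fake reports done */
	int polls;	/* how many times the status was read */
};

static int fake_mii_done(struct fake_mii *m)
{
	m->polls++;
	return m->ready_at != 0 && m->polls >= m->ready_at;
}

struct poll_result {
	int timeout;		/* what do_mdio_op() would return */
	int final_limit;	/* value of limit after the loop */
	int polls;		/* status reads performed */
	int completed;		/* did the fake ever report done? */
};

/* The loop as it was before the patch: `while (limit-- >= 0)`. */
struct poll_result run_old(int limit, int ready_at)
{
	struct fake_mii m = { ready_at, 0 };
	struct poll_result r;

	do {
		if (fake_mii_done(&m))
			break;
		/* udelay(1) omitted from the model */
	} while (limit-- >= 0);

	r.timeout = (limit < 0) ? 1 : 0;
	r.final_limit = limit;
	r.polls = m.polls;
	r.completed = ready_at != 0 && m.polls >= ready_at;
	return r;
}

/* The loop as patched: `while (limit-- > 0)`. */
struct poll_result run_new(int limit, int ready_at)
{
	struct fake_mii m = { ready_at, 0 };
	struct poll_result r;

	do {
		if (fake_mii_done(&m))
			break;
	} while (limit-- > 0);

	r.timeout = (limit < 0) ? 1 : 0;
	r.final_limit = limit;
	r.polls = m.polls;
	r.completed = ready_at != 0 && m.polls >= ready_at;
	return r;
}

int main(void)
{
	struct poll_result o = run_old(3, 0), n = run_new(3, 0);

	printf("never ready, limit 3: old -> limit %d after %d polls, "
	       "new -> limit %d after %d polls\n",
	       o.final_limit, o.polls, n.final_limit, n.polls);

	/* The case the fix quietly repairs: the device answers on the
	 * extra pass that only the old loop performs, and the old loop
	 * still reports a timeout. */
	o = run_old(3, 5);
	printf("old, ready on poll 5: completed=%d but timeout=%d\n",
	       o.completed, o.timeout);
	return 0;
}
```

Run it and the first line shows the old loop ending at `-2` after five polls versus `-1` after four for the new one; the second line shows the old loop returning a timeout for a poll that actually completed.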

* Re: [net-2.6 PATCH 2/6] net: remove kfree_skb on a NULL pointer in af_netlink.c
From: John Fastabend @ 2009-09-21 12:04 UTC (permalink / raw)
  To: David Miller
  Cc: Kirsher, Jeffrey T, netdev@vger.kernel.org, gospo@redhat.com,
	linux-scsi@vger.kernel.org
In-Reply-To: <20090917.182445.240085155.davem@davemloft.net>

David Miller wrote:
> From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
> Date: Thu, 17 Sep 2009 17:57:29 -0700
>
>   
>> From: John Fastabend <john.r.fastabend@intel.com>
>>
>> This removes a kfree_skb that is being called on a NULL pointer when
>> do_one_broadcast() is successful.  And moves the kfree_skb into
>> do_one_broadcast() for the error case.
>>
>> Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
>> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
>>     
>
> kfree_skb() on a NULL pointer is completely legal.
>   
OK, but this depends on the unlikely() macro in kfree_skb() to catch a 
case that is the expected non-error case. Would it be better to wrap the 
kfree_skb() in an if statement to avoid hitting the unlikely() macro?  
Or is the performance hit from the unlikely() macro so small this is not 
an issue?  Thanks for looking at these.

john.



* Re: "cfg80211: fix SME connect" breaks iwl3945
From: Christian Lamparter @ 2009-09-21 19:14 UTC (permalink / raw)
  To: Jens Axboe; +Cc: Linux Kernel, johannes, netdev
In-Reply-To: <20090921190150.GC23126@kernel.dk>

On Monday 21 September 2009 21:01:50 Jens Axboe wrote:
> Since the latest net pull that contains our above commit
> (bbac31f4c0339f6c51afbd0edfb4959df9b53fa9 in tree), my iwl3945 based x60
> laptop doesn't want to connect to my access point at all. Reverting this
> commit makes it work.
> 
> Let me know if you need more info.

Can you try "[PATCH] cfg80211: don't overwrite privacy setting" 
from [1]?

[1] http://marc.info/?l=linux-wireless&m=125323296617306&w=2

Regards,
	Chr


* Re: "cfg80211: fix SME connect" breaks iwl3945
From: Jens Axboe @ 2009-09-21 19:20 UTC (permalink / raw)
  To: Christian Lamparter; +Cc: Linux Kernel, johannes, netdev
In-Reply-To: <200909212114.06642.chunkeey@googlemail.com>

On Mon, Sep 21 2009, Christian Lamparter wrote:
> On Monday 21 September 2009 21:01:50 Jens Axboe wrote:
> > Since the latest net pull that contains our above commit
> > (bbac31f4c0339f6c51afbd0edfb4959df9b53fa9 in tree), my iwl3945 based x60
> > laptop doesn't want to connect to my access point at all. Reverting this
> > commit makes it work.
> > 
> > Let me know if you need more info.
> 
> Can you try "[PATCH] cfg80211: don't overwrite privacy setting" 
> from [1]?
> 
> [1] http://marc.info/?l=linux-wireless&m=125323296617306&w=2

Seems to bring the network back as well, it associates fine and gets a
dhcp address.

-- 
Jens Axboe


* "cfg80211: fix SME connect" breaks iwl3945
From: Jens Axboe @ 2009-09-21 19:01 UTC (permalink / raw)
  To: Linux Kernel; +Cc: johannes, netdev

Hi Johannes,

Since the latest net pull that contains our above commit
(bbac31f4c0339f6c51afbd0edfb4959df9b53fa9 in tree), my iwl3945 based x60
laptop doesn't want to connect to my access point at all. Reverting this
commit makes it work.

Let me know if you need more info.

-- 
Jens Axboe



* Re: [PANIC] pktgen panic on load
From: Simon Holm Thøgersen @ 2009-09-21 18:49 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Jesse Brandeburg, netdev
In-Reply-To: <20090921095451.5ce95767@s6510>

> > > > just got this today after cloning Linus' tree, please let me know if you
> > > > want .config or full dmesg
> > > 
> > > config would help (hrt, nohz, preempt, ...), and was it just on module load?
> > > or had you started it sending?
> > 
> > I have the similar trace below on a simple 'modprobe pktgen'. I've
> > attached my config for v2.6.31-6456-g78f28b7.

> 
> Could you do a git bisect, although pktgen changed recently, the changes were
> not related to the thread initialization, so I suspect something outside
> the scope of networking (ie scheduler, vm, etc)

Seems like this was fixed by commit 3f04e8c ("sched: Re-add lost
cpu_allowed check to sched_fair.c::select_task_rq_fair()") according to
Ingo [1]. Indeed, using Linus' current tree works for me.

[1] http://marc.info/?l=linux-netdev&m=125355156524237&w=2


Simon Holm Thøgersen



* Re: bugfix: wireless bug causing working setups to lose net connectivity
From: Oliver Hartkopp @ 2009-09-21 18:44 UTC (permalink / raw)
  To: Arkadiusz Miskiewicz; +Cc: Johannes Berg, netdev
In-Reply-To: <200909212035.50592.a.miskiewicz@gmail.com>

Arkadiusz Miskiewicz wrote:
> Could 
> http://marc.info/?l=linux-wireless&m=125323296617306&w=2
> be merged without waiting for separate wireless pull request?
> 
> Currently previously working setups are no longer able to connect to AP (in my 
> case WPA2PSK via wpasupplicant).
> 
> AFAIK there was some kind of policy where bugfixes that break basic 
> functionality are supposed to be merged fast to allow to actually use and test 
> git kernel.

For me it was

http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=bbac31f4c0339f6c51afbd0edfb4959df9b53fa9

as written here:

http://marc.info/?l=linux-netdev&m=125352781320953&w=2

Maybe you can try to revert this patch in your setup too, to check whether it
also solves your issue.

Regards,
Oliver



* bugfix: wireless bug causing working setups to lose net connectivity
From: Arkadiusz Miskiewicz @ 2009-09-21 18:35 UTC (permalink / raw)
  To: Johannes Berg; +Cc: netdev


Could 
http://marc.info/?l=linux-wireless&m=125323296617306&w=2
be merged without waiting for separate wireless pull request?

Currently previously working setups are no longer able to connect to AP (in my 
case WPA2PSK via wpasupplicant).

AFAIK there was some kind of policy where bugfixes that break basic 
functionality are supposed to be merged fast to allow to actually use and test 
git kernel.

Thanks,
-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/


* Re: [PATCH 13/13] TProxy: use the interface primary IP address as a default value for --on-ip
From: Brian Haley @ 2009-09-21 18:00 UTC (permalink / raw)
  To: Balazs Scheidler; +Cc: netfilter-devel, netdev
In-Reply-To: <1253548005.12519.13.camel@bzorp.balabit>

Balazs Scheidler wrote: 
>  #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
> +
> +static inline const struct in6_addr *
> +tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr, const struct in6_addr *daddr)
> +{
> +	struct inet6_dev *indev;
> +	struct inet6_ifaddr *ifa;
> +	struct in6_addr *laddr;
> +	
> +        if (!ipv6_addr_any(user_laddr))
> +                return user_laddr;
> +	
> +        laddr = NULL;
> +        rcu_read_lock();
> +        indev = __in6_dev_get(skb->dev);
> +        if (indev && (ifa = indev->addr_list)) {
> +		laddr = &ifa->addr;
> +	}
> +        rcu_read_unlock();
> +        
> +        return laddr ? laddr : daddr;
> +}
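Review bot: `laddr` is set to `&ifa->addr`, a pointer into an inet6_ifaddr reached under rcu_read_lock(), but it is returned after rcu_read_unlock(), so the caller may dereference an address entry that has since been freed; copy the address into caller-provided storage (or return it by value) before unlocking. The first entry of `indev->addr_list` is also taken with no regard to its scope or tentative state, so a link-local or not-yet-valid address can be chosen. Style: the `if (!ipv6_addr_any(user_laddr))`, `laddr = NULL;` and rcu lines are indented with spaces rather than tabs, and the assignment inside `if (indev && (ifa = indev->addr_list))` should be split out.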

You should call ipv6_dev_get_saddr() to get a source address based on the target
destination address.

-Brian


* Re: [PATCH 12/13] TProxy: added IPv6 support to the socket match
From: Brian Haley @ 2009-09-21 17:59 UTC (permalink / raw)
  To: Balazs Scheidler; +Cc: netfilter-devel, netdev
In-Reply-To: <1253548005.12519.12.camel@bzorp.balabit>

Balazs Scheidler wrote:
> +static bool
> +socket_mt6_v1(const struct sk_buff *skb, const struct xt_match_param *par)
> +{
> +	struct ipv6hdr *iph = ipv6_hdr(skb);
> +	struct udphdr _hdr, *hp = NULL;
> +	struct sock *sk;
> +	struct in6_addr *daddr, *saddr;
> +	__be16 dport, sport;
> +        int thoff;
> +	u8 tproto;
> +        const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
> +        
> +        tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
> +        if (tproto < 0) {
> +		pr_debug("socket match: Unable to find transport header in IPv6 packet, dropping\n");
> +		return NF_DROP;
> +        }
> +
> +	if (tproto == IPPROTO_UDP || tproto == IPPROTO_TCP) {
> +		hp = skb_header_pointer(skb, thoff,
> +					sizeof(_hdr), &_hdr);
> +		if (hp == NULL)
> +			return false;
> +
> +		saddr = &iph->saddr;
> +		sport = hp->source;
> +		daddr = &iph->daddr;
> +		dport = hp->dest;
> +
> +	} else if (tproto == IPPROTO_ICMP) {
> +		if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
> +					 &sport, &dport))
> +			return false;
> +	} else {
> +		return false;
> +	}
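Review bot: `tproto` is declared `u8`, so `if (tproto < 0)` can never be true and a negative error return from ipv6_find_hdr() is silently truncated into a protocol number; keep the return value in an `int`, check it, and only then assign the `u8`. The same branch returns `NF_DROP` from a function declared `bool`, where `false` is meant. `thoff` should be `unsigned int` to match the offset parameter of ipv6_find_hdr(). The ICMP branch tests `IPPROTO_ICMP` where an IPv6 packet carries `IPPROTO_ICMPV6`. Style: the `int thoff;`, `const struct xt_socket_mtinfo1 *info` and `tproto = ipv6_find_hdr(...)` lines are indented with spaces, and the `info` line exceeds 80 columns.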

Shouldn't this be IPPROTO_ICMPV6?

-Brian


* Re: SO_TIMESTAMPING fix and design decisions
From: John Ronciak @ 2009-09-21 17:59 UTC (permalink / raw)
  To: Christopher Zimmermann; +Cc: netdev
In-Reply-To: <20090920205047.0f2df70c@pundit>

On Sun, Sep 20, 2009 at 11:50 AM, Christopher Zimmermann
<madroach@zakweb.de> wrote:
> It will need to be modified. If you want to avoid this, one could keep
> the HWTSTAMP_FILTER_PTP_.... defines and just redefine them to reflect
> the new interface.
> Where can I find this ptpd userspace daemon, which supports hardware
> timestamps using the ioctl interface? ptpd.sourceforge.net doesn't.

You can find a version of the modified ptpd on the e1000 Sourceforge
site http://e1000.sf.net.  It has a version of the igb driver that
also supports this interface though it's a bit behind the regular igb
driver version.

I'm reviewing your comments that start this thread and should have some
comments soon.

-- 
Cheers,
John


* Re: [PANIC] pktgen panic on load
From: Stephen Hemminger @ 2009-09-21 16:54 UTC (permalink / raw)
  To: Simon Holm Thøgersen; +Cc: Jesse Brandeburg, netdev
In-Reply-To: <1253547857.2810.6.camel@odie>

On Mon, 21 Sep 2009 17:44:17 +0200
Simon Holm Thøgersen <odie@cs.aau.dk> wrote:

> søn, 20 09 2009 kl. 21:35 -0700, skrev Stephen Hemminger:
> > On Sun, 20 Sep 2009 15:45:47 -0700
> > Jesse Brandeburg <jesse.brandeburg@intel.com> wrote:
> > 
> > > just got this today after cloning Linus' tree, please let me know if you
> > > want .config or full dmesg
> > 
> > config would help (hrt, nohz, preempt, ...), and was it just on module load?
> > or had you started it sending?
> 
> I have the similar trace below on a simple 'modprobe pktgen'. I've
> attached my config for v2.6.31-6456-g78f28b7.
> 
> > [ 2302.386665] pktgen 2.72: Packet Generator for packet performance testing.
> > [ 2302.386783] ------------[ cut here ]------------
> > [ 2302.386790] kernel BUG at net/core/pktgen.c:3503!
> > [ 2302.386796] invalid opcode: 0000 [#1] SMP 
> > [ 2302.386803] last sysfs file: /sys/devices/pci0000:00/0000:00:1c.1/0000:02:00.0/ieee80211/phy0/rfkill1/state
> > [ 2302.386812] CPU 1 
> > [ 2302.386817] Modules linked in: pktgen(+) i915 drm i2c_algo_bit cfbcopyarea cfbimgblt cfbfillrect binfmt_misc ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack bnep ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc kvm_intel kvm tun snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_oss arc4 ecb snd_seq_midi_event snd_seq iwlagn snd_timer snd_seq_device iwlcore mac80211 uvcvideo snd video sdhci_pci soundcore snd_page_alloc cfg80211 ricoh_mmc videodev v4l1_compat v4l2_compat_ioctl32 intel_agp psmouse e1000e output sdhci led_class btusb
> > [ 2302.386920] Pid: 2897, comm: kpktgend_0 Not tainted 2.6.31-debug #8 HP EliteBook 6930p
> > [ 2302.386926] RIP: 0010:[<ffffffffa035483c>]  [<ffffffffa035483c>] pktgen_thread_worker+0x19ac/0x1a40 [pktgen]
> > [ 2302.386945] RSP: 0018:ffff880050755d30  EFLAGS: 00010297
> > [ 2302.386950] RAX: 0000000000000001 RBX: ffff880057ae18c0 RCX: ffff880057ae18c0
> > [ 2302.386956] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff88006637d400
> > [ 2302.386961] RBP: ffff880050755ee0 R08: ffff880050754000 R09: 0000000000000000
> > [ 2302.386967] R10: 0000000000000001 R11: 0000000000000400 R12: ffff88005ae61db0
> > [ 2302.386973] R13: ffff88006637d400 R14: ffffffffa0352e90 R15: ffff88006637d400
> > [ 2302.386980] FS:  0000000000000000(0000) GS:ffff880006080000(0000) knlGS:0000000000000000
> > [ 2302.386986] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
> > [ 2302.386991] CR2: 00007f861ee0e080 CR3: 0000000057a2a000 CR4: 00000000000026a0
> > [ 2302.386997] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [ 2302.387003] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > [ 2302.387010] Process kpktgend_0 (pid: 2897, threadinfo ffff880050754000, task ffff880057ae18c0)
> > [ 2302.387014] Stack:
> > [ 2302.387018]  0000000000000000 ffff880057ae18f8 ffff88000609bc58 ffff880057ae18f8
> > [ 2302.387027] <0> ffff880050755d80 ffffffff81043726 ffff88000609bc30 ffff880057ae18f8
> > [ 2302.387037] <0> 0000000000000001 ffff88000609bc30 ffff880050755db0 ffff88005ae1ca78
> > [ 2302.387048] Call Trace:
> > [ 2302.387064]  [<ffffffff81043726>] ? update_curr+0xe6/0x190
> > [ 2302.387073]  [<ffffffff8103586e>] ? update_stats_wait_end+0xae/0xf0
> > [ 2302.387084]  [<ffffffff81009e0d>] ? __switch_to+0xcd/0x320
> > [ 2302.387092]  [<ffffffff81040a13>] ? finish_task_switch+0x43/0xd0
> > [ 2302.387103]  [<ffffffff81444638>] ? thread_return+0x3e/0x6c6
> > [ 2302.387113]  [<ffffffff81066ed0>] ? autoremove_wake_function+0x0/0x40
> > [ 2302.387125]  [<ffffffffa0352e90>] ? pktgen_thread_worker+0x0/0x1a40 [pktgen]
> > [ 2302.387136]  [<ffffffffa0352e90>] ? pktgen_thread_worker+0x0/0x1a40 [pktgen]
> > [ 2302.387143]  [<ffffffff81066aa6>] kthread+0x96/0xb0
> > [ 2302.387151]  [<ffffffff8100c68a>] child_rip+0xa/0x20
> > [ 2302.387158]  [<ffffffff81066a10>] ? kthread+0x0/0xb0
> > [ 2302.387164]  [<ffffffff8100c680>] ? child_rip+0x0/0x20
> > [ 2302.387168] Code: 89 df 31 db e8 36 2d 00 e1 e9 0d f0 ff ff 90 89 da 48 8b b5 b0 fe ff ff 48 c7 c7 ce 5e 35 a0 31 c0 e8 86 f6 0e e1 e9 fa f5 ff ff <0f> 0b eb fe 49 8b 85 48 02 00 00 48 89 de 4c 89 ef ff 50 30 89 
> > [ 2302.387243] RIP  [<ffffffffa035483c>] pktgen_thread_worker+0x19ac/0x1a40 [pktgen]
> > [ 2302.387256]  RSP <ffff880050755d30>
> > [ 2302.387281] ---[ end trace 120a26c5c90348c4 ]---

Could you do a git bisect, although pktgen changed recently, the changes were
not related to the thread initialization, so I suspect something outside
the scope of networking (ie scheduler, vm, etc)


* Re: [crash] kernel BUG at net/core/pktgen.c:3503!
From: Ingo Molnar @ 2009-09-21 16:45 UTC (permalink / raw)
  To: David Miller
  Cc: gorcunov, torvalds, akpm, netdev, linux-kernel, Peter Zijlstra
In-Reply-To: <20090917174448.GA9548@elte.hu>


* Ingo Molnar <mingo@elte.hu> wrote:

> 
> * David Miller <davem@davemloft.net> wrote:
> 
> > From: Cyrill Gorcunov <gorcunov@gmail.com>
> > Date: Tue, 15 Sep 2009 22:51:12 +0400
> > 
> > > [Ingo Molnar - Tue, Sep 15, 2009 at 08:36:47PM +0200]
> > > | 
> > > | not sure which merge caused this, but i got this boot crash with latest 
> > > | -git:
> > > | 
> > > | calling  flow_cache_init+0x0/0x1b9 @ 1
> > > | initcall flow_cache_init+0x0/0x1b9 returned 0 after 64 usecs
> > > | calling  pg_init+0x0/0x37c @ 1
> > > | pktgen 2.72: Packet Generator for packet performance testing.
> > > | ------------[ cut here ]------------
> > > | kernel BUG at net/core/pktgen.c:3503!
> > > | invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> > > | last sysfs file: 
> > > | 
> > > 
> > > Hi Ingo,
> > > 
> > > just curious, will the following patch fix the problem?
> > > I've been fixing a problem with familiar symptoms on a
> > > system with a custom virtual cpu implementation so
> > > it may not help in mainline but anyway :)
> > 
> > Ingo, does Cyrill's patch help?
> 
> For now i've turned pktgen off in my tests. Will check it again once 
> things have calmed down somewhat.
> 
> Also, i just tried to reproduce the pktgen crash with latest -git and 
> the config i sent - no luck, so i cannot test Cyrill's patch either.
> 
> Btw., we are seeing some other preempt count and task related 
> weirdnesses as well in other code, maybe it's related. No good pattern 
> yet to act upon.
> 
> Anyway - please disregard this bugreport until i've investigated it 
> closer.

Update: i've further investigated it and this bug was caused by a 
scheduler bug introduced in this merge window, which got fixed in:

  3f04e8c: sched: Re-add lost cpu_allowed check to sched_fair.c::select_task_rq_fair()

This bug caused CPU affinities to not work in essence - breaking kthread 
per-cpu assumptions in net/core/pktgen.c.

I've confirmed this by re-enabling pktgen in my tests and the crash has 
not reappeared.

Thanks,

	Ingo


* Re: [RFC] Virtual Machine Device Queues(VMDq) support on KVM
From: Chris Wright @ 2009-09-21 16:27 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: Rusty Russell, virtualization, Xin, Xiaohui, kvm@vger.kernel.org,
	mst@redhat.com, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org, hpa@zytor.com,
	mingo@elte.hu, akpm@linux-foundation.org
In-Reply-To: <20090921092130.30984dbd@s6510>

* Stephen Hemminger (shemminger@vyatta.com) wrote:
> On Mon, 21 Sep 2009 16:37:22 +0930
> Rusty Russell <rusty@rustcorp.com.au> wrote:
> 
> > > > Actually this framework can apply to traditional network adapters which have
> > > > just one tx/rx queue pair. And applications using the same user/kernel interface
> > > > can utilize this framework to send/receive network traffic directly thru a tx/rx
> > > > queue pair in a network adapter.
> > > > 
> 
> More importantly, when virtualization is used with multi-queue NICs the virtio-net
> NIC is a single CPU bottleneck. The virtio-net NIC should preserve the parallelism (lock
> free) using multiple receive/transmit queues. The number of queues should equal the
> number of CPUs.

Yup, multiqueue virtio is on todo list ;-)

thanks,
-chris



* [PATCH 11/13] TProxy: added IPv6 support to the TPROXY target
From: Balazs Scheidler @ 2009-08-24 12:51 UTC (permalink / raw)
  To: netfilter-devel, netdev

This requires a new revision as the old target structure was
IPv4 specific.

Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
---
 include/linux/netfilter/xt_TPROXY.h |   15 ++-
 net/netfilter/xt_TPROXY.c           |  246 +++++++++++++++++++++++++++++------
 2 files changed, 216 insertions(+), 45 deletions(-)

diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 152e8f9..7b4e06d 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,14 +1,21 @@
-#ifndef _XT_TPROXY_H_target
-#define _XT_TPROXY_H_target
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
 
 /* TPROXY target is capable of marking the packet to perform
  * redirection. We can get rid of that whenever we get support for
  * mutliple targets in the same rule. */
-struct xt_tproxy_target_info {
+struct xt_tproxy_target_info_v0 {
 	u_int32_t mark_mask;
 	u_int32_t mark_value;
 	__be32 laddr;
 	__be16 lport;
 };
 
-#endif /* _XT_TPROXY_H_target */
+struct xt_tproxy_target_info_v1 {
+	u_int32_t mark_mask;
+	u_int32_t mark_value;
+	union nf_inet_addr laddr;
+	__be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
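Review bot: renaming `struct xt_tproxy_target_info` to `xt_tproxy_target_info_v0` changes a header under include/linux that userspace (iptables' libxt_TPROXY) compiles against, so any existing build using the old name breaks; keep the old struct name for revision 0 (or add `#define xt_tproxy_target_info xt_tproxy_target_info_v0`) and only introduce `_v1`. The `_v1` struct also uses `union nf_inet_addr`, but this hunk covers the whole top of the file and shows no `#include <linux/netfilter.h>`, so the header no longer stands on its own; add the include. The guard rename itself is fine.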
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 5592b72..4a345cd 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -19,52 +19,173 @@
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/xt_TPROXY.h>
 
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 #include <net/netfilter/nf_tproxy_core.h>
 
 static unsigned int
-tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
+tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport, u_int32_t mark_mask, u_int32_t mark_value)
 {
 	const struct iphdr *iph = ip_hdr(skb);
-	const struct xt_tproxy_target_info *tgi = par->targinfo;
-	struct tcphdr _hdr, *hp;
+	struct udphdr _hdr, *hp;
 	struct sock *sk;
 
 	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
-	if (hp == NULL)
+	if (hp == NULL) {
+		pr_debug("TPROXY: packet is too short to contain a transport header, dropping\n");
 		return NF_DROP;
+	}
 
+        /* check if there's an ongoing connection on the packet
+	 * addresses, this happens if the redirect already happened
+	 * and the current packet belongs to an already established
+	 * connection */
 	sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
 				   iph->saddr, iph->daddr,
 				   hp->source, hp->dest,
-				   par->in, NFT_LOOKUP_ESTABLISHED);
+				   skb->dev, NFT_LOOKUP_ESTABLISHED);
 
 	/* udp has no TCP_TIME_WAIT state, so we never enter here */
-	if (sk && sk->sk_state == TCP_TIME_WAIT &&
-	    hp->syn && !hp->rst && !hp->ack && !hp->fin) {
-		struct sock *sk2;
-
-		/* Hm.. we got a SYN to a TIME_WAIT socket, let's see if
-		 * there's a listener on the redirected port
-		 */
-		sk2 = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
-					   iph->saddr, tgi->laddr ? tgi->laddr : iph->daddr,
-					   hp->source, tgi->lport ? tgi->lport : hp->dest,
-					   par->in, NFT_LOOKUP_LISTENER);
-		if (sk2) {
+	if (sk && sk->sk_state == TCP_TIME_WAIT) {
+		struct tcphdr _hdr, *hp;
 
-			/* yeah, there's one, let's kill the TIME_WAIT
-			 * socket and redirect to the listener
+		hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
+		if (hp == NULL)
+			return NF_DROP;
+		
+		if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
+			struct sock *sk2;
+			
+			/* Hm.. we got a SYN to a TIME_WAIT socket, let's see if
+			 * there's a listener on the redirected port
 			 */
-			inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
-			inet_twsk_put(inet_twsk(sk));
-			sk = sk2;
+			sk2 = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
+						    iph->saddr, laddr ? laddr : iph->daddr,
+						    hp->source, lport ? lport : hp->dest,
+						    skb->dev, NFT_LOOKUP_LISTENER);
+			if (sk2) {
+				
+				/* yeah, there's one, let's kill the TIME_WAIT
+				 * socket and redirect to the listener
+				 */
+				inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
+				inet_twsk_put(inet_twsk(sk));
+				sk = sk2;
+			}
 		}
 	} else if (!sk) {
+		/* no there's no established connection, check if
+		 * there's a listener on the redirected addr/port */
 		sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
-					   iph->saddr, tgi->laddr ? tgi->laddr : iph->daddr,
+					   iph->saddr, laddr ? laddr : iph->daddr,
+					   hp->source, lport ? lport : hp->dest,
+					   skb->dev, NFT_LOOKUP_LISTENER);
+	}
+	/* NOTE: assign_sock consumes our sk reference */
+	if (sk && nf_tproxy_assign_sock(skb, sk)) {
+		/* This should be in a separate target, but we don't do multiple
+		   targets on the same rule yet */
+		skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
+
+		pr_debug("TPROXY: redirecting: proto %u %08x:%u -> %08x:%u, mark: %x\n",
+			 iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
+			 ntohl(laddr), ntohs(lport), skb->mark);
+		return NF_ACCEPT;
+	}
+
+	pr_debug("TPROXY: no socket, dropping: proto %u %08x:%u -> %08x:%u, mark: %x\n",
+		 iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
+		 ntohl(laddr), ntohs(lport), skb->mark);
+	return NF_DROP;
+}
+
+static unsigned int
+tproxy_tg4_v0(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	const struct xt_tproxy_target_info_v0 *tgi = par->targinfo;
+
+	return tproxy_tg4(skb, tgi->laddr, tgi->lport, tgi->mark_mask, tgi->mark_value);
+}
+
+static unsigned int
+tproxy_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
+
+	return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int
+tproxy_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	const struct ipv6hdr *iph = ipv6_hdr(skb);
+	const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
+	struct udphdr _hdr, *hp;
+	struct sock *sk;
+        int thoff;
+        int tproto;
+
+        tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
+        if (tproto < 0) {
+		pr_debug("TPROXY: Unable to find transport header in IPv6 packet, dropping\n");
+		return NF_DROP;
+        }
+
+	hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
+	if (hp == NULL) {
+		pr_debug("TPROXY: Unable to grab transport header contents in IPv6 packet, dropping\n");
+		return NF_DROP;
+	}
+
+        /* check if there's an ongoing connection on the packet
+	 * addresses, this happens if the redirect already happened
+	 * and the current packet belongs to an already established
+	 * connection */
+	sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
+				   &iph->saddr, &iph->daddr,
+				   hp->source, hp->dest,
+				   par->in, NFT_LOOKUP_ESTABLISHED);
+
+	/* udp has no TCP_TIME_WAIT state, so we never enter here */
+	if (sk && sk->sk_state == TCP_TIME_WAIT) {
+		struct tcphdr _hdr, *hp;
+
+		hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
+		if (hp == NULL) {
+			pr_debug("TPROXY: Unable to grab TCP transport header contents in IPv6 packet, dropping\n");
+			return NF_DROP;
+		}
+
+		if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
+			struct sock *sk2;
+			
+
+			/* Hm.. we got a SYN to a TIME_WAIT socket, let's see if
+			 * there's a listener on the redirected port
+			 */
+			sk2 = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
+						    &iph->saddr, !ipv6_addr_any(&tgi->laddr.in6) ? &tgi->laddr.in6 : &iph->daddr,
+						    hp->source, tgi->lport ? tgi->lport : hp->dest,
+						    par->in, NFT_LOOKUP_LISTENER);
+			if (sk2) {
+				
+				/* yeah, there's one, let's kill the TIME_WAIT
+				 * socket and redirect to the listener
+				 */
+				inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
+				inet_twsk_put(inet_twsk(sk));
+				sk = sk2;
+			}
+		}
+	} else if (!sk) {
+		/* no there's no established connection, check if
+		 * there's a listener on the redirected addr/port */
+		sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
+					   &iph->saddr, !ipv6_addr_any(&tgi->laddr.in6) ? &tgi->laddr.in6 : &iph->daddr,
 					   hp->source, tgi->lport ? tgi->lport : hp->dest,
 					   par->in, NFT_LOOKUP_LISTENER);
 	}
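Review bot: the early `return NF_DROP` added in the TIME_WAIT branch (the `if (hp == NULL)` after re-reading the TCP header, in both tproxy_tg4 and tproxy_tg6_v1) leaks the reference that nf_tproxy_get_sock_v4/v6 returned for `sk`; the comment below ("assign_sock consumes our sk reference") confirms that reference is held at this point, so release it first (nf_tproxy_put_sock(sk), as xt_socket does) or fall through to the common drop path. Smaller points: tproxy_tg4 now passes `skb->dev` to the socket lookups while tproxy_tg6_v1 still passes `par->in`, pick one; the inner `struct tcphdr _hdr, *hp` shadows the outer udphdr pair of the same name, which -Wshadow will flag; and the new blocks mix space indentation (the "check if there's an ongoing connection" comment, the `thoff`/`tproto` declarations and the ipv6_find_hdr check) with trailing whitespace on the blank lines inside the SYN branch.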
@@ -74,51 +195,93 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
 		   targets on the same rule yet */
 		skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
 
-		pr_debug("redirecting: proto %u %08x:%u -> %08x:%u, mark: %x\n",
-			 iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
-			 ntohl(tgi->laddr), ntohs(tgi->lport), skb->mark);
+		pr_debug("TPROXY: redirecting: proto %u %pI6:%u -> %pI6:%u, mark: %x\n",
+			 tproto, &iph->saddr, ntohs(hp->dest),
+			 &tgi->laddr.in6, ntohs(tgi->lport), skb->mark);
 		return NF_ACCEPT;
 	}
 
-	pr_debug("no socket, dropping: proto %u %08x:%u -> %08x:%u, mark: %x\n",
-		 iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
-		 ntohl(tgi->laddr), ntohs(tgi->lport), skb->mark);
+	pr_debug("TPROXY: no socket, dropping: proto %u %pI6:%u -> %pI6:%u, mark: %x\n",
+		 tproto, &iph->saddr, ntohs(hp->dest),
+		 &tgi->laddr.in6, ntohs(tgi->lport), skb->mark);
 	return NF_DROP;
 }
+#endif
+
 
-static bool tproxy_tg_check(const struct xt_tgchk_param *par)
+static bool tproxy_tg4_check(const struct xt_tgchk_param *par)
 {
 	const struct ipt_ip *i = par->entryinfo;
 
 	if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
 	    && !(i->invflags & IPT_INV_PROTO))
 		return true;
+	pr_info("xt_TPROXY: Can be used only in combination with "
+		"either -p tcp or -p udp\n");
+	return false;
+}
+
+static bool tproxy_tg6_check(const struct xt_tgchk_param *par)
+{
+	const struct ip6t_ip6 *i = par->entryinfo;
 
+	if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
+	    && !(i->flags & IP6T_INV_PROTO))
+		return true;
 	pr_info("xt_TPROXY: Can be used only in combination with "
 		"either -p tcp or -p udp\n");
 	return false;
 }
 
-static struct xt_target tproxy_tg_reg __read_mostly = {
-	.name		= "TPROXY",
-	.family		= AF_INET,
-	.table		= "mangle",
-	.target		= tproxy_tg,
-	.targetsize	= sizeof(struct xt_tproxy_target_info),
-	.checkentry	= tproxy_tg_check,
-	.hooks		= 1 << NF_INET_PRE_ROUTING,
-	.me		= THIS_MODULE,
+static struct xt_target tproxy_tg_reg[] __read_mostly = {
+	{
+		.name		= "TPROXY",
+		.family		= NFPROTO_IPV4,
+		.table		= "mangle",
+		.target		= tproxy_tg4_v0,
+		.revision       = 0,
+		.targetsize	= sizeof(struct xt_tproxy_target_info_v0),
+		.checkentry	= tproxy_tg4_check,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "TPROXY",
+		.family		= NFPROTO_IPV4,
+		.table		= "mangle",
+		.target		= tproxy_tg4_v1,
+		.revision       = 1,
+		.targetsize	= sizeof(struct xt_tproxy_target_info_v1),
+		.checkentry	= tproxy_tg4_check,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+	{
+		.name		= "TPROXY",
+		.family		= NFPROTO_IPV6,
+		.table		= "mangle",
+		.target		= tproxy_tg6_v1,
+		.revision       = 1,
+		.targetsize	= sizeof(struct xt_tproxy_target_info_v1),
+		.checkentry	= tproxy_tg6_check,
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+#endif
+
 };
 
 static int __init tproxy_tg_init(void)
 {
 	nf_defrag_ipv4_enable();
-	return xt_register_target(&tproxy_tg_reg);
+	nf_defrag_ipv6_enable();
+	return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 }
 
 static void __exit tproxy_tg_exit(void)
 {
-	xt_unregister_target(&tproxy_tg_reg);
+	xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 }
 
 module_init(tproxy_tg_init);
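Review bot: tproxy_tg6_check tests `i->flags & IP6T_INV_PROTO` whereas the IPv4 check tests `i->invflags & IPT_INV_PROTO`; for ip6tables the inversion bits also live in `invflags`, so as written a rule with an inverted protocol match passes the check, and it should read `!(i->invflags & IP6T_INV_PROTO)`. Also, tproxy_tg6_check and the `nf_defrag_ipv6_enable()` call in tproxy_tg_init sit outside the `#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)` guards that protect tproxy_tg6_v1 and its registration entry, so an IPv4-only build gets an unused-function warning and a call into defrag code it may not have; move both (and the `nf_defrag_ipv6.h` include) under the same guard. Minor: the blank line before the closing `};` of tproxy_tg_reg.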
@@ -127,3 +290,4 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Krisztian Kovacs");
 MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
 MODULE_ALIAS("ipt_TPROXY");
+MODULE_ALIAS("ip6t_TPROXY");
-- 
1.6.0.4



* [PATCH 12/13] TProxy: added IPv6 support to the socket match
From: Balazs Scheidler @ 2009-08-24 12:52 UTC (permalink / raw)
  To: netfilter-devel, netdev

The ICMP extraction bits were contributed by Harry Mason.

Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
---
 net/netfilter/xt_socket.c |  152 +++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 146 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 12a7140..b375532 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -14,6 +14,7 @@
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <net/icmp.h>
@@ -21,6 +22,7 @@
 #include <net/inet_sock.h>
 #include <net/netfilter/nf_tproxy_core.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 
 #include <linux/netfilter/xt_socket.h>
 
@@ -30,7 +32,7 @@
 #endif
 
 static int
-extract_icmp_fields(const struct sk_buff *skb,
+extract_icmp4_fields(const struct sk_buff *skb,
 		    u8 *protocol,
 		    __be32 *raddr,
 		    __be32 *laddr,
@@ -115,7 +117,7 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
 		dport = hp->dest;
 
 	} else if (iph->protocol == IPPROTO_ICMP) {
-		if (extract_icmp_fields(skb, &protocol, &saddr, &daddr,
+		if (extract_icmp4_fields(skb, &protocol, &saddr, &daddr,
 					&sport, &dport))
 			return false;
 	} else {
@@ -175,23 +177,148 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
 }
 
 static bool
-socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_mt4_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 	return socket_match(skb, par, NULL);
 }
 
 static bool
-socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_mt4_v1(const struct sk_buff *skb, const struct xt_match_param *par)
 {
 	return socket_match(skb, par, par->matchinfo);
 }
 
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+
+static int
+extract_icmp6_fields(const struct sk_buff *skb,
+		     unsigned int outside_hdrlen,
+		     u8 *protocol,
+		     struct in6_addr **raddr,
+		     struct in6_addr **laddr,
+		     __be16 *rport,
+		     __be16 *lport)
+{
+	struct ipv6hdr *inside_iph, _inside_iph;
+	struct icmp6hdr *icmph, _icmph;
+	__be16 *ports, _ports[2];
+	u8 inside_nexthdr;
+	int inside_hdrlen;
+
+	icmph = skb_header_pointer(skb, outside_hdrlen,
+				   sizeof(_icmph), &_icmph);
+	if (icmph == NULL)
+		return 1;
+
+	if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK)
+		return 1;
+
+	inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph);
+	if (inside_iph == NULL)
+		return 1;
+	inside_nexthdr = inside_iph->nexthdr;
+
+	inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), &inside_nexthdr);
+	if (inside_hdrlen < 0)
+		return 1; /* hjm: Packet has no/incomplete transport layer headers. */
+
+	if (inside_nexthdr != IPPROTO_TCP &&
+	    inside_nexthdr != IPPROTO_UDP)
+		return 1;
+
+	ports = skb_header_pointer(skb, inside_hdrlen,
+				   sizeof(_ports), &_ports);
+	if (ports == NULL)
+		return 1;
+
+	/* the inside IP packet is the one quoted from our side, thus
+	 * its saddr is the local address */
+	*protocol = inside_nexthdr;
+	*laddr = &inside_iph->saddr;
+	*lport = ports[0];
+	*raddr = &inside_iph->daddr;
+	*rport = ports[1];
+
+	return 0;
+}
+
+static bool
+socket_mt6_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	struct ipv6hdr *iph = ipv6_hdr(skb);
+	struct udphdr _hdr, *hp = NULL;
+	struct sock *sk;
+	struct in6_addr *daddr, *saddr;
+	__be16 dport, sport;
+        int thoff;
+	u8 tproto;
+        const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
+        
+        tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
+        if (tproto < 0) {
+		pr_debug("socket match: Unable to find transport header in IPv6 packet, dropping\n");
+		return NF_DROP;
+        }
+
+	if (tproto == IPPROTO_UDP || tproto == IPPROTO_TCP) {
+		hp = skb_header_pointer(skb, thoff,
+					sizeof(_hdr), &_hdr);
+		if (hp == NULL)
+			return false;
+
+		saddr = &iph->saddr;
+		sport = hp->source;
+		daddr = &iph->daddr;
+		dport = hp->dest;
+
+	} else if (tproto == IPPROTO_ICMP) {
+		if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
+					 &sport, &dport))
+			return false;
+	} else {
+		return false;
+	}
+
+	sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
+				   saddr, daddr, sport, dport, par->in, NFT_LOOKUP_ANY);
+	if (sk != NULL) {
+		bool wildcard;
+		bool transparent = true;
+
+		/* Ignore sockets listening on INADDR_ANY */
+		wildcard = (sk->sk_state != TCP_TIME_WAIT &&
+			    ipv6_addr_any(&inet6_sk(sk)->rcv_saddr));
+
+		/* Ignore non-transparent sockets,
+		   if XT_SOCKET_TRANSPARENT is used */
+		if (info && info->flags & XT_SOCKET_TRANSPARENT)
+			transparent = ((sk->sk_state != TCP_TIME_WAIT &&
+					inet_sk(sk)->transparent) ||
+				       (sk->sk_state == TCP_TIME_WAIT &&
+					inet_twsk(sk)->tw_transparent));
+
+		nf_tproxy_put_sock(sk);
+
+		if (wildcard || !transparent)
+			sk = NULL;
+	}
+
+	pr_debug("socket match: proto %u %pI6:%u -> %pI6:%u "
+		 "(orig %pI6:%u) sock %p\n",
+		 tproto, saddr, ntohs(sport),
+		 daddr, ntohs(dport),
+		 &iph->daddr, hp ? ntohs(hp->dest) : 0, sk);
+
+	return (sk != NULL);
+}
+#endif
+
 static struct xt_match socket_mt_reg[] __read_mostly = {
 	{
 		.name		= "socket",
 		.revision	= 0,
 		.family		= NFPROTO_IPV4,
-		.match		= socket_mt_v0,
+		.match		= socket_mt4_v0,
 		.hooks		= 1 << NF_INET_PRE_ROUTING,
 		.me		= THIS_MODULE,
 	},
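Review bot: in socket_mt6_v1 `tproto` is declared `u8`, so the `if (tproto < 0)` test after ipv6_find_hdr() can never be true and a packet with no reachable transport header continues with a wrapped-around protocol value; declare it `int` as tproxy_tg6_v1 does and hand extract_icmp6_fields a separate u8. In the same error path `return NF_DROP` is used in a function returning bool; it happens to evaluate as false, but it should be `return false`. The ICMP branch compares against `IPPROTO_ICMP`, the IPv4 protocol number; for an IPv6 packet this must be `IPPROTO_ICMPV6`, otherwise ICMPv6 errors never reach extract_icmp6_fields. Style: space-indented declarations at the top of socket_mt6_v1, trailing whitespace on the blank line after `info`, and the `(struct xt_socket_mtinfo1 *)` cast on `par->matchinfo` only strips const and can go.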
@@ -199,16 +326,28 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
 		.name		= "socket",
 		.revision	= 1,
 		.family		= NFPROTO_IPV4,
-		.match		= socket_mt_v1,
+		.match		= socket_mt4_v1,
+		.matchsize	= sizeof(struct xt_socket_mtinfo1),
+		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.me		= THIS_MODULE,
+	},
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+	{
+		.name		= "socket",
+		.revision	= 1,
+		.family		= NFPROTO_IPV6,
+		.match		= socket_mt6_v1,
 		.matchsize	= sizeof(struct xt_socket_mtinfo1),
 		.hooks		= 1 << NF_INET_PRE_ROUTING,
 		.me		= THIS_MODULE,
 	},
+#endif
 };
 
 static int __init socket_mt_init(void)
 {
 	nf_defrag_ipv4_enable();
+	nf_defrag_ipv6_enable();
 	return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
 }
 
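Review bot: `nf_defrag_ipv6_enable()` in socket_mt_init is called unconditionally, but the IPv6 match entry it serves is under `#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)`; on a kernel without IPv6 this references a defrag symbol that may not be built, so guard the call (and the `nf_defrag_ipv6.h` include) the same way as the registration entry.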
@@ -224,3 +363,4 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler");
 MODULE_DESCRIPTION("x_tables socket match module");
 MODULE_ALIAS("ipt_socket");
+MODULE_ALIAS("ip6t_socket");
-- 
1.6.0.4



* [PATCH 2/2] TProxy: added IPv6 support to the TPROXY target
From: Balazs Scheidler @ 2009-08-28  5:58 UTC (permalink / raw)
  To: netfilter-devel, netdev

---
 extensions/libxt_TPROXY.c           |  213 +++++++++++++++++++++++++++++------
 include/linux/netfilter/xt_TPROXY.h |   15 ++-
 2 files changed, 187 insertions(+), 41 deletions(-)

diff --git a/extensions/libxt_TPROXY.c b/extensions/libxt_TPROXY.c
index d410c52..72edd4f 100644
--- a/extensions/libxt_TPROXY.c
+++ b/extensions/libxt_TPROXY.c
@@ -1,7 +1,7 @@
 /*
  * Shared library add-on to iptables to add TPROXY target support.
  *
- * Copyright (C) 2002-2008 BalaBit IT Ltd.
+ * Copyright (C) 2002-2009 BalaBit IT Ltd.
  */
 #include <getopt.h>
 #include <stdbool.h>
@@ -36,65 +36,114 @@ static void tproxy_tg_help(void)
 "  --tproxy-mark value[/mask]	    Mark packets with the given value/mask\n\n");
 }
 
-static void parse_tproxy_lport(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_lport(const char *s, unsigned short *lport)
 {
-	unsigned int lport;
+	unsigned int value;
 
-	if (xtables_strtoui(s, NULL, &lport, 0, UINT16_MAX))
-		info->lport = htons(lport);
+	if (xtables_strtoui(s, NULL, &value, 0, UINT16_MAX))
+		*lport = htons(value);
 	else
 		xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-port", s);
 }
 
-static void parse_tproxy_laddr(const char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_laddr_v0(const char *s, __be32 *laddr)
 {
-	struct in_addr *laddr;
+	struct in_addr *ina;
 
-	if ((laddr = xtables_numeric_to_ipaddr(s)) == NULL)
+	if ((ina = xtables_numeric_to_ipaddr(s)) == NULL)
 		xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
 
-	info->laddr = laddr->s_addr;
+	*laddr = ina->s_addr;
 }
 
-static void parse_tproxy_mark(char *s, struct xt_tproxy_target_info *info)
+static void parse_tproxy_laddr(const char *s, int family, union nf_inet_addr *laddr)
+{
+
+	if (family == NFPROTO_IPV6) {
+		struct in6_addr *addr6;
+
+		if ((addr6 = xtables_numeric_to_ip6addr(s))) {
+			laddr->in6 = *addr6;
+		} else {
+			xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
+		}
+	} else {
+		struct in_addr *addr;
+
+		if ((addr = xtables_numeric_to_ipaddr(s))) {
+			laddr->in = *addr;
+		} else {
+			xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--on-ip", s);
+		}
+
+	}
+}
+
+static void parse_tproxy_mark(char *s, unsigned int *value, unsigned int *mask)
 {
-	unsigned int value, mask = UINT32_MAX;
 	char *end;
 
-	if (!xtables_strtoui(s, &end, &value, 0, UINT32_MAX))
+	*mask = UINT32_MAX;
+	if (!xtables_strtoui(s, &end, value, 0, UINT32_MAX))
 		xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
 	if (*end == '/')
-		if (!xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
+		if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX))
 			xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
 	if (*end != '\0')
 		xtables_param_act(XTF_BAD_VALUE, "TPROXY", "--tproxy-mark", s);
+}
+
+static int tproxy_tg_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+			const void *entry, struct xt_entry_target **target)
+{
+	struct xt_tproxy_target_info_v0 *tproxyinfo = (void *)(*target)->data;
+
+	switch (c) {
+	case '1':
+		xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
+		xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
+		parse_tproxy_lport(optarg, &tproxyinfo->lport);
+		*flags |= PARAM_ONPORT;
+		return 1;
+	case '2':
+		xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
+		xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
+		parse_tproxy_laddr_v0(optarg, &tproxyinfo->laddr);
+		*flags |= PARAM_ONIP;
+		return 1;
+	case '3':
+		xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
+		xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
+		parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask);
+		*flags |= PARAM_MARK;
+		return 1;
+	}
 
-	info->mark_mask = mask;
-	info->mark_value = value;
+	return 0;
 }
 
-static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+static int tproxy_tg_parse_v1(int family, int c, char **argv, int invert, unsigned int *flags,
 			const void *entry, struct xt_entry_target **target)
 {
-	struct xt_tproxy_target_info *tproxyinfo = (void *)(*target)->data;
+	struct xt_tproxy_target_info_v1 *tproxyinfo = (void *)(*target)->data;
 
 	switch (c) {
 	case '1':
 		xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-port", *flags & PARAM_ONPORT);
 		xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-port", invert);
-		parse_tproxy_lport(optarg, tproxyinfo);
+		parse_tproxy_lport(optarg, &tproxyinfo->lport);
 		*flags |= PARAM_ONPORT;
 		return 1;
 	case '2':
 		xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--on-ip", *flags & PARAM_ONIP);
 		xtables_param_act(XTF_NO_INVERT, "TPROXY", "--on-ip", invert);
-		parse_tproxy_laddr(optarg, tproxyinfo);
+		parse_tproxy_laddr(optarg, family, &tproxyinfo->laddr);
 		*flags |= PARAM_ONIP;
 		return 1;
 	case '3':
 		xtables_param_act(XTF_ONLY_ONCE, "TPROXY", "--tproxy-mark", *flags & PARAM_MARK);
 		xtables_param_act(XTF_NO_INVERT, "TPROXY", "--tproxy-mark", invert);
-		parse_tproxy_mark(optarg, tproxyinfo);
+		parse_tproxy_mark(optarg, &tproxyinfo->mark_value, &tproxyinfo->mark_mask);
 		*flags |= PARAM_MARK;
 		return 1;
 	}
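Review bot: tproxy_tg_parse_v0 and tproxy_tg_parse_v1 now carry an identical three-case switch that differs only in which address parser is called; factoring the option handling into one helper that takes the family and the field pointers would keep a future option from having to be added twice. Also parse_tproxy_mark now writes through `unsigned int *` while the target fields are `u_int32_t`; the types coincide on the platforms iptables builds on, but declaring the parameters `u_int32_t *` avoids a pointer-type warning with stricter compilers. The empty line after the opening brace of parse_tproxy_laddr and the one before its closing brace can go.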
@@ -102,6 +151,18 @@ static int tproxy_tg_parse(int c, char **argv, int invert, unsigned int *flags,
 	return 0;
 }
 
+static int tproxy_tg_parse4_v1(int c, char **argv, int invert, unsigned int *flags,
+			const void *entry, struct xt_entry_target **target)
+{
+	return tproxy_tg_parse_v1(NFPROTO_IPV4, c, argv, invert, flags, entry, target);
+}
+
+static int tproxy_tg_parse6_v1(int c, char **argv, int invert, unsigned int *flags,
+			const void *entry, struct xt_entry_target **target)
+{
+	return tproxy_tg_parse_v1(NFPROTO_IPV6, c, argv, invert, flags, entry, target);
+}
+
 static void tproxy_tg_check(unsigned int flags)
 {
 	if (!(flags & PARAM_ONPORT))
@@ -109,19 +170,43 @@ static void tproxy_tg_check(unsigned int flags)
 			   "TPROXY target: Parameter --on-port is required");
 }
 
-static void tproxy_tg_print(const void *ip, const struct xt_entry_target *target,
+static void tproxy_tg_print_v0(const void *ip, const struct xt_entry_target *target,
 			 int numeric)
 {
-	const struct xt_tproxy_target_info *info = (const void *)target->data;
+	const struct xt_tproxy_target_info_v0 *info = (const void *)target->data;
 	printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
 	       xtables_ipaddr_to_numeric((const struct in_addr *)&info->laddr),
 	       ntohs(info->lport), (unsigned int)info->mark_value,
 	       (unsigned int)info->mark_mask);
 }
 
-static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
+static void tproxy_tg_print_v1(int family, const void *ip, const struct xt_entry_target *target,
+			 int numeric)
 {
-	const struct xt_tproxy_target_info *info = (const void *)target->data;
+	const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;
+	printf("TPROXY redirect %s:%u mark 0x%x/0x%x",
+	       family == AF_INET 
+	       ? xtables_ipaddr_to_numeric(&info->laddr.in) 
+	       : xtables_ip6addr_to_numeric(&info->laddr.in6),
+	       ntohs(info->lport), (unsigned int)info->mark_value,
+	       (unsigned int)info->mark_mask);
+}
+
+static void tproxy_tg_print4_v1(const void *ip, const struct xt_entry_target *target,
+			       int numeric)
+{
+	return tproxy_tg_print_v1(NFPROTO_IPV4, ip, target, numeric);
+}
+
+static void tproxy_tg_print6_v1(const void *ip, const struct xt_entry_target *target,
+			       int numeric)
+{
+	return tproxy_tg_print_v1(NFPROTO_IPV6, ip, target, numeric);
+}
+
+static void tproxy_tg_save_v0(const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tproxy_target_info_v0 *info = (const void *)target->data;
 
 	printf("--on-port %u ", ntohs(info->lport));
 	printf("--on-ip %s ",
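Review bot: tproxy_tg_print4_v1 and tproxy_tg_print6_v1 use `return tproxy_tg_print_v1(...)` in functions declared void; ISO C does not allow a return with an expression in a void function (gcc warns under -pedantic), so call the function and fall off the end instead. In tproxy_tg_print_v1 the family test uses `AF_INET` while the callers pass `NFPROTO_IPV4`; the values coincide, but comparing against NFPROTO_IPV4 keeps the parse/print/save paths consistent. The two lines of the conditional expression carry trailing whitespace.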
@@ -130,21 +215,75 @@ static void tproxy_tg_save(const void *ip, const struct xt_entry_target *target)
 	       (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
 }
 
-static struct xtables_target tproxy_tg_reg = {
-	.name	       = "TPROXY",
-	.family	       = NFPROTO_IPV4,
-	.version       = XTABLES_VERSION,
-	.size	       = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-	.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info)),
-	.help	       = tproxy_tg_help,
-	.parse	       = tproxy_tg_parse,
-	.final_check   = tproxy_tg_check,
-	.print	       = tproxy_tg_print,
-	.save	       = tproxy_tg_save,
-	.extra_opts    = tproxy_tg_opts,
+static void tproxy_tg_save_v1(int family, const void *ip, const struct xt_entry_target *target)
+{
+	const struct xt_tproxy_target_info_v1 *info = (const void *)target->data;
+
+	printf("--on-port %u ", ntohs(info->lport));
+	printf("--on-ip %s ",
+	       family == AF_INET 
+	       ? xtables_ipaddr_to_numeric(&info->laddr.in) 
+	       : xtables_ip6addr_to_numeric(&info->laddr.in6));
+	printf("--tproxy-mark 0x%x/0x%x ",
+	       (unsigned int)info->mark_value, (unsigned int)info->mark_mask);
+}
+
+static void tproxy_tg_save4_v1(const void *ip, const struct xt_entry_target *target)
+{
+	return tproxy_tg_save_v1(NFPROTO_IPV4, ip, target);
+}
+
+static void tproxy_tg_save6_v1(const void *ip, const struct xt_entry_target *target)
+{
+	return tproxy_tg_save_v1(NFPROTO_IPV6, ip, target);
+}
+
+
+static struct xtables_target tproxy_tg_reg[] = {
+	{
+		.name	       = "TPROXY",
+		.family	       = NFPROTO_IPV4,
+		.version       = XTABLES_VERSION,
+		.size	       = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v0)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v0)),
+		.help	       = tproxy_tg_help,
+		.parse	       = tproxy_tg_parse_v0,
+		.final_check   = tproxy_tg_check,
+		.print	       = tproxy_tg_print_v0,
+		.save	       = tproxy_tg_save_v0,
+		.extra_opts    = tproxy_tg_opts,
+	},
+	{
+		.name	       = "TPROXY",
+		.family	       = NFPROTO_IPV4,
+		.version       = XTABLES_VERSION,
+		.revision      = 1,
+		.size	       = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+		.help	       = tproxy_tg_help,
+		.parse	       = tproxy_tg_parse4_v1,
+		.final_check   = tproxy_tg_check,
+		.print	       = tproxy_tg_print4_v1,
+		.save	       = tproxy_tg_save4_v1,
+		.extra_opts    = tproxy_tg_opts,
+	},
+	{
+		.name	       = "TPROXY",
+		.family	       = NFPROTO_IPV6,
+		.version       = XTABLES_VERSION,
+		.revision      = 1,
+		.size	       = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+		.userspacesize = XT_ALIGN(sizeof(struct xt_tproxy_target_info_v1)),
+		.help	       = tproxy_tg_help,
+		.parse	       = tproxy_tg_parse6_v1,
+		.final_check   = tproxy_tg_check,
+		.print	       = tproxy_tg_print6_v1,
+		.save	       = tproxy_tg_save6_v1,
+		.extra_opts    = tproxy_tg_opts,
+	},
 };
 
 void _init(void)
 {
-	xtables_register_target(&tproxy_tg_reg);
+	xtables_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 }
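Review bot: tproxy_tg_save_v1 compares `family == AF_INET` while tproxy_tg_save4_v1/tproxy_tg_save6_v1 pass NFPROTO_IPV4/NFPROTO_IPV6; use NFPROTO_IPV4 here so the save path reads the same as the parse path. The two wrappers also `return` a void expression from a void function, which is not valid ISO C; drop the `return`. Style: trailing whitespace on the two lines of the `family == AF_INET ? ... : ...` expression, two blank lines before the tproxy_tg_reg array, and the v0 entry relies on `.revision` defaulting to 0 where an explicit `.revision = 0` next to the `= 1` entries would make the three registrations easier to read.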
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 152e8f9..7b4e06d 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,14 +1,21 @@
-#ifndef _XT_TPROXY_H_target
-#define _XT_TPROXY_H_target
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
 
 /* TPROXY target is capable of marking the packet to perform
  * redirection. We can get rid of that whenever we get support for
  * mutliple targets in the same rule. */
-struct xt_tproxy_target_info {
+struct xt_tproxy_target_info_v0 {
 	u_int32_t mark_mask;
 	u_int32_t mark_value;
 	__be32 laddr;
 	__be16 lport;
 };
 
-#endif /* _XT_TPROXY_H_target */
+struct xt_tproxy_target_info_v1 {
+	u_int32_t mark_mask;
+	u_int32_t mark_value;
+	union nf_inet_addr laddr;
+	__be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
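Review bot: the new `union nf_inet_addr laddr` member makes this header depend on `<linux/netfilter.h>`, and `u_int32_t`/`__be32`/`__be16` depend on `<linux/types.h>`, but the file includes nothing (the hunk shows it from the guard to the `#endif`), so it only compiles when the includer has already pulled those in; add the includes under the guard. The "mutliple" typo in the comment above the structs is worth fixing in the same patch.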
-- 
1.6.0.4



* [PATCH 09/13] TProxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is enabled
From: Balazs Scheidler @ 2009-08-24 12:48 UTC (permalink / raw)
  To: netfilter-devel, netdev

Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>
---
 net/ipv6/af_inet6.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index caa0278..5fa0f44 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -338,7 +338,7 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 			 */
 			v4addr = LOOPBACK4_IPV6;
 			if (!(addr_type & IPV6_ADDR_MULTICAST))	{
-				if (!ipv6_chk_addr(net, &addr->sin6_addr,
+				if (!inet->transparent && !ipv6_chk_addr(net, &addr->sin6_addr,
 						   dev, 0)) {
 					if (dev)
 						dev_put(dev);
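Review bot: the commit message is empty apart from the subject; it should state how `inet->transparent` gets set on an AF_INET6 socket (the IP_TRANSPARENT socket option, which requires CAP_NET_ADMIN), because that privilege check is what keeps this relaxation of the local-address test from being a bind-to-anything for unprivileged sockets. Style: the changed `if` line now exceeds 80 columns and the `dev, 0))` continuation below it no longer aligns with the opening parenthesis; splitting the condition across two lines fixes both.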
-- 
1.6.0.4



* [PATCH 0/2] TProxy IPv6 support, 2nd round, iptables portion
From: Balazs Scheidler @ 2009-09-21 15:43 UTC (permalink / raw)
  To: netfilter-devel, netdev

This series accompanies the TProxy IPv6 2nd round patches and adds userspace
support for the TPROXY target and the socket match.

Since the last post, I've fixed the xt_socket.h header file which contained
an obsolete struct declaration for the xt_socket matchinfo, but this is not
incompatible with the previous patch, thus you don't need to recompile
iptables if you already have the old binaries.

Balazs Scheidler (2):
  TProxy: added IPv6 support for socket match
  TProxy: added IPv6 support to the TPROXY target

 extensions/libxt_TPROXY.c           |  213 +++++++++++++++++++++++++++++------
 extensions/libxt_socket.c           |  103 ++++++++++++++++--
 extensions/libxt_socket.man         |    6 +-
 include/linux/netfilter/xt_TPROXY.h |   15 ++-
 include/linux/netfilter/xt_socket.h |   12 ++
 5 files changed, 299 insertions(+), 50 deletions(-)
 create mode 100644 include/linux/netfilter/xt_socket.h



