* [net-next-2.6 PATCH] ixgbe: use netif_<level> instead of netdev_<level>
From: Jeff Kirsher @ 2010-07-02 6:05 UTC (permalink / raw)
To: davem; +Cc: netdev, gospo, bphilips, Joe Perches, Emil Tantilov, Jeff Kirsher
From: Emil Tantilov <emil.s.tantilov@intel.com>
This patch restores the ability to set msglvl through ethtool.
The issue was introduced by:
commit 849c45423c0c108e08d67644728cc9b0ed225fa1
CC: Joe Perches <joe@perches.com>
Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
drivers/net/ixgbe/ixgbe_82599.c | 2 -
drivers/net/ixgbe/ixgbe_common.h | 19 ++++-----
drivers/net/ixgbe/ixgbe_dcb_nl.c | 2 -
drivers/net/ixgbe/ixgbe_ethtool.c | 40 ++++++++++---------
drivers/net/ixgbe/ixgbe_fcoe.c | 26 ++++++------
drivers/net/ixgbe/ixgbe_main.c | 79 +++++++++++++++++++------------------
drivers/net/ixgbe/ixgbe_sriov.c | 7 ++-
7 files changed, 89 insertions(+), 86 deletions(-)
diff --git a/drivers/net/ixgbe/ixgbe_82599.c b/drivers/net/ixgbe/ixgbe_82599.c
index 0ee175a..3e06a61 100644
--- a/drivers/net/ixgbe/ixgbe_82599.c
+++ b/drivers/net/ixgbe/ixgbe_82599.c
@@ -715,7 +715,7 @@ static s32 ixgbe_setup_mac_link_smartspeed(struct ixgbe_hw *hw,
out:
if (link_up && (link_speed == IXGBE_LINK_SPEED_1GB_FULL))
- e_info("Smartspeed has downgraded the link speed from "
+ e_info(hw, "Smartspeed has downgraded the link speed from "
"the maximum advertised\n");
return status;
}
diff --git a/drivers/net/ixgbe/ixgbe_common.h b/drivers/net/ixgbe/ixgbe_common.h
index d5d3aae..5cf15aa 100644
--- a/drivers/net/ixgbe/ixgbe_common.h
+++ b/drivers/net/ixgbe/ixgbe_common.h
@@ -108,16 +108,6 @@ s32 ixgbe_blink_led_stop_generic(struct ixgbe_hw *hw, u32 index);
extern struct net_device *ixgbe_get_hw_dev(struct ixgbe_hw *hw);
#define hw_dbg(hw, format, arg...) \
netdev_dbg(ixgbe_get_hw_dev(hw), format, ##arg)
-#define e_err(format, arg...) \
- netdev_err(adapter->netdev, format, ## arg)
-#define e_info(format, arg...) \
- netdev_info(adapter->netdev, format, ## arg)
-#define e_warn(format, arg...) \
- netdev_warn(adapter->netdev, format, ## arg)
-#define e_notice(format, arg...) \
- netdev_notice(adapter->netdev, format, ## arg)
-#define e_crit(format, arg...) \
- netdev_crit(adapter->netdev, format, ## arg)
#define e_dev_info(format, arg...) \
dev_info(&adapter->pdev->dev, format, ## arg)
#define e_dev_warn(format, arg...) \
@@ -126,5 +116,12 @@ extern struct net_device *ixgbe_get_hw_dev(struct ixgbe_hw *hw);
dev_err(&adapter->pdev->dev, format, ## arg)
#define e_dev_notice(format, arg...) \
dev_notice(&adapter->pdev->dev, format, ## arg)
-
+#define e_info(msglvl, format, arg...) \
+ netif_info(adapter, msglvl, adapter->netdev, format, ## arg)
+#define e_err(msglvl, format, arg...) \
+ netif_err(adapter, msglvl, adapter->netdev, format, ## arg)
+#define e_warn(msglvl, format, arg...) \
+ netif_warn(adapter, msglvl, adapter->netdev, format, ## arg)
+#define e_crit(msglvl, format, arg...) \
+ netif_crit(adapter, msglvl, adapter->netdev, format, ## arg)
#endif /* IXGBE_COMMON */
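Review bot: The replacement macros added before `#endif` have no `e_notice` counterpart, although the first hunk of this file removes the old `e_notice` definition; any remaining caller would stop compiling, and the call sites shown in this patch do not reveal whether one exists. If that level is still wanted, add `#define e_notice(msglvl, format, arg...) netif_notice(adapter, msglvl, adapter->netdev, format, ## arg)`. The macros also expand to a bare `adapter`, so they only work where a local `struct ixgbe_adapter *adapter` is in scope. A one-line comment above them, such as `/* e_*() need a local 'adapter' and a message class name (drv, probe, hw, ...) */`, would make that requirement visible.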
diff --git a/drivers/net/ixgbe/ixgbe_dcb_nl.c b/drivers/net/ixgbe/ixgbe_dcb_nl.c
index 6576235..b53b465 100644
--- a/drivers/net/ixgbe/ixgbe_dcb_nl.c
+++ b/drivers/net/ixgbe/ixgbe_dcb_nl.c
@@ -121,7 +121,7 @@ static u8 ixgbe_dcbnl_set_state(struct net_device *netdev, u8 state)
goto out;
if (!(adapter->flags & IXGBE_FLAG_MSIX_ENABLED)) {
- e_err("Enable failed, needs MSI-X\n");
+ e_err(drv, "Enable failed, needs MSI-X\n");
err = 1;
goto out;
}
diff --git a/drivers/net/ixgbe/ixgbe_ethtool.c b/drivers/net/ixgbe/ixgbe_ethtool.c
index 5275e9c..b35ef36 100644
--- a/drivers/net/ixgbe/ixgbe_ethtool.c
+++ b/drivers/net/ixgbe/ixgbe_ethtool.c
@@ -301,7 +301,7 @@ static int ixgbe_set_settings(struct net_device *netdev,
hw->mac.autotry_restart = true;
err = hw->mac.ops.setup_link(hw, advertised, true, true);
if (err) {
- e_info("setup link failed with code %d\n", err);
+ e_info(probe, "setup link failed with code %d\n", err);
hw->mac.ops.setup_link(hw, old, true, true);
}
} else {
@@ -1194,8 +1194,8 @@ static struct ixgbe_reg_test reg_test_82598[] = {
writel((_test[pat] & W), (adapter->hw.hw_addr + R)); \
val = readl(adapter->hw.hw_addr + R); \
if (val != (_test[pat] & W & M)) { \
- e_err("pattern test reg %04X failed: got " \
- "0x%08X expected 0x%08X\n", \
+ e_err(drv, "pattern test reg %04X failed: got " \
+ "0x%08X expected 0x%08X\n", \
R, val, (_test[pat] & W & M)); \
*data = R; \
writel(before, adapter->hw.hw_addr + R); \
@@ -1212,8 +1212,8 @@ static struct ixgbe_reg_test reg_test_82598[] = {
writel((W & M), (adapter->hw.hw_addr + R)); \
val = readl(adapter->hw.hw_addr + R); \
if ((W & M) != (val & M)) { \
- e_err("set/check reg %04X test failed: got 0x%08X " \
- "expected 0x%08X\n", R, (val & M), (W & M)); \
+ e_err(drv, "set/check reg %04X test failed: got 0x%08X " \
+ "expected 0x%08X\n", R, (val & M), (W & M)); \
*data = R; \
writel(before, (adapter->hw.hw_addr + R)); \
return 1; \
@@ -1246,8 +1246,8 @@ static int ixgbe_reg_test(struct ixgbe_adapter *adapter, u64 *data)
IXGBE_WRITE_REG(&adapter->hw, IXGBE_STATUS, toggle);
after = IXGBE_READ_REG(&adapter->hw, IXGBE_STATUS) & toggle;
if (value != after) {
- e_err("failed STATUS register test got: 0x%08X expected: "
- "0x%08X\n", after, value);
+ e_err(drv, "failed STATUS register test got: 0x%08X "
+ "expected: 0x%08X\n", after, value);
*data = 1;
return 1;
}
@@ -1347,8 +1347,8 @@ static int ixgbe_intr_test(struct ixgbe_adapter *adapter, u64 *data)
*data = 1;
return -1;
}
- e_info("testing %s interrupt\n", shared_int ?
- "shared" : "unshared");
+ e_info(hw, "testing %s interrupt\n", shared_int ?
+ "shared" : "unshared");
/* Disable all the interrupts */
IXGBE_WRITE_REG(&adapter->hw, IXGBE_EIMC, 0xFFFFFFFF);
@@ -1853,7 +1853,7 @@ static void ixgbe_diag_test(struct net_device *netdev,
if (eth_test->flags == ETH_TEST_FL_OFFLINE) {
/* Offline tests */
- e_info("offline testing starting\n");
+ e_info(hw, "offline testing starting\n");
/* Link test performed before hardware reset so autoneg doesn't
* interfere with test result */
@@ -1886,17 +1886,17 @@ static void ixgbe_diag_test(struct net_device *netdev,
else
ixgbe_reset(adapter);
- e_info("register testing starting\n");
+ e_info(hw, "register testing starting\n");
if (ixgbe_reg_test(adapter, &data[0]))
eth_test->flags |= ETH_TEST_FL_FAILED;
ixgbe_reset(adapter);
- e_info("eeprom testing starting\n");
+ e_info(hw, "eeprom testing starting\n");
if (ixgbe_eeprom_test(adapter, &data[1]))
eth_test->flags |= ETH_TEST_FL_FAILED;
ixgbe_reset(adapter);
- e_info("interrupt testing starting\n");
+ e_info(hw, "interrupt testing starting\n");
if (ixgbe_intr_test(adapter, &data[2]))
eth_test->flags |= ETH_TEST_FL_FAILED;
@@ -1904,13 +1904,14 @@ static void ixgbe_diag_test(struct net_device *netdev,
* loopback diagnostic. */
if (adapter->flags & (IXGBE_FLAG_SRIOV_ENABLED |
IXGBE_FLAG_VMDQ_ENABLED)) {
- e_info("Skip MAC loopback diagnostic in VT mode\n");
+ e_info(hw, "Skip MAC loopback diagnostic in VT "
+ "mode\n");
data[3] = 0;
goto skip_loopback;
}
ixgbe_reset(adapter);
- e_info("loopback testing starting\n");
+ e_info(hw, "loopback testing starting\n");
if (ixgbe_loopback_test(adapter, &data[3]))
eth_test->flags |= ETH_TEST_FL_FAILED;
@@ -1921,7 +1922,7 @@ skip_loopback:
if (if_running)
dev_open(netdev);
} else {
- e_info("online testing starting\n");
+ e_info(hw, "online testing starting\n");
/* Online tests */
if (ixgbe_link_test(adapter, &data[4]))
eth_test->flags |= ETH_TEST_FL_FAILED;
@@ -2139,7 +2140,8 @@ static int ixgbe_set_coalesce(struct net_device *netdev,
adapter->flags2 &= ~IXGBE_FLAG2_RSC_ENABLED;
if (netdev->features & NETIF_F_LRO) {
netdev->features &= ~NETIF_F_LRO;
- e_info("rx-usecs set to 0, disabling RSC\n");
+ e_info(probe, "rx-usecs set to 0, "
+ "disabling RSC\n");
}
need_reset = true;
}
@@ -2239,8 +2241,8 @@ static int ixgbe_set_flags(struct net_device *netdev, u32 data)
} else if (!adapter->rx_itr_setting) {
netdev->features &= ~NETIF_F_LRO;
if (data & ETH_FLAG_LRO)
- e_info("rx-usecs set to 0, "
- "LRO/RSC cannot be enabled.\n");
+ e_info(probe, "rx-usecs set to 0, "
+ "LRO/RSC cannot be enabled.\n");
}
}
diff --git a/drivers/net/ixgbe/ixgbe_fcoe.c b/drivers/net/ixgbe/ixgbe_fcoe.c
index 84e1194..f6ef4cd 100644
--- a/drivers/net/ixgbe/ixgbe_fcoe.c
+++ b/drivers/net/ixgbe/ixgbe_fcoe.c
@@ -164,20 +164,20 @@ int ixgbe_fcoe_ddp_get(struct net_device *netdev, u16 xid,
adapter = netdev_priv(netdev);
if (xid >= IXGBE_FCOE_DDP_MAX) {
- e_warn("xid=0x%x out-of-range\n", xid);
+ e_warn(drv, "xid=0x%x out-of-range\n", xid);
return 0;
}
fcoe = &adapter->fcoe;
if (!fcoe->pool) {
- e_warn("xid=0x%x no ddp pool for fcoe\n", xid);
+ e_warn(drv, "xid=0x%x no ddp pool for fcoe\n", xid);
return 0;
}
ddp = &fcoe->ddp[xid];
if (ddp->sgl) {
- e_err("xid 0x%x w/ non-null sgl=%p nents=%d\n",
- xid, ddp->sgl, ddp->sgc);
+ e_err(drv, "xid 0x%x w/ non-null sgl=%p nents=%d\n",
+ xid, ddp->sgl, ddp->sgc);
return 0;
}
ixgbe_fcoe_clear_ddp(ddp);
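Review bot: The `non-null sgl` error still formats `ddp->sgl` with `%p`, which writes a kernel address into a log that, depending on system configuration, may be readable by unprivileged users. The xid and `ddp->sgc` already identify the stale context, so the pointer can be dropped: `e_err(drv, "xid 0x%x w/ non-null sgl, nents=%d\n", xid, ddp->sgc);`. ixgbe_fcoe_ddp_get begins and continues outside the hunk.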
@@ -185,14 +185,14 @@ int ixgbe_fcoe_ddp_get(struct net_device *netdev, u16 xid,
/* setup dma from scsi command sgl */
dmacount = pci_map_sg(adapter->pdev, sgl, sgc, DMA_FROM_DEVICE);
if (dmacount == 0) {
- e_err("xid 0x%x DMA map error\n", xid);
+ e_err(drv, "xid 0x%x DMA map error\n", xid);
return 0;
}
/* alloc the udl from our ddp pool */
ddp->udl = pci_pool_alloc(fcoe->pool, GFP_KERNEL, &ddp->udp);
if (!ddp->udl) {
- e_err("failed allocated ddp context\n");
+ e_err(drv, "failed allocated ddp context\n");
goto out_noddp_unmap;
}
ddp->sgl = sgl;
@@ -205,7 +205,7 @@ int ixgbe_fcoe_ddp_get(struct net_device *netdev, u16 xid,
while (len) {
/* max number of buffers allowed in one DDP context */
if (j >= IXGBE_BUFFCNT_MAX) {
- e_err("xid=%x:%d,%d,%d:addr=%llx "
+ e_err(drv, "xid=%x:%d,%d,%d:addr=%llx "
"not enough descriptors\n",
xid, i, j, dmacount, (u64)addr);
goto out_noddp_free;
@@ -385,7 +385,7 @@ int ixgbe_fso(struct ixgbe_adapter *adapter,
struct fc_frame_header *fh;
if (skb_is_gso(skb) && (skb_shinfo(skb)->gso_type != SKB_GSO_FCOE)) {
- e_err("Wrong gso type %d:expecting SKB_GSO_FCOE\n",
+ e_err(drv, "Wrong gso type %d:expecting SKB_GSO_FCOE\n",
skb_shinfo(skb)->gso_type);
return -EINVAL;
}
@@ -412,7 +412,7 @@ int ixgbe_fso(struct ixgbe_adapter *adapter,
fcoe_sof_eof |= IXGBE_ADVTXD_FCOEF_SOF;
break;
default:
- e_warn("unknown sof = 0x%x\n", sof);
+ e_warn(drv, "unknown sof = 0x%x\n", sof);
return -EINVAL;
}
@@ -439,7 +439,7 @@ int ixgbe_fso(struct ixgbe_adapter *adapter,
fcoe_sof_eof |= IXGBE_ADVTXD_FCOEF_EOF_A;
break;
default:
- e_warn("unknown eof = 0x%x\n", eof);
+ e_warn(drv, "unknown eof = 0x%x\n", eof);
return -EINVAL;
}
@@ -515,7 +515,7 @@ void ixgbe_configure_fcoe(struct ixgbe_adapter *adapter)
adapter->pdev, IXGBE_FCPTR_MAX,
IXGBE_FCPTR_ALIGN, PAGE_SIZE);
if (!fcoe->pool)
- e_err("failed to allocated FCoE DDP pool\n");
+ e_err(drv, "failed to allocated FCoE DDP pool\n");
spin_lock_init(&fcoe->lock);
}
@@ -611,7 +611,7 @@ int ixgbe_fcoe_enable(struct net_device *netdev)
if (adapter->flags & IXGBE_FLAG_FCOE_ENABLED)
goto out_enable;
- e_info("Enabling FCoE offload features.\n");
+ e_info(drv, "Enabling FCoE offload features.\n");
if (netif_running(netdev))
netdev->netdev_ops->ndo_stop(netdev);
@@ -657,7 +657,7 @@ int ixgbe_fcoe_disable(struct net_device *netdev)
if (!(adapter->flags & IXGBE_FLAG_FCOE_ENABLED))
goto out_disable;
- e_info("Disabling FCoE offload features.\n");
+ e_info(drv, "Disabling FCoE offload features.\n");
if (netif_running(netdev))
netdev->netdev_ops->ndo_stop(netdev);
diff --git a/drivers/net/ixgbe/ixgbe_main.c b/drivers/net/ixgbe/ixgbe_main.c
index dd46345..8c7617b 100644
--- a/drivers/net/ixgbe/ixgbe_main.c
+++ b/drivers/net/ixgbe/ixgbe_main.c
@@ -696,7 +696,7 @@ static inline bool ixgbe_check_tx_hang(struct ixgbe_adapter *adapter,
/* detected Tx unit hang */
union ixgbe_adv_tx_desc *tx_desc;
tx_desc = IXGBE_TX_DESC_ADV(*tx_ring, eop);
- e_err("Detected Tx Unit Hang\n"
+ e_err(drv, "Detected Tx Unit Hang\n"
" Tx Queue <%d>\n"
" TDH, TDT <%x>, <%x>\n"
" next_to_use <%x>\n"
@@ -812,8 +812,8 @@ static bool ixgbe_clean_tx_irq(struct ixgbe_q_vector *q_vector,
if (adapter->detect_tx_hung) {
if (ixgbe_check_tx_hang(adapter, tx_ring, i)) {
/* schedule immediate reset if we believe we hung */
- e_info("tx hang %d detected, resetting adapter\n",
- adapter->tx_timeout_count + 1);
+ e_info(probe, "tx hang %d detected, resetting "
+ "adapter\n", adapter->tx_timeout_count + 1);
ixgbe_tx_timeout(adapter->netdev);
}
}
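Review bot: The Tx-hang notice is tagged `probe`, yet ixgbe_clean_tx_irq is, going by its name, part of transmit completion rather than device probing; the same class is used for other run-time events in this file (the MTU change in ixgbe_change_mtu, the partial-checksum warning in ixgbe_tx_csum, the ixgbe_up failure in ixgbe_io_resume). An operator who turns off probe messages would therefore also lose hang and reset reporting. `tx_err` looks like the closer fit here: `e_info(tx_err, "tx hang %d detected, resetting adapter\n", adapter->tx_timeout_count + 1);`. The function starts and continues outside the hunk.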
@@ -1652,8 +1652,8 @@ static void ixgbe_check_overtemp_task(struct work_struct *work)
return;
break;
}
- e_crit("Network adapter has been stopped because it "
- "has over heated. Restart the computer. If the problem "
+ e_crit(drv, "Network adapter has been stopped because it has "
+ "over heated. Restart the computer. If the problem "
"persists, power off the system and replace the "
"adapter\n");
/* write to clear the interrupt */
@@ -1667,7 +1667,7 @@ static void ixgbe_check_fan_failure(struct ixgbe_adapter *adapter, u32 eicr)
if ((adapter->flags & IXGBE_FLAG_FAN_FAIL_CAPABLE) &&
(eicr & IXGBE_EICR_GPI_SDP1)) {
- e_crit("Fan has stopped, replace the adapter\n");
+ e_crit(probe, "Fan has stopped, replace the adapter\n");
/* write to clear the interrupt */
IXGBE_WRITE_REG(hw, IXGBE_EICR, IXGBE_EICR_GPI_SDP1);
}
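Review bot: The fan-failure alert is filed under `probe` here and in the ixgbe_probe hunk, but under `drv` in the ixgbe_up_complete hunk, so the same message is controlled by two different msglvl bits depending on which path emits it. Because `e_crit` now expands to `netif_crit`, this alert and the over-temperature message in ixgbe_check_overtemp_task are printed only while the selected bit is set in the adapter's message level; an administrator who lowers msglvl to quiet routine output also loses the hardware-failure notices. Consider one class for all of them, for example `e_crit(hw, "Fan has stopped, replace the adapter\n");`, or leave these few alerts unconditional. ixgbe_check_fan_failure starts outside the hunk.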
@@ -2153,7 +2153,7 @@ static int ixgbe_request_msix_irqs(struct ixgbe_adapter *adapter)
handler, 0, adapter->name[vector],
adapter->q_vector[vector]);
if (err) {
- e_err("request_irq failed for MSIX interrupt: "
+ e_err(probe, "request_irq failed for MSIX interrupt "
"Error: %d\n", err);
goto free_queue_irqs;
}
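Review bot: The rewritten string in this hunk's `e_err` drops the colon after "interrupt", so the log line changes from `... MSIX interrupt: Error: %d` to `... MSIX interrupt Error: %d`; this looks accidental, since the rest of the patch mostly just adds the msglvl argument. Log filters or alerting rules that match the old text would silently stop matching. Keeping the original wording avoids that: `e_err(probe, "request_irq failed for MSIX interrupt: "`. ixgbe_request_msix_irqs continues outside the hunk.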
@@ -2163,7 +2163,7 @@ static int ixgbe_request_msix_irqs(struct ixgbe_adapter *adapter)
err = request_irq(adapter->msix_entries[vector].vector,
ixgbe_msix_lsc, 0, adapter->name[vector], netdev);
if (err) {
- e_err("request_irq for msix_lsc failed: %d\n", err);
+ e_err(probe, "request_irq for msix_lsc failed: %d\n", err);
goto free_queue_irqs;
}
@@ -2349,7 +2349,7 @@ static int ixgbe_request_irq(struct ixgbe_adapter *adapter)
}
if (err)
- e_err("request_irq failed, Error %d\n", err);
+ e_err(probe, "request_irq failed, Error %d\n", err);
return err;
}
@@ -2420,7 +2420,7 @@ static void ixgbe_configure_msi_and_legacy(struct ixgbe_adapter *adapter)
map_vector_to_rxq(adapter, 0, 0);
map_vector_to_txq(adapter, 0, 0);
- e_info("Legacy interrupt IVAR setup done\n");
+ e_info(hw, "Legacy interrupt IVAR setup done\n");
}
/**
@@ -3316,7 +3316,7 @@ static inline void ixgbe_rx_desc_queue_enable(struct ixgbe_adapter *adapter,
msleep(1);
}
if (k >= IXGBE_MAX_RX_DESC_POLL) {
- e_err("RXDCTL.ENABLE on Rx queue %d not set within "
+ e_err(drv, "RXDCTL.ENABLE on Rx queue %d not set within "
"the polling period\n", rxr);
}
ixgbe_release_rx_desc(&adapter->hw, adapter->rx_ring[rxr],
@@ -3446,7 +3446,7 @@ static int ixgbe_up_complete(struct ixgbe_adapter *adapter)
} while (--wait_loop &&
!(txdctl & IXGBE_TXDCTL_ENABLE));
if (!wait_loop)
- e_err("Could not enable Tx Queue %d\n", j);
+ e_err(drv, "Could not enable Tx Queue %d\n", j);
}
}
@@ -3494,7 +3494,7 @@ static int ixgbe_up_complete(struct ixgbe_adapter *adapter)
if (adapter->flags & IXGBE_FLAG_FAN_FAIL_CAPABLE) {
u32 esdp = IXGBE_READ_REG(hw, IXGBE_ESDP);
if (esdp & IXGBE_ESDP_SDP1)
- e_crit("Fan has stopped, replace the adapter\n");
+ e_crit(drv, "Fan has stopped, replace the adapter\n");
}
/*
@@ -3523,7 +3523,7 @@ static int ixgbe_up_complete(struct ixgbe_adapter *adapter)
} else {
err = ixgbe_non_sfp_link_config(hw);
if (err)
- e_err("link_config FAILED %d\n", err);
+ e_err(probe, "link_config FAILED %d\n", err);
}
for (i = 0; i < adapter->num_tx_queues; i++)
@@ -3977,12 +3977,12 @@ static inline bool ixgbe_set_fcoe_queues(struct ixgbe_adapter *adapter)
adapter->num_tx_queues = 1;
#ifdef CONFIG_IXGBE_DCB
if (adapter->flags & IXGBE_FLAG_DCB_ENABLED) {
- e_info("FCoE enabled with DCB\n");
+ e_info(probe, "FCoE enabled with DCB\n");
ixgbe_set_dcb_queues(adapter);
}
#endif
if (adapter->flags & IXGBE_FLAG_RSS_ENABLED) {
- e_info("FCoE enabled with RSS\n");
+ e_info(probe, "FCoE enabled with RSS\n");
if ((adapter->flags & IXGBE_FLAG_FDIR_HASH_CAPABLE) ||
(adapter->flags & IXGBE_FLAG_FDIR_PERFECT_CAPABLE))
ixgbe_set_fdir_queues(adapter);
@@ -4633,8 +4633,8 @@ int ixgbe_init_interrupt_scheme(struct ixgbe_adapter *adapter)
}
e_dev_info("Multiqueue %s: Rx Queue count = %u, Tx Queue count = %u\n",
- (adapter->num_rx_queues > 1) ? "Enabled" : "Disabled",
- adapter->num_rx_queues, adapter->num_tx_queues);
+ (adapter->num_rx_queues > 1) ? "Enabled" : "Disabled",
+ adapter->num_rx_queues, adapter->num_tx_queues);
set_bit(__IXGBE_DOWN, &adapter->state);
@@ -4711,7 +4711,7 @@ static void ixgbe_sfp_task(struct work_struct *work)
"supported module.\n");
unregister_netdev(adapter->netdev);
} else {
- e_info("detected SFP+: %d\n", hw->phy.sfp_type);
+ e_info(probe, "detected SFP+: %d\n", hw->phy.sfp_type);
}
/* don't need this routine any more */
clear_bit(__IXGBE_SFP_MODULE_NOT_FOUND, &adapter->state);
@@ -4891,7 +4891,7 @@ int ixgbe_setup_tx_resources(struct ixgbe_adapter *adapter,
err:
vfree(tx_ring->tx_buffer_info);
tx_ring->tx_buffer_info = NULL;
- e_err("Unable to allocate memory for the Tx descriptor ring\n");
+ e_err(probe, "Unable to allocate memory for the Tx descriptor ring\n");
return -ENOMEM;
}
@@ -4913,7 +4913,7 @@ static int ixgbe_setup_all_tx_resources(struct ixgbe_adapter *adapter)
err = ixgbe_setup_tx_resources(adapter, adapter->tx_ring[i]);
if (!err)
continue;
- e_err("Allocation for Tx Queue %u failed\n", i);
+ e_err(probe, "Allocation for Tx Queue %u failed\n", i);
break;
}
@@ -4938,7 +4938,8 @@ int ixgbe_setup_rx_resources(struct ixgbe_adapter *adapter,
if (!rx_ring->rx_buffer_info)
rx_ring->rx_buffer_info = vmalloc(size);
if (!rx_ring->rx_buffer_info) {
- e_err("vmalloc allocation failed for the Rx desc ring\n");
+ e_err(probe, "vmalloc allocation failed for the Rx "
+ "descriptor ring\n");
goto alloc_failed;
}
memset(rx_ring->rx_buffer_info, 0, size);
@@ -4951,7 +4952,8 @@ int ixgbe_setup_rx_resources(struct ixgbe_adapter *adapter,
&rx_ring->dma, GFP_KERNEL);
if (!rx_ring->desc) {
- e_err("Memory allocation failed for the Rx desc ring\n");
+ e_err(probe, "Memory allocation failed for the Rx "
+ "descriptor ring\n");
vfree(rx_ring->rx_buffer_info);
goto alloc_failed;
}
@@ -4984,7 +4986,7 @@ static int ixgbe_setup_all_rx_resources(struct ixgbe_adapter *adapter)
err = ixgbe_setup_rx_resources(adapter, adapter->rx_ring[i]);
if (!err)
continue;
- e_err("Allocation for Rx Queue %u failed\n", i);
+ e_err(probe, "Allocation for Rx Queue %u failed\n", i);
break;
}
@@ -5083,7 +5085,7 @@ static int ixgbe_change_mtu(struct net_device *netdev, int new_mtu)
if ((new_mtu < 68) || (max_frame > IXGBE_MAX_JUMBO_FRAME_SIZE))
return -EINVAL;
- e_info("changing MTU from %d to %d\n", netdev->mtu, new_mtu);
+ e_info(probe, "changing MTU from %d to %d\n", netdev->mtu, new_mtu);
/* must set new MTU before calling down or up */
netdev->mtu = new_mtu;
@@ -5598,7 +5600,7 @@ static void ixgbe_fdir_reinit_task(struct work_struct *work)
set_bit(__IXGBE_FDIR_INIT_DONE,
&(adapter->tx_ring[i]->reinit_state));
} else {
- e_err("failed to finish FDIR re-initialization, "
+ e_err(probe, "failed to finish FDIR re-initialization, "
"ignored adding FDIR ATR filters\n");
}
/* Done FDIR Re-initialization, enable transmits */
@@ -5670,7 +5672,7 @@ static void ixgbe_watchdog_task(struct work_struct *work)
flow_tx = !!(rmcs & IXGBE_RMCS_TFCE_802_3X);
}
- e_info("NIC Link is Up %s, Flow Control: %s\n",
+ e_info(drv, "NIC Link is Up %s, Flow Control: %s\n",
(link_speed == IXGBE_LINK_SPEED_10GB_FULL ?
"10 Gbps" :
(link_speed == IXGBE_LINK_SPEED_1GB_FULL ?
@@ -5688,7 +5690,7 @@ static void ixgbe_watchdog_task(struct work_struct *work)
adapter->link_up = false;
adapter->link_speed = 0;
if (netif_carrier_ok(netdev)) {
- e_info("NIC Link is Down\n");
+ e_info(drv, "NIC Link is Down\n");
netif_carrier_off(netdev);
}
}
@@ -5864,8 +5866,9 @@ static bool ixgbe_tx_csum(struct ixgbe_adapter *adapter,
break;
default:
if (unlikely(net_ratelimit())) {
- e_warn("partial checksum but "
- "proto=%x!\n", skb->protocol);
+ e_warn(probe, "partial checksum "
+ "but proto=%x!\n",
+ skb->protocol);
}
break;
}
@@ -6475,7 +6478,7 @@ static void __devinit ixgbe_probe_vf(struct ixgbe_adapter *adapter,
adapter->flags |= IXGBE_FLAG_SRIOV_ENABLED;
err = pci_enable_sriov(adapter->pdev, adapter->num_vfs);
if (err) {
- e_err("Failed to enable PCI sriov: %d\n", err);
+ e_err(probe, "Failed to enable PCI sriov: %d\n", err);
goto err_novfs;
}
/* If call to enable VFs succeeded then allocate memory
@@ -6499,8 +6502,8 @@ static void __devinit ixgbe_probe_vf(struct ixgbe_adapter *adapter,
}
/* Oh oh */
- e_err("Unable to allocate memory for VF Data Storage - SRIOV "
- "disabled\n");
+ e_err(probe, "Unable to allocate memory for VF Data Storage - "
+ "SRIOV disabled\n");
pci_disable_sriov(adapter->pdev);
err_novfs:
@@ -6670,7 +6673,7 @@ static int __devinit ixgbe_probe(struct pci_dev *pdev,
if (adapter->flags & IXGBE_FLAG_FAN_FAIL_CAPABLE) {
u32 esdp = IXGBE_READ_REG(hw, IXGBE_ESDP);
if (esdp & IXGBE_ESDP_SDP1)
- e_crit("Fan has stopped, replace the adapter\n");
+ e_crit(probe, "Fan has stopped, replace the adapter\n");
}
/* reset_hw fills in the perm_addr as well */
@@ -6701,7 +6704,7 @@ static int __devinit ixgbe_probe(struct pci_dev *pdev,
ixgbe_probe_vf(adapter, ii);
- netdev->features = NETIF_F_SG |
+ netdev->features = NETIF_F_SG |
NETIF_F_IP_CSUM |
NETIF_F_HW_VLAN_TX |
NETIF_F_HW_VLAN_RX |
@@ -6854,7 +6857,7 @@ static int __devinit ixgbe_probe(struct pci_dev *pdev,
}
#endif
if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED) {
- e_info("IOV is enabled with %d VFs\n", adapter->num_vfs);
+ e_info(probe, "IOV is enabled with %d VFs\n", adapter->num_vfs);
for (i = 0; i < adapter->num_vfs; i++)
ixgbe_vf_configuration(pdev, (i | 0x10000000));
}
@@ -7002,7 +7005,7 @@ static pci_ers_result_t ixgbe_io_slot_reset(struct pci_dev *pdev)
int err;
if (pci_enable_device_mem(pdev)) {
- e_err("Cannot re-enable PCI device after reset.\n");
+ e_err(probe, "Cannot re-enable PCI device after reset.\n");
result = PCI_ERS_RESULT_DISCONNECT;
} else {
pci_set_master(pdev);
@@ -7040,7 +7043,7 @@ static void ixgbe_io_resume(struct pci_dev *pdev)
if (netif_running(netdev)) {
if (ixgbe_up(adapter)) {
- e_info("ixgbe_up failed after reset\n");
+ e_info(probe, "ixgbe_up failed after reset\n");
return;
}
}
diff --git a/drivers/net/ixgbe/ixgbe_sriov.c b/drivers/net/ixgbe/ixgbe_sriov.c
index 6e6dee0..49661a1 100644
--- a/drivers/net/ixgbe/ixgbe_sriov.c
+++ b/drivers/net/ixgbe/ixgbe_sriov.c
@@ -185,7 +185,8 @@ int ixgbe_vf_configuration(struct pci_dev *pdev, unsigned int event_mask)
if (enable) {
random_ether_addr(vf_mac_addr);
- e_info("IOV: VF %d is enabled MAC %pM\n", vfn, vf_mac_addr);
+ e_info(probe, "IOV: VF %d is enabled MAC %pM\n",
+ vfn, vf_mac_addr);
/*
* Store away the VF "permananet" MAC address, it will ask
* for it later.
@@ -244,7 +245,7 @@ static int ixgbe_rcv_msg_from_vf(struct ixgbe_adapter *adapter, u32 vf)
if (msgbuf[0] == IXGBE_VF_RESET) {
unsigned char *vf_mac = adapter->vfinfo[vf].vf_mac_addresses;
u8 *addr = (u8 *)(&msgbuf[1]);
- e_info("VF Reset msg received from vf %d\n", vf);
+ e_info(probe, "VF Reset msg received from vf %d\n", vf);
adapter->vfinfo[vf].clear_to_send = false;
ixgbe_vf_reset_msg(adapter, vf);
adapter->vfinfo[vf].clear_to_send = true;
@@ -297,7 +298,7 @@ static int ixgbe_rcv_msg_from_vf(struct ixgbe_adapter *adapter, u32 vf)
retval = ixgbe_set_vf_vlan(adapter, add, vid, vf);
break;
default:
- e_err("Unhandled Msg %8.8x\n", msgbuf[0]);
+ e_err(drv, "Unhandled Msg %8.8x\n", msgbuf[0]);
retval = IXGBE_ERR_MBX;
break;
}
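Review bot: The `Unhandled Msg` error is printed once per mailbox message whose first word the switch does not recognise, with no rate limit, and that word appears to be supplied by the VF (the read into msgbuf is outside the hunk). A misbehaving or hostile guest driver could therefore fill the host's kernel log; the `VF Reset msg received` line in the preceding hunk has the same property. Guard both the way the ixgbe_tx_csum hunk in ixgbe_main.c already does, e.g. `if (net_ratelimit()) e_err(drv, "Unhandled Msg %8.8x\n", msgbuf[0]);`.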
* Re: [PATCH] igbvf: avoid name clash between PF and VF
From: Stefan Assmann @ 2010-07-02 6:37 UTC (permalink / raw)
To: Casey Leedom
Cc: e1000-devel, netdev, gregory.v.rose, jeffrey.t.kirsher,
Andy Gospodarek
In-Reply-To: <201007011012.48236.leedom@chelsio.com>
On 01.07.2010 19:12, Casey Leedom wrote:
> | From: Stefan Assmann <sassmann@redhat.com>
> | Date: Wednesday, June 30, 2010 11:37 pm
> |
> | You're correct, the problem shouldn't occur with cxgb4vf and therefore
> | this change shouldn't be necessary. However we might consider a
> | consistent naming scheme for VFs in all drivers. But I don't have a
> | strong opinion about this, either way would be fine by me.
>
> Sorry, I hadn't meant to imply any criticism of your naming proposal. I was
> just trying to clarify when/where such a scheme might be necessary.
Sure, that's the reason why we're discussing this here.
>
> On the naming proposal itself, it strikes me that the most common use of PCI-E
> SR-IOV Virtual Functions will be to export them to KVM Virtual Machines via PCI
> "Pass Through." So there shouldn't be any naming conflict there, right? Or is
> it the same scenario you described before: that the VF NIC device might be found
> before the normal "eth0", etc. withing the Virtual Machine?
I haven't had a scenario where passing multiple VF NICs to the guest was
necessary. In theory it might happen there as well, if you have multiple
NICs (with persistent and random MACs) in the guest. But usually you
just have a single VF inside the guest and then you're fine.
The scenario that I'm targeting is on the host side mostly.
Stefan
--
Stefan Assmann | Red Hat GmbH
Software Engineer | Otto-Hahn-Strasse 20, 85609 Dornach
| HR: Amtsgericht Muenchen HRB 153243
| GF: Brendan Lane, Charlie Peters,
sassmann at redhat.com | Michael Cunningham, Charles Cachera
* [PATCH] netfilter: fix a dst leak in ipv6 REJECT
From: Eric Dumazet @ 2010-07-02 7:06 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, netdev, stable
We should release dst if dst->error is set.
Bug introduced in 2.6.14 by commit e104411b82f5c
([XFRM]: Always release dst_entry on error in xfrm_lookup)
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv6/netfilter/ip6t_REJECT.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 47d2277..2933396 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -97,9 +97,11 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
fl.fl_ip_dport = otcph.source;
security_skb_classify_flow(oldskb, &fl);
dst = ip6_route_output(net, NULL, &fl);
- if (dst == NULL)
+ if (dst == NULL || dst->error) {
+ dst_release(dst);
return;
- if (dst->error || xfrm_lookup(net, &dst, &fl, NULL, 0))
+ }
+ if (xfrm_lookup(net, &dst, &fl, NULL, 0))
return;
hh_len = (dst->dev->hard_header_len + 15)&~15;
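Review bot: The two failure returns now follow different ownership rules and neither is documented: the first releases `dst` explicitly (relying on `dst_release()` accepting NULL when `ip6_route_output()` returned nothing), while the return after `xfrm_lookup()` releases nothing. Going by the commit named in the description, `xfrm_lookup()` drops the entry itself on error, so adding a release there would be a double put; that is easy to get wrong in a later edit. A short comment on the second return, `/* xfrm_lookup() has already released dst on failure */`, would record the contract. send_reset starts and continues outside the hunk.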
* Re: [PATCH] ethtool: Fix list of hash options in manual page
From: Jeff Garzik @ 2010-07-02 7:21 UTC (permalink / raw)
To: Ben Hutchings; +Cc: Aníbal Monsalve Salazar, netdev
In-Reply-To: <1274836511.19775.3.camel@localhost>
On 05/25/2010 09:15 PM, Ben Hutchings wrote:
> 'p' is not a valid option.
> The 'm' option was missing a preceding 'B' for bold.
>
> Signed-off-by: Ben Hutchings<ben@decadent.org.uk>
applied
* Re: [PATCH ethtool 2/2] ethtool: Add support for control of RX flow hash indirection
From: Jeff Garzik @ 2010-07-02 7:25 UTC (permalink / raw)
To: Ben Hutchings; +Cc: Jeff Garzik, netdev, linux-net-drivers
In-Reply-To: <1277910792.2082.18.camel@achroite.uk.solarflarecom.com>
On 06/30/2010 11:13 AM, Ben Hutchings wrote:
> Many NICs use an indirection table to map an RX flow hash value to one
> of an arbitrary number of queues (not necessarily a power of 2). It
> can be useful to remove some queues from this indirection table so
> that they are only used for flows that are specifically filtered
> there. It may also be useful to weight the mapping to account for
> user processes with the same CPU-affinity as the RX interrupts.
>
> Signed-off-by: Ben Hutchings<bhutchings@solarflare.com>
applied 1-2, after making requested printf correction
* Re: [PATCH] bridge: add per bridge device controls for invoking iptables
From: Patrick McHardy @ 2010-07-02 7:34 UTC (permalink / raw)
To: David Miller; +Cc: shemminger, netdev
In-Reply-To: <20100630.142717.123424464.davem@davemloft.net>
David Miller wrote:
> From: Stephen Hemminger <shemminger@vyatta.com>
> Date: Wed, 30 Jun 2010 14:24:40 -0700
>
>
>> On Mon, 28 Jun 2010 14:47:00 +0200
>> kaber@trash.net wrote:
>>
>>
>>> From: Patrick McHardy <kaber@trash.net>
>>>
>>> Support more fine grained control of bridge netfilter iptables invocation
>>> by adding seperate brnf_call_*tables parameters for each device using the
>>> sysfs interface. Packets are passed to layer 3 netfilter when either the
>>> global parameter or the per bridge parameter is enabled.
>>>
>>> Signed-off-by: Patrick McHardy <kaber@trash.net>
>>>
>> Looks like a good idea.
>>
>> Acked-by: Stephen Hemminger <shemminger@vyatta.com>
>>
>
> Acked-by: David S. Miller <davem@davemloft.net>
>
> Patrick since this is mostly netfilter'ish, please toss it into one
> of your trees.
>
Will do, thanks.
* Re: [PATCH] nf_conntrack_reasm: add fast path for in-order fragments
From: Patrick McHardy @ 2010-07-02 7:53 UTC (permalink / raw)
To: Changli Gao
Cc: David S. Miller, Alexey Kuznetsov, Pekka Savola (ipv6),
James Morris, Hideaki YOSHIFUJI, Eric Dumazet, netfilter-devel,
netdev, Mitchell Erblich
In-Reply-To: <1277956710-22313-1-git-send-email-xiaosuo@gmail.com>
Changli Gao wrote:
> nf_conntrack_reasm: add fast path for in-order fragments
>
> As the fragments are sent in order in most of OSes, such as Windows, Darwin and
> FreeBSD, it is likely the new fragments are at the end of the inet_frag_queue.
> In the fast path, we check if the skb at the end of the inet_frag_queue is the
> prev we expect.
>
>
I'll apply this when merging with net-next the next time since this depends
on your "fragment: add fast path for in-order fragments" patch.
* Re: [PATCH] netfilter: fix a dst leak in ipv6 REJECT
From: Patrick McHardy @ 2010-07-02 8:07 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Netfilter Development Mailinglist, netdev, stable
In-Reply-To: <1278054411.2597.13.camel@edumazet-laptop>
Eric Dumazet wrote:
> We should release dst if dst->error is set.
>
> Bug introduced in 2.6.14 by commit e104411b82f5c
> ([XFRM]: Always release dst_entry on error in xfrm_lookup)
>
Applied, thanks Eric.
* [PATCH net-next-2.6] ipv4: use skb_dst_copy() in ip_copy_metadata()
From: Eric Dumazet @ 2010-07-02 9:48 UTC (permalink / raw)
To: David Miller; +Cc: netdev
Avoid touching dst refcount in ip_fragment().
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv4/ip_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 7d1f4b4..d647852 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -411,7 +411,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
to->priority = from->priority;
to->protocol = from->protocol;
skb_dst_drop(to);
- skb_dst_set(to, dst_clone(skb_dst(from)));
+ skb_dst_copy(to, from);
to->dev = from->dev;
to->mark = from->mark;
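Review bot: After this change `to` takes on whatever reference state `from` has, and nothing in the hunk says so: `skb_dst_copy()` presumably avoids the refcount by duplicating an unreferenced (noref) dst as-is instead of cloning it. If that is the case, each fragment's dst stays valid only as long as the protection covering `from`'s dst, and any code that holds a fragment longer must take a real reference first. A comment above the call, `/* may copy a noref dst; caller must stay in the section that protects from's dst */`, would make that constraint explicit. ip_copy_metadata starts and continues outside the hunk.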
* [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Patrick McHardy <kaber@trash.net>
2.6.34 introduced 'conntrack zones' to deal with cases where packets
from multiple identical networks are handled by conntrack/NAT. Packets
are looped through veth devices, during which they are NATed to private
addresses, after which they can continue normally through the stack
and possibly have NAT rules applied a second time.
This works well, but is needlessly complicated for cases where only
a single SNAT/DNAT mapping needs to be applied to these packets. In that
case, all that needs to be done is to assign each network to a separate
zone and perform NAT as usual. However this doesn't work for packets
destined for the machine performing NAT itself since it's currently not
possible to configure SNAT mappings for the LOCAL_IN chain.
This patch adds a new INPUT chain to the NAT table and changes the
targets performing SNAT to be usable in that chain.
Example usage with two identical networks (192.168.0.0/24) on eth0/eth1:
iptables -t raw -A PREROUTING -i eth0 -j CT --zone 1
iptables -t raw -A PREROUTING -i eth0 -j MARK --set-mark 1
iptables -t raw -A PREROUTING -i eth1 -j CT --zone 2
iptables -t raw -A PREROUTING -i eth1 -j MARK --set-mark 2
iptables -t nat -A INPUT -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A POSTROUTING -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A INPUT -m mark --mark 2 -j NETMAP --to 10.0.1.0/24
iptables -t nat -A POSTROUTING -m mark --mark 2 -j NETMAP --to 10.0.1.0/24
iptables -t raw -A PREROUTING -d 10.0.0.0/24 -j CT --zone 1
iptables -t raw -A OUTPUT -d 10.0.0.0/24 -j CT --zone 1
iptables -t raw -A PREROUTING -d 10.0.1.0/24 -j CT --zone 2
iptables -t raw -A OUTPUT -d 10.0.1.0/24 -j CT --zone 2
iptables -t nat -A PREROUTING -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A OUTPUT -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A PREROUTING -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A OUTPUT -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
include/net/netfilter/nf_nat_rule.h | 2 --
net/ipv4/netfilter/ipt_NETMAP.c | 6 ++++--
net/ipv4/netfilter/nf_nat_rule.c | 10 ++++++----
net/ipv4/netfilter/nf_nat_standalone.c | 8 +-------
4 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/include/net/netfilter/nf_nat_rule.h b/include/net/netfilter/nf_nat_rule.h
index e4a18ae..2890bdc 100644
--- a/include/net/netfilter/nf_nat_rule.h
+++ b/include/net/netfilter/nf_nat_rule.h
@@ -12,6 +12,4 @@ extern int nf_nat_rule_find(struct sk_buff *skb,
const struct net_device *out,
struct nf_conn *ct);
-extern unsigned int
-alloc_null_binding(struct nf_conn *ct, unsigned int hooknum);
#endif /* _NF_NAT_RULE_H */
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index f43867d..6cdb298 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
par->hooknum == NF_INET_POST_ROUTING ||
- par->hooknum == NF_INET_LOCAL_OUT);
+ par->hooknum == NF_INET_LOCAL_OUT ||
+ par->hooknum == NF_INET_LOCAL_IN);
ct = nf_ct_get(skb, &ctinfo);
netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = {
.table = "nat",
.hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_POST_ROUTING) |
- (1 << NF_INET_LOCAL_OUT),
+ (1 << NF_INET_LOCAL_OUT) |
+ (1 << NF_INET_LOCAL_IN),
.checkentry = netmap_tg_check,
.me = THIS_MODULE
};
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 98ed782..ebbd319 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,7 +28,8 @@
#define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
(1 << NF_INET_POST_ROUTING) | \
- (1 << NF_INET_LOCAL_OUT))
+ (1 << NF_INET_LOCAL_OUT) | \
+ (1 << NF_INET_LOCAL_IN))
static const struct xt_table nat_table = {
.name = "nat",
@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
enum ip_conntrack_info ctinfo;
const struct nf_nat_multi_range_compat *mr = par->targinfo;
- NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING);
+ NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
+ par->hooknum == NF_INET_LOCAL_IN);
ct = nf_ct_get(skb, &ctinfo);
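Review bot: The widened assertion at the top of `ipt_snat_target` admits LOCAL_IN, but the rest of the function is outside the hunk and was written when POST_ROUTING was the only caller. Any later check or use that presumes an output device (`par->out`) needs revisiting, because packets in LOCAL_IN have none. NF_CT_ASSERT is a debug aid, so the real enforcement is the `.hooks` mask changed further down in this file. Suggested comment above the assertion: `/* LOCAL_IN: source NAT for locally delivered packets; par->out is NULL here */`.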
@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
return 0;
}
-unsigned int
+static unsigned int
alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
{
/* Force range to this IP; let proto decide mapping for
@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
.target = ipt_snat_target,
.targetsize = sizeof(struct nf_nat_multi_range_compat),
.table = "nat",
- .hooks = 1 << NF_INET_POST_ROUTING,
+ .hooks = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
.checkentry = ipt_snat_checkentry,
.family = AF_INET,
};
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 6723c68..95481fe 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum,
if (!nf_nat_initialized(ct, maniptype)) {
unsigned int ret;
- if (hooknum == NF_INET_LOCAL_IN)
- /* LOCAL_IN hook doesn't have a chain! */
- ret = alloc_null_binding(ct, hooknum);
- else
- ret = nf_nat_rule_find(skb, hooknum, in, out,
- ct);
-
+ ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
if (ret != NF_ACCEPT)
return ret;
} else
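Review bot: With the LOCAL_IN special case removed, every input-path connection now depends on `nf_nat_rule_find()` to finish NAT setup even when the new INPUT chain is empty, and nothing in the hunk records that contract. nf_nat_rule_find() is not shown; presumably it falls back to the null binding that this patch makes `static` in nf_nat_rule.c. That should be confirmed, since a missing binding would leave `nf_nat_initialized()` false for locally delivered traffic. A one-line comment would do: `/* every hook, LOCAL_IN included, gets a null binding from nf_nat_rule_find() when no rule matches */`. nf_nat_fn begins and ends outside the hunk.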
--
1.7.0.4
* [PATCH 2/9] IPVS: one-packet scheduling
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Nick Chalk <nick@loadbalancer.org>
Allow one-packet scheduling for UDP connections. When the fwmark-based or
normal virtual service is marked with '-o' or '--ops' options all
connections are created only to schedule one packet. Useful to schedule UDP
packets from same client port to different real servers. Recommended with
RR or WRR schedulers (the connections are not visible with ipvsadm -L).
Signed-off-by: Nick Chalk <nick@loadbalancer.org>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
include/linux/ip_vs.h | 2 ++
net/netfilter/ipvs/ip_vs_conn.c | 10 +++++++---
net/netfilter/ipvs/ip_vs_core.c | 20 ++++++++++++++++----
net/netfilter/ipvs/ip_vs_ctl.c | 10 ++++++----
4 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/include/linux/ip_vs.h b/include/linux/ip_vs.h
index dfc1703..9708de2 100644
--- a/include/linux/ip_vs.h
+++ b/include/linux/ip_vs.h
@@ -19,6 +19,7 @@
*/
#define IP_VS_SVC_F_PERSISTENT 0x0001 /* persistent port */
#define IP_VS_SVC_F_HASHED 0x0002 /* hashed entry */
+#define IP_VS_SVC_F_ONEPACKET 0x0004 /* one-packet scheduling */
/*
* Destination Server Flags
@@ -85,6 +86,7 @@
#define IP_VS_CONN_F_SEQ_MASK 0x0600 /* in/out sequence mask */
#define IP_VS_CONN_F_NO_CPORT 0x0800 /* no client port set yet */
#define IP_VS_CONN_F_TEMPLATE 0x1000 /* template, not connection */
+#define IP_VS_CONN_F_ONE_PACKET 0x2000 /* forward only one packet */
#define IP_VS_SCHEDNAME_MAXLEN 16
#define IP_VS_IFNAME_MAXLEN 16
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index d8f7e8e..717e623 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -158,6 +158,9 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
unsigned hash;
int ret;
+ if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
+ return 0;
+
/* Hash by protocol, client address and port */
hash = ip_vs_conn_hashkey(cp->af, cp->protocol, &cp->caddr, cp->cport);
@@ -355,8 +358,9 @@ struct ip_vs_conn *ip_vs_conn_out_get
*/
void ip_vs_conn_put(struct ip_vs_conn *cp)
{
- /* reset it expire in its timeout */
- mod_timer(&cp->timer, jiffies+cp->timeout);
+ unsigned long t = (cp->flags & IP_VS_CONN_F_ONE_PACKET) ?
+ 0 : cp->timeout;
+ mod_timer(&cp->timer, jiffies+t);
__ip_vs_conn_put(cp);
}
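Review bot: The comment that explained the timer re-arm was dropped just as the logic became less obvious: for a one-packet connection `mod_timer()` is armed with `jiffies + 0`, so the entry is scheduled for immediate expiry. Say so at the assignment, e.g. `/* one-packet conns expire at once; others restart their timeout */`, and leave a blank line after the declaration of `t`. Because `ip_vs_conn_hash` in this file now skips hashing such connections, each datagram appears to get its own short-lived entry with an allocation and a timer. That cost belongs in the option's documentation so operators can size for high UDP packet rates.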
@@ -649,7 +653,7 @@ static void ip_vs_conn_expire(unsigned long data)
/*
* unhash it if it is hashed in the conn table
*/
- if (!ip_vs_conn_unhash(cp))
+ if (!ip_vs_conn_unhash(cp) && !(cp->flags & IP_VS_CONN_F_ONE_PACKET))
goto expire_later;
/*
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 1cd6e3f..50907d8 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -194,6 +194,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
struct ip_vs_dest *dest;
struct ip_vs_conn *ct;
__be16 dport; /* destination port to forward */
+ __be16 flags;
union nf_inet_addr snet; /* source network of the client,
after masking */
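Review bot: `flags` is declared `__be16` here and again in the `ip_vs_schedule` declaration hunk, but it only ever holds host-order `IP_VS_CONN_F_*` bits; `ip_vs_leave` in this same patch uses `__u16` for the identical value. The big-endian annotation will mislead sparse and readers, so `__u16 flags;` is the matching type. The three copies of `svc->flags & IP_VS_SVC_F_ONEPACKET && iph.protocol == IPPROTO_UDP` are correct only because `&` binds tighter than `&&`; writing `(svc->flags & IP_VS_SVC_F_ONEPACKET) && iph.protocol == IPPROTO_UDP`, or a small static inline helper shared by the three call sites, removes the doubt. ip_vs_sched_persist starts and ends outside this hunk.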
@@ -340,6 +341,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
dport = ports[1];
}
+ flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
+ && iph.protocol == IPPROTO_UDP)?
+ IP_VS_CONN_F_ONE_PACKET : 0;
+
/*
* Create a new connection according to the template
*/
@@ -347,7 +352,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
&iph.saddr, ports[0],
&iph.daddr, ports[1],
&dest->addr, dport,
- 0,
+ flags,
dest);
if (cp == NULL) {
ip_vs_conn_put(ct);
@@ -377,7 +382,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
struct ip_vs_conn *cp = NULL;
struct ip_vs_iphdr iph;
struct ip_vs_dest *dest;
- __be16 _ports[2], *pptr;
+ __be16 _ports[2], *pptr, flags;
ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
@@ -407,6 +412,10 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
return NULL;
}
+ flags = (svc->flags & IP_VS_SVC_F_ONEPACKET
+ && iph.protocol == IPPROTO_UDP)?
+ IP_VS_CONN_F_ONE_PACKET : 0;
+
/*
* Create a connection entry.
*/
@@ -414,7 +423,7 @@ ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
&iph.saddr, pptr[0],
&iph.daddr, pptr[1],
&dest->addr, dest->port ? dest->port : pptr[1],
- 0,
+ flags,
dest);
if (cp == NULL)
return NULL;
@@ -464,6 +473,9 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
int ret, cs;
struct ip_vs_conn *cp;
+ __u16 flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
+ iph.protocol == IPPROTO_UDP)?
+ IP_VS_CONN_F_ONE_PACKET : 0;
union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
ip_vs_service_put(svc);
@@ -474,7 +486,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
&iph.saddr, pptr[0],
&iph.daddr, pptr[1],
&daddr, 0,
- IP_VS_CONN_F_BYPASS,
+ IP_VS_CONN_F_BYPASS | flags,
NULL);
if (cp == NULL)
return NF_DROP;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 36dc1d8..0f0c079 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1864,14 +1864,16 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
svc->scheduler->name);
else
#endif
- seq_printf(seq, "%s %08X:%04X %s ",
+ seq_printf(seq, "%s %08X:%04X %s %s ",
ip_vs_proto_name(svc->protocol),
ntohl(svc->addr.ip),
ntohs(svc->port),
- svc->scheduler->name);
+ svc->scheduler->name,
+ (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
} else {
- seq_printf(seq, "FWM %08X %s ",
- svc->fwmark, svc->scheduler->name);
+ seq_printf(seq, "FWM %08X %s %s",
+ svc->fwmark, svc->scheduler->name,
+ (svc->flags & IP_VS_SVC_F_ONEPACKET)?"ops ":"");
}
if (svc->flags & IP_VS_SVC_F_PERSISTENT)
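Review bot: The two new format strings disagree on spacing: `"%s %08X:%04X %s %s "` prints two spaces after the scheduler name when the flag is clear (and after `ops ` when it is set), while the FWM variant `"FWM %08X %s %s"` keeps the old single space. Tools that split this seq_file output on single spaces would see an empty field; dropping the trailing space, `"%s %08X:%04X %s %s"`, keeps unflagged services byte-identical to the previous output. The branch that ends at the first context line (its start is outside the hunk) still prints only the scheduler name, so the flag appears not to be shown for that service type.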
--
1.7.0.4
* [PATCH 3/9] netfilter: xt_IDLETIMER needs kdev_t.h
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Randy Dunlap <randy.dunlap@oracle.com>
Add header file to fix build error:
net/netfilter/xt_IDLETIMER.c:276: error: implicit declaration of function 'MKDEV'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/xt_IDLETIMER.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index e11090a..be1f22e 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -36,6 +36,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_IDLETIMER.h>
+#include <linux/kdev_t.h>
#include <linux/kobject.h>
#include <linux/workqueue.h>
#include <linux/sysfs.h>
--
1.7.0.4
* [PATCH 5/9] netfilter: xt_connbytes: Force CT accounting to be enabled
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Tim Gardner <tim.gardner@canonical.com>
Check at rule install time that CT accounting is enabled. Force it
to be enabled if not while also emitting a warning since this is not
the default state.
This is in preparation for deprecating CONFIG_NF_CT_ACCT upon which
CONFIG_NETFILTER_XT_MATCH_CONNBYTES depended being set.
Added 2 CT accounting support functions:
nf_ct_acct_enabled() - Get CT accounting state.
nf_ct_set_acct() - Enable/disable CT accounting.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
include/net/netfilter/nf_conntrack_acct.h | 12 ++++++++++++
net/netfilter/xt_connbytes.c | 10 ++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h
index 03e218f..4e9c63a 100644
--- a/include/net/netfilter/nf_conntrack_acct.h
+++ b/include/net/netfilter/nf_conntrack_acct.h
@@ -45,6 +45,18 @@ struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
extern unsigned int
seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir);
+/* Check if connection tracking accounting is enabled */
+static inline bool nf_ct_acct_enabled(struct net *net)
+{
+ return net->ct.sysctl_acct != 0;
+}
+
+/* Enable/disable connection tracking accounting */
+static inline void nf_ct_set_acct(struct net *net, bool enable)
+{
+ net->ct.sysctl_acct = enable;
+}
+
extern int nf_conntrack_acct_init(struct net *net);
extern void nf_conntrack_acct_fini(struct net *net);
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 7351783..5b13850 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,6 +112,16 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
if (ret < 0)
pr_info("cannot load conntrack support for proto=%u\n",
par->family);
+
+ /*
+ * This filter cannot function correctly unless connection tracking
+ * accounting is enabled, so complain in the hope that someone notices.
+ */
+ if (!nf_ct_acct_enabled(par->net)) {
+ pr_warning("Forcing CT accounting to be enabled\n");
+ nf_ct_set_acct(par->net, true);
+ }
+
return ret;
}
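Review bot: The forced enable runs even when the preceding conntrack module load failed: `ret < 0` only logs and falls through, so a rule that is about to be rejected still flips `sysctl_acct` for the whole network namespace. Bracing the `if (ret < 0)` and adding `return ret;` after the `pr_info()` keeps a failed check free of side effects. Nothing visible turns accounting off again when the rule is removed, so the warning would be more useful if it named the setting it changes, e.g. `pr_warning("Forcing CT accounting to be enabled (net.netfilter.nf_conntrack_acct)\n");`. connbytes_mt_check starts outside the hunk.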
--
1.7.0.4
* [PATCH 6/9] netfilter: complete the deprecation of CONFIG_NF_CT_ACCT
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Tim Gardner <tim.gardner@canonical.com>
CONFIG_NF_CT_ACCT has been deprecated for a while and
was originally scheduled for removal by 2.6.29.
Removing support for this config option also stops
this deprecation warning message in the kernel log.
[ 61.669627] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[ 61.669850] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
[ 61.669852] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
[ 61.669853] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
[Patrick: changed default value to 0]
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
Documentation/feature-removal-schedule.txt | 9 ---------
Documentation/kernel-parameters.txt | 3 +--
net/netfilter/Kconfig | 22 ----------------------
net/netfilter/nf_conntrack_acct.c | 14 +-------------
4 files changed, 2 insertions(+), 46 deletions(-)
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 672be01..92f021a 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -303,15 +303,6 @@ Who: Johannes Berg <johannes@sipsolutions.net>
---------------------------
-What: CONFIG_NF_CT_ACCT
-When: 2.6.29
-Why: Accounting can now be enabled/disabled without kernel recompilation.
- Currently used only to set a default value for a feature that is also
- controlled by a kernel/module/sysfs/sysctl parameter.
-Who: Krzysztof Piotr Oledzki <ole@ans.pl>
-
----------------------------
-
What: sysfs ui for changing p4-clockmod parameters
When: September 2009
Why: See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 1808f11..cee6251 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1597,8 +1597,7 @@ and is between 256 and 4096 characters. It is defined in the file
[NETFILTER] Enable connection tracking flow accounting
0 to disable accounting
1 to enable accounting
- Default value depends on CONFIG_NF_CT_ACCT that is
- going to be removed in 2.6.29.
+ Default value is 0.
nfsaddrs= [NFS]
See Documentation/filesystems/nfs/nfsroot.txt.
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 21be535..aa2f106 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -40,27 +40,6 @@ config NF_CONNTRACK
if NF_CONNTRACK
-config NF_CT_ACCT
- bool "Connection tracking flow accounting"
- depends on NETFILTER_ADVANCED
- help
- If this option is enabled, the connection tracking code will
- keep per-flow packet and byte counters.
-
- Those counters can be used for flow-based accounting or the
- `connbytes' match.
-
- Please note that currently this option only sets a default state.
- You may change it at boot time with nf_conntrack.acct=0/1 kernel
- parameter or by loading the nf_conntrack module with acct=0/1.
-
- You may also disable/enable it on a running system with:
- sysctl net.netfilter.nf_conntrack_acct=0/1
-
- This option will be removed in 2.6.29.
-
- If unsure, say `N'.
-
config NF_CONNTRACK_MARK
bool 'Connection mark tracking support'
depends on NETFILTER_ADVANCED
@@ -630,7 +609,6 @@ config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NF_CONNTRACK
depends on NETFILTER_ADVANCED
- select NF_CT_ACCT
help
This option adds a `connbytes' match, which allows you to match the
number of bytes and/or packets for each direction within a connection.
diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
index ab81b38..5178c69 100644
--- a/net/netfilter/nf_conntrack_acct.c
+++ b/net/netfilter/nf_conntrack_acct.c
@@ -17,13 +17,7 @@
#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_acct.h>
-#ifdef CONFIG_NF_CT_ACCT
-#define NF_CT_ACCT_DEFAULT 1
-#else
-#define NF_CT_ACCT_DEFAULT 0
-#endif
-
-static int nf_ct_acct __read_mostly = NF_CT_ACCT_DEFAULT;
+static int nf_ct_acct __read_mostly;
module_param_named(acct, nf_ct_acct, bool, 0644);
MODULE_PARM_DESC(acct, "Enable connection tracking flow accounting.");
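Review bot: Dropping `NF_CT_ACCT_DEFAULT` silently turns accounting off by default for kernels that were built with CONFIG_NF_CT_ACCT=y, and the next hunk in this file removes the only boot-time message that told administrators how to enable it. Per-flow byte and packet counters feed accounting and monitoring, so the new default should be stated next to the variable, e.g. `/* off by default; enable with nf_conntrack.acct=1 or sysctl net.netfilter.nf_conntrack_acct=1 */`. Extending the `MODULE_PARM_DESC` text with "(default: off)" would surface the same fact in modinfo.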
@@ -114,12 +108,6 @@ int nf_conntrack_acct_init(struct net *net)
net->ct.sysctl_acct = nf_ct_acct;
if (net_eq(net, &init_net)) {
-#ifdef CONFIG_NF_CT_ACCT
- printk(KERN_WARNING "CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use\n");
- printk(KERN_WARNING "nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or\n");
- printk(KERN_WARNING "sysctl net.netfilter.nf_conntrack_acct=1 to enable it.\n");
-#endif
-
ret = nf_ct_extend_register(&acct_extend);
if (ret < 0) {
printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n");
--
1.7.0.4
* [PATCH 8/9] netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Patrick McHardy <kaber@trash.net>
The LOG targets print the entire MAC header as one long string, which is not
very readable:
IN=eth0 OUT= MAC=00:15:f2:24:91:f8:00:1b:24:dc:61:e6:08:00 ...
Add an option to decode known header formats (currently just ARPHRD_ETHER devices)
in their individual fields:
IN=eth0 OUT= MACSRC=00:1b:24:dc:61:e6 MACDST=00:15:f2:24:91:f8 MACPROTO=0800 ...
IN=eth0 OUT= MACSRC=00:1b:24:dc:61:e6 MACDST=00:15:f2:24:91:f8 MACPROTO=86dd ...
The option needs to be explicitly enabled by userspace to avoid breaking
existing parsers.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
include/linux/netfilter_ipv4/ipt_LOG.h | 3 +-
include/linux/netfilter_ipv6/ip6t_LOG.h | 3 +-
net/ipv4/netfilter/ipt_LOG.c | 54 +++++++++++++++-----
net/ipv6/netfilter/ip6t_LOG.c | 81 ++++++++++++++++++++-----------
4 files changed, 97 insertions(+), 44 deletions(-)
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 90fa652..dcdbadf 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -7,7 +7,8 @@
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
-#define IPT_LOG_MASK 0x1f
+#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define IPT_LOG_MASK 0x2f
struct ipt_log_info {
unsigned char level;
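Review bot: `IPT_LOG_MASK` goes from 0x1f to 0x2f, which adds the new 0x20 bit but drops 0x10 (`IPT_LOG_NFLOG`) from the mask; the union of all defined bits would be 0x3f. If excluding the unsupported NFLOG bit is intended, a comment such as `/* 0x10 (NFLOG) deliberately excluded */` would stop a later reader from "correcting" it; if it is not intended, the value should be `0x3f`. The same applies to `IP6T_LOG_MASK` in ip6t_LOG.h.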
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 0d0119b..9dd5579 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -7,7 +7,8 @@
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
-#define IP6T_LOG_MASK 0x1f
+#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define IP6T_LOG_MASK 0x2f
struct ip6t_log_info {
unsigned char level;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 0a452a5..915fc17 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -13,6 +13,7 @@
#include <linux/module.h>
#include <linux/spinlock.h>
#include <linux/skbuff.h>
+#include <linux/if_arp.h>
#include <linux/ip.h>
#include <net/icmp.h>
#include <net/udp.h>
@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info,
/* maxlen = 230+ 91 + 230 + 252 = 803 */
}
+static void dump_mac_header(const struct nf_loginfo *info,
+ const struct sk_buff *skb)
+{
+ struct net_device *dev = skb->dev;
+ unsigned int logflags = 0;
+
+ if (info->type == NF_LOG_TYPE_LOG)
+ logflags = info->u.log.logflags;
+
+ if (!(logflags & IPT_LOG_MACDECODE))
+ goto fallback;
+
+ switch (dev->type) {
+ case ARPHRD_ETHER:
+ printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
+ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
+ ntohs(eth_hdr(skb)->h_proto));
+ return;
+ default:
+ break;
+ }
+
+fallback:
+ printk("MAC=");
+ if (dev->hard_header_len &&
+ skb->mac_header != skb->network_header) {
+ const unsigned char *p = skb_mac_header(skb);
+ unsigned int i;
+
+ printk("%02x", *p++);
+ for (i = 1; i < dev->hard_header_len; i++, p++)
+ printk(":%02x", *p);
+ }
+ printk(" ");
+}
+
static struct nf_loginfo default_loginfo = {
.type = NF_LOG_TYPE_LOG,
.u = {
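Review bot: `dump_mac_header()` dereferences `skb->dev` unconditionally (`dev->type`, `dev->hard_header_len`), whereas the code it replaces in `ipt_log_packet` tested `skb->dev &&` first. Unless the `in && !out` caller guarantees a device, keep the guard, for example `if (!dev) { printk("MAC= "); return; }` at the top, which reproduces the old output. The ARPHRD_ETHER branch also reads `eth_hdr(skb)` without the `skb->mac_header != skb->network_header` test that the fallback applies, so a packet with no link-layer header in front of it would have unrelated bytes logged as addresses. Both remarks apply to the copy added to ip6t_LOG.c.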
@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf,
}
#endif
- if (in && !out) {
- /* MAC logging for input chain only. */
- printk("MAC=");
- if (skb->dev && skb->dev->hard_header_len &&
- skb->mac_header != skb->network_header) {
- int i;
- const unsigned char *p = skb_mac_header(skb);
-
- printk("%02x", *p++);
- for (i = 1; i < skb->dev->hard_header_len; i++, p++)
- printk(":%02x", *p);
- }
- printk(" ");
- }
+ /* MAC logging for input path only. */
+ if (in && !out)
+ dump_mac_header(loginfo, skb);
dump_packet(loginfo, skb, 0);
printk("\n");
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 4c7ddac..0a07ae7 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -373,6 +373,56 @@ static void dump_packet(const struct nf_loginfo *info,
printk("MARK=0x%x ", skb->mark);
}
+static void dump_mac_header(const struct nf_loginfo *info,
+ const struct sk_buff *skb)
+{
+ struct net_device *dev = skb->dev;
+ unsigned int logflags = 0;
+
+ if (info->type == NF_LOG_TYPE_LOG)
+ logflags = info->u.log.logflags;
+
+ if (!(logflags & IP6T_LOG_MACDECODE))
+ goto fallback;
+
+ switch (dev->type) {
+ case ARPHRD_ETHER:
+ printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
+ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
+ ntohs(eth_hdr(skb)->h_proto));
+ return;
+ default:
+ break;
+ }
+
+fallback:
+ printk("MAC=");
+ if (dev->hard_header_len &&
+ skb->mac_header != skb->network_header) {
+ const unsigned char *p = skb_mac_header(skb);
+ unsigned int len = dev->hard_header_len;
+ unsigned int i;
+
+ if (dev->type == ARPHRD_SIT &&
+ (p -= ETH_HLEN) < skb->head)
+ p = NULL;
+
+ if (p != NULL) {
+ printk("%02x", *p++);
+ for (i = 1; i < len; i++)
+ printk(":%02x", p[i]);
+ }
+ printk(" ");
+
+ if (dev->type == ARPHRD_SIT) {
+ const struct iphdr *iph =
+ (struct iphdr *)skb_mac_header(skb);
+ printk("TUNNEL=%pI4->%pI4 ", &iph->saddr, &iph->daddr);
+ }
+ } else
+ printk(" ");
+}
+
static struct nf_loginfo default_loginfo = {
.type = NF_LOG_TYPE_LOG,
.u = {
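Review bot: The fallback loop mixes two indexing styles: after `printk("%02x", *p++)` has advanced `p`, the loop prints `p[i]` for `i = 1 .. len-1`, so the second header byte is skipped and the last read lands one byte past `hard_header_len`. The IPv4 version in this patch advances the pointer instead (`i++, p++` with `*p`). Either print `p[0]` first and keep `p[i]`, or change the loop body to `printk(":%02x", *p++);`. The loop is carried over unchanged from the lines removed from `ip6t_log_packet`, but the extraction into a helper is the natural place to correct it.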
@@ -400,35 +450,10 @@ ip6t_log_packet(u_int8_t pf,
prefix,
in ? in->name : "",
out ? out->name : "");
- if (in && !out) {
- unsigned int len;
- /* MAC logging for input chain only. */
- printk("MAC=");
- if (skb->dev && (len = skb->dev->hard_header_len) &&
- skb->mac_header != skb->network_header) {
- const unsigned char *p = skb_mac_header(skb);
- int i;
-
- if (skb->dev->type == ARPHRD_SIT &&
- (p -= ETH_HLEN) < skb->head)
- p = NULL;
-
- if (p != NULL) {
- printk("%02x", *p++);
- for (i = 1; i < len; i++)
- printk(":%02x", p[i]);
- }
- printk(" ");
- if (skb->dev->type == ARPHRD_SIT) {
- const struct iphdr *iph =
- (struct iphdr *)skb_mac_header(skb);
- printk("TUNNEL=%pI4->%pI4 ",
- &iph->saddr, &iph->daddr);
- }
- } else
- printk(" ");
- }
+ /* MAC logging for input path only. */
+ if (in && !out)
+ dump_mac_header(loginfo, skb);
dump_packet(loginfo, skb, skb_network_offset(skb), 1);
printk("\n");
--
1.7.0.4
* [PATCH 9/9] bridge: add per bridge device controls for invoking iptables
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Patrick McHardy <kaber@trash.net>
Support more fine grained control of bridge netfilter iptables invocation
by adding separate brnf_call_*tables parameters for each device using the
sysfs interface. Packets are passed to layer 3 netfilter when either the
global parameter or the per bridge parameter is enabled.
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/bridge/br_netfilter.c | 31 ++++++++++++++-----
net/bridge/br_private.h | 3 ++
net/bridge/br_sysfs_br.c | 72 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 97 insertions(+), 9 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 6bb6f7c..f1d49ae 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -55,6 +55,9 @@ static int brnf_call_arptables __read_mostly = 1;
static int brnf_filter_vlan_tagged __read_mostly = 0;
static int brnf_filter_pppoe_tagged __read_mostly = 0;
#else
+#define brnf_call_iptables 1
+#define brnf_call_ip6tables 1
+#define brnf_call_arptables 1
#define brnf_filter_vlan_tagged 0
#define brnf_filter_pppoe_tagged 0
#endif
@@ -543,25 +546,30 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ struct net_bridge_port *p;
+ struct net_bridge *br;
struct iphdr *iph;
__u32 len = nf_bridge_encap_header_len(skb);
if (unlikely(!pskb_may_pull(skb, len)))
goto out;
+ p = rcu_dereference(in->br_port);
+ if (p == NULL)
+ goto out;
+ br = p->br;
+
if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
IS_PPPOE_IPV6(skb)) {
-#ifdef CONFIG_SYSCTL
- if (!brnf_call_ip6tables)
+ if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
return NF_ACCEPT;
-#endif
+
nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
}
-#ifdef CONFIG_SYSCTL
- if (!brnf_call_iptables)
+
+ if (!brnf_call_iptables && !br->nf_call_iptables)
return NF_ACCEPT;
-#endif
if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) &&
!IS_PPPOE_IP(skb))
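Review bot: The two new `br_port` lookups treat a missing port differently: here `p == NULL` jumps to `out`, while `br_nf_forward_arp` returns `NF_ACCEPT` for the same condition. The `out` label is outside the hunk, so its verdict cannot be seen; if it drops the packet, the asymmetry should be intentional and commented, e.g. `/* port went away under us: drop */`. It is also worth a comment that, because the test is `!brnf_call_iptables && !br->nf_call_iptables`, the per-bridge flag can only add filtering on top of the global sysctl and cannot exempt a bridge while the global value is 1. br_nf_pre_routing continues beyond the hunk.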
@@ -714,12 +722,17 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+ struct net_bridge_port *p;
+ struct net_bridge *br;
struct net_device **d = (struct net_device **)(skb->cb);
-#ifdef CONFIG_SYSCTL
- if (!brnf_call_arptables)
+ p = rcu_dereference(out->br_port);
+ if (p == NULL)
+ return NF_ACCEPT;
+ br = p->br;
+
+ if (!brnf_call_arptables && !br->nf_call_arptables)
return NF_ACCEPT;
-#endif
if (skb->protocol != htons(ETH_P_ARP)) {
if (!IS_VLAN_ARP(skb))
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index c83519b..7484065 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -164,6 +164,9 @@ struct net_bridge
unsigned long feature_mask;
#ifdef CONFIG_BRIDGE_NETFILTER
struct rtable fake_rtable;
+ bool nf_call_iptables;
+ bool nf_call_ip6tables;
+ bool nf_call_arptables;
#endif
unsigned long flags;
#define BR_SET_MAC_ADDR 0x00000001
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 486b8f3..5c1e555 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -611,6 +611,73 @@ static DEVICE_ATTR(multicast_startup_query_interval, S_IRUGO | S_IWUSR,
show_multicast_startup_query_interval,
store_multicast_startup_query_interval);
#endif
+#ifdef CONFIG_BRIDGE_NETFILTER
+static ssize_t show_nf_call_iptables(
+ struct device *d, struct device_attribute *attr, char *buf)
+{
+ struct net_bridge *br = to_bridge(d);
+ return sprintf(buf, "%u\n", br->nf_call_iptables);
+}
+
+static int set_nf_call_iptables(struct net_bridge *br, unsigned long val)
+{
+ br->nf_call_iptables = val ? true : false;
+ return 0;
+}
+
+static ssize_t store_nf_call_iptables(
+ struct device *d, struct device_attribute *attr, const char *buf,
+ size_t len)
+{
+ return store_bridge_parm(d, buf, len, set_nf_call_iptables);
+}
+static DEVICE_ATTR(nf_call_iptables, S_IRUGO | S_IWUSR,
+ show_nf_call_iptables, store_nf_call_iptables);
+
+static ssize_t show_nf_call_ip6tables(
+ struct device *d, struct device_attribute *attr, char *buf)
+{
+ struct net_bridge *br = to_bridge(d);
+ return sprintf(buf, "%u\n", br->nf_call_ip6tables);
+}
+
+static int set_nf_call_ip6tables(struct net_bridge *br, unsigned long val)
+{
+ br->nf_call_ip6tables = val ? true : false;
+ return 0;
+}
+
+static ssize_t store_nf_call_ip6tables(
+ struct device *d, struct device_attribute *attr, const char *buf,
+ size_t len)
+{
+ return store_bridge_parm(d, buf, len, set_nf_call_ip6tables);
+}
+static DEVICE_ATTR(nf_call_ip6tables, S_IRUGO | S_IWUSR,
+ show_nf_call_ip6tables, store_nf_call_ip6tables);
+
+static ssize_t show_nf_call_arptables(
+ struct device *d, struct device_attribute *attr, char *buf)
+{
+ struct net_bridge *br = to_bridge(d);
+ return sprintf(buf, "%u\n", br->nf_call_arptables);
+}
+
+static int set_nf_call_arptables(struct net_bridge *br, unsigned long val)
+{
+ br->nf_call_arptables = val ? true : false;
+ return 0;
+}
+
+static ssize_t store_nf_call_arptables(
+ struct device *d, struct device_attribute *attr, const char *buf,
+ size_t len)
+{
+ return store_bridge_parm(d, buf, len, set_nf_call_arptables);
+}
+static DEVICE_ATTR(nf_call_arptables, S_IRUGO | S_IWUSR,
+ show_nf_call_arptables, store_nf_call_arptables);
+#endif
static struct attribute *bridge_attrs[] = {
&dev_attr_forward_delay.attr,
@@ -645,6 +712,11 @@ static struct attribute *bridge_attrs[] = {
&dev_attr_multicast_query_response_interval.attr,
&dev_attr_multicast_startup_query_interval.attr,
#endif
+#ifdef CONFIG_BRIDGE_NETFILTER
+ &dev_attr_nf_call_iptables.attr,
+ &dev_attr_nf_call_ip6tables.attr,
+ &dev_attr_nf_call_arptables.attr,
+#endif
NULL
};
--
1.7.0.4
* [PATCH 0/9] netfilter: netfilter update
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
Hi Dave,
following is a small netfilter update for net-next, containing:
- a patch to support user-defined SNAT rules in the nat/INPUT chain,
from myself
- one-packet scheduling for IPVS from Nick Chalk
- missing kdev_t.h inclusion in xt_IDLETIMER from Randy Dunlap
- the removal of CONFIG_NF_CT_ACCT, originally scheduled for 2.6.29,
from Tim Gardner
- a patch to support MAC header decoding in the netfilter LOG targets,
from myself
- a patch for per bridge device controls for iptables invocation, from
myself
Please apply or pull from:
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master
Thanks!
Arnd Hannemann (1):
netfilter: fix simple typo in KConfig for netfiltert xt_TEE
Nick Chalk (1):
IPVS: one-packet scheduling
Patrick McHardy (4):
netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
netfilter: ipt_LOG/ip6t_LOG: remove comparison within loop
netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header
bridge: add per bridge device controls for invoking iptables
Randy Dunlap (1):
netfilter: xt_IDLETIMER needs kdev_t.h
Tim Gardner (2):
netfilter: xt_connbytes: Force CT accounting to be enabled
netfilter: complete the deprecation of CONFIG_NF_CT_ACCT
* [PATCH 4/9] netfilter: fix simple typo in KConfig for netfiltert xt_TEE
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Arnd Hannemann <hannemann@nets.rwth-aachen.de>
Destination was spelled wrong in KConfig.
Signed-off-by: Arnd Hannemann <hannemann@nets.rwth-aachen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/Kconfig | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 413ed24..21be535 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -515,7 +515,7 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TEE
- tristate '"TEE" - packet cloning to alternate destiantion'
+ tristate '"TEE" - packet cloning to alternate destination'
depends on NETFILTER_ADVANCED
depends on (IPV6 || IPV6=n)
depends on !NF_CONNTRACK || NF_CONNTRACK
--
1.7.0.4
* [PATCH 7/9] netfilter: ipt_LOG/ip6t_LOG: remove comparison within loop
From: kaber @ 2010-07-02 9:52 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1278064342-19059-1-git-send-email-kaber@trash.net>
From: Patrick McHardy <kaber@trash.net>
Remove the comparison within the loop to print the macheader by prepending
the colon to all but the first printk.
Based on suggestion by Jan Engelhardt <jengelh@medozas.de>.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/ipv4/netfilter/ipt_LOG.c | 12 ++++++------
net/ipv6/netfilter/ip6t_LOG.c | 6 +++---
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 5234f4f..0a452a5 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -411,12 +411,12 @@ ipt_log_packet(u_int8_t pf,
skb->mac_header != skb->network_header) {
int i;
const unsigned char *p = skb_mac_header(skb);
- for (i = 0; i < skb->dev->hard_header_len; i++,p++)
- printk("%02x%c", *p,
- i==skb->dev->hard_header_len - 1
- ? ' ':':');
- } else
- printk(" ");
+
+ printk("%02x", *p++);
+ for (i = 1; i < skb->dev->hard_header_len; i++, p++)
+ printk(":%02x", *p);
+ }
+ printk(" ");
}
dump_packet(loginfo, skb, 0);
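Review bot: The first `printk("%02x", *p++)` in ipt_log_packet now runs before any length test, so this branch prints one byte even when `skb->dev->hard_header_len` is zero, where the old loop printed nothing. Only the tail of the enclosing condition (`skb->mac_header != skb->network_header`) is visible in the hunk, so the non-zero check may already be made on the lines above. If it is, a short comment such as `/* hard_header_len != 0 checked above: at least one byte to print */` would make that dependency explicit. The function body starts and ends outside the hunk.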
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index af4ee11..4c7ddac 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -414,9 +414,9 @@ ip6t_log_packet(u_int8_t pf,
p = NULL;
if (p != NULL) {
- for (i = 0; i < len; i++)
- printk("%02x%s", p[i],
- i == len - 1 ? "" : ":");
+ printk("%02x", *p++);
+ for (i = 1; i < len; i++)
+ printk(":%02x", p[i]);
}
printk(" ");
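Review bot: The IPv6 variant mixes two idioms: `printk("%02x", *p++)` advances `p`, and the loop then indexes `p[i]` starting at `i = 1`, so the second header byte is skipped and the last iteration reads one byte past the `len` bytes the old loop printed. The IPv4 hunk in the same patch avoids this because its loop dereferences `*p` and advances the pointer itself. Leaving the pointer fixed restores the old output: `printk("%02x", p[0]);` followed by the loop as written. ip6t_log_packet continues outside the hunk.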
--
1.7.0.4
* Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
From: Jan Engelhardt @ 2010-07-02 10:14 UTC (permalink / raw)
To: kaber; +Cc: davem, netfilter-devel, netdev
In-Reply-To: <1278064342-19059-2-git-send-email-kaber@trash.net>
On Friday 2010-07-02 11:52, kaber@trash.net wrote:
>
>2.6.34 introduced 'conntrack zones' to deal with cases where packets
>from multiple identical networks are handled by conntrack/NAT. Packets
>are looped through veth devices, during which they are NATed to private
>addresses, after which they can continue normally through the stack
>and possibly have NAT rules applied a second time.
>
>This works well, but is needlessly complicated for cases where only
>a single SNAT/DNAT mapping needs to be applied to these packets.
I still have not grasped why SNAT is needed in the INPUT path. For the
tunnel scenario that you wanted to build I could not find a reason to
do SNAT in that place - since the non-encapsulated packets don't go
through INPUT anyway.
* Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
From: Patrick McHardy @ 2010-07-02 10:17 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: davem, netfilter-devel, netdev
In-Reply-To: <alpine.LSU.2.01.1007021212490.16691@obet.zrqbmnf.qr>
Jan Engelhardt wrote:
> On Friday 2010-07-02 11:52, kaber@trash.net wrote:
>
>> 2.6.34 introduced 'conntrack zones' to deal with cases where packets
>>
> >from multiple identical networks are handled by conntrack/NAT. Packets
>
>> are looped through veth devices, during which they are NATed to private
>> addresses, after which they can continue normally through the stack
>> and possibly have NAT rules applied a second time.
>>
>> This works well, but is needlessly complicated for cases where only
>> a single SNAT/DNAT mapping needs to be applied to these packets.
>>
>
> I still have not grasped why SNAT is needed in the INPUT path. For the
> tunnel scenario that you wanted to build I could not find a reason to
> do SNAT in that place - since the non-encapsulated packets don't go
> through INPUT anyway.
>
Sure they do, if they are destined for the host itself. I'm not sure
what's so hard to understand about this patch, you have f.i. multiple
tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
them to separate networks based on criteria like the network device or
the IPsec tunnel to be able to distinguish them.
* [PATCH] xfrm bugs with mark logic
From: Peter Kosyh @ 2010-07-02 10:40 UTC (permalink / raw)
To: netdev
Hello! I am currently working with 2.6.34, trying to use iptables ...
-j MARK with XFRM policy. So, i found at least
two bugs in 2.6.34 kernel.
First bug is just typo in xfrm_mark_get (net/xfrm.h):
memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(m));
must be:
memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(*m));
The second one, is clearing mark in flowi structure via memset in
_decode_session4 (net/ipv4/xfrm4_policy.c).
(see net/ipv4/netfilter.c, ip_route_me_harder function)
int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
/* ... */
if (addr_type == RTN_LOCAL) {
/* ... */
fl.mark = skb->mark; /* here, set mark from skb */
/* ... */
#ifdef CONFIG_XFRM
if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
xfrm_decode_session(skb, &fl, AF_INET) == 0) { /* here
fl->mark will be zeroed */
/* ... */
if (xfrm_lookup(net, &dst, &fl, skb->sk, 0)) /* here
policy lookup will fail */
I do not know anything about IPv6, but it is likely affected by
this bug too. :(
P.S. Sorry for my bad English. :)
w.b.r. Peter Kosyh
diff -Nur linux-2.6.34/include/net/xfrm.h linux-2.6.34.fix/include/net/xfrm.h
--- linux-2.6.34/include/net/xfrm.h 2010-05-16 21:17:36.000000000 +0000
+++ linux-2.6.34.fix/include/net/xfrm.h 2010-07-02 10:05:33.000000000 +0000
@@ -1587,7 +1587,7 @@
static inline int xfrm_mark_get(struct nlattr **attrs, struct xfrm_mark *m)
{
if (attrs[XFRMA_MARK])
- memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(m));
+ memcpy(m, nla_data(attrs[XFRMA_MARK]), sizeof(*m));
else
m->v = m->m = 0;
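Review bot: With `sizeof(*m)` the memcpy in xfrm_mark_get now copies a full `struct xfrm_mark` out of the netlink attribute, so it depends on the `XFRMA_MARK` payload being at least that long, and nothing in the hunk checks the attribute length. That is presumably enforced by the netlink attribute policy before this helper is called, which should be confirmed. A comment such as `/* XFRMA_MARK length is validated by the attribute policy */` would record the assumption. The function's return statement is outside the hunk.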
diff -Nur linux-2.6.34/net/ipv4/xfrm4_policy.c
linux-2.6.34.fix/net/ipv4/xfrm4_policy.c
--- linux-2.6.34/net/ipv4/xfrm4_policy.c 2010-05-16 21:17:36.000000000 +0000
+++ linux-2.6.34.fix/net/ipv4/xfrm4_policy.c 2010-07-02 10:17:51.000000000 +0000
@@ -186,6 +186,7 @@
fl->fl4_dst = reverse ? iph->saddr : iph->daddr;
fl->fl4_src = reverse ? iph->daddr : iph->saddr;
fl->fl4_tos = iph->tos;
+ fl->mark = skb->mark;
}
static inline int xfrm4_garbage_collect(struct dst_ops *ops)
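Review bot: The added `fl->mark = skb->mark;` covers only the IPv4 decode path; the description itself suspects IPv6 has the same problem, and this patch does not touch the IPv6 counterpart. If the IPv6 session decode clears the flow in the same way (not visible here), it needs the same one-line assignment, otherwise marked IPv6 traffic would still miss its policy. A short comment on the new line, e.g. `/* keep the skb mark: the policy lookup matches on it */`, would explain why it is set here. The enclosing function starts outside the hunk.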
* [PATCH 0/1] netfilter: netfilter fix
From: kaber @ 2010-07-02 11:40 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
the following patch for 2.6.35 fixes a dst leak in ip6t_REJECT when
dst->error is set, from Eric Dumazet.
Please apply or pull from:
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
Thanks!
* [PATCH] netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT
From: kaber @ 2010-07-02 11:42 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Eric Dumazet <eric.dumazet@gmail.com>
We should release dst if dst->error is set.
Bug introduced in 2.6.14 by commit e104411b82f5c
([XFRM]: Always release dst_entry on error in xfrm_lookup)
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/ipv6/netfilter/ip6t_REJECT.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 47d2277..2933396 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -97,9 +97,11 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
fl.fl_ip_dport = otcph.source;
security_skb_classify_flow(oldskb, &fl);
dst = ip6_route_output(net, NULL, &fl);
- if (dst == NULL)
+ if (dst == NULL || dst->error) {
+ dst_release(dst);
return;
- if (dst->error || xfrm_lookup(net, &dst, &fl, NULL, 0))
+ }
+ if (xfrm_lookup(net, &dst, &fl, NULL, 0))
return;
hh_len = (dst->dev->hard_header_len + 15)&~15;
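Review bot: In send_reset the new error branch calls `dst_release(dst)` for the `dst == NULL` case too, and the following `if (xfrm_lookup(...)) return;` returns without a release; both are correct only because of conventions that are not visible at the call site. dst_release() ignores a NULL pointer, and per the commit cited in the description xfrm_lookup() releases the dst on error. I would add `/* dst_release() accepts NULL */` on the first branch and `/* xfrm_lookup() has released dst on failure */` on the second return. send_reset starts and ends outside the hunk.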
--
1.7.0.4
* Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
From: Jan Engelhardt @ 2010-07-02 12:17 UTC (permalink / raw)
To: Patrick McHardy; +Cc: davem, netfilter-devel, netdev
In-Reply-To: <4C2DBCD3.20208@trash.net>
On Friday 2010-07-02 12:17, Patrick McHardy wrote:
>>
>> I still have not grasped why SNAT is needed in the INPUT path. For the
>> tunnel scenario that you wanted to build I could not find a reason to
>> do SNAT in that place - since the non-encapsulated packets don't go
>> through INPUT anyway.
>
> Sure they do, if they are destined for the host itself. I'm not sure
> what's so hard to understand about this patch, you have f.i. multiple
> tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
> them to seperate networks based on criteria like the network device or
> the IPsec tunnel to be able to distinguish them.
But they are already distinguishable by the ctmark that is applied
to these connections to do routing of the reply, are they not?