* Re: Yet another bridge netfilter crash
From: Patrick McHardy @ 2010-07-23 14:18 UTC (permalink / raw)
To: Herbert Xu; +Cc: Stephen Hemminger, netdev
In-Reply-To: <20100723134208.GA6655@gondor.apana.org.au>
On 23.07.2010 15:42, Herbert Xu wrote:
> Hi:
>
> I was cced on the following bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=617268
>
> From what I've seen in the crash dump, this would appear to be
> yet another manifestation of the evil relationship between the
> bridge and IPv4 through netfilter.
>
> In particular, bridge netfilter invokes IPv4's PRE_ROUTING rules,
> one of which assembles packets for connection tracking.
>
> Unfortunately, the same cache is used for reassembling bridge
> packets and non-bridge packets.
>
> Now we already knew about this and its potential security effects.
> However, what we didn't know is that this can also cause a packet
> to appear in the bridge pre_routing code with nf_bridge set to
> NULL when it must not be NULL.
>
> This happens if the non-bridge fragment appeared first.
>
> So now is the time to fix this properly by giving the bridge its
> own separate conntrack namespace/zone.
I think we've already fixed this by commit 8fa9ff6:
commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497
Author: Patrick McHardy <kaber@trash.net>
Date: Tue Dec 15 16:59:59 2009 +0100
netfilter: fix crashes in bridge netfilter caused by fragment jumps
When fragments from bridge netfilter are passed to IPv4 or IPv6 conntrack
and a reassembly queue with the same fragment key already exists from
reassembling a similar packet received on a different device (f.i. with
multicasted fragments), the reassembled packet might continue on a different
codepath than where the head fragment originated. This can cause crashes
in bridge netfilter when a fragment received on a non-bridge device (and
thus with skb->nf_bridge == NULL) continues through the bridge netfilter
code.
Add a new reassembly identifier for packets originating from bridge
netfilter and use it to put those packets in isolated queues.
Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14805
Reported-and-Tested-by: Chong Qiao <qiaochong@loongson.cn>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/net/ip.h b/include/net/ip.h
index e6b9d12..85108cf 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -337,6 +337,7 @@ enum ip_defrag_users {
IP_DEFRAG_CALL_RA_CHAIN,
IP_DEFRAG_CONNTRACK_IN,
IP_DEFRAG_CONNTRACK_OUT,
+ IP_DEFRAG_CONNTRACK_BRIDGE_IN,
IP_DEFRAG_VS_IN,
IP_DEFRAG_VS_OUT,
IP_DEFRAG_VS_FWD
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index d691603..ccab594 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -354,6 +354,7 @@ enum ip6_defrag_users {
IP6_DEFRAG_LOCAL_DELIVER,
IP6_DEFRAG_CONNTRACK_IN,
IP6_DEFRAG_CONNTRACK_OUT,
+ IP6_DEFRAG_CONNTRACK_BRIDGE_IN,
};
struct ip6_create_arg {
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index fa2d6b6..331ead3 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -14,6 +14,7 @@
#include <net/route.h>
#include <net/ip.h>
+#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv4.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
@@ -34,6 +35,20 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
return err;
}
+static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
+ struct sk_buff *skb)
+{
+#ifdef CONFIG_BRIDGE_NETFILTER
+ if (skb->nf_bridge &&
+ skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+ return IP_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
+ if (hooknum == NF_INET_PRE_ROUTING)
+ return IP_DEFRAG_CONNTRACK_IN;
+ else
+ return IP_DEFRAG_CONNTRACK_OUT;
+}
+
static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
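Review bot: nf_ct_defrag_user() returns the single value IP_DEFRAG_CONNTRACK_BRIDGE_IN for every bridge, so fragments with the same key that arrive on two different bridges still share one reassembly queue; the isolation added here is bridge versus non-bridge only. If that is the intended scope, say so in a comment above the function. It would also help to parenthesise the test as (skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING) so the && / & precedence is explicit.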
@@ -50,10 +65,8 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
#endif
/* Gather fragments. */
if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
- if (nf_ct_ipv4_gather_frags(skb,
- hooknum == NF_INET_PRE_ROUTING ?
- IP_DEFRAG_CONNTRACK_IN :
- IP_DEFRAG_CONNTRACK_OUT))
+ enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
+ if (nf_ct_ipv4_gather_frags(skb, user))
return NF_STOLEN;
}
return NF_ACCEPT;
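Review bot: In ipv4_conntrack_defrag() the new declaration "enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);" runs straight into the if statement; kernel style wants a blank line between declarations and code. The local could also be dropped by passing nf_ct_defrag_user(hooknum, skb) directly to nf_ct_ipv4_gather_frags().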
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c0a82fe..0956eba 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -20,6 +20,7 @@
#include <net/ipv6.h>
#include <net/inet_frag.h>
+#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv6.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_helper.h>
@@ -190,6 +191,11 @@ out:
static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
struct sk_buff *skb)
{
+#ifdef CONFIG_BRIDGE_NETFILTER
+ if (skb->nf_bridge &&
+ skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+ return IP6_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
if (hooknum == NF_INET_PRE_ROUTING)
return IP6_DEFRAG_CONNTRACK_IN;
else
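Review bot: The CONFIG_BRIDGE_NETFILTER test added at the top of nf_ct6_defrag_user() is a verbatim copy of the one in nf_ct_defrag_user() in nf_defrag_ipv4.c, differing only in the constant returned. A small inline helper in the header both files now include, returning whether the skb is in bridge prerouting, would keep the two copies from drifting apart.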
^ permalink raw reply related
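The queue sharing described in this message and its commit log, as an added userspace model (not kernel code and not part of the original mail). It assumes two-fragment datagrams, that the reassembled packet keeps the metadata of the fragment that opened the queue, and that it continues on the path of the fragment that completed it; all names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel's defrag users (constructed model). */
enum defrag_user { USER_CONNTRACK_IN, USER_CONNTRACK_BRIDGE_IN };

struct frag {
    uint32_t saddr, daddr;
    uint16_t id;
    uint8_t proto;
    bool last;       /* final fragment of the datagram */
    bool nf_bridge;  /* models skb->nf_bridge != NULL */
};

struct queue {
    bool used, have_first, have_last, head_nf_bridge;
    struct frag key;          /* addresses, id and protocol of the datagram */
    enum defrag_user user;    /* part of the lookup key, as in the patch */
};

#define NQUEUES 8
struct table { struct queue q[NQUEUES]; };

struct outcome { bool reassembled, nf_bridge, on_bridge_path; };

/* Before the fix every PRE_ROUTING fragment used one user value. */
static enum defrag_user select_user(const struct frag *f, bool patched)
{
    if (patched && f->nf_bridge)
        return USER_CONNTRACK_BRIDGE_IN;
    return USER_CONNTRACK_IN;
}

static struct queue *find_or_create(struct table *t, const struct frag *f,
                                    enum defrag_user user)
{
    struct queue *slot = NULL;

    for (int i = 0; i < NQUEUES; i++) {
        struct queue *q = &t->q[i];

        if (q->used && q->user == user && q->key.saddr == f->saddr &&
            q->key.daddr == f->daddr && q->key.id == f->id &&
            q->key.proto == f->proto)
            return q;
        if (!q->used && !slot)
            slot = q;
    }
    if (slot) {
        memset(slot, 0, sizeof(*slot));
        slot->used = true;
        slot->key = *f;
        slot->user = user;
        slot->head_nf_bridge = f->nf_bridge;  /* metadata of first arrival */
    }
    return slot;
}

static struct outcome submit(struct table *t, const struct frag *f, bool patched)
{
    struct outcome out = { false, false, false };
    struct queue *q = find_or_create(t, f, select_user(f, patched));

    if (!q)
        return out;
    if (f->last)
        q->have_last = true;
    else
        q->have_first = true;
    if (q->have_first && q->have_last) {
        out.reassembled = true;
        out.nf_bridge = q->head_nf_bridge;
        out.on_bridge_path = f->nf_bridge;  /* path of the completing fragment */
        q->used = false;
    }
    return out;
}

/* Returns how many reassembled packets reach bridge code without nf_bridge. */
static int run_scenario(bool patched, int *reassembled)
{
    /* Constructed input: one multicast datagram seen on eth0 and on a bridge port. */
    const struct frag seq[] = {
        { 0x0a000001, 0xe0000001, 42, 17, false, false }, /* eth0, first half  */
        { 0x0a000001, 0xe0000001, 42, 17, true,  true  }, /* br0,  second half */
        { 0x0a000001, 0xe0000001, 42, 17, true,  false }, /* eth0, second half */
        { 0x0a000001, 0xe0000001, 42, 17, false, true  }, /* br0,  first half  */
    };
    struct table t;
    int hazards = 0;

    memset(&t, 0, sizeof(t));
    *reassembled = 0;
    for (size_t i = 0; i < sizeof(seq) / sizeof(seq[0]); i++) {
        struct outcome o = submit(&t, &seq[i], patched);

        *reassembled += o.reassembled;
        if (o.reassembled && o.on_bridge_path && !o.nf_bridge)
            hazards++;
    }
    return hazards;
}

int main(void)
{
    int n;

    printf("shared queue:   hazards=%d\n", run_scenario(false, &n));
    printf("separate user:  hazards=%d\n", run_scenario(true, &n));
    return 0;
}
```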
* Re: [PATCH] ip6tables: use skb->len for accounting
From: Patrick McHardy @ 2010-07-23 14:21 UTC (permalink / raw)
To: Changli Gao
Cc: Jan Engelhardt, David S. Miller, Alexey Kuznetsov,
Pekka Savola (ipv6), James Morris, Hideaki YOSHIFUJI,
netfilter-devel, netdev
In-Reply-To: <AANLkTi=PAVfcX4ttUsSgm+A_WMYcfXt4FLvYunccgtjS@mail.gmail.com>
On 23.07.2010 15:05, Changli Gao wrote:
> On Fri, Jul 23, 2010 at 7:48 PM, Patrick McHardy <kaber@trash.net> wrote:
>> On 23.07.2010 08:38, Changli Gao wrote:
>>>
>>> For the packets received, ip_rcv, ipv6_rcv and bridge all call
>>> pskb_trim_rcsum before feeding them to netfilter. The raw packets are
>>> sent via dev_queue_xmit(), and they don't pass through the output path
>>> of netfilter.
>>
>> That's not true, raw packets also pass through netfilter. However
>> I agree that this patch makes sense to properly deal with jumbo
>> frames, but you should also update xt_length for consistency.
>>
>
> In order to support jumbo frames, we have to change the type of min
> and max in xt_length_info to u32.
I see. In that case I'll apply your skb->len patches as they are,
so please make the xt_length change in a new patch.
> I'll change xt_match.revision to 1,
> do I need to support the current revision 0 at the same time?
You should simply keep the revision 0 code as it is. Revision 1,
using skb->len, can be used for both IPv4 and IPv6.
^ permalink raw reply
* Re: 2.6.35-rc6: Reported regressions from 2.6.34
From: Larry Finger @ 2010-07-23 14:21 UTC (permalink / raw)
To: Rafael J. Wysocki
Cc: Linux SCSI List, Network Development, Linux Wireless List,
Linux Kernel Mailing List, DRI, Linux ACPI, Andrew Morton,
Kernel Testers List, Linus Torvalds, Linux PM List,
Maciej Rutecki
In-Reply-To: <Lupw7pePXBO.A.fZH.G2XSMB@chimera>
On 07/23/2010 06:42 AM, Rafael J. Wysocki wrote:
> This message contains a list of some regressions from 2.6.34,
> for which there are no fixes in the mainline known to the tracking team.
> If any of them have been fixed already, please let us know.
> Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=16312
> Subject : WARNING: at fs/fs-writeback.c:1127 __mark_inode_dirty
> Submitter : Zdenek Kabelac<zdenek.kabelac@gmail.com>
> Date : 2010-06-28 9:40 (26 days old)
> Message-ID :<AANLkTin24fr5O4_q5Xbo9Y_NKkEmtcp6Hgmr9_4qXaFz@mail.gmail.com>
> References : http://marc.info/?l=linux-kernel&m=127771804806465&w=2
I still have this in 2.6.35-rc5.
Larry
^ permalink raw reply
* Re: [PATCH] ip6tables: use skb->len for accounting
From: Patrick McHardy @ 2010-07-23 14:24 UTC (permalink / raw)
To: Changli Gao
Cc: David S. Miller, Alexey Kuznetsov, Pekka Savola (ipv6),
James Morris, Hideaki YOSHIFUJI, netfilter-devel, netdev
In-Reply-To: <1279855877-8945-1-git-send-email-xiaosuo@gmail.com>
On 23.07.2010 05:31, Changli Gao wrote:
> ip6tables: use skb->len for accounting
>
> ipv6_hdr(skb)->payload_len is ZERO and can't be used for accounting, if the
> payload is a Jumbo Payload specified in RFC2675.
Applied, thanks.
^ permalink raw reply
* Re: [PATCH] iptables: use skb->len for accounting
From: Patrick McHardy @ 2010-07-23 14:25 UTC (permalink / raw)
To: Changli Gao; +Cc: David S. Miller, netfilter-devel, netdev
In-Reply-To: <1279856088-9004-1-git-send-email-xiaosuo@gmail.com>
On 23.07.2010 05:34, Changli Gao wrote:
> iptables: use skb->len for accounting
>
> use skb->len for accounting as xt_quota does.
>
Applied, thanks.
^ permalink raw reply
* [RFC v2 0/1] netfilter: xtables: xt_condition inclusion with namespace fix
From: Luciano Coelho @ 2010-07-23 14:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev, kaber, jengelh, sameo
Hi,
This is a respin of the patch Jan sent to the list some time ago. I've made
the changes proposed by Patrick in order to support multiple namespaces
correctly.
I still need to reapply my condition target and the u32 changes to the
condition on top of this, but I'd like to get some comments before I continue.
In v2 I've made a few changes as discussed in the review:
* Removed per-netns module parameters
* Use par->net instead of current->nsproxy->net_ns
* Fix file-leak in procfs when exiting the netns
Please let me know how it looks after these changes.
Cheers,
Luca.
Luciano Coelho (1):
netfilter: xtables: inclusion of xt_condition
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_condition.h | 14 ++
net/netfilter/Kconfig | 8 +
net/netfilter/Makefile | 1 +
net/netfilter/xt_condition.c | 265 ++++++++++++++++++++++++++++++++
5 files changed, 289 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_condition.h
create mode 100644 net/netfilter/xt_condition.c
^ permalink raw reply
* [RFC v2 1/1] netfilter: xtables: inclusion of xt_condition
From: Luciano Coelho @ 2010-07-23 14:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: netdev, kaber, jengelh, sameo
In-Reply-To: <1279895320-12958-1-git-send-email-luciano.coelho@nokia.com>
xt_condition can be used by userspace to influence decisions in rules
by means of togglable variables without having to reload the entire
ruleset.
This is a respin of the module in Xtables-addons, with support for
multiple namespaces and other small improvements. Some of the changes
were made by Jan Engelhardt.
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
---
in v2:
o Removed per-netns module parameters
o Use par->net instead of current->nsproxy->net_ns
o Fix file-leak in procfs when exiting the netns
include/linux/netfilter/Kbuild | 1 +
include/linux/netfilter/xt_condition.h | 14 ++
net/netfilter/Kconfig | 8 +
net/netfilter/Makefile | 1 +
net/netfilter/xt_condition.c | 265 ++++++++++++++++++++++++++++++++
5 files changed, 289 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_condition.h
create mode 100644 net/netfilter/xt_condition.c
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index bb103f4..d873f67 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -20,6 +20,7 @@ header-y += xt_TCPOPTSTRIP.h
header-y += xt_TEE.h
header-y += xt_TPROXY.h
header-y += xt_comment.h
+header-y += xt_condition.h
header-y += xt_connbytes.h
header-y += xt_connlimit.h
header-y += xt_connmark.h
diff --git a/include/linux/netfilter/xt_condition.h b/include/linux/netfilter/xt_condition.h
new file mode 100644
index 0000000..4faf3ca
--- /dev/null
+++ b/include/linux/netfilter/xt_condition.h
@@ -0,0 +1,14 @@
+#ifndef _XT_CONDITION_H
+#define _XT_CONDITION_H
+
+#include <linux/types.h>
+
+struct xt_condition_mtinfo {
+ char name[31];
+ __u8 invert;
+
+ /* Used internally by the kernel */
+ void *condvar __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CONDITION_H */
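Review bot: struct xt_condition_mtinfo does not document the name limit: condition_mt_check() rejects any name whose last byte, name[30], is not NUL, so the usable length is 30 characters, not 31. A comment on the name field would save userspace from guessing. Since the header is exported through header-y, the comment on condvar could also state that it is a kernel pointer userspace must leave untouched.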
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index aa2f106..8c114b8 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -605,6 +605,14 @@ config NETFILTER_XT_MATCH_COMMENT
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+config NETFILTER_XT_MATCH_CONDITION
+ tristate '"condition" match support'
+ depends on NETFILTER_ADVANCED
+ depends on PROC_FS
+ ---help---
+ This option allows you to match firewall rules against condition
+ variables stored in the /proc/net/nf_condition directory.
+
config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index e28420a..474dd06 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -66,6 +66,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_IDLETIMER) += xt_IDLETIMER.o
# matches
obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_CONDITION) += xt_condition.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
diff --git a/net/netfilter/xt_condition.c b/net/netfilter/xt_condition.c
new file mode 100644
index 0000000..a78d832
--- /dev/null
+++ b/net/netfilter/xt_condition.c
@@ -0,0 +1,265 @@
+/*
+ * "condition" match extension for Xtables
+ *
+ * Description: This module allows firewall rules to match using
+ * condition variables available through procfs.
+ *
+ * Authors:
+ * Stephane Ouellette <ouellettes [at] videotron ca>, 2002-10-22
+ * Massimiliano Hofer <max [at] nucleus it>, 2006-05-15
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License; either version 2
+ * or 3 of the License, as published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/module.h>
+#include <linux/proc_fs.h>
+#include <linux/spinlock.h>
+#include <linux/string.h>
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_condition.h>
+#include <net/netns/generic.h>
+#include <asm/uaccess.h>
+
+/* Defaults, these can be overridden on the module command-line. */
+static unsigned int condition_list_perms = S_IRUGO | S_IWUSR;
+static unsigned int condition_uid_perms = 0;
+static unsigned int condition_gid_perms = 0;
+
+MODULE_AUTHOR("Stephane Ouellette <ouellettes@videotron.ca>");
+MODULE_AUTHOR("Massimiliano Hofer <max@nucleus.it>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Allows rules to match against condition variables");
+MODULE_LICENSE("GPL");
+module_param(condition_list_perms, uint, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(condition_list_perms, "default permissions on /proc/net/nf_condition/* files");
+module_param(condition_uid_perms, uint, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(condition_uid_perms, "default user owner of /proc/net/nf_condition/* files");
+module_param(condition_gid_perms, uint, S_IRUSR | S_IWUSR);
+MODULE_PARM_DESC(condition_gid_perms, "default group owner of /proc/net/nf_condition/* files");
+MODULE_ALIAS("ipt_condition");
+MODULE_ALIAS("ip6t_condition");
+
+struct condition_variable {
+ struct list_head list;
+ struct proc_dir_entry *status_proc;
+ unsigned int refcount;
+ bool enabled;
+};
+
+struct condition_net {
+ struct list_head list;
+ struct proc_dir_entry *proc_dir;
+};
+
+static int condition_net_id;
+static inline struct condition_net *condition_pernet(struct net *net)
+{
+ return net_generic(net, condition_net_id);
+}
+
+/* proc_lock is a user context only semaphore used for write access */
+/* to the conditions' list. */
+static DEFINE_MUTEX(proc_lock);
+
+static int condition_proc_read(char __user *buffer, char **start, off_t offset,
+ int length, int *eof, void *data)
+{
+ const struct condition_variable *var = data;
+
+ buffer[0] = var->enabled ? '1' : '0';
+ buffer[1] = '\n';
+ if (length >= 2)
+ *eof = true;
+ return 2;
+}
+
+static int condition_proc_write(struct file *file, const char __user *buffer,
+ unsigned long length, void *data)
+{
+ struct condition_variable *var = data;
+ char newval;
+
+ if (length > 0) {
+ if (get_user(newval, buffer) != 0)
+ return -EFAULT;
+ /* Match only on the first character */
+ switch (newval) {
+ case '0':
+ var->enabled = false;
+ break;
+ case '1':
+ var->enabled = true;
+ break;
+ }
+ }
+ return length;
+}
+
+static bool
+condition_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+ const struct xt_condition_mtinfo *info = par->matchinfo;
+ const struct condition_variable *var = info->condvar;
+
+ return var->enabled ^ info->invert;
+}
+
+static int condition_mt_check(const struct xt_mtchk_param *par)
+{
+ struct xt_condition_mtinfo *info = par->matchinfo;
+ struct condition_variable *var;
+ struct condition_net *cond_net = condition_pernet(par->net);
+
+ /* Forbid certain names */
+ if (*info->name == '\0' || *info->name == '.' ||
+ info->name[sizeof(info->name)-1] != '\0' ||
+ memchr(info->name, '/', sizeof(info->name)) != NULL) {
+ pr_info("name not allowed or too long: \"%.*s\"\n",
+ (unsigned int)sizeof(info->name), info->name);
+ return -EINVAL;
+ }
+
+ /*
+ * Let's acquire the lock, check for the condition and add it
+ * or increase the reference counter.
+ */
+ mutex_lock(&proc_lock);
+ list_for_each_entry(var, &cond_net->list, list) {
+ if (strcmp(info->name, var->status_proc->name) == 0) {
+ ++var->refcount;
+ mutex_unlock(&proc_lock);
+ info->condvar = var;
+ return 0;
+ }
+ }
+
+ /* At this point, we need to allocate a new condition variable. */
+ var = kmalloc(sizeof(struct condition_variable), GFP_KERNEL);
+ if (var == NULL) {
+ mutex_unlock(&proc_lock);
+ return -ENOMEM;
+ }
+
+ /* Create the condition variable's proc file entry. */
+ var->status_proc = create_proc_entry(info->name,
+ condition_list_perms,
+ cond_net->proc_dir);
+ if (var->status_proc == NULL) {
+ kfree(var);
+ mutex_unlock(&proc_lock);
+ return -ENOMEM;
+ }
+
+ var->refcount = 1;
+ var->enabled = false;
+ var->status_proc->data = var;
+ var->status_proc->read_proc = condition_proc_read;
+ var->status_proc->write_proc = condition_proc_write;
+ var->status_proc->uid = condition_uid_perms;
+ var->status_proc->gid = condition_gid_perms;
+ list_add(&var->list, &cond_net->list);
+ mutex_unlock(&proc_lock);
+ info->condvar = var;
+ return 0;
+}
+
+static void condition_mt_destroy(const struct xt_mtdtor_param *par)
+{
+ const struct xt_condition_mtinfo *info = par->matchinfo;
+ struct condition_variable *var = info->condvar;
+ struct condition_net *cond_net = condition_pernet(par->net);
+
+ mutex_lock(&proc_lock);
+ if (--var->refcount == 0) {
+ list_del(&var->list);
+ /* status_proc may be null in case of ns exit */
+ if (var->status_proc)
+ remove_proc_entry(var->status_proc->name,
+ cond_net->proc_dir);
+ mutex_unlock(&proc_lock);
+ kfree(var);
+ return;
+ }
+ mutex_unlock(&proc_lock);
+}
+
+static struct xt_match condition_mt_reg __read_mostly = {
+ .name = "condition",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .matchsize = sizeof(struct xt_condition_mtinfo),
+ .match = condition_mt,
+ .checkentry = condition_mt_check,
+ .destroy = condition_mt_destroy,
+ .me = THIS_MODULE,
+};
+
+static const char *const dir_name = "nf_condition";
+
+static int __net_init condnet_mt_init(struct net *net)
+{
+ struct condition_net *cond_net = condition_pernet(net);
+
+ INIT_LIST_HEAD(&cond_net->list);
+
+ cond_net->proc_dir = proc_mkdir(dir_name, net->proc_net);
+
+ return (cond_net->proc_dir == NULL) ? -EACCES : 0;
+}
+
+static void __net_exit condnet_mt_exit(struct net *net)
+{
+ struct condition_net *cond_net = condition_pernet(net);
+ struct condition_variable *var, *tmp;
+
+ mutex_lock(&proc_lock);
+ list_for_each_entry_safe(var, tmp, &cond_net->list, list) {
+ remove_proc_entry(var->status_proc->name,
+ cond_net->proc_dir);
+ /* set to null so we don't double remove in mt_destroy */
+ var->status_proc = NULL;
+ }
+
+ mutex_unlock(&proc_lock);
+
+ remove_proc_entry(dir_name, net->proc_net);
+}
+
+static struct pernet_operations condition_mt_netops = {
+ .init = condnet_mt_init,
+ .exit = condnet_mt_exit,
+ .id = &condition_net_id,
+ .size = sizeof(struct condition_net),
+};
+
+static int __init condition_mt_init(void)
+{
+ int ret;
+
+ mutex_init(&proc_lock);
+ ret = xt_register_match(&condition_mt_reg);
+ if (ret < 0)
+ return ret;
+
+ ret = register_pernet_subsys(&condition_mt_netops);
+ if (ret < 0) {
+ xt_unregister_match(&condition_mt_reg);
+ return ret;
+ }
+
+ return 0;
+}
+
+static void __exit condition_mt_exit(void)
+{
+ unregister_pernet_subsys(&condition_mt_netops);
+ xt_unregister_match(&condition_mt_reg);
+}
+
+module_init(condition_mt_init);
+module_exit(condition_mt_exit);
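Review bot: condition_proc_read() declares buffer as "char __user *" but writes buffer[0] and buffer[1] with plain stores, and does so before looking at length or offset. Either the __user annotation is wrong and should be dropped (sparse will flag it), or the stores need put_user(); in both cases check that length >= 2 before writing. Separately, proc_lock is defined with DEFINE_MUTEX, so the mutex_init(&proc_lock) in condition_mt_init() is redundant, and condition_list_perms is handed to create_proc_entry() unmasked, so masking it with S_IRWXUGO would be safer for a runtime-writable module parameter.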
--
1.7.0.4
^ permalink raw reply related
* Re: CONNMARK getsockopt/setsockopt functionality
From: Daniel Wagner @ 2010-07-23 14:50 UTC (permalink / raw)
To: netdev
In-Reply-To: <20100721072006.GA17965@pc0043.bmw-carit.intra>
Hi,
> There used to be a way to mark packets in userspace by invoking the
> setsockopt with SO_CONNMARK as it was proposed by Krisztian [1].
> This code was superseded by Jan's work [2]. Now I wonder how I get
> the same result out of the new code. Something with conditions?
Silly me, the above statement is completely wrong. I was looking for
SO_MARK which is obviously still there. Sorry for the noise.
thanks,
daniel
^ permalink raw reply
* Re: [PATCH V3] Export SMBIOS provided firmware instance and label to sysfs
From: Matt Domsch @ 2010-07-23 14:58 UTC (permalink / raw)
To: Greg KH
Cc: Narendra K, netdev, linux-hotplug, linux-pci, charles_rose,
jordan_hargrave, vijay_nijhawan
In-Reply-To: <20100723135557.GA3624@kroah.com>
On Fri, Jul 23, 2010 at 06:55:57AM -0700, Greg KH wrote:
> On Fri, Jul 23, 2010 at 08:34:56AM -0500, Narendra K wrote:
> > --- a/Documentation/ABI/testing/sysfs-bus-pci
> > +++ b/Documentation/ABI/testing/sysfs-bus-pci
> > @@ -179,3 +179,30 @@ Contact: linux-pci@vger.kernel.org
> > Description:
> > This symbolic link points to the PCI hotplug controller driver
> > module that manages the hotplug slot.
> > +
> > +What: /sys/bus/pci/devices/.../label
> > +Date: July 2010
> > +Contact: linux-bugs@dell.com
>
> that's not your email address. Please don't hide behind some random
> address, Linux is about contacting developers directly wherever
> possible.
That's actually the public email address for the whole Linux
engineering team (including engineers and managers) at Dell, of which
Narendra is a part. It's the address we publish for people to include
on the cc: list of bugzilla issues on the kernel.org, Novell, and Red
Hat bugzillas. This ensures someone on the team will see bug reports
or patches and act accordingly, likely Narendra, but could be anyone
in the future once Narendra is promoted or changes responsibilities
(or even employers).
-Matt
--
Matt Domsch
Technology Strategist
Dell | Office of the CTO
^ permalink raw reply
* Re: Yet another bridge netfilter crash
From: Herbert Xu @ 2010-07-23 15:00 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Stephen Hemminger, netdev
In-Reply-To: <4C49A4C6.4070503@trash.net>
On Fri, Jul 23, 2010 at 04:18:46PM +0200, Patrick McHardy wrote:
>
> I think we've already fixed this by commit 8fa9ff6:
>
> commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497
> Author: Patrick McHardy <kaber@trash.net>
> Date: Tue Dec 15 16:59:59 2009 +0100
>
> netfilter: fix crashes in bridge netfilter caused by fragment jumps
Thanks for the pointer Patrick.
Your memory is much better than mine, as I was in that thread too :)
BTW, do you have any plans on addressing the deeper issue of
separating the connection tracking as well?
There's also the matter of fragments jumping between bridges.
Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply
* Re: IPv6 Anycast?
From: Stuart Sheldon @ 2010-07-23 15:12 UTC (permalink / raw)
To: Mikael Abrahamsson; +Cc: netdev, Stuart Sheldon
In-Reply-To: <alpine.DEB.1.10.1007230748380.9875@uplift.swm.pp.se>
Mikael,
Thanks for stepping up and helping me with this... I am aware of the
method of using the loopback adapter. This method is suggested when
doing things like DNS in an Anycast setup, and also works well with IPv4.
Here is a more detailed explanation of what I'm trying to make work...
If this is better addressed by another kernel group, please let me know,
as I'm unsure where this should be directed.
Currently, when you enable IPv6 forwarding on Linux, Linux automatically
creates an Anycast address for each interface. Here is an example:
cat /proc/net/anycast6
<empty_file>
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
cat /proc/net/anycast6
1 lo 00000000000000000000000000000001 1
2 eth0 2607ff38000000000000000000000000 1
2 eth0 fe800000000000000000000000000000 1
3 eth1 fe800000000000000000000000000000 1
3 eth1 2607ff38000000010000000000000000 1
4 eth2 fe800000000000000000000000000000 1
5 eth3 2607ff38000000020000000000000000 1
5 eth3 fe800000000000000000000000000000 1
6 eth4 fe800000000000000000000000000000 1
If you ping one of these auto configured Anycast addresses, let's say
eth0's 2607:ff38:: from another host on the eth0 network, you will get a
reply from the Linux route box. This allows you to set the default route
of that host to the Anycast address 2607:ff38:: and if you have multiple
routers on that LAN, it will add the one that responds first to its
neighbor table. This way if one goes down, the host will automatically
swing over to another router (once the neighbor cache expires)...
Anycast addresses are addresses that are never used as a source address,
and are exempt from duplicate address detection (as per RFC 3513).
It would appear that the Linux kernel is automatically implementing the
reserved Anycast address referenced in RFC 2526. This would be cool,
except for a few things. What if you don't want the router to act as an
Anycast router on a particular network? How do you remove an Anycast
address? And, what if you want to use another address that isn't the
reserved address as your Anycast router address? How do you add / change
an Anycast address? The RFC regarding Anycast addresses is very clear
that it can be ANY unicast address.
What I'm looking for is an answer to how I can add/remove/change these
Anycast addresses.
Again, if I'm asking the wrong list, please point me in the right direction.
Thanks again!
Stu Sheldon
ACT USA
Mikael Abrahamsson wrote:
> On Thu, 22 Jul 2010, Stuart Sheldon wrote:
>
>> Yea, I'm sure...
>>
>> We use Linux for routers as well as servers and workstations. Since I
>> sent this I've discovered that by default, when a Linux system has IPv6
>> forwarding turned on, it adds the <network>::/64 anycast router
>> addresses on all the interfaces (as per rfc 2526).
>>
>> What I'm actually looking to do is (change / add) other addresses to the
>> anycast6 list to work in an existing configuration that does not use the
>> rfc 2526 anycast router address.
>>
>> Is there a command line method of setting up these anycast addresses?
>
> In routers, this is done by adding the IP address to a loopback
> interface and announcing the address using a routing protocol, I don't
> see why this can't be done on a linux box?
>
- --
And you run and you run to catch up with the sun, but its sinking
And racing around to come up behind you again
The sun is the same in the relative way, but youre older
Shorter of breath and one day closer to death
-- Pink Floyd - "Time Lyrics"
^ permalink raw reply
* Re: Yet another bridge netfilter crash
From: Patrick McHardy @ 2010-07-23 15:17 UTC (permalink / raw)
To: Herbert Xu; +Cc: Stephen Hemminger, netdev
In-Reply-To: <20100723150041.GA7301@gondor.apana.org.au>
On 23.07.2010 17:00, Herbert Xu wrote:
> On Fri, Jul 23, 2010 at 04:18:46PM +0200, Patrick McHardy wrote:
>>
>> I think we've already fixed this by commit 8fa9ff6:
>>
>
>> commit 8fa9ff6849bb86c59cc2ea9faadf3cb2d5223497
>> Author: Patrick McHardy <kaber@trash.net>
>> Date: Tue Dec 15 16:59:59 2009 +0100
>>
>> netfilter: fix crashes in bridge netfilter caused by fragment jumps
>
> Thanks for the pointer Patrick.
>
> Your memory is much better than mine, as I was in that thread too :)
>
> BTW, do you have any plans on addressing the deeper issue of
> separating the connection tracking as well?
No concrete plans yet, but it's something I'm definitely planning
to try at some point.
> There's also the matter of fragments jumping between bridges.
Conntrack zones can be used to avoid that, but that currently needs
manual configuration.
^ permalink raw reply
* [PATCH nf-next-2.6] netfilter: {ip,ip6,arp}_tables: dont block bottom half more than necessary
From: Eric Dumazet @ 2010-07-23 15:23 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, netdev
We currently disable BH for the whole duration of get_counters().
On machines with a lot of cpus and large tables, this might be too long.
We can disable preemption during the whole function, and disable BH only
while fetching counters for the current cpu.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv4/netfilter/arp_tables.c | 10 ++++++----
net/ipv4/netfilter/ip_tables.c | 10 ++++++----
net/ipv6/netfilter/ip6_tables.c | 10 ++++++----
3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index c868dd5..6bccba3 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -710,7 +710,7 @@ static void get_counters(const struct xt_table_info *t,
struct arpt_entry *iter;
unsigned int cpu;
unsigned int i;
- unsigned int curcpu;
+ unsigned int curcpu = get_cpu();
/* Instead of clearing (by a previous call to memset())
* the counters and using adds, we set the counters
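Review bot: "unsigned int curcpu = get_cpu();" hides a preempt-disable inside a declaration initializer, far from the matching put_cpu() at the end of get_counters(). Declaring curcpu plainly and calling get_cpu() as the first statement would make the extent of the non-preemptible section easier to see. The same applies to the ip_tables.c and ip6_tables.c copies of this change.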
@@ -720,14 +720,16 @@ static void get_counters(const struct xt_table_info *t,
* if new softirq were to run and call ipt_do_table
*/
local_bh_disable();
- curcpu = smp_processor_id();
-
i = 0;
xt_entry_foreach(iter, t->entries[curcpu], t->size) {
SET_COUNTER(counters[i], iter->counters.bcnt,
iter->counters.pcnt);
++i;
}
+ local_bh_enable();
+ /* Processing counters from other cpus, we can let bottom half enabled,
+ * (preemption is disabled)
+ */
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
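Review bot: The comment added before for_each_possible_cpu() says bottom halves may stay enabled but not why, while the existing comment just above still explains the counter-setting trick in terms of BH being disabled. If the reason is that the loop only touches other cpus' entries under their per-cpu lock (the xt_info_wrunlock(cpu) further down), state that here, and reword to "we can leave bottom halves enabled". The same comment is repeated in ip_tables.c and ip6_tables.c.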
@@ -741,7 +743,7 @@ static void get_counters(const struct xt_table_info *t,
}
xt_info_wrunlock(cpu);
}
- local_bh_enable();
+ put_cpu();
}
static struct xt_counters *alloc_counters(const struct xt_table *table)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3c584a6..c439721 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -884,7 +884,7 @@ get_counters(const struct xt_table_info *t,
struct ipt_entry *iter;
unsigned int cpu;
unsigned int i;
- unsigned int curcpu;
+ unsigned int curcpu = get_cpu();
/* Instead of clearing (by a previous call to memset())
* the counters and using adds, we set the counters
@@ -894,14 +894,16 @@ get_counters(const struct xt_table_info *t,
* if new softirq were to run and call ipt_do_table
*/
local_bh_disable();
- curcpu = smp_processor_id();
-
i = 0;
xt_entry_foreach(iter, t->entries[curcpu], t->size) {
SET_COUNTER(counters[i], iter->counters.bcnt,
iter->counters.pcnt);
++i;
}
+ local_bh_enable();
+ /* Processing counters from other cpus, we can let bottom half enabled,
+ * (preemption is disabled)
+ */
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
@@ -915,7 +917,7 @@ get_counters(const struct xt_table_info *t,
}
xt_info_wrunlock(cpu);
}
- local_bh_enable();
+ put_cpu();
}
static struct xt_counters *alloc_counters(const struct xt_table *table)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 33113c1..5359ef4 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -897,7 +897,7 @@ get_counters(const struct xt_table_info *t,
struct ip6t_entry *iter;
unsigned int cpu;
unsigned int i;
- unsigned int curcpu;
+ unsigned int curcpu = get_cpu();
/* Instead of clearing (by a previous call to memset())
* the counters and using adds, we set the counters
@@ -907,14 +907,16 @@ get_counters(const struct xt_table_info *t,
* if new softirq were to run and call ipt_do_table
*/
local_bh_disable();
- curcpu = smp_processor_id();
-
i = 0;
xt_entry_foreach(iter, t->entries[curcpu], t->size) {
SET_COUNTER(counters[i], iter->counters.bcnt,
iter->counters.pcnt);
++i;
}
+ local_bh_enable();
+ /* Processing counters from other cpus, we can let bottom half enabled,
+ * (preemption is disabled)
+ */
for_each_possible_cpu(cpu) {
if (cpu == curcpu)
@@ -928,7 +930,7 @@ get_counters(const struct xt_table_info *t,
}
xt_info_wrunlock(cpu);
}
- local_bh_enable();
+ put_cpu();
}
static struct xt_counters *alloc_counters(const struct xt_table *table)
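Review bot: the `put_cpu()` replacement here is the third verbatim copy of the same three-hunk change (arp_tables.c, ip_tables.c, ip6_tables.c), and it closes a section whose BH rules now differ between the `curcpu` walk and the remote-CPU loop. Any follow-up to that locking has to be applied three times in lockstep; please note that in the changelog, or consider factoring the common get_counters() sequence so the BH and preemption handling lives in one place.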
* Re: Yet another bridge netfilter crash
From: Herbert Xu @ 2010-07-23 15:26 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Stephen Hemminger, netdev
In-Reply-To: <4C49B296.10009@trash.net>
On Fri, Jul 23, 2010 at 05:17:42PM +0200, Patrick McHardy wrote:
>
> No concrete plans yet, but it's something I'm definitely planning
> to try at some point.

Great!

> > There's also the matter of fragments jumping between bridges.
>
> Conntrack zones can be used to avoid that, but that currently needs
> manual configuration.

I think this is something that we need to fix. Because as it
stands, it can still crash if you get the wrong nf_bridge.

The reason is that skb->dev does not hold a ref count. So the
reassembly code just throws it away and always uses the dev of
the last fragment.

This breaks when two bridges combine to reassemble a single
packet, as the nf_bridge attribute of the reassembled packet
may come from an skb whose device is now dead. This is then
used to fill in the skb->dev (via nf_bridge->physindev).

Cheers,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Re: [PATCH 6/6] pcmcia: remove cs_types.h
From: Marcel Holtmann @ 2010-07-23 15:28 UTC (permalink / raw)
To: Dominik Brodowski
Cc: linux-pcmcia, netdev, linux-wireless, linux-ide, linux-usb,
laforge, linux-mtd, linux-bluetooth, alsa-devel, linux-serial
In-Reply-To: <1279874305-21191-6-git-send-email-linux@dominikbrodowski.net>
Hi Dominik,
> Remove cs_types.h which is no longer needed: Most definitions aren't
> used at all, a few can be made away with, and two remaining definitions
> (typedefs, unfortunately) may be moved to more specific places.
>
> CC: netdev@vger.kernel.org
> CC: linux-wireless@vger.kernel.org
> CC: linux-ide@vger.kernel.org
> CC: linux-usb@vger.kernel.org
> CC: laforge@gnumonks.org
> CC: linux-mtd@lists.infradead.org
> CC: linux-bluetooth@vger.kernel.org
> CC: alsa-devel@alsa-project.org
> CC: linux-serial@vger.kernel.org
> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
> ---
> Documentation/pcmcia/driver-changes.txt | 5 +++
> drivers/ata/pata_pcmcia.c | 1 -
> drivers/bluetooth/bluecard_cs.c | 1 -
> drivers/bluetooth/bt3c_cs.c | 1 -
> drivers/bluetooth/btuart_cs.c | 1 -
> drivers/bluetooth/dtl1_cs.c | 1 -
> drivers/char/pcmcia/cm4000_cs.c | 1 -
> drivers/char/pcmcia/cm4040_cs.c | 1 -
> drivers/char/pcmcia/ipwireless/main.h | 1 -
> drivers/char/pcmcia/ipwireless/tty.h | 1 -
> drivers/char/pcmcia/synclink_cs.c | 1 -
> drivers/ide/ide-cs.c | 1 -
> drivers/isdn/hardware/avm/avm_cs.c | 1 -
> drivers/isdn/hisax/avma1_cs.c | 1 -
> drivers/isdn/hisax/elsa_cs.c | 1 -
> drivers/isdn/hisax/sedlbauer_cs.c | 1 -
> drivers/isdn/hisax/teles_cs.c | 1 -
> drivers/mmc/host/sdricoh_cs.c | 1 -
> drivers/mtd/maps/pcmciamtd.c | 1 -
> drivers/net/pcmcia/3c574_cs.c | 1 -
> drivers/net/pcmcia/3c589_cs.c | 1 -
> drivers/net/pcmcia/axnet_cs.c | 1 -
> drivers/net/pcmcia/com20020_cs.c | 1 -
> drivers/net/pcmcia/fmvj18x_cs.c | 1 -
> drivers/net/pcmcia/ibmtr_cs.c | 1 -
> drivers/net/pcmcia/nmclan_cs.c | 1 -
> drivers/net/pcmcia/pcnet_cs.c | 5 +--
> drivers/net/pcmcia/smc91c92_cs.c | 1 -
> drivers/net/pcmcia/xirc2ps_cs.c | 1 -
> drivers/net/wireless/airo_cs.c | 1 -
> drivers/net/wireless/atmel_cs.c | 1 -
> drivers/net/wireless/b43/pcmcia.c | 1 -
> drivers/net/wireless/hostap/hostap_cs.c | 3 +-
> drivers/net/wireless/libertas/if_cs.c | 1 -
> drivers/net/wireless/orinoco/orinoco_cs.c | 1 -
> drivers/net/wireless/orinoco/spectrum_cs.c | 1 -
> drivers/net/wireless/ray_cs.c | 1 -
> drivers/net/wireless/wl3501_cs.c | 10 +-----
> drivers/parport/parport_cs.c | 1 -
> drivers/pcmcia/au1000_generic.h | 1 -
> drivers/pcmcia/au1000_pb1x00.c | 2 -
> drivers/pcmcia/cistpl.c | 1 -
> drivers/pcmcia/cs.c | 1 -
> drivers/pcmcia/db1xxx_ss.c | 1 -
> drivers/pcmcia/ds.c | 1 -
> drivers/pcmcia/i82092.c | 1 -
> drivers/pcmcia/i82365.c | 1 -
> drivers/pcmcia/m32r_cfc.c | 1 -
> drivers/pcmcia/m32r_pcc.c | 1 -
> drivers/pcmcia/m8xx_pcmcia.c | 1 -
> drivers/pcmcia/pcmcia_cis.c | 1 -
> drivers/pcmcia/pcmcia_resource.c | 1 -
> drivers/pcmcia/pd6729.c | 1 -
> drivers/pcmcia/pxa2xx_base.c | 1 -
> drivers/pcmcia/rsrc_iodyn.c | 1 -
> drivers/pcmcia/rsrc_mgr.c | 1 -
> drivers/pcmcia/rsrc_nonstatic.c | 1 -
> drivers/pcmcia/sa1100_generic.c | 1 -
> drivers/pcmcia/soc_common.h | 1 -
> drivers/pcmcia/socket_sysfs.c | 1 -
> drivers/pcmcia/tcic.c | 1 -
> drivers/pcmcia/xxs1500_ss.c | 1 -
> drivers/pcmcia/yenta_socket.c | 1 -
> drivers/scsi/pcmcia/aha152x_stub.c | 1 -
> drivers/scsi/pcmcia/fdomain_stub.c | 1 -
> drivers/scsi/pcmcia/nsp_cs.c | 1 -
> drivers/scsi/pcmcia/qlogic_stub.c | 1 -
> drivers/scsi/pcmcia/sym53c500_cs.c | 1 -
> drivers/serial/serial_cs.c | 1 -
> drivers/ssb/main.c | 1 -
> drivers/ssb/pcmcia.c | 1 -
> drivers/ssb/scan.c | 1 -
> drivers/staging/comedi/drivers/cb_das16_cs.c | 1 -
> drivers/staging/comedi/drivers/das08_cs.c | 1 -
> drivers/staging/comedi/drivers/ni_daq_700.c | 1 -
> drivers/staging/comedi/drivers/ni_daq_dio24.c | 1 -
> drivers/staging/comedi/drivers/ni_labpc_cs.c | 1 -
> drivers/staging/comedi/drivers/ni_mio_cs.c | 1 -
> drivers/staging/comedi/drivers/quatech_daqp_cs.c | 1 -
> drivers/staging/wlags49_h2/wl_cs.c | 1 -
> drivers/staging/wlags49_h2/wl_internal.h | 1 -
> drivers/telephony/ixj_pcmcia.c | 1 -
> drivers/usb/host/sl811_cs.c | 5 +--
> include/pcmcia/cistpl.h | 2 +
> include/pcmcia/cs.h | 10 +-----
> include/pcmcia/cs_types.h | 40 ----------------------
> include/pcmcia/ds.h | 3 +-
> include/pcmcia/ss.h | 1 -
> sound/pcmcia/pdaudiocf/pdaudiocf.h | 1 -
> sound/pcmcia/vx/vxpocket.h | 1 -
> 90 files changed, 14 insertions(+), 151 deletions(-)
> delete mode 100644 include/pcmcia/cs_types.h
for drivers/bluetooth/
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Regards
Marcel
* Re: [PATCH] iproute2: use int instead of long for RTAX_HOPLIMIT compare
From: Stephen Hemminger @ 2010-07-23 16:01 UTC (permalink / raw)
To: Ulrich Weber; +Cc: netdev
In-Reply-To: <20100723133910.GC12942@babylon>
On Fri, 23 Jul 2010 15:39:10 +0200
Ulrich Weber <uweber@astaro.com> wrote:
> otherwise "if ((int)val == -1)" will never match on 64 bit systems
>
> Signed-off-by: Ulrich Weber <uweber@astaro.com>
> ---
> ip/iproute.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/ip/iproute.c b/ip/iproute.c
> index 04b253a..711576e 100644
> --- a/ip/iproute.c
> +++ b/ip/iproute.c
> @@ -494,7 +494,7 @@ int print_route(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
> val = *(unsigned*)RTA_DATA(mxrta[i]);
> switch (i) {
> case RTAX_HOPLIMIT:
> - if ((long)val == -1)
> + if ((int)val == -1)
> val = 0;
> /* fall through */
> default:
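Review bot: `(int)val == -1` fixes the 64-bit case, but at the top of the hunk the value is loaded as `*(unsigned*)RTA_DATA(mxrta[i])`, so the test still depends on converting an unsigned all-ones value to a signed type. Comparing in the unsigned domain, for example `if (val == ~0U)`, states the intent without a cast and gives the same result on 32-bit and 64-bit builds. A short comment saying what the all-ones hop limit means and why it is printed as 0 would also help.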
All applied
--
* Re: [iproute2] iproute2: Fix batch-mode for mrules.
From: Stephen Hemminger @ 2010-07-23 16:03 UTC (permalink / raw)
To: Ben Greear; +Cc: netdev
In-Reply-To: <1279234090-18624-1-git-send-email-greearb@candelatech.com>
On Thu, 15 Jul 2010 15:48:10 -0700
Ben Greear <greearb@candelatech.com> wrote:
> The do_multirule logic was broken in batch mode because
> it expected the preferred_family to be AF_INET or AF_INET6,
> but it then assigned it to RTNL_FAMILY_IPMR or RTNL_FAMILY_IP6MR.
> So, the next iteration of the batch processing, it failed
> the check for AF_INET or AF_INET6.
>
> Signed-off-by: Ben Greear <greearb@candelatech.com>
> ---
> :100644 100644 9c8c6ef... d3b97e2... M ip/iprule.c
> ip/iprule.c | 6 +++++-
> 1 files changed, 5 insertions(+), 1 deletions(-)
>
> diff --git a/ip/iprule.c b/ip/iprule.c
> index 9c8c6ef..d3b97e2 100644
> --- a/ip/iprule.c
> +++ b/ip/iprule.c
> @@ -446,8 +446,12 @@ int do_multirule(int argc, char **argv)
> case AF_INET6:
> preferred_family = RTNL_FAMILY_IP6MR;
> break;
> + case RTNL_FAMILY_IPMR:
> + case RTNL_FAMILY_IP6MR:
> + break;
> default:
> - fprintf(stderr, "Multicast rules are only supported for IPv4/IPv6\n");
> + fprintf(stderr, "Multicast rules are only supported for IPv4/IPv6, was: %i\n",
> + preferred_family);
> exit(-1);
> }
>
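Review bot: the new `case RTNL_FAMILY_IPMR:` / `case RTNL_FAMILY_IP6MR:` arms accept the value a previous call left behind, but do_multirule() still overwrites the global `preferred_family` (`preferred_family = RTNL_FAMILY_IP6MR;` in the context above) and never restores it. In batch mode a later command that expects `preferred_family` to be AF_INET or AF_INET6 would see the multicast-rule family instead. Suggest translating into a local variable and using that for the rest of the function, or saving and restoring the global around the call, instead of widening the switch.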
Applied
--
* Re: [iproute2] iproute2: Fix batch-mode for mrules.
From: Ben Greear @ 2010-07-23 16:09 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: netdev
In-Reply-To: <20100723090327.2af5ad1f@nehalam>
On 07/23/2010 09:03 AM, Stephen Hemminger wrote:
> On Thu, 15 Jul 2010 15:48:10 -0700
> Ben Greear<greearb@candelatech.com> wrote:
>
>> The do_multirule logic was broken in batch mode because
>> it expected the preferred_family to be AF_INET or AF_INET6,
>> but it then assigned it to RTNL_FAMILY_IPMR or RTNL_FAMILY_IP6MR.
>> So, the next iteration of the batch processing, it failed
>> the check for AF_INET or AF_INET6.
>>
>> Signed-off-by: Ben Greear<greearb@candelatech.com>
>> ---
>> :100644 100644 9c8c6ef... d3b97e2... M ip/iprule.c
>> ip/iprule.c | 6 +++++-
>> 1 files changed, 5 insertions(+), 1 deletions(-)
>>
>> diff --git a/ip/iprule.c b/ip/iprule.c
>> index 9c8c6ef..d3b97e2 100644
>> --- a/ip/iprule.c
>> +++ b/ip/iprule.c
>> @@ -446,8 +446,12 @@ int do_multirule(int argc, char **argv)
>> case AF_INET6:
>> preferred_family = RTNL_FAMILY_IP6MR;
>> break;
>> + case RTNL_FAMILY_IPMR:
>> + case RTNL_FAMILY_IP6MR:
>> + break;
>> default:
>> - fprintf(stderr, "Multicast rules are only supported for IPv4/IPv6\n");
>> + fprintf(stderr, "Multicast rules are only supported for IPv4/IPv6, was: %i\n",
>> + preferred_family);
>> exit(-1);
>> }
>>
>
> Applied
Thanks. I recently realized this patch is not quite enough
for full flexibility.
It does help the case where you have 'normal' cmds followed by
mrule commands, but it doesn't fix the case where you have 'normal' commands
after the mrule commands.
I was thinking maybe we should pass the preferred_family in as an argument
to the method(s) instead of twiddling the global value?
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
* Re: [patch -next v2] mv643xx_eth: potential null dereference
From: walter harms @ 2010-07-23 16:30 UTC (permalink / raw)
To: Dan Carpenter
Cc: Joe Perches, Lennert Buytenhek, David S. Miller, Jiri Pirko,
Denis Kirjanov, Saeed Bishara, netdev, kernel-janitors
In-Reply-To: <20100723110504.GG26313@bicker>
Dan Carpenter schrieb:
> We assume that "pd" can be null on the previous line, and throughout the
> function so we should check it here as well. This was introduced by
> 9b2c2ff7a1c0 "mv643xx_eth: use sw csum for big packets"
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> v2: style change
>
> diff --git a/drivers/net/mv643xx_eth.c b/drivers/net/mv643xx_eth.c
> index 73bb8ea..f5e72fe 100644
> --- a/drivers/net/mv643xx_eth.c
> +++ b/drivers/net/mv643xx_eth.c
> @@ -2670,7 +2670,8 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
> * Detect hardware parameters.
> */
> msp->t_clk = (pd != NULL && pd->t_clk != 0) ? pd->t_clk : 133000000;
> - msp->tx_csum_limit = pd->tx_csum_limit ? pd->tx_csum_limit : 9 * 1024;
> + msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ?
> + pd->tx_csum_limit : 9 * 1024;
> infer_hw_params(msp);
>
> platform_set_drvdata(pdev, msp);
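Review bot: with this change `pd != NULL` is tested separately in two adjacent ternaries, and the fallbacks `133000000` and `9 * 1024` remain bare literals. Naming the two defaults and doing the NULL test once would keep the next field read from `pd` here from repeating the original mistake of dereferencing it unchecked.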
this is a bit complicated, IMHO ppl have a bigger chance to discover what is going on
with this version:
	if (!pd) {
		msp->t_clk = 133000000;
		msp->tx_csum_limit = 9 * 1024;
	} else {
		msp->t_clk = pd->t_clk ? pd->t_clk : 133000000;
		msp->tx_csum_limit = pd->tx_csum_limit ? pd->tx_csum_limit : 9 * 1024;
	}
re,
wh
* Re: [PATCH net-next] sysfs: add entry to indicate network interfaces with random MAC address
From: Casey Leedom @ 2010-07-23 16:35 UTC (permalink / raw)
To: Stefan Assmann
Cc: Rose, Gregory V, David Miller, shemminger, andy, harald,
bhutchings, netdev, linux-kernel, gospo, Duyck, Alexander H
In-Reply-To: <4C494DEE.3010101@redhat.com>
| From: Stefan Assmann <sassmann@redhat.com>
| Date: Friday, July 23, 2010 01:08 am
|
| On 23.07.2010 02:26, Casey Leedom wrote:
| > Or you simply don't have the VF Driver loaded in the "Domain 0" Control
| > OS. When we install the cxgb4 PF Driver with "num_vf=..." this enables
| > the PCI-E SR-IOV Capabilities within the various PFs and the
| > corresponding VF PCI Devices are instantiated and discovered by the
| > Domain 0 Linux OS. But without a cxgb4vf VF Driver loaded, those
| > devices just sit there available for "Device Assignment" to VMs.
|
| Just out of curiosity, how do you prevent the VF driver from getting
| loaded in the host? Except from blacklisting it.
I don't install them. :-)
I'm actually fairly unfamiliar with the details of managing/administering
Linux systems so I'm guessing that there are much better ways of controlling for
which devices a Linux system will attempt to load drivers. For instance, I
didn't know about the concept of "blacklisting" a driver.
Casey
* [PATCH] net: s2io: fix buffer overflow
From: Kulikov Vasiliy @ 2010-07-23 16:36 UTC (permalink / raw)
To: kernel-janitors
Cc: Ramkrishna Vepa, Sivakumar Subramani, Sreenivasa Honnur,
Jon Mason, David S. Miller, Joe Perches, Jiri Pirko, netdev
vpd_data[] is allocated as kmalloc(256, GFP_KERNEL), so if cnt = 255
then (cnt + 3) overflows 256. memset() is executed without checking.
vpd_data[cnt+2] must be less than 256-cnt-2 as the latter is number of
vpd_data[] elements to copy.
Do not fill with zero the beginning of nic->serial_num as it will
be filled with vpd_data[].
String in product_name[] should be terminated by '\0'.
Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
---
drivers/net/s2io.c | 28 ++++++++++++++++++----------
1 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/drivers/net/s2io.c b/drivers/net/s2io.c
index b8b8584..18bc5b7 100644
--- a/drivers/net/s2io.c
+++ b/drivers/net/s2io.c
@@ -5796,7 +5796,7 @@ static void s2io_vpd_read(struct s2io_nic *nic)
{
u8 *vpd_data;
u8 data;
- int i = 0, cnt, fail = 0;
+ int i = 0, cnt, len, fail = 0;
int vpd_addr = 0x80;
struct swStat *swstats = &nic->mac_control.stats_info->sw_stat;
@@ -5837,20 +5837,28 @@ static void s2io_vpd_read(struct s2io_nic *nic)
if (!fail) {
/* read serial number of adapter */
- for (cnt = 0; cnt < 256; cnt++) {
+ for (cnt = 0; cnt < 252; cnt++) {
if ((vpd_data[cnt] == 'S') &&
- (vpd_data[cnt+1] == 'N') &&
- (vpd_data[cnt+2] < VPD_STRING_LEN)) {
- memset(nic->serial_num, 0, VPD_STRING_LEN);
- memcpy(nic->serial_num, &vpd_data[cnt + 3],
- vpd_data[cnt+2]);
- break;
+ (vpd_data[cnt+1] == 'N')) {
+ len = vpd_data[cnt+2];
+ if (len < min(VPD_STRING_LEN, 256-cnt-2)) {
+ memcpy(nic->serial_num,
+ &vpd_data[cnt + 3],
+ len);
+ memset(nic->serial_num+len,
+ 0,
+ VPD_STRING_LEN-len);
+ break;
+ }
}
}
}
- if ((!fail) && (vpd_data[1] < VPD_STRING_LEN))
- memcpy(nic->product_name, &vpd_data[3], vpd_data[1]);
+ if ((!fail) && (vpd_data[1] < VPD_STRING_LEN)) {
+ len = vpd_data[1];
+ memcpy(nic->product_name, &vpd_data[3], len);
+ nic->product_name[len] = 0;
+ }
kfree(vpd_data);
swstats->mem_freed += 256;
}
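Review bot: the loop bound `cnt < 252` and the `256-cnt-2` limit in the serial-number branch both encode the kmalloc(256) size from the changelog as bare literals, alongside the existing `mem_freed += 256`. The bound does hold as written (with the strict `<`, the last byte copied from `&vpd_data[cnt + 3]` is at most index 255), but it takes working through the offsets to see that; a named constant for the VPD buffer size and a limit written against the `cnt + 3` start offset would make it checkable at a glance. In the product_name branch, `nic->product_name[len] = 0` is in bounds only if product_name holds at least VPD_STRING_LEN bytes, which is not visible in this hunk and deserves a comment or a sizeof-based check.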
--
1.7.0.4
* Re: [PATCH] ip6tables: use skb->len for accounting
From: Jan Engelhardt @ 2010-07-23 16:40 UTC (permalink / raw)
To: Changli Gao
Cc: Patrick McHardy, David S. Miller, Alexey Kuznetsov,
Pekka Savola (ipv6), James Morris, Hideaki YOSHIFUJI,
netfilter-devel, netdev
In-Reply-To: <AANLkTi=PAVfcX4ttUsSgm+A_WMYcfXt4FLvYunccgtjS@mail.gmail.com>
On Friday 2010-07-23 15:05, Changli Gao wrote:
>On Fri, Jul 23, 2010 at 7:48 PM, Patrick McHardy <kaber@trash.net> wrote:
>> On 23.07.2010 08:38, Changli Gao wrote:
>>>
>>> For the packets received, ip_rcv, ipv6_rcv and bridge all call
>>> pskb_trim_rcsum before feeding them to netfilter. The raw packets are
>>> sent via dev_queue_xmit(), and they don't pass through the output path
>>> of netfilter.
>>
>> That's not true, raw packets also pass through netfilter. However
>> I agree that this patch makes sense to properly deal with jumbo
>> frames, but you should also update xt_length for consistency.
>>
>
>In order to support jumbo frames, we have to change the type of min
>and max in xt_length_info to u32. I'll change xt_match.revision to 1,
>do I need to support the current revision 0 at the same time?
This is all already handled by xt_length.2. But alas, merge has been
declined so far.
* Re: IPv6 Anycast?
From: Ulrich Weber @ 2010-07-23 16:29 UTC (permalink / raw)
To: Stuart Sheldon; +Cc: Mikael Abrahamsson, netdev
In-Reply-To: <4C49B163.8090400@actusa.net>
Hi Stuart,
you probably mean the IPV6_JOIN_ANYCAST/IPV6_LEAVE_ANYCAST socket option
support? See the old patch documentation:
http://lkml.indiana.edu/hypermail/linux/net/0208.3/0028.html
To remove the automatically generated IPv6 Anycast addresses, you can remove
the routes from the local table manually:
ip -6 route del 2607:ff38:: table local
Best regards
Ulrich
--
Ulrich Weber | uweber@astaro.com | Software Engineer
Astaro GmbH & Co. KG | www.astaro.com | Phone +49-721-25516-0 | Fax –200
An der RaumFabrik 33a | 76227 Karlsruhe | Germany
* [PATCH] net: 3c59x: fix leak of iomaps
From: Kulikov Vasiliy @ 2010-07-23 16:44 UTC (permalink / raw)
To: kernel-janitors
Cc: Steffen Klassert, David S. Miller, Eric Dumazet, Ben Hutchings,
Alexey Dobriyan, Joe Perches, netdev
If vortex_probe1() fails we should unmap ioaddr mapped earlier.
Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
---
drivers/net/3c59x.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/drivers/net/3c59x.c b/drivers/net/3c59x.c
index 9b137e1..ebd4c19 100644
--- a/drivers/net/3c59x.c
+++ b/drivers/net/3c59x.c
@@ -1029,6 +1029,7 @@ static int __devinit vortex_init_one(struct pci_dev *pdev,
rc = vortex_probe1(&pdev->dev, ioaddr, pdev->irq,
ent->driver_data, unit);
if (rc < 0) {
+ pci_iounmap(pdev, ioaddr);
pci_disable_device(pdev);
goto out;
}
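Review bot: the added `pci_iounmap(pdev, ioaddr)` is open-coded inside the `if (rc < 0)` branch next to `pci_disable_device(pdev)`, so each failure path has to carry the full cleanup list by hand. An unwind label (for example `goto out_unmap`, falling through to the disable) would keep the map/unmap pairing in one place. From this hunk alone it is not visible whether anything else acquired before vortex_probe1() also needs releasing on this path; a line in the changelog confirming that would help.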
--
1.7.0.4
* Re: [PATCH iptables] extension: add xt_cpu match
From: Jan Engelhardt @ 2010-07-23 16:46 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Patrick McHardy, Netfilter Development Mailinglist, netdev
In-Reply-To: <1279892621.2481.53.camel@edumazet-laptop>
On Friday 2010-07-23 15:43, Eric Dumazet wrote:
>+
>+static const struct option cpu_opts[] = {
>+ { "cpu", 1, NULL, '1' },
>+ { .name = NULL }
>+};
I will never understand that sort of style mix logic. Why the
C99 initializer only on the sentinel?
{
{.name = "cpu", .has_arg = true, .val = '1'},
{NULL},
};
>+cpu_print(const void *ip, const struct xt_entry_match *match, int numeric)
>+{
>+ const struct xt_cpu_info *info = (void *)match->data;
>+
>+ printf("cpu %s%u ", info->invert ? "! ":"", info->cpu);
>+}
>+
>+static void cpu_save(const void *ip, const struct xt_entry_match *match)
>+{
>+ const struct xt_cpu_info *info = (void *)match->data;
>+
>+ printf("%s--cpu %u ", info->invert ? "! ":"", info->cpu);
>+}
Using if (info->invert) would save the empty string.
>diff --git a/extensions/libxt_cpu.man b/extensions/libxt_cpu.man
>index e69de29..f42ac7a 100644
>--- a/extensions/libxt_cpu.man
>+++ b/extensions/libxt_cpu.man
>@@ -0,0 +1,16 @@
>+.TP
>+[\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
>+
>+Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
Unwanted blank line.
>+Can be used in combination with RPS (Remote Packet Steering) or
>+multiqueue NICS to spread network traffic on different queues.
>+.PP
>+Example:
>+.PP
>+iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 0
>+ \-j REDIRECT \-\-to\-port 8080
Unwanted indent.
>+.PP
>+iptables \-t nat \-A PREROUTING \-p tcp \-\-dport 80 \-m cpu \-\-cpu 1
>+ \-j REDIRECT \-\-to\-port 8081
>+.PP
>+Available since linux 2.6.36
Linux.