[GIT PULL nf-next] IPVS

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider the following enhancements to IPVS for inclusion in 3.7.

----------------------------------------------------------------
The following changes since commit 173f8654746c138a08f51a8a0db7747763a896a2:

  Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 (2012-07-27 20:52:25 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master

for you to fetch changes up to 3654e61137db891f5312e6dd813b961484b5fdf3:

  ipvs: add pmtu_disc option to disable IP DF for TUN packets (2012-08-10 10:35:07 +0900)

----------------------------------------------------------------
Claudiu Ghioc (1):
      ipvs: fixed sparse warning

Julian Anastasov (4):
      ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper
      ipvs: generalize app registration in netns
      ipvs: implement passive PMTUD for IPIP packets
      ipvs: add pmtu_disc option to disable IP DF for TUN packets

 include/net/ip_vs.h             | 16 ++++++--
 net/netfilter/ipvs/Kconfig      |  3 +-
 net/netfilter/ipvs/ip_vs_app.c  | 58 ++++++++++++++++++++--------
 net/netfilter/ipvs/ip_vs_core.c | 76 +++++++++++++++++++++++++++++++++++--
 net/netfilter/ipvs/ip_vs_ctl.c  | 16 ++++++--
 net/netfilter/ipvs/ip_vs_ftp.c  | 21 +++--------
 net/netfilter/ipvs/ip_vs_xmit.c | 83 ++++++++++++++++++++++++++++-------------
 7 files changed, 204 insertions(+), 69 deletions(-)

[PATCH 1/5] ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper

[Simon Horman]

From: Julian Anastasov <ja@ssi.bg>

	The FTP application indirectly depends on the
nf_conntrack_ftp helper for proper NAT support. If the
module is not loaded, IPVS can resize the packets for the
command connection, eg. PASV response but the SEQ adjustment
logic in ipv4_confirm is not called without helper.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/Kconfig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index f987138..8b2cffd 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -250,7 +250,8 @@ comment 'IPVS application helper'
 
 config	IP_VS_FTP
   	tristate "FTP protocol helper"
-        depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT
+	depends on IP_VS_PROTO_TCP && NF_CONNTRACK && NF_NAT && \
+		NF_CONNTRACK_FTP
 	select IP_VS_NFCT
 	---help---
 	  FTP is a protocol that transfers IP address and/or port number in
-- 
1.7.10.2.484.gcd07cc5

[PATCH 2/5] ipvs: generalize app registration in netns

[Simon Horman]

From: Julian Anastasov <ja@ssi.bg>

	Get rid of the ftp_app pointer and allow applications
to be registered without adding fields in the netns_ipvs structure.

v2: fix coding style as suggested by Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 include/net/ip_vs.h            |  5 ++--
 net/netfilter/ipvs/ip_vs_app.c | 58 ++++++++++++++++++++++++++++++------------
 net/netfilter/ipvs/ip_vs_ftp.c | 21 ++++-----------
 3 files changed, 49 insertions(+), 35 deletions(-)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 95374d1..4b8f18f 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -808,8 +808,6 @@ struct netns_ipvs {
 	struct list_head	rs_table[IP_VS_RTAB_SIZE];
 	/* ip_vs_app */
 	struct list_head	app_list;
-	/* ip_vs_ftp */
-	struct ip_vs_app	*ftp_app;
 	/* ip_vs_proto */
 	#define IP_VS_PROTO_TAB_SIZE	32	/* must be power of 2 */
 	struct ip_vs_proto_data *proto_data_table[IP_VS_PROTO_TAB_SIZE];
@@ -1179,7 +1177,8 @@ extern void ip_vs_service_net_cleanup(struct net *net);
  *      (from ip_vs_app.c)
  */
 #define IP_VS_APP_MAX_PORTS  8
-extern int register_ip_vs_app(struct net *net, struct ip_vs_app *app);
+extern struct ip_vs_app *register_ip_vs_app(struct net *net,
+					    struct ip_vs_app *app);
 extern void unregister_ip_vs_app(struct net *net, struct ip_vs_app *app);
 extern int ip_vs_bind_app(struct ip_vs_conn *cp, struct ip_vs_protocol *pp);
 extern void ip_vs_unbind_app(struct ip_vs_conn *cp);
diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c
index 64f9e8f..9713e6e 100644
--- a/net/netfilter/ipvs/ip_vs_app.c
+++ b/net/netfilter/ipvs/ip_vs_app.c
@@ -180,22 +180,38 @@ register_ip_vs_app_inc(struct net *net, struct ip_vs_app *app, __u16 proto,
 }
 
 
-/*
- *	ip_vs_app registration routine
- */
-int register_ip_vs_app(struct net *net, struct ip_vs_app *app)
+/* Register application for netns */
+struct ip_vs_app *register_ip_vs_app(struct net *net, struct ip_vs_app *app)
 {
 	struct netns_ipvs *ipvs = net_ipvs(net);
-	/* increase the module use count */
-	ip_vs_use_count_inc();
+	struct ip_vs_app *a;
+	int err = 0;
+
+	if (!ipvs)
+		return ERR_PTR(-ENOENT);
 
 	mutex_lock(&__ip_vs_app_mutex);
 
-	list_add(&app->a_list, &ipvs->app_list);
+	list_for_each_entry(a, &ipvs->app_list, a_list) {
+		if (!strcmp(app->name, a->name)) {
+			err = -EEXIST;
+			goto out_unlock;
+		}
+	}
+	a = kmemdup(app, sizeof(*app), GFP_KERNEL);
+	if (!a) {
+		err = -ENOMEM;
+		goto out_unlock;
+	}
+	INIT_LIST_HEAD(&a->incs_list);
+	list_add(&a->a_list, &ipvs->app_list);
+	/* increase the module use count */
+	ip_vs_use_count_inc();
 
+out_unlock:
 	mutex_unlock(&__ip_vs_app_mutex);
 
-	return 0;
+	return err ? ERR_PTR(err) : a;
 }
 
 
@@ -205,20 +221,29 @@ int register_ip_vs_app(struct net *net, struct ip_vs_app *app)
  */
 void unregister_ip_vs_app(struct net *net, struct ip_vs_app *app)
 {
-	struct ip_vs_app *inc, *nxt;
+	struct netns_ipvs *ipvs = net_ipvs(net);
+	struct ip_vs_app *a, *anxt, *inc, *nxt;
+
+	if (!ipvs)
+		return;
 
 	mutex_lock(&__ip_vs_app_mutex);
 
-	list_for_each_entry_safe(inc, nxt, &app->incs_list, a_list) {
-		ip_vs_app_inc_release(net, inc);
-	}
+	list_for_each_entry_safe(a, anxt, &ipvs->app_list, a_list) {
+		if (app && strcmp(app->name, a->name))
+			continue;
+		list_for_each_entry_safe(inc, nxt, &a->incs_list, a_list) {
+			ip_vs_app_inc_release(net, inc);
+		}
 
-	list_del(&app->a_list);
+		list_del(&a->a_list);
+		kfree(a);
 
-	mutex_unlock(&__ip_vs_app_mutex);
+		/* decrease the module use count */
+		ip_vs_use_count_dec();
+	}
 
-	/* decrease the module use count */
-	ip_vs_use_count_dec();
+	mutex_unlock(&__ip_vs_app_mutex);
 }
 
 
@@ -586,5 +611,6 @@ int __net_init ip_vs_app_net_init(struct net *net)
 
 void __net_exit ip_vs_app_net_cleanup(struct net *net)
 {
+	unregister_ip_vs_app(net, NULL /* all */);
 	proc_net_remove(net, "ip_vs_app");
 }
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index b20b29c..ad70b7e 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -441,16 +441,10 @@ static int __net_init __ip_vs_ftp_init(struct net *net)
 
 	if (!ipvs)
 		return -ENOENT;
-	app = kmemdup(&ip_vs_ftp, sizeof(struct ip_vs_app), GFP_KERNEL);
-	if (!app)
-		return -ENOMEM;
-	INIT_LIST_HEAD(&app->a_list);
-	INIT_LIST_HEAD(&app->incs_list);
-	ipvs->ftp_app = app;
 
-	ret = register_ip_vs_app(net, app);
-	if (ret)
-		goto err_exit;
+	app = register_ip_vs_app(net, &ip_vs_ftp);
+	if (IS_ERR(app))
+		return PTR_ERR(app);
 
 	for (i = 0; i < ports_count; i++) {
 		if (!ports[i])
@@ -464,9 +458,7 @@ static int __net_init __ip_vs_ftp_init(struct net *net)
 	return 0;
 
 err_unreg:
-	unregister_ip_vs_app(net, app);
-err_exit:
-	kfree(ipvs->ftp_app);
+	unregister_ip_vs_app(net, &ip_vs_ftp);
 	return ret;
 }
 /*
@@ -474,10 +466,7 @@ err_exit:
  */
 static void __ip_vs_ftp_exit(struct net *net)
 {
-	struct netns_ipvs *ipvs = net_ipvs(net);
-
-	unregister_ip_vs_app(net, ipvs->ftp_app);
-	kfree(ipvs->ftp_app);
+	unregister_ip_vs_app(net, &ip_vs_ftp);
 }
 
 static struct pernet_operations ip_vs_ftp_ops = {
-- 
1.7.10.2.484.gcd07cc5

[PATCH 3/5] ipvs: fixed sparse warning

[Simon Horman]

From: Claudiu Ghioc <claudiughioc@gmail.com>

Removed the following sparse warnings, wether CONFIG_SYSCTL
is defined or not:
*       warning: symbol 'ip_vs_control_net_init_sysctl' was not
	declared. Should it be static?
*       warning: symbol 'ip_vs_control_net_cleanup_sysctl' was
	not declared. Should it be static?

Signed-off-by: Claudiu Ghioc <claudiu.ghioc@gmail.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 84444dd..d6d5cca 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3675,7 +3675,7 @@ static void ip_vs_genl_unregister(void)
  * per netns intit/exit func.
  */
 #ifdef CONFIG_SYSCTL
-int __net_init ip_vs_control_net_init_sysctl(struct net *net)
+static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
 {
 	int idx;
 	struct netns_ipvs *ipvs = net_ipvs(net);
@@ -3743,7 +3743,7 @@ int __net_init ip_vs_control_net_init_sysctl(struct net *net)
 	return 0;
 }
 
-void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
+static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
 {
 	struct netns_ipvs *ipvs = net_ipvs(net);
 
@@ -3754,8 +3754,8 @@ void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
 
 #else
 
-int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
-void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
+static int __net_init ip_vs_control_net_init_sysctl(struct net *net) { return 0; }
+static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net) { }
 
 #endif
 
-- 
1.7.10.2.484.gcd07cc5

[PATCH 4/5] ipvs: implement passive PMTUD for IPIP packets

[Simon Horman]

From: Julian Anastasov <ja@ssi.bg>

	IPVS is missing the logic to update PMTU in routing
for its IPIP packets. We monitor the dst_mtu and can return
FRAG_NEEDED messages but if the tunneled packets get ICMP
error we can not rely on other traffic to save the lowest
MTU.

	The following patch adds ICMP handling for IPIP
packets in incoming direction, from some remote host to
our local IP used as saddr in the outer header. By this
way we can forward any related ICMP traffic if it is for IPVS
TUN connection. For the special case of PMTUD we update the
routing and if client requested DF we can forward the
error.

	To properly update the routing we have to bind
the cached route (dest->dst_cache) to the selected saddr
because ipv4_update_pmtu uses saddr for dst lookup.
Add IP_VS_RT_MODE_CONNECT flag to force such binding with
second route.

	Update ip_vs_tunnel_xmit to provide IP_VS_RT_MODE_CONNECT
and change the code to copy DF. For now we prefer not to
force PMTU discovery (outer DF=1) because we don't have
configuration option to enable or disable PMTUD. As we
do not keep any packets to resend, we prefer not to
play games with packets without DF bit because the sender
is not informed when they are rejected.

	Also, change ops->update_pmtu to be called only
for local clients because there is no point to update
MTU for input routes, in our case skb->dst->dev is lo.
It seems the code is copied from ipip.c where the skb
dst points to tunnel device.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_core.c | 76 +++++++++++++++++++++++++++++++++++++--
 net/netfilter/ipvs/ip_vs_xmit.c | 79 ++++++++++++++++++++++++++++-------------
 2 files changed, 128 insertions(+), 27 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index b54ecce..58918e2 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1303,7 +1303,8 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
 	struct ip_vs_conn *cp;
 	struct ip_vs_protocol *pp;
 	struct ip_vs_proto_data *pd;
-	unsigned int offset, ihl, verdict;
+	unsigned int offset, offset2, ihl, verdict;
+	bool ipip;
 
 	*related = 1;
 
@@ -1345,6 +1346,21 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
 
 	net = skb_net(skb);
 
+	/* Special case for errors for IPIP packets */
+	ipip = false;
+	if (cih->protocol == IPPROTO_IPIP) {
+		if (unlikely(cih->frag_off & htons(IP_OFFSET)))
+			return NF_ACCEPT;
+		/* Error for our IPIP must arrive at LOCAL_IN */
+		if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL))
+			return NF_ACCEPT;
+		offset += cih->ihl * 4;
+		cih = skb_header_pointer(skb, offset, sizeof(_ciph), &_ciph);
+		if (cih == NULL)
+			return NF_ACCEPT; /* The packet looks wrong, ignore */
+		ipip = true;
+	}
+
 	pd = ip_vs_proto_data_get(net, cih->protocol);
 	if (!pd)
 		return NF_ACCEPT;
@@ -1358,11 +1374,14 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
 	IP_VS_DBG_PKT(11, AF_INET, pp, skb, offset,
 		      "Checking incoming ICMP for");
 
+	offset2 = offset;
 	offset += cih->ihl * 4;
 
 	ip_vs_fill_iphdr(AF_INET, cih, &ciph);
-	/* The embedded headers contain source and dest in reverse order */
-	cp = pp->conn_in_get(AF_INET, skb, &ciph, offset, 1);
+	/* The embedded headers contain source and dest in reverse order.
+	 * For IPIP this is error for request, not for reply.
+	 */
+	cp = pp->conn_in_get(AF_INET, skb, &ciph, offset, ipip ? 0 : 1);
 	if (!cp)
 		return NF_ACCEPT;
 
@@ -1376,6 +1395,57 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
 		goto out;
 	}
 
+	if (ipip) {
+		__be32 info = ic->un.gateway;
+
+		/* Update the MTU */
+		if (ic->type == ICMP_DEST_UNREACH &&
+		    ic->code == ICMP_FRAG_NEEDED) {
+			struct ip_vs_dest *dest = cp->dest;
+			u32 mtu = ntohs(ic->un.frag.mtu);
+
+			/* Strip outer IP and ICMP, go to IPIP header */
+			__skb_pull(skb, ihl + sizeof(_icmph));
+			offset2 -= ihl + sizeof(_icmph);
+			skb_reset_network_header(skb);
+			IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
+				&ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
+			rcu_read_lock();
+			ipv4_update_pmtu(skb, dev_net(skb->dev),
+					 mtu, 0, 0, 0, 0);
+			rcu_read_unlock();
+			/* Client uses PMTUD? */
+			if (!(cih->frag_off & htons(IP_DF)))
+				goto ignore_ipip;
+			/* Prefer the resulting PMTU */
+			if (dest) {
+				spin_lock(&dest->dst_lock);
+				if (dest->dst_cache)
+					mtu = dst_mtu(dest->dst_cache);
+				spin_unlock(&dest->dst_lock);
+			}
+			if (mtu > 68 + sizeof(struct iphdr))
+				mtu -= sizeof(struct iphdr);
+			info = htonl(mtu);
+		}
+		/* Strip outer IP, ICMP and IPIP, go to IP header of
+		 * original request.
+		 */
+		__skb_pull(skb, offset2);
+		skb_reset_network_header(skb);
+		IP_VS_DBG(12, "Sending ICMP for %pI4->%pI4: t=%u, c=%u, i=%u\n",
+			&ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr,
+			ic->type, ic->code, ntohl(info));
+		icmp_send(skb, ic->type, ic->code, info);
+		/* ICMP can be shorter but anyways, account it */
+		ip_vs_out_stats(cp, skb);
+
+ignore_ipip:
+		consume_skb(skb);
+		verdict = NF_STOLEN;
+		goto out;
+	}
+
 	/* do the statistics and put it back */
 	ip_vs_in_stats(cp, skb);
 	if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 65b616a..c2275ba 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -49,6 +49,7 @@ enum {
 	IP_VS_RT_MODE_RDR	= 4, /* Allow redirect from remote daddr to
 				      * local
 				      */
+	IP_VS_RT_MODE_CONNECT	= 8, /* Always bind route to saddr */
 };
 
 /*
@@ -84,6 +85,42 @@ __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
 	return dst;
 }
 
+/* Get route to daddr, update *saddr, optionally bind route to saddr */
+static struct rtable *do_output_route4(struct net *net, __be32 daddr,
+				       u32 rtos, int rt_mode, __be32 *saddr)
+{
+	struct flowi4 fl4;
+	struct rtable *rt;
+	int loop = 0;
+
+	memset(&fl4, 0, sizeof(fl4));
+	fl4.daddr = daddr;
+	fl4.saddr = (rt_mode & IP_VS_RT_MODE_CONNECT) ? *saddr : 0;
+	fl4.flowi4_tos = rtos;
+
+retry:
+	rt = ip_route_output_key(net, &fl4);
+	if (IS_ERR(rt)) {
+		/* Invalid saddr ? */
+		if (PTR_ERR(rt) == -EINVAL && *saddr &&
+		    rt_mode & IP_VS_RT_MODE_CONNECT && !loop) {
+			*saddr = 0;
+			flowi4_update_output(&fl4, 0, rtos, daddr, 0);
+			goto retry;
+		}
+		IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n", &daddr);
+		return NULL;
+	} else if (!*saddr && rt_mode & IP_VS_RT_MODE_CONNECT && fl4.saddr) {
+		ip_rt_put(rt);
+		*saddr = fl4.saddr;
+		flowi4_update_output(&fl4, 0, rtos, daddr, fl4.saddr);
+		loop++;
+		goto retry;
+	}
+	*saddr = fl4.saddr;
+	return rt;
+}
+
 /* Get route to destination or remote server */
 static struct rtable *
 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
@@ -98,20 +135,13 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
 		spin_lock(&dest->dst_lock);
 		if (!(rt = (struct rtable *)
 		      __ip_vs_dst_check(dest, rtos))) {
-			struct flowi4 fl4;
-
-			memset(&fl4, 0, sizeof(fl4));
-			fl4.daddr = dest->addr.ip;
-			fl4.flowi4_tos = rtos;
-			rt = ip_route_output_key(net, &fl4);
-			if (IS_ERR(rt)) {
+			rt = do_output_route4(net, dest->addr.ip, rtos,
+					      rt_mode, &dest->dst_saddr.ip);
+			if (!rt) {
 				spin_unlock(&dest->dst_lock);
-				IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
-					     &dest->addr.ip);
 				return NULL;
 			}
 			__ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
-			dest->dst_saddr.ip = fl4.saddr;
 			IP_VS_DBG(10, "new dst %pI4, src %pI4, refcnt=%d, "
 				  "rtos=%X\n",
 				  &dest->addr.ip, &dest->dst_saddr.ip,
@@ -122,19 +152,17 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
 			*ret_saddr = dest->dst_saddr.ip;
 		spin_unlock(&dest->dst_lock);
 	} else {
-		struct flowi4 fl4;
+		__be32 saddr = htonl(INADDR_ANY);
 
-		memset(&fl4, 0, sizeof(fl4));
-		fl4.daddr = daddr;
-		fl4.flowi4_tos = rtos;
-		rt = ip_route_output_key(net, &fl4);
-		if (IS_ERR(rt)) {
-			IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
-				     &daddr);
+		/* For such unconfigured boxes avoid many route lookups
+		 * for performance reasons because we do not remember saddr
+		 */
+		rt_mode &= ~IP_VS_RT_MODE_CONNECT;
+		rt = do_output_route4(net, daddr, rtos, rt_mode, &saddr);
+		if (!rt)
 			return NULL;
-		}
 		if (ret_saddr)
-			*ret_saddr = fl4.saddr;
+			*ret_saddr = saddr;
 	}
 
 	local = rt->rt_flags & RTCF_LOCAL;
@@ -331,6 +359,7 @@ ip_vs_dst_reset(struct ip_vs_dest *dest)
 	old_dst = dest->dst_cache;
 	dest->dst_cache = NULL;
 	dst_release(old_dst);
+	dest->dst_saddr.ip = 0;
 }
 
 #define IP_VS_XMIT_TUNNEL(skb, cp)				\
@@ -771,7 +800,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 	struct net_device *tdev;		/* Device to other host */
 	struct iphdr  *old_iph = ip_hdr(skb);
 	u8     tos = old_iph->tos;
-	__be16 df = old_iph->frag_off;
+	__be16 df;
 	struct iphdr  *iph;			/* Our new IP header */
 	unsigned int max_headroom;		/* The extra header space needed */
 	int    mtu;
@@ -781,7 +810,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 
 	if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
 				      RT_TOS(tos), IP_VS_RT_MODE_LOCAL |
-						   IP_VS_RT_MODE_NON_LOCAL,
+						   IP_VS_RT_MODE_NON_LOCAL |
+						   IP_VS_RT_MODE_CONNECT,
 						   &saddr)))
 		goto tx_error_icmp;
 	if (rt->rt_flags & RTCF_LOCAL) {
@@ -796,10 +826,11 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 		IP_VS_DBG_RL("%s(): mtu less than 68\n", __func__);
 		goto tx_error_put;
 	}
-	if (skb_dst(skb))
+	if (rt_is_output_route(skb_rtable(skb)))
 		skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
 
-	df |= (old_iph->frag_off & htons(IP_DF));
+	/* Copy DF, reset fragment offset and MF */
+	df = old_iph->frag_off & htons(IP_DF);
 
 	if ((old_iph->frag_off & htons(IP_DF) &&
 	    mtu < ntohs(old_iph->tot_len) && !skb_is_gso(skb))) {
-- 
1.7.10.2.484.gcd07cc5

[PATCH 5/5] ipvs: add pmtu_disc option to disable IP DF for TUN packets

[Simon Horman]

From: Julian Anastasov <ja@ssi.bg>

	Disabling PMTU discovery can increase the output packet
rate but some users have enough resources and prefer to fragment
than to drop traffic. By default, we copy the DF bit but if
pmtu_disc is disabled we do not send FRAG_NEEDED messages anymore.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 include/net/ip_vs.h             | 11 +++++++++++
 net/netfilter/ipvs/ip_vs_ctl.c  |  8 ++++++++
 net/netfilter/ipvs/ip_vs_xmit.c |  6 +++---
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 4b8f18f..ee75ccd 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -888,6 +888,7 @@ struct netns_ipvs {
 	unsigned int		sysctl_sync_refresh_period;
 	int			sysctl_sync_retries;
 	int			sysctl_nat_icmp_send;
+	int			sysctl_pmtu_disc;
 
 	/* ip_vs_lblc */
 	int			sysctl_lblc_expiration;
@@ -974,6 +975,11 @@ static inline int sysctl_sync_sock_size(struct netns_ipvs *ipvs)
 	return ipvs->sysctl_sync_sock_size;
 }
 
+static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs)
+{
+	return ipvs->sysctl_pmtu_disc;
+}
+
 #else
 
 static inline int sysctl_sync_threshold(struct netns_ipvs *ipvs)
@@ -1016,6 +1022,11 @@ static inline int sysctl_sync_sock_size(struct netns_ipvs *ipvs)
 	return 0;
 }
 
+static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs)
+{
+	return 1;
+}
+
 #endif
 
 /*
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index d6d5cca..03d3fc6 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1801,6 +1801,12 @@ static struct ctl_table vs_vars[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
 	},
+	{
+		.procname	= "pmtu_disc",
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec,
+	},
 #ifdef CONFIG_IP_VS_DEBUG
 	{
 		.procname	= "debug_level",
@@ -3726,6 +3732,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
 	ipvs->sysctl_sync_retries = clamp_t(int, DEFAULT_SYNC_RETRIES, 0, 3);
 	tbl[idx++].data = &ipvs->sysctl_sync_retries;
 	tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
+	ipvs->sysctl_pmtu_disc = 1;
+	tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
 
 
 	ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index c2275ba..543a554 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -795,6 +795,7 @@ int
 ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 		  struct ip_vs_protocol *pp)
 {
+	struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
 	struct rtable *rt;			/* Route to the other host */
 	__be32 saddr;				/* Source for tunnel */
 	struct net_device *tdev;		/* Device to other host */
@@ -830,10 +831,9 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 		skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
 
 	/* Copy DF, reset fragment offset and MF */
-	df = old_iph->frag_off & htons(IP_DF);
+	df = sysctl_pmtu_disc(ipvs) ? old_iph->frag_off & htons(IP_DF) : 0;
 
-	if ((old_iph->frag_off & htons(IP_DF) &&
-	    mtu < ntohs(old_iph->tot_len) && !skb_is_gso(skb))) {
+	if (df && mtu < ntohs(old_iph->tot_len) && !skb_is_gso(skb)) {
 		icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
 		IP_VS_DBG_RL("%s(): frag needed\n", __func__);
 		goto tx_error_put;
-- 
1.7.10.2.484.gcd07cc5

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

On Fri, Aug 10, 2012 at 10:41:29AM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider the following enhancements to IPVS for inclusion in 3.7.
> 
> ----------------------------------------------------------------
> The following changes since commit 173f8654746c138a08f51a8a0db7747763a896a2:
> 
>   Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 (2012-07-27 20:52:25 -0700)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master

Pulled, thanks Simon.

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider the following IPVS enhancements from Julian for 3.10.

----------------------------------------------------------------
The following changes since commit 1cdb09056b27b2a06b06dc7187d2c33d57082d20:

  netfilter: nfnetlink_queue: use xor hash function to distribute instances (2013-03-15 12:38:40 +0100)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git tags/ipvs-for-v3.10

for you to fetch changes up to e095c65caffc923a0d1fb27763c3f9ec1dcb57fc:

  ipvs: fix some sparse warnings (2013-03-18 19:25:14 +0900)

----------------------------------------------------------------
IPVS enhancements for v3.10 from Julian Anastasov

----------------------------------------------------------------
Julian Anastasov (5):
      ipvs: add backup_only flag to avoid loops
      ipvs: remove extra rcu lock
      ipvs: fix sctp chunk length order
      ipvs: fix hashing in ip_vs_svc_hashkey
      ipvs: fix some sparse warnings

 Documentation/networking/ipvs-sysctl.txt |    7 +++++++
 include/net/ip_vs.h                      |   14 +++++++++++++-
 net/netfilter/ipvs/ip_vs_core.c          |   22 +++++++++-------------
 net/netfilter/ipvs/ip_vs_ctl.c           |   15 ++++++++++++---
 net/netfilter/ipvs/ip_vs_est.c           |    2 +-
 net/netfilter/ipvs/ip_vs_proto_sctp.c    |   16 +++++++++-------
 6 files changed, 51 insertions(+), 25 deletions(-)

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

Hi Simon,

On Mon, Mar 18, 2013 at 10:15:38PM +0900, Simon Horman wrote:
[...]
> ----------------------------------------------------------------
> IPVS enhancements for v3.10 from Julian Anastasov
> 
> ----------------------------------------------------------------
> Julian Anastasov (5):
>       ipvs: add backup_only flag to avoid loops
>       ipvs: remove extra rcu lock
>       ipvs: fix sctp chunk length order
>       ipvs: fix hashing in ip_vs_svc_hashkey
>       ipvs: fix some sparse warnings

I think that these three fixes:

ipvs: add backup_only flag to avoid loops
ipvs: remove extra rcu lock
ipvs: fix sctp chunk length order

should find their path to the net tree.

The remaining two sparse fixes should go to net-next.

I can manually apply these patch if you want to the corresponding
trees.

Re: [GIT PULL nf-next] IPVS

[Simon Horman]

On Tue, Mar 19, 2013 at 12:31:15AM +0100, Pablo Neira Ayuso wrote:
> Hi Simon,
> 
> On Mon, Mar 18, 2013 at 10:15:38PM +0900, Simon Horman wrote:
> [...]
> > ----------------------------------------------------------------
> > IPVS enhancements for v3.10 from Julian Anastasov
> > 
> > ----------------------------------------------------------------
> > Julian Anastasov (5):
> >       ipvs: add backup_only flag to avoid loops
> >       ipvs: remove extra rcu lock
> >       ipvs: fix sctp chunk length order
> >       ipvs: fix hashing in ip_vs_svc_hashkey
> >       ipvs: fix some sparse warnings
> 
> I think that these three fixes:
> 
> ipvs: add backup_only flag to avoid loops
> ipvs: remove extra rcu lock
> ipvs: fix sctp chunk length order
> 
> should find their path to the net tree.
> 
> The remaining two sparse fixes should go to net-next.
> 
> I can manually apply these patch if you want to the corresponding
> trees.

Thanks. I'll send two fresh pull requests shortly.

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider the following enhancements to IPVS for inclusion in 3.6.

----------------------------------------------------------------
The following changes since commit 9b70749e64132e17ab02239b82fcb4a2c55554d1:

  niu: Change niu_rbr_fill() to use unlikely() to check niu_rbr_add_page() return value (2012-07-22 23:31:07 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master

for you to fetch changes up to a805cfbcaaf819ab71a052d8a9d5d4c88cf2aba0:

  ipvs: add pmtu_disc option to disable IP DF for TUN packets (2012-07-24 08:23:06 +0900)

----------------------------------------------------------------
Claudiu Ghioc (1):
      ipvs: fixed sparse warning

Julian Anastasov (4):
      ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper
      ipvs: generalize app registration in netns
      ipvs: implement passive PMTUD for IPIP packets
      ipvs: add pmtu_disc option to disable IP DF for TUN packets

 include/net/ip_vs.h             | 16 ++++++--
 net/netfilter/ipvs/Kconfig      |  3 +-
 net/netfilter/ipvs/ip_vs_app.c  | 58 ++++++++++++++++++++--------
 net/netfilter/ipvs/ip_vs_core.c | 76 +++++++++++++++++++++++++++++++++++--
 net/netfilter/ipvs/ip_vs_ctl.c  | 16 ++++++--
 net/netfilter/ipvs/ip_vs_ftp.c  | 21 +++--------
 net/netfilter/ipvs/ip_vs_xmit.c | 83 ++++++++++++++++++++++++++++-------------
 7 files changed, 204 insertions(+), 69 deletions(-)

Re: [GIT PULL nf-next] IPVS

[David Miller]

From: Simon Horman <horms@verge.net.au>
Date: Tue, 24 Jul 2012 08:28:55 +0900

> please consider the following enhancements to IPVS for inclusion in 3.6.

The merge window has just openned, therefore any new work should have
been submitted and queued up already.

Re: [GIT PULL nf-next] IPVS

[Simon Horman]

On Mon, Jul 23, 2012 at 04:35:08PM -0700, David Miller wrote:
> From: Simon Horman <horms@verge.net.au>
> Date: Tue, 24 Jul 2012 08:28:55 +0900
> 
> > please consider the following enhancements to IPVS for inclusion in 3.6.
> 
> The merge window has just openned, therefore any new work should have
> been submitted and queued up already.

Sorry for my lateness. I can hold these changes for 3.7 if that is the
best option at this point.

Re: [GIT PULL nf-next] IPVS

[David Miller]

From: Simon Horman <horms@verge.net.au>
Date: Tue, 24 Jul 2012 10:01:05 +0900

> On Mon, Jul 23, 2012 at 04:35:08PM -0700, David Miller wrote:
>> From: Simon Horman <horms@verge.net.au>
>> Date: Tue, 24 Jul 2012 08:28:55 +0900
>> 
>> > please consider the following enhancements to IPVS for inclusion in 3.6.
>> 
>> The merge window has just openned, therefore any new work should have
>> been submitted and queued up already.
> 
> Sorry for my lateness. I can hold these changes for 3.7 if that is the
> best option at this point.

No worries, there is always the next merge window :-)

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider the following enhancements to IPVS for inclusion in 3.6.

----------------------------------------------------------------
The following changes since commit 46ba5a25f521e3c50d7bb81b1abb977769047456:

  netfilter: nfnetlink_queue: do not allow to set unsupported flag bits (2012-07-04 19:51:50 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master

for you to fetch changes up to 1fd130ebf10e1185022a9c0470f2298943bad1c4:

  ipvs: generalize app registration in netns (2012-07-10 17:58:10 +0900)

----------------------------------------------------------------
Julian Anastasov (2):
      ipvs: ip_vs_ftp depends on nf_conntrack_ftp helper
      ipvs: generalize app registration in netns

 include/net/ip_vs.h            |  5 ++--
 net/netfilter/ipvs/Kconfig     |  3 ++-
 net/netfilter/ipvs/ip_vs_app.c | 61 +++++++++++++++++++++++++++++++-----------
 net/netfilter/ipvs/ip_vs_ftp.c | 21 ++++-----------
 4 files changed, 54 insertions(+), 36 deletions(-)

[GIT PULL nf-next] IPVS

[Simon Horman]

please consider pulling
git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs.git master
to get the following enhancements to IPVS connection synchronisation
from Julian and a minor clean-up from myself.

The following changes since commit ace30d73ef09fd5f95b24c5c1c5aa11963981494:

  netfilter: xt_LOG: add __printf() to sb_add() (2012-03-07 17:41:52 +0100)

are available in the git repository at:
  git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master

Julian Anastasov (8):
      ipvs: ignore IP_VS_CONN_F_NOOUTPUT in backup server
      ipvs: remove check for IP_VS_CONN_F_SYNC from ip_vs_bind_dest
      ipvs: fix ip_vs_try_bind_dest to rebind app and transmitter
      ipvs: always update some of the flags bits in backup
      ipvs: use adaptive pause in master thread
      ipvs: reduce sync rate with time thresholds
      ipvs: add support for sync threads
      ipvs: optimize the use of flags in ip_vs_bind_dest

Simon Horman (1):
      ipvs: Provide a generic ip_vs_bind_xmit()

 include/linux/ip_vs.h           |    5 +
 include/net/ip_vs.h             |   59 ++++-
 net/netfilter/ipvs/ip_vs_conn.c |   83 ++++--
 net/netfilter/ipvs/ip_vs_core.c |   30 +--
 net/netfilter/ipvs/ip_vs_ctl.c  |   54 ++++-
 net/netfilter/ipvs/ip_vs_sync.c |  585 +++++++++++++++++++++++++--------------
 6 files changed, 547 insertions(+), 269 deletions(-)

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider pulling
git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master
to obtain and enhancement to the SH scheduelr from Michael Maixim.

This patch includes the changes that you requested; A note about the
Kconfig change in the changelog and removal of whitespace-only changes.

Michael Maxim (1):
      IPVS: Modify the SH scheduler to use weights

 net/netfilter/ipvs/Kconfig    |   15 +++++++++++++++
 net/netfilter/ipvs/ip_vs_sh.c |   18 +++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletions(-)

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

On Fri, Dec 09, 2011 at 04:13:16PM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider pulling
> git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master
> to obtain and enhancement to the SH scheduelr from Michael Maixim.
> 
> This patch includes the changes that you requested; A note about the
> Kconfig change in the changelog and removal of whitespace-only changes.

Pulled, thanks!

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider pulling
git://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next.git master
to obtain and enhancement to the SH scheduelr from Michael Maixim.

Michael Maxim (1):
      IPVS: Modify the SH scheduler to use weights

 net/netfilter/ipvs/Kconfig    |   15 +++++++++++++++
 net/netfilter/ipvs/ip_vs_sh.c |   20 ++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider pulling the following to get compile fix
and cleanup patches from Krzysztof Wilczynski.

The following changes since commit 2ca5b853f1dd81c605ddc8a55e06bdad85636597:

  netfilter: export NAT definitions through linux/netfilter_ipv4/nf_nat.h (2011-10-11 03:32:34 +0200)

are available in the git repository at:
  git://github.com/horms/ipvs-next.git master

Krzysztof Wilczynski (2):
      ipvs: Remove unused variable "cs" from ip_vs_leave function.
      ipvs: Fix compilation error in ip_vs.h for ip_vs_confirm_conntrack function.

 include/net/ip_vs.h             |    2 +-
 net/netfilter/ipvs/ip_vs_core.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

On Fri, Oct 21, 2011 at 10:33:01AM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider pulling the following to get compile fix
> and cleanup patches from Krzysztof Wilczynski.
> 
> The following changes since commit 2ca5b853f1dd81c605ddc8a55e06bdad85636597:
> 
>   netfilter: export NAT definitions through linux/netfilter_ipv4/nf_nat.h (2011-10-11 03:32:34 +0200)
> 
> are available in the git repository at:
>   git://github.com/horms/ipvs-next.git master

Pulled, thanks.

http://1984.lsi.us.es/git/?p=net-next/.git;a=shortlog;h=refs/heads/nf-next

> Krzysztof Wilczynski (2):
>       ipvs: Remove unused variable "cs" from ip_vs_leave function.
>       ipvs: Fix compilation error in ip_vs.h for ip_vs_confirm_conntrack function.

Strange, I have all IPVS configs enabled here and I didn't hit this error.

Re: [GIT PULL nf-next] IPVS

[Simon Horman]

On Fri, Oct 21, 2011 at 09:27:15AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Oct 21, 2011 at 10:33:01AM +0900, Simon Horman wrote:
> > Hi Pablo,
> > 
> > please consider pulling the following to get compile fix
> > and cleanup patches from Krzysztof Wilczynski.
> > 
> > The following changes since commit 2ca5b853f1dd81c605ddc8a55e06bdad85636597:
> > 
> >   netfilter: export NAT definitions through linux/netfilter_ipv4/nf_nat.h (2011-10-11 03:32:34 +0200)
> > 
> > are available in the git repository at:
> >   git://github.com/horms/ipvs-next.git master
> 
> Pulled, thanks.
> 
> http://1984.lsi.us.es/git/?p=net-next/.git;a=shortlog;h=refs/heads/nf-next
> 
> > Krzysztof Wilczynski (2):
> >       ipvs: Remove unused variable "cs" from ip_vs_leave function.
> >       ipvs: Fix compilation error in ip_vs.h for ip_vs_confirm_conntrack function.
> 
> Strange, I have all IPVS configs enabled here and I didn't hit this error.

Hi Pablo,

I am a little confused. The nf-next branch seems to have disappeared.

Could you consider pulling git://github.com/horms/ipvs-next.git master
to get the following changes that were in your nf-next branch. Or would
you like me to rebase the ipvs patches (9 or the 11 changes below) on
top of git://1984.lsi.us.es/net-next/.git master ?

------

The following changes since commit a9e9fd7182332d0cf5f3e601df3e71dd431b70d7:

  skge: handle irq better on single port card (2011-09-27 13:41:37 -0400)

are available in the git repository at:
  git://github.com/horms/ipvs-next.git master

Joe Perches (1):
      netfilter: Remove unnecessary OOM logging messages

Krzysztof Wilczynski (3):
      ipvs: Expose ip_vs_ftp module parameters via sysfs.
      ipvs: Remove unused variable "cs" from ip_vs_leave function.
      ipvs: Fix compilation error in ip_vs.h for ip_vs_confirm_conntrack function.

Pablo Neira Ayuso (1):
      netfilter: export NAT definitions through linux/netfilter_ipv4/nf_nat.h

Simon Horman (6):
      ipvs: Add documentation for new sysctl entries
      ipvs: Remove unused parameter from ip_vs_confirm_conntrack()
      ipvs: Remove unused return value of protocol state transitions
      ipvs: Removed unused variables
      ipvs: secure_tcp does provide alternate state timeouts
      ipvs: Enhance grammar used to refer to Kconfig options

 Documentation/networking/ipvs-sysctl.txt   |   62 ++++++++++++++++++++++++---
 include/linux/netfilter_ipv4/Kbuild        |    1 +
 include/linux/netfilter_ipv4/nf_nat.h      |   58 ++++++++++++++++++++++++++
 include/net/ip_vs.h                        |   11 ++---
 include/net/netfilter/nf_conntrack_tuple.h |   27 +------------
 include/net/netfilter/nf_nat.h             |   26 +-----------
 net/bridge/netfilter/ebt_ulog.c            |    7 +--
 net/ipv4/netfilter/ipt_CLUSTERIP.c         |    1 -
 net/ipv4/netfilter/ipt_ULOG.c              |    4 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c     |   22 +---------
 net/ipv6/netfilter/nf_conntrack_reasm.c    |    7 +--
 net/netfilter/ipset/ip_set_core.c          |    4 +-
 net/netfilter/ipvs/ip_vs_core.c            |   20 ++++-----
 net/netfilter/ipvs/ip_vs_ctl.c             |   22 +++-------
 net/netfilter/ipvs/ip_vs_dh.c              |    5 +-
 net/netfilter/ipvs/ip_vs_ftp.c             |    5 +-
 net/netfilter/ipvs/ip_vs_lblc.c            |    9 +---
 net/netfilter/ipvs/ip_vs_lblcr.c           |   13 ++----
 net/netfilter/ipvs/ip_vs_nfct.c            |    2 +-
 net/netfilter/ipvs/ip_vs_proto.c           |    5 +-
 net/netfilter/ipvs/ip_vs_proto_sctp.c      |   14 ++----
 net/netfilter/ipvs/ip_vs_proto_tcp.c       |    6 +--
 net/netfilter/ipvs/ip_vs_proto_udp.c       |    5 +-
 net/netfilter/ipvs/ip_vs_sh.c              |    5 +-
 net/netfilter/ipvs/ip_vs_wrr.c             |    5 +-
 net/netfilter/ipvs/ip_vs_xmit.c            |    2 +-
 net/netfilter/nf_conntrack_core.c          |    5 +--
 net/netfilter/nfnetlink_log.c              |    7 +--
 net/netfilter/xt_IDLETIMER.c               |    2 -
 net/netfilter/xt_hashlimit.c               |    5 +--
 30 files changed, 178 insertions(+), 189 deletions(-)
 create mode 100644 include/linux/netfilter_ipv4/nf_nat.h

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

Hi Simon,

On Mon, Nov 07, 2011 at 12:07:01PM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> I am a little confused. The nf-next branch seems to have disappeared.
> 
> Could you consider pulling git://github.com/horms/ipvs-next.git master
> to get the following changes that were in your nf-next branch.

I was late to get it into net-next. Since net-next became net after
the 3.1 release, my moved those changes to net to get it into 3.2
once Linus announced that the merge window was opened again.

> Or would
> you like me to rebase the ipvs patches (9 or the 11 changes below) on
> top of git://1984.lsi.us.es/net-next/.git master ?

They are already in net davem's tree, they will be included in the
upcoming 3.2 release.

http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet.git&a=search&h=HEAD&st=commit&s=Neira

Re: [GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

On Mon, Nov 07, 2011 at 09:29:56AM +0100, Pablo Neira Ayuso wrote:
> Hi Simon,
> 
> On Mon, Nov 07, 2011 at 12:07:01PM +0900, Simon Horman wrote:
> > Hi Pablo,
> > 
> > I am a little confused. The nf-next branch seems to have disappeared.
> > 
> > Could you consider pulling git://github.com/horms/ipvs-next.git master
> > to get the following changes that were in your nf-next branch.
> 
> I was late to get it into net-next. Since net-next became net after
> the 3.1 release, my moved those changes to net to get it into 3.2
> once Linus announced that the merge window was opened again.
> 
> > Or would
> > you like me to rebase the ipvs patches (9 or the 11 changes below) on
> > top of git://1984.lsi.us.es/net-next/.git master ?
> 
> They are already in net davem's tree, they will be included in the
> upcoming 3.2 release.
> 
> http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet.git&a=search&h=HEAD&st=commit&s=Neira

Thanks, and sorry for missing that when I checked yesterday.

Could you suggest which tree and branch I should base the master branch of my
ipvs and ipvs-next trees on? Their purposes are to provide a reference for
people wishing to fix or enhance IPVS and a mechanism to send pull requests to
you. As of now I am using the master branch of your net tree for both.

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

On Wed, Nov 09, 2011 at 09:58:07AM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> On Mon, Nov 07, 2011 at 09:29:56AM +0100, Pablo Neira Ayuso wrote:
> > Hi Simon,
> > 
> > On Mon, Nov 07, 2011 at 12:07:01PM +0900, Simon Horman wrote:
> > > Hi Pablo,
> > > 
> > > I am a little confused. The nf-next branch seems to have disappeared.
> > > 
> > > Could you consider pulling git://github.com/horms/ipvs-next.git master
> > > to get the following changes that were in your nf-next branch.
> > 
> > I was late to get it into net-next. Since net-next became net after
> > the 3.1 release, my moved those changes to net to get it into 3.2
> > once Linus announced that the merge window was opened again.
> > 
> > > Or would
> > > you like me to rebase the ipvs patches (9 or the 11 changes below) on
> > > top of git://1984.lsi.us.es/net-next/.git master ?
> > 
> > They are already in net davem's tree, they will be included in the
> > upcoming 3.2 release.
> > 
> > http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet.git&a=search&h=HEAD&st=commit&s=Neira
> 
> Thanks, and sorry for missing that when I checked yesterday.
> 
> Could you suggest which tree and branch I should base the master branch of my
> ipvs and ipvs-next trees on? Their purposes are to provide a reference for
> people wishing to fix or enhance IPVS and a mechanism to send pull requests to
> you. As of now I am using the master branch of your net tree for both.

The 1984.lsi.us.es trees are fine.

There are no branch yet because I have no patches queued for upstream
so far. You can use master if you don't see any nf branch, OK?

Re: [GIT PULL nf-next] IPVS

[Simon Horman]

On Wed, Nov 09, 2011 at 03:36:41PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Nov 09, 2011 at 09:58:07AM +0900, Simon Horman wrote:
> > Hi Pablo,
> > 
> > On Mon, Nov 07, 2011 at 09:29:56AM +0100, Pablo Neira Ayuso wrote:
> > > Hi Simon,
> > > 
> > > On Mon, Nov 07, 2011 at 12:07:01PM +0900, Simon Horman wrote:
> > > > Hi Pablo,
> > > > 
> > > > I am a little confused. The nf-next branch seems to have disappeared.
> > > > 
> > > > Could you consider pulling git://github.com/horms/ipvs-next.git master
> > > > to get the following changes that were in your nf-next branch.
> > > 
> > > I was late to get it into net-next. Since net-next became net after
> > > the 3.1 release, my moved those changes to net to get it into 3.2
> > > once Linus announced that the merge window was opened again.
> > > 
> > > > Or would
> > > > you like me to rebase the ipvs patches (9 or the 11 changes below) on
> > > > top of git://1984.lsi.us.es/net-next/.git master ?
> > > 
> > > They are already in net davem's tree, they will be included in the
> > > upcoming 3.2 release.
> > > 
> > > http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet.git&a=search&h=HEAD&st=commit&s=Neira
> > 
> > Thanks, and sorry for missing that when I checked yesterday.
> > 
> > Could you suggest which tree and branch I should base the master branch of my
> > ipvs and ipvs-next trees on? Their purposes are to provide a reference for
> > people wishing to fix or enhance IPVS and a mechanism to send pull requests to
> > you. As of now I am using the master branch of your net tree for both.
> 
> The 1984.lsi.us.es trees are fine.
> 
> There are no branch yet because I have no patches queued for upstream
> so far. You can use master if you don't see any nf branch, OK?

Ok :)

[GIT PULL nf-next] IPVS

[Simon Horman]

Hi Pablo,

please consider pulling the following to get some
documentation changes from myself.

The following changes since commit 6fa4dec85e199f31774faf29be26a53329d02e9e:

  ipvs: Removed unused variables (2011-09-28 21:09:24 +0200)

are available in the git repository at:
  git@github.com:horms/ipvs-next.git master

Simon Horman (2):
      IPVS: secure_tcp does provide alternate state timeouts
      IPVS: Enhance grammar used to refer to Kconfig options

 Documentation/networking/ipvs-sysctl.txt |   14 ++++++--------
 1 files changed, 6 insertions(+), 8 deletions(-)

Re: [GIT PULL nf-next] IPVS

[Pablo Neira Ayuso]

On Sat, Oct 01, 2011 at 12:34:17PM +0900, Simon Horman wrote:
> Hi Pablo,
> 
> please consider pulling the following to get some
> documentation changes from myself.
> 
> The following changes since commit 6fa4dec85e199f31774faf29be26a53329d02e9e:
> 
>   ipvs: Removed unused variables (2011-09-28 21:09:24 +0200)
> 
> are available in the git repository at:
>   git@github.com:horms/ipvs-next.git master
> 
> Simon Horman (2):
>       IPVS: secure_tcp does provide alternate state timeouts
>       IPVS: Enhance grammar used to refer to Kconfig options
> 
>  Documentation/networking/ipvs-sysctl.txt |   14 ++++++--------

Pulled, thanks Simon.

http://1984.lsi.us.es/git/?p=net-next/.git;a=shortlog;h=refs/heads/nf-next