linux/include/net/netfilter, branch v3.4.55Linux kernel source treehttps://git.amat.us/linux/atom/include/net/netfilter?h=v3.4.552012-10-21T16:28:00Znetfilter: nf_conntrack: fix racy timer handling with reliable events2012-10-21T16:28:00ZPablo Neira Ayusopablo@netfilter.org2012-08-29T16:25:49Zurn:sha1:7fcbcdc96302e9d3e3b36df4fbc86a4c82761092
commit 5b423f6a40a0327f9d40bc8b97ce9be266f74368 upstream.
Existing code assumes that del_timer returns true for alive conntrack
entries. However, this is not true if reliable events are enabled.
In that case, del_timer may return true for entries that were
just inserted in the dying list. Note that packets / ctnetlink may
hold references to conntrack entries that were just inserted to such
list.
This patch fixes the issue by adding an independent timer for
event delivery. This increases the size of the ecache extension.
Still we can revisit this later and use variable size extensions
to allocate this area on demand.
Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
netfilter: xt_LOG: don't use xchg() for simple assignment2012-03-26T12:00:28ZJan BeulichJBeulich@suse.com2012-03-07T23:45:44Zurn:sha1:f3d229c68bb47170f04f81e51c9ed5d4286cebdb
At least on ia64 the (bogus) use of xchg() here results in the compiler
warning about an unused expression result. As only an assignment is
intended here, convert it to such.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: cttimeout: fix dependency with l4protocol conntrack module2012-03-22T23:52:01ZPablo Neira Ayusopablo@netfilter.org2012-03-22T22:40:01Zurn:sha1:c1ebd7dff700277e4d0a3da36833a406142e31d4
This patch introduces nf_conntrack_l4proto_find_get() and
nf_conntrack_l4proto_put() to fix module dependencies between
timeout objects and l4-protocol conntrack modules.
Thus, we make sure that the module cannot be removed if it is
used by any of the cttimeout objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_LOG: add __printf() to sb_add()2012-03-07T16:41:52ZEric Dumazeteric.dumazet@gmail.com2012-03-01T02:56:59Zurn:sha1:ace30d73ef09fd5f95b24c5c1c5aa11963981494
Helps to find format mismatches at compile time
Suggested-by: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
netfilter: nf_ct_ext: add timeout extension2012-03-07T16:41:25ZPablo Neira Ayusopablo@netfilter.org2012-02-28T22:36:48Zurn:sha1:dd705072412225a97784fe38feee2ebf8d14814d
This patch adds the timeout extension, which allows you to attach
specific timeout policies to flows.
This extension is only used by the template conntrack.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: add cttimeout infrastructure for fine timeout tuning2012-03-07T16:41:22ZPablo Neira Ayusopablo@netfilter.org2012-02-28T18:13:48Zurn:sha1:50978462300f74dc48aea4a38471cb69bdf741a5
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.
The follow up patches will allow you attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_conntrack: pass timeout array to l4->new and l4->packet2012-03-07T16:41:19ZPablo Neira Ayusopablo@netfilter.org2012-02-28T17:23:31Zurn:sha1:2c8503f55fbdfbeff4164f133df804cf4d316290
This patch defines a new interface for l4 protocol trackers:
unsigned int *(*get_timeouts)(struct net *net);
that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.
This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom custom timeout configuration by means of follow-up
patches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: allow to set expectfn for expectations2012-03-07T16:40:46ZPablo Neira Ayusopablo@netfilter.org2012-02-05T02:44:51Zurn:sha1:544d5c7d9f4d1ec4f170bc5bcc522012cb7704bc
This patch allows you to set expectfn which is specifically used
by the NAT side of most of the existing conntrack helpers.
I have added a symbol map that uses a string as key to look up for
the function that is attached to the expectation object. This is
the best solution I came out with to solve this issue.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: fix soft lockup when netlink adds new entries (v2)2012-02-24T11:24:15ZJozsef Kadlecsikkadlec@blackhole.kfki.hu2012-02-24T10:45:49Zurn:sha1:7d367e06688dc7a2cc98c2ace04e1296e1d987e2
Marcell Zambo and Janos Farago noticed and reported that when
new conntrack entries are added via netlink and the conntrack table
gets full, soft lockup happens. This is because the nf_conntrack_lock
is held while nf_conntrack_alloc is called, which is in turn wants
to lock nf_conntrack_lock while evicting entries from the full table.
The patch fixes the soft lockup with limiting the holding of the
nf_conntrack_lock to the minimum, where it's absolutely required.
It required to extend (and thus change) nf_conntrack_hash_insert
so that it makes sure conntrack and ctnetlink do not add the same entry
twice to the conntrack table.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'nf-next' of git://1984.lsi.us.es/net-next2011-12-25T07:21:45ZDavid S. Millerdavem@davemloft.net2011-12-25T07:21:45Zurn:sha1:c5e1fd8ccae09f574d6f978c90c2b968ee29030c