linux/net/ipv4, branch v3.1 Linux kernel source tree https://git.amat.us/linux/atom/net/ipv4?h=v3.1 2011-10-19T07:21:35Z tproxy: copy transparent flag when creating a time wait 2011-10-19T07:21:35Z KOVACS Krisztian hidden@balabit.hu 2011-10-18T10:17:35Z urn:sha1:58af19e387d8821927e49be3f467da5e6a0aa8fd The transparent socket option setting was not copied to the time wait socket when an inet socket was being replaced by a time wait socket. This broke the --transparent option of the socket match and may have caused that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state were being dropped by the packet filter. Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: David S. Miller <davem@davemloft.net> tcp: properly update lost_cnt_hint during shifting 2011-10-05T03:31:24Z Yan, Zheng zheng.z.yan@intel.com 2011-10-02T04:21:50Z urn:sha1:1e5289e121372a3494402b1b131b41bfe1cf9b7f lost_skb_hint is used by tcp_mark_head_lost() to mark the first unhandled skb. lost_cnt_hint is the number of packets or sacked packets before the lost_skb_hint; When shifting a skb that is before the lost_skb_hint, if tcp_is_fack() is ture, the skb has already been counted in the lost_cnt_hint; if tcp_is_fack() is false, tcp_sacktag_one() will increase the lost_cnt_hint. So tcp_shifted_skb() does not need to adjust the lost_cnt_hint by itself. When shifting a skb that is equal to lost_skb_hint, the shifted packets will not be counted by tcp_mark_head_lost(). So tcp_shifted_skb() should adjust the lost_cnt_hint even tcp_is_fack(tp) is true. Signed-off-by: Zheng Yan <zheng.z.yan@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> tcp: properly handle md5sig_pool references 2011-10-05T03:31:24Z Yan, Zheng zheng.z.yan@intel.com 2011-09-29T17:10:10Z urn:sha1:260fcbeb1ae9e768a44c9925338fbacb0d7e5ba9 tcp_v4_clear_md5_list() assumes that multiple tcp md5sig peers only hold one reference to md5sig_pool. but tcp_v4_md5_do_add() increases use count of md5sig_pool for each peer. This patch makes tcp_v4_md5_do_add() only increases use count for the first tcp md5sig peer. Signed-off-by: Zheng Yan <zheng.z.yan@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> tcp: fix validation of D-SACK 2011-09-19T02:37:34Z Zheng Yan zheng.z.yan@intel.com 2011-09-19T02:37:34Z urn:sha1:f779b2d60ab95c17f1e025778ed0df3ec2f05d75 D-SACK is allowed to reside below snd_una. But the corresponding check in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo. Signed-off-by: Zheng Yan <zheng.z.yan@intel.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> ipv4: Fix fib_info->fib_metrics leak 2011-09-16T21:42:26Z Yan, Zheng zheng.z.yan@intel.com 2011-09-04T20:24:20Z urn:sha1:19c1ea14c930db5e9c0cd7c3c6f4d01457dfcd69 Commit 4670994d(net,rcu: convert call_rcu(fc_rport_free_rcu) to kfree_rcu()) introduced a memory leak. This patch reverts it. Signed-off-by: Zheng Yan <zheng.z.yan@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Merge branch 'master' of ../netdev/ 2011-09-16T05:09:02Z David S. Miller davem@davemloft.net 2011-09-16T05:09:02Z urn:sha1:52b9aca7ae8726d1fb41b97dd1d243d107fef11b tcp: Change possible SYN flooding messages 2011-09-15T18:49:43Z Eric Dumazet eric.dumazet@gmail.com 2011-08-30T03:21:44Z urn:sha1:946cedccbd7387488d2cee5da92cdfeb28d2e670 "Possible SYN flooding on port xxxx " messages can fill logs on servers. Change logic to log the message only once per listener, and add two new SNMP counters to track : TCPReqQFullDoCookies : number of times a SYNCOOKIE was replied to client TCPReqQFullDrop : number of times a SYN request was dropped because syncookies were not enabled. Based on a prior patch from Tom Herbert, and suggestions from David. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> net: ipv4: relax AF_INET check in bind() 2011-08-30T22:57:00Z Eric Dumazet eric.dumazet@gmail.com 2011-08-30T22:57:00Z urn:sha1:29c486df6a208432b370bd4be99ae1369ede28d8 commit d0733d2e29b65 (Check for mistakenly passed in non-IPv4 address) added regression on legacy apps that use bind() with AF_UNSPEC family. Relax the check, but make sure the bind() is done on INADDR_ANY addresses, as AF_UNSPEC has probably no sane meaning for other addresses. Bugzilla reference : https://bugzilla.kernel.org/show_bug.cgi?id=42012 Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Reported-and-bisected-by: Rene Meier <r_meier@freenet.de> CC: Marcus Meissner <meissner@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net> Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 2011-08-30T21:43:56Z David S. Miller davem@davemloft.net 2011-08-30T21:43:56Z urn:sha1:785824165508a65478474f0c87f6b8c3ad048c62 netfilter: nf_queue: reject NF_STOLEN verdicts from userspace 2011-08-30T13:01:20Z Florian Westphal fw@strlen.de 2011-08-30T13:01:20Z urn:sha1:c6675233f9015d3c0460c8aab53ed9b99d915c64 A userspace listener may send (bogus) NF_STOLEN verdict, which causes skb leak. This problem was previously fixed via 64507fdbc29c3a622180378210ecea8659b14e40 (netfilter: nf_queue: fix NF_STOLEN skb leak) but this had to be reverted because NF_STOLEN can also be returned by a netfilter hook when iterating the rules in nf_reinject. Reject userspace NF_STOLEN verdict, as suggested by Michal Miroslaw. This is complementary to commit fad54440438a7c231a6ae347738423cbabc936d9 (netfilter: avoid double free in nf_reinject). Cc: Julian Anastasov <ja@ssi.bg> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net>