linux/net/netfilter, branch v3.2.2Linux kernel source treehttps://git.amat.us/linux/atom/net/netfilter?h=v3.2.22011-12-31T15:59:04Znetfilter: ctnetlink: fix timeout calculation2011-12-31T15:59:04ZXi Wangxi.wang@gmail.com2011-12-30T15:40:17Zurn:sha1:c121638277a71c1e1fb44c3e654ea353357bbc2c
The sanity check (timeout < 0) never works; the dividend is unsigned
and so is the division, which should have been a signed division.
long timeout = (ct->timeout.expires - jiffies) / HZ;
if (timeout < 0)
timeout = 0;
This patch converts the time values to signed for the division.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ipvs: try also real server with port 0 in backup server2011-12-31T15:06:29ZJulian Anastasovja@ssi.bg2011-12-30T05:19:02Zurn:sha1:52793dbe3d60bd73bbebe28b2bfc9f6b4b920d4c
We should not forget to try for real server with port 0
in the backup server when processing the sync message. We should
do it in all cases because the backup server can use different
forwarding method.
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Merge branch 'nf' of git://1984.lsi.us.es/net2011-12-24T21:10:26ZDavid S. Millerdavem@davemloft.net2011-12-24T21:10:26Zurn:sha1:c43c5f39584c0f388a7e5372312c2c48221a4415netfilter: ctnetlink: fix scheduling while atomic if helper is autoloaded2011-12-24T18:49:04ZPablo Neira Ayusopablo@netfilter.org2011-12-24T18:28:47Zurn:sha1:1a31a4a8388a90e9240fb4e5e5c9c909fcfdfd0e
This patch fixes one scheduling while atomic error:
[ 385.565186] ctnetlink v0.93: registering with nfnetlink.
[ 385.565349] BUG: scheduling while atomic: lt-expect_creat/16163/0x00000200
It can be triggered with utils/expect_create included in
libnetfilter_conntrack if the FTP helper is not loaded.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: fix return value of ctnetlink_get_expect()2011-12-24T18:49:04ZPablo Neira Ayusopablo@netfilter.org2011-12-24T18:03:46Zurn:sha1:81378f728fe560e175fb2e8fd33206793567e896
This fixes one bogus error that is returned to user-space:
libnetfilter_conntrack/utils# ./expect_get
TEST: get expectation (-1)(Unknown error 18446744073709551504)
This patch includes the correct handling for EAGAIN (nfnetlink
uses this error value to restart the operation after module
auto-loading).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_connbytes: handle negation correctly2011-12-23T13:50:19ZFlorian Westphalfw@strlen.de2011-12-16T17:35:15Zurn:sha1:0354b48f633ae435acbc01b470a1ce8cfeff3e9f
"! --connbytes 23:42" should match if the packet/byte count is not in range.
As there is no explict "invert match" toggle in the match structure,
userspace swaps the from and to arguments
(i.e., as if "--connbytes 42:23" were given).
However, "what <= 23 && what >= 42" will always be false.
Change things so we use "||" in case "from" is larger than "to".
This change may look like it breaks backwards compatibility when "to" is 0.
However, older iptables binaries will refuse "connbytes 42:0",
and current releases treat it to mean "! --connbytes 0:42",
so we should be fine.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: Remove ADVANCED dependency from NF_CONNTRACK_NETBIOS_NS2011-12-02T03:19:01ZDavid S. Millerdavem@davemloft.net2011-12-02T03:19:01Zurn:sha1:3ced1be5490f5c415d51a1e5918beeb9239d546b
firewalld in Fedora 16 needs this.
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge branch 'nf' of git://1984.lsi.us.es/net2011-11-29T06:20:55ZDavid S. Millerdavem@davemloft.net2011-11-29T06:20:55Zurn:sha1:c1baa88431fe0fe4fad492dece4177a7735f89cfnetfilter: Remove NOTRACK/RAW dependency on NETFILTER_ADVANCED.2011-11-23T21:07:00ZDavid S. Millerdavem@davemloft.net2011-11-23T21:07:00Zurn:sha1:46a246c4dff9f248913e791b69f2336cd8d4ec41
Distributions are using this in their default scripts, so don't hide
them behind the advanced setting.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: nf_conntrack: make event callback registration per-netns2011-11-21T23:34:47ZPablo Neira Ayusopablo@netfilter.org2011-11-21T23:16:51Zurn:sha1:70e9942f17a6193e9172a804e6569a8806633d6b
This patch fixes an oops that can be triggered following this recipe:
0) make sure nf_conntrack_netlink and nf_conntrack_ipv4 are loaded.
1) container is started.
2) connect to it via lxc-console.
3) generate some traffic with the container to create some conntrack
entries in its table.
4) stop the container: you hit one oops because the conntrack table
cleanup tries to report the destroy event to user-space but the
per-netns nfnetlink socket has already gone (as the nfnetlink
socket is per-netns but event callback registration is global).
To fix this situation, we make the ctnl_notifier per-netns so the
callback is registered/unregistered if the container is
created/destroyed.
Alex Bligh and Alexey Dobriyan originally proposed one small patch to
check if the nfnetlink socket is gone in nfnetlink_has_listeners,
but this is a very visited path for events, thus, it may reduce
performance and it looks a bit hackish to check for the nfnetlink
socket only to workaround this situation. As a result, I decided
to follow the bigger path choice, which seems to look nicer to me.
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Reported-by: Alex Bligh <alex@alex.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>