Johannes Berg [Wed, 19 Dec 2007 00:31:23 +0000 (01:31 +0100)]
mac80211: clean up eapol handling in TX path
The previous patch left only one user of the ieee80211_is_eapol()
function and that user can be eliminated easily by introducing
a new "frame is EAPOL" flag to handle the frame specially (we
already have this information) instead of doing the (expensive)
ieee80211_is_eapol() all the time.
Also, allow unencrypted frames to be sent when they are injected.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johannes Berg [Wed, 19 Dec 2007 00:31:22 +0000 (01:31 +0100)]
mac80211: clean up eapol frame handling/port control
This cleans up the eapol frame handling and some related code in the
receive and transmit paths. After this patch
* EAPOL frames addressed to us or the EAPOL group address are
always accepted regardless of whether they are encrypted or not
* other frames from a station are dropped if PAE is enabled and
the station is not authorized
* unencrypted frames (except the EAPOL frames above) are dropped if
drop_unencrypted is enabled
* some superfluous code that eth_type_trans handles anyway is gone
* port control is done for transmitted packets
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mattias Nissler [Thu, 20 Dec 2007 12:27:26 +0000 (13:27 +0100)]
rc80211-pid: export tuning parameters through debugfs
This adds all the tunable parameters used by rc80211_pid to debugfs for easy
testing and tuning.
Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mattias Nissler [Wed, 19 Dec 2007 00:27:18 +0000 (01:27 +0100)]
rc80211-pid: add debugging
This adds a new debugfs file from which rate control relevant events can be
read one event per line. The output includes the current time, so graphs can be
created showing the rate control parameters. This helps in evaluating and
tuning rate control parameters. While at it, we split headers and code for
better readability.
Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stefano Brivio [Wed, 19 Dec 2007 00:26:52 +0000 (01:26 +0100)]
rc80211-pid: add sharpening factor
This patch introduces a PID sharpening factor for faster response after
association and low activity events.
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stefano Brivio [Wed, 19 Dec 2007 00:26:34 +0000 (01:26 +0100)]
rc80211-pid: add rate behaviour learning algorithm
This patch introduces a learning algorithm in order for the PID controller
to learn how to map adjustment values to rates. This is better described in
code comments.
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stefano Brivio [Wed, 19 Dec 2007 00:26:16 +0000 (01:26 +0100)]
mac80211: make PID rate control algorithm the default
This makes the new PID TX rate control algorithm the default instead of the
rc80211_simple rate control algorithm. The simple algorithm was flawed in
several ways: it wasn't responsive at all and didn't age the information it was
relying on properly. The PID algorithm allows us to tune characteristics such
as responsiveness by adjusting parameters and was found to generally behave
better.
The default algorithm can be overridden to select simple instead. Which
ever algorithm is the default is included as part of the mac80211
module automatically. The other algorithm (simple vs. pid) can
be selected for inclusion as well. If EMBEDDED is selected then
the choice is available to have no default specified and neither
algorithm included in mac80211. The default algorithm can be set
through a modparam.
While at it, mark rc80211-simple as deprecated, and schedule it
for removal.
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Fri, 21 Dec 2007 05:48:32 +0000 (21:48 -0800)]
[TCP] Avoid two divides in tcp_output.c
Because 'free_space' variable in __tcp_select_window() is signed,
expression (free_space / 2) forces compiler to emit an integer divide.
This can be changed to a plain right shift, less expensive.
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Moore [Fri, 21 Dec 2007 04:49:33 +0000 (20:49 -0800)]
[XFRM]: Assorted IPsec fixups
This patch fixes a number of small but potentially troublesome things in the
XFRM/IPsec code:
* Use the 'audit_enabled' variable already in include/linux/audit.h
Removed the need for extern declarations local to each XFRM audit fuction
* Convert 'sid' to 'secid' everywhere we can
The 'sid' name is specific to SELinux, 'secid' is the common naming
convention used by the kernel when refering to tokenized LSM labels,
unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
we risk breaking userspace
* Convert address display to use standard NIP* macros
Similar to what was recently done with the SPD audit code, this also also
includes the removal of some unnecessary memcpy() calls
* Move common code to xfrm_audit_common_stateinfo()
Code consolidation from the "less is more" book on software development
* Proper spacing around commas in function arguments
Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Masahide NAKAMURA [Fri, 21 Dec 2007 04:44:02 +0000 (20:44 -0800)]
[XFRM]: Add packet processing statistics option.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Masahide NAKAMURA [Fri, 21 Dec 2007 04:43:36 +0000 (20:43 -0800)]
[XFRM]: Support to increment packet dropping statistics.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Masahide NAKAMURA [Fri, 21 Dec 2007 04:42:57 +0000 (20:42 -0800)]
[XFRM]: Define packet dropping statistics.
This statistics is shown factor dropped by transformation
at /proc/net/xfrm_stat for developer.
It is a counter designed from current transformation source code
and defined as linux private MIB.
See Documentation/networking/xfrm_proc.txt for the detail.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Masahide NAKAMURA [Fri, 21 Dec 2007 04:41:57 +0000 (20:41 -0800)]
[XFRM] MIPv6: Fix to input RO state correctly.
Disable spin_lock during xfrm_type.input() function.
Follow design as IPsec inbound does.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Masahide NAKAMURA [Fri, 21 Dec 2007 04:41:12 +0000 (20:41 -0800)]
[XFRM] IPv6: Fix dst/routing check at transformation.
IPv6 specific thing is wrongly removed from transformation at net-2.6.25.
This patch recovers it with current design.
o Update "path" of xfrm_dst since IPv6 transformation should
care about routing changes. It is required by MIPv6 and
off-link destined IPsec.
o Rename nfheader_len which is for non-fragment transformation used by
MIPv6 to rt6i_nfheader_len as IPv6 name space.
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ilpo Järvinen [Fri, 21 Dec 2007 04:36:03 +0000 (20:36 -0800)]
[TCP]: Fix TSO deferring
I'd say that most of what tcp_tso_should_defer had in between
there was dead code because of this.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:10:38 +0000 (20:10 -0800)]
[TG3]: Update version to 3.87
This patch updates the version number to 3.87.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:10:01 +0000 (20:10 -0800)]
[TG3]: Fix supporting flowctrl code
This patch does three things. It modifies tg3_setup_flow_control() to
use the administrator requested flow control settings if
autonegotiation is turned off. It slightly modifies the
tg3_setup_fiber_mii_phy() function to account for this new use case.
And finally, it does the same for tg3_setup_copper_phy().
The copper modifications are more than a small multi-line change. The
new code makes an attempt to avoid a link renegotiation if the link is
active at half duplex and the only difference between the current
advertised settings and requested advertised settings is the
flow control advertisements.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:09:29 +0000 (20:09 -0800)]
[TG3]: Correct sw autoneg flow control advertisements
This patch modifies the software autoneg code to use the administrator
specified flow control parameters. Since the autonegotiation code uses
alternative flow control enumerations, the 1000-BaseX utility functions
are used and code was added to convert the definitions to and from the
alternate enumerations.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:09:00 +0000 (20:09 -0800)]
[TG3]: Correct 5704S flowctrl advertisements
This patch modifies the 5704S hardware autoneg code to use the
administrator specified flow control parameters. Since the 5704S uses
device specific flow control enumerations, the 1000-BaseX utility
functions are used and code was added to convert the definitions to and
from the proprietary enumerations.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:08:32 +0000 (20:08 -0800)]
[TG3]: Replace some magic 5704S constants
This patch replaces magic values with preprocessor definitions for
the sg_dig_ctrl and sg_dig_status registers. This is preparatory work
for the next patch.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:08:00 +0000 (20:08 -0800)]
[TG3]: Add 1000T & 1000X flowctl adv helpers
This patch adds two functions designed to convert abstract TX & RX
flow control parameters to 1000-BaseT and 1000-BaseX autonegotiation
advertisements. Code that uses standard definitions which statically
advertises TX & RX flow control has been replaced with code that
configures the advertisements based on administrator dictated
preferences.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:06:19 +0000 (20:06 -0800)]
[TG3]: Add 1000T & 1000X flowctrl resolvers
This patch adds two new utility functions to resolve flow control. One
function resolves flow control based on 1000-BaseT register definitions.
The other resolves flow control based on 1000-Base X register
definitions.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Fri, 21 Dec 2007 04:05:44 +0000 (20:05 -0800)]
[TG3]: Separate requested and actual flow control parameters
This patch removes the TX and RX flow control flags from tg3_flags and
adds two new flow control variables, flowctrl and active_flowctrl.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Emelyanov [Thu, 20 Dec 2007 23:49:05 +0000 (15:49 -0800)]
[NEIGH]: Make neigh_add_timer symmetrical to neigh_del_timer.
The neigh_del_timer() looks sane - it removes the timer and
(conditionally) puts the neighbor. I expected, that the
neigh_add_timer() is symmetrical to the del one - i.e. it
holds the neighbor and arms the timer - but it turned out
that it was not so.
I think, that making them look symmetrical makes the code
more readable.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Emelyanov [Thu, 20 Dec 2007 23:32:54 +0000 (15:32 -0800)]
[INET]: Uninline the inet_twsk_put function.
This one is not that big, but is widely used: saves 1200 bytes
from net/ipv4/built-in.o
add/remove: 1/0 grow/shrink: 1/12 up/down: 97/-1300 (-1203)
function old new delta
inet_twsk_put - 87 +87
__inet_lookup_listener 274 284 +10
tcp_sacktag_write_queue 2255 2254 -1
tcp_time_wait 482 411 -71
__inet_check_established 796 722 -74
tcp_v4_err 973 898 -75
__inet_twsk_kill 230 154 -76
inet_twsk_deschedule 180 103 -77
tcp_v4_do_rcv 462 384 -78
inet_hash_connect 686 607 -79
inet_twdr_do_twkill_work 236 150 -86
inet_twdr_twcal_tick 395 307 -88
tcp_v4_rcv 1744 1480 -264
tcp_timewait_state_process 975 644 -331
Export it for ipv6 module.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Emelyanov [Thu, 20 Dec 2007 23:32:17 +0000 (15:32 -0800)]
[INET]: Uninline the __inet_lookup_established function.
This is -700 bytes from the net/ipv4/built-in.o
add/remove: 1/0 grow/shrink: 1/3 up/down: 340/-1040 (-700)
function old new delta
__inet_lookup_established - 339 +339
tcp_sacktag_write_queue 2254 2255 +1
tcp_v4_err 1304 973 -331
tcp_v4_rcv 2089 1744 -345
tcp_v4_do_rcv 826 462 -364
Exporting is for dccp module (used via e.g. inet_lookup).
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Emelyanov [Thu, 20 Dec 2007 23:31:33 +0000 (15:31 -0800)]
[INET]: Uninline the __inet_hash function.
This one is used in quite many places in the networking code and
seems to big to be inline.
After the patch net/ipv4/build-in.o loses ~650 bytes:
add/remove: 2/0 grow/shrink: 0/5 up/down: 461/-1114 (-653)
function old new delta
__inet_hash_nolisten - 282 +282
__inet_hash - 179 +179
tcp_sacktag_write_queue 2255 2254 -1
__inet_lookup_listener 284 274 -10
tcp_v4_syn_recv_sock 755 493 -262
tcp_v4_hash 389 35 -354
inet_hash_connect 1086 599 -487
This version addresses the issue pointed by Eric, that
while being inline this function was optimized by gcc
in respect to the 'listen_possible' argument.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:13:31 +0000 (14:13 -0800)]
[SCTP]: Follow Add-IP security consideratiosn wrt INIT/INIT-ACK
The Security Considerations section of RFC 5061 has the following
text:
If an SCTP endpoint that supports this extension receives an INIT
that indicates that the peer supports the ASCONF extension but does
NOT support the [RFC4895] extension, the receiver of such an INIT
MUST send an ABORT in response. Note that an implementation is
allowed to silently discard such an INIT as an option as well, but
under NO circumstance is an implementation allowed to proceed with
the association setup by sending an INIT-ACK in response.
An implementation that receives an INIT-ACK that indicates that the
peer does not support the [RFC4895] extension MUST NOT send the
COOKIE-ECHO to establish the association. Instead, the
implementation MUST discard the INIT-ACK and report to the upper-
layer user that an association cannot be established destroying the
Transmission Control Block (TCB).
Follow the recomendations.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:12:59 +0000 (14:12 -0800)]
[SCTP]: Implement ADD-IP special case processing for ABORT chunk
ADD-IP spec has a special case for processing ABORTs:
F4) ... One special consideration is that ABORT
Chunks arriving destined to the IP address being deleted MUST be
ignored (see Section 5.3.1 for further details).
Check if the address we received on is in the DEL state, and if
so, ignore the ABORT.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:12:24 +0000 (14:12 -0800)]
[SCTP]: Change use_as_src into a full address state
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:11:47 +0000 (14:11 -0800)]
[SCTP]: Update ASCONF processing to conform to spec.
The processing of the ASCONF chunks has changed a lot in the
spec. New items are:
1. A list of ASCONF-ACK chunks is now cached
2. The source of the packet is used in response.
3. New handling for unexpect ASCONF chunks.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:11:11 +0000 (14:11 -0800)]
[SCTP]: ADD-IP updates the states where ASCONFs can be sent
C4) Both ASCONF and ASCONF-ACK Chunks MUST NOT be sent in any SCTP
state except ESTABLISHED, SHUTDOWN-PENDING, SHUTDOWN-RECEIVED,
and SHUTDOWN-SENT.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:10:38 +0000 (14:10 -0800)]
[SCTP]: Update association lookup to look at ASCONF chunks as well
ADD-IP draft section 5.2 specifies that if an association can not
be found using the source and destination of the IP packet,
then, if the packet contains ASCONF chunks, the Address Parameter
TLV should be used to lookup an association.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:10:00 +0000 (14:10 -0800)]
[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT
The ADD-IP "Set Primary IP Address" parameter is allowed in the
INIT/INIT-ACK exchange. Allow processing of this parameter during
the INIT/INIT-ACK.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:08:56 +0000 (14:08 -0800)]
[SCTP]: Handle the wildcard ADD-IP Address parameter
The Address Parameter in the parameter list of the ASCONF chunk
may be a wildcard address. In this case special processing
is required. For the 'add' case, the source IP of the packet is
added. In the 'del' case, all addresses except the source IP
of packet are removed. In the "mark primary" case, the source
address is marked as primary.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich [Thu, 20 Dec 2007 22:08:04 +0000 (14:08 -0800)]
[SCTP]: Discard unauthenticated ASCONF and ASCONF ACK chunks
Now that we support AUTH, discard unauthenticated ASCONF and ASCONF ACK
chunks as mandated in the ADD-IP spec.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Thu, 20 Dec 2007 21:53:40 +0000 (13:53 -0800)]
[IPSEC]: Rename tunnel-mode functions to avoid collisions with tunnels
It appears that I've managed to create two different functions both
called xfrm6_tunnel_output. This is because we have the plain tunnel
encapsulation named xfrmX_tunnel as well as the tunnel-mode encapsulation
which lives in the files xfrmX_mode_tunnel.c.
This patch renames functions from the latter to use the xfrmX_mode_tunnel
prefix to avoid name-space conflicts.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mattias Nissler [Wed, 19 Dec 2007 00:25:57 +0000 (01:25 +0100)]
mac80211: add PID controller based rate control algorithm
Add a new rate control algorithm based on a PID controller. It samples the
percentage of failed frames over time, feeds the result into the controller and
uses its output to control the TX rate.
Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mattias Nissler [Thu, 20 Dec 2007 12:50:07 +0000 (13:50 +0100)]
mac80211: clean up rate selection
Move some code out of rc80211_simple since it's probably needed for all rate
selection algorithms, and fix iwlwifi accordingly. While at it, clean up the
rate_control_get_rate() interface.
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ron Rindjunsky [Tue, 18 Dec 2007 15:23:53 +0000 (17:23 +0200)]
mac80211: pass in PS_POLL frames
This patch fixes should_drop_frame function to pass in ps poll control
frames required for power save functioanlity. Interface types that do not
have interest for PS POLL frames now drop it in handler.
Signed-off-by: Ron Rindjunsky <ron.rindjunsky@intel.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Thu, 20 Dec 2007 12:13:21 +0000 (04:13 -0800)]
[SNMP]: Fix SNMP counters with PREEMPT
The SNMP macros use raw_smp_processor_id() in process context
which is illegal because the process may be preempted and then
migrated to another CPU.
This patch makes it use get_cpu/put_cpu to disable preemption.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Perches [Thu, 20 Dec 2007 12:07:35 +0000 (04:07 -0800)]
[NIU]: Use print_mac
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Perches [Thu, 20 Dec 2007 12:06:59 +0000 (04:06 -0800)]
[TG3]: Use print_mac
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Perches [Thu, 20 Dec 2007 12:06:25 +0000 (04:06 -0800)]
[SUNVNET]: Use print_mac
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Wed, 19 Dec 2007 06:14:25 +0000 (22:14 -0800)]
[IPSEC]: Do xfrm_state_check_space before encapsulation
While merging the IPsec output path I moved the encapsulation output
operation to the top of the loop so that it sits outside of the locked
section. Unfortunately in doing so it now sits in front of the space
check as well which could be a fatal error.
This patch rearranges the calls so that the space check happens as
the thing on the output path.
This patch also fixes an incorrect goto should the encapsulation output
fail.
Thanks to Kazunori MIYAZAWA for finding this bug.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:47:05 +0000 (22:47 -0800)]
[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option
The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter
options when disabled and provides defaults (M) that should allow to
run a distribution firewall without further thinking.
Defaults to 'y' to avoid breaking current configurations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:45:52 +0000 (22:45 -0800)]
[NETFILTER]: non-power-of-two jhash optimizations
Apply Eric Dumazet's jhash optimizations where applicable. Quoting Eric:
Thanks to jhash, hash value uses full 32 bits. Instead of returning
hash % size (implying a divide) we return the high 32 bits of the
(hash * size) that will give results between [0 and size-1] and same
hash distribution.
On most cpus, a multiply is less expensive than a divide, by an order
of magnitude.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 18 Dec 2007 06:45:28 +0000 (22:45 -0800)]
[NETFILTER]: xt_hashlimit: reduce overhead without IPv6
This patch generalizes the (CONFIG_IP6_NF_IPTABLES || CONFIG_IP6_NF_IPTABLES_MODULE)
test done in hashlimit_init_dst() to all the xt_hashlimit module.
This permits a size reduction of "struct dsthash_dst". This saves memory and
cpu for IPV4 only hosts.
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 18 Dec 2007 06:45:13 +0000 (22:45 -0800)]
[NETFILTER]: xt_hashlimit: speedup hash_dst()
1) Using jhash2() instead of jhash() is a litle bit faster if applicable.
2) Thanks to jhash, hash value uses full 32 bits.
Instead of returning hash % size (implying a divide)
we return the high 32 bits of the (hash * size) that will
give results between [0 and size-1] and same hash distribution.
On most cpus, a multiply is less expensive than a divide, by an order
of magnitude.
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Engelhardt [Tue, 18 Dec 2007 06:44:47 +0000 (22:44 -0800)]
[NETFILTER]: xt_connlimit: use the new union nf_inet_addr
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Engelhardt [Tue, 18 Dec 2007 06:44:06 +0000 (22:44 -0800)]
[NETFILTER]: Parenthesize macro parameters
Parenthesize macro parameters.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Engelhardt [Tue, 18 Dec 2007 06:43:50 +0000 (22:43 -0800)]
[NETFILTER]: Introduce nf_inet_address
A few netfilter modules provide their own union of IPv4 and IPv6
address storage. Will unify that in this patch series.
(1/4): Rename union nf_conntrack_address to union nf_inet_addr and
move it to x_tables.h.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Engelhardt [Tue, 18 Dec 2007 06:43:15 +0000 (22:43 -0800)]
[NETFILTER]: x_tables: use %u format specifiers
Use %u format specifiers as ->family is unsigned.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:42:51 +0000 (22:42 -0800)]
[NETFILTER]: nf_nat: properly use RCU for ip_nat_decode_session
We need to use rcu_assign_pointer/rcu_dereference to avoid races.
Also remove an obsolete CONFIG_IP_NAT_NEEDED ifdef.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:42:27 +0000 (22:42 -0800)]
[NETFILTER]: constify nf_afinfo
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:42:09 +0000 (22:42 -0800)]
[NETFILTER]: Kill function prototype for non-existing function
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:41:52 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_log: include GID in netlink message
Similar to Maciej Soltysiak's ipt_LOG patch, include GID in addition
to UID in netlink message.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:41:35 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_log: use endianness-aware attribute functions
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:41:21 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_{queue,log}: return proper error codes in instance_create
Currently we return EINVAL for "instance exists", "allocation failed" and
"module unloaded below us", which is completely inapproriate.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:41:02 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_log: remove excessive debugging
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:40:19 +0000 (22:40 -0800)]
[NETFILTER]: nfnetlink_{queue,log}: return ENOTSUPP for unknown cfg commands
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:39:55 +0000 (22:39 -0800)]
[NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config
Similar to the nfnetlink_queue fixes:
The peer_pid must be checked in all cases when a logging instance exists,
additionally we must check whether an instance exists before attempting
to configure it to avoid NULL ptr dereferences.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:39:27 +0000 (22:39 -0800)]
[NETFILTER]: nf_log: remove incomprehensible comment
Whatever that comment tries to say, I don't get it and it looks like
a leftover from the time when RCU wasn't used properly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:39:08 +0000 (22:39 -0800)]
[NETFILTER]: nf_log: constify struct nf_logger and nf_log_packet loginfo arg
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:38:49 +0000 (22:38 -0800)]
[NETFILTER]: nf_log: move logging stuff to seperate header
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:38:20 +0000 (22:38 -0800)]
[NETFILTER]: nf_nat: pass manip type instead of hook to nf_nat_setup_info
nf_nat_setup_info gets the hook number and translates that to the
manip type to perform. This is a relict from the time when one
manip per hook could exist, the exact hook number doesn't matter
anymore, its converted to the manip type. Most callers already
know what kind of NAT they want to perform, so pass the maniptype
in directly.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:37:52 +0000 (22:37 -0800)]
[NETFILTER]: nf_nat: sprinkle a few __read_mostlys
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:37:36 +0000 (22:37 -0800)]
[NETFILTER]: nf_nat: mark NAT protocols const
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:37:20 +0000 (22:37 -0800)]
[NETFILTER]: nf_nat_proto_gre: add missing module reference
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:37:03 +0000 (22:37 -0800)]
[NETFILTER]: ctnetlink: fix expectation timeout dumping
When the timer is late its timeout might be before the current time,
in which case a very large value is dumped.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:29:45 +0000 (22:29 -0800)]
[NETFILTER]: ctnetlink: use netlink attribute helpers
Use NLA_PUT_BE32, nla_get_be32() etc.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:29:26 +0000 (22:29 -0800)]
[NETLINK]: Add NLA_PUT_BE16/nla_get_be16()
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:29:02 +0000 (22:29 -0800)]
[NETFILTER]: nf_conntrack_sctp: add ctnetlink support
This patch adds support for SCTP to ctnetlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:28:41 +0000 (22:28 -0800)]
[NETFILTER]: ctnetlink: add support for secmark
This patch adds support for James Morris' connsecmark.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:28:19 +0000 (22:28 -0800)]
[NETFILTER]: ctnetlink: add support for master tuple event notification and dumping
This patch adds support for master tuple event notification and
dumping. Conntrackd needs this information to recover related
connections appropriately.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:28:00 +0000 (22:28 -0800)]
[NETFILTER]: ctnetlink: add support for NAT sequence adjustments
The combination of NAT and helpers may produce TCP sequence adjustments.
In failover setups, this information needs to be replicated in order to
achieve a successful recovery of mangled, related connections. This patch is
particularly useful for conntrackd, see:
http://people.netfilter.org/pablo/conntrack-tools/
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Benjamin LaHaise [Tue, 18 Dec 2007 06:27:36 +0000 (22:27 -0800)]
[NETFILTER]: xt_TCPMSS: don't allow netfilter --setmss to increase mss
When terminating DSL connections for an assortment of random customers, I've
found it necessary to use iptables to clamp the MSS used for connections to
work around the various ICMP blackholes in the greater net. Unfortunately,
the current behaviour in Linux is imperfect and actually make things worse,
so I'm proposing the following: increasing the MSS in a packet can never be
a good thing, so make --set-mss only lower the MSS in a packet.
Yes, I am aware of --clamp-mss-to-pmtu, but it doesn't work for outgoing
connections from clients (ie web traffic), as it only looks at the PMTU on
the destination route, not the source of the packet (the DSL interfaces in
question have a 1442 byte MTU while the destination ethernet interface is
1500 -- there are problematic hosts which use a 1300 byte MTU). Reworking
that is probably a good idea at some point, but it's more work than this is.
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:26:54 +0000 (22:26 -0800)]
[NETFILTER]: arp_tables: add compat support
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:26:38 +0000 (22:26 -0800)]
[NETFILTER]: arp_tables: resync get_entries() with ip_tables
Resync get_entries() with ip_tables.c by moving the checks from the
setsockopt handler to the function itself.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 06:26:24 +0000 (22:26 -0800)]
[NETFILTER]: arp_tables: move ARPT_SO_GET_INFO handling to seperate function
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:56:48 +0000 (21:56 -0800)]
[NETFILTER]: arp_tables: move counter allocation to seperate function
More resyncing with ip_tables.c as preparation for compat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:56:33 +0000 (21:56 -0800)]
[NETFILTER]: arp_tables: move entry and target checks to seperate functions
Resync with ip_tables.c as preparation for compat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:56:14 +0000 (21:56 -0800)]
[NETFILTER]: arp_tables: remove ipchains compat hack
Remove compatiblity hack copied from ip_tables.c - ipchains didn't even
support arp_tables :)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:55:59 +0000 (21:55 -0800)]
[NETFILTER]: arp_tables: use vmalloc_node()
Use vmalloc_node() as in ip_tables.c.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:55:34 +0000 (21:55 -0800)]
[NETFILTER]: arp_tables: use XT_ALIGN
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:55:16 +0000 (21:55 -0800)]
[NETFILTER]: arp_tables: remove obsolete standard_check function
The size check is already performed by xt_check_target, no need
to do it again.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:53:40 +0000 (21:53 -0800)]
[NETFILTER]: ip6_tables: use XT_ALIGN
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:53:18 +0000 (21:53 -0800)]
[NETFILTER]: ip_tables: remove ipchains compatibility hack
ipchains support has been removed years ago. kill last remains.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:52:52 +0000 (21:52 -0800)]
[NETFILTER]: ip6_tables: use raw_smp_processor_id() in do_add_counters()
Use raw_smp_processor_id() in do_add_counters() as in ip_tables.c.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:52:35 +0000 (21:52 -0800)]
[NETFILTER]: ip6_tables: fix stack leagage
Fix leakage of local variable on stack. This already got fixed in
ip_tables silently by the compat patches.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:52:15 +0000 (21:52 -0800)]
[NETFILTER]: {ip,ip6}_tables: fix format strings
Use %zu for sizeof() and remove casts.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:52:00 +0000 (21:52 -0800)]
[NETFILTER]: {ip,ip6}_tables: reformat to eliminate differences
Reformat ip_tables.c and ip6_tables.c in order to eliminate non-functional
differences and minimize diff output.
This allows to get a view of the real differences using:
sed -e 's/IP6T/IPT/g' \
-e 's/IP6/IP/g' \
-e 's/INET6/INET/g' \
-e 's/ip6t/ipt/g' \
-e 's/ip6/ip/g' \
-e 's/ipv6/ip/g' \
-e 's/icmp6/icmp/g' \
net/ipv6/netfilter/ip6_tables.c | \
diff -wup /dev/stdin net/ipv4/netfilter/ip_tables.c
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:51:33 +0000 (21:51 -0800)]
[NETFILTER]: xt_MARK: add compat support for revision 0
Old userspace doesn't support revision 1, especially for IPv6, which
is only available in the SVN snapshot.
Add compat support for revision 0.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:51:14 +0000 (21:51 -0800)]
[NETFILTER]: xt_MARK: support revision 1 for IPv6
The current netfilter SVN version includes support for this, so enable
it in the kernel as well.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:50:53 +0000 (21:50 -0800)]
[NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:50:37 +0000 (21:50 -0800)]
[NETFILTER]: ip6_tables: add compat support
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:50:22 +0000 (21:50 -0800)]
[NETFILTER]: ip6_tables: resync get_entries() with ip_tables
Resync get_entries() with ip_tables.c by moving the checks from the
setsockopt handler to the function itself.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:50:05 +0000 (21:50 -0800)]
[NETFILTER]: ip6_tables: move IP6T_SO_GET_INFO handling to seperate function
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:49:51 +0000 (21:49 -0800)]
[NETFILTER]: ip6_tables: move counter allocation to seperate function
More resyncing with ip_tables.c as preparation for compat support.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Tue, 18 Dec 2007 05:48:33 +0000 (21:48 -0800)]
[NETFILTER]: ip6_tables: use vmalloc_node()
Consistently use vmalloc_node for all counter allocations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>