Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.5 2012-07-09T08:53:19Z 2012-07-09T08:53:19Z Pablo Neira Ayuso pablo@netfilter.org 2012-07-05T13:42:10Z urn:sha1:6bd0405bb4196b44f1acb7a58f11382cdaf6f7f0 Hans reports that he's still hitting: BUG: unable to handle kernel NULL pointer dereference at 000000000000027c IP: [<ffffffff813615db>] netlink_has_listeners+0xb/0x60 PGD 0 Oops: 0000 [#3] PREEMPT SMP CPU 0 It happens when adding a number of containers with do: nfct_query(h, NFCT_Q_CREATE, ct); and most likely one namespace shuts down. this problem was supposed to be fixed by: 70e9942 netfilter: nf_conntrack: make event callback registration per-netns Still, it was missing one rcu_access_pointer to check if the callback is set or not. Reported-by: Hans Schillstrom <hans@schillstrom.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-05-08T17:36:33Z Eric Dumazet edumazet@google.com 2012-04-18T04:36:40Z urn:sha1:ac3a546ac89fdf3c4b50e40039a5a7f6df4dda72 this_cpu_inc() is IRQ safe and faster than local_bh_disable()/__this_cpu_inc()/local_bh_enable(), at least on x86. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Patrick McHardy <kaber@trash.net> Cc: Christoph Lameter <cl@linux.com> Cc: Tejun Heo <tj@kernel.org> Reviewed-by: Christoph Lameter <cl@linux.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-05-08T17:35:18Z Eric Leblond eric@regit.org 2012-04-18T09:20:41Z urn:sha1:a9006892643a8f4e885b692de0708bcb35a7d530 This patch allows you to disable automatic conntrack helper lookup based on TCP/UDP ports, eg. echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper [ Note: flows that already got a helper will keep using it even if automatic helper assignment has been disabled ] Once this behaviour has been disabled, you have to explicitly use the iptables CT target to attach helper to flows. There are good reasons to stop supporting automatic helper assignment, for further information, please read: http://www.netfilter.org/news.html#2012-04-03 This patch also adds one message to inform that automatic helper assignment is deprecated and it will be removed soon (this is spotted only once, with the first flow that gets a helper attached to make it as less annoying as possible). Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-04-21T01:22:30Z Eric W. Biederman ebiederm@xmission.com 2012-04-19T13:43:55Z urn:sha1:f99e8f715a5c7ebad5410b1e9b4d744ddb284f54 There isn't much advantage here except that strings paths are a bit easier to read, and converting everything to them allows me to kill off ctl_path. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Acked-by: Pavel Emelyanov <xemul@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-03-26T12:00:28Z Jan Beulich JBeulich@suse.com 2012-03-07T23:45:44Z urn:sha1:f3d229c68bb47170f04f81e51c9ed5d4286cebdb At least on ia64 the (bogus) use of xchg() here results in the compiler warning about an unused expression result. As only an assignment is intended here, convert it to such. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-22T23:52:01Z Pablo Neira Ayuso pablo@netfilter.org 2012-03-22T22:40:01Z urn:sha1:c1ebd7dff700277e4d0a3da36833a406142e31d4 This patch introduces nf_conntrack_l4proto_find_get() and nf_conntrack_l4proto_put() to fix module dependencies between timeout objects and l4-protocol conntrack modules. Thus, we make sure that the module cannot be removed if it is used by any of the cttimeout objects. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-07T16:41:52Z Eric Dumazet eric.dumazet@gmail.com 2012-03-01T02:56:59Z urn:sha1:ace30d73ef09fd5f95b24c5c1c5aa11963981494 Helps to find format mismatches at compile time Suggested-by: David Laight <David.Laight@ACULAB.COM> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> 2012-03-07T16:41:25Z Pablo Neira Ayuso pablo@netfilter.org 2012-02-28T22:36:48Z urn:sha1:dd705072412225a97784fe38feee2ebf8d14814d This patch adds the timeout extension, which allows you to attach specific timeout policies to flows. This extension is only used by the template conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-07T16:41:22Z Pablo Neira Ayuso pablo@netfilter.org 2012-02-28T18:13:48Z urn:sha1:50978462300f74dc48aea4a38471cb69bdf741a5 This patch adds the infrastructure to add fine timeout tuning over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT subsystem to create/delete/dump timeout objects that contain some specific timeout policy for one flow. The follow up patches will allow you attach timeout policy object to conntrack via the CT target and the conntrack extension infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-07T16:41:19Z Pablo Neira Ayuso pablo@netfilter.org 2012-02-28T17:23:31Z urn:sha1:2c8503f55fbdfbeff4164f133df804cf4d316290 This patch defines a new interface for l4 protocol trackers: unsigned int *(*get_timeouts)(struct net *net); that is used to return the array of unsigned int that contains the timeouts that will be applied for this flow. This is passed to the l4proto->new(...) and l4proto->packet(...) functions to specify the timeout policy. This interface allows per-net global timeout configuration (although only DCCP supports this by now) and it will allow custom custom timeout configuration by means of follow-up patches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>