Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.9 2013-03-01T20:56:29Z 2013-03-01T20:56:29Z Neil Horman nhorman@tuxdriver.com 2013-03-01T07:44:08Z urn:sha1:d8c6f4b9b7848bca8babfc0ae43a50c8ab22fbb9 I had a report recently of a user trying to use dropwatch to localise some frame loss, and they were getting false positives. Turned out they were using a user space SCTP stack that used raw sockets to grab frames. When we don't have a registered protocol for a given packet, we record it as a drop, even if a raw socket receieves the frame. We should only record the drop in the event a raw socket doesnt exist to receive the frames Tested by the reported successfully Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Reported-by: William Reich <reich@ulticom.com> Tested-by: William Reich <reich@ulticom.com> CC: "David S. Miller" <davem@davemloft.net> CC: William Reich <reich@ulticom.com> CC: eric.dumazet@gmail.com Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-02-05T19:42:23Z David S. Miller davem@davemloft.net 2013-02-05T19:42:23Z urn:sha1:547472b8e1da72ae226430c0c4273e36fc8ca768 All in-tree ipv4 protocol implementations are now namespace aware. Therefore all the run-time checks are superfluous. Reject registry of any non-namespace aware ipv4 protocol. Eventually we'll remove prot->netns_ok and this registry time check as well. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-30T21:53:21Z Eric Dumazet edumazet@google.com 2012-07-29T21:06:13Z urn:sha1:cca32e4bf999a34ac08d959f351f2b30bcd02460 early_demux() handlers should be called in RCU context, and as we use skb_dst_set_noref(skb, dst), caller must not exit from RCU context before dst use (skb_dst(skb)) or release (skb_drop(dst)) Therefore, rcu_read_lock()/rcu_read_unlock() pairs around ->early_demux() are confusing and not needed : Protocol handlers are already in an RCU read lock section. (__netif_receive_skb() does the rcu_read_lock() ) Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-26T22:50:39Z Eric Dumazet edumazet@google.com 2012-07-26T12:18:11Z urn:sha1:c7109986db3c945f50ceed884a30e0fd8af3b89b This is the IPv6 missing bits for infrastructure added in commit 41063e9dd1195 (ipv4: Early TCP socket demux.) Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-26T22:50:39Z David S. Miller davem@davemloft.net 2012-07-26T11:14:38Z urn:sha1:c6cffba4ffa26a8ffacd0bb9f3144e34f20da7de With the routing cache removal we lost the "noref" code paths on input, and this can kill some routing workloads. Reinstate the noref path when we hit a cached route in the FIB nexthops. With help from Eric Dumazet. Reported-by: Alexander Duyck <alexander.duyck@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-24T20:54:15Z Eric Dumazet edumazet@google.com 2012-07-24T01:19:31Z urn:sha1:9cb429d692b341e972b12e6cd097364050ebbb26 1) Remove a non needed pskb_may_pull() in tcp_v4_early_demux() and fix a potential bug if skb->head was reallocated (iph & th pointers were not reloaded) TCP stack will pull/check headers anyway. 2) must reload iph in ip_rcv_finish() after early_demux() call since skb->head might have changed. 3) skb->dev->ifindex can be now replaced by skb->skb_iif Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-20T20:30:59Z David Miller davem@davemloft.net 2012-07-01T02:02:53Z urn:sha1:38a424e4657462fe9f8b76f01a0e879abde99ab4 The "noref" argument to ip_route_input_common() is now always ignored because we do not cache routes, and in that case we must always grab a reference to the resulting 'dst'. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-06-28T05:01:22Z David S. Miller davem@davemloft.net 2012-06-28T05:01:22Z urn:sha1:160eb5a6b14ca2eab5c598bdbbb24c24624bad34 It's completely unnecessary. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-06-28T00:05:06Z David S. Miller davem@davemloft.net 2012-06-28T00:05:06Z urn:sha1:c10237e077cef50e925f052e49f3b4fead9d71f9 This reverts commit c074da2810c118b3812f32d6754bd9ead2f169e7. This change has several unwanted side effects: 1) Sockets will cache the DST_NOCACHE route in sk->sk_rx_dst and we'll thus never create a real cached route. 2) All TCP traffic will use DST_NOCACHE and never use the routing cache at all. Signed-off-by: David S. Miller <davem@davemloft.net> 2012-06-27T22:34:24Z Eric Dumazet edumazet@google.com 2012-06-26T23:14:15Z urn:sha1:c074da2810c118b3812f32d6754bd9ead2f169e7 DDOS synflood attacks hit badly IP route cache. On typical machines, this cache is allowed to hold up to 8 Millions dst entries, 256 bytes for each, for a total of 2GB of memory. rt_garbage_collect() triggers and tries to cleanup things. Eventually route cache is disabled but machine is under fire and might OOM and crash. This patch exploits the new TCP early demux, to set a nocache boolean in case incoming TCP frame is for a not yet ESTABLISHED or TIMEWAIT socket. This 'nocache' boolean is then used in case dst entry is not found in route cache, to create an unhashed dst entry (DST_NOCACHE) SYN-cookie-ACK sent use a similar mechanism (ipv4: tcp: dont cache output dst for syncookies), so after this patch, a machine is able to absorb a DDOS synflood attack without polluting its IP route cache. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Hans Schillstrom <hans.schillstrom@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>