<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/netfilter/ipvs, branch v3.8</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v3.8</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v3.8'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2013-02-06T00:56:50Z</updated>
<entry>
<title>ipvs: sctp: fix checksumming on snat and dnat handlers</title>
<updated>2013-02-06T00:56:50Z</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2013-02-05T16:21:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4b47bc9a9e69141ed3a854c57601f548e82c78ba'/>
<id>urn:sha1:4b47bc9a9e69141ed3a854c57601f548e82c78ba</id>
<content type='text'>
In our test lab, we have a simple SCTP client connecting to a SCTP
server via an IPVS load balancer. On some machines, load balancing
works, but on others the initial handshake just fails, thus no
SCTP connection whatsoever can be established!

We observed that the SCTP INIT-ACK handshake reply from the IPVS
machine to the client had a correct IP checksum, but corrupt SCTP
checksum when forwarded, thus on the client-side the packet was
dropped and an initial handshake retriggered until all attempts
run into the void.

To fix this issue, this patch i) adds a missing CHECKSUM_UNNECESSARY
after the full checksum (re-)calculation (as done in IPVS TCP and UDP
code as well), ii) calculates the checksum in little-endian format
(as fixed with the SCTP code in commit 4458f04c: sctp: Clean up sctp
checksumming code) and iii) refactors duplicate checksum code into a
common function. Tested by myself.

Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
</content>
</entry>
<entry>
<title>ipvs: freeing uninitialized pointer on error</title>
<updated>2013-01-28T01:14:37Z</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2013-01-25T15:44:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b425df4cdd953a400d814b4474c9d3ec04481858'/>
<id>urn:sha1:b425df4cdd953a400d814b4474c9d3ec04481858</id>
<content type='text'>
If state != IP_VS_STATE_BACKUP then tinfo-&gt;buf is uninitialized.  If
kthread_run() fails then it means we free random memory resulting in an
oops.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
</content>
</entry>
<entry>
<title>Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch</title>
<updated>2012-11-30T17:01:30Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2012-11-30T17:01:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=e7165030db8e932a9a968f7015cd3b2e984f8e7c'/>
<id>urn:sha1:e7165030db8e932a9a968f7015cd3b2e984f8e7c</id>
<content type='text'>
Conflicts:
	net/ipv6/exthdrs_core.c

Jesse Gross says:

====================
This series of improvements for 3.8/net-next contains four components:
 * Support for modifying IPv6 headers
 * Support for matching and setting skb-&gt;mark for better integration with
   things like iptables
 * Ability to recognize the EtherType for RARP packets
 * Two small performance enhancements

The movement of ipv6_find_hdr() into exthdrs_core.c causes two small merge
conflicts.  I left it as is but can do the merge if you want.  The conflicts
are:
 * ipv6_find_hdr() and ipv6_find_tlv() were both moved to the bottom of
   exthdrs_core.c.  Both should stay.
 * A new use of ipv6_find_hdr() was added to net/netfilter/ipvs/ip_vs_core.c
   after this patch.  The IPVS user has two instances of the old constant
   name IP6T_FH_F_FRAG which has been renamed to IP6_FH_F_FRAG.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: Remove the spurious \ in __ip_vs_lblc_init</title>
<updated>2012-11-19T19:20:42Z</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-11-19T05:26:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=e5ef39eda6a1dfc045445d1199e5508703d139df'/>
<id>urn:sha1:e5ef39eda6a1dfc045445d1199e5508703d139df</id>
<content type='text'>
In (464dc801c76a net: Don't export sysctls to unprivileged users)
I typoed and introduced a spurious backslash.  Delete it.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm</title>
<updated>2012-11-19T01:32:45Z</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-11-16T03:03:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=df008c91f83583e662ac54aee00004afc3f1894d'/>
<id>urn:sha1:df008c91f83583e662ac54aee00004afc3f1894d</id>
<content type='text'>
Allow an unprivileged user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net-&gt;user_ns,
CAP_NET_ADMIN), or capable(net-&gt;user_ns, CAP_NET_RAW) calls.

Allow creation of af_key sockets.
Allow creation of llc sockets.
Allow creation of af_packet sockets.

Allow sending xfrm netlink control messages.

Allow binding to netlink multicast groups.
Allow sending to netlink multicast groups.
Allow adding and dropping netlink multicast groups.
Allow sending to all netlink multicast groups and port ids.

Allow reading the netfilter SO_IP_SET socket option.
Allow sending netfilter netlink messages.
Allow setting and getting ip_vs netfilter socket options.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: Don't export sysctls to unprivileged users</title>
<updated>2012-11-19T01:30:55Z</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-11-16T03:02:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=464dc801c76aa0db88e16e8f5f47c6879858b9b2'/>
<id>urn:sha1:464dc801c76aa0db88e16e8f5f47c6879858b9b2</id>
<content type='text'>
In preparation for supporting the creation of network namespaces
by unprivileged users, modify all of the per net sysctl exports
and refuse to allow them to unprivileged users.

This makes it safe for unprivileged users in general to access
per net sysctls, and allows sysctls to be exported to unprivileged
users on an individual basis as they are deemed safe.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>ipvs: remove silly double assignment</title>
<updated>2012-10-28T21:50:51Z</updated>
<author>
<name>Alan Cox</name>
<email>alan@linux.intel.com</email>
</author>
<published>2012-10-26T00:13:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=05b4b065a06c3ebacc23ff188e15ea7a278eadc0'/>
<id>urn:sha1:05b4b065a06c3ebacc23ff188e15ea7a278eadc0</id>
<content type='text'>
I don't even want to think what the C spec says for this 8)

Signed-off-by: Alan Cox &lt;alan@linux.intel.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'master' of git://1984.lsi.us.es/nf-next</title>
<updated>2012-10-26T18:40:55Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2012-10-26T18:40:55Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f019948dbb388eacbc0fb61db1d30e686224df77'/>
<id>urn:sha1:f019948dbb388eacbc0fb61db1d30e686224df77</id>
<content type='text'>
Pablo Neira Ayuso says:

====================
The following changeset contains updates for IPVS from Jesper Dangaard
Brouer that did not reach the previous merge window in time.

More specifically, updates to improve IPv6 support in IPVS. More
relevantly, some of the existing code performed wrong handling of the
extensions headers and better fragmentation handling.

Jesper promised more follow-up patches to refine this after this batch
hits net-next. Yet to come.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net</title>
<updated>2012-10-17T08:59:20Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2012-10-17T08:59:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=0b4f5b1d6385826093dc3cd9035b186f0d77a5dc'/>
<id>urn:sha1:0b4f5b1d6385826093dc3cd9035b186f0d77a5dc</id>
<content type='text'>
To obtain new flag FLOWI_FLAG_KNOWN_NH to fix netfilter's xt_TEE target.
</content>
</entry>
<entry>
<title>ipvs: initialize returned data in do_ip_vs_get_ctl</title>
<updated>2012-10-09T04:04:34Z</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2012-10-09T04:04:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b61a602ee6730150f4d0df730d9312ac4d820ceb'/>
<id>urn:sha1:b61a602ee6730150f4d0df730d9312ac4d820ceb</id>
<content type='text'>
As reported by a gcc warning, the do_ip_vs_get_ctl does not initialize
all the members of the ip_vs_timeout_user structure it returns if
at least one of the TCP or UDP protocols is disabled for ipvs.

This makes sure that the data is always initialized, before it is
returned as a response to IPVS_CMD_GET_CONFIG or printed as a
debug message in IPVS_CMD_SET_CONFIG.

Without this patch, building ARM ixp4xx_defconfig results in:

net/netfilter/ipvs/ip_vs_ctl.c: In function 'ip_vs_genl_set_cmd':
net/netfilter/ipvs/ip_vs_ctl.c:2238:47: warning: 't.udp_timeout' may be used uninitialized in this function [-Wuninitialized]
net/netfilter/ipvs/ip_vs_ctl.c:3322:28: note: 't.udp_timeout' was declared here
net/netfilter/ipvs/ip_vs_ctl.c:2238:47: warning: 't.tcp_fin_timeout' may be used uninitialized in this function [-Wuninitialized]
net/netfilter/ipvs/ip_vs_ctl.c:3322:28: note: 't.tcp_fin_timeout' was declared here
net/netfilter/ipvs/ip_vs_ctl.c:2238:47: warning: 't.tcp_timeout' may be used uninitialized in this function [-Wuninitialized]
net/netfilter/ipvs/ip_vs_ctl.c:3322:28: note: 't.tcp_timeout' was declared here

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
</content>
</entry>
</feed>
