Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v2.6.30 2009-05-27T22:51:25+00:00 2009-05-27T22:51:25+00:00 David S. Miller davem@davemloft.net 2009-05-27T22:51:25+00:00 urn:sha1:4d3383d0adb6d1047fb9ee3edd9dc05e4d2184f0 2009-05-25T15:23:15+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2009-05-25T15:23:15+00:00 urn:sha1:bfcaa50270e18f35220a11d46e98fc6232c24606 Robert L Mathews discovered that some clients send evil TCP RST segments, which are accepted by netfilter conntrack but discarded by the destination. Thus the conntrack entry is destroyed but the destination retransmits data until timeout. The same technique, i.e. sending properly crafted RST segments, can easily be used to bypass connlimit/connbytes based restrictions (the sample script written by Robert can be found in the netfilter mailing list archives). The patch below adds a new flag and new field to struct ip_ct_tcp_state so that checking RST segments can be made more strict and thus TCP conntrack can catch the invalid ones: the RST segment is accepted only if its sequence number higher than or equal to the highest ack we seen from the other direction. (The last_ack field cannot be reused because it is used to catch resent packets.) Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 2009-05-05T19:00:53+00:00 David S. Miller davem@davemloft.net 2009-05-05T19:00:53+00:00 urn:sha1:356d6c2d55b71303a17910ea2cce3eba8e44bd29 2009-05-05T15:46:07+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-05-05T15:46:07+00:00 urn:sha1:280f37afa2c270ff029cb420b34396aa002909c3 This patch fixes a problem when you use 32 nodes in the cluster match: % iptables -I PREROUTING -t mangle -i eth0 -m cluster \ --cluster-total-nodes 32 --cluster-local-node 32 \ --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff iptables: Invalid argument. Run `dmesg' for more information. % dmesg | tail -1 xt_cluster: this node mask cannot be higher than the total number of nodes The problem is related to this checking: if (info->node_mask >= (1 << info->total_nodes)) { printk(KERN_ERR "xt_cluster: this node mask cannot be " "higher than the total number of nodes\n"); return false; } (1 << 32) is 1. Thus, the checking fails. BTW, I said this before but I insist: I have only tested the cluster match with 2 nodes getting ~45% extra performance in an active-active setup. The maximum limit of 32 nodes is still completely arbitrary. I'd really appreciate if people that have more nodes in their setups let me know. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 2009-05-05T12:31:12+00:00 Patrick McHardy kaber@trash.net 2009-05-05T12:31:12+00:00 urn:sha1:a7ca7fccacc029958fd09985e7f3529b90ec791d Pointed out by Dave Miller: CHECK include/linux/netfilter (57 files) /home/davem/src/GIT/net-2.6/usr/include/linux/netfilter/xt_LED.h:6: found __[us]{8,16,32,64} type without #include <linux/types.h> Signed-off-by: Patrick McHardy <kaber@trash.net> 2009-05-01T16:10:46+00:00 Eric Dumazet dada1@cosmosbay.com 2009-05-01T16:10:46+00:00 urn:sha1:0f3d042ed2f934f149ccb78300454beaf0c1134b Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-04-29T05:36:33+00:00 Stephen Hemminger shemminger@vyatta.com 2009-04-29T05:36:33+00:00 urn:sha1:942e4a2bd680c606af0211e64eb216be2e19bf61 The x_tables are organized with a table structure and a per-cpu copies of the counters and rules. On older kernels there was a reader/writer lock per table which was a performance bottleneck. In 2.6.30-rc, this was converted to use RCU and the counters/rules which solved the performance problems for do_table but made replacing rules much slower because of the necessary RCU grace period. This version uses a per-cpu set of spinlocks and counters to allow to table processing to proceed without the cache thrashing of a global reader lock and keeps the same performance for table updates. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2009-04-24T14:58:41+00:00 Pablo Neira Ayuso pablo@netfilter.org 2009-04-24T14:58:41+00:00 urn:sha1:71951b64a5a87c09eb6fde59ce51aaab2fdaeab2 This patch adds missing role attribute to the DCCP type, otherwise the creation of entries is not of any use. The attribute added is CTA_PROTOINFO_DCCP_ROLE which contains the role of the conntrack original tuple. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 2009-03-27T05:45:23+00:00 David S. Miller davem@davemloft.net 2009-03-27T05:45:23+00:00 urn:sha1:01e6de64d9c8d0e75dca3bb4cf898db73abe00d4 2009-03-26T23:11:41+00:00 Linus Torvalds torvalds@linux-foundation.org 2009-03-26T23:11:41+00:00 urn:sha1:ba1eb95cf3cc666769afe42eaa15a3a34ae82f94 * 'header-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (50 commits) x86: headers cleanup - setup.h emu101k1.h: fix duplicate include of <linux/types.h> compiler-gcc4: conditionalize #error on __KERNEL__ remove __KERNEL_STRICT_NAMES make netfilter use strict integer types make drm headers use strict integer types make MTD headers use strict integer types make most exported headers use strict integer types make exported headers use strict posix types unconditionally include asm/types.h from linux/types.h make linux/types.h as assembly safe Neither asm/types.h nor linux/types.h is required for arch/ia64/include/asm/fpu.h headers_check fix cleanup: linux/reiserfs_fs.h headers_check fix cleanup: linux/nubus.h headers_check fix cleanup: linux/coda_psdev.h headers_check fix: x86, setup.h headers_check fix: x86, prctl.h headers_check fix: linux/reinserfs_fs.h headers_check fix: linux/socket.h headers_check fix: linux/nubus.h ... Manually fix trivial conflicts in: include/linux/netfilter/xt_limit.h include/linux/netfilter/xt_statistic.h