aboutsummaryrefslogtreecommitdiffstats
path: root/net
Commit message (Collapse)AuthorAgeFilesLines
* Merge master.kernel.org:/pub/scm/linux/kernel/git/gregkh/driver-2.6Linus Torvalds2007-07-122-6/+5
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/gregkh/driver-2.6: (61 commits) sysfs: add parameter "struct bin_attribute *" in .read/.write methods for sysfs binary attributes sysfs: make directory dentries and inodes reclaimable sysfs: implement sysfs_get_dentry() sysfs: move sysfs_drop_dentry() to dir.c and make it static sysfs: restructure add/remove paths and fix inode update sysfs: use sysfs_mutex to protect the sysfs_dirent tree sysfs: consolidate sysfs spinlocks sysfs: make kobj point to sysfs_dirent instead of dentry sysfs: implement sysfs_find_dirent() and sysfs_get_dirent() sysfs: implement SYSFS_FLAG_REMOVED flag sysfs: rename sysfs_dirent->s_type to s_flags and make room for flags sysfs: make sysfs_drop_dentry() access inodes using ilookup() sysfs: Fix oops in sysfs_drop_dentry on x86_64 sysfs: use singly-linked list for sysfs_dirent tree sysfs: slim down sysfs_dirent->s_active sysfs: move s_active functions to fs/sysfs/dir.c sysfs: fix root sysfs_dirent -> root dentry association sysfs: use iget_locked() instead of new_inode() sysfs: reorganize sysfs_new_indoe() and sysfs_create() sysfs: fix parent refcounting during rename and move ...
| * sysfs: add parameter "struct bin_attribute *" in .read/.write methods for ↵Zhang Rui2007-07-111-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | sysfs binary attributes Well, first of all, I don't want to change so many files either. What I do: Adding a new parameter "struct bin_attribute *" in the .read/.write methods for the sysfs binary attributes. In fact, only the four lines change in fs/sysfs/bin.c and include/linux/sysfs.h do the real work. But I have to update all the files that use binary attributes to make them compatible with the new .read and .write methods. I'm not sure if I missed any. :( Why I do this: For a sysfs attribute, we can get a pointer pointing to the struct attribute in the .show/.store method, while we can't do this for the binary attributes. I don't know why this is different, but this does make it not so handy to use the binary attributes as the regular ones. So I think this patch is reasonable. :) Who benefits from it: The patch that exposes ACPI tables in sysfs requires such an improvement. All the table binary attributes share the same .read method. Parameter "struct bin_attribute *" is used to get the table signature and instance number which are used to distinguish different ACPI table binary attributes. Without this parameter, we need to offer different .read methods for different ACPI table binary attributes. This is impossible as there are various ACPI tables on different platforms, and we don't know what they are until they are loaded. Signed-off-by: Zhang Rui <rui.zhang@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| * sysfs: kill unnecessary attribute->ownerTejun Heo2007-07-112-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | sysfs is now completely out of driver/module lifetime game. After deletion, a sysfs node doesn't access anything outside sysfs proper, so there's no reason to hold onto the attribute owners. Note that often the wrong modules were accounted for as owners leading to accessing removed modules. This patch kills now unnecessary attribute->owner. Note that with this change, userland holding a sysfs node does not prevent the backing module from being unloaded. For more info regarding lifetime rule cleanup, please read the following message. http://article.gmane.org/gmane.linux.kernel/510293 (tweaked by Greg to not delete the field just yet, to make it easier to merge things properly.) Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Cornelia Huck <cornelia.huck@de.ibm.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* | [NET_SCHED]: ematch: module autoloadingPatrick McHardy2007-07-116-0/+22
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [TCP]: tcp probe wraparound handling and other changesStephen Hemminger2007-07-111-70/+124
| | | | | | | | | | | | | | | | | | | | | | | | | | Switch from formatting messages in probe routine and copying with kfifo, to using a small circular queue of information and formatting on read. This avoids wraparound issues with kfifo, and saves one copy. Also make sure to state correct license, rather than copying off some other driver I started with. Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [RTNETLINK]: rtnl_link: allow specifying initial device addressPatrick McHardy2007-07-113-4/+20
| | | | | | | | | | | | | | | | Drivers need to validate the initial addresses in their netlink attribute validation function or manually reject them if they can't support this. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [RTNETLINK]: rtnl_link API simplificationPatrick McHardy2007-07-112-25/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | All drivers need to unregister their devices in the module unload function. While doing so they must hold the rtnl and atomically unregister the rtnl_link ops as well. This makes the rtnl_link_unregister function that takes the rtnl itself completely useless. Provide default newlink/dellink functions, make __rtnl_link_unregister and rtnl_link_unregister unregister all devices with matching rtnl_link_ops and change the existing users to take advantage of that. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [VLAN]: Fix MAC address handlingPatrick McHardy2007-07-113-45/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The VLAN MAC address handling is broken in multiple ways. When the address differs when setting it, the real device is put in promiscous mode twice, but never taken out again. Additionally it doesn't resync when the real device's address is changed and needlessly puts it in promiscous mode when the vlan device is still down. Fix by moving address handling to vlan_dev_open/vlan_dev_stop and properly deal with address changes in the device notifier. Also switch to dev_unicast_add (which needs the exact same handling). Since the set_mac_address handler is identical to the generic ethernet one with these changes, kill it and use ether_setup(). Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | [ETH]: Validate address in eth_mac_addrPatrick McHardy2007-07-111-0/+3
| | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge master.kernel.org:/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6David S. Miller2007-07-114-45/+169
|\ \
| * | [Bluetooth] Add basics to better support and handle eSCO linksMarcel Holtmann2007-07-113-35/+48
| | | | | | | | | | | | | | | | | | | | | | | | To better support and handle eSCO links in the future a bunch of constants needs to be added and some basic routines need to be updated. This is the initial step. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * | [Bluetooth] Keep rfcomm_dev on the list until it is freedVille Tervo2007-07-111-8/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch changes the RFCOMM TTY release process so that the TTY is kept on the list until it is really freed. A new device flag is used to keep track of released TTYs. Signed-off-by: Ville Tervo <ville.tervo@nokia.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * | [Bluetooth] Hangup TTY before releasing rfcomm_devMikko Rapeli2007-07-111-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The core problem is that RFCOMM socket layer ioctl can release rfcomm_dev struct while RFCOMM TTY layer is still actively using it. Calling tty_vhangup() is needed for a synchronous hangup before rfcomm_dev is freed. Addresses the oops at http://bugzilla.kernel.org/show_bug.cgi?id=7509 Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * | [Bluetooth] Add hci_recv_fragment() helper functionMarcel Holtmann2007-07-111-2/+95
| | | | | | | | | | | | | | | | | | | | | | | | Most drivers must handle fragmented HCI data packets and events. This patch adds a generic function for their reassembly to the Bluetooth core layer and thus allows to shrink the complexity of the drivers. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | | [NET]: Fix races in net_rx_action vs netpoll.Olaf Kirch2007-07-111-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | Keep netpoll/poll_napi from messing with the poll_list. Only net_rx_action is allowed to manipulate the list. Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [AF_UNIX]: Rewrite garbage collector, fixes race.Miklos Szeredi2007-07-112-143/+188
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Throw out the old mark & sweep garbage collector and put in a refcounting cycle detecting one. The old one had a race with recvmsg, that resulted in false positives and hence data loss. The old algorithm operated on all unix sockets in the system, so any additional locking would have meant performance problems for all users of these. The new algorithm instead only operates on "in flight" sockets, which are very rare, and the additional locking for these doesn't negatively impact the vast majority of users. In fact it's probable, that there weren't *any* heavy senders of sockets over sockets, otherwise the above race would have been discovered long ago. The patch works OK with the app that exposed the race with the old code. The garbage collection has also been verified to work in a few simple cases. Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr ↵Patrick McHardy2007-07-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | dereference (CVE-2007-2876) When creating a new connection by sending an unknown chunk type, we don't transition to a valid state, causing a NULL pointer dereference in sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE]. Fix by don't creating new conntrack entry if initial state is invalid. Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET]: Make all initialized struct seq_operations const.Philippe De Muyter2007-07-1056-76/+76
| | | | | | | | | | | | | | | | | | | | | Make all initialized struct seq_operations in net/ const Signed-off-by: Philippe De Muyter <phdm@macqel.be> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [UDP]: Fix length check.Patrick McHardy2007-07-101-7/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rémi Denis-Courmont wrote: > Right. By the way, shouldn't "len" rather be signed in there? > > unsigned int len; > > /* if we're overly short, let UDP handle it */ > len = skb->len - sizeof(struct udphdr); > if (len <= 0) > goto udp; It should, but the < 0 case can't happen since __udp4_lib_rcv already makes sure that we have at least a complete UDP header. Anyways, this patch fixes it. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [IPV6]: Remove unneeded pointer idev from addrconf_cleanup().Micah Gruber2007-07-101-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This trivial patch removes the unneeded pointer idev returned from __in6_dev_get(), which is never used. The check for NULL can be simply done by if (__in6_dev_get(dev) == NULL). Signed-off-by: Micah Gruber <micah.gruber@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [IPV6]: Make IPV6_{RECV,2292}RTHDR boolean options.YOSHIFUJI Hideaki2007-07-101-6/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Because reversing RH0 is no longer supported by deprecation of RH0, let's make IPV6_{RECV,2292}RTHDR boolean options. Boolean are more appropriate from standard POV. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [IPV6]: Do not send RH0 anymore.YOSHIFUJI Hideaki2007-07-105-122/+2
| | | | | | | | | | | | | | | | | | | | | Based on <draft-ietf-ipv6-deprecate-rh0-00.txt>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [IPV6]: Restore semantics of Routing Header processing.YOSHIFUJI Hideaki2007-07-101-31/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The "fix" for emerging security threat was overkill and it broke basic semantic of IPv6 routing header processing. We should assume RT0 (or even RT2, depends on configuration) as "unknown" RH type so that we - silently ignore the routing header if segleft == 0 - send ICMPv6 Parameter Problem message back to the sender, otherwise. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET_SCHED]: Make HTB scheduler work with TSO.Ranjit Manomohan2007-07-101-10/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the HTB scheduler does not correctly account for TSO packets which causes large inaccuracies in the bandwidth control when using TSO. This patch allows the HTB scheduler to work with TSO enabled devices. Signed-off-by: Ranjit Manomohan <ranjitm@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET]: Avoid copying writable clones in tunnel driversPatrick McHardy2007-07-104-5/+8
| | | | | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [IPV4]: Make ip_tos2prio const.Philippe De Muyter2007-07-101-1/+1
| | | | | | | | | | | | | | | Signed-off-by: Philippe De Muyter <phdm@macqel.be> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET]: Fix gen_estimator timer removal racePatrick McHardy2007-07-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As noticed by Jarek Poplawski <jarkao2@o2.pl>, the timer removal in gen_kill_estimator races with the timer function rearming the timer. Check whether the timer list is empty before rearming the timer in the timer function to fix this. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Jarek Poplawski <jarkao2@o2.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETPOLL]: Fix a leak-n-bug in netpoll_cleanup()Satyam Sharma2007-07-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 93ec2c723e3f8a216dde2899aeb85c648672bc6b applied excessive duct tape to the netpoll beast's netpoll_cleanup(), thus substituting one leak with another, and opening up a little buglet :-) net_device->npinfo (netpoll_info) is a shared and refcounted object and cannot simply be set NULL the first time netpoll_cleanup() is called. Otherwise, further netpoll_cleanup()'s see np->dev->npinfo == NULL and become no-ops, thus leaking. And it's a bug too: the first call to netpoll_cleanup() would thus (annoyingly) "disable" other (still alive) netpolls too. Maybe nobody noticed this because netconsole (only user of netpoll) never supported multiple netpoll objects earlier. This is a trivial and obvious one-line fixlet. Signed-off-by: Satyam Sharma <ssatyam@cse.iitk.ac.in> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [RXRPC]: Remove Makefile reference to obsolete RXRPC config variableRobert P. J. Day2007-07-101-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since there is no Kconfig variable RXRPC anywhere in the tree, and the variable AF_RXRPC performs exactly the same function, remove the reference to CONFIG_RXRPC from net/Makefile. Signed-off-by: Robert P. J. Day <rpjday@mindspring.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER] net/ipv4/netfilter/ip_tables.c: lower printk severityDan Aloni2007-07-101-1/+1
| | | | | | | | | | | | | | | | | | Signed-off-by: Dan Aloni <da-x@monatomic.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [DCCP]: Make struct dccp_li_cachep static.Adrian Bunk2007-07-101-1/+1
| | | | | | | | | | | | | | | | | | Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET]: "wrong timeout value in sk_wait_data()": cleanupsAndrew Morton2007-07-101-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - save 4 bytes - it's read-mostly. Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Vasily Averin <vvs@sw.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NET]: Make some network-related proc files use seq_list_xxx helpersPavel Emelianov2007-07-102-77/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This includes /proc/net/protocols, /proc/net/rxrpc_calls and /proc/net/rxrpc_connections files. All three need seq_list_start_head to show some header. Signed-off-by: Pavel Emelianov <xemul@openvz.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [ATM] br2684: Use seq_list_xxx helpersPavel Emelianov2007-07-101-18/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | The .show callback receives the list_head pointer now, not the struct br2684_dev one. Signed-off-by: Pavel Emelianov <xemul@openvz.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: x_tables: add more detail to error message about match/target ↵Balazs Scheidler2007-07-101-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | mask mismatch Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_queue: Use RCU and mutex for queue handlersYasuyuki Kozakai2007-07-101-23/+29
| | | | | | | | | | | | | | | | | | | | | | | | Queue handlers are registered/unregistered in only process context. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nfnetlink_queue: don't unregister handler of other subsystemYasuyuki Kozakai2007-07-102-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The queue handlers registered by ip[6]_queue.ko at initialization should not be unregistered according to requests from userland program using nfnetlink_queue. If we allow that, there is no way to register the handlers of built-in ip[6]_queue again. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: Convert DEBUGP to pr_debugPatrick McHardy2007-07-1046-965/+655
| | | | | | | | | | | | | | | | | | | | | Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: xt_helper: use RCUPatrick McHardy2007-07-101-23/+8
| | | | | | | | | | | | | | | | | | | | | | | | The ->helper pointer is protected by RCU, no need to take nf_conntrack_lock. Also remove excessive debugging. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack_h323: turn some printks into DEBUGPsPatrick McHardy2007-07-101-15/+10
| | | | | | | | | | | | | | | | | | | | | | | | Don't spam the ringbuffer with decoding errors. The only printks remaining are for dropped packets when we're certain they are H.323. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: ipt_CLUSTERIP: add compat codePatrick McHardy2007-07-101-19/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | Adjust structure size and don't expect pointers passed in from userspace to be valid. Also replace an enum in an ABI structure by a fixed size type. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: ipt_SAME: add to feature-removal-schedulePatrick McHardy2007-07-101-1/+1
| | | | | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack: early_drop improvementPatrick McHardy2007-07-101-7/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the maximum number of conntrack entries is reached and a new one needs to be allocated, conntrack tries to drop an unassured connection from the same hash bucket the new conntrack would hash to. Since with a properly sized hash the average number of entries per bucket is 1, the chances of actually finding one are not very good. This patch makes it walk the hash until a minimum number of 8 entries are checked. Based on patch by Vasily Averin <vvs@sw.ru>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack: mark helpers __read_mostlyPatrick McHardy2007-07-102-4/+4
| | | | | | | | | | | | | | | | | | | | | Most are __read_mostly already, this changes the remaining ones. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack_helper: use hashtable for conntrack helpersPatrick McHardy2007-07-101-13/+57
| | | | | | | | | | | | | | | | | | | | | Eliminate the last global list searched for every new connection. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack_expect: introduce nf_conntrack_expect_max sysctPatrick McHardy2007-07-102-1/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As a last step of preventing DoS by creating lots of expectations, this patch introduces a global maximum and a sysctl to control it. The default is initialized to 4 * the expectation hash table size, which results in 1/64 of the default maxmimum of conntracks. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack_expect: maintain per conntrack expectation listPatrick McHardy2007-07-104-36/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch brings back the per-conntrack expectation list that was removed around 2.6.10 to avoid walking all expectations on expectation eviction and conntrack destruction. As these were the last users of the global expectation list, this patch also kills that. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack_helper/nf_conntrack_netlink: convert to ↵Patrick McHardy2007-07-102-42/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | expectation hash Convert from the global expectation list to the hash table. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack_expect: convert proc functions to hashPatrick McHardy2007-07-102-47/+121
| | | | | | | | | | | | | | | | | | | | | Convert from the global expectation list to the hash table. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | [NETFILTER]: nf_conntrack: use hashtable for expectationsPatrick McHardy2007-07-101-6/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently all expectations are kept on a global list that - needs to be searched for every new conncetion - needs to be walked for evicting expectations when a master connection has reached its limit - needs to be walked on connection destruction for connections that have open expectations This is obviously not good, especially when considering helpers like H.323 that register *lots* of expectations and can set up permanent expectations, but it also allows for an easy DoS against firewalls using connection tracking helpers. Use a hashtable for expectations to avoid incurring the search overhead for every new connection. The default hash size is 1/256 of the conntrack hash table size, this can be overriden using a module parameter. This patch only introduces the hash table for expectation lookups and keeps other users to reduce the noise, the following patches will get rid of it completely. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>