1. 18 Sep, 2015 1 commit
    • Eric W. Biederman's avatar
      netfilter: Pass struct net into the netfilter hooks · 29a26a56
      Eric W. Biederman authored
      Pass a network namespace parameter into the netfilter hooks.  At the
      call site of the netfilter hooks the path a packet is taking through
      the network stack is well known which allows the network namespace to
      be easily and reliabily.
      This allows the replacement of magic code like
      "dev_net(state->in?:state->out)" that appears at the start of most
      netfilter hooks with "state->net".
      In almost all cases the network namespace passed in is derived
      from the first network device passed in, guaranteeing those
      paths will not see any changes in practice.
      The exceptions are:
      xfrm/xfrm_output.c:xfrm_output_resume()         xs_net(skb_dst(skb)->xfrm)
      ipvs/ip_vs_xmit.c:ip_vs_nat_send_or_cont()      ip_vs_conn_net(cp)
      ipvs/ip_vs_xmit.c:ip_vs_send_or_cont()          ip_vs_conn_net(cp)
      ipv4/raw.c:raw_send_hdrinc()                    sock_net(sk)
      ipv6/ip6_output.c:ip6_xmit()			sock_net(sk)
      ipv6/ndisc.c:ndisc_send_skb()                   dev_net(skb->dev) not dev_net(dst->dev)
      ipv6/raw.c:raw6_send_hdrinc()                   sock_net(sk)
      br_netfilter_hooks.c:br_nf_pre_routing_finish() dev_net(skb->dev) before skb->dev is set to nf_bridge->physindev
      In all cases these exceptions seem to be a better expression for the
      network namespace the packet is being processed in then the historic
      "dev_net(in?in:out)".  I am documenting them in case something odd
      pops up and someone starts trying to track down what happened.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  2. 07 Apr, 2015 1 commit
    • David Miller's avatar
      netfilter: Pass socket pointer down through okfn(). · 7026b1dd
      David Miller authored
      On the output paths in particular, we have to sometimes deal with two
      socket contexts.  First, and usually skb->sk, is the local socket that
      generated the frame.
      And second, is potentially the socket used to control a tunneling
      socket, such as one the encapsulates using UDP.
      We do not want to disassociate skb->sk when encapsulating in order
      to fix this, because that would break socket memory accounting.
      The most extreme case where this can cause huge problems is an
      AF_PACKET socket transmitting over a vxlan device.  We hit code
      paths doing checks that assume they are dealing with an ipv4
      socket, but are actually operating upon the AF_PACKET one.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  3. 06 Mar, 2015 1 commit
    • Eric W. Biederman's avatar
      DECnet: Only use neigh_ops for adding the link layer header · aaa4e704
      Eric W. Biederman authored
      Other users users of the neighbour table use neigh->output as the method
      to decided when and which link-layer header to place on a packet.
      DECnet has been using neigh->output to decide which DECnet headers to
      place on a packet depending which neighbour the packet is destined for.
      The DECnet usage isn't totally wrong but it can run into problems if the
      neighbour output function is run for a second time as the teql driver
      and the bridge netfilter code can do.
      Therefore to avoid pathologic problems later down the line and make the
      neighbour code easier to understand by refactoring the decnet output
      code to only use a neighbour method to add a link layer header to a
      This is done by moving the neigbhour operations lookup from
      dn_to_neigh_output to dn_neigh_output_packet.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  4. 04 Mar, 2015 1 commit
    • Eric W. Biederman's avatar
      neigh: Factor out ___neigh_lookup_noref · 60395a20
      Eric W. Biederman authored
      While looking at the mpls code I found myself writing yet another
      version of neigh_lookup_noref.  We currently have __ipv4_lookup_noref
      and __ipv6_lookup_noref.
      So to make my work a little easier and to make it a smidge easier to
      verify/maintain the mpls code in the future I stopped and wrote
      ___neigh_lookup_noref.  Then I rewote __ipv4_lookup_noref and
      __ipv6_lookup_noref in terms of this new function.  I tested my new
      version by verifying that the same code is generated in
      ip_finish_output2 and ip6_finish_output2 where these functions are
      To get to ___neigh_lookup_noref I added a new neighbour cache table
      function key_eq.  So that the static size of the key would be
      I also added __neigh_lookup_noref for people who want to to lookup
      a neighbour table entry quickly but don't know which neibhgour table
      they are going to look up.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  5. 02 Mar, 2015 1 commit
  6. 11 Nov, 2014 1 commit
  7. 10 Dec, 2013 1 commit
  8. 18 Feb, 2013 2 commits
  9. 11 Feb, 2013 1 commit
  10. 05 Jul, 2012 1 commit
  11. 04 Jun, 2012 1 commit
  12. 15 May, 2012 1 commit
  13. 01 Feb, 2012 1 commit
  14. 28 Dec, 2011 1 commit
  15. 05 Dec, 2011 1 commit
  16. 14 Nov, 2011 1 commit
    • Eric Dumazet's avatar
      neigh: new unresolved queue limits · 8b5c171b
      Eric Dumazet authored
      Le mercredi 09 novembre 2011 à 16:21 -0500, David Miller a écrit :
      > From: David Miller <davem@davemloft.net>
      > Date: Wed, 09 Nov 2011 16:16:44 -0500 (EST)
      > > From: Eric Dumazet <eric.dumazet@gmail.com>
      > > Date: Wed, 09 Nov 2011 12:14:09 +0100
      > >
      > >> unres_qlen is the number of frames we are able to queue per unresolved
      > >> neighbour. Its default value (3) was never changed and is responsible
      > >> for strange drops, especially if IP fragments are used, or multiple
      > >> sessions start in parallel. Even a single tcp flow can hit this limit.
      > >  ...
      > >
      > > Ok, I've applied this, let's see what happens :-)
      > Early answer, build fails.
      > Please test build this patch with DECNET enabled and resubmit.  The
      > decnet neigh layer still refers to the removed ->queue_len member.
      > Thanks.
      Ouch, this was fixed on one machine yesterday, but not the other one I
      used this morning, sorry.
      [PATCH V5 net-next] neigh: new unresolved queue limits
      unres_qlen is the number of frames we are able to queue per unresolved
      neighbour. Its default value (3) was never changed and is responsible
      for strange drops, especially if IP fragments are used, or multiple
      sessions start in parallel. Even a single tcp flow can hit this limit.
      $ arp -d ; ping -c 2 -s 8000
      PING ( 8000(8028) bytes of data.
      8008 bytes from icmp_seq=2 ttl=64 time=0.322 ms
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  17. 26 Jul, 2011 1 commit
  18. 18 Jul, 2011 2 commits
  19. 17 Jul, 2011 2 commits
  20. 01 Jul, 2011 1 commit
  21. 08 Nov, 2010 1 commit
  22. 05 Oct, 2010 1 commit
    • Eric Dumazet's avatar
      net neigh: RCU conversion of neigh hash table · d6bf7817
      Eric Dumazet authored
      This is the first step for RCU conversion of neigh code.
      Next patches will convert hash_buckets[] and "struct neighbour" to RCU
      protected objects.
      [PATCH net-next] net neigh: RCU conversion of neigh hash table
      Instead of storing hash_buckets, hash_mask and hash_rnd in "struct
      neigh_table", a new structure is defined :
      struct neigh_hash_table {
             struct neighbour        **hash_buckets;
             unsigned int            hash_mask;
             __u32                   hash_rnd;
             struct rcu_head         rcu;
      And "struct neigh_table" has an RCU protected pointer to such a
      This means the signature of (*hash)() function changed: We need to add a
      third parameter with the actual hash_rnd value, since this is not
      anymore a neigh_table field.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  23. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      The script does the followings.
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
      The conversion was done in the following steps.
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
      6. percpu.h was updated not to include slab.h.
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
  24. 25 Mar, 2010 1 commit
  25. 02 Sep, 2009 1 commit
  26. 03 Jun, 2009 1 commit
  27. 27 Nov, 2008 1 commit
  28. 28 Jan, 2008 1 commit
    • Eric W. Biederman's avatar
      [NETNS]: Modify the neighbour table code so it handles multiple network namespaces · 426b5303
      Eric W. Biederman authored
      I'm actually surprised at how much was involved.  At first glance it
      appears that the neighbour table data structures are already split by
      network device so all that should be needed is to modify the user
      interface commands to filter the set of neighbours by the network
      namespace of their devices.
      However a couple things turned up while I was reading through the
      code.  The proxy neighbour table allows entries with no network
      device, and the neighbour parms are per network device (except for the
      defaults) so they now need a per network namespace default.
      So I updated the two structures (which surprised me) with their very
      own network namespace parameter.  Updated the relevant lookup and
      destroy routines with a network namespace parameter and modified the
      code that interacts with users to filter out neighbour table entries
      for devices of other namespaces.
      I'm a little concerned that we can modify and display the global table
      configuration and from all network namespaces.  But this appears good
      enough for now.
      I keep thinking modifying the neighbour table to have per network
      namespace instances of each table type would should be cleaner.  The
      hash table is already dynamically sized so there are it is not a
      limiter.  The default parameter would be straight forward to take care
      of.  However when I look at the how the network table is built and
      used I still find some assumptions that there is only a single
      neighbour table for each type of table in the kernel.  The netlink
      operations, neigh_seq_start, the non-core network users that call
      neigh_lookup.  So while it might be doable it would require more
      refactoring than my current approach of just doing a little extra
      filtering in the code.
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarDaniel Lezcano <dlezcano@fr.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  29. 10 Oct, 2007 3 commits
  30. 11 Jul, 2007 1 commit
  31. 26 Apr, 2007 1 commit
  32. 12 Feb, 2007 1 commit
  33. 11 Feb, 2007 1 commit
  34. 03 Dec, 2006 1 commit
  35. 21 Jul, 2006 1 commit