1. 26 Sep, 2014 2 commits
  2. 19 Sep, 2014 2 commits
      netfilter: nf_tables: export rule-set generation ID · 84d7fce6
      Pablo Neira Ayuso authored
      This patch exposes the ruleset generation ID in three ways:
      1) The new command NFT_MSG_GETGEN that exposes the 32-bits ruleset
         generation ID. This ID is incremented in every commit and it
         should be large enough to avoid wraparound problems.
      2) The less significant 16-bits of the generation ID are exposed through
         the nfgenmsg->res_id header field. This allows us to quickly catch
         if the ruleset has changed between two consecutive list dumps from
         different object lists (in this specific case I think the risk of
         wraparound is unlikely).
      3) Userspace subscribers may receive notifications of new rule-set
         generation after every commit. This also provides an alternative
         way to monitor the generation ID. If the events are lost, the
         userspace process hits an overrun error, so it knows that it is
         working with a stale ruleset anyway.
      Patrick spotted that rule-set transformations in userspace may take
      quite some time. In that case, it annotates the 32-bits generation ID
      before fetching the rule-set, then:
      1) it compares it to what we obtain after the transformation to
         make sure it is not working with a stale rule-set and no wraparound
         has occurred.
      2) it subscribes to ruleset notifications, so it can watch for new
         generation ID.
      This is complementary to the NLM_F_DUMP_INTR approach, which allows
      us to detect an interference in the middle of one single list dump.
      There is no way to explicitly check that an interference has occurred
      between two list dumps from the kernel, since it doesn't know how
      many lists the userspace client is actually going to dump.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
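The userspace check described in the commit message, as an added example that is not code from the kernel patch or from the netfilter project: `FakeKernel` is a constructed stand-in for the kernel side (a 32-bit generation ID bumped on every commit, `res_id` carrying its low 16 bits), and `check_ruleset` performs the annotate, dump, compare procedure, including the 16-bit wraparound case that only the full 32-bit comparison catches.

```python
# Added example modelling the stale-ruleset check from the commit message.
# FakeKernel is a constructed stand-in; only the 32-bit generation ID, the
# 16-bit res_id and the before/after comparison come from the commit text.

class FakeKernel:
    """Constructed model: a 32-bit generation ID incremented on every commit."""
    def __init__(self, gen=0):
        self.gen = gen & 0xFFFFFFFF
        self.objects = {"tables": ["filter"], "chains": ["input", "forward"]}

    def getgen(self):            # models NFT_MSG_GETGEN
        return self.gen

    def commit(self, n=1):       # models n committed batches
        self.gen = (self.gen + n) & 0xFFFFFFFF

    def dump(self, kind):        # models one list dump; res_id = low 16 bits
        return [{"res_id": self.gen & 0xFFFF, "name": o} for o in self.objects[kind]]


def fetch_ruleset(kernel, between_dumps=None):
    """Annotate the generation ID, then dump several object lists.
    between_dumps is a hook that simulates a commit landing mid-fetch."""
    gen_before = kernel.getgen()
    msgs = list(kernel.dump("tables"))
    if between_dumps:
        between_dumps(kernel)
    msgs += kernel.dump("chains")
    return gen_before, msgs


def check_ruleset(kernel, between_dumps=None, during_transform=None):
    """Return 'ok', 'res_id-mismatch' or 'stale'.

    The res_id check is the quick 16-bit consistency test across consecutive
    dumps; the final 32-bit comparison after the (possibly long) userspace
    transformation also catches a 16-bit wraparound the res_id test misses."""
    gen_before, msgs = fetch_ruleset(kernel, between_dumps)
    if any(m["res_id"] != (gen_before & 0xFFFF) for m in msgs):
        return "res_id-mismatch"
    if during_transform:
        during_transform(kernel)   # commits landing during the transformation
    if kernel.getgen() != gen_before:
        return "stale"
    return "ok"
```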
      netfilter: nfnetlink: use original skbuff when committing/aborting · fc04733a
      Pablo Neira Ayuso authored
      This allows us to access the original content of the batch from
      the commit and the abort paths.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 18 Sep, 2014 1 commit
      Merge branch 'ipvs-next' · fcfa8f49
      Pablo Neira Ayuso authored
      Simon Horman says:
      This pull request makes the following changes:
      * Add simple weighted fail-over scheduler.
        - Unlike other IPVS schedulers this offers fail-over rather than load
          balancing. Connections are directed to the appropriate server based
          solely on highest weight value and server availability.
        - Thanks to Kenny Mathis
      * Support IPv6 real servers in IPv4 virtual-services and vice versa
        - This feature is supported in conjunction with the tunnel (IPIP)
          forwarding mechanism. That is, IPv4 may be forwarded in IPv6 and
          vice versa.
        - The motivation for this is to allow more flexibility in the
          choice of IP version offered by both virtual-servers and
          real-servers as they no longer need to match: An IPv4 connection from an
          end-user may be forwarded to a real-server using IPv6 and vice versa.
        - Further work needs to be done to support this feature in conjunction
          with connection synchronisation. For now such configurations are
          not allowed.
        - This change includes an update to the netlink protocol, adding a new
          destination address family attribute, and the necessary changes
          to plumb this information throughout IPVS.
        - Thanks to Alex Gartrell and Julian Anastasov
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  4. 17 Sep, 2014 3 commits
  5. 16 Sep, 2014 12 commits
  6. 15 Sep, 2014 8 commits
  7. 12 Sep, 2014 2 commits
  8. 11 Sep, 2014 2 commits
  9. 10 Sep, 2014 8 commits