platform/kernel/linux-rpi.git
16 years agomac80211: move tx crypto decision
Johannes Berg [Tue, 18 Dec 2007 14:27:47 +0000 (15:27 +0100)]
mac80211: move tx crypto decision

This patch moves the decision making about whether a frame is encrypted
with a certain algorithm up into the TX handlers rather than having it
in the crypto algorithm implementation.

This fixes a problem with the radiotap injection code where injecting
a non-data packet and requesting encryption could end up asking the
driver to encrypt a packet without giving it a key.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: implement station stats retrieval
Johannes Berg [Wed, 19 Dec 2007 01:03:37 +0000 (02:03 +0100)]
mac80211: implement station stats retrieval

This implements the required cfg80211 callback in mac80211
to allow userspace to get station statistics.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agocfg80211/nl80211: implement station attribute retrieval
Johannes Berg [Wed, 19 Dec 2007 01:03:36 +0000 (02:03 +0100)]
cfg80211/nl80211: implement station attribute retrieval

After a station is added to the kernel's structures, userspace
has to be able to retrieve statistics about that station, especially
whether the station was idle and how much bytes were transferred
to and from it. This adds the necessary code to nl80211.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agocfg80211/nl80211: station handling
Johannes Berg [Wed, 19 Dec 2007 01:03:34 +0000 (02:03 +0100)]
cfg80211/nl80211: station handling

This patch adds station handling to cfg80211/nl80211.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agocfg80211/nl80211: add beacon settings
Johannes Berg [Wed, 19 Dec 2007 01:03:32 +0000 (02:03 +0100)]
cfg80211/nl80211: add beacon settings

This adds the necessary API to cfg80211/nl80211 to allow
changing beaconing settings.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: support getting key sequence counters via cfg80211
Johannes Berg [Wed, 19 Dec 2007 01:03:31 +0000 (02:03 +0100)]
mac80211: support getting key sequence counters via cfg80211

This implements cfg80211's get_key() to allow retrieving the sequence
counter for a TKIP or CCMP key from userspace. It also cleans up and
documents the associated low-level driver interface.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: support adding/removing keys via cfg80211
Johannes Berg [Wed, 19 Dec 2007 01:03:30 +0000 (02:03 +0100)]
mac80211: support adding/removing keys via cfg80211

This adds the necessary hooks to mac80211 to allow userspace
to edit keys with cfg80211 (through nl80211.)

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agocfg80211/nl80211: introduce key handling
Johannes Berg [Wed, 19 Dec 2007 01:03:29 +0000 (02:03 +0100)]
cfg80211/nl80211: introduce key handling

This introduces key handling to cfg80211/nl80211. Default
and group keys can be added, changed and removed; sequence
counters for each key can be retrieved.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agodoc: fix typo in feature-removal-schedule
Stefano Brivio [Wed, 19 Dec 2007 00:46:53 +0000 (01:46 +0100)]
doc: fix typo in feature-removal-schedule

Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: allow easier multicast/broadcast buffering in hardware
Johannes Berg [Wed, 19 Dec 2007 00:31:25 +0000 (01:31 +0100)]
mac80211: allow easier multicast/broadcast buffering in hardware

There are various decisions influencing the decision whether to buffer
a frame for after the next DTIM beacon. The "do we have stations in PS
mode" condition cannot be tested by the driver so mac80211 has to do
that. To ease driver writing for hardware that can buffer frames until
after the next DTIM beacon, introduce a new txctl flag telling the
driver to buffer a specific frame.

While at it, restructure and comment the code for multicast buffering
and remove spurious "inline" directives.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: make ieee80211_rx_mgmt_action static
Johannes Berg [Wed, 19 Dec 2007 00:31:24 +0000 (01:31 +0100)]
mac80211: make ieee80211_rx_mgmt_action static

The function is only used locally.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: clean up eapol handling in TX path
Johannes Berg [Wed, 19 Dec 2007 00:31:23 +0000 (01:31 +0100)]
mac80211: clean up eapol handling in TX path

The previous patch left only one user of the ieee80211_is_eapol()
function and that user can be eliminated easily by introducing
a new "frame is EAPOL" flag to handle the frame specially (we
already have this information) instead of doing the (expensive)
ieee80211_is_eapol() all the time.

Also, allow unencrypted frames to be sent when they are injected.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: clean up eapol frame handling/port control
Johannes Berg [Wed, 19 Dec 2007 00:31:22 +0000 (01:31 +0100)]
mac80211: clean up eapol frame handling/port control

This cleans up the eapol frame handling and some related code in the
receive and transmit paths. After this patch
 * EAPOL frames addressed to us or the EAPOL group address are
   always accepted regardless of whether they are encrypted or not
 * other frames from a station are dropped if PAE is enabled and
   the station is not authorized
 * unencrypted frames (except the EAPOL frames above) are dropped if
   drop_unencrypted is enabled
 * some superfluous code that eth_type_trans handles anyway is gone
 * port control is done for transmitted packets

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agorc80211-pid: export tuning parameters through debugfs
Mattias Nissler [Thu, 20 Dec 2007 12:27:26 +0000 (13:27 +0100)]
rc80211-pid: export tuning parameters through debugfs

This adds all the tunable parameters used by rc80211_pid to debugfs for easy
testing and tuning.

Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agorc80211-pid: add debugging
Mattias Nissler [Wed, 19 Dec 2007 00:27:18 +0000 (01:27 +0100)]
rc80211-pid: add debugging

This adds a new debugfs file from which rate control relevant events can be
read one event per line. The output includes the current time, so graphs can be
created showing the rate control parameters. This helps in evaluating and
tuning rate control parameters. While at it, we split headers and code for
better readability.

Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agorc80211-pid: add sharpening factor
Stefano Brivio [Wed, 19 Dec 2007 00:26:52 +0000 (01:26 +0100)]
rc80211-pid: add sharpening factor

This patch introduces a PID sharpening factor for faster response after
association and low activity events.

Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agorc80211-pid: add rate behaviour learning algorithm
Stefano Brivio [Wed, 19 Dec 2007 00:26:34 +0000 (01:26 +0100)]
rc80211-pid: add rate behaviour learning algorithm

This patch introduces a learning algorithm in order for the PID controller
to learn how to map adjustment values to rates. This is better described in
code comments.

Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: make PID rate control algorithm the default
Stefano Brivio [Wed, 19 Dec 2007 00:26:16 +0000 (01:26 +0100)]
mac80211: make PID rate control algorithm the default

This makes the new PID TX rate control algorithm the default instead of the
rc80211_simple rate control algorithm. The simple algorithm was flawed in
several ways: it wasn't responsive at all and didn't age the information it was
relying on properly. The PID algorithm allows us to tune characteristics such
as responsiveness by adjusting parameters and was found to generally behave
better.

The default algorithm can be overridden to select simple instead. Which
ever algorithm is the default is included as part of the mac80211
module automatically. The other algorithm (simple vs. pid) can
be selected for inclusion as well. If EMBEDDED is selected then
the choice is available to have no default specified and neither
algorithm included in mac80211. The default algorithm can be set
through a modparam.

While at it, mark rc80211-simple as deprecated, and schedule it
for removal.

Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TCP] Avoid two divides in tcp_output.c
Eric Dumazet [Fri, 21 Dec 2007 05:48:32 +0000 (21:48 -0800)]
[TCP] Avoid two divides in tcp_output.c

Because 'free_space' variable in __tcp_select_window() is signed,
expression (free_space / 2) forces compiler to emit an integer divide.

This can be changed to a plain right shift, less expensive.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[XFRM]: Assorted IPsec fixups
Paul Moore [Fri, 21 Dec 2007 04:49:33 +0000 (20:49 -0800)]
[XFRM]: Assorted IPsec fixups

This patch fixes a number of small but potentially troublesome things in the
XFRM/IPsec code:

 * Use the 'audit_enabled' variable already in include/linux/audit.h
   Removed the need for extern declarations local to each XFRM audit fuction

 * Convert 'sid' to 'secid' everywhere we can
   The 'sid' name is specific to SELinux, 'secid' is the common naming
   convention used by the kernel when refering to tokenized LSM labels,
   unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
   we risk breaking userspace

 * Convert address display to use standard NIP* macros
   Similar to what was recently done with the SPD audit code, this also also
   includes the removal of some unnecessary memcpy() calls

 * Move common code to xfrm_audit_common_stateinfo()
   Code consolidation from the "less is more" book on software development

 * Proper spacing around commas in function arguments
   Minor style tweak since I was already touching the code

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[XFRM]: Add packet processing statistics option.
Masahide NAKAMURA [Fri, 21 Dec 2007 04:44:02 +0000 (20:44 -0800)]
[XFRM]: Add packet processing statistics option.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[XFRM]: Support to increment packet dropping statistics.
Masahide NAKAMURA [Fri, 21 Dec 2007 04:43:36 +0000 (20:43 -0800)]
[XFRM]: Support to increment packet dropping statistics.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[XFRM]: Define packet dropping statistics.
Masahide NAKAMURA [Fri, 21 Dec 2007 04:42:57 +0000 (20:42 -0800)]
[XFRM]: Define packet dropping statistics.

This statistics is shown factor dropped by transformation
at /proc/net/xfrm_stat for developer.
It is a counter designed from current transformation source code
and defined as linux private MIB.

See Documentation/networking/xfrm_proc.txt for the detail.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[XFRM] MIPv6: Fix to input RO state correctly.
Masahide NAKAMURA [Fri, 21 Dec 2007 04:41:57 +0000 (20:41 -0800)]
[XFRM] MIPv6: Fix to input RO state correctly.

Disable spin_lock during xfrm_type.input() function.
Follow design as IPsec inbound does.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[XFRM] IPv6: Fix dst/routing check at transformation.
Masahide NAKAMURA [Fri, 21 Dec 2007 04:41:12 +0000 (20:41 -0800)]
[XFRM] IPv6: Fix dst/routing check at transformation.

IPv6 specific thing is wrongly removed from transformation at net-2.6.25.
This patch recovers it with current design.

o Update "path" of xfrm_dst since IPv6 transformation should
  care about routing changes. It is required by MIPv6 and
  off-link destined IPsec.
o Rename nfheader_len which is for non-fragment transformation used by
  MIPv6 to rt6i_nfheader_len as IPv6 name space.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TCP]: Fix TSO deferring
Ilpo Järvinen [Fri, 21 Dec 2007 04:36:03 +0000 (20:36 -0800)]
[TCP]: Fix TSO deferring

I'd say that most of what tcp_tso_should_defer had in between
there was dead code because of this.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Update version to 3.87
Matt Carlson [Fri, 21 Dec 2007 04:10:38 +0000 (20:10 -0800)]
[TG3]: Update version to 3.87

This patch updates the version number to 3.87.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Fix supporting flowctrl code
Matt Carlson [Fri, 21 Dec 2007 04:10:01 +0000 (20:10 -0800)]
[TG3]: Fix supporting flowctrl code

This patch does three things.  It modifies tg3_setup_flow_control() to
use the administrator requested flow control settings if
autonegotiation is turned off.  It slightly modifies the
tg3_setup_fiber_mii_phy() function to account for this new use case.
And finally, it does the same for tg3_setup_copper_phy().

The copper modifications are more than a small multi-line change.  The
new code makes an attempt to avoid a link renegotiation if the link is
active at half duplex and the only difference between the current
advertised settings and requested advertised settings is the
flow control advertisements.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Correct sw autoneg flow control advertisements
Matt Carlson [Fri, 21 Dec 2007 04:09:29 +0000 (20:09 -0800)]
[TG3]: Correct sw autoneg flow control advertisements

This patch modifies the software autoneg code to use the administrator
specified flow control parameters.  Since the autonegotiation code uses
alternative flow control enumerations, the 1000-BaseX utility functions
are used and code was added to convert the definitions to and from the
alternate enumerations.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Correct 5704S flowctrl advertisements
Matt Carlson [Fri, 21 Dec 2007 04:09:00 +0000 (20:09 -0800)]
[TG3]: Correct 5704S flowctrl advertisements

This patch modifies the 5704S hardware autoneg code to use the
administrator specified flow control parameters.  Since the 5704S uses
device specific flow control enumerations, the 1000-BaseX utility
functions are used and code was added to convert the definitions to and
from the proprietary enumerations.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Replace some magic 5704S constants
Matt Carlson [Fri, 21 Dec 2007 04:08:32 +0000 (20:08 -0800)]
[TG3]: Replace some magic 5704S constants

This patch replaces magic values with preprocessor definitions for
the sg_dig_ctrl and sg_dig_status registers.  This is preparatory work
for the next patch.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Add 1000T & 1000X flowctl adv helpers
Matt Carlson [Fri, 21 Dec 2007 04:08:00 +0000 (20:08 -0800)]
[TG3]: Add 1000T & 1000X flowctl adv helpers

This patch adds two functions designed to convert abstract TX & RX
flow control parameters to 1000-BaseT and 1000-BaseX autonegotiation
advertisements.  Code that uses standard definitions which statically
advertises TX & RX flow control has been replaced with code that
configures the advertisements based on administrator dictated
preferences.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Add 1000T & 1000X flowctrl resolvers
Matt Carlson [Fri, 21 Dec 2007 04:06:19 +0000 (20:06 -0800)]
[TG3]: Add 1000T & 1000X flowctrl resolvers

This patch adds two new utility functions to resolve flow control.  One
function resolves flow control based on 1000-BaseT register definitions.
The other resolves flow control based on 1000-Base X register
definitions.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Separate requested and actual flow control parameters
Matt Carlson [Fri, 21 Dec 2007 04:05:44 +0000 (20:05 -0800)]
[TG3]: Separate requested and actual flow control parameters

This patch removes the TX and RX flow control flags from tg3_flags and
adds two new flow control variables, flowctrl and active_flowctrl.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NEIGH]: Make neigh_add_timer symmetrical to neigh_del_timer.
Pavel Emelyanov [Thu, 20 Dec 2007 23:49:05 +0000 (15:49 -0800)]
[NEIGH]: Make neigh_add_timer symmetrical to neigh_del_timer.

The neigh_del_timer() looks sane - it removes the timer and
(conditionally) puts the neighbor. I expected, that the
neigh_add_timer() is symmetrical to the del one - i.e. it
holds the neighbor and arms the timer - but it turned out
that it was not so.

I think, that making them look symmetrical makes the code
more readable.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[INET]: Uninline the inet_twsk_put function.
Pavel Emelyanov [Thu, 20 Dec 2007 23:32:54 +0000 (15:32 -0800)]
[INET]: Uninline the inet_twsk_put function.

This one is not that big, but is widely used: saves 1200 bytes
from net/ipv4/built-in.o

add/remove: 1/0 grow/shrink: 1/12 up/down: 97/-1300 (-1203)
function                                     old     new   delta
inet_twsk_put                                  -      87     +87
__inet_lookup_listener                       274     284     +10
tcp_sacktag_write_queue                     2255    2254      -1
tcp_time_wait                                482     411     -71
__inet_check_established                     796     722     -74
tcp_v4_err                                   973     898     -75
__inet_twsk_kill                             230     154     -76
inet_twsk_deschedule                         180     103     -77
tcp_v4_do_rcv                                462     384     -78
inet_hash_connect                            686     607     -79
inet_twdr_do_twkill_work                     236     150     -86
inet_twdr_twcal_tick                         395     307     -88
tcp_v4_rcv                                  1744    1480    -264
tcp_timewait_state_process                   975     644    -331

Export it for ipv6 module.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[INET]: Uninline the __inet_lookup_established function.
Pavel Emelyanov [Thu, 20 Dec 2007 23:32:17 +0000 (15:32 -0800)]
[INET]: Uninline the __inet_lookup_established function.

This is -700 bytes from the net/ipv4/built-in.o

add/remove: 1/0 grow/shrink: 1/3 up/down: 340/-1040 (-700)
function                                     old     new   delta
__inet_lookup_established                      -     339    +339
tcp_sacktag_write_queue                     2254    2255      +1
tcp_v4_err                                  1304     973    -331
tcp_v4_rcv                                  2089    1744    -345
tcp_v4_do_rcv                                826     462    -364

Exporting is for dccp module (used via e.g. inet_lookup).

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[INET]: Uninline the __inet_hash function.
Pavel Emelyanov [Thu, 20 Dec 2007 23:31:33 +0000 (15:31 -0800)]
[INET]: Uninline the __inet_hash function.

This one is used in quite many places in the networking code and
seems to big to be inline.

After the patch net/ipv4/build-in.o loses ~650 bytes:
add/remove: 2/0 grow/shrink: 0/5 up/down: 461/-1114 (-653)
function                                     old     new   delta
__inet_hash_nolisten                           -     282    +282
__inet_hash                                    -     179    +179
tcp_sacktag_write_queue                     2255    2254      -1
__inet_lookup_listener                       284     274     -10
tcp_v4_syn_recv_sock                         755     493    -262
tcp_v4_hash                                  389      35    -354
inet_hash_connect                           1086     599    -487

This version addresses the issue pointed by Eric, that
while being inline this function was optimized by gcc
in respect to the 'listen_possible' argument.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Follow Add-IP security consideratiosn wrt INIT/INIT-ACK
Vlad Yasevich [Thu, 20 Dec 2007 22:13:31 +0000 (14:13 -0800)]
[SCTP]: Follow Add-IP security consideratiosn wrt INIT/INIT-ACK

The Security Considerations section of RFC 5061 has the following
text:

   If an SCTP endpoint that supports this extension receives an INIT
   that indicates that the peer supports the ASCONF extension but does
   NOT support the [RFC4895] extension, the receiver of such an INIT
   MUST send an ABORT in response.  Note that an implementation is
   allowed to silently discard such an INIT as an option as well, but
   under NO circumstance is an implementation allowed to proceed with
   the association setup by sending an INIT-ACK in response.

   An implementation that receives an INIT-ACK that indicates that the
   peer does not support the [RFC4895] extension MUST NOT send the
   COOKIE-ECHO to establish the association.  Instead, the
   implementation MUST discard the INIT-ACK and report to the upper-
   layer user that an association cannot be established destroying the
   Transmission Control Block (TCB).

Follow the recomendations.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Implement ADD-IP special case processing for ABORT chunk
Vlad Yasevich [Thu, 20 Dec 2007 22:12:59 +0000 (14:12 -0800)]
[SCTP]: Implement ADD-IP special case processing for ABORT chunk

ADD-IP spec has a special case for processing ABORTs:
    F4) ... One special consideration is that ABORT
        Chunks arriving destined to the IP address being deleted MUST be
        ignored (see Section 5.3.1 for further details).

Check if the address we received on is in the DEL state, and if
so, ignore the ABORT.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Change use_as_src into a full address state
Vlad Yasevich [Thu, 20 Dec 2007 22:12:24 +0000 (14:12 -0800)]
[SCTP]: Change use_as_src into a full address state

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Update ASCONF processing to conform to spec.
Vlad Yasevich [Thu, 20 Dec 2007 22:11:47 +0000 (14:11 -0800)]
[SCTP]: Update ASCONF processing to conform to spec.

The processing of the ASCONF chunks has changed a lot in the
spec.  New items are:
    1. A list of ASCONF-ACK chunks is now cached
    2. The source of the packet is used in response.
    3. New handling for unexpect ASCONF chunks.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: ADD-IP updates the states where ASCONFs can be sent
Vlad Yasevich [Thu, 20 Dec 2007 22:11:11 +0000 (14:11 -0800)]
[SCTP]: ADD-IP updates the states where ASCONFs can be sent

   C4)  Both ASCONF and ASCONF-ACK Chunks MUST NOT be sent in any SCTP
        state except ESTABLISHED, SHUTDOWN-PENDING, SHUTDOWN-RECEIVED,
        and SHUTDOWN-SENT.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Update association lookup to look at ASCONF chunks as well
Vlad Yasevich [Thu, 20 Dec 2007 22:10:38 +0000 (14:10 -0800)]
[SCTP]: Update association lookup to look at ASCONF chunks as well

ADD-IP draft section 5.2 specifies that if an association can not
be found using the source and destination of the IP packet,
then, if the packet contains ASCONF chunks, the Address Parameter
TLV should be used to lookup an association.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT
Vlad Yasevich [Thu, 20 Dec 2007 22:10:00 +0000 (14:10 -0800)]
[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT

The ADD-IP "Set Primary IP Address" parameter is allowed in the
INIT/INIT-ACK exchange.  Allow processing of this parameter during
the INIT/INIT-ACK.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Handle the wildcard ADD-IP Address parameter
Vlad Yasevich [Thu, 20 Dec 2007 22:08:56 +0000 (14:08 -0800)]
[SCTP]: Handle the wildcard ADD-IP Address parameter

The Address Parameter in the parameter list of the ASCONF chunk
may be a wildcard address.  In this case special processing
is required.  For the 'add' case, the source IP of the packet is
added.  In the 'del' case, all addresses except the source IP
of packet are removed. In the "mark primary" case, the source
address is marked as primary.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SCTP]: Discard unauthenticated ASCONF and ASCONF ACK chunks
Vlad Yasevich [Thu, 20 Dec 2007 22:08:04 +0000 (14:08 -0800)]
[SCTP]: Discard unauthenticated ASCONF and ASCONF ACK chunks

Now that we support AUTH, discard unauthenticated ASCONF and ASCONF ACK
chunks as mandated in the ADD-IP spec.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[IPSEC]: Rename tunnel-mode functions to avoid collisions with tunnels
Herbert Xu [Thu, 20 Dec 2007 21:53:40 +0000 (13:53 -0800)]
[IPSEC]: Rename tunnel-mode functions to avoid collisions with tunnels

It appears that I've managed to create two different functions both
called xfrm6_tunnel_output.  This is because we have the plain tunnel
encapsulation named xfrmX_tunnel as well as the tunnel-mode encapsulation
which lives in the files xfrmX_mode_tunnel.c.

This patch renames functions from the latter to use the xfrmX_mode_tunnel
prefix to avoid name-space conflicts.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: add PID controller based rate control algorithm
Mattias Nissler [Wed, 19 Dec 2007 00:25:57 +0000 (01:25 +0100)]
mac80211: add PID controller based rate control algorithm

Add a new rate control algorithm based on a PID controller. It samples the
percentage of failed frames over time, feeds the result into the controller and
uses its output to control the TX rate.

Signed-off-by: Mattias Nissler <mattias.nissler@gmx.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: clean up rate selection
Mattias Nissler [Thu, 20 Dec 2007 12:50:07 +0000 (13:50 +0100)]
mac80211: clean up rate selection

Move some code out of rc80211_simple since it's probably needed for all rate
selection algorithms, and fix iwlwifi accordingly. While at it, clean up the
rate_control_get_rate() interface.

Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years agomac80211: pass in PS_POLL frames
Ron Rindjunsky [Tue, 18 Dec 2007 15:23:53 +0000 (17:23 +0200)]
mac80211: pass in PS_POLL frames

This patch fixes should_drop_frame function to pass in ps poll control
frames required for power save functioanlity. Interface types that do not
have interest for PS POLL frames now drop it in handler.

Signed-off-by: Ron Rindjunsky <ron.rindjunsky@intel.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SNMP]: Fix SNMP counters with PREEMPT
Herbert Xu [Thu, 20 Dec 2007 12:13:21 +0000 (04:13 -0800)]
[SNMP]: Fix SNMP counters with PREEMPT

The SNMP macros use raw_smp_processor_id() in process context
which is illegal because the process may be preempted and then
migrated to another CPU.

This patch makes it use get_cpu/put_cpu to disable preemption.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NIU]: Use print_mac
Joe Perches [Thu, 20 Dec 2007 12:07:35 +0000 (04:07 -0800)]
[NIU]: Use print_mac

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[TG3]: Use print_mac
Joe Perches [Thu, 20 Dec 2007 12:06:59 +0000 (04:06 -0800)]
[TG3]: Use print_mac

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[SUNVNET]: Use print_mac
Joe Perches [Thu, 20 Dec 2007 12:06:25 +0000 (04:06 -0800)]
[SUNVNET]: Use print_mac

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[IPSEC]: Do xfrm_state_check_space before encapsulation
Herbert Xu [Wed, 19 Dec 2007 06:14:25 +0000 (22:14 -0800)]
[IPSEC]: Do xfrm_state_check_space before encapsulation

While merging the IPsec output path I moved the encapsulation output
operation to the top of the loop so that it sits outside of the locked
section.  Unfortunately in doing so it now sits in front of the space
check as well which could be a fatal error.

This patch rearranges the calls so that the space check happens as
the thing on the output path.

This patch also fixes an incorrect goto should the encapsulation output
fail.

Thanks to Kazunori MIYAZAWA for finding this bug.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option
Patrick McHardy [Tue, 18 Dec 2007 06:47:05 +0000 (22:47 -0800)]
[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option

The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter
options when disabled and provides defaults (M) that should allow to
run a distribution firewall without further thinking.

Defaults to 'y' to avoid breaking current configurations.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: non-power-of-two jhash optimizations
Patrick McHardy [Tue, 18 Dec 2007 06:45:52 +0000 (22:45 -0800)]
[NETFILTER]: non-power-of-two jhash optimizations

Apply Eric Dumazet's jhash optimizations where applicable. Quoting Eric:

Thanks to jhash, hash value uses full 32 bits. Instead of returning
hash % size (implying a divide) we return the high 32 bits of the
(hash * size) that will give results between [0 and size-1] and same
hash distribution.

On most cpus, a multiply is less expensive than a divide, by an order
of magnitude.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: xt_hashlimit: reduce overhead without IPv6
Eric Dumazet [Tue, 18 Dec 2007 06:45:28 +0000 (22:45 -0800)]
[NETFILTER]: xt_hashlimit: reduce overhead without IPv6

This patch generalizes the (CONFIG_IP6_NF_IPTABLES || CONFIG_IP6_NF_IPTABLES_MODULE)
test done in hashlimit_init_dst() to all the xt_hashlimit module.

This permits a size reduction of "struct dsthash_dst". This saves memory and
cpu for IPV4 only hosts.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: xt_hashlimit: speedup hash_dst()
Eric Dumazet [Tue, 18 Dec 2007 06:45:13 +0000 (22:45 -0800)]
[NETFILTER]: xt_hashlimit: speedup hash_dst()

1) Using jhash2() instead of jhash() is a litle bit faster if applicable.

2) Thanks to jhash, hash value uses full 32 bits.
   Instead of returning hash % size (implying a divide)
   we return the high 32 bits of the (hash * size) that will
   give results between [0 and size-1] and same hash distribution.

  On most cpus, a multiply is less expensive than a divide, by an order
  of magnitude.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: xt_connlimit: use the new union nf_inet_addr
Jan Engelhardt [Tue, 18 Dec 2007 06:44:47 +0000 (22:44 -0800)]
[NETFILTER]: xt_connlimit: use the new union nf_inet_addr

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: Parenthesize macro parameters
Jan Engelhardt [Tue, 18 Dec 2007 06:44:06 +0000 (22:44 -0800)]
[NETFILTER]: Parenthesize macro parameters

Parenthesize macro parameters.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: Introduce nf_inet_address
Jan Engelhardt [Tue, 18 Dec 2007 06:43:50 +0000 (22:43 -0800)]
[NETFILTER]: Introduce nf_inet_address

A few netfilter modules provide their own union of IPv4 and IPv6
address storage. Will unify that in this patch series.

(1/4): Rename union nf_conntrack_address to union nf_inet_addr and
move it to x_tables.h.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: x_tables: use %u format specifiers
Jan Engelhardt [Tue, 18 Dec 2007 06:43:15 +0000 (22:43 -0800)]
[NETFILTER]: x_tables: use %u format specifiers

Use %u format specifiers as ->family is unsigned.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_nat: properly use RCU for ip_nat_decode_session
Patrick McHardy [Tue, 18 Dec 2007 06:42:51 +0000 (22:42 -0800)]
[NETFILTER]: nf_nat: properly use RCU for ip_nat_decode_session

We need to use rcu_assign_pointer/rcu_dereference to avoid races.
Also remove an obsolete CONFIG_IP_NAT_NEEDED ifdef.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: constify nf_afinfo
Patrick McHardy [Tue, 18 Dec 2007 06:42:27 +0000 (22:42 -0800)]
[NETFILTER]: constify nf_afinfo

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: Kill function prototype for non-existing function
Patrick McHardy [Tue, 18 Dec 2007 06:42:09 +0000 (22:42 -0800)]
[NETFILTER]: Kill function prototype for non-existing function

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nfnetlink_log: include GID in netlink message
Patrick McHardy [Tue, 18 Dec 2007 06:41:52 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_log: include GID in netlink message

Similar to Maciej Soltysiak's ipt_LOG patch, include GID in addition
to UID in netlink message.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nfnetlink_log: use endianness-aware attribute functions
Patrick McHardy [Tue, 18 Dec 2007 06:41:35 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_log: use endianness-aware attribute functions

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nfnetlink_{queue,log}: return proper error codes in instance_create
Patrick McHardy [Tue, 18 Dec 2007 06:41:21 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_{queue,log}: return proper error codes in instance_create

Currently we return EINVAL for "instance exists", "allocation failed" and
"module unloaded below us", which is completely inapproriate.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nfnetlink_log: remove excessive debugging
Patrick McHardy [Tue, 18 Dec 2007 06:41:02 +0000 (22:41 -0800)]
[NETFILTER]: nfnetlink_log: remove excessive debugging

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nfnetlink_{queue,log}: return ENOTSUPP for unknown cfg commands
Patrick McHardy [Tue, 18 Dec 2007 06:40:19 +0000 (22:40 -0800)]
[NETFILTER]: nfnetlink_{queue,log}: return ENOTSUPP for unknown cfg commands

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config
Patrick McHardy [Tue, 18 Dec 2007 06:39:55 +0000 (22:39 -0800)]
[NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config

Similar to the nfnetlink_queue fixes:

The peer_pid must be checked in all cases when a logging instance exists,
additionally we must check whether an instance exists before attempting
to configure it to avoid NULL ptr dereferences.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_log: remove incomprehensible comment
Patrick McHardy [Tue, 18 Dec 2007 06:39:27 +0000 (22:39 -0800)]
[NETFILTER]: nf_log: remove incomprehensible comment

Whatever that comment tries to say, I don't get it and it looks like
a leftover from the time when RCU wasn't used properly.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_log: constify struct nf_logger and nf_log_packet loginfo arg
Patrick McHardy [Tue, 18 Dec 2007 06:39:08 +0000 (22:39 -0800)]
[NETFILTER]: nf_log: constify struct nf_logger and nf_log_packet loginfo arg

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_log: move logging stuff to seperate header
Patrick McHardy [Tue, 18 Dec 2007 06:38:49 +0000 (22:38 -0800)]
[NETFILTER]: nf_log: move logging stuff to seperate header

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_nat: pass manip type instead of hook to nf_nat_setup_info
Patrick McHardy [Tue, 18 Dec 2007 06:38:20 +0000 (22:38 -0800)]
[NETFILTER]: nf_nat: pass manip type instead of hook to nf_nat_setup_info

nf_nat_setup_info gets the hook number and translates that to the
manip type to perform. This is a relict from the time when one
manip per hook could exist, the exact hook number doesn't matter
anymore, its converted to the manip type. Most callers already
know what kind of NAT they want to perform, so pass the maniptype
in directly.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_nat: sprinkle a few __read_mostlys
Patrick McHardy [Tue, 18 Dec 2007 06:37:52 +0000 (22:37 -0800)]
[NETFILTER]: nf_nat: sprinkle a few __read_mostlys

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_nat: mark NAT protocols const
Patrick McHardy [Tue, 18 Dec 2007 06:37:36 +0000 (22:37 -0800)]
[NETFILTER]: nf_nat: mark NAT protocols const

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_nat_proto_gre: add missing module reference
Patrick McHardy [Tue, 18 Dec 2007 06:37:20 +0000 (22:37 -0800)]
[NETFILTER]: nf_nat_proto_gre: add missing module reference

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ctnetlink: fix expectation timeout dumping
Patrick McHardy [Tue, 18 Dec 2007 06:37:03 +0000 (22:37 -0800)]
[NETFILTER]: ctnetlink: fix expectation timeout dumping

When the timer is late its timeout might be before the current time,
in which case a very large value is dumped.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ctnetlink: use netlink attribute helpers
Patrick McHardy [Tue, 18 Dec 2007 06:29:45 +0000 (22:29 -0800)]
[NETFILTER]: ctnetlink: use netlink attribute helpers

Use NLA_PUT_BE32, nla_get_be32() etc.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETLINK]: Add NLA_PUT_BE16/nla_get_be16()
Patrick McHardy [Tue, 18 Dec 2007 06:29:26 +0000 (22:29 -0800)]
[NETLINK]: Add NLA_PUT_BE16/nla_get_be16()

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: nf_conntrack_sctp: add ctnetlink support
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:29:02 +0000 (22:29 -0800)]
[NETFILTER]: nf_conntrack_sctp: add ctnetlink support

This patch adds support for SCTP to ctnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ctnetlink: add support for secmark
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:28:41 +0000 (22:28 -0800)]
[NETFILTER]: ctnetlink: add support for secmark

This patch adds support for James Morris' connsecmark.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ctnetlink: add support for master tuple event notification and dumping
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:28:19 +0000 (22:28 -0800)]
[NETFILTER]: ctnetlink: add support for master tuple event notification and dumping

This patch adds support for master tuple event notification and
dumping.  Conntrackd needs this information to recover related
connections appropriately.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ctnetlink: add support for NAT sequence adjustments
Pablo Neira Ayuso [Tue, 18 Dec 2007 06:28:00 +0000 (22:28 -0800)]
[NETFILTER]: ctnetlink: add support for NAT sequence adjustments

The combination of NAT and helpers may produce TCP sequence adjustments.
In failover setups, this information needs to be replicated in order to
achieve a successful recovery of mangled, related connections. This patch is
particularly useful for conntrackd, see:

http://people.netfilter.org/pablo/conntrack-tools/

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: xt_TCPMSS: don't allow netfilter --setmss to increase mss
Benjamin LaHaise [Tue, 18 Dec 2007 06:27:36 +0000 (22:27 -0800)]
[NETFILTER]: xt_TCPMSS: don't allow netfilter --setmss to increase mss

When terminating DSL connections for an assortment of random customers, I've
found it necessary to use iptables to clamp the MSS used for connections to
work around the various ICMP blackholes in the greater net.  Unfortunately,
the current behaviour in Linux is imperfect and actually make things worse,
so I'm proposing the following: increasing the MSS in a packet can never be
a good thing, so make --set-mss only lower the MSS in a packet.

Yes, I am aware of --clamp-mss-to-pmtu, but it doesn't work for outgoing
connections from clients (ie web traffic), as it only looks at the PMTU on
the destination route, not the source of the packet (the DSL interfaces in
question have a 1442 byte MTU while the destination ethernet interface is
1500 -- there are problematic hosts which use a 1300 byte MTU).  Reworking
that is probably a good idea at some point, but it's more work than this is.

Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: add compat support
Patrick McHardy [Tue, 18 Dec 2007 06:26:54 +0000 (22:26 -0800)]
[NETFILTER]: arp_tables: add compat support

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: resync get_entries() with ip_tables
Patrick McHardy [Tue, 18 Dec 2007 06:26:38 +0000 (22:26 -0800)]
[NETFILTER]: arp_tables: resync get_entries() with ip_tables

Resync get_entries() with ip_tables.c by moving the checks from the
setsockopt handler to the function itself.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: move ARPT_SO_GET_INFO handling to seperate function
Patrick McHardy [Tue, 18 Dec 2007 06:26:24 +0000 (22:26 -0800)]
[NETFILTER]: arp_tables: move ARPT_SO_GET_INFO handling to seperate function

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: move counter allocation to seperate function
Patrick McHardy [Tue, 18 Dec 2007 05:56:48 +0000 (21:56 -0800)]
[NETFILTER]: arp_tables: move counter allocation to seperate function

More resyncing with ip_tables.c as preparation for compat support.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: move entry and target checks to seperate functions
Patrick McHardy [Tue, 18 Dec 2007 05:56:33 +0000 (21:56 -0800)]
[NETFILTER]: arp_tables: move entry and target checks to seperate functions

Resync with ip_tables.c as preparation for compat support.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: remove ipchains compat hack
Patrick McHardy [Tue, 18 Dec 2007 05:56:14 +0000 (21:56 -0800)]
[NETFILTER]: arp_tables: remove ipchains compat hack

Remove compatiblity hack copied from ip_tables.c - ipchains didn't even
support arp_tables :)

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: use vmalloc_node()
Patrick McHardy [Tue, 18 Dec 2007 05:55:59 +0000 (21:55 -0800)]
[NETFILTER]: arp_tables: use vmalloc_node()

Use vmalloc_node() as in ip_tables.c.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: use XT_ALIGN
Patrick McHardy [Tue, 18 Dec 2007 05:55:34 +0000 (21:55 -0800)]
[NETFILTER]: arp_tables: use XT_ALIGN

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: arp_tables: remove obsolete standard_check function
Patrick McHardy [Tue, 18 Dec 2007 05:55:16 +0000 (21:55 -0800)]
[NETFILTER]: arp_tables: remove obsolete standard_check function

The size check is already performed by xt_check_target, no need
to do it again.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ip6_tables: use XT_ALIGN
Patrick McHardy [Tue, 18 Dec 2007 05:53:40 +0000 (21:53 -0800)]
[NETFILTER]: ip6_tables: use XT_ALIGN

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ip_tables: remove ipchains compatibility hack
Patrick McHardy [Tue, 18 Dec 2007 05:53:18 +0000 (21:53 -0800)]
[NETFILTER]: ip_tables: remove ipchains compatibility hack

ipchains support has been removed years ago. kill last remains.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago[NETFILTER]: ip6_tables: use raw_smp_processor_id() in do_add_counters()
Patrick McHardy [Tue, 18 Dec 2007 05:52:52 +0000 (21:52 -0800)]
[NETFILTER]: ip6_tables: use raw_smp_processor_id() in do_add_counters()

Use raw_smp_processor_id() in do_add_counters() as in ip_tables.c.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>