Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/route.c | 9 | ||||
-rw-r--r-- | net/ipv4/xfrm4_policy.c | 13 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_ip.c | 4 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_ipport.c | 7 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_ipportip.c | 7 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_ipportnet.c | 7 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_cttimeout.c | 3 |
7 files changed, 22 insertions, 28 deletions
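--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1785,6 +1785,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 if (dev_out->flags & IFF_LOOPBACK)
 flags |= RTCF_LOCAL;
 
+do_cache = true;
 if (type == RTN_BROADCAST) {
 flags |= RTCF_BROADCAST | RTCF_LOCAL;
 fi = NULL;
@@ -1793,6 +1794,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
 fl4->flowi4_proto))
 flags &= ~RTCF_LOCAL;
+else
+do_cache = false;
 /* If multicast route do not exist use
 * default one, but do not gateway in this case.
 * Yes, it is hack.
@@ -1802,8 +1805,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
 }
 
 fnhe = NULL;
-do_cache = fi != NULL;
-if (fi) {
+do_cache &= fi != NULL;
+if (do_cache) {
 struct rtable __rcu **prth;
 struct fib_nh *nh = &FIB_RES_NH(*res);
 
@@ -2597,7 +2600,7 @@ int __init ip_rt_init(void)
 pr_err("Unable to create route proc files\n");
 #ifdef CONFIG_XFRM
 xfrm_init();
-xfrm4_init(ip_rt_max_size);
+xfrm4_init();
 #endif
 rtnl_register(PF_INET, RTM_GETROUTE, inet_rtm_getroute, NULL, NULL);
 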
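Review bot: The intent of the new `else do_cache = false;` at 1797-1798 is not stated: when ip_check_mc_rcu() reports the device is a group member, RTCF_LOCAL stays set and the route is now kept out of the nexthop cache, while `do_cache &= fi != NULL;` at 1808 folds the no-fib case in through a bitwise op on a bool. A one-line comment would save the next reader that reconstruction, e.g. `/* RTCF_LOCAL here depends on group membership, which can change: do not cache */` — hedged, since the reason is inferred from the hunk rather than stated by it. `if (!fi) do_cache = false;` reads more plainly than `&=` on a bool. Whether do_cache is read anywhere between the start of __mkroute_output and the new `do_cache = true;` at 1788 is outside the hunk; the function starts and ends outside it.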
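--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -279,19 +279,8 @@ static void __exit xfrm4_policy_fini(void)
 xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
 }
 
-void __init xfrm4_init(int rt_max_size)
+void __init xfrm4_init(void)
 {
-/*
-* Select a default value for the gc_thresh based on the main route
-* table hash size. It seems to me the worst case scenario is when
-* we have ipsec operating in transport mode, in which we create a
-* dst_entry per socket. The xfrm gc algorithm starts trying to remove
-* entries at gc_thresh, and prevents new allocations as 2*gc_thresh
-* so lets set an initial xfrm gc_thresh value at the rt_max_size/2.
-* That will let us store an ipsec connection per route table entry,
-* and start cleaning when were 1/2 full
-*/
-xfrm4_dst_ops.gc_thresh = rt_max_size/2;
 dst_entries_init(&xfrm4_dst_ops);
 
 xfrm4_state_init();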
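Review bot: xfrm4_init() no longer sets xfrm4_dst_ops.gc_thresh, and with the deleted comment the hunk also drops the only explanation of where that threshold comes from; whatever default now applies must come from the static definition of xfrm4_dst_ops, which is outside this hunk. Per the removed comment the xfrm GC starts evicting at gc_thresh and refuses new allocations at 2*gc_thresh, so an unintended default is a resource-exhaustion concern rather than a cosmetic one, and the new source of truth deserves a pointer. Suggest `/* gc_thresh now comes from the static initializer of xfrm4_dst_ops, no longer from rt_max_size */` above dst_entries_init(). xfrm4_init's body ends outside the hunk.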
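--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -173,6 +173,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 return adtfn(set, &nip, timeout, flags);
 }
 
+ip_to = ip;
 if (tb[IPSET_ATTR_IP_TO]) {
 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 if (ret)
@@ -185,8 +186,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 if (!cidr || cidr > 32)
 return -IPSET_ERR_INVALID_CIDR;
 ip_set_mask_from_to(ip, ip_to, cidr);
-} else
-ip_to = ip;
+}
 
 hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
 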
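--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -162,7 +162,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 const struct ip_set_hash *h = set->data;
 ipset_adtfn adtfn = set->variant->adt[adt];
 struct hash_ipport4_elem data = { };
-u32 ip, ip_to = 0, p = 0, port, port_to;
+u32 ip, ip_to, p = 0, port, port_to;
 u32 timeout = h->timeout;
 bool with_ports = false;
 int ret;
@@ -210,7 +210,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 return ip_set_eexist(ret, flags) ? 0 : ret;
 }
 
-ip = ntohl(data.ip);
+ip_to = ip = ntohl(data.ip);
 if (tb[IPSET_ATTR_IP_TO]) {
 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 if (ret)
@@ -223,8 +223,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 if (!cidr || cidr > 32)
 return -IPSET_ERR_INVALID_CIDR;
 ip_set_mask_from_to(ip, ip_to, cidr);
-} else
-ip_to = ip;
+}
 
 port_to = port = ntohs(data.port);
 if (with_ports && tb[IPSET_ATTR_PORT_TO]) {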
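Review bot: Dropping the `ip_to = 0` initializer at 165 is only safe if no path reads ip_to before the new `ip_to = ip = ntohl(data.ip);` at 213; lines 166-209 are outside the hunk, so that cannot be confirmed here, and the same applies to ip_set_hash_ipportip.c (169 and 221). The chained assignment is fine, but ip_set_hash_ip.c and ip_set_hash_ipportnet.c use a separate `ip_to = ip;` statement for the same step; one form across the four files would make the range-defaulting easier to audit. A short comment at 213, `/* single address unless IPSET_ATTR_IP_TO widens the range */`, would state the default. hash_ipport4_uadt starts and ends outside the hunks.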
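--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -166,7 +166,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 const struct ip_set_hash *h = set->data;
 ipset_adtfn adtfn = set->variant->adt[adt];
 struct hash_ipportip4_elem data = { };
-u32 ip, ip_to = 0, p = 0, port, port_to;
+u32 ip, ip_to, p = 0, port, port_to;
 u32 timeout = h->timeout;
 bool with_ports = false;
 int ret;
@@ -218,7 +218,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 return ip_set_eexist(ret, flags) ? 0 : ret;
 }
 
-ip = ntohl(data.ip);
+ip_to = ip = ntohl(data.ip);
 if (tb[IPSET_ATTR_IP_TO]) {
 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 if (ret)
@@ -231,8 +231,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 if (!cidr || cidr > 32)
 return -IPSET_ERR_INVALID_CIDR;
 ip_set_mask_from_to(ip, ip_to, cidr);
-} else
-ip_to = ip;
+}
 
 port_to = port = ntohs(data.port);
 if (with_ports && tb[IPSET_ATTR_PORT_TO]) {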
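--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -215,8 +215,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 const struct ip_set_hash *h = set->data;
 ipset_adtfn adtfn = set->variant->adt[adt];
 struct hash_ipportnet4_elem data = { .cidr = HOST_MASK - 1 };
-u32 ip, ip_to = 0, p = 0, port, port_to;
-u32 ip2_from = 0, ip2_to, ip2_last, ip2;
+u32 ip, ip_to, p = 0, port, port_to;
+u32 ip2_from, ip2_to, ip2_last, ip2;
 u32 timeout = h->timeout;
 bool with_ports = false;
 u8 cidr;
@@ -286,6 +286,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 return ip_set_eexist(ret, flags) ? 0 : ret;
 }
 
+ip_to = ip;
 if (tb[IPSET_ATTR_IP_TO]) {
 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 if (ret)
@@ -306,6 +307,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 if (port > port_to)
 swap(port, port_to);
 }
+
+ip2_to = ip2_from;
 if (tb[IPSET_ATTR_IP2_TO]) {
 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
 if (ret)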
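Review bot: `ip2_from` loses its `= 0` initializer at 219 while the new `ip2_to = ip2_from;` at 311 reads it unconditionally; the store to ip2_from lies somewhere in lines 223-285, outside the hunk, so every path that reaches 311 must have passed it, otherwise this is a read of an uninitialized automatic (undefined behaviour, which -Wmaybe-uninitialized may or may not report). Either keep the initializer or add a comment at 311 such as `/* ip2_from is set earlier in this function; default the second range to one address */` (hedged, since where ip2_from is assigned is not visible here). The same reasoning covers the ip_to change at 218 and 289. hash_ipportnet4_uadt starts and ends outside the hunks.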
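--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -41,7 +41,8 @@ MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tu
 static LIST_HEAD(cttimeout_list);
 
 static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
-[CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING },
+[CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING,
+.len = CTNL_TIMEOUT_NAME_MAX - 1},
 [CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 },
 [CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 },
 [CTA_TIMEOUT_DATA] = { .type = NLA_NESTED },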
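Review bot: The new `.len = CTNL_TIMEOUT_NAME_MAX - 1` at 45 bounds an attribute that arrives from userspace, which is the right place to enforce it, but the `- 1` is easy to misread as an off-by-one. For NLA_NUL_STRING the policy's len is the maximum string length excluding the terminating NUL, so the value is correct for a name that must fit a CTNL_TIMEOUT_NAME_MAX-byte buffer; a comment would stop someone "fixing" it later: `/* .len excludes the NUL: a name must fit in CTNL_TIMEOUT_NAME_MAX bytes */`. Where the validated name is copied into that buffer is outside the hunk.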