Auto merge with /home/aegl/GIT/linus

author: Tony Luck <tony.luck@intel.com> 2005-07-13 15:15:43 -0400
committer: Tony Luck <tony.luck@intel.com> 2005-07-13 15:15:43 -0400
commit: 99ad25a313bda566a346b46a6015afa65bc0a02b (patch)
tree: b9443fed1ab74f320c4ee0791864ee96d7c069df /net/ipv4
parent: f62c4a96f74d6c6dd56d1742697e94a5c2085e87 (diff)
parent: 9a556e89081b0c1c2f83cee915363b15a68a6f2d (diff)
7 files changed, 24 insertions, 38 deletions
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 3e63123f7b..df5386885a 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -3,7 +3,6 @@
 #
 config IP_MULTICAST
        bool "IP: multicasting"
-        depends on INET
        help
          This is code for addressing several networked computers at once,
          enlarging your kernel by about 2 KB. You need multicasting if you
@@ -17,7 +16,6 @@ config IP_MULTICAST
 config IP_ADVANCED_ROUTER
        bool "IP: advanced router"
-        depends on INET
        ---help---
          If you intend to run your Linux box mostly as a router, i.e. as a
          computer that forwards and redistributes network packets, say Y; you
@@ -183,7 +181,6 @@ config IP_ROUTE_VERBOSE
 config IP_PNP
        bool "IP: kernel level autoconfiguration"
-        depends on INET
        help
          This enables automatic configuration of IP addresses of devices and
          of the routing table during kernel boot, based on either information
@@ -242,7 +239,6 @@ config IP_PNP_RARP
 #   bool '    IP: ARP support' CONFIG_IP_PNP_ARP                
 config NET_IPIP
        tristate "IP: tunneling"
-        depends on INET
        select INET_TUNNEL
        ---help---
          Tunneling means encapsulating data of one protocol type within
@@ -260,7 +256,6 @@ config NET_IPIP
 config NET_IPGRE
        tristate "IP: GRE tunnels over IP"
-        depends on INET
        select XFRM
        help
          Tunneling means encapsulating data of one protocol type within
@@ -319,7 +314,7 @@ config IP_PIMSM_V2
 config ARPD
        bool "IP: ARP daemon support (EXPERIMENTAL)"
-        depends on INET && EXPERIMENTAL
+        depends on EXPERIMENTAL
        ---help---
          Normally, the kernel maintains an internal cache which maps IP
          addresses to hardware addresses on the local network, so that
@@ -344,7 +339,6 @@ config ARPD
 config SYN_COOKIES
        bool "IP: TCP syncookie support (disabled per default)"
-        depends on INET
        ---help---
          Normal TCP/IP networking is open to an attack known as "SYN
          flooding". This denial-of-service attack prevents legitimate remote
@@ -381,7 +375,6 @@ config SYN_COOKIES
 config INET_AH
        tristate "IP: AH transformation"
-        depends on INET
        select XFRM
        select CRYPTO
        select CRYPTO_HMAC
@@ -394,7 +387,6 @@ config INET_AH
 config INET_ESP
        tristate "IP: ESP transformation"
-        depends on INET
        select XFRM
        select CRYPTO
        select CRYPTO_HMAC
@@ -408,7 +400,6 @@ config INET_ESP
 config INET_IPCOMP
        tristate "IP: IPComp transformation"
-        depends on INET
        select XFRM
        select INET_TUNNEL
        select CRYPTO
@@ -421,7 +412,6 @@ config INET_IPCOMP
 config INET_TUNNEL
        tristate "IP: tunnel transformation"
-        depends on INET
        select XFRM
        ---help---
          Support for generic IP tunnel transformation, which is required by
@@ -431,7 +421,6 @@ config INET_TUNNEL
 config IP_TCPDIAG
        tristate "IP: TCP socket monitoring interface"
-        depends on INET
        default y
        ---help---
          Support for TCP socket monitoring interface used by native Linux
@@ -447,7 +436,6 @@ config IP_TCPDIAG_IPV6
 config TCP_CONG_ADVANCED
        bool "TCP: advanced congestion control"
-        depends on INET
        ---help---
          Support for selection of various TCP congestion control
          modules.
@@ -463,7 +451,6 @@ menu "TCP congestion control"
 config TCP_CONG_BIC
        tristate "Binary Increase Congestion (BIC) control"
-        depends on INET
        default y
        ---help---
        BIC-TCP is a sender-side only change that ensures a linear RTT
@@ -478,7 +465,6 @@ config TCP_CONG_BIC
 config TCP_CONG_WESTWOOD
        tristate "TCP Westwood+"
-        depends on INET
        default m
        ---help---
        TCP Westwood+ is a sender-side only modification of the TCP Reno
@@ -493,7 +479,6 @@ config TCP_CONG_WESTWOOD
 config TCP_CONG_HTCP
        tristate "H-TCP"
-        depends on INET
        default m
        ---help---
        H-TCP is a send-side only modifications of the TCP Reno
@@ -505,7 +490,7 @@ config TCP_CONG_HTCP
 config TCP_CONG_HSTCP
        tristate "High Speed TCP"
-        depends on INET && EXPERIMENTAL
+        depends on EXPERIMENTAL
        default n
        ---help---
        Sally Floyd's High Speed TCP (RFC 3649) congestion control.
@@ -516,7 +501,7 @@ config TCP_CONG_HSTCP
 config TCP_CONG_HYBLA
        tristate "TCP-Hybla congestion control algorithm"
-        depends on INET && EXPERIMENTAL
+        depends on EXPERIMENTAL
        default n
        ---help---
        TCP-Hybla is a sender-side only change that eliminates penalization of
@@ -526,7 +511,7 @@ config TCP_CONG_HYBLA
 config TCP_CONG_VEGAS
        tristate "TCP Vegas"
-        depends on INET && EXPERIMENTAL
+        depends on EXPERIMENTAL
        default n
        ---help---
        TCP Vegas is a sender-side only change to TCP that anticipates
@@ -537,7 +522,7 @@ config TCP_CONG_VEGAS
 config TCP_CONG_SCALABLE
        tristate "Scalable TCP"
-        depends on INET && EXPERIMENTAL
+        depends on EXPERIMENTAL
        default n
        ---help---
        Scalable TCP is a sender-side only change to TCP which uses a
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 9de83e6e0f..80d13103b2 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -107,7 +107,6 @@ static int ip_dev_loopback_xmit(struct sk_buff *newskb)
        newskb->pkt_type = PACKET_LOOPBACK;
        newskb->ip_summed = CHECKSUM_UNNECESSARY;
        BUG_TRAP(newskb->dst);
-        nf_reset(newskb);
        netif_rx(newskb);
        return 0;
 }
@@ -188,14 +187,6 @@ static inline int ip_finish_output2(struct sk_buff *skb)
                skb = skb2;
        }
-#ifdef CONFIG_BRIDGE_NETFILTER
-        /* bridge-netfilter defers calling some IP hooks to the bridge layer
-         * and still needs the conntrack reference.
-         */
-        if (skb->nf_bridge == NULL)
-#endif
-                nf_reset(skb);
        if (hh) {
                int hh_alen;
diff --git a/net/ipv4/ipvs/Kconfig b/net/ipv4/ipvs/Kconfig
index 63a82b4b64..c9820bfc49 100644
--- a/net/ipv4/ipvs/Kconfig
+++ b/net/ipv4/ipvs/Kconfig
@@ -2,11 +2,11 @@
 # IP Virtual Server configuration
 #
 menu    "IP: Virtual Server Configuration"
-        depends on INET && NETFILTER
+        depends on NETFILTER
 config  IP_VS
        tristate "IP virtual server support (EXPERIMENTAL)"
-        depends on INET && NETFILTER
+        depends on NETFILTER
        ---help---
          IP Virtual Server support will let you build a high-performance
          virtual server based on cluster of two or more real servers. This
diff --git a/net/ipv4/ipvs/ip_vs_conn.c b/net/ipv4/ipvs/ip_vs_conn.c
index 9f16ab3091..d0145a8b15 100644
--- a/net/ipv4/ipvs/ip_vs_conn.c
+++ b/net/ipv4/ipvs/ip_vs_conn.c
@@ -758,7 +758,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
        return 1;
 }
+/* Called from keventd and must protect itself from softirqs */
 void ip_vs_random_dropentry(void)
 {
        int idx;
@@ -773,7 +773,7 @@ void ip_vs_random_dropentry(void)
                /*
                 *  Lock is actually needed in this loop.
                 */
-                ct_write_lock(hash);
+                ct_write_lock_bh(hash);
                list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
                        if (!cp->cport && !(cp->flags & IP_VS_CONN_F_NO_CPORT))
@@ -806,7 +806,7 @@ void ip_vs_random_dropentry(void)
                                ip_vs_conn_expire_now(cp->control);
                        }
                }
-                ct_write_unlock(hash);
+                ct_write_unlock_bh(hash);
        }
 }
diff --git a/net/ipv4/ipvs/ip_vs_ctl.c b/net/ipv4/ipvs/ip_vs_ctl.c
index 12a82e91d2..7d99ede2ef 100644
--- a/net/ipv4/ipvs/ip_vs_ctl.c
+++ b/net/ipv4/ipvs/ip_vs_ctl.c
@@ -90,7 +90,8 @@ int ip_vs_get_debug_level(void)
 #endif
 /*
- *      update_defense_level is called from keventd and from sysctl.
+ *      update_defense_level is called from keventd and from sysctl,
+ *      so it needs to protect itself from softirqs
 */
 static void update_defense_level(void)
 {
@@ -110,6 +111,8 @@ static void update_defense_level(void)
        nomem = (availmem < sysctl_ip_vs_amemthresh);
+        local_bh_disable();
        /* drop_entry */
        spin_lock(&__ip_vs_dropentry_lock);
        switch (sysctl_ip_vs_drop_entry) {
@@ -206,6 +209,8 @@ static void update_defense_level(void)
        if (to_change >= 0)
                ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);
        write_unlock(&__ip_vs_securetcp_lock);
+        local_bh_enable();
 }
@@ -1360,9 +1365,7 @@ proc_do_defense_mode(ctl_table *table, int write, struct file * filp,
                        /* Restore the correct value */
                        *valp = val;
                } else {
-                        local_bh_disable();
                        update_defense_level();
-                        local_bh_enable();
                }
        }
        return rc;
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 42dc951028..1dd824f3cf 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -432,6 +432,13 @@ static unsigned int ip_conntrack_defrag(unsigned int hooknum,
                                        const struct net_device *out,
                                        int (*okfn)(struct sk_buff *))
 {
+#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
+        /* Previously seen (loopback)?  Ignore.  Do this before
+           fragment check. */
+        if ((*pskb)->nfct)
+                return NF_ACCEPT;
+#endif
        /* Gather fragments. */
        if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
                *pskb = ip_ct_gather_frags(*pskb,
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 726ea5e818..d675ff80b0 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1685,7 +1685,7 @@ static void ip_handle_martian_source(struct net_device *dev,
                printk(KERN_WARNING "martian source %u.%u.%u.%u from "
                        "%u.%u.%u.%u, on dev %s\n",
                        NIPQUAD(daddr), NIPQUAD(saddr), dev->name);
-                if (dev->hard_header_len) {
+                if (dev->hard_header_len && skb->mac.raw) {
                        int i;
                        unsigned char *p = skb->mac.raw;
                        printk(KERN_WARNING "ll header: ");
author	Tony Luck <tony.luck@intel.com>	2005-07-13 15:15:43 -0400
committer	Tony Luck <tony.luck@intel.com>	2005-07-13 15:15:43 -0400
commit	99ad25a313bda566a346b46a6015afa65bc0a02b (patch)
tree	b9443fed1ab74f320c4ee0791864ee96d7c069df /net/ipv4
parent	f62c4a96f74d6c6dd56d1742697e94a5c2085e87 (diff)
parent	9a556e89081b0c1c2f83cee915363b15a68a6f2d (diff)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index 3e63123f7b..df5386885a 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig
@@ -3,7 +3,6 @@
3	#	3	#
4	config IP_MULTICAST	4	config IP_MULTICAST
5	bool "IP: multicasting"	5	bool "IP: multicasting"
6	depends on INET
7	help	6	help
8	This is code for addressing several networked computers at once,	7	This is code for addressing several networked computers at once,
9	enlarging your kernel by about 2 KB. You need multicasting if you	8	enlarging your kernel by about 2 KB. You need multicasting if you
@@ -17,7 +16,6 @@ config IP_MULTICAST
17		16
18	config IP_ADVANCED_ROUTER	17	config IP_ADVANCED_ROUTER
19	bool "IP: advanced router"	18	bool "IP: advanced router"
20	depends on INET
21	---help---	19	---help---
22	If you intend to run your Linux box mostly as a router, i.e. as a	20	If you intend to run your Linux box mostly as a router, i.e. as a
23	computer that forwards and redistributes network packets, say Y; you	21	computer that forwards and redistributes network packets, say Y; you
@@ -183,7 +181,6 @@ config IP_ROUTE_VERBOSE
183		181
184	config IP_PNP	182	config IP_PNP
185	bool "IP: kernel level autoconfiguration"	183	bool "IP: kernel level autoconfiguration"
186	depends on INET
187	help	184	help
188	This enables automatic configuration of IP addresses of devices and	185	This enables automatic configuration of IP addresses of devices and
189	of the routing table during kernel boot, based on either information	186	of the routing table during kernel boot, based on either information
@@ -242,7 +239,6 @@ config IP_PNP_RARP
242	# bool ' IP: ARP support' CONFIG_IP_PNP_ARP	239	# bool ' IP: ARP support' CONFIG_IP_PNP_ARP
243	config NET_IPIP	240	config NET_IPIP
244	tristate "IP: tunneling"	241	tristate "IP: tunneling"
245	depends on INET
246	select INET_TUNNEL	242	select INET_TUNNEL
247	---help---	243	---help---
248	Tunneling means encapsulating data of one protocol type within	244	Tunneling means encapsulating data of one protocol type within
@@ -260,7 +256,6 @@ config NET_IPIP
260		256
261	config NET_IPGRE	257	config NET_IPGRE
262	tristate "IP: GRE tunnels over IP"	258	tristate "IP: GRE tunnels over IP"
263	depends on INET
264	select XFRM	259	select XFRM
265	help	260	help
266	Tunneling means encapsulating data of one protocol type within	261	Tunneling means encapsulating data of one protocol type within
@@ -319,7 +314,7 @@ config IP_PIMSM_V2
319		314
320	config ARPD	315	config ARPD
321	bool "IP: ARP daemon support (EXPERIMENTAL)"	316	bool "IP: ARP daemon support (EXPERIMENTAL)"
322	depends on INET && EXPERIMENTAL	317	depends on EXPERIMENTAL
323	---help---	318	---help---
324	Normally, the kernel maintains an internal cache which maps IP	319	Normally, the kernel maintains an internal cache which maps IP
325	addresses to hardware addresses on the local network, so that	320	addresses to hardware addresses on the local network, so that
@@ -344,7 +339,6 @@ config ARPD
344		339
345	config SYN_COOKIES	340	config SYN_COOKIES
346	bool "IP: TCP syncookie support (disabled per default)"	341	bool "IP: TCP syncookie support (disabled per default)"
347	depends on INET
348	---help---	342	---help---
349	Normal TCP/IP networking is open to an attack known as "SYN	343	Normal TCP/IP networking is open to an attack known as "SYN
350	flooding". This denial-of-service attack prevents legitimate remote	344	flooding". This denial-of-service attack prevents legitimate remote
@@ -381,7 +375,6 @@ config SYN_COOKIES
381		375
382	config INET_AH	376	config INET_AH
383	tristate "IP: AH transformation"	377	tristate "IP: AH transformation"
384	depends on INET
385	select XFRM	378	select XFRM
386	select CRYPTO	379	select CRYPTO
387	select CRYPTO_HMAC	380	select CRYPTO_HMAC
@@ -394,7 +387,6 @@ config INET_AH
394		387
395	config INET_ESP	388	config INET_ESP
396	tristate "IP: ESP transformation"	389	tristate "IP: ESP transformation"
397	depends on INET
398	select XFRM	390	select XFRM
399	select CRYPTO	391	select CRYPTO
400	select CRYPTO_HMAC	392	select CRYPTO_HMAC
@@ -408,7 +400,6 @@ config INET_ESP
408		400
409	config INET_IPCOMP	401	config INET_IPCOMP
410	tristate "IP: IPComp transformation"	402	tristate "IP: IPComp transformation"
411	depends on INET
412	select XFRM	403	select XFRM
413	select INET_TUNNEL	404	select INET_TUNNEL
414	select CRYPTO	405	select CRYPTO
@@ -421,7 +412,6 @@ config INET_IPCOMP
421		412
422	config INET_TUNNEL	413	config INET_TUNNEL
423	tristate "IP: tunnel transformation"	414	tristate "IP: tunnel transformation"
424	depends on INET
425	select XFRM	415	select XFRM
426	---help---	416	---help---
427	Support for generic IP tunnel transformation, which is required by	417	Support for generic IP tunnel transformation, which is required by
@@ -431,7 +421,6 @@ config INET_TUNNEL
431		421
432	config IP_TCPDIAG	422	config IP_TCPDIAG
433	tristate "IP: TCP socket monitoring interface"	423	tristate "IP: TCP socket monitoring interface"
434	depends on INET
435	default y	424	default y
436	---help---	425	---help---
437	Support for TCP socket monitoring interface used by native Linux	426	Support for TCP socket monitoring interface used by native Linux
@@ -447,7 +436,6 @@ config IP_TCPDIAG_IPV6
447		436
448	config TCP_CONG_ADVANCED	437	config TCP_CONG_ADVANCED
449	bool "TCP: advanced congestion control"	438	bool "TCP: advanced congestion control"
450	depends on INET
451	---help---	439	---help---
452	Support for selection of various TCP congestion control	440	Support for selection of various TCP congestion control
453	modules.	441	modules.
@@ -463,7 +451,6 @@ menu "TCP congestion control"
463		451
464	config TCP_CONG_BIC	452	config TCP_CONG_BIC
465	tristate "Binary Increase Congestion (BIC) control"	453	tristate "Binary Increase Congestion (BIC) control"
466	depends on INET
467	default y	454	default y
468	---help---	455	---help---
469	BIC-TCP is a sender-side only change that ensures a linear RTT	456	BIC-TCP is a sender-side only change that ensures a linear RTT
@@ -478,7 +465,6 @@ config TCP_CONG_BIC
478		465
479	config TCP_CONG_WESTWOOD	466	config TCP_CONG_WESTWOOD
480	tristate "TCP Westwood+"	467	tristate "TCP Westwood+"
481	depends on INET
482	default m	468	default m
483	---help---	469	---help---
484	TCP Westwood+ is a sender-side only modification of the TCP Reno	470	TCP Westwood+ is a sender-side only modification of the TCP Reno
@@ -493,7 +479,6 @@ config TCP_CONG_WESTWOOD
493		479
494	config TCP_CONG_HTCP	480	config TCP_CONG_HTCP
495	tristate "H-TCP"	481	tristate "H-TCP"
496	depends on INET
497	default m	482	default m
498	---help---	483	---help---
499	H-TCP is a send-side only modifications of the TCP Reno	484	H-TCP is a send-side only modifications of the TCP Reno
@@ -505,7 +490,7 @@ config TCP_CONG_HTCP
505		490
506	config TCP_CONG_HSTCP	491	config TCP_CONG_HSTCP
507	tristate "High Speed TCP"	492	tristate "High Speed TCP"
508	depends on INET && EXPERIMENTAL	493	depends on EXPERIMENTAL
509	default n	494	default n
510	---help---	495	---help---
511	Sally Floyd's High Speed TCP (RFC 3649) congestion control.	496	Sally Floyd's High Speed TCP (RFC 3649) congestion control.
@@ -516,7 +501,7 @@ config TCP_CONG_HSTCP
516		501
517	config TCP_CONG_HYBLA	502	config TCP_CONG_HYBLA
518	tristate "TCP-Hybla congestion control algorithm"	503	tristate "TCP-Hybla congestion control algorithm"
519	depends on INET && EXPERIMENTAL	504	depends on EXPERIMENTAL
520	default n	505	default n
521	---help---	506	---help---
522	TCP-Hybla is a sender-side only change that eliminates penalization of	507	TCP-Hybla is a sender-side only change that eliminates penalization of
@@ -526,7 +511,7 @@ config TCP_CONG_HYBLA
526		511
527	config TCP_CONG_VEGAS	512	config TCP_CONG_VEGAS
528	tristate "TCP Vegas"	513	tristate "TCP Vegas"
529	depends on INET && EXPERIMENTAL	514	depends on EXPERIMENTAL
530	default n	515	default n
531	---help---	516	---help---
532	TCP Vegas is a sender-side only change to TCP that anticipates	517	TCP Vegas is a sender-side only change to TCP that anticipates
@@ -537,7 +522,7 @@ config TCP_CONG_VEGAS
537		522
538	config TCP_CONG_SCALABLE	523	config TCP_CONG_SCALABLE
539	tristate "Scalable TCP"	524	tristate "Scalable TCP"
540	depends on INET && EXPERIMENTAL	525	depends on EXPERIMENTAL
541	default n	526	default n
542	---help---	527	---help---
543	Scalable TCP is a sender-side only change to TCP which uses a	528	Scalable TCP is a sender-side only change to TCP which uses a


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 9de83e6e0f..80d13103b2 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c
@@ -107,7 +107,6 @@ static int ip_dev_loopback_xmit(struct sk_buff *newskb)
107	newskb->pkt_type = PACKET_LOOPBACK;	107	newskb->pkt_type = PACKET_LOOPBACK;
108	newskb->ip_summed = CHECKSUM_UNNECESSARY;	108	newskb->ip_summed = CHECKSUM_UNNECESSARY;
109	BUG_TRAP(newskb->dst);	109	BUG_TRAP(newskb->dst);
110	nf_reset(newskb);
111	netif_rx(newskb);	110	netif_rx(newskb);
112	return 0;	111	return 0;
113	}	112	}
@@ -188,14 +187,6 @@ static inline int ip_finish_output2(struct sk_buff *skb)
188	skb = skb2;	187	skb = skb2;
189	}	188	}
190		189
191	#ifdef CONFIG_BRIDGE_NETFILTER
192	/* bridge-netfilter defers calling some IP hooks to the bridge layer
193	* and still needs the conntrack reference.
194	*/
195	if (skb->nf_bridge == NULL)
196	#endif
197	nf_reset(skb);
198
199	if (hh) {	190	if (hh) {
200	int hh_alen;	191	int hh_alen;
201		192


diff --git a/net/ipv4/ipvs/Kconfig b/net/ipv4/ipvs/Kconfig index 63a82b4b64..c9820bfc49 100644 --- a/net/ipv4/ipvs/Kconfig +++ b/net/ipv4/ipvs/Kconfig
@@ -2,11 +2,11 @@
2	# IP Virtual Server configuration	2	# IP Virtual Server configuration
3	#	3	#
4	menu "IP: Virtual Server Configuration"	4	menu "IP: Virtual Server Configuration"
5	depends on INET && NETFILTER	5	depends on NETFILTER
6		6
7	config IP_VS	7	config IP_VS
8	tristate "IP virtual server support (EXPERIMENTAL)"	8	tristate "IP virtual server support (EXPERIMENTAL)"
9	depends on INET && NETFILTER	9	depends on NETFILTER
10	---help---	10	---help---
11	IP Virtual Server support will let you build a high-performance	11	IP Virtual Server support will let you build a high-performance
12	virtual server based on cluster of two or more real servers. This	12	virtual server based on cluster of two or more real servers. This


diff --git a/net/ipv4/ipvs/ip_vs_conn.c b/net/ipv4/ipvs/ip_vs_conn.c index 9f16ab3091..d0145a8b15 100644 --- a/net/ipv4/ipvs/ip_vs_conn.c +++ b/net/ipv4/ipvs/ip_vs_conn.c
@@ -758,7 +758,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
758	return 1;	758	return 1;
759	}	759	}
760		760
761		761	/* Called from keventd and must protect itself from softirqs */
762	void ip_vs_random_dropentry(void)	762	void ip_vs_random_dropentry(void)
763	{	763	{
764	int idx;	764	int idx;
@@ -773,7 +773,7 @@ void ip_vs_random_dropentry(void)
773	/*	773	/*
774	* Lock is actually needed in this loop.	774	* Lock is actually needed in this loop.
775	*/	775	*/
776	ct_write_lock(hash);	776	ct_write_lock_bh(hash);
777		777
778	list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {	778	list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
779	if (!cp->cport && !(cp->flags & IP_VS_CONN_F_NO_CPORT))	779	if (!cp->cport && !(cp->flags & IP_VS_CONN_F_NO_CPORT))
@@ -806,7 +806,7 @@ void ip_vs_random_dropentry(void)
806	ip_vs_conn_expire_now(cp->control);	806	ip_vs_conn_expire_now(cp->control);
807	}	807	}
808	}	808	}
809	ct_write_unlock(hash);	809	ct_write_unlock_bh(hash);
810	}	810	}
811	}	811	}
812		812


diff --git a/net/ipv4/ipvs/ip_vs_ctl.c b/net/ipv4/ipvs/ip_vs_ctl.c index 12a82e91d2..7d99ede2ef 100644 --- a/net/ipv4/ipvs/ip_vs_ctl.c +++ b/net/ipv4/ipvs/ip_vs_ctl.c
@@ -90,7 +90,8 @@ int ip_vs_get_debug_level(void)
90	#endif	90	#endif
91		91
92	/*	92	/*
93	* update_defense_level is called from keventd and from sysctl.	93	* update_defense_level is called from keventd and from sysctl,
		94	* so it needs to protect itself from softirqs
94	*/	95	*/
95	static void update_defense_level(void)	96	static void update_defense_level(void)
96	{	97	{
@@ -110,6 +111,8 @@ static void update_defense_level(void)
110		111
111	nomem = (availmem < sysctl_ip_vs_amemthresh);	112	nomem = (availmem < sysctl_ip_vs_amemthresh);
112		113
		114	local_bh_disable();
		115
113	/* drop_entry */	116	/* drop_entry */
114	spin_lock(&__ip_vs_dropentry_lock);	117	spin_lock(&__ip_vs_dropentry_lock);
115	switch (sysctl_ip_vs_drop_entry) {	118	switch (sysctl_ip_vs_drop_entry) {
@@ -206,6 +209,8 @@ static void update_defense_level(void)
206	if (to_change >= 0)	209	if (to_change >= 0)
207	ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);	210	ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);
208	write_unlock(&__ip_vs_securetcp_lock);	211	write_unlock(&__ip_vs_securetcp_lock);
		212
		213	local_bh_enable();
209	}	214	}
210		215
211		216
@@ -1360,9 +1365,7 @@ proc_do_defense_mode(ctl_table table, int write, struct file filp,
1360	/* Restore the correct value */	1365	/* Restore the correct value */
1361	*valp = val;	1366	*valp = val;
1362	} else {	1367	} else {
1363	local_bh_disable();
1364	update_defense_level();	1368	update_defense_level();
1365	local_bh_enable();
1366	}	1369	}
1367	}	1370	}
1368	return rc;	1371	return rc;


diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index 42dc951028..1dd824f3cf 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -432,6 +432,13 @@ static unsigned int ip_conntrack_defrag(unsigned int hooknum,
432	const struct net_device *out,	432	const struct net_device *out,
433	int (okfn)(struct sk_buff ))	433	int (okfn)(struct sk_buff ))
434	{	434	{
		435	#if !defined(CONFIG_IP_NF_NAT) && !defined(CONFIG_IP_NF_NAT_MODULE)
		436	/* Previously seen (loopback)? Ignore. Do this before
		437	fragment check. */
		438	if ((*pskb)->nfct)
		439	return NF_ACCEPT;
		440	#endif
		441
435	/* Gather fragments. */	442	/* Gather fragments. */
436	if ((*pskb)->nh.iph->frag_off & htons(IP_MF\|IP_OFFSET)) {	443	if ((*pskb)->nh.iph->frag_off & htons(IP_MF\|IP_OFFSET)) {
437	pskb = ip_ct_gather_frags(pskb,	444	pskb = ip_ct_gather_frags(pskb,


diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 726ea5e818..d675ff80b0 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c
@@ -1685,7 +1685,7 @@ static void ip_handle_martian_source(struct net_device *dev,
1685	printk(KERN_WARNING "martian source %u.%u.%u.%u from "	1685	printk(KERN_WARNING "martian source %u.%u.%u.%u from "
1686	"%u.%u.%u.%u, on dev %s\n",	1686	"%u.%u.%u.%u, on dev %s\n",
1687	NIPQUAD(daddr), NIPQUAD(saddr), dev->name);	1687	NIPQUAD(daddr), NIPQUAD(saddr), dev->name);
1688	if (dev->hard_header_len) {	1688	if (dev->hard_header_len && skb->mac.raw) {
1689	int i;	1689	int i;
1690	unsigned char *p = skb->mac.raw;	1690	unsigned char *p = skb->mac.raw;
1691	printk(KERN_WARNING "ll header: ");	1691	printk(KERN_WARNING "ll header: ");