1. 10 Jul, 2012 1 commit
  2. 28 Jun, 2012 1 commit
  3. 27 Jun, 2012 2 commits
    • Revert "ipv4: tcp: dont cache unconfirmed intput dst" · c10237e0
      David S. Miller authored
      This reverts commit c074da28.
      
      This change has several unwanted side effects:
      
      1) Sockets will cache the DST_NOCACHE route in sk->sk_rx_dst and we'll
         thus never create a real cached route.
      
      2) All TCP traffic will use DST_NOCACHE and never use the routing
         cache at all.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: tcp: dont cache unconfirmed intput dst · c074da28
      Eric Dumazet authored
      DDoS synflood attacks hit the IP route cache badly.
      
      On typical machines, this cache is allowed to hold up to 8 million dst
      entries, 256 bytes each, for a total of 2GB of memory.
      
      rt_garbage_collect() triggers and tries to clean things up.
      
      Eventually the route cache is disabled, but the machine is under fire and
      might OOM and crash.
      
      This patch exploits the new TCP early demux to set a nocache
      boolean in case the incoming TCP frame is for a socket that is not yet
      ESTABLISHED or TIMEWAIT.
      
      This 'nocache' boolean is then used, in case the dst entry is not found in
      the route cache, to create an unhashed dst entry (DST_NOCACHE).
      
      SYN-cookie ACKs sent use a similar mechanism (ipv4: tcp: dont cache
      output dst for syncookies), so after this patch, a machine is able to
      absorb a DDoS synflood attack without polluting its IP route cache.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
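The failure mode Eric describes, as an added example that is not part of the commit or of the kernel: a toy per-flow route cache in C, fed eight established flows and then a flood of SYNs from distinct spoofed sources. With one hashed entry per lookup miss the cache grows by one entry per SYN until it hits its cap; with the nocache decision (no hashed dst for a segment that is not for an ESTABLISHED or TIMEWAIT socket) only the real flows are ever hashed. The struct names, CACHE_MAX and the traffic are this example's assumptions; it models only the input-path decision, not the sk_rx_dst side effects the revert above records.

```c
/*
 * Added example, not kernel code: a toy per-flow route cache showing why one
 * hashed entry per lookup miss lets a spoofed-source SYN flood grow the cache
 * by one entry per packet, and how a nocache policy for unconfirmed sockets
 * bounds it by the number of real flows. Names and traffic are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum sock_state { TCP_LISTEN, TCP_ESTABLISHED, TCP_TIME_WAIT };
struct flow_key { uint32_t saddr, daddr; };

#define CACHE_MAX 4096 /* stand-in for the cache limit; the kernel runs rt_garbage_collect() here */

struct route_cache {
    struct flow_key hashed[CACHE_MAX]; /* entries findable by later lookups */
    size_t n_hashed;
    size_t n_nocache;                  /* DST_NOCACHE-style entries: used once, never hashed */
};

static int lookup(const struct route_cache *rc, struct flow_key k)
{
    for (size_t i = 0; i < rc->n_hashed; i++)
        if (rc->hashed[i].saddr == k.saddr && rc->hashed[i].daddr == k.daddr)
            return 1;
    return 0;
}

/* The early-demux decision: only a confirmed socket earns a hashed dst. */
static int should_cache(enum sock_state st)
{
    return st == TCP_ESTABLISHED || st == TCP_TIME_WAIT;
}

static void route_input(struct route_cache *rc, struct flow_key k, enum sock_state st, int nocache_policy)
{
    if (lookup(rc, k))
        return;
    if (nocache_policy && !should_cache(st)) {
        rc->n_nocache++;               /* allocated for this packet only, never inserted */
        return;
    }
    if (rc->n_hashed < CACHE_MAX)
        rc->hashed[rc->n_hashed++] = k;
}

/* 8 established flows from 192.168.0.x, then n_syn SYNs to a LISTEN socket, each from a new spoofed source. */
static void simulate(int nocache_policy, uint32_t n_syn, size_t *n_hashed, size_t *n_nocache)
{
    static struct route_cache rc;
    const uint32_t victim = 0x0a000001u;   /* 10.0.0.1, constructed */
    memset(&rc, 0, sizeof rc);
    for (uint32_t i = 0; i < 8; i++)
        route_input(&rc, (struct flow_key){ 0xc0a80000u + i, victim }, TCP_ESTABLISHED, nocache_policy);
    for (uint32_t i = 0; i < n_syn; i++)
        route_input(&rc, (struct flow_key){ 0x01000000u + i, victim }, TCP_LISTEN, nocache_policy);
    *n_hashed = rc.n_hashed;
    *n_nocache = rc.n_nocache;
}

static size_t hashed_after_flood(int nocache_policy, uint32_t n_syn)
{
    size_t h, n; simulate(nocache_policy, n_syn, &h, &n); return h;
}

static size_t nocache_after_flood(int nocache_policy, uint32_t n_syn)
{
    size_t h, n; simulate(nocache_policy, n_syn, &h, &n); return n;
}

int main(void)
{
    printf("cache everything: %zu hashed entries after 5000 spoofed SYNs (cap %d)\n",
           hashed_after_flood(0, 5000), CACHE_MAX);
    printf("nocache policy:   %zu hashed, %zu unhashed\n",
           hashed_after_flood(1, 5000), nocache_after_flood(1, 5000));
    return 0;
}
```

The general point is independent of the route cache: any per-flow state keyed on an unauthenticated source address lets a sender with spoofed sources choose how many entries to create, so the state a packet earns has to be decided by how far the flow has been confirmed, not by its arrival.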
  4. 14 Jun, 2012 1 commit
    • ipv4: Handle PMTU in all ICMP error handlers. · 36393395
      David S. Miller authored
      With ip_rt_frag_needed() removed, we have to explicitly update PMTU
      information in every ICMP error handler.
      
      Create two helper functions to facilitate this.
      
      1) ipv4_sk_update_pmtu()
      
         This updates the PMTU when we have a socket context to
         work with.
      
      2) ipv4_update_pmtu()
      
         Raw version, used when no socket context is available.  For this
         interface, we essentially just pass in explicit arguments for
         the flow identity information we would have extracted from the
         socket.
      
         And you'll notice that ipv4_sk_update_pmtu() is simply implemented
         in terms of ipv4_update_pmtu().
      
      Note that __ip_route_output_key() is used, rather than something like
      ip_route_output_flow() or ip_route_output_key().  This is because we
      absolutely do not want to end up with a route that does IPSEC
      encapsulation and the like.  Instead, we only want the route that
      would get us to the node described by the outermost IP header.
      Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 11 Jun, 2012 4 commits
    • inet: Fix BUG triggered by __rt{,6}_get_peer(). · 55afabaa
      David S. Miller authored
      If no peer actually gets attached (either because create is zero or
      the peer allocation fails) we'll trigger a BUG because we
      unconditionally do an rt{,6}_peer_ptr() afterwards.
      
      Fix this by guarding it with the proper check.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: Kill ip_rt_frag_needed(). · 46517008
      David S. Miller authored
      There is zero point to this function.
      
      Its only real substance is to perform an extremely outdated BSD4.2
      ICMP check, which we can safely remove.  If you really have an MTU-limited
      link being routed by a BSD4.2-derived system, here's a nickel, go buy
      yourself a real router.
      
      The other actions of ip_rt_frag_needed(), checking and conditionally
      updating the peer, are done by the per-protocol handlers of the ICMP
      event.
      
      TCP, UDP, et al. have a handler which will receive this event and
      transmit it back into the associated route via dst_ops->update_pmtu().
      
      This simplification is important, because it eliminates the one place
      where we do not have a proper route context in which to make an
      inetpeer lookup.
      Signed-off-by: David S. Miller <davem@davemloft.net>
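The two steps that this commit and "ipv4: Handle PMTU in all ICMP error handlers." above separate, as an added example in C that is not kernel code: a parser for an ICMP Destination Unreachable / Fragmentation Needed message that recovers the flow identity (addresses, protocol, ports) from the quoted inner header, which is what ipv4_update_pmtu() takes as explicit arguments and ipv4_sk_update_pmtu() would take from the socket, and an update step that applies the reported next-hop MTU only to a flow the host actually owns, clamps it to a floor, and refuses to guess when the field is zero instead of falling back to a BSD4.2-style heuristic. MIN_PMTU (552, assumed to mirror the net.ipv4.route.min_pmtu default), the function names and the constructed message are this example's assumptions.

```c
/*
 * Added example, not kernel code: extract the flow identity and next-hop MTU
 * from an ICMP type 3 / code 4 message, then update the PMTU of a flow we own.
 * MIN_PMTU, the names and the sample message are this example's assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_DEST_UNREACH 3
#define ICMP_FRAG_NEEDED  4
#define MIN_PMTU 552 /* assumption: the floor used by net.ipv4.route.min_pmtu by default */

struct flow4 { uint32_t saddr, daddr; uint8_t proto; uint16_t sport, dport; };
struct pmtu_entry { struct flow4 fl; uint32_t pmtu; }; /* stand-in for a socket's cached route */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* RFC 1071 one's-complement checksum; returns 0 over a message whose checksum field is valid. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += rd16(p);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 and fills fl/mtu for a well-formed fragmentation-needed message, negative otherwise. */
static int parse_frag_needed(const uint8_t *icmp, size_t len, struct flow4 *fl, uint32_t *mtu)
{
    if (len < 8 + 20 + 8) return -1;  /* ICMP header + inner IPv4 header + 8 bytes of transport */
    if (icmp[0] != ICMP_DEST_UNREACH || icmp[1] != ICMP_FRAG_NEEDED) return -2;
    if (inet_csum(icmp, len) != 0) return -3;
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return -4;
    fl->proto = ip[9];
    fl->saddr = rd32(ip + 12);
    fl->daddr = rd32(ip + 16);
    fl->sport = rd16(ip + ihl);        /* the quoted 8 transport bytes start with the ports */
    fl->dport = rd16(ip + ihl + 2);
    *mtu = rd16(icmp + 6);             /* RFC 1191 next-hop MTU field */
    if (*mtu == 0) return -5;          /* nothing reported: do not guess a plateau value */
    return 0;
}

/* The raw, socket-less step: explicit flow identity instead of a socket context. */
static int update_pmtu(struct pmtu_entry *tbl, size_t n, const struct flow4 *fl, uint32_t mtu)
{
    if (mtu < MIN_PMTU) mtu = MIN_PMTU;  /* clamp: a tiny reported MTU must not cripple the flow */
    for (size_t i = 0; i < n; i++) {
        struct pmtu_entry *e = &tbl[i];
        if (e->fl.saddr != fl->saddr || e->fl.daddr != fl->daddr || e->fl.proto != fl->proto ||
            e->fl.sport != fl->sport || e->fl.dport != fl->dport)
            continue;
        if (mtu >= e->pmtu) return 1;    /* not a reduction: nothing to do */
        e->pmtu = mtu;
        return 0;
    }
    return -6;                           /* no such flow: off-path or stale message, ignored */
}

/* Constructed sample: quoted header of a TCP segment 10.0.0.2:40000 -> 192.0.2.10:dport. */
static size_t build_frag_needed(uint8_t buf[36], uint16_t next_hop_mtu, uint16_t dport)
{
    static const uint8_t inner_ip[20] = { 0x45, 0x00, 0x05, 0xdc, 0x12, 0x34, 0x40, 0x00,
        0x40, 0x06, 0x00, 0x00, 10, 0, 0, 2, 192, 0, 2, 10 }; /* IHL 5, len 1500, DF, TTL 64, TCP */
    memset(buf, 0, 36);
    buf[0] = ICMP_DEST_UNREACH; buf[1] = ICMP_FRAG_NEEDED;
    buf[6] = (uint8_t)(next_hop_mtu >> 8); buf[7] = (uint8_t)next_hop_mtu;
    memcpy(buf + 8, inner_ip, 20);
    buf[28] = 40000 >> 8; buf[29] = 40000 & 0xff;
    buf[30] = (uint8_t)(dport >> 8); buf[31] = (uint8_t)dport;
    uint16_t c = inet_csum(buf, 36);
    buf[2] = (uint8_t)(c >> 8); buf[3] = (uint8_t)c;
    return 36;
}

/* Fresh table with only the demo flow (PMTU 1500). Returns the PMTU after an update,
 * 1 if the message was not a reduction, or the negative reject code. */
static long demo_pmtu_after(uint16_t reported_mtu, uint16_t dport, int corrupt_csum)
{
    struct pmtu_entry tbl[1] = { { { 0x0a000002u, 0xc000020au, 6, 40000, 443 }, 1500 } };
    struct flow4 fl; uint32_t mtu; uint8_t buf[36];
    size_t len = build_frag_needed(buf, reported_mtu, dport);
    if (corrupt_csum) buf[3] ^= 0x01;
    int rc = parse_frag_needed(buf, len, &fl, &mtu);
    if (rc == 0) rc = update_pmtu(tbl, 1, &fl, mtu);
    return rc == 0 ? (long)tbl[0].pmtu : rc;
}

int main(void)
{
    printf("1400 reported -> pmtu %ld\n", demo_pmtu_after(1400, 443, 0));
    printf("100 reported  -> pmtu %ld (clamped)\n", demo_pmtu_after(100, 443, 0));
    printf("unknown flow  -> rc %ld, bad csum -> rc %ld\n",
           demo_pmtu_after(1400, 80, 0), demo_pmtu_after(1400, 443, 1));
    return 0;
}
```

Matching on the full quoted 5-tuple is what limits an off-path sender: a forged message has to name a connection that exists, and the demo drops it outright when none does, just as the per-protocol handlers above only act on the socket or route they find. The clamp and the refusal to act on a zero MTU are the two remaining checks a practitioner should expect in any PMTU update path.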
    • inet: Hide route peer accesses behind helpers. · 97bab73f
      David S. Miller authored
      We encode the pointer(s) into an unsigned long with one state bit.
      
      The state bit is used so we can store the inetpeer tree root to use
      when resolving the peer later.
      
      Later the peer roots will be per-FIB table, and this change works to
      facilitate that.
      Signed-off-by: David S. Miller <davem@davemloft.net>
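The encoding this commit describes, together with the guard the "inet: Fix BUG triggered by __rt{,6}_get_peer()." commit above restores, as an added example in C that is not kernel code: a pointer and one state bit packed into an unsigned long, accessors that extract each, and a resolve-then-use path that dereferences the peer only when one was actually attached (create was non-zero and the allocation succeeded). peer_ref, struct peer, struct peer_root and the two toy roots are this example's constructions.

```c
/*
 * Added example, not kernel code: a pointer plus one state bit in an unsigned
 * long, with accessors, and a lookup that never dereferences an unattached peer.
 * peer_ref, struct peer, struct peer_root and the toy roots are constructed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct peer { uint32_t addr; unsigned refcnt; };        /* stand-in for an inetpeer */
struct peer_root { struct peer pool[4]; size_t used; };  /* stand-in for an inetpeer tree root */

typedef unsigned long peer_ref;
#define PEER_ROOT_BIT 1UL               /* state bit: which root to resolve the peer from */
#define PEER_PTR_MASK (~PEER_ROOT_BIT)

/* The low bit is only free because every struct peer address is at least 2-byte aligned. */
_Static_assert(_Alignof(struct peer) >= 2, "need a spare low pointer bit for the state");

static peer_ref peer_ref_make(struct peer *p, int root_id)
{
    uintptr_t v = (uintptr_t)p;
    if (v & PEER_ROOT_BIT) return 0;    /* misaligned pointer cannot be tagged; treat as "no peer" */
    return v | (root_id ? PEER_ROOT_BIT : 0);
}
static int peer_ref_root(peer_ref r) { return (int)(r & PEER_ROOT_BIT); }
static struct peer *peer_ref_ptr(peer_ref r) { return (struct peer *)(uintptr_t)(r & PEER_PTR_MASK); }
static int peer_ref_has_peer(peer_ref r) { return peer_ref_ptr(r) != NULL; }

/* Stand-in for inet_getpeer(): create==0 never allocates; the fixed pool models allocation failure. */
static struct peer *root_getpeer(struct peer_root *root, uint32_t addr, int create)
{
    for (size_t i = 0; i < root->used; i++)
        if (root->pool[i].addr == addr) return &root->pool[i];
    if (!create || root->used == 4) return NULL;
    root->pool[root->used] = (struct peer){ addr, 0 };
    return &root->pool[root->used++];
}

/* Resolve lazily, then use. Returns the refcount after the bump, or 0 when no peer got attached. */
static unsigned route_peer_hold(peer_ref *ref, struct peer_root roots[2], uint32_t addr, int create)
{
    if (!peer_ref_has_peer(*ref)) {
        int root_id = peer_ref_root(*ref);
        struct peer *p = root_getpeer(&roots[root_id], addr, create);
        if (!p) return 0;                          /* the guard: without it we dereference NULL */
        *ref = peer_ref_make(p, root_id);          /* keep the root bit next to the pointer */
    }
    return ++peer_ref_ptr(*ref)->refcnt;
}

/* Two holds of one address against empty (or pre-exhausted) roots; returns the second result. */
static unsigned demo_hold_twice(int create, int root_id, int exhausted)
{
    struct peer_root roots[2] = { 0 };
    roots[root_id].used = exhausted ? 4 : 0;
    peer_ref ref = peer_ref_make(NULL, root_id);   /* no peer yet, but remember which root to use */
    route_peer_hold(&ref, roots, 0x0a000001u, create);
    return route_peer_hold(&ref, roots, 0x0a000001u, create);
}

/* The root bit must survive attaching a real pointer; -1 means nothing was attached. */
static int demo_root_bit_after_attach(int root_id)
{
    struct peer_root roots[2] = { 0 };
    peer_ref ref = peer_ref_make(NULL, root_id);
    route_peer_hold(&ref, roots, 0x0a000001u, 1);
    return peer_ref_has_peer(ref) ? peer_ref_root(ref) : -1;
}

int main(void)
{
    printf("create=1: refcnt after two holds = %u\n", demo_hold_twice(1, 1, 0));
    printf("create=0: %u (no peer, no dereference)\n", demo_hold_twice(0, 1, 0));
    printf("pool exhausted: %u (allocation failed, no dereference)\n", demo_hold_twice(1, 0, 1));
    printf("root bit preserved: %d\n", demo_root_bit_after_attach(1));
    return 0;
}
```

The packing is sound only while the spare bit really is spare, which is why the static assertion ties it to the alignment of struct peer: if the stored object's alignment ever drops, the build fails instead of the root bit silently corrupting the pointer.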
    • net: Reorder initialization in ip_route_output to fix gcc warning · c5d21c4b
      Roland Dreier authored
      If I build with W=1, for every file that includes <net/route.h>, I get the warning
      
          include/net/route.h: In function 'ip_route_output':
          include/net/route.h:135:3: warning: initialized field overwritten [-Woverride-init]
          include/net/route.h:135:3: warning: (near initialization for 'fl4') [-Woverride-init]
      
      (This is with "gcc (Debian 4.6.3-1) 4.6.3")
      
      A fix seems pretty trivial: move the initialization of .flowi4_tos
      earlier.  As far as I can tell, this has no effect on code generation.
      Signed-off-by: Roland Dreier <roland@purestorage.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  6. 09 Jun, 2012 1 commit
  7. 15 Apr, 2012 1 commit
  8. 04 Feb, 2012 1 commit
    • ipv4: reset flowi parameters on route connect · e6b45241
      Julian Anastasov authored
      Eric Dumazet found that commit 813b3b5d
      (ipv4: Use caller's on-stack flowi as-is in output
      route lookups.), which comes in 3.0, added a regression.
      The problem appears to be that the resulting flowi4_oif is
      used incorrectly as an input parameter to some routing lookups.
      The result is that when connecting to a local port without a
      listener, if the IP address that is used is not on a loopback
      interface we incorrectly assign RTN_UNICAST to the output
      route because no route is matched by oif=lo. The RST packet
      cannot be sent immediately by tcp_v4_send_reset because
      it expects RTN_LOCAL.
      
      So, change ip_route_connect and ip_route_newports to
      update the flowi4 fields that are input parameters because
      we do not want unnecessary binding to oif.
      
      To make it clear which input parameters can be modified
      during lookup, and to show which fields of flowi4 are reused,
      add a new function to update the flowi4 structure:
      flowi4_update_output.
      
      Thanks to Yurij M. Plotnikov for providing a bug report including a
      program to reproduce the problem.
      
      Thanks to Eric Dumazet for tracking the problem down to
      tcp_v4_send_reset and providing initial fix.
      Reported-by: Yurij M. Plotnikov <Yurij.Plotnikov@oktetlabs.ru>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  9. 26 Nov, 2011 1 commit
  10. 18 May, 2011 2 commits
  11. 13 May, 2011 1 commit
  12. 04 May, 2011 1 commit
  13. 03 May, 2011 2 commits
  14. 29 Apr, 2011 1 commit
  15. 28 Apr, 2011 1 commit
  16. 27 Apr, 2011 2 commits
    • ipv4: Kill RTO_CONN. · b678027c
      David S. Miller authored
      It's not used by anything in the kernel, and defined in net/route.h so
      never exported to userspace.
      
      Therefore we can safely remove it.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: Sanitize and simplify ip_route_{connect,newports}() · 2d7192d6
      David S. Miller authored
      These functions are used together as a unit for route resolution
      during connect().  They address the chicken-and-egg problem that
      exists when ports need to be allocated during connect() processing,
      yet such port allocations require addressing information from the
      routing code.
      
      It's currently more heavy handed than it needs to be, and in
      particular we allocate and initialize a flow object twice.
      
      Let the callers provide the on-stack flow object.  That way we only
      need to initialize it once in the ip_route_connect() call.
      
      Later, if ip_route_newports() needs to do anything, it re-uses that
      flow object as-is except for the ports which it updates before the
      route re-lookup.
      
      Also, describe why this set of facilities is needed and how it works
      in a big comment.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com>
  17. 24 Apr, 2011 1 commit
  18. 22 Apr, 2011 1 commit
  19. 07 Apr, 2011 1 commit
  20. 31 Mar, 2011 1 commit
  21. 25 Mar, 2011 1 commit
  22. 22 Mar, 2011 1 commit
    • ipv4: fix route deletion for IPs on many subnets · e6abbaa2
      Julian Anastasov authored
      Alex Sidorenko reported problems with local
      routes left behind after IP addresses are deleted. It happens
      when the same IPs are used in more than one subnet for the
      device.
      
      Fix fib_del_ifaddr to restrict the checks for duplicate
      local and broadcast addresses only to the IFAs that use
      our primary IFA or another primary IFA with the same address.
      And we expect the prefsrc to be matched when the routes
      are deleted because it is possible for them to differ only by
      prefsrc. This patch prevents local and broadcast routes
      from being leaked until their primary IP is finally deleted
      from the box.
      
      As the secondary address promotion needs to delete
      the routes for all secondaries that used the old primary IFA,
      add an option to ignore these secondaries in the checks and
      to assume they are already deleted, so that we can safely
      delete the route while these IFAs are still on the device list.
      Reported-by: Alex Sidorenko <alexandre.sidorenko@hp.com>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  23. 12 Mar, 2011 5 commits
  24. 04 Mar, 2011 2 commits
  25. 02 Mar, 2011 2 commits
  26. 01 Mar, 2011 2 commits