#
38a424e4 |
| 30-Jun-2012 |
David Miller <davem@davemloft.net> |
ipv4: Kill ip_route_input_noref().
The "noref" argument to ip_route_input_common() is now always ignored because we do not cache routes, and in that case we must always grab a reference to the resulting 'dst'.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
89aef892 |
| 17-Jul-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Delete routing cache.
The ipv4 routing cache is non-deterministic, performance wise, and is subject to reasonably easy to launch denial of service attacks.
The routing cache works great for well behaved traffic, and the world was a much friendlier place when the tradeoffs that led to the routing cache's design were considered.
What it boils down to is that the performance of the routing cache is a product of the traffic patterns seen by a system rather than being a product of the contents of the routing tables. The former of which is controllable by external entities.
Even for "well behaved" legitimate traffic, high volume sites can see hit rates in the routing cache of only ~%10.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
1f42539d |
| 11-Jul-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Kill ip_rt_redirect().
No longer needed, as the protocol handlers now all properly propagate the redirect back into the routing code.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
b42597e2 |
| 11-Jul-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Add ipv4_redirect() and ipv4_sk_redirect() helper functions.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
94206125 |
| 11-Jul-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Rearrange arguments to ip_rt_redirect()
Pass in the SKB rather than just the IP addresses, so that policy and other aspects can reside in ip_rt_redirect() rather than icmp_redirect().
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
f185071d |
| 10-Jul-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Remove inetpeer from routes.
No longer used.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
5943634f |
| 10-Jul-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Maintain redirect and PMTU info in struct rtable again.
Maintaining this in the inetpeer entries was not the right way to do this at all.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
3e12939a |
| 10-Jul-2012 |
David S. Miller <davem@davemloft.net> |
inet: Kill FLOWI_FLAG_PRECOW_METRICS.
No longer needed. TCP writes metrics, but now in its own special cache that does not dirty the route metrics. Therefore there is no longer any reason to pre-cow metrics in this way.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v3.5-rc5 |
|
#
41347dcd |
| 28-Jun-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Kill rt->rt_spec_dst, no longer used.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
c10237e0 |
| 27-Jun-2012 |
David S. Miller <davem@davemloft.net> |
Revert "ipv4: tcp: dont cache unconfirmed intput dst"
This reverts commit c074da2810c118b3812f32d6754bd9ead2f169e7.
This change has several unwanted side effects:
1) Sockets will cache the DST_NOCACHE route in sk->sk_rx_dst and we'll thus never create a real cached route.
2) All TCP traffic will use DST_NOCACHE and never use the routing cache at all.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
c074da28 |
| 26-Jun-2012 |
Eric Dumazet <edumazet@google.com> |
ipv4: tcp: dont cache unconfirmed intput dst
DDOS synflood attacks hit badly IP route cache.
On typical machines, this cache is allowed to hold up to 8 Millions dst entries, 256 bytes for each, for a total of 2GB of memory.
rt_garbage_collect() triggers and tries to cleanup things.
Eventually route cache is disabled but machine is under fire and might OOM and crash.
This patch exploits the new TCP early demux, to set a nocache boolean in case incoming TCP frame is for a not yet ESTABLISHED or TIMEWAIT socket.
This 'nocache' boolean is then used in case dst entry is not found in route cache, to create an unhashed dst entry (DST_NOCACHE)
SYN-cookie-ACK sent use a similar mechanism (ipv4: tcp: dont cache output dst for syncookies), so after this patch, a machine is able to absorb a DDOS synflood attack without polluting its IP route cache.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v3.5-rc4, v3.5-rc3 |
|
#
36393395 |
| 15-Jun-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Handle PMTU in all ICMP error handlers.
With ip_rt_frag_needed() removed, we have to explicitly update PMTU information in every ICMP error handler.
Create two helper functions to facilitate this.
1) ipv4_sk_update_pmtu()
This updates the PMTU when we have a socket context to work with.
2) ipv4_update_pmtu()
Raw version, used when no socket context is available. For this interface, we essentially just pass in explicit arguments for the flow identity information we would have extracted from the socket.
And you'll notice that ipv4_sk_update_pmtu() is simply implemented in terms of ipv4_update_pmtu()
Note that __ip_route_output_key() is used, rather than something like ip_route_output_flow() or ip_route_output_key(). This is because we absolutely do not want to end up with a route that does IPSEC encapsulation and the like. Instead, we only want the route that would get us to the node described by the outermost IP header.
Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
55afabaa |
| 11-Jun-2012 |
David S. Miller <davem@davemloft.net> |
inet: Fix BUG triggered by __rt{,6}_get_peer().
If no peer actually gets attached (either because create is zero or the peer allocation fails) we'll trigger a BUG because we unconditionally do an rt{,6}_peer_ptr() afterwards.
Fix this by guarding it with the proper check.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
46517008 |
| 10-Jun-2012 |
David S. Miller <davem@davemloft.net> |
ipv4: Kill ip_rt_frag_needed().
There is zero point to this function.
Its only real substance is to perform an extremely outdated BSD4.2 ICMP check, which we can safely remove. If you really have a MTU limited link being routed by a BSD4.2 derived system, here's a nickel go buy yourself a real router.
The other actions of ip_rt_frag_needed(), checking and conditionally updating the peer, are done by the per-protocol handlers of the ICMP event.
TCP, UDP, et al. have a handler which will receive this event and transmit it back into the associated route via dst_ops->update_pmtu().
This simplification is important, because it eliminates the one place where we do not have a proper route context in which to make an inetpeer lookup.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
97bab73f |
| 10-Jun-2012 |
David S. Miller <davem@davemloft.net> |
inet: Hide route peer accesses behind helpers.
We encode the pointer(s) into an unsigned long with one state bit.
The state bit is used so we can store the inetpeer tree root to use when resolving the peer later.
Later the peer roots will be per-FIB table, and this change works to facilitate that.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
c5d21c4b |
| 10-Jun-2012 |
Roland Dreier <roland@purestorage.com> |
net: Reorder initialization in ip_route_output to fix gcc warning
If I build with W=1, for every file that includes <net/route.h>, I get the warning
include/net/route.h: In function 'ip_route_output':
include/net/route.h:135:3: warning: initialized field overwritten [-Woverride-init]
include/net/route.h:135:3: warning: (near initialization for 'fl4') [-Woverride-init]
(This is with "gcc (Debian 4.6.3-1) 4.6.3")
A fix seems pretty trivial: move the initialization of .flowi4_tos earlier. As far as I can tell, this has no effect on code generation.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
fbfe95a4 |
| 09-Jun-2012 |
David S. Miller <davem@davemloft.net> |
inet: Create and use rt{,6}_get_peer_create().
There's a lot of places that open-code rt{,6}_get_peer() only because they want to set 'create' to one. So add an rt{,6}_get_peer_create() for their sake.
There were also a few spots open-coding plain rt{,6}_get_peer() and those are transformed here as well.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v3.5-rc2, v3.5-rc1, v3.4, v3.4-rc7, v3.4-rc6, v3.4-rc5, v3.4-rc4, v3.4-rc3 |
|
#
95c96174 |
| 15-Apr-2012 |
Eric Dumazet <eric.dumazet@gmail.com> |
net: cleanup unsigned to unsigned int
Use of "unsigned int" is preferred to bare "unsigned" in net tree.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v3.4-rc2, v3.4-rc1, v3.3, v3.3-rc7, v3.3-rc6, v3.3-rc5, v3.3-rc4, v3.3-rc3 |
|
#
e6b45241 |
| 04-Feb-2012 |
Julian Anastasov <ja@ssi.bg> |
ipv4: reset flowi parameters on route connect
Eric Dumazet found that commit 813b3b5db83 (ipv4: Use caller's on-stack flowi as-is in output route lookups.) that comes in 3.0 added a regression. The problem appears to be that resulting flowi4_oif is used incorrectly as input parameter to some routing lookups. The result is that when connecting to local port without listener if the IP address that is used is not on a loopback interface we incorrectly assign RTN_UNICAST to the output route because no route is matched by oif=lo. The RST packet can not be sent immediately by tcp_v4_send_reset because it expects RTN_LOCAL.
So, change ip_route_connect and ip_route_newports to update the flowi4 fields that are input parameters because we do not want unnecessary binding to oif.
To make it clear what are the input parameters that can be modified during lookup and to show which fields of flowi4 are reused add a new function to update the flowi4 structure: flowi4_update_output.
Thanks to Yurij M. Plotnikov for providing a bug report including a program to reproduce the problem.
Thanks to Eric Dumazet for tracking the problem down to tcp_v4_send_reset and providing initial fix.
Reported-by: Yurij M. Plotnikov <Yurij.Plotnikov@oktetlabs.ru>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v3.3-rc2, v3.3-rc1, v3.2, v3.2-rc7, v3.2-rc6, v3.2-rc5, v3.2-rc4, v3.2-rc3 |
|
#
b8400f37 |
| 22-Nov-2011 |
Steffen Klassert <steffen.klassert@secunet.com> |
route: struct rtable can be const in rt_is_input_route and rt_is_output_route
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v3.2-rc2, v3.2-rc1, v3.1, v3.1-rc10, v3.1-rc9, v3.1-rc8, v3.1-rc7, v3.1-rc6, v3.1-rc5, v3.1-rc4, v3.1-rc3, v3.1-rc2, v3.1-rc1, v3.0, v3.0-rc7, v3.0-rc6, v3.0-rc5, v3.0-rc4, v3.0-rc3, v3.0-rc2, v3.0-rc1, v2.6.39 |
|
#
a48eff12 |
| 18-May-2011 |
David S. Miller <davem@davemloft.net> |
ipv4: Pass explicit destination address to rt_bind_peer().
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
ed2361e6 |
| 18-May-2011 |
David S. Miller <davem@davemloft.net> |
ipv4: Pass explicit destination address to rt_get_peer().
This will next trickle down to rt_bind_peer().
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
8e36360a |
| 13-May-2011 |
David S. Miller <davem@davemloft.net> |
ipv4: Remove route key identity dependencies in ip_rt_get_source().
Pass in the sk_buff so that we can fetch the necessary keys from the packet header when working with input routes.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
Revision tags: v2.6.39-rc7 |
|
#
cbb1e85f |
| 04-May-2011 |
David S. Miller <davem@davemloft.net> |
ipv4: Kill rt->rt_{src, dst} usage in IP GRE tunnels.
First, make callers pass on-stack flowi4 to ip_route_output_gre() so they can get at the fully resolved flow key.
Next, use that in ipgre_tunnel_xmit() to avoid the need to use rt->rt_{dst,src}.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
31e4543d |
| 03-May-2011 |
David S. Miller <davem@davemloft.net> |
ipv4: Make caller provide on-stack flow key to ip_route_output_ports().
Signed-off-by: David S. Miller <davem@davemloft.net>
|