Re: lenny updates (networking)

2009-03-16 Thread Ola Lundqvist

Hi Kir

Quoting Kir Kolyshkin k...@openvz.org:


> Ola Lundqvist wrote:
> [...]
>
>>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=ce67d5b4cc85fa0c6a6d226d436276ab307ae041
>>> iptables: setup init iptables mask before net initialization
>>> Trivial fix for IPv6 iptables in container. Not an ABI breaker.
>>> Attached as 0042*
>>
>> IPv6 is not really working in the current version. However, this is
>> an improvement to the current state.
>> Not sure it should be included. I have added it to my test build but I
>> think I need advice from Dann here.
>
> So we can either disable IPv6 in config or fix it. It's up to you/Dann
> to decide. I'd go with fixing.

I tend to agree.

> Speaking of IPv6, we also have a bunch of patches for ipv6 conntracks
> in containers which I haven't sent since it looks more like a new
> functionality rather than a bugfix.

If it is new functionality, then it can not go in. However, if they are
fixes (= important), then they should go in. So if you see any important
ones, please let me know.

>>> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=fffc6ffba65ec0b12aeb89f2e4a448785298aa75
>>> net: set ve context when init/exit method is called
>>> Attached as 0043*
>>
>> Security issue?
>
> No. Deadlocks/leaks on VE stop.

I personally consider a deadlock a denial of service. However, this
can only be done by root. On the other hand, I assume it is still
important to fix it.

> [...]

Best regards,

// Ola


--
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.com      Annebergsslingan 37              \
|  o...@debian.org      654 65 KARLSTAD                  |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: lenny updates (networking)

2009-03-16 Thread maximilian attems
On Mon, Mar 16, 2009 at 02:19:39PM +0300, Kir Kolyshkin wrote:
> 
> So we can either disable IPv6 in config or fix it. It's up to you/Dann 
> to decide. I'd go with fixing.
> 
> Speaking of IPv6, we also have a bunch of patches for ipv6 conntracks in 
> containers which I haven't sent since it looks more like a new 
> functionality rather than a bugfix.

yes please fix it, we have explicit demand for ipv6
also ipv6 support is a release goal of lenny,
so such updates should just go in.





Re: lenny updates (networking)

2009-03-16 Thread Ola Lundqvist

Thanks for this clarification.

Kir, please list the corrections that you can find. If they are more of an
improvement, please mark that and we can discuss it further.


Best regards,

// Ola

Quoting maximilian attems m...@stro.at:

> On Mon, Mar 16, 2009 at 02:19:39PM +0300, Kir Kolyshkin wrote:
>> So we can either disable IPv6 in config or fix it. It's up to you/Dann
>> to decide. I'd go with fixing.
>>
>> Speaking of IPv6, we also have a bunch of patches for ipv6 conntracks in
>> containers which I haven't sent since it looks more like a new
>> functionality rather than a bugfix.
>
> yes please fix it, we have explicit demand for ipv6
> also ipv6 support is a release goal of lenny,
> so such updates should just go in.









Re: lenny updates (networking)

2009-03-16 Thread Kir Kolyshkin

The four attached patches fix conntracks for IPv6.

Ola Lundqvist wrote:
> Thanks for this clarification.
>
> Kir, please list the corrections that you can find. If they are more of an
> improvement, please mark that and we can discuss it further.
>
> Best regards,
>
> // Ola
>
> Quoting maximilian attems m...@stro.at:
>
>> On Mon, Mar 16, 2009 at 02:19:39PM +0300, Kir Kolyshkin wrote:
>>> So we can either disable IPv6 in config or fix it. It's up to you/Dann
>>> to decide. I'd go with fixing.
>>>
>>> Speaking of IPv6, we also have a bunch of patches for ipv6 conntracks in
>>> containers which I haven't sent since it looks more like a new
>>> functionality rather than a bugfix.
>>
>> yes please fix it, we have explicit demand for ipv6
>> also ipv6 support is a release goal of lenny,
>> so such updates should just go in.


From 2c1b2f728e1ae136ec1713bfec9892cf7cd656b6 Mon Sep 17 00:00:00 2001
From: Vitaliy Gusev vgu...@openvz.org
Date: Wed, 24 Sep 2008 14:51:32 +0400
Subject: [PATCH] conntrack: Allocate/free ve_nf_conntrack_l3proto_ipv6

Virtualize nf_ct_ipv6_sysctl_table and allocate/free
ve_nf_conntrack_l3proto_ipv6.

Per VE nf_ct_ipv6_sysctl_table sysctl registration looks like:

nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
  nf_ct_l3proto_register_sysctl(proto);
    nf_ct_register_sysctl(&l3proto->ctl_table_header,
                          l3proto->ctl_table_path,
                          l3proto->ctl_table, NULL);

So ve_nf_conntrack_l3proto_ipv6 is allocated per VE as l3proto sysctl
registration changes l3proto->ctl_table_header.

Signed-off-by: Vitaliy Gusev vgu...@openvz.org
Signed-off-by: Pavel Emelyanov xe...@openvz.org
---
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |   34 +++-
 net/ipv6/netfilter/nf_conntrack_reasm.c|   25 +-
 2 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 71b15ab..8623b7c 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -360,6 +360,33 @@ MODULE_ALIAS(nf_conntrack- __stringify(AF_INET6));
 MODULE_LICENSE(GPL);
 MODULE_AUTHOR(Yasuyuki KOZAKAI @USAGI yasuyuki.koza...@toshiba.co.jp);
 
+static int nf_ct_proto_ipv6_init_net(struct net *net)
+{
+   struct nf_conntrack_l3proto *ipv6;
+
+   ipv6 = nf_conntrack_l3proto_ipv6;
+   if (net != init_net) {
+   ipv6 = kmemdup(ipv6,
+  sizeof(struct nf_conntrack_l3proto), GFP_KERNEL);
+   if (!ipv6)
+   return -ENOMEM;
+   }
+
+   ve_nf_conntrack_l3proto_ipv6 = ipv6;
+   return 0;
+}
+
+static void nf_ct_proto_ipv6_exit_net(struct net *net)
+{
+   if (net != init_net)
+   kfree(ve_nf_conntrack_l3proto_ipv6);
+}
+
+static struct pernet_operations nf_ct_ipv6_ops = {
+   .init = nf_ct_proto_ipv6_init_net,
+   .exit = nf_ct_proto_ipv6_exit_net,
+};
+
 int init_nf_ct_l3proto_ipv6(void)
 {
int ret = -ENOMEM;
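Review bot: the kmemdup() in nf_ct_proto_ipv6_init_net copies the whole descriptor, so a container's private ve_nf_conntrack_l3proto_ipv6 starts out pointing at init_net's ctl_table_header (and ctl_table) until the per-VE sysctl registration described in the commit message overwrites them; clearing both pointers in the copy right after kmemdup() would keep an early failure in a later init step from unregistering or freeing init_net's table through the copy. Also, reading and writing ve_nf_conntrack_l3proto_ipv6 from pernet init/exit callbacks only works if the VE context is set for the net being created or destroyed, which is what the separate "net: set ve context when init/exit method is called" patch (0043 in this thread) provides, so this patch has to be ordered after it in the series.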
@@ -435,10 +462,12 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 
need_conntrack();
 
+   register_pernet_subsys(nf_ct_ipv6_ops);
+
ret = nf_ct_frag6_init();
if (ret  0) {
printk(nf_conntrack_ipv6: can't initialize frag6.\n);
-   return ret;
+   goto unreg_subsys;
}
 
ret = init_nf_ct_l3proto_ipv6();
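Review bot: the return value of register_pernet_subsys(&nf_ct_ipv6_ops) is discarded in nf_conntrack_l3proto_ipv6_init. It can fail (its init callback returns -ENOMEM when kmemdup() fails for an existing namespace), and on failure the function goes on to nf_ct_frag6_init(), whose per-net init dereferences ve_nf_conntrack_l3proto_ipv6, and the new unreg_subsys error path would then unregister something that was never registered. Suggest `ret = register_pernet_subsys(&nf_ct_ipv6_ops);` followed by `if (ret < 0) return ret;` before the frag6 init.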
@@ -461,6 +490,8 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
 
 cleanup_frag6:
nf_ct_frag6_cleanup();
+unreg_subsys:
+   unregister_pernet_subsys(nf_ct_ipv6_ops);
return ret;
 }
 
@@ -473,6 +504,7 @@ static void __exit nf_conntrack_l3proto_ipv6_fini(void)
nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
fini_nf_ct_l3proto_ipv6();
nf_ct_frag6_cleanup();
+   unregister_pernet_subsys(nf_ct_ipv6_ops);
 }
 
 module_init(nf_conntrack_l3proto_ipv6_init);
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c 
b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 9faaa59..e8e4112 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -40,6 +40,7 @@
 #include net/ndisc.h
 #include net/addrconf.h
 #include net/netfilter/ipv6/nf_conntrack_ipv6.h
+#include net/netfilter/nf_conntrack_l3proto.h
 #include linux/sysctl.h
 #include linux/netfilter.h
 #include linux/netfilter_ipv6.h
@@ -696,17 +697,39 @@ static int nf_ct_frag6_init_net(struct net *net)
 {
struct netns_frags *frags = net-ipv6.ct_frags;
 
+#ifdef CONFIG_SYSCTL
+   if (net != init_net) {
+   struct nf_conntrack_l3proto *ipv6 =
+   ve_nf_conntrack_l3proto_ipv6;
+
+   ipv6-ctl_table = kmemdup(nf_ct_ipv6_sysctl_table,
+ sizeof(nf_ct_ipv6_sysctl_table),
+ 
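Review bot: the hunk is cut off in the archived copy right after the kmemdup() of nf_ct_ipv6_sysctl_table, so the NULL check on the copy and the matching kfree() in nf_ct_frag6_exit_net cannot be reviewed here; with the full attachment, confirm that a failed kmemdup() returns -ENOMEM from nf_ct_frag6_init_net and that the exit path frees ipv6->ctl_table. This block also assumes nf_ct_proto_ipv6_init_net() has already run for the same net, which holds only because register_pernet_subsys(&nf_ct_ipv6_ops) is called before nf_ct_frag6_init() in the module init hunk (pernet init callbacks run in registration order, exit callbacks in reverse, so the ctl_table copy is freed before the l3proto that holds it); a short comment stating that ordering dependency next to the kmemdup() would help the next person touching the init sequence.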

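To make the defect behind the patch above concrete, here is an added user-space model of it; this is example code written for this page, not code from the thread or from the OpenVZ kernel. The names (struct l3proto, struct netns, register_sysctl(), init_net_shared(), init_net_percopy()) are hypothetical stand-ins for nf_conntrack_l3proto, the net namespace, nf_ct_register_sysctl() and the two pernet init strategies. The "shared" path models the pre-patch state, where every container registers its sysctl table into the one global descriptor and so overwrites the previous namespace's ctl_table_header (the earlier header becomes unreachable, which is a leak, and the wrong header gets unregistered on stop); the "percopy" path models the kmemdup() per-net copy the patch introduces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's sysctl table header: records which net owns it. */
struct ctl_table_header { int owner_net; };

/* Stand-in for struct nf_conntrack_l3proto, reduced to the one field the
 * commit message says sysctl registration changes. */
struct l3proto {
    const char *name;
    struct ctl_table_header *ctl_table_header;
};

/* The single global descriptor, models nf_conntrack_l3proto_ipv6. */
static struct l3proto shared_ipv6 = { "ipv6", NULL };

/* A network namespace with its per-net pointer (models ve_nf_conntrack_l3proto_ipv6). */
struct netns {
    int id;
    int is_init_net;
    struct l3proto *ipv6;
};

/* Models nf_ct_register_sysctl(): stores a freshly allocated header in the
 * descriptor it is handed, silently replacing whatever was there before. */
static int register_sysctl(struct netns *net, struct l3proto *proto)
{
    struct ctl_table_header *h = malloc(sizeof(*h));
    if (!h)
        return -1;
    h->owner_net = net->id;
    proto->ctl_table_header = h;
    return 0;
}

/* Unregisters whatever header the descriptor currently points at. */
static void unregister_sysctl(struct l3proto *proto)
{
    free(proto->ctl_table_header);
    proto->ctl_table_header = NULL;
}

/* Pre-patch behaviour: every net points at the shared descriptor. */
static int init_net_shared(struct netns *net)
{
    net->ipv6 = &shared_ipv6;
    return register_sysctl(net, net->ipv6);
}

/* Patched behaviour: init_net keeps the global, every other net gets a private
 * copy (kmemdup in the kernel). The copy's header pointer is cleared so it
 * never aliases init_net's registration. */
static int init_net_percopy(struct netns *net)
{
    struct l3proto *p = &shared_ipv6;
    if (!net->is_init_net) {
        p = malloc(sizeof(*p));
        if (!p)
            return -1;
        memcpy(p, &shared_ipv6, sizeof(*p));
        p->ctl_table_header = NULL;
    }
    net->ipv6 = p;
    return register_sysctl(net, p);
}

/* Models nf_ct_proto_ipv6_exit_net(): unregister, then free a private copy. */
static void exit_net(struct netns *net)
{
    unregister_sysctl(net->ipv6);
    if (!net->is_init_net && net->ipv6 != &shared_ipv6)
        free(net->ipv6);
    net->ipv6 = NULL;
}

/* Starts init_net and one container net with the chosen strategy and reports
 * whether each net still owns the header it registered: 1 = yes, 0 = the
 * second registration clobbered the first (that header is now unreachable),
 * -1 = allocation failure. */
static int both_nets_keep_header(int use_percopy)
{
    struct netns a = { 1, 1, NULL }, b = { 2, 0, NULL };
    struct ctl_table_header *first;
    int ok;

    shared_ipv6.ctl_table_header = NULL;
    if (use_percopy ? init_net_percopy(&a) : init_net_shared(&a))
        return -1;
    first = a.ipv6->ctl_table_header;
    if (use_percopy ? init_net_percopy(&b) : init_net_shared(&b))
        return -1;

    ok = a.ipv6->ctl_table_header == first &&
         first->owner_net == a.id &&
         b.ipv6->ctl_table_header->owner_net == b.id;

    exit_net(&b);
    if (ok)
        exit_net(&a);
    else
        free(first); /* the header the kernel would leak; we kept a pointer to it */
    return ok;
}

int main(void)
{
    printf("shared descriptor: both nets keep their header? %d\n", both_nets_keep_header(0));
    printf("per-net copy:      both nets keep their header? %d\n", both_nets_keep_header(1));
    return 0;
}
```

The shared run returns 0 because the container's registration overwrote init_net's header inside the one descriptor; the per-copy run returns 1 because each net registers into its own descriptor, which is exactly why the patch allocates ve_nf_conntrack_l3proto_ipv6 per VE.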
Re: lenny updates (networking)

2009-03-14 Thread Ola Lundqvist
Hi Kir

More comments...

On Tue, Mar 10, 2009 at 02:54:04AM +0300, Kir Kolyshkin wrote:
> Kir Kolyshkin wrote:
>> I am currently checking all the ~80 patches that are not in openvz
>> lenny kernel. Looks like most are really needed. Let me suggest some
>> in a few emails I will send as a reply to this one.
> Some networking fixes. Networking changed much in 2.6.26 (net namespaces
> etc.) so some fixes came out later.
>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=24cebf40278cb071ff8b5671b03c763f0f74b5ec
> netns: add support for net namespace in igmp code
> Fixes networking lock up while dealing with multicast traffic. Backport
> from mainstream.
> OpenVZ bug #992 (http://bugzilla.openvz.org/992)
> Could be an ABI breaker.
> Attached as 0013*

Already in Debian openvz patch.

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=849af42466bed078e6953a4eeeff28c81f64a983
> [UB]: Double free for UDP socket
> Found by internal testing. Not an ABI breaker.
> Attached as 0015*

I assume this can be a security issue, right?

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=b6133ea5860a6c549065be5eaca57244ac8ccc92
> Removes a compilation warning. Very trivial :)
> Attached as 0030*

I assume this one is not very important, right? On the other hand, it can not
really disturb anything.

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=9baf6095c98f930e02769b09addbd4b5f18772d5
> Simplify call __dev_change_net_namespace() by remove parameters.
> Related to OpenVZ bug #1044, prerequisite to the next patch.
> Attached as 0040*
>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=35f41f111afc1a9f024153ac43d8d829a894fb2b
> Adjust VE before call netdev_unregister_kobject/netdev_register_kobject
> Fix for OpenVZ bug #1044 (http://bugzilla.openvz.org/1044)
> Attached as 0041*

Looks like an important thing to fix, yes.

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=ce67d5b4cc85fa0c6a6d226d436276ab307ae041
> iptables: setup init iptables mask before net initialization
> Trivial fix for IPv6 iptables in container. Not an ABI breaker.
> Attached as 0042*

IPv6 is not really working in the current version. However, this is an
improvement to the current state.
Not sure it should be included. I have added it to my test build but I think I
need advice from Dann here.

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=fffc6ffba65ec0b12aeb89f2e4a448785298aa75
> net: set ve context when init/exit method is called
> Attached as 0043*

Security issue?

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=8a951e3f434541143a639dd529a504d343d28cc7
> tun: mark tun/tap devices with NETIF_F_VIRTUAL flag
> Fix for OpenVZ bug #1145 (http://bugzilla.openvz.org/1145)
> Attached as 0062*

Ok.

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=5c591aeb2a194a9554b0cf0bd3959d8c18fa5129
> bridge: don't leak master device on brctl addif
> Fix for OpenVZ bug #1145 (http://bugzilla.openvz.org/1145)
> Attached as 0063*

Same bug as above. Ok.

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=c578262d8816d27ab5530696d7b5f1e102e3b977
> net: NETIF_F_VIRTUAL intersects with NETIF_F_LRO
> Fix for OpenVZ bug #1145 (http://bugzilla.openvz.org/1145)
> Attached as 0064*

Same bug as above. Ok.

Best regards,

// Ola
