29 Jan, 2008
40 commits
-
I'm actually surprised at how much was involved. At first glance it
appears that the neighbour table data structures are already split by
network device so all that should be needed is to modify the user
interface commands to filter the set of neighbours by the network
namespace of their devices.However a couple things turned up while I was reading through the
code. The proxy neighbour table allows entries with no network
device, and the neighbour parms are per network device (except for the
defaults) so they now need a per network namespace default.So I updated the two structures (which surprised me) with their very
own network namespace parameter. Updated the relevant lookup and
destroy routines with a network namespace parameter and modified the
code that interacts with users to filter out neighbour table entries
for devices of other namespaces.I'm a little concerned that we can modify and display the global table
configuration and from all network namespaces. But this appears good
enough for now.I keep thinking modifying the neighbour table to have per network
namespace instances of each table type would should be cleaner. The
hash table is already dynamically sized so there are it is not a
limiter. The default parameter would be straight forward to take care
of. However when I look at the how the network table is built and
used I still find some assumptions that there is only a single
neighbour table for each type of table in the kernel. The netlink
operations, neigh_seq_start, the non-core network users that call
neigh_lookup. So while it might be doable it would require more
refactoring than my current approach of just doing a little extra
filtering in the code.Signed-off-by: Eric W. Biederman
Signed-off-by: Daniel Lezcano
Signed-off-by: David S. Miller -
According to RFC4303, section 3.3.3 we need to drop outgoing packets which
cause the replay counter to overflow:3.3.3. Sequence Number Generation
The sender's counter is initialized to 0 when an SA is established.
The sender increments the sequence number (or ESN) counter for this
SA and inserts the low-order 32 bits of the value into the Sequence
Number field. Thus, the first packet sent using a given SA will
contain a sequence number of 1.If anti-replay is enabled (the default), the sender checks to ensure
that the counter has not cycled before inserting the new value in the
Sequence Number field. In other words, the sender MUST NOT send a
packet on an SA if doing so would cause the sequence number to cycle.
An attempt to transmit a packet that would result in sequence number
overflow is an auditable event. The audit log entry for this event
SHOULD include the SPI value, current date/time, Source Address,
Destination Address, and (in IPv6) the cleartext Flow ID.Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller -
This patch adds a number of new IPsec audit events to meet the auditing
requirements of RFC4303. This includes audit hooks for the following events:* Could not find a valid SA [sections 2.1, 3.4.2]
. xfrm_audit_state_notfound()
. xfrm_audit_state_notfound_simple()* Sequence number overflow [section 3.3.3]
. xfrm_audit_state_replay_overflow()* Replayed packet [section 3.4.3]
. xfrm_audit_state_replay()* Integrity check failure [sections 3.4.4.1, 3.4.4.2]
. xfrm_audit_state_icvfail()While RFC4304 deals only with ESP most of the changes in this patch apply to
IPsec in general, i.e. both AH and ESP. The one case, integrity check
failure, where ESP specific code had to be modified the same was done to the
AH code for the sake of consistency.Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller -
tcp_win_from_space() being signed, compiler might emit an integer divide
to compute tcp_win_from_space()/2 .Using right shifts is OK here and less expensive.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
tcp_mtu_to_mss() being signed, compiler might emit an integer divide
to compute tcp_mtu_to_mss()/2 .Using a right shift is OK here and less expensive.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
Down into the only scope where it is used.
Signed-off-by: David S. Miller
-
Because sk_wmem_queued, sk_sndbuf are signed, a divide per two
may force compiler to use an integer divide.We can instead use a right shift.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
Before submiting a patch to change a divide to a right shift, I felt
necessary to create a helper function tcp_mtu_probing() to reduce length of
lines exceeding 100 chars in tcp_write_timeout().Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
Since 'goal' is a signed int, compiler may emit an integer divide
to compute goal/2.Using a right shift is OK here and less expensive.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
Several length variables cannot be negative, so convert int to
unsigned int. This also allows us to do sane shift operations
on those variables.Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
According to the standard, the field cannot be present, so don't
try to interpret it either.Signed-off-by: Johannes Berg
Cc: Daniel Drake
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This patch moves the decision making about whether a frame is encrypted
with a certain algorithm up into the TX handlers rather than having it
in the crypto algorithm implementation.This fixes a problem with the radiotap injection code where injecting
a non-data packet and requesting encryption could end up asking the
driver to encrypt a packet without giving it a key.Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This implements the required cfg80211 callback in mac80211
to allow userspace to get station statistics.Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
After a station is added to the kernel's structures, userspace
has to be able to retrieve statistics about that station, especially
whether the station was idle and how much bytes were transferred
to and from it. This adds the necessary code to nl80211.Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This patch adds station handling to cfg80211/nl80211.
Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This adds the necessary API to cfg80211/nl80211 to allow
changing beaconing settings.Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This implements cfg80211's get_key() to allow retrieving the sequence
counter for a TKIP or CCMP key from userspace. It also cleans up and
documents the associated low-level driver interface.Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This adds the necessary hooks to mac80211 to allow userspace
to edit keys with cfg80211 (through nl80211.)Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This introduces key handling to cfg80211/nl80211. Default
and group keys can be added, changed and removed; sequence
counters for each key can be retrieved.Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
Signed-off-by: Stefano Brivio
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
There are various decisions influencing the decision whether to buffer
a frame for after the next DTIM beacon. The "do we have stations in PS
mode" condition cannot be tested by the driver so mac80211 has to do
that. To ease driver writing for hardware that can buffer frames until
after the next DTIM beacon, introduce a new txctl flag telling the
driver to buffer a specific frame.While at it, restructure and comment the code for multicast buffering
and remove spurious "inline" directives.Signed-off-by: Johannes Berg
Cc: Michael Buesch
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
The function is only used locally.
Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
The previous patch left only one user of the ieee80211_is_eapol()
function and that user can be eliminated easily by introducing
a new "frame is EAPOL" flag to handle the frame specially (we
already have this information) instead of doing the (expensive)
ieee80211_is_eapol() all the time.Also, allow unencrypted frames to be sent when they are injected.
Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This cleans up the eapol frame handling and some related code in the
receive and transmit paths. After this patch
* EAPOL frames addressed to us or the EAPOL group address are
always accepted regardless of whether they are encrypted or not
* other frames from a station are dropped if PAE is enabled and
the station is not authorized
* unencrypted frames (except the EAPOL frames above) are dropped if
drop_unencrypted is enabled
* some superfluous code that eth_type_trans handles anyway is gone
* port control is done for transmitted packetsSigned-off-by: Johannes Berg
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This adds all the tunable parameters used by rc80211_pid to debugfs for easy
testing and tuning.Signed-off-by: Mattias Nissler
Signed-off-by: Stefano Brivio
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This adds a new debugfs file from which rate control relevant events can be
read one event per line. The output includes the current time, so graphs can be
created showing the rate control parameters. This helps in evaluating and
tuning rate control parameters. While at it, we split headers and code for
better readability.Signed-off-by: Mattias Nissler
Signed-off-by: Stefano Brivio
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This patch introduces a PID sharpening factor for faster response after
association and low activity events.Signed-off-by: Stefano Brivio
Signed-off-by: Mattias Nissler
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This patch introduces a learning algorithm in order for the PID controller
to learn how to map adjustment values to rates. This is better described in
code comments.Signed-off-by: Stefano Brivio
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
This makes the new PID TX rate control algorithm the default instead of the
rc80211_simple rate control algorithm. The simple algorithm was flawed in
several ways: it wasn't responsive at all and didn't age the information it was
relying on properly. The PID algorithm allows us to tune characteristics such
as responsiveness by adjusting parameters and was found to generally behave
better.The default algorithm can be overridden to select simple instead. Which
ever algorithm is the default is included as part of the mac80211
module automatically. The other algorithm (simple vs. pid) can
be selected for inclusion as well. If EMBEDDED is selected then
the choice is available to have no default specified and neither
algorithm included in mac80211. The default algorithm can be set
through a modparam.While at it, mark rc80211-simple as deprecated, and schedule it
for removal.Signed-off-by: Stefano Brivio
Signed-off-by: John W. Linville
Signed-off-by: David S. Miller -
Because 'free_space' variable in __tcp_select_window() is signed,
expression (free_space / 2) forces compiler to emit an integer divide.This can be changed to a plain right shift, less expensive.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
This patch fixes a number of small but potentially troublesome things in the
XFRM/IPsec code:* Use the 'audit_enabled' variable already in include/linux/audit.h
Removed the need for extern declarations local to each XFRM audit fuction* Convert 'sid' to 'secid' everywhere we can
The 'sid' name is specific to SELinux, 'secid' is the common naming
convention used by the kernel when refering to tokenized LSM labels,
unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
we risk breaking userspace* Convert address display to use standard NIP* macros
Similar to what was recently done with the SPD audit code, this also also
includes the removal of some unnecessary memcpy() calls* Move common code to xfrm_audit_common_stateinfo()
Code consolidation from the "less is more" book on software development* Proper spacing around commas in function arguments
Minor style tweak since I was already touching the codeSigned-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller -
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
This statistics is shown factor dropped by transformation
at /proc/net/xfrm_stat for developer.
It is a counter designed from current transformation source code
and defined as linux private MIB.See Documentation/networking/xfrm_proc.txt for the detail.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
Disable spin_lock during xfrm_type.input() function.
Follow design as IPsec inbound does.Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
IPv6 specific thing is wrongly removed from transformation at net-2.6.25.
This patch recovers it with current design.o Update "path" of xfrm_dst since IPv6 transformation should
care about routing changes. It is required by MIPv6 and
off-link destined IPsec.
o Rename nfheader_len which is for non-fragment transformation used by
MIPv6 to rt6i_nfheader_len as IPv6 name space.Signed-off-by: Masahide NAKAMURA
Acked-by: Herbert Xu
Signed-off-by: David S. Miller -
I'd say that most of what tcp_tso_should_defer had in between
there was dead code because of this.Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller -
This patch updates the version number to 3.87.
Signed-off-by: Matt Carlson
Signed-off-by: Michael Chan
Signed-off-by: David S. Miller
