26 Sep, 2006
4 commits
-
At the suggestion of Thomas Graf, rewrite NetLabel's use of Netlink attributes
to better follow the common Netlink attribute usage.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Add a new function, nla_validate_nested(), to validate nested Netlink
attributes.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
At the top of include/net/netlink.h is a list of Netlink interfaces, however,
the nla_for_each_nested() macro was not listed. This patch adds this interface
to the list at the top of the header file.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Fix a problem where NetLabel would always set the value of
sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of
the socket, causing problems when users would query the context of the
connection. This patch fixes this so that the value in
sk_security_struct->peer_sid is only set when the connection is NetLabel based,
otherwise the value is untouched.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
25 Sep, 2006
2 commits
-
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds -
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: (217 commits)
net/ieee80211: fix more crypto-related build breakage
[PATCH] Spidernet: add ethtool -S (show statistics)
[NET] GT96100: Delete bitrotting ethernet driver
[PATCH] mv643xx_eth: restrict to 32-bit PPC_MULTIPLATFORM
[PATCH] Cirrus Logic ep93xx ethernet driver
r8169: the MMIO region of the 8167 stands behin BAR#1
e1000, ixgb: Remove pointless wrappers
[PATCH] Remove powerpc specific parts of 3c509 driver
[PATCH] s2io: Switch to pci_get_device
[PATCH] gt96100: move to pci_get_device API
[PATCH] ehea: bugfix for register access functions
[PATCH] e1000 disable device on PCI error
drivers/net/phy/fixed: #if 0 some incomplete code
drivers/net: const-ify ethtool_ops declarations
[PATCH] ethtool: allow const ethtool_ops
[PATCH] sky2: big endian
[PATCH] sky2: fiber support
[PATCH] sky2: tx pause bug fix
drivers/net: Trim trailing whitespace
[PATCH] ehea: IBM eHEA Ethernet Device Driver
...Manually resolved conflicts in drivers/net/ixgb/ixgb_main.c and
drivers/net/sky2.c related to CHECKSUM_HW/CHECKSUM_PARTIAL changes by
commit 84fa7933a33f806bbbaae6775e87459b1ec584c0 that just happened to be
next to unrelated changes in this update.
23 Sep, 2006
34 commits
-
Conflicts:
net/ieee80211/ieee80211_crypt_tkip.c
net/ieee80211/ieee80211_crypt_wep.c -
IFA_F_HOMEADDRESS is introduced for Mobile IPv6 Home Addresses on
Mobile Node.The IFA_F_HOMEADDRESS flag should be set for Mobile IPv6 Home
Addresses for 2 purposes. 1) We need to check this on receipt of
Type 2 Routing Header (RFC3775 Secion 6.4), 2) We prefer Home
Address(es) in source address selection (RFC3484 Section 5 Rule 4).Signed-off-by: Noriaki TAKAMIYA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
We have sent NA with router flag from the node-wide forwarding
configuration. This is not appropriate for proxy NA, and it should be
set according to each proxy entry's configuration.This is used by Mobile IPv6 home agent to support physical home link
in acting as a proxy router for mobile node which is not a router,
for example.Based on MIPL2 kernel patch.
Signed-off-by: Ville Nuorvala
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki -
Now that IPv6 supports policy routing we need to reroute in NF_IP6_LOCAL_OUT
when the mark value changes.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Hashing SAs by source address breaks templates with wildcards as tunnel
source since the source address used for hashing/lookup is still 0/0.
Move source address lookup to xfrm_tmpl_resolve_one() so we can use the
real address in the lookup.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
It does not affect either mss-sized connections (obviously) or
connections controlled by Nagle (because there is only one small
segment in flight).The idea is to record the fact that a small segment arrives on a
connection, where one small segment has already been received and
still not-ACKed. In this case ACK is forced after tcp_recvmsg() drains
receive buffer.In other words, it is a "soft" each-2nd-segment ACK, which is enough
to preserve ACK clock even when ABC is enabled.Signed-off-by: Alexey Kuznetsov
Signed-off-by: David S. Miller -
This patch contains the following cleanups:
- make the following needlessly global function static:
- socket.c: sctp_apply_peer_addr_params()
- add proper prototypes for the several global functions in
include/net/sctp/sctp.hNote that this fixes wrong prototypes for the following functions:
- sctp_snmp_proc_exit()
- sctp_eps_proc_exit()
- sctp_assocs_proc_exit()The latter was spotted by the GNU C compiler and reported
by David Woodhouse.Signed-off-by: Adrian Bunk
Acked-by: Sridhar Samudrala
Signed-off-by: David S. Miller -
Additionaly exports the following information when providing
the list of registered generic netlink families:
- protocol version
- header size
- maximum number of attributes
- list of available operations including
- id
- flags
- avaiability of policy and doit/dumpit functionlibnl HEAD provides a utility to read this new information:
0x0010 nlctrl version 1
hdrsize 0 maxattr 6
op GETFAMILY (0x03) [POLICY,DOIT,DUMPIT]
0x0011 NLBL_MGMT version 1
hdrsize 0 maxattr 0
op unknown (0x02) [DOIT]
op unknown (0x03) [DOIT]
....Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
Expose IPSEC modes output path to take an xfrm state as input param.
This makes it consistent with the input mode processing (which already
takes the xfrm state as a param).Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller -
Function sk_filter() is called from tcp_v{4,6}_rcv() functions with arg
needlock = 0, while socket is not locked at that moment. In order to avoid
this and similar issues in the future, use rcu for sk->sk_filter field read
protection.Signed-off-by: Dmitry Mishin
Signed-off-by: Alexey Kuznetsov
Signed-off-by: Kirill Korotaev -
Add some missing include files to the NetLabel related header files.
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Removed some older function prototypes for functions that no longer exist.
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Introduces a new attribute type NLA_NUL_STRING to support NUL
terminated strings. Attributes of this kind require to carry
a terminating NUL within the maximum specified in the policy.The `old' NLA_STRING which is not required to be NUL terminated
is extended to provide means to specify a maximum length of the
string.Aims at easing the pain with using nla_strlcpy() on temporary
buffers.Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
This also kills a warning while building ipv6:
net/ipv6/udp.c: In function ‘udp_v6_get_port’:
net/ipv6/udp.c:66: warning: passing argument 3 of ‘udp_get_port’ from incompatible pointer typeSigned-off-by: David S. Miller
-
This patch creates one common function which is called by
udp_v4_get_port() and udp_v6_get_port(). As a result,
* duplicated code is removed
* udp_port_rover and local port lookup can now be removed from udp.h
* further savings follow since the same function will be used by UDP-Litev4
and UDP-Litev6In contrast to the patch sent in response to Yoshifujis comments
(fixed by this variant), the code below also removes the
EXPORT_SYMBOL(udp_port_rover), since udp_port_rover can now remain
local to net/ipv4/udp.c.Signed-off-by: Gerrit Renker
Signed-off-by: David S. Miller -
This patch removes the 'value' argument from NLA_PUT_FLAG which is
unused anyway. The documentation comment was already correct so it
doesn't need an update :)Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller -
Based on patch by Jean Lorchat .
Signed-off-by: YOSHIFUJI Hideaki
-
First of all, if the xfrm_state only gets used for input
packets this entropy is a complete waste.Secondly, it is often the case that a configuration loads
many rules (perhaps even dynamically) and they don't all
necessarily ever get used.This get_random_bytes() call was showing up in the profiles
for xfrm_state inserts which is how I noticed this.Signed-off-by: David S. Miller
-
This idea is from Alexey Kuznetsov.
It is common for policies to be non-prefixed. And for
that case we can optimize lookups, insert, etc. quite
a bit.For each direction, we have a dynamically sized policy
hash table for non-prefixed policies. We also have a
hash table on policy->index.For prefixed policies, we have a list per-direction which
we will consult on lookups when a non-prefix hashtable
lookup fails.This still isn't as efficient as I would like it. There
are four immediate problems:1) Lots of excessive refcounting, which can be fixed just
like xfrm_state was
2) We do 2 hash probes on insert, one to look for dups and
one to allocate a unique policy->index. Althought I wonder
how much this matters since xfrm_state inserts do up to
3 hash probes and that seems to perform fine.
3) xfrm_policy_insert() is very complex because of the priority
ordering and entry replacement logic.
4) Lots of counter bumping, in addition to policy refcounts,
in the form of xfrm_policy_count[]. This is merely used
to let code path(s) know that some IPSEC rules exist. So
this count is indexed per-direction, maybe that is overkill.Signed-off-by: David S. Miller
-
Just let GC and other normal mechanisms take care of getting
rid of DST cache references to deleted xfrm_state objects
instead of walking all the policy bundles.Signed-off-by: David S. Miller
-
Instead, simply set all potentially aliasing existing xfrm_state
objects to have the current generation counter value.This will make routes get relooked up the next time an existing
route mentioning these aliased xfrm_state objects gets used,
via xfrm_dst_check().Signed-off-by: David S. Miller
-
Each xfrm_state inserted gets a new generation counter
value. When a bundle is created, the xfrm_dst objects
get the current generation counter of the xfrm_state
they will attach to at dst->xfrm.xfrm_bundle_ok() will return false if it sees an
xfrm_dst with a generation count different from the
generation count of the xfrm_state that dst points to.This provides a facility by which to passively and
cheaply invalidate cached IPSEC routes during SA
database changes.Signed-off-by: David S. Miller
-
Signed-off-by: David S. Miller
-
Signed-off-by: David S. Miller
-
Signed-off-by: David S. Miller
-
Sub policy can be used through netlink socket.
PF_KEY uses main only and it is TODO to support sub.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Under two transformation policies it is required to merge them.
This is a platform to sort state for outbound and templates
for inbound respectively.
It will be used when Mobile IPv6 and IPsec are used at the same time.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Sub policy is introduced. Main and sub policy are applied the same flow.
(Policy that current kernel uses is named as main.)
It is required another transformation policy management to keep IPsec
and Mobile IPv6 lives separate.
Policy which lives shorter time in kernel should be a sub i.e. normally
main is for IPsec and sub is for Mobile IPv6.
(Such usage as two IPsec policies on different database can be used, too.)Limitation or TODOs:
- Sub policy is not supported for per socket one (it is always inserted as main).
- Current kernel makes cached outbound with flowi to skip searching database.
However this patch makes it disabled only when "two policies are used and
the first matched one is bypass case" because neither flowi nor bundle
information knows about transformation template size.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki -
XFRM_MSG_REPORT is a message as notification of state protocol and
selector from kernel to user-space.Mobile IPv6 will use it when inbound reject is occurred at route
optimization to make user-space know a binding error requirement.Based on MIPL2 kernel patch.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
For Mobile IPv6 usage, it is required to trace which secpath state is
reject factor in order to notify it to user space (to know the address
which cannot be used route optimized communication).Based on MIPL2 kernel patch.
This patch was also written by: Henrik Petander
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Transformation support mobility header.
Based on MIPL2 kernel patch.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Like ICMPv6, mobility header is handled through raw socket.
In inbound case, check only whether ICMPv6 error should be sent as a reply
or not by kernel.
Based on MIPL2 kernel patch.This patch was also written by: Ville Nuorvala
This patch was also written by: Antti TuominenSigned-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Add Mobility header definition for Mobile IPv6.
Based on MIPL2 kernel patch.This patch was also written by: Antti Tuominen
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
