02 Feb, 2008
3 commits
-
Changes the ANOM_PROMISCUOUS message to include uid and gid fields,
making it consistent with other AUDIT_ANOM_ messages and in the
format the userspace is expecting.

Signed-off-by: Klaus Heinrich Kiwi
Acked-by: Eric Paris
-
In order to correlate audit records to an individual login add a session
id. This is incremented every time a user logs in and is included in
almost all messages which currently output the auid. The field is
labeled ses= or oses=.

Signed-off-by: Eric Paris
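An added example, not part of the two audit commits above or of the kernel tree: a small Python parser that groups audit records by the ses= field the session-id patch introduces, so an ANOM_PROMISCUOUS record, now carrying uid and gid, can be tied back to the login that produced it. The log lines are constructed samples in the key=value form these records use; field names other than type, auid, ses, oses, uid, gid, dev and prom are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the page): two logins, ses=7 and ses=8.
# Every line carries the auid and the per-login ses= id described above.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1201910400.101:201): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 gid=1000 ses=7 comm="sudo" exe="/usr/bin/sudo"
type=SYSCALL msg=audit(1201910400.102:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 gid=0 ses=7 comm="tcpdump" exe="/usr/sbin/tcpdump"
type=ANOM_PROMISCUOUS msg=audit(1201910400.103:203): dev=eth0 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=7
type=SYSCALL msg=audit(1201910401.200:204): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 gid=1001 ses=8 comm="ls" exe="/bin/ls"
type=ANOM_PROMISCUOUS msg=audit(1201910402.300:205): dev=eth1 prom=0 old_prom=256 auid=1000 uid=0 gid=0 ses=7
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')

def parse_record(line):
    """Split one audit line into a dict: type, ts, serial and every key=value field."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec

def correlate_by_session(text):
    """Group records by ses= (falling back to oses=), the per-login id.
    Returns {ses: {"auid": ..., "records": [...], "promisc": [(dev, uid, gid), ...]}}."""
    sessions = defaultdict(lambda: {"auid": None, "records": [], "promisc": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ses = rec.get("ses") or rec.get("oses")
        if ses is None:
            continue  # record is not tied to any login session
        s = sessions[ses]
        s["auid"] = s["auid"] or rec.get("auid")
        s["records"].append(rec)
        # With uid/gid now in the record we can see which effective user
        # switched the interface into promiscuous mode (prom != 0).
        if rec["type"] == "ANOM_PROMISCUOUS" and rec.get("prom") != "0":
            s["promisc"].append((rec["dev"], rec["uid"], rec["gid"]))
    return dict(sessions)
```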
-
all callers pass something->audit_context
Signed-off-by: Al Viro
01 Feb, 2008
37 commits
-
The namespace is not available in the fib_sync_down_addr, add it as a
parameter.

Looking up a device by the pointer to it is OK. Looking up using a
result from fib_trie/fib_hash table lookup is also safe. No need to
fix that at all. So, just fix lookup by address and insertion to the
hash table path.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
This is required to make fib_info lookups namespace aware. In the
other case initial namespace devices are marked as dead in the local
routing table during other namespace stop.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
fib_sync_down can be called with an address and with a device. In
reality it is called either with address OR with a device. The
codepath inside is completely different, so let's separate it into two
calls for these two cases.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
The namespace is available when required except rtm_to_ifaddr. Add
namespace argument to it.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
Remove error code assignment inside brackets on failure. The code
looks better if the error is assigned before condition check. Also,
the compiler treats this better.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
net->ipv4.fib_table_hash is not freed when fib4_rules_init failed.

Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
-
The hashlimit_ipv6_mask() is called from under IP6_NF_IPTABLES config
option, but is not under it by itself.

gcc warns us about it :) :

net/netfilter/xt_hashlimit.c:473: warning: "hashlimit_ipv6_mask" defined but not used

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...

Some examples:

- Classic SFQ hash:

  tc filter add ... flow hash \
    keys src,dst,proto,proto-src,proto-dst divisor 1024

- Classic SFQ hash, but using information from conntrack to work properly in
  combination with NAT:

  tc filter add ... flow hash \
    keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024

- Map destination IPs of 192.168.0.0/24 to classids 1-257:

  tc filter add ... flow map \
    key dst addend -192.168.0.0 divisor 256

- alternatively:

  tc filter add ... flow map \
    key dst and 0xff

- similar, but reverse ordered:

  tc filter add ... flow map \
    key dst and 0xff xor 0xff

Perturbation is currently not supported because we can't reliably kill the
timer on destruction.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add support for dumping statistics and make internal queues visible as
classes.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Add support for external classifiers to allow using different flow
hash functions similar to ESFQ. When no classifier is attached the
built-in hash is used as before.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Jens Axboe noticed that we were queueing &conn->work on both btaddconn
and keventd_wq.

Signed-off-by: Dave Young
Signed-off-by: David S. Miller
-
This patch removes the no longer used
EXPORT_SYMBOL(sysctl_tcp_tso_win_divisor).

Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
-
struct ipv4_devconf can now become static.

Signed-off-by: Adrian Bunk
Acked-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
sysctl_tr_rif_timeout can now become static.

Signed-off-by: Adrian Bunk
Acked-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
o Outbound sequence number overflow error status
  is counted as XfrmOutStateSeqError.
o Additionally, it changes inbound sequence number replay
  error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError
  to apply name scheme above.
o Inbound IPv4 UDP encapsulation type mismatch error is wrongly
  mapped to XfrmInStateInvalid then this patch fixes the error
  to XfrmInStateMismatch.

Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller
-
This patch removes the following no longer used EXPORT_SYMBOL's:
- xfrm_input.c: xfrm_parse_spi
- xfrm_state.c: xfrm_replay_check
- xfrm_state.c: xfrm_replay_advance

Signed-off-by: Adrian Bunk
Signed-off-by: David S. Miller
-
Signed-off-by: Roel Kluin
Signed-off-by: David S. Miller
-
Current ip route cache implementation is not suited to large caches.
We can consume a lot of CPU when cache must be invalidated, since we
currently need to evict all cache entries, and this eviction is
sometimes asynchronous. min_delay & max_delay can somewhat control this
asynchronism behavior, but whole thing is a kludge, regularly triggering
infamous soft lockup messages. When entries are still in use, this also
consumes a lot of ram, filling dst_garbage.list.

A better scheme is to use a generation identifier on each entry,
so that cache invalidation can be performed by changing the table
identifier, without having to scan all entries.
No more delayed flushing, no more stalling when secret_interval expires.

Invalidated entries will then be freed at GC time (controlled by
ip_rt_gc_timeout or stress), or when an invalidated entry is found
in a chain when an insert is done.
Thus we keep a normal equilibrium.

This patch :
- renames rt_hash_rnd to rt_genid (and makes it an atomic_t)
- Adds a new rt_genid field to 'struct rtable' (filling a hole on 64bit)
- Checks entry->rt_genid at appropriate places :
-
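An added toy model in Python, not the kernel code of the route cache commit above, of the generation-identifier scheme it describes: invalidation bumps the table genid instead of scanning every entry, lookups skip entries from an older generation, and stale entries are freed either by a periodic GC pass or when an insert walks a chain that contains one. The class and method names are the example's own.

```python
class GenIdRouteCache:
    """Hash chains of route entries; each entry records the generation it
    was created in. Invalidation changes the table genid only (O(1))."""

    def __init__(self, buckets=16):
        self.genid = 0                      # plays the role of rt_genid
        self.chains = [[] for _ in range(buckets)]

    def _chain(self, key):
        return self.chains[hash(key) % len(self.chains)]

    def invalidate(self):
        """Flush the whole cache without touching a single entry."""
        self.genid += 1

    def insert(self, key, nexthop):
        chain = self._chain(key)
        # As in the patch: invalidated entries met while walking this chain
        # are freed right away, as is any older entry for the same key.
        chain[:] = [e for e in chain
                    if e["genid"] == self.genid and e["key"] != key]
        chain.append({"key": key, "nexthop": nexthop, "genid": self.genid})

    def lookup(self, key):
        for e in self._chain(key):
            if e["key"] == key and e["genid"] == self.genid:
                return e["nexthop"]
        return None                         # miss, or entry from an old generation

    def gc(self):
        """Periodic GC (ip_rt_gc_timeout in the commit): free every entry whose
        generation is stale. Returns the number of entries freed."""
        freed = 0
        for chain in self.chains:
            keep = [e for e in chain if e["genid"] == self.genid]
            freed += len(chain) - len(keep)
            chain[:] = keep
        return freed

    def size(self):
        """Entries still resident, stale ones included."""
        return sum(len(c) for c in self.chains)
```
-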
when using pktgen to send delay packets the module prints repeatedly
to the kernel log:

sleeping for X
sleeping for X
...

This is probably just a debugging item left in and should not be
enabled for regular use of the module.

Signed-off-by: Jesse Brandeburg
Signed-off-by: David S. Miller
-
Since the old policer code is gone, TC actions are needed for policing.
The ingress qdisc can get packets directly from netif_receive_skb()
in case TC actions are enabled or through netfilter otherwise, but
since without TC actions there is no policer the only thing it actually
does is count packets.

Remove the netfilter support and always require TC actions.

Signed-off-by: Patrick McHardy
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
-
Reuse the existing logic for multicast list synchronization for the
unicast address list. The core of dev_mc_sync/unsync are split out as
__dev_addr_sync/unsync and moved from dev_mcast.c to dev.c. These are
then used to implement dev_unicast_sync/unsync as well.

I'm working on cleaning up Intel's FCoE stack, which generates new MAC
addresses from the fibre channel device id assigned by the fabric as
per the current draft specification in T11. When using such a
protocol in a VLAN environment it would be nice to not always be
forced into promiscuous mode, assuming the underlying Ethernet driver
supports multiple unicast addresses as well.

Signed-off-by: Chris Leech
Signed-off-by: Patrick McHardy
-
In strategy_allowed_congestion_control of the 2.6.24 kernel, when
sysctl_string returns 1 on success, it should call
tcp_set_allowed_congestion_control to set the allowed congestion
control. But it doesn't. The sysctl_string returns 1 on success,
otherwise returns negative, never returns 0.

This patch fixes the problem.

Signed-off-by: Shan Wei
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
Normally during a dump the key of the last dumped entry is used for
continuation, but since lock is dropped it might be lost. In that case
fallback to the old counter based N^2 behaviour. This means the dump
will end up skipping some routes which matches what FIB_HASH does.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
- Remove an unused definition (LAT_BUCKETS_MAX) in net/core/pktgen.c.
- Remove the corresponding comment.
- The LAT_BUCKETS_MAX seems to have to do with a patch from a long
  time ago which was not applied (Ben Greear), which dealt with latency
  counters.

See, for example : http://oss.sgi.com/archives/netdev/2002-09/msg00184.html

Signed-off-by: Rami Rosen
Signed-off-by: David S. Miller
-
This is needed because in ndisc.c, we have:

static void ndisc_router_discovery(struct sk_buff *skb)
{
        // ...
        if (ndopts.nd_opts_mtu) {
                // ...
                if (rt)
                        rt->u.dst.metrics[RTAX_MTU-1] = mtu;
                rt6_mtu_change(skb->dev, mtu);
                // ...
}

Since the mtu is set directly here, rt6_mtu_change_route thinks that
it is unchanged, and so it fails to update the MSS accordingly. This
patch lets rt6_mtu_change_route still update MSS if old_mtu == new_mtu.

Signed-off-by: Jim Paris
Signed-off-by: David S. Miller
-
Add the net parameter to udp_get_port family of calls and
udp_lookup one and use it to filter sockets.

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
Add a net argument to inet6_lookup and propagate it further.
Actually, this is tcp-v6 implementation of what was done for
tcp-v4 sockets in a previous patch.

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
Add a net argument to inet_lookup and propagate it further
into lookup calls. Plus tune the __inet_check_established.

The dccp and inet_diag, which use that lookup functions
pass the init_net into them.

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
This tags the inet_bind_bucket struct with net pointer,
initializes it during creation and makes a filtering
during lookup.

A better hashfn, that takes the net into account is to
be done in the future, but currently all bind buckets
with similar port will be in one hash chain.

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
These two functions are the same except for what they call
to "check_established" and "hash" for a socket.

This saves half-a-kilo for ipv4 and ipv6.

add/remove: 1/0 grow/shrink: 1/4 up/down: 582/-1128 (-546)
function                    old     new   delta
__inet_hash_connect           -     577    +577
arp_ignore                  108     113      +5
static.hint                   8       4      -4
rt_worker_func              376     372      -4
inet6_hash_connect          584      25    -559
inet_hash_connect           586      25    -561

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
We have INET_MATCH, INET_TW_MATCH and INET6_MATCH to test sockets and
twbuckets for matching, but ipv6 twbuckets are tested manually.

Here's the INET6_TW_MATCH to help with it.

Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
-
CHECK net/netfilter/xt_iprange.c
net/netfilter/xt_iprange.c:104:19: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:37: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:19: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:37: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:19: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:37: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:19: warning: restricted degrades to integer
net/netfilter/xt_iprange.c:104:37: warning: restricted degrades to integer

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Reported by Ingo Molnar:

net/built-in.o: In function `ip_queue_init':
ip_queue.c:(.init.text+0x322c): undefined reference to `net_ipv4_ctl_path'

Fix the build error and also handle CONFIG_PROC_FS=n properly.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller