1. 17 1月, 2015 2 次提交
  2. 16 1月, 2015 21 次提交
  3. 15 1月, 2015 17 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 4e7a84b1
      David S. Miller 提交于
      Pablo Neira Ayuso says:
      
      ====================
      netfilter updates for net-next
      
      The following patchset contains netfilter updates for net-next, just a
      bunch of cleanups and small enhancement to selectively flush conntracks
      in ctnetlink, more specifically the patches are:
      
      1) Rise default number of buckets in conntrack from 16384 to 65536 in
         systems with >= 4GBytes, patch from Marcelo Leitner.
      
      2) Small refactor to save one level on indentation in xt_osf, from
         Joe Perches.
      
      3) Remove unnecessary sizeof(char) in nf_log, from Fabian Frederick.
      
      4) Another small cleanup to remove redundant variable in nfnetlink,
         from Duan Jiong.
      
      5) Fix compilation warning in nfnetlink_cthelper on parisc, from
         Chen Gang.
      
      6) Fix wrong format in debugging for ctseqadj, from Gao feng.
      
      7) Selective conntrack flushing through the mark for ctnetlink, patch
         from Kristian Evensen.
      
      8) Remove nf_ct_conntrack_flush_report() exported symbol now that is
         not required anymore after the selective flushing patch, again from
         Kristian.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e7a84b1
    • D
      Merge branch 'vxlan_group_policy_extension' · 2e62fa69
      David S. Miller 提交于
      Thomas Graf says:
      
      ====================
      VXLAN Group Policy Extension
      
      Implements supports for the Group Policy VXLAN extension [0] to provide
      a lightweight and simple security label mechanism across network peers
      based on VXLAN. The security context and associated metadata is mapped
      to/from skb->mark. This allows further mapping to a SELinux context
      using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
      tc, etc.
      
      The extension is disabled by default and should be run on a distinct
      port in mixed Linux VXLAN VTEP environments. Liberal VXLAN VTEPs
      which ignore unknown reserved bits will be able to receive VXLAN-GBP
      frames.
      
      Simple usage example:
      
      10.1.1.1:
         # ip link add vxlan0 type vxlan id 10 remote 10.1.1.2 gbp
         # iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
      
      10.1.1.2:
         # ip link add vxlan0 type vxlan id 10 remote 10.1.1.1 gbp
         # iptables -I INPUT -m mark --mark 0x200 -j DROP
      
      iproute2 [1] and OVS [2] support will be provided in separate patches.
      
      [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
      [1] https://github.com/tgraf/iproute2/tree/vxlan-gbp
      [2] https://github.com/tgraf/ovs/tree/vxlan-gbp
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2e62fa69
    • T
      openvswitch: Support VXLAN Group Policy extension · 1dd144cf
      Thomas Graf 提交于
      Introduces support for the group policy extension to the VXLAN virtual
      port. The extension is disabled by default and only enabled if the user
      has provided the respective configuration.
      
        ovs-vsctl add-port br0 vxlan0 -- \
           set Interface vxlan0 type=vxlan options:exts=gbp
      
      The configuration interface to enable the extension is based on a new
      attribute OVS_VXLAN_EXT_GBP nested inside OVS_TUNNEL_ATTR_EXTENSION
      which can carry additional extensions as needed in the future.
      
      The group policy metadata is stored as binary blob (struct ovs_vxlan_opts)
      internally just like Geneve options but transported as nested Netlink
      attributes to user space.
      
      Renames the existing TUNNEL_OPTIONS_PRESENT to TUNNEL_GENEVE_OPT with the
      binary value kept intact, a new flag TUNNEL_VXLAN_OPT is introduced.
      
      The attributes OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and existing
      OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS are implemented mutually exclusive.
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1dd144cf
    • T
      openvswitch: Allow for any level of nesting in flow attributes · 81bfe3c3
      Thomas Graf 提交于
      nlattr_set() is currently hardcoded to two levels of nesting. This change
      introduces struct ovs_len_tbl to define minimal length requirements plus
      next level nesting tables to traverse the key attributes to arbitrary depth.
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      81bfe3c3
    • T
      openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS() · d91641d9
      Thomas Graf 提交于
      Also factors out Geneve validation code into a new separate function
      validate_and_copy_geneve_opts().
      
      A subsequent patch will introduce VXLAN options. Rename the existing
      GENEVE_TUN_OPTS() to reflect its extended purpose of carrying generic
      tunnel metadata options.
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d91641d9
    • T
      vxlan: Only bind to sockets with compatible flags enabled · ac5132d1
      Thomas Graf 提交于
      A VXLAN net_device looking for an appropriate socket may only consider
      a socket which has a matching set of flags/extensions enabled. If
      incompatible flags are enabled, return a conflict to have the caller
      create a distinct socket with distinct port.
      
      The OVS VXLAN port is kept unaware of extensions at this point.
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ac5132d1
    • T
      vxlan: Group Policy extension · 3511494c
      Thomas Graf 提交于
      Implements supports for the Group Policy VXLAN extension [0] to provide
      a lightweight and simple security label mechanism across network peers
      based on VXLAN. The security context and associated metadata is mapped
      to/from skb->mark. This allows further mapping to a SELinux context
      using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
      tc, etc.
      
      The group membership is defined by the lower 16 bits of skb->mark, the
      upper 16 bits are used for flags.
      
      SELinux allows to manage label to secure local resources. However,
      distributed applications require ACLs to implemented across hosts. This
      is typically achieved by matching on L2-L4 fields to identify the
      original sending host and process on the receiver. On top of that,
      netlabel and specifically CIPSO [1] allow to map security contexts to
      universal labels.  However, netlabel and CIPSO are relatively complex.
      This patch provides a lightweight alternative for overlay network
      environments with a trusted underlay. No additional control protocol
      is required.
      
                 Host 1:                       Host 2:
      
            Group A        Group B        Group B     Group A
            +-----+   +-------------+    +-------+   +-----+
            | lxc |   | SELinux CTX |    | httpd |   | VM  |
            +--+--+   +--+----------+    +---+---+   +--+--+
      	  \---+---/                     \----+---/
      	      |                              |
      	  +---+---+                      +---+---+
      	  | vxlan |                      | vxlan |
      	  +---+---+                      +---+---+
      	      +------------------------------+
      
      Backwards compatibility:
      A VXLAN-GBP socket can receive standard VXLAN frames and will assign
      the default group 0x0000 to such frames. A Linux VXLAN socket will
      drop VXLAN-GBP  frames. The extension is therefore disabled by default
      and needs to be specifically enabled:
      
         ip link add [...] type vxlan [...] gbp
      
      In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
      must run on a separate port number.
      
      Examples:
       iptables:
        host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
        host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
      
       OVS:
        # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
        # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
      
      [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
      [1] http://lwn.net/Articles/204905/Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3511494c
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 3f3558bb
      David S. Miller 提交于
      Conflicts:
      	drivers/net/xen-netfront.c
      
      Minor overlapping changes in xen-netfront.c, mostly to do
      with some buffer management changes alongside the split
      of stats into TX and RX.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3f3558bb
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · a6391a92
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Don't use uninitialized data in IPVS, from Dan Carpenter.
      
       2) conntrack race fixes from Pablo Neira Ayuso.
      
       3) Fix TX hangs with i40e, from Jesse Brandeburg.
      
       4) Fix budget return from poll calls in dnet and alx, from Eric
          Dumazet.
      
       5) Fix bugus "if (unlikely(x) < 0)" test in AF_PACKET, from Christoph
          Jaeger.
      
       6) Fix bug introduced by conversion to list_head in TIPC retransmit
          code, from Jon Paul Maloy.
      
       7) Don't use GFP_NOIO under spinlock in USB kaweth driver, from Alexey
          Khoroshilov.
      
       8) Fix bridge build with INET disabled, from Arnd Bergmann.
      
       9) Fix netlink array overrun for PROBE attributes in openvswitch, from
          Thomas Graf.
      
      10) Don't hold spinlock across synchronize_irq() in tg3 driver, from
          Prashant Sreedharan.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
        tg3: Release tp->lock before invoking synchronize_irq()
        tg3: tg3_reset_task() needs to use rtnl_lock to synchronize
        tg3: tg3_timer() should grab tp->lock before checking for tp->irq_sync
        team: avoid possible underflow of count_pending value for notify_peers and mcast_rejoin
        openvswitch: packet messages need their own probe attribtue
        i40e: adds FCoE configure option
        cxgb4vf: Fix queue allocation for 40G adapter
        netdevice: Add missing parentheses in macro
        bridge: only provide proxy ARP when CONFIG_INET is enabled
        neighbour: fix base_reachable_time(_ms) not effective immediatly when changed
        net: fec: fix MDIO bus assignement for dual fec SoC's
        xen-netfront: use different locks for Rx and Tx stats
        drivers: net: cpsw: fix multicast flush in dual emac mode
        cxgb4vf: Initialize mdio_addr before using it
        net: Corrected the comment describing the ndo operations to reflect the actual prototype for couple of operations
        usb/kaweth: use GFP_ATOMIC under spin_lock in usb_start_wait_urb()
        MAINTAINERS: add me as ibmveth maintainer
        tipc: fix bug in broadcast retransmit code
        update ip-sysctl.txt documentation (v2)
        net/at91_ether: prepare and unprepare clock
        ...
      a6391a92
    • D
      Merge branch 'tg3-net' · c637dbce
      David S. Miller 提交于
      Prashant Sreedharan says:
      
      ====================
      tg3: synchronize_irq() should be called without taking locks
      
      v2: Added Reported-by, Tested-by fields and reference to the thread that
          reported the problem
      
      This series addresses the problem reported by Peter Hurley in mail thread
      https://lkml.org/lkml/2015/1/12/1082
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c637dbce
    • P
      tg3: Release tp->lock before invoking synchronize_irq() · 932f19de
      Prashant Sreedharan 提交于
      synchronize_irq() can sleep waiting, for pending IRQ handlers so driver
      should release the tp->lock spin lock before invoking synchronize_irq()
      Reported-by: NPeter Hurley <peter@hurleysoftware.com>
      Tested-by: NPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: NPrashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      932f19de
    • P
      tg3: tg3_reset_task() needs to use rtnl_lock to synchronize · db84bf43
      Prashant Sreedharan 提交于
      Currently tg3_reset_task() uses only tp->lock for synchronizing with code
      paths like tg3_open() etc. But since tp->lock is released before doing
      synchronize_irq(), rtnl_lock should be taken in tg3_reset_task() to
      synchronize it with other code paths.
      Reported-by: NPeter Hurley <peter@hurleysoftware.com>
      Tested-by: NPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: NPrashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      db84bf43
    • P
      tg3: tg3_timer() should grab tp->lock before checking for tp->irq_sync · 4fd190a9
      Prashant Sreedharan 提交于
      This is to avoid the race between tg3_timer() and the execution paths
      which does not invoke tg3_timer_stop() and releases tp->lock before
      calling synchronize_irq()
      Reported-by: NPeter Hurley <peter@hurleysoftware.com>
      Tested-by: NPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: NPrashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: NMichael Chan <mchan@broadcom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4fd190a9
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 48c53db2
      Linus Torvalds 提交于
      Pull kvm fixes from Paolo Bonzini:
       "Two bugfixes for arm64.  I will have another pull request next week,
        but otherwise things are calm"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        arm64: KVM: Fix HCR setting for 32bit guests
        arm64: KVM: Fix TLB invalidation by IPA/VMID
      48c53db2
    • J
      team: avoid possible underflow of count_pending value for notify_peers and mcast_rejoin · b0d11b42
      Jiri Pirko 提交于
      This patch is fixing a race condition that may cause setting
      count_pending to -1, which results in unwanted big bulk of arp messages
      (in case of "notify peers").
      
      Consider following scenario:
      
      count_pending == 2
         CPU0                                           CPU1
      					team_notify_peers_work
      					  atomic_dec_and_test (dec count_pending to 1)
      					  schedule_delayed_work
       team_notify_peers
         atomic_add (adding 1 to count_pending)
      					team_notify_peers_work
      					  atomic_dec_and_test (dec count_pending to 1)
      					  schedule_delayed_work
      					team_notify_peers_work
      					  atomic_dec_and_test (dec count_pending to 0)
         schedule_delayed_work
      					team_notify_peers_work
      					  atomic_dec_and_test (dec count_pending to -1)
      
      Fix this race by using atomic_dec_if_positive - that will prevent
      count_pending running under 0.
      
      Fixes: fc423ff0 ("team: add peer notification")
      Fixes: 492b200e  ("team: add support for sending multicast rejoins")
      Signed-off-by: NJiri Pirko <jiri@resnulli.us>
      Signed-off-by: NJiri Benc <jbenc@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b0d11b42
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 6fb400d3
      Linus Torvalds 提交于
      Pull s390 fixes from Martin Schwidefsky:
       "Two small performance tweaks, the plumbing for the execveat system
        call and a couple of bug fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/uprobes: fix user space PER events
        s390/bpf: Fix JMP_JGE_X (A > X) and JMP_JGT_X (A >= X)
        s390/bpf: Fix ALU_NEG (A = -A)
        s390/mm: avoid using pmd_to_page for !USE_SPLIT_PMD_PTLOCKS
        s390/timex: fix get_tod_clock_ext() inline assembly
        s390: wire up execveat syscall
        s390/kernel: use stnsm 255 instead of stosm 0
        s390/vtime: Get rid of redundant WARN_ON
        s390/zcrypt: kernel oops at insmod of the z90crypt device driver
      6fb400d3
    • T
      openvswitch: packet messages need their own probe attribtue · 1ba39804
      Thomas Graf 提交于
      User space is currently sending a OVS_FLOW_ATTR_PROBE for both flow
      and packet messages. This leads to an out-of-bounds access in
      ovs_packet_cmd_execute() because OVS_FLOW_ATTR_PROBE >
      OVS_PACKET_ATTR_MAX.
      
      Introduce a new OVS_PACKET_ATTR_PROBE with the same numeric value
      as OVS_FLOW_ATTR_PROBE to grow the range of accepted packet attributes
      while maintaining to be binary compatible with existing OVS binaries.
      
      Fixes: 05da5898 ("openvswitch: Add support for OVS_FLOW_ATTR_PROBE.")
      Reported-by: NSander Eikelenboom <linux@eikelenboom.it>
      Tracked-down-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NThomas Graf <tgraf@suug.ch>
      Reviewed-by: NJesse Gross <jesse@nicira.com>
      Acked-by: NPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1ba39804