1. 30 1月, 2013 1 次提交
  2. 11 1月, 2013 2 次提交
  3. 20 12月, 2012 1 次提交
  4. 05 12月, 2012 2 次提交
  5. 04 12月, 2012 1 次提交
  6. 02 12月, 2012 1 次提交
  7. 19 11月, 2012 5 次提交
    • E
      net: Enable a userns root rtnl calls that are safe for unprivilged users · b51642f6
      Eric W. Biederman 提交于
      - Only allow moving network devices to network namespaces you have
        CAP_NET_ADMIN privileges over.
      
      - Enable creating/deleting/modifying interfaces
      - Enable adding/deleting addresses
      - Enable adding/setting/deleting neighbour entries
      - Enable adding/removing routes
      - Enable adding/removing fib rules
      - Enable setting the forwarding state
      - Enable adding/removing ipv6 address labels
      - Enable setting bridge parameter
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b51642f6
    • E
      net: Enable some sysctls that are safe for the userns root · c027aab4
      Eric W. Biederman 提交于
      - Enable the per device ipv4 sysctls:
         net/ipv4/conf/<if>/forwarding
         net/ipv4/conf/<if>/mc_forwarding
         net/ipv4/conf/<if>/accept_redirects
         net/ipv4/conf/<if>/secure_redirects
         net/ipv4/conf/<if>/shared_media
         net/ipv4/conf/<if>/rp_filter
         net/ipv4/conf/<if>/send_redirects
         net/ipv4/conf/<if>/accept_source_route
         net/ipv4/conf/<if>/accept_local
         net/ipv4/conf/<if>/src_valid_mark
         net/ipv4/conf/<if>/proxy_arp
         net/ipv4/conf/<if>/medium_id
         net/ipv4/conf/<if>/bootp_relay
         net/ipv4/conf/<if>/log_martians
         net/ipv4/conf/<if>/tag
         net/ipv4/conf/<if>/arp_filter
         net/ipv4/conf/<if>/arp_announce
         net/ipv4/conf/<if>/arp_ignore
         net/ipv4/conf/<if>/arp_accept
         net/ipv4/conf/<if>/arp_notify
         net/ipv4/conf/<if>/proxy_arp_pvlan
         net/ipv4/conf/<if>/disable_xfrm
         net/ipv4/conf/<if>/disable_policy
         net/ipv4/conf/<if>/force_igmp_version
         net/ipv4/conf/<if>/promote_secondaries
         net/ipv4/conf/<if>/route_localnet
      
      - Enable the global ipv4 sysctl:
         net/ipv4/ip_forward
      
      - Enable the per device ipv6 sysctls:
         net/ipv6/conf/<if>/forwarding
         net/ipv6/conf/<if>/hop_limit
         net/ipv6/conf/<if>/mtu
         net/ipv6/conf/<if>/accept_ra
         net/ipv6/conf/<if>/accept_redirects
         net/ipv6/conf/<if>/autoconf
         net/ipv6/conf/<if>/dad_transmits
         net/ipv6/conf/<if>/router_solicitations
         net/ipv6/conf/<if>/router_solicitation_interval
         net/ipv6/conf/<if>/router_solicitation_delay
         net/ipv6/conf/<if>/force_mld_version
         net/ipv6/conf/<if>/use_tempaddr
         net/ipv6/conf/<if>/temp_valid_lft
         net/ipv6/conf/<if>/temp_prefered_lft
         net/ipv6/conf/<if>/regen_max_retry
         net/ipv6/conf/<if>/max_desync_factor
         net/ipv6/conf/<if>/max_addresses
         net/ipv6/conf/<if>/accept_ra_defrtr
         net/ipv6/conf/<if>/accept_ra_pinfo
         net/ipv6/conf/<if>/accept_ra_rtr_pref
         net/ipv6/conf/<if>/router_probe_interval
         net/ipv6/conf/<if>/accept_ra_rt_info_max_plen
         net/ipv6/conf/<if>/proxy_ndp
         net/ipv6/conf/<if>/accept_source_route
         net/ipv6/conf/<if>/optimistic_dad
         net/ipv6/conf/<if>/mc_forwarding
         net/ipv6/conf/<if>/disable_ipv6
         net/ipv6/conf/<if>/accept_dad
         net/ipv6/conf/<if>/force_tllao
      
      - Enable the global ipv6 sysctls:
         net/ipv6/bindv6only
         net/ipv6/icmp/ratelimit
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c027aab4
    • E
      net: Allow userns root to control ipv6 · af31f412
      Eric W. Biederman 提交于
      Allow an unpriviled user who has created a user namespace, and then
      created a network namespace to effectively use the new network
      namespace, by reducing capable(CAP_NET_ADMIN) and
      capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
      CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
      
      Settings that merely control a single network device are allowed.
      Either the network device is a logical network device where
      restrictions make no difference or the network device is hardware NIC
      that has been explicity moved from the initial network namespace.
      
      In general policy and network stack state changes are allowed while
      resource control is left unchanged.
      
      Allow the SIOCSIFADDR ioctl to add ipv6 addresses.
      Allow the SIOCDIFADDR ioctl to delete ipv6 addresses.
      Allow the SIOCADDRT ioctl to add ipv6 routes.
      Allow the SIOCDELRT ioctl to delete ipv6 routes.
      
      Allow creation of ipv6 raw sockets.
      
      Allow setting the IPV6_JOIN_ANYCAST socket option.
      Allow setting the IPV6_FL_A_RENEW parameter of the IPV6_FLOWLABEL_MGR
      socket option.
      
      Allow setting the IPV6_TRANSPARENT socket option.
      Allow setting the IPV6_HOPOPTS socket option.
      Allow setting the IPV6_RTHDRDSTOPTS socket option.
      Allow setting the IPV6_DSTOPTS socket option.
      Allow setting the IPV6_IPSEC_POLICY socket option.
      Allow setting the IPV6_XFRM_POLICY socket option.
      
      Allow sending packets with the IPV6_2292HOPOPTS control message.
      Allow sending packets with the IPV6_2292DSTOPTS control message.
      Allow sending packets with the IPV6_RTHDRDSTOPTS control message.
      
      Allow setting the multicast routing socket options on non multicast
      routing sockets.
      
      Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, and SIOCDELTUNNEL ioctls for
      setting up, changing and deleting tunnels over ipv6.
      
      Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, SIOCDELTUNNEL ioctls for
      setting up, changing and deleting ipv6 over ipv4 tunnels.
      
      Allow the SIOCADDPRL, SIOCDELPRL, SIOCCHGPRL ioctls for adding,
      deleting, and changing the potential router list for ISATAP tunnels.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      af31f412
    • E
      net: Push capable(CAP_NET_ADMIN) into the rtnl methods · dfc47ef8
      Eric W. Biederman 提交于
      - In rtnetlink_rcv_msg convert the capable(CAP_NET_ADMIN) check
        to ns_capable(net->user-ns, CAP_NET_ADMIN).  Allowing unprivileged
        users to make netlink calls to modify their local network
        namespace.
      
      - In the rtnetlink doit methods add capable(CAP_NET_ADMIN) so
        that calls that are not safe for unprivileged users are still
        protected.
      
      Later patches will remove the extra capable calls from methods
      that are safe for unprivilged users.
      Acked-by: NSerge Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dfc47ef8
    • E
      net: Don't export sysctls to unprivileged users · 464dc801
      Eric W. Biederman 提交于
      In preparation for supporting the creation of network namespaces
      by unprivileged users, modify all of the per net sysctl exports
      and refuse to allow them to unprivileged users.
      
      This makes it safe for unprivileged users in general to access
      per net sysctls, and allows sysctls to be exported to unprivileged
      users on an individual basis as they are deemed safe.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      464dc801
  8. 14 11月, 2012 1 次提交
  9. 04 11月, 2012 2 次提交
  10. 02 11月, 2012 1 次提交
  11. 29 10月, 2012 2 次提交
  12. 17 10月, 2012 1 次提交
  13. 03 10月, 2012 1 次提交
    • N
      ipv6: don't add link local route when there is no link local address · 62b54dd9
      Nicolas Dichtel 提交于
      When an address is added on loopback (ip -6 a a 2002::1/128 dev lo), a route
      to fe80::/64 is added in the main table:
        unreachable fe80::/64 dev lo  proto kernel  metric 256  error -101
      
      This route does not match any prefix (no fe80:: address on lo). In fact,
      addrconf_dev_config() will not add link local address because this function
      filters interfaces by type. If the link local address is added manually, the
      route to the link local prefix will be automatically added by
      addrconf_add_linklocal().
      Note also, that this route is not deleted when the address is removed.
      
      After looking at the code, it seems that addrconf_add_lroute() is redundant with
      addrconf_add_linklocal(), because this function will add the link local route
      when the link local address is configured.
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      62b54dd9
  14. 02 10月, 2012 1 次提交
    • N
      ipv6: del unreachable route when an addr is deleted on lo · 64c6d08e
      Nicolas Dichtel 提交于
      When an address is added on loopback (ip -6 a a 2002::1/128 dev lo), two routes
      are added:
       - one in the local table:
          local 2002::1 via :: dev lo  proto none  metric 0
       - one the in main table (for the prefix):
          unreachable 2002::1 dev lo  proto kernel  metric 256  error -101
      
      When the address is deleted, the route inserted in the main table remains
      because we use rt6_lookup(), which returns NULL when dst->error is set, which
      is the case here! Thus, it is better to use ip6_route_lookup() to avoid this
      kind of filter.
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      64c6d08e
  15. 14 9月, 2012 2 次提交
  16. 11 9月, 2012 1 次提交
  17. 01 9月, 2012 1 次提交
  18. 30 8月, 2012 1 次提交
  19. 24 8月, 2012 1 次提交
  20. 23 8月, 2012 1 次提交
    • E
      net: remove delay at device dismantle · 0115e8e3
      Eric Dumazet 提交于
      I noticed extra one second delay in device dismantle, tracked down to
      a call to dst_dev_event() while some call_rcu() are still in RCU queues.
      
      These call_rcu() were posted by rt_free(struct rtable *rt) calls.
      
      We then wait a little (but one second) in netdev_wait_allrefs() before
      kicking again NETDEV_UNREGISTER.
      
      As the call_rcu() are now completed, dst_dev_event() can do the needed
      device swap on busy dst.
      
      To solve this problem, add a new NETDEV_UNREGISTER_FINAL, called
      after a rcu_barrier(), but outside of RTNL lock.
      
      Use NETDEV_UNREGISTER_FINAL with care !
      
      Change dst_dev_event() handler to react to NETDEV_UNREGISTER_FINAL
      
      Also remove NETDEV_UNREGISTER_BATCH, as its not used anymore after
      IP cache removal.
      
      With help from Gao feng
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Tom Herbert <therbert@google.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Gao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      0115e8e3
  21. 15 8月, 2012 1 次提交
    • B
      ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock · 4acd4945
      Ben Hutchings 提交于
      Cong Wang reports that lockdep detected suspicious RCU usage while
      enabling IPV6 forwarding:
      
       [ 1123.310275] ===============================
       [ 1123.442202] [ INFO: suspicious RCU usage. ]
       [ 1123.558207] 3.6.0-rc1+ #109 Not tainted
       [ 1123.665204] -------------------------------
       [ 1123.768254] include/linux/rcupdate.h:430 Illegal context switch in RCU read-side critical section!
       [ 1123.992320]
       [ 1123.992320] other info that might help us debug this:
       [ 1123.992320]
       [ 1124.307382]
       [ 1124.307382] rcu_scheduler_active = 1, debug_locks = 0
       [ 1124.522220] 2 locks held by sysctl/5710:
       [ 1124.648364]  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81768498>] rtnl_trylock+0x15/0x17
       [ 1124.882211]  #1:  (rcu_read_lock){.+.+.+}, at: [<ffffffff81871df8>] rcu_lock_acquire+0x0/0x29
       [ 1125.085209]
       [ 1125.085209] stack backtrace:
       [ 1125.332213] Pid: 5710, comm: sysctl Not tainted 3.6.0-rc1+ #109
       [ 1125.441291] Call Trace:
       [ 1125.545281]  [<ffffffff8109d915>] lockdep_rcu_suspicious+0x109/0x112
       [ 1125.667212]  [<ffffffff8107c240>] rcu_preempt_sleep_check+0x45/0x47
       [ 1125.781838]  [<ffffffff8107c260>] __might_sleep+0x1e/0x19b
      [...]
       [ 1127.445223]  [<ffffffff81757ac5>] call_netdevice_notifiers+0x4a/0x4f
      [...]
       [ 1127.772188]  [<ffffffff8175e125>] dev_disable_lro+0x32/0x6b
       [ 1127.885174]  [<ffffffff81872d26>] dev_forward_change+0x30/0xcb
       [ 1128.013214]  [<ffffffff818738c4>] addrconf_forward_change+0x85/0xc5
      [...]
      
      addrconf_forward_change() uses RCU iteration over the netdev list,
      which is unnecessary since it already holds the RTNL lock.  We also
      cannot reasonably require netdevice notifier functions not to sleep.
      Reported-by: NCong Wang <amwang@redhat.com>
      Signed-off-by: NBen Hutchings <bhutchings@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4acd4945
  22. 19 7月, 2012 1 次提交
    • E
      ipv6: add ipv6_addr_hash() helper · ddbe5032
      Eric Dumazet 提交于
      Introduce ipv6_addr_hash() helper doing a XOR on all bits
      of an IPv6 address, with an optimized x86_64 version.
      
      Use it in flow dissector, as suggested by Andrew McGregor,
      to reduce hash collision probabilities in fq_codel (and other
      users of flow dissector)
      
      Use it in ip6_tunnel.c and use more bit shuffling, as suggested
      by David Laight, as existing hash was ignoring most of them.
      
      Use it in sunrpc and use more bit shuffling, using hash_32().
      
      Use it in net/ipv6/addrconf.c, using hash_32() as well.
      
      As a cleanup, use it in net/ipv4/tcp_metrics.c
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAndrew McGregor <andrewmcgr@gmail.com>
      Cc: Dave Taht <dave.taht@gmail.com>
      Cc: Tom Herbert <therbert@google.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ddbe5032
  23. 16 5月, 2012 4 次提交
  24. 11 5月, 2012 1 次提交
    • A
      6lowpan: IPv6 link local address · 06a4c1c5
      alex.bluesman.smirnov@gmail.com 提交于
      According to the RFC4944 (Transmission of IPv6 Packets over
      IEEE 802.15.4 Networks), chapter 7:
      
      The IPv6 link-local address [RFC4291] for an IEEE 802.15.4 interface
      is formed by appending the Interface Identifier, as defined above, to
      the prefix FE80::/64.
      
        10 bits            54 bits                  64 bits
      +----------+-----------------------+----------------------------+
      |1111111010|         (zeros)       |    Interface Identifier    |
      +----------+-----------------------+----------------------------+
      
      This patch adds IPv6 address generation support for the 6lowpan
      interfaces.
      Signed-off-by: NAlexander Smirnov <alex.bluesman.smirnov@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      06a4c1c5
  25. 21 4月, 2012 1 次提交
  26. 15 4月, 2012 1 次提交
  27. 14 4月, 2012 1 次提交
    • G
      ipv6: fix problem with expired dst cache · 1716a961
      Gao feng 提交于
      If the ipv6 dst cache which copy from the dst generated by ICMPV6 RA packet.
      this dst cache will not check expire because it has no RTF_EXPIRES flag.
      So this dst cache will always be used until the dst gc run.
      
      Change the struct dst_entry,add a union contains new pointer from and expires.
      When rt6_info.rt6i_flags has no RTF_EXPIRES flag,the dst.expires has no use.
      we can use this field to point to where the dst cache copy from.
      The dst.from is only used in IPV6.
      
      rt6_check_expired check if rt6_info.dst.from is expired.
      
      ip6_rt_copy only set dst.from when the ort has flag RTF_ADDRCONF
      and RTF_DEFAULT.then hold the ort.
      
      ip6_dst_destroy release the ort.
      
      Add some functions to operate the RTF_EXPIRES flag and expires(from) together.
      and change the code to use these new adding functions.
      
      Changes from v5:
      modify ip6_route_add and ndisc_router_discovery to use new adding functions.
      
      Only set dst.from when the ort has flag RTF_ADDRCONF
      and RTF_DEFAULT.then hold the ort.
      Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1716a961
  28. 02 4月, 2012 1 次提交
    • E
      net/ipv6/addrconf.c: Checkpatch cleanups · 8e5e8f30
      Eldad Zack 提交于
      net/ipv6/addrconf.c:340: WARNING: EXPORT_SYMBOL(foo); should immediately follow its function/variable
      net/ipv6/addrconf.c:342: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:444: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:1337: WARNING: EXPORT_SYMBOL(foo); should immediately follow its function/variable
      net/ipv6/addrconf.c:1526: ERROR: "(foo*)" should be "(foo *)"
      net/ipv6/addrconf.c:1671: ERROR: open brace '{' following function declarations go on the next line
      net/ipv6/addrconf.c:1914: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:2368: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:2370: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:2416: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:2437: ERROR: "foo    * bar" should be "foo    *bar"
      net/ipv6/addrconf.c:2573: ERROR: "foo * bar" should be "foo *bar"
      net/ipv6/addrconf.c:3797: ERROR: "foo* bar" should be "foo *bar"
      Signed-off-by: NEldad Zack <eldad@fogrefinery.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8e5e8f30