1. 29 11月, 2012 1 次提交
    • N
      ip6tnl/sit: drop packet if ECN present with not-ECT · f4e0b4c5
      Nicolas Dichtel 提交于
      This patch reports the change made by Stephen Hemminger in ipip and gre[6] in
      commit eccc1bb8 (tunnel: drop packet if ECN present with not-ECT).
      
      Goal is to handle RFC6040, Section 4.2:
      
      Default Tunnel Egress Behaviour.
       o If the inner ECN field is Not-ECT, the decapsulator MUST NOT
            propagate any other ECN codepoint onwards.  This is because the
            inner Not-ECT marking is set by transports that rely on dropped
            packets as an indication of congestion and would not understand or
            respond to any other ECN codepoint [RFC4774].  Specifically:
      
            *  If the inner ECN field is Not-ECT and the outer ECN field is
               CE, the decapsulator MUST drop the packet.
      
            *  If the inner ECN field is Not-ECT and the outer ECN field is
               Not-ECT, ECT(0), or ECT(1), the decapsulator MUST forward the
               outgoing packet with the ECN field cleared to Not-ECT.
      
      The patch takes benefits from common function added in net/inet_ecn.h.
      
      Like it was done for Xin4 tunnels, it adds logging to allow detecting broken
      systems that set ECN bits incorrectly when tunneling (or an intermediate
      router might be changing the header). Errors are also tracked via
      rx_frame_error.
      
      CC: Stephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f4e0b4c5
  2. 19 11月, 2012 1 次提交
    • E
      net: Allow userns root to control ipv6 · af31f412
      Eric W. Biederman 提交于
      Allow an unpriviled user who has created a user namespace, and then
      created a network namespace to effectively use the new network
      namespace, by reducing capable(CAP_NET_ADMIN) and
      capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
      CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
      
      Settings that merely control a single network device are allowed.
      Either the network device is a logical network device where
      restrictions make no difference or the network device is hardware NIC
      that has been explicity moved from the initial network namespace.
      
      In general policy and network stack state changes are allowed while
      resource control is left unchanged.
      
      Allow the SIOCSIFADDR ioctl to add ipv6 addresses.
      Allow the SIOCDIFADDR ioctl to delete ipv6 addresses.
      Allow the SIOCADDRT ioctl to add ipv6 routes.
      Allow the SIOCDELRT ioctl to delete ipv6 routes.
      
      Allow creation of ipv6 raw sockets.
      
      Allow setting the IPV6_JOIN_ANYCAST socket option.
      Allow setting the IPV6_FL_A_RENEW parameter of the IPV6_FLOWLABEL_MGR
      socket option.
      
      Allow setting the IPV6_TRANSPARENT socket option.
      Allow setting the IPV6_HOPOPTS socket option.
      Allow setting the IPV6_RTHDRDSTOPTS socket option.
      Allow setting the IPV6_DSTOPTS socket option.
      Allow setting the IPV6_IPSEC_POLICY socket option.
      Allow setting the IPV6_XFRM_POLICY socket option.
      
      Allow sending packets with the IPV6_2292HOPOPTS control message.
      Allow sending packets with the IPV6_2292DSTOPTS control message.
      Allow sending packets with the IPV6_RTHDRDSTOPTS control message.
      
      Allow setting the multicast routing socket options on non multicast
      routing sockets.
      
      Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, and SIOCDELTUNNEL ioctls for
      setting up, changing and deleting tunnels over ipv6.
      
      Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, SIOCDELTUNNEL ioctls for
      setting up, changing and deleting ipv6 over ipv4 tunnels.
      
      Allow the SIOCADDPRL, SIOCDELPRL, SIOCCHGPRL ioctls for adding,
      deleting, and changing the potential router list for ISATAP tunnels.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      af31f412
  3. 16 11月, 2012 1 次提交
  4. 15 11月, 2012 4 次提交
  5. 10 11月, 2012 1 次提交
  6. 04 11月, 2012 1 次提交
  7. 20 8月, 2012 1 次提交
  8. 15 8月, 2012 1 次提交
  9. 19 7月, 2012 1 次提交
    • E
      ipv6: add ipv6_addr_hash() helper · ddbe5032
      Eric Dumazet 提交于
      Introduce ipv6_addr_hash() helper doing a XOR on all bits
      of an IPv6 address, with an optimized x86_64 version.
      
      Use it in flow dissector, as suggested by Andrew McGregor,
      to reduce hash collision probabilities in fq_codel (and other
      users of flow dissector)
      
      Use it in ip6_tunnel.c and use more bit shuffling, as suggested
      by David Laight, as existing hash was ignoring most of them.
      
      Use it in sunrpc and use more bit shuffling, using hash_32().
      
      Use it in net/ipv6/addrconf.c, using hash_32() as well.
      
      As a cleanup, use it in net/ipv4/tcp_metrics.c
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: NAndrew McGregor <andrewmcgr@gmail.com>
      Cc: Dave Taht <dave.taht@gmail.com>
      Cc: Tom Herbert <therbert@google.com>
      Cc: David Laight <David.Laight@ACULAB.COM>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ddbe5032
  10. 17 7月, 2012 1 次提交
    • D
      net: Pass optional SKB and SK arguments to dst_ops->{update_pmtu,redirect}() · 6700c270
      David S. Miller 提交于
      This will be used so that we can compose a full flow key.
      
      Even though we have a route in this context, we need more.  In the
      future the routes will be without destination address, source address,
      etc. keying.  One ipv4 route will cover entire subnets, etc.
      
      In this environment we have to have a way to possess persistent storage
      for redirects and PMTU information.  This persistent storage will exist
      in the FIB tables, and that's why we'll need to be able to rebuild a
      full lookup flow key here.  Using that flow key will do a fib_lookup()
      and create/update the persistent entry.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6700c270
  11. 12 7月, 2012 2 次提交
  12. 11 7月, 2012 1 次提交
  13. 29 6月, 2012 1 次提交
    • V
      ipv6_tunnel: Allow receiving packets on the fallback tunnel if they pass sanity checks · d0087b29
      Ville Nuorvala 提交于
      At Facebook, we do Layer-3 DSR via IP-in-IP tunneling. Our load balancers wrap
      an extra IP header on incoming packets so they can be routed to the backend.
      In the v4 tunnel driver, when these packets fall on the default tunl0 device,
      the behavior is to decapsulate them and drop them back on the stack. So our
      setup is that tunl0 has the VIP and eth0 has (obviously) the backend's real
      address.
      
      In IPv6 we do the same thing, but the v6 tunnel driver didn't have this same
      behavior - if you didn't have an explicit tunnel setup, it would drop the
      packet.
      
      This patch brings that v4 feature to the v6 driver.
      
      The same IPv6 address checks are performed as with any normal tunnel,
      but as the fallback tunnel endpoint addresses are unspecified, the checks
      must be performed on a per-packet basis, rather than at tunnel
      configuration time.
      
      [Patch description modified by phil@ipom.com]
      Signed-off-by: NVille Nuorvala <ville.nuorvala@gmail.com>
      Tested-by: NPhil Dibowitz <phil@ipom.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d0087b29
  14. 18 5月, 2012 1 次提交
  15. 16 5月, 2012 3 次提交
  16. 20 4月, 2012 1 次提交
  17. 16 4月, 2012 1 次提交
  18. 13 1月, 2012 1 次提交
  19. 29 12月, 2011 1 次提交
  20. 23 11月, 2011 1 次提交
  21. 14 11月, 2011 1 次提交
    • J
      ip6_tunnel: copy parms.name after register_netdevice · 731abb9c
      Josh Boyer 提交于
      Commit 1c5cae81 removed an explicit call to dev_alloc_name in ip6_tnl_create
      because register_netdevice will now create a valid name.  This works for the
      net_device itself.
      
      However the tunnel keeps a copy of the name in the parms structure for the
      ip6_tnl associated with the tunnel.  parms.name is set by copying the net_device
      name in ip6_tnl_dev_init_gen.  That function is called from ip6_tnl_dev_init in
      ip6_tnl_create, but it is done before register_netdevice is called so the name
      is set to a bogus value in the parms.name structure.
      
      This shows up if you do a simple tunnel add, followed by a tunnel show:
      
      [root@localhost ~]# ip -6 tunnel add remote fec0::100 local fec0::200
      [root@localhost ~]# ip -6 tunnel show
      ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
      ip6tnl%d: ipv6/ipv6 remote fec0::100 local fec0::200 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
      [root@localhost ~]#
      
      Fix this by moving the strcpy out of ip6_tnl_dev_init_gen, and calling it after
      register_netdevice has successfully returned.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJosh Boyer <jwboyer@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      731abb9c
  22. 09 11月, 2011 1 次提交
  23. 21 9月, 2011 1 次提交
  24. 02 8月, 2011 1 次提交
  25. 01 8月, 2011 1 次提交
  26. 27 7月, 2011 1 次提交
  27. 06 5月, 2011 1 次提交
  28. 04 5月, 2011 1 次提交
  29. 23 4月, 2011 1 次提交
  30. 13 3月, 2011 3 次提交
  31. 11 3月, 2011 1 次提交
  32. 03 3月, 2011 1 次提交