1. 20 6月, 2013 1 次提交
  2. 01 6月, 2013 1 次提交
  3. 27 3月, 2013 2 次提交
    • P
      Tunneling: use IP Tunnel stats APIs. · f61dd388
      Pravin B Shelar 提交于
      Use common function get calculate rtnl_link_stats64 stats.
      Signed-off-by: NPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f61dd388
    • P
      GRE: Refactor GRE tunneling code. · c5441932
      Pravin B Shelar 提交于
      Following patch refactors GRE code into ip tunneling code and GRE
      specific code. Common tunneling code is moved to ip_tunnel module.
      ip_tunnel module is written as generic library which can be used
      by different tunneling implementations.
      
      ip_tunnel module contains following components:
       - packet xmit and rcv generic code. xmit flow looks like
         (gre_xmit/ipip_xmit)->ip_tunnel_xmit->ip_local_out.
       - hash table of all devices.
       - lookup for tunnel devices.
       - control plane operations like device create, destroy, ioctl, netlink
         operations code.
       - registration for tunneling modules, like gre, ipip etc.
       - define single pcpu_tstats dev->tstats.
       - struct tnl_ptk_info added to pass parsed tunnel packet parameters.
      
      ipip.h header is renamed to ip_tunnel.h
      Signed-off-by: NPravin B Shelar <pshelar@nicira.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5441932
  4. 10 3月, 2013 1 次提交
  5. 30 1月, 2013 1 次提交
    • H
      ipv6: add anti-spoofing checks for 6to4 and 6rd · 218774dc
      Hannes Frederic Sowa 提交于
      This patch adds anti-spoofing checks in sit.c as specified in RFC3964
      section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
      checks which could easily be implemented with netfilter.
      
      Specifically this patch adds following logic (based loosely on the
      pseudocode in RFC3964 section 5.2):
      
      if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
              and outer_src_v4 != embedded_ipv4 (inner_src_v6)
                      drop
      if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
              and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
                      drop
      accept
      
      To accomplish the specified security checks proposed by above RFCs,
      it is still necessary to employ uRPF filters with netfilter. These new
      checks only kick in if the employed addresses are within the 2002::/16 or
      another range specified by the 6rd-prefix (which defaults to 2002::/16).
      
      Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      218774dc
  6. 19 1月, 2013 1 次提交
  7. 29 11月, 2012 1 次提交
    • N
      ip6tnl/sit: drop packet if ECN present with not-ECT · f4e0b4c5
      Nicolas Dichtel 提交于
      This patch reports the change made by Stephen Hemminger in ipip and gre[6] in
      commit eccc1bb8 (tunnel: drop packet if ECN present with not-ECT).
      
      Goal is to handle RFC6040, Section 4.2:
      
      Default Tunnel Egress Behaviour.
       o If the inner ECN field is Not-ECT, the decapsulator MUST NOT
            propagate any other ECN codepoint onwards.  This is because the
            inner Not-ECT marking is set by transports that rely on dropped
            packets as an indication of congestion and would not understand or
            respond to any other ECN codepoint [RFC4774].  Specifically:
      
            *  If the inner ECN field is Not-ECT and the outer ECN field is
               CE, the decapsulator MUST drop the packet.
      
            *  If the inner ECN field is Not-ECT and the outer ECN field is
               Not-ECT, ECT(0), or ECT(1), the decapsulator MUST forward the
               outgoing packet with the ECN field cleared to Not-ECT.
      
      The patch takes benefits from common function added in net/inet_ecn.h.
      
      Like it was done for Xin4 tunnels, it adds logging to allow detecting broken
      systems that set ECN bits incorrectly when tunneling (or an intermediate
      router might be changing the header). Errors are also tracked via
      rx_frame_error.
      
      CC: Stephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f4e0b4c5
  8. 21 11月, 2012 1 次提交
  9. 19 11月, 2012 1 次提交
    • E
      net: Allow userns root to control ipv6 · af31f412
      Eric W. Biederman 提交于
      Allow an unpriviled user who has created a user namespace, and then
      created a network namespace to effectively use the new network
      namespace, by reducing capable(CAP_NET_ADMIN) and
      capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
      CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
      
      Settings that merely control a single network device are allowed.
      Either the network device is a logical network device where
      restrictions make no difference or the network device is hardware NIC
      that has been explicity moved from the initial network namespace.
      
      In general policy and network stack state changes are allowed while
      resource control is left unchanged.
      
      Allow the SIOCSIFADDR ioctl to add ipv6 addresses.
      Allow the SIOCDIFADDR ioctl to delete ipv6 addresses.
      Allow the SIOCADDRT ioctl to add ipv6 routes.
      Allow the SIOCDELRT ioctl to delete ipv6 routes.
      
      Allow creation of ipv6 raw sockets.
      
      Allow setting the IPV6_JOIN_ANYCAST socket option.
      Allow setting the IPV6_FL_A_RENEW parameter of the IPV6_FLOWLABEL_MGR
      socket option.
      
      Allow setting the IPV6_TRANSPARENT socket option.
      Allow setting the IPV6_HOPOPTS socket option.
      Allow setting the IPV6_RTHDRDSTOPTS socket option.
      Allow setting the IPV6_DSTOPTS socket option.
      Allow setting the IPV6_IPSEC_POLICY socket option.
      Allow setting the IPV6_XFRM_POLICY socket option.
      
      Allow sending packets with the IPV6_2292HOPOPTS control message.
      Allow sending packets with the IPV6_2292DSTOPTS control message.
      Allow sending packets with the IPV6_RTHDRDSTOPTS control message.
      
      Allow setting the multicast routing socket options on non multicast
      routing sockets.
      
      Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, and SIOCDELTUNNEL ioctls for
      setting up, changing and deleting tunnels over ipv6.
      
      Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, SIOCDELTUNNEL ioctls for
      setting up, changing and deleting ipv6 over ipv4 tunnels.
      
      Allow the SIOCADDPRL, SIOCDELPRL, SIOCCHGPRL ioctls for adding,
      deleting, and changing the potential router list for ISATAP tunnels.
      Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      af31f412
  10. 16 11月, 2012 1 次提交
  11. 15 11月, 2012 6 次提交
  12. 10 11月, 2012 1 次提交
  13. 28 9月, 2012 1 次提交
  14. 17 7月, 2012 1 次提交
    • D
      net: Pass optional SKB and SK arguments to dst_ops->{update_pmtu,redirect}() · 6700c270
      David S. Miller 提交于
      This will be used so that we can compose a full flow key.
      
      Even though we have a route in this context, we need more.  In the
      future the routes will be without destination address, source address,
      etc. keying.  One ipv4 route will cover entire subnets, etc.
      
      In this environment we have to have a way to possess persistent storage
      for redirects and PMTU information.  This persistent storage will exist
      in the FIB tables, and that's why we'll need to be able to rebuild a
      full lookup flow key here.  Using that flow key will do a fib_lookup()
      and create/update the persistent entry.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6700c270
  15. 12 7月, 2012 1 次提交
  16. 15 6月, 2012 1 次提交
    • D
      ipv4: Handle PMTU in all ICMP error handlers. · 36393395
      David S. Miller 提交于
      With ip_rt_frag_needed() removed, we have to explicitly update PMTU
      information in every ICMP error handler.
      
      Create two helper functions to facilitate this.
      
      1) ipv4_sk_update_pmtu()
      
         This updates the PMTU when we have a socket context to
         work with.
      
      2) ipv4_update_pmtu()
      
         Raw version, used when no socket context is available.  For this
         interface, we essentially just pass in explicit arguments for
         the flow identity information we would have extracted from the
         socket.
      
         And you'll notice that ipv4_sk_update_pmtu() is simply implemented
         in terms of ipv4_update_pmtu()
      
      Note that __ip_route_output_key() is used, rather than something like
      ip_route_output_flow() or ip_route_output_key().  This is because we
      absolutely do not want to end up with a route that does IPSEC
      encapsulation and the like.  Instead, we only want the route that
      would get us to the node described by the outermost IP header.
      Reported-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      36393395
  17. 16 5月, 2012 2 次提交
  18. 15 4月, 2012 1 次提交
  19. 02 4月, 2012 1 次提交
  20. 27 1月, 2012 1 次提交
  21. 13 1月, 2012 1 次提交
  22. 13 12月, 2011 1 次提交
    • T
      ipip, sit: copy parms.name after register_netdevice · 72b36015
      Ted Feng 提交于
      Same fix as 731abb9c for ipip and sit tunnel.
      Commit 1c5cae81 removed an explicit call to dev_alloc_name in
      ipip_tunnel_locate and ipip6_tunnel_locate, because register_netdevice
      will now create a valid name, however the tunnel keeps a copy of the
      name in the private parms structure. Fix this by copying the name back
      after register_netdevice has successfully returned.
      
      This shows up if you do a simple tunnel add, followed by a tunnel show:
      
      $ sudo ip tunnel add mode ipip remote 10.2.20.211
      $ ip tunnel
      tunl0: ip/ip  remote any  local any  ttl inherit  nopmtudisc
      tunl%d: ip/ip  remote 10.2.20.211  local any  ttl inherit
      $ sudo ip tunnel add mode sit remote 10.2.20.212
      $ ip tunnel
      sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc 6rd-prefix 2002::/16
      sit%d: ioctl 89f8 failed: No such device
      sit%d: ipv6/ip  remote 10.2.20.212  local any  ttl inherit
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NTed Feng <artisdom@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      72b36015
  23. 06 12月, 2011 1 次提交
  24. 23 11月, 2011 1 次提交
  25. 09 11月, 2011 1 次提交
  26. 17 8月, 2011 1 次提交
  27. 02 8月, 2011 1 次提交
  28. 18 7月, 2011 1 次提交
  29. 08 5月, 2011 1 次提交
  30. 06 5月, 2011 1 次提交
  31. 05 5月, 2011 1 次提交
  32. 04 5月, 2011 1 次提交
  33. 23 4月, 2011 1 次提交