1. 29 Jan, 2008 6 commits
    • [NETNS]: Modify the neighbour table code so it handles multiple network namespaces · 426b5303
      Eric W. Biederman committed
      I'm actually surprised at how much was involved.  At first glance it
      appears that the neighbour table data structures are already split by
      network device so all that should be needed is to modify the user
      interface commands to filter the set of neighbours by the network
      namespace of their devices.
      
      However a couple things turned up while I was reading through the
      code.  The proxy neighbour table allows entries with no network
      device, and the neighbour parms are per network device (except for the
      defaults) so they now need a per network namespace default.
      
      So I updated the two structures (which surprised me) with their very
      own network namespace parameter.  Updated the relevant lookup and
      destroy routines with a network namespace parameter and modified the
      code that interacts with users to filter out neighbour table entries
      for devices of other namespaces.
      
      I'm a little concerned that we can modify and display the global table
      configuration from all network namespaces.  But this appears good
      enough for now.
      
      I keep thinking modifying the neighbour table to have per network
      namespace instances of each table type would be cleaner.  The
      hash table is already dynamically sized so it is not a
      limiter.  The default parameter would be straightforward to take care
      of.  However when I look at how the network table is built and
      used I still find some assumptions that there is only a single
      neighbour table for each type of table in the kernel.  The netlink
      operations, neigh_seq_start, the non-core network users that call
      neigh_lookup.  So while it might be doable it would require more
      refactoring than my current approach of just doing a little extra
      filtering in the code.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [XFRM] IPv6: Fix dst/routing check at transformation. · a1b05140
      Masahide NAKAMURA committed
      An IPv6-specific thing was wrongly removed from transformation in net-2.6.25.
      This patch recovers it with the current design.
      
      o Update "path" of xfrm_dst since IPv6 transformation should
        care about routing changes. It is required by MIPv6 and
        off-link destined IPsec.
      o Rename nfheader_len which is for non-fragment transformation used by
        MIPv6 to rt6i_nfheader_len as IPv6 name space.
      Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [NETFILTER]: Introduce NF_INET_ hook values · 6e23ae2a
      Patrick McHardy committed
      The IPv4 and IPv6 hook values are identical, yet some code tries to figure
      out the "correct" value by looking at the address family. Introduce NF_INET_*
      values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
      section for userspace compatibility.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [IPV6]: Add ip6_local_out · ef76bc23
      Herbert Xu committed
      Most callers of the LOCAL_OUT chain will set the IP packet length
      before doing so.  They also share the same output function dst_output.
      
      This patch creates a new function called ip6_local_out which does all
      of that and converts the appropriate users over to it.
      
      Apart from removing duplicate code, it will also help in merging the
      IPsec output path.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [IPV6]: Move nfheader_len into rt6_info · b4ce9277
      Herbert Xu committed
      The dst member nfheader_len is only used by IPv6.  It's also currently
      creating a rather ugly alignment hole in struct dst.  Therefore this patch
      moves it from there into struct rt6_info.
      
      It also reorders the fields in rt6_info to minimize holes.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [IPV6]: Only set nfheader_len for top xfrm dst · 01488942
      Herbert Xu committed
      We only need to set nfheader_len in the top xfrm dst.  This is because
      we only ever read the nfheader_len from the top xfrm dst.
      
      It is also easier to count nfheader_len as part of header_len which
      then lets us remove the ugly wrapper functions for incrementing and
      decrementing header lengths in xfrm6_policy.c.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 23 Jan, 2008 1 commit
  3. 07 Dec, 2007 1 commit
  4. 07 Nov, 2007 1 commit
  5. 24 Oct, 2007 1 commit
  6. 16 Oct, 2007 1 commit
    • [IPV6]: Uninline netfilter okfns · ad643a79
      Patrick McHardy committed
      Uninline netfilter okfns for those cases where gcc can generate tail-calls.
      
      Before:
         text    data     bss     dec     hex filename
      8994153 1016524  524652 10535329         a0c1a1 vmlinux
      
      After:
         text    data     bss     dec     hex filename
      8992761 1016524  524652 10533937         a0bc31 vmlinux
      -------------------------------------------------------
        -1392
      
      All cases have been verified to generate tail-calls with and without netfilter.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 11 Oct, 2007 2 commits
    • [IPV6]: Add ICMPMsgStats MIB (RFC 4293) [rev 2] · 14878f75
      David L Stevens committed
      Background: RFC 4293 deprecates existing individual, named ICMP
      type counters to be replaced with the ICMPMsgStatsTable. This table
      includes entries for both IPv4 and IPv6, and requires counting of all
      ICMP types, whether or not the machine implements the type.
      
      These patches "remove" (but not really) the existing counters, and
      replace them with the ICMPMsgStats tables for v4 and v6.
      It includes the named counters in the /proc places they were, but gets the
      values for them from the new tables. It also counts packets generated
      from raw socket output (e.g., OutEchoes, MLD queries, RA's from
      radvd, etc).
      
      Changes:
      1) create icmpmsg_statistics mib
      2) create icmpv6msg_statistics mib
      3) modify existing counters to use these
      4) modify /proc/net/snmp to add "IcmpMsg" with all ICMP types
              listed by number for easy SNMP parsing
      5) modify /proc/net/snmp printing for "Icmp" to get the named data
              from new counters.
      [new to 2nd revision]
      6) support per-interface ICMP stats
      7) use common macro for per-device stat macros
      Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [IPV6] IPSEC: Omit redirect for tunnelled packet. · 1e5dc146
      Masahide NAKAMURA committed
      An IPv6 IPsec tunnel gateway incorrectly sends a redirect to the
      router or sender when the network device on which the IPsec tunnelled
      packet arrived is the same as the one on which the decapsulated packet
      is sent.
      
      With this patch, it omits sending the redirect when the forwarded
      skbuff carries a secpath, since such an skbuff should be assumed to be
      a packet decapsulated from an IPsec tunnel by the gateway itself.
      
      It may be a rare case for an IPsec security gateway; however,
      it is not rare when the gateway is a MIPv6 Home Agent, since
      the other tunnel end-point is a Mobile Node and it changes
      the attached network.
      Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  8. 11 Sep, 2007 1 commit
    • [IPv6]: Fix NULL pointer dereference in ip6_flush_pending_frames · e1f52208
      YOSHIFUJI Hideaki committed
      Some of the skbs in sk->write_queue do not have skb->dst because
      we do not fill skb->dst when we allocate a new skb in append_data().
      
      BTW, I think we may not need to (or we should not) increment some stats
      when using corking; if 100 sendmsg() (with MSG_MORE) result in 2 packets,
      how many should we increment?
      
      If 100, we should set skb->dst for every queued skb.
      
      If 1 (or 2 (*)), we increment the stats for the first queued skb and
      we should just skip incrementing OutDiscards for the rest of queued skbs,
      and we should also implement these semantics in other places;
      e.g., we should increment other stats just once, not 100 times.
      
      *: depends on the place we are discarding the datagram.
      
      I guess we should just increment by 1 (or 2).
      Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  9. 22 Aug, 2007 1 commit
    • [IPV6]: Fix kernel panic while send SCTP data with IP fragments · 8984e41d
      Wei Yongjun committed
      If an ICMP6 message with "Packet Too Big" is received after sending SCTP DATA,
      a kernel panic will occur when SCTP DATA is sent again.
      
      This is because of a bad dest address in the call to skb_copy_bits().
      
      The message sequence is like this:
      
      Endpoint A                             Endpoint B
                                     <-------  SCTP DATA (size=1432)
      ICMP6 message ------->
      (Packet Too Big pmtu=1280)
                                     <-------  Resend SCTP DATA (size=1432)
      ------------kernel panic---------------
      
       printing eip:
      c05be62a
      *pde = 00000000
      Oops: 0002 [#1]
      SMP
      Modules linked in: scomm l2cap bluetooth ipv6 dm_mirror dm_mod video output sbs battery lp floppy sg i2c_piix4 i2c_core pcnet32 mii button ac parport_pc parport ide_cd cdrom serio_raw mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
      CPU:    0
      EIP:    0060:[<c05be62a>]    Not tainted VLI
      EFLAGS: 00010282   (2.6.23-rc2 #1)
      EIP is at skb_copy_bits+0x4f/0x1ef
      eax: 000004d0   ebx: ce12a980   ecx: 00000134   edx: cfd5a880
      esi: c8246858   edi: 00000000   ebp: c0759b14   esp: c0759adc
      ds: 007b   es: 007b   fs: 00d8  gs: 0000  ss: 0068
      Process swapper (pid: 0, ti=c0759000 task=c06d0340 task.ti=c0713000)
      Stack: c0759b88 c0405867 ce12a980 c8bff838 c789c084 00000000 00000028 cfd5a880
             d09f1890 000005dc 0000007b ce12a980 cfd5a880 c8bff838 c0759b88 d09bc521
             000004d0 fffff96c 00000200 00000100 c0759b50 cfd5a880 00000246 c0759bd4
      Call Trace:
       [<c0405e1d>] show_trace_log_lvl+0x1a/0x2f
       [<c0405ecd>] show_stack_log_lvl+0x9b/0xa3
       [<c040608d>] show_registers+0x1b8/0x289
       [<c0406271>] die+0x113/0x246
       [<c0625dbc>] do_page_fault+0x4ad/0x57e
       [<c0624642>] error_code+0x72/0x78
       [<d09bc521>] ip6_output+0x8e5/0xab2 [ipv6]
       [<d09bcec1>] ip6_xmit+0x2ea/0x3a3 [ipv6]
       [<d0a3f2ca>] sctp_v6_xmit+0x248/0x253 [sctp]
       [<d0a3c934>] sctp_packet_transmit+0x53f/0x5ae [sctp]
       [<d0a34bf8>] sctp_outq_flush+0x555/0x587 [sctp]
       [<d0a34d3c>] sctp_retransmit+0xf8/0x10f [sctp]
       [<d0a3d183>] sctp_icmp_frag_needed+0x57/0x5b [sctp]
       [<d0a3ece2>] sctp_v6_err+0xcd/0x148 [sctp]
       [<d09cf1ce>] icmpv6_notify+0xe6/0x167 [ipv6]
       [<d09d009a>] icmpv6_rcv+0x7d7/0x849 [ipv6]
       [<d09be240>] ip6_input+0x1dc/0x310 [ipv6]
       [<d09be965>] ipv6_rcv+0x294/0x2df [ipv6]
       [<c05c3789>] netif_receive_skb+0x2d2/0x335
       [<c05c5733>] process_backlog+0x7f/0xd0
       [<c05c58f6>] net_rx_action+0x96/0x17e
       [<c042e722>] __do_softirq+0x64/0xcd
       [<c0406f37>] do_softirq+0x5c/0xac
       =======================
      Code: 00 00 29 ca 89 d0 2b 45 e0 89 55 ec 85 c0 7e 35 39 45 08 8b 55 e4 0f 4e 45 08 8b 75 e0 8b 7d dc 89 c1 c1 e9 02 03 b2 a0 00 00 00 <f3> a5 89 c1 83 e1 03 74 02 f3 a4 29 45 08 0f 84 7b 01 00 00 01
      EIP: [<c05be62a>] skb_copy_bits+0x4f/0x1ef SS:ESP 0068:c0759adc
      Kernel panic - not syncing: Fatal exception in interrupt
      
      Arnaldo says:
      ====================
      Thanks! I'm to blame for this one, problem was introduced in:
      
      b0e380b1
      
      @@ -761,7 +762,7 @@ slow_path:
                      /*
                       *      Copy a block of the IP datagram.
                       */
      -               if (skb_copy_bits(skb, ptr, frag->h.raw, len))
      +               if (skb_copy_bits(skb, ptr, skb_transport_header(skb),
      len))
                              BUG();
                      left -= len;
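      Review bot: on the + line the destination passed to skb_copy_bits() changes from the new fragment (frag->h.raw) to the packet being fragmented (skb_transport_header(skb)), so each block is written back into the skb it is read from and never reaches frag, which matches the "bad dest address" and the fault in skb_copy_bits() reported above. The destination should stay on the fragment, i.e. skb_transport_header(frag). Because this copy runs on the ICMPv6 "Packet Too Big" retransmit path shown in the call trace, a wrong destination here is reachable from received traffic, so the argument deserves a second look whenever the header accessors in this function are converted.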
      ====================
      Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
      Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  10. 11 Jul, 2007 2 commits
    • [NETFILTER]: x_tables: add TRACE target · ba9dda3a
      Jozsef Kadlecsik committed
      The TRACE target can be used to follow IP and IPv6 packets through
      the ruleset.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • [IPV6] MIP6: Loadable module support for MIPv6. · 59fbb3a6
      Masahide NAKAMURA committed
      This patch makes MIPv6 a loadable module named "mip6".
      
      Here is a modprobe.conf(5) example to load it automatically
      when user application uses XFRM state for MIPv6:
      
      alias xfrm-type-10-43 mip6
      alias xfrm-type-10-60 mip6
      
      Some MIPv6 features are not included in this module; however,
      other features such as IPsec or IPv6 should not be affected
      with or without the patch.
      We may discuss XFRM, MH (RAW socket) and ancillary data/sockopt
      separately for future work.
      
      Loadable features:
      * MH receiving check (to send ICMP error back)
      * RO header parsing and building (i.e. RH2 and HAO in DSTOPTS)
      * XFRM policy/state database handling for RO
      
      These are NOT covered as loadable:
      * Home Address flags and its rule on source address selection
      * XFRM sub policy (depends on its own kernel option)
      * XFRM functions to receive RO as IPv6 extension header
      * MH sending/receiving through raw socket if user application
        opens it (since raw socket allows to do so)
      * RH2 sending as ancillary data
      * RH2 operation with setsockopt(2)
      Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  11. 11 May, 2007 1 commit
  12. 26 Apr, 2007 19 commits
  13. 11 Feb, 2007 1 commit
  14. 09 Dec, 2006 1 commit
  15. 07 Dec, 2006 1 commit