1. 04 1月, 2006 1 次提交
  2. 06 12月, 2005 1 次提交
  3. 16 11月, 2005 1 次提交
  4. 12 11月, 2005 1 次提交
  5. 11 11月, 2005 1 次提交
  6. 10 11月, 2005 1 次提交
    • Y
      [NETFILTER]: Add nf_conntrack subsystem. · 9fb9cbb1
      Yasuyuki Kozakai 提交于
      The existing connection tracking subsystem in netfilter can only
      handle ipv4.  There were basically two choices present to add
      connection tracking support for ipv6.  We could either duplicate all
      of the ipv4 connection tracking code into an ipv6 counterpart, or (the
      choice taken by these patches) we could design a generic layer that
      could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
      (TCP, UDP, etc.) connection tracking helper module to be written.
      
      In fact nf_conntrack is capable of working with any layer 3
      protocol.
      
      The existing ipv4 specific conntrack code could also not deal
      with the pecularities of doing connection tracking on ipv6,
      which is also cured here.  For example, these issues include:
      
      1) ICMPv6 handling, which is used for neighbour discovery in
         ipv6 thus some messages such as these should not participate
         in connection tracking since effectively they are like ARP
         messages
      
      2) fragmentation must be handled differently in ipv6, because
         the simplistic "defrag, connection track and NAT, refrag"
         (which the existing ipv4 connection tracking does) approach simply
         isn't feasible in ipv6
      
      3) ipv6 extension header parsing must occur at the correct spots
         before and after connection tracking decisions, and there were
         no provisions for this in the existing connection tracking
         design
      
      4) ipv6 has no need for stateful NAT
      
      The ipv4 specific conntrack layer is kept around, until all of
      the ipv4 specific conntrack helpers are ported over to nf_conntrack
      and it is feature complete.  Once that occurs, the old conntrack
      stuff will get placed into the feature-removal-schedule and we will
      fully kill it off 6 months later.
      Signed-off-by: NYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
      Signed-off-by: NHarald Welte <laforge@netfilter.org>
      Signed-off-by: NArnaldo Carvalho de Melo <acme@mandriva.com>
      9fb9cbb1
  7. 09 11月, 2005 1 次提交
    • A
      [PATCH] Fix sysctl unregistration oops (CVE-2005-2709) · 330d57fb
      Al Viro 提交于
      You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
      wait for interface to go away, try to grab as much memory as possible in
      hope to hit the (kfreed) ctl_table.  Then fill it with pointers to your
      function.  Then do read from file you've opened and if you are lucky,
      you'll get it called as ->proc_handler() in kernel mode.
      
      So this is at least an Oops and possibly more.  It does depend on an
      interface going away though, so less of a security risk than it would
      otherwise be.
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      330d57fb
  8. 22 9月, 2005 1 次提交
  9. 13 9月, 2005 1 次提交
    • R
      [NETROM]: Implement G8PZT Circuit reset for NET/ROM · e21ce8c7
      Ralf Baechle 提交于
      NET/ROM is lacking a connection reset like TCP's RST flag which at times
      may result in a connecting having to slowly timing out instead of just being
      reset.  An earlier attempt to reset the connection by sending a
      NR_CONNACK | NR_CHOKE_FLAG transport was inacceptable as it did result in
      crashes of BPQ systems.  An alternative approach of introducing a new
      transport type 7 (NR_RESET) has be implemented several years ago in
      Paula Jayne Dowie G8PZT's Xrouter.
      
      Implement NR_RESET for Linux's NET/ROM but like any messing with the state
      engine consider this experimental for now and thus control it by a sysctl
      (net.netrom.reset) which for the time being defaults to off.
      Signed-off-by: NRalf Baechle DL5RB <ralf@linux-mips.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e21ce8c7
  10. 08 9月, 2005 1 次提交
  11. 28 7月, 2005 1 次提交
    • M
      [PATCH] s390: spin lock retry · 951f22d5
      Martin Schwidefsky 提交于
      Split spin lock and r/w lock implementation into a single try which is done
      inline and an out of line function that repeatedly tries to get the lock
      before doing the cpu_relax().  Add a system control to set the number of
      retries before a cpu is yielded.
      
      The reason for the spin lock retry is that the diagnose 0x44 that is used to
      give up the virtual cpu is quite expensive.  For spin locks that are held only
      for a short period of time the costs of the diagnoses outweights the savings
      for spin locks that are held for a longer timer.  The default retry count is
      1000.
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      951f22d5
  12. 14 7月, 2005 1 次提交
  13. 13 7月, 2005 1 次提交
    • R
      [PATCH] inotify · 0eeca283
      Robert Love 提交于
      inotify is intended to correct the deficiencies of dnotify, particularly
      its inability to scale and its terrible user interface:
      
              * dnotify requires the opening of one fd per each directory
                that you intend to watch. This quickly results in too many
                open files and pins removable media, preventing unmount.
              * dnotify is directory-based. You only learn about changes to
                directories. Sure, a change to a file in a directory affects
                the directory, but you are then forced to keep a cache of
                stat structures.
              * dnotify's interface to user-space is awful.  Signals?
      
      inotify provides a more usable, simple, powerful solution to file change
      notification:
      
              * inotify's interface is a system call that returns a fd, not SIGIO.
      	  You get a single fd, which is select()-able.
              * inotify has an event that says "the filesystem that the item
                you were watching is on was unmounted."
              * inotify can watch directories or files.
      
      Inotify is currently used by Beagle (a desktop search infrastructure),
      Gamin (a FAM replacement), and other projects.
      
      See Documentation/filesystems/inotify.txt.
      Signed-off-by: NRobert Love <rml@novell.com>
      Cc: John McCutchan <ttb@tentacle.dhs.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      0eeca283
  14. 29 6月, 2005 1 次提交
  15. 24 6月, 2005 3 次提交
    • S
      [NET]: Separate two usages of netdev_max_backlog. · 51b0bded
      Stephen Hemminger 提交于
      Separate out the two uses of netdev_max_backlog. One controls the
      upper bound on packets processed per softirq, the new name for this is
      netdev_budget; the other controls the limit on packets queued via
      netif_rx.
      
      Increase the max_backlog default to account for faster processors.
      Signed-off-by: NStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51b0bded
    • S
      [TCP]: Add pluggable congestion control algorithm infrastructure. · 317a76f9
      Stephen Hemminger 提交于
      Allow TCP to have multiple pluggable congestion control algorithms.
      Algorithms are defined by a set of operations and can be built in
      or modules.  The legacy "new RENO" algorithm is used as a starting
      point and fallback.
      Signed-off-by: NStephen Hemminger <shemminger@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      317a76f9
    • A
      [PATCH] setuid core dump · d6e71144
      Alan Cox 提交于
      Add a new `suid_dumpable' sysctl:
      
      This value can be used to query and set the core dump mode for setuid
      or otherwise protected/tainted binaries. The modes are
      
      0 - (default) - traditional behaviour.  Any process which has changed
          privilege levels or is execute only will not be dumped
      
      1 - (debug) - all processes dump core when possible.  The core dump is
          owned by the current user and no security is applied.  This is intended
          for system debugging situations only.  Ptrace is unchecked.
      
      2 - (suidsafe) - any binary which normally would not be dumped is dumped
          readable by root only.  This allows the end user to remove such a dump but
          not access it directly.  For security reasons core dumps in this mode will
          not overwrite one another or other files.  This mode is appropriate when
          adminstrators are attempting to debug problems in a normal environment.
      
      (akpm:
      
      > > +EXPORT_SYMBOL(suid_dumpable);
      >
      > EXPORT_SYMBOL_GPL?
      
      No problem to me.
      
      > >  	if (current->euid == current->uid && current->egid == current->gid)
      > >  		current->mm->dumpable = 1;
      >
      > Should this be SUID_DUMP_USER?
      
      Actually the feedback I had from last time was that the SUID_ defines
      should go because its clearer to follow the numbers. They can go
      everywhere (and there are lots of places where dumpable is tested/used
      as a bool in untouched code)
      
      > Maybe this should be renamed to `dump_policy' or something.  Doing that
      > would help us catch any code which isn't using the #defines, too.
      
      Fair comment. The patch was designed to be easy to maintain for Red Hat
      rather than for merging. Changing that field would create a gigantic
      diff because it is used all over the place.
      
      )
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      d6e71144
  16. 14 6月, 2005 1 次提交
    • J
      [IPV4]: Sysctl configurable icmp error source address. · 1c2fb7f9
      J. Simonetti 提交于
      This patch alows you to change the source address of icmp error
      messages. It applies cleanly to 2.6.11.11 and retains the default
      behaviour.
      
      In the old (default) behaviour icmp error messages are sent with the ip
      of the exiting interface.
      
      The new behaviour (when the sysctl variable is toggled on), it will send
      the message with the ip of the interface that received the packet that
      caused the icmp error. This is the behaviour network administrators will
      expect from a router. It makes debugging complicated network layouts
      much easier. Also, all 'vendor routers' I know of have the later
      behaviour.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1c2fb7f9
  17. 30 5月, 2005 1 次提交
  18. 29 4月, 2005 1 次提交
  19. 17 4月, 2005 1 次提交
    • L
      Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds 提交于
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!
      1da177e4