Commit message | Author | Age | Files | Lines
* batman-adv: Fix broadcast duplist for fragmentation
  Simon Wunderlich | 2012-11-21 | 4 | -23/+11

  If the skb is fragmented, the checksum must be computed on the
  individual fragments; just using skb->data may fail on fragmented
  data. Instead of linearizing the packet, use the new batadv_crc32 to
  do that more efficiently; it should not hurt replacing the old crc16
  by the new crc32.

  Reported-by: Sven Eckelmann <sven@narfation.org>
  Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* batman-adv: Add function to calculate crc32c for the skb payload
  Sven Eckelmann | 2012-11-21 | 3 | -0/+36

  Signed-off-by: Sven Eckelmann <sven@narfation.org>
  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* batman-adv: sysfs documentation should keep alphabetical order
  Marek Lindner | 2012-11-21 | 2 | -25/+26

  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* batman-adv: Add wrapper to look up neighbor and send skb
  Martin Hundebøll | 2012-11-21 | 6 | -107/+74

  By adding batadv_send_skb_to_orig() in send.c, we can remove duplicate
  code that looks up the next hop and then calls batadv_send_skb_packet().
  Furthermore, this prepares the upcoming new implementation of
  fragmentation, which requires the next hop to route packets.

  Please note that this doesn't entirely remove the next-hop lookup in
  routing.c and unicast.c, since it is used by the current fragmentation
  code.

  Also note that the next-hop info is removed from debug messages in
  translation-table.c, since it is looked up elsewhere.

  Signed-off-by: Martin Hundebøll <martin@hundeboll.net>
  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* batman-adv: support array of debugfs general attributes
  Antonio Quartulli | 2012-11-21 | 1 | -9/+25

  This patch adds support for an array of debugfs general (not
  soft_iface specific) attributes. With this change it will be possible
  to add more general attributes by simply appending them to the array
  without touching the rest of the code.

  Reported-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
  Acked-by: Sven Eckelmann <sven@narfation.org>
  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
* batman-adv: fix bla compare function
  Simon Wunderlich | 2012-11-21 | 1 | -2/+16

  The address and the VLAN VID may not be packed in the respective
  structs. Fix this by comparing the elements individually.

  Reported-by: Marek Lindner <lindner_marek@yahoo.de>
  Reported-by: Sven Eckelmann <sven@narfation.org>
  Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* batman-adv: Mark best gateway in transtable_global debugfs
  Sven Eckelmann | 2012-11-21 | 1 | -26/+64

  The transtable_global debug file can show multiple entries for a
  single client when multiple gateways exist. The chosen gateway isn't
  marked in the list and therefore the user cannot easily debug the
  situation when there is a problem with the currently used gateway.

  The best gateway is now marked with "*" and secondary gateways are
  marked with "+".

  Signed-off-by: Sven Eckelmann <sven@narfation.org>
  Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
  Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* sctp: send abort chunk when max_retrans exceeded
  Neil Horman | 2012-11-20 | 3 | -1/+29

  In the event that an association exceeds its max_retrans attempts, we
  should send an ABORT chunk indicating that we are closing the
  association as a result. Because of the nature of the error, it's
  unlikely to be received, but it's a nice clean way to close the
  association if it does make it through, and it will give anyone
  watching via tcpdump a clue as to what happened.

  Change notes:
  v2)
  * Removed erroneous changes from sctp_make_violation_parmlen

  Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
  CC: Vlad Yasevich <vyasevich@gmail.com>
  CC: "David S. Miller" <davem@davemloft.net>
  CC: linux-sctp@vger.kernel.org
  Acked-by: Vlad Yasevich <vyasevich@gmail.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Remove redundant null check before kfree in dev.c
  Sachin Kamat | 2012-11-20 | 1 | -4/+2

  kfree on a null pointer is a no-op.

  Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* caif: Remove redundant null check before kfree in cfctrl.c
  Sachin Kamat | 2012-11-20 | 1 | -2/+1

  kfree on a null pointer is a no-op.

  Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
  Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* bnx2x: Remove duplicate inclusion of bnx2x_hsi.h
  Sachin Kamat | 2012-11-20 | 1 | -1/+0

  bnx2x_hsi.h was included twice.

  Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* sit: allow to configure 6rd tunnels via netlink
  Nicolas Dichtel | 2012-11-20 | 2 | -25/+128

  This patch adds support for 6RD tunnel management via netlink.

  Note that netdev_state_change() is now called when 6RD parameters are
  updated. 6RD parameters are updated only if there is at least one 6RD
  attribute.

  Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* add DOVE extensions for VXLAN
  David Stevens | 2012-11-20 | 2 | -25/+235

  This patch provides extensions to VXLAN for supporting Distributed
  Overlay Virtual Ethernet (DOVE) networks. The patch includes:

  + a dove flag per VXLAN device to enable DOVE extensions
  + ARP reduction, whereby a bridge-connected VXLAN tunnel endpoint
    answers ARP requests from the local bridge on behalf of remote DOVE
    clients
  + route short-circuiting (aka L3 switching). Known destination IP
    addresses use the corresponding destination MAC address for
    switching rather than going to a (possibly remote) router first.
  + netlink notification messages for forwarding table and L3 switching
    misses

  Changes since v2
  - combined bools into "u32 flags"
  - replaced loop with !is_zero_ether_addr()

  Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Remove bogus dependencies on INET
  Ben Hutchings | 2012-11-20 | 9 | -10/+10

  Various drivers depend on INET because they used to select INET_LRO,
  but they have all been converted to use GRO which has no such
  dependency.

  Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* ehea: Remove remnants of LRO support
  Ben Hutchings | 2012-11-20 | 2 | -4/+3

  Commit 2cb1deb56f5bf413da83491e0cb5a0474393c8ef ('ehea: Remove LRO
  support') left behind the Kconfig depends/select and feature flag.

  Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* mlx4_en: Remove remnants of LRO support
  Ben Hutchings | 2012-11-20 | 3 | -25/+4

  Commit fa37a9586f92051de03a13e55e5ec3880bb6783e ('mlx4_en: Moving to
  work with GRO') left behind the Kconfig depends/select, some dead code
  and comments referring to LRO.

  Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
  Acked-by: Amir Vadai <amirv@mellanox.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: remove unnecessary wireless includes
  Johannes Berg | 2012-11-20 | 1 | -2/+0

  The wireless and wext includes in net-sysfs.c aren't needed, so remove
  them.

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net/ethernet: remove useless is_valid_ether_addr from drivers ndo_open
  Joachim Eastwood | 2012-11-20 | 13 | -62/+1

  If ndo_validate_addr is set to the generic eth_validate_addr function
  there is no point in calling is_valid_ether_addr from driver ndo_open
  if ndo_open is not used elsewhere in the driver.

  With this change is_valid_ether_addr will be called from the generic
  eth_validate_addr function. So there should be no change in the actual
  behavior.

  Signed-off-by: Joachim Eastwood <manabian@gmail.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: rds: use this_cpu_* per-cpu helper
  Shan Wei | 2012-11-20 | 2 | -12/+14

  Signed-off-by: Shan Wei <davidshan@tencent.com>
  Reviewed-by: Christoph Lameter <cl@linux.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: core: use this_cpu_ptr per-cpu helper
  Shan Wei | 2012-11-20 | 1 | -3/+1

  flush_tasklet is a struct, not a pointer in percpu var, so use
  this_cpu_ptr to get the member pointer.

  Signed-off-by: Shan Wei <davidshan@tencent.com>
  Reviewed-by: Christoph Lameter <cl@linux.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* vhost: Remove duplicate inclusion of linux/vhost.h
  Sachin Kamat | 2012-11-19 | 1 | -1/+0

  linux/vhost.h was included twice.

  Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
  Acked-by: Michael S. Tsirkin <mst@redhat.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net/macb: move to circ_buf macros and fix initial condition
  Nicolas Ferre | 2012-11-19 | 1 | -10/+7

  Move to circular buffers management macro and correct an error with
  circular buffer initial condition. Without this patch, the
  macb_tx_ring_avail() function was not reporting the proper ring
  availability at startup:

  macb macb: eth0: BUG! Tx Ring full when queue awake!
  macb macb: eth0: tx_head = 0, tx_tail = 0

  And hanging forever...

  I remove the macb_tx_ring_avail() function and use the proven macros
  from circ_buf.h. CIRC_CNT() is used in the "consumer" part of the
  driver: macb_tx_interrupt() to match advice from
  Documentation/circular-buffers.txt.

  Reported-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
  Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
  Tested-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* netfilter: Remove the spurious \ in __ip_vs_lblc_init
  Eric W. Biederman | 2012-11-19 | 1 | -1/+1

  In (464dc801c76a net: Don't export sysctls to unprivileged users) I
  typoed and introduced a spurious backslash. Delete it.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* qeth: Remove BUG_ONs
  Stefan Raspl | 2012-11-19 | 3 | -14/+10

  Remove BUG_ONs or convert to WARN_ON_ONCE/WARN_ONs since a failure
  within a networking device driver is no reason to shut down the entire
  machine.

  Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
  Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
  Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* qeth: Consolidate tracing of card features
  Stefan Raspl | 2012-11-19 | 4 | -3/+16

  Trace all supported and enabled card features to s390dbf.

  Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
  Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
  Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* qeth: Clarify card type naming for virtual NICs
  Stefan Raspl | 2012-11-19 | 1 | -8/+8

  So far, virtual NICs whether attached to a VSWITCH or a guest LAN were
  always displayed as guest LANs in the device driver attributes and
  messages, while in fact it is a virtual NIC.

  Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
  Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
  Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* claw: remove BUG_ONs
  Ursula Braun | 2012-11-19 | 1 | -2/+0

  Remove BUG_ON's in claw driver, since the checked error conditions are
  null pointer accesses.

  Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
  Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* ctcm: remove BUG_ONs
  Ursula Braun | 2012-11-19 | 2 | -5/+0

  Remove BUG_ON's in ctcm driver, since the checked error conditions are
  null pointer accesses.

  Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
  Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* qeth: Remove unused variable
  Stefan Raspl | 2012-11-19 | 1 | -2/+1

  Eliminate a variable that is never modified.

  Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
  Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
  Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root to control tun and tap devices
  Eric W. Biederman | 2012-11-19 | 1 | -2/+3

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) calls to
  ns_capable(net->user_ns,CAP_NET_ADMIN) calls.

  Allow setting of the tun iff flags.
  Allow creating of tun devices.
  Allow adding a new queue to a tun device.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Make CAP_NET_BIND_SERVICE per user namespace
  Eric W. Biederman | 2012-11-19 | 3 | -6/+10

  Allow privileged users in any user namespace to bind to privileged
  sockets in network namespaces they control.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Enable a userns root rtnl calls that are safe for unprivileged users
  Eric W. Biederman | 2012-11-19 | 9 | -54/+4

  - Only allow moving network devices to network namespaces you have
    CAP_NET_ADMIN privileges over.
  - Enable creating/deleting/modifying interfaces
  - Enable adding/deleting addresses
  - Enable adding/setting/deleting neighbour entries
  - Enable adding/removing routes
  - Enable adding/removing fib rules
  - Enable setting the forwarding state
  - Enable adding/removing ipv6 address labels
  - Enable setting bridge parameter

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Enable some sysctls that are safe for the userns root
  Eric W. Biederman | 2012-11-19 | 4 | -22/+1

  - Enable the per device ipv4 sysctls:
    net/ipv4/conf/<if>/forwarding
    net/ipv4/conf/<if>/mc_forwarding
    net/ipv4/conf/<if>/accept_redirects
    net/ipv4/conf/<if>/secure_redirects
    net/ipv4/conf/<if>/shared_media
    net/ipv4/conf/<if>/rp_filter
    net/ipv4/conf/<if>/send_redirects
    net/ipv4/conf/<if>/accept_source_route
    net/ipv4/conf/<if>/accept_local
    net/ipv4/conf/<if>/src_valid_mark
    net/ipv4/conf/<if>/proxy_arp
    net/ipv4/conf/<if>/medium_id
    net/ipv4/conf/<if>/bootp_relay
    net/ipv4/conf/<if>/log_martians
    net/ipv4/conf/<if>/tag
    net/ipv4/conf/<if>/arp_filter
    net/ipv4/conf/<if>/arp_announce
    net/ipv4/conf/<if>/arp_ignore
    net/ipv4/conf/<if>/arp_accept
    net/ipv4/conf/<if>/arp_notify
    net/ipv4/conf/<if>/proxy_arp_pvlan
    net/ipv4/conf/<if>/disable_xfrm
    net/ipv4/conf/<if>/disable_policy
    net/ipv4/conf/<if>/force_igmp_version
    net/ipv4/conf/<if>/promote_secondaries
    net/ipv4/conf/<if>/route_localnet

  - Enable the global ipv4 sysctl:
    net/ipv4/ip_forward

  - Enable the per device ipv6 sysctls:
    net/ipv6/conf/<if>/forwarding
    net/ipv6/conf/<if>/hop_limit
    net/ipv6/conf/<if>/mtu
    net/ipv6/conf/<if>/accept_ra
    net/ipv6/conf/<if>/accept_redirects
    net/ipv6/conf/<if>/autoconf
    net/ipv6/conf/<if>/dad_transmits
    net/ipv6/conf/<if>/router_solicitations
    net/ipv6/conf/<if>/router_solicitation_interval
    net/ipv6/conf/<if>/router_solicitation_delay
    net/ipv6/conf/<if>/force_mld_version
    net/ipv6/conf/<if>/use_tempaddr
    net/ipv6/conf/<if>/temp_valid_lft
    net/ipv6/conf/<if>/temp_prefered_lft
    net/ipv6/conf/<if>/regen_max_retry
    net/ipv6/conf/<if>/max_desync_factor
    net/ipv6/conf/<if>/max_addresses
    net/ipv6/conf/<if>/accept_ra_defrtr
    net/ipv6/conf/<if>/accept_ra_pinfo
    net/ipv6/conf/<if>/accept_ra_rtr_pref
    net/ipv6/conf/<if>/router_probe_interval
    net/ipv6/conf/<if>/accept_ra_rt_info_max_plen
    net/ipv6/conf/<if>/proxy_ndp
    net/ipv6/conf/<if>/accept_source_route
    net/ipv6/conf/<if>/optimistic_dad
    net/ipv6/conf/<if>/mc_forwarding
    net/ipv6/conf/<if>/disable_ipv6
    net/ipv6/conf/<if>/accept_dad
    net/ipv6/conf/<if>/force_tllao

  - Enable the global ipv6 sysctls:
    net/ipv6/bindv6only
    net/ipv6/icmp/ratelimit

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow the userns root to control vlans.
  Eric W. Biederman | 2012-11-19 | 1 | -6/+6

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW)
  calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or
  capable(net->user_ns, CAP_NET_RAW) calls.

  Allow the vlan ioctls:
  SET_VLAN_INGRESS_PRIORITY_CMD
  SET_VLAN_EGRESS_PRIORITY_CMD
  SET_VLAN_FLAG_CMD
  SET_VLAN_NAME_TYPE_CMD
  ADD_VLAN_CMD
  DEL_VLAN_CMD

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root to control the network bridge code.
  Eric W. Biederman | 2012-11-19 | 3 | -18/+19

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW)
  calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or
  capable(net->user_ns, CAP_NET_RAW) calls.

  Allow setting bridge parameters via sysfs.

  Allow all of the bridge ioctls:
  BRCTL_ADD_IF
  BRCTL_DEL_IF
  BRCTL_SET_BRDIGE_FORWARD_DELAY
  BRCTL_SET_BRIDGE_HELLO_TIME
  BRCTL_SET_BRIDGE_MAX_AGE
  BRCTL_SET_BRIDGE_AGING_TIME
  BRCTL_SET_BRIDGE_STP_STATE
  BRCTL_SET_BRIDGE_PRIORITY
  BRCTL_SET_PORT_PRIORITY
  BRCTL_SET_PATH_COST
  BRCTL_ADD_BRIDGE
  BRCTL_DEL_BRDIGE

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm
  Eric W. Biederman | 2012-11-19 | 8 | -9/+9

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW)
  calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or
  capable(net->user_ns, CAP_NET_RAW) calls.

  Allow creation of af_key sockets.
  Allow creation of llc sockets.
  Allow creation of af_packet sockets.

  Allow sending xfrm netlink control messages.

  Allow binding to netlink multicast groups.
  Allow sending to netlink multicast groups.
  Allow adding and dropping netlink multicast groups.
  Allow sending to all netlink multicast groups and port ids.

  Allow reading the netfilter SO_IP_SET socket option.
  Allow sending netfilter netlink messages.
  Allow setting and getting ip_vs netfilter socket options.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root to control ipv6
  Eric W. Biederman | 2012-11-19 | 12 | -25/+28

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW)
  calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or
  capable(net->user_ns, CAP_NET_RAW) calls.

  Settings that merely control a single network device are allowed.
  Either the network device is a logical network device where
  restrictions make no difference or the network device is hardware NIC
  that has been explicitly moved from the initial network namespace.

  In general policy and network stack state changes are allowed while
  resource control is left unchanged.

  Allow the SIOCSIFADDR ioctl to add ipv6 addresses.
  Allow the SIOCDIFADDR ioctl to delete ipv6 addresses.
  Allow the SIOCADDRT ioctl to add ipv6 routes.
  Allow the SIOCDELRT ioctl to delete ipv6 routes.

  Allow creation of ipv6 raw sockets.

  Allow setting the IPV6_JOIN_ANYCAST socket option.
  Allow setting the IPV6_FL_A_RENEW parameter of the IPV6_FLOWLABEL_MGR
  socket option.

  Allow setting the IPV6_TRANSPARENT socket option.
  Allow setting the IPV6_HOPOPTS socket option.
  Allow setting the IPV6_RTHDRDSTOPTS socket option.
  Allow setting the IPV6_DSTOPTS socket option.
  Allow setting the IPV6_IPSEC_POLICY socket option.
  Allow setting the IPV6_XFRM_POLICY socket option.

  Allow sending packets with the IPV6_2292HOPOPTS control message.
  Allow sending packets with the IPV6_2292DSTOPTS control message.
  Allow sending packets with the IPV6_RTHDRDSTOPTS control message.

  Allow setting the multicast routing socket options on non multicast
  routing sockets.

  Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, and SIOCDELTUNNEL ioctls for
  setting up, changing and deleting tunnels over ipv6.

  Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, SIOCDELTUNNEL ioctls for
  setting up, changing and deleting ipv6 over ipv4 tunnels.

  Allow the SIOCADDPRL, SIOCDELPRL, SIOCCHGPRL ioctls for adding,
  deleting, and changing the potential router list for ISATAP tunnels.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root to control ipv4
  Eric W. Biederman | 2012-11-19 | 14 | -27/+30

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW)
  calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or
  capable(net->user_ns, CAP_NET_RAW) calls.

  Settings that merely control a single network device are allowed.
  Either the network device is a logical network device where
  restrictions make no difference or the network device is hardware NIC
  that has been explicitly moved from the initial network namespace.

  In general policy and network stack state changes are allowed while
  resource control is left unchanged.

  Allow creating raw sockets.

  Allow the SIOCSARP ioctl to control the arp cache.
  Allow the SIOCSIFFLAG ioctl to allow setting network device flags.
  Allow the SIOCSIFADDR ioctl to allow setting a netdevice ipv4 address.
  Allow the SIOCSIFBRDADDR ioctl to allow setting a netdevice ipv4
  broadcast address.
  Allow the SIOCSIFDSTADDR ioctl to allow setting a netdevice ipv4
  destination address.
  Allow the SIOCSIFNETMASK ioctl to allow setting a netdevice ipv4
  netmask.
  Allow the SIOCADDRT and SIOCDELRT ioctls to allow adding and deleting
  ipv4 routes.

  Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
  adding, changing and deleting gre tunnels.

  Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
  adding, changing and deleting ipip tunnels.

  Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
  adding, changing and deleting ipsec virtual tunnel interfaces.

  Allow setting the MRT_INIT, MRT_DONE, MRT_ADD_VIF, MRT_DEL_VIF,
  MRT_ADD_MFC, MRT_DEL_MFC, MRT_ASSERT, MRT_PIM, MRT_TABLE socket options
  on multicast routing sockets.

  Allow setting and receiving IPOPT_CIPSO, IP_OPT_SEC, IP_OPT_SID and
  arbitrary ip options.

  Allow setting IP_SEC_POLICY/IP_XFRM_POLICY ipv4 socket option.

  Allow setting the IP_TRANSPARENT ipv4 socket option.

  Allow setting the TCP_REPAIR socket option.

  Allow setting the TCP_CONGESTION socket option.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root control of the core of the network stack.
  Eric W. Biederman | 2012-11-19 | 4 | -13/+28

  Allow an unprivileged user who has created a user namespace, and then
  created a network namespace to effectively use the new network
  namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW)
  calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or
  capable(net->user_ns, CAP_NET_RAW) calls.

  Settings that merely control a single network device are allowed.
  Either the network device is a logical network device where
  restrictions make no difference or the network device is hardware NIC
  that has been explicitly moved from the initial network namespace.

  In general policy and network stack state changes are allowed while
  resource control is left unchanged.

  Allow ethtool ioctls.

  Allow binding to network devices.
  Allow setting the socket mark.
  Allow setting the socket priority.

  Allow setting the network device alias via sysfs.
  Allow setting the mtu via sysfs.
  Allow changing the network device flags via sysfs.
  Allow setting the network device group via sysfs.

  Allow the following network device ioctls.
  SIOCGMIIPHY
  SIOCGMIIREG
  SIOCSIFNAME
  SIOCSIFFLAGS
  SIOCSIFMETRIC
  SIOCSIFMTU
  SIOCSIFHWADDR
  SIOCSIFSLAVE
  SIOCADDMULTI
  SIOCDELMULTI
  SIOCSIFHWBROADCAST
  SIOCSMIIREG
  SIOCBONDENSLAVE
  SIOCBONDRELEASE
  SIOCBONDSETHWADDR
  SIOCBONDCHANGEACTIVE
  SIOCBRADDIF
  SIOCBRDELIF
  SIOCSHWTSTAMP

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Allow userns root to force the scm creds
  Eric W. Biederman | 2012-11-19 | 1 | -3/+3

  If the user calling sendmsg has the appropriate privileges in their
  user namespace allow them to set the uid, gid, and pid in the
  SCM_CREDENTIALS control message to any valid value.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* user_ns: get rid of duplicate code in net_ctl_permissions
  Zhao Hongjiang | 2012-11-19 | 1 | -2/+2

  Get rid of duplicate code in net_ctl_permissions and fix the comment.

  Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
  Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Update the per network namespace sysctls to be available to the network namespace owner
  Eric W. Biederman | 2012-11-19 | 1 | -1/+11

  - Allow anyone with CAP_NET_ADMIN rights in the user namespace of the
    network namespace to change sysctls.
  - Allow anyone the uid of the user namespace root the same permissions
    over the network namespace sysctls as the global root.
  - Allow anyone with gid of the user namespace root group the same
    permissions over the network namespace sysctl as the global root
    group.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Push capable(CAP_NET_ADMIN) into the rtnl methods
  Eric W. Biederman | 2012-11-19 | 17 | -1/+102

  - In rtnetlink_rcv_msg convert the capable(CAP_NET_ADMIN) check to
    ns_capable(net->user-ns, CAP_NET_ADMIN). Allowing unprivileged users
    to make netlink calls to modify their local network namespace.
  - In the rtnetlink doit methods add capable(CAP_NET_ADMIN) so that
    calls that are not safe for unprivileged users are still protected.

  Later patches will remove the extra capable calls from methods that
  are safe for unprivileged users.

  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Don't export sysctls to unprivileged users
  Eric W. Biederman | 2012-11-19 | 22 | -4/+98

  In preparation for supporting the creation of network namespaces by
  unprivileged users, modify all of the per net sysctl exports and
  refuse to allow them to unprivileged users.

  This makes it safe for unprivileged users in general to access per net
  sysctls, and allows sysctls to be exported to unprivileged users on an
  individual basis as they are deemed safe.

  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* sysctl: Pass useful parameters to sysctl permissions
  Eric W. Biederman | 2012-11-19 | 3 | -8/+7

  - Current is implicitly available so passing current->nsproxy isn't
    useful.
  - The ctl_table_header is needed to find how the sysctl table is
    connected to the rest of sysctl.
  - ctl_table_root is available in the ctl_table_header so no need to
    pass it.

  With these changes it becomes possible to write a version of
  net_sysctl_permission that takes into account the network namespace of
  the sysctl table, an important feature in extending the user
  namespace.

  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
  Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* userns: make each net (net_ns) belong to a user_ns
  Eric W. Biederman | 2012-11-19 | 3 | -7/+20

  The user namespace which creates a new network namespace owns that
  namespace and all resources created in it. This way we can target
  capability checks for privileged operations against network resources
  to the user_ns which created the network namespace in which the
  resource lives. Privilege to the user namespace which owns the network
  namespace, or any parent user namespace thereof, provides the same
  privilege to the network resource.

  This patch is reworked from a version originally by
  Serge E. Hallyn <serge.hallyn@canonical.com>

  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
  Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* netns: Deduplicate and fix copy_net_ns when !CONFIG_NET_NS
  Eric W. Biederman | 2012-11-19 | 2 | -13/+9

  The copy of copy_net_ns used when the network stack is not built is
  broken as it does not return -EINVAL when attempting to create a new
  network namespace. We don't even have a previous network namespace.

  Since we need a copy of copy_net_ns in net/net_namespace.h that is
  available when the networking stack is not built at all move the
  correct version of copy_net_ns from net_namespace.c into
  net_namespace.h

  Leaving us with just 2 versions of copy_net_ns. One version for when
  we compile in network namespace support and another stub for all other
  occasions.

  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
  Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv6: Preserve ipv6 functionality needed by NET
  Vlad Yasevich | 2012-11-18 | 2 | -3/+3

  Some pieces of network use core pieces of IPv6 stack. Keep them
  available while letting new GSO offload pieces depend on CONFIG_INET.

  Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* qlcnic: fix sparse warnings
  Sony Chacko | 2012-11-18 | 3 | -53/+65

  qlcnic_hw.c:1337:17: warning: cast removes address space of expression
  qlcnic_hw.c:1337:17: warning: incorrect type in argument 2 (different address spaces)
  qlcnic_hw.c:1337:17:    expected void volatile [noderef] <asn:2>*addr
  qlcnic_hw.c:1337:17:    got void *<noident>
  qlcnic_hw.c:1337:17: warning: cast removes address space of expression
  qlcnic_hw.c:1337:17: warning: incorrect type in argument 1 (different address spaces)
  qlcnic_hw.c:1337:17:    expected void const volatile [noderef] <asn:2>*addr
  qlcnic_hw.c:1337:17:    got void *<noident>

  The above warnings are originating from the macros QLCNIC_RD_DUMP_REG
  and QLCNIC_WR_DUMP_REG. The warnings are fixed and macros are replaced
  with equivalent functions in the only file from where it is called.

  The following warnings are fixed by making the functions static.

  qlcnic_hw.c:543:5: warning: symbol 'qlcnic_set_fw_loopback' was not declared. Should it be static?
  qlcnic_init.c:1853:6: warning: symbol 'qlcnic_process_rcv_diag' was not declared. Should it be static?

  Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* qlcnic: fix compiler warnings
  Sony Chacko | 2012-11-18 | 5 | -25/+17

  Fix the following warnings:

  qlcnic_main.c: In function 'qlcnic_update_cmd_producer':
  qlcnic_main.c:119:51: warning: unused parameter 'adapter' [-Wunused-parameter]
  qlcnic_main.c:119: warning: unused parameter adapter

  qlcnic_init.c: In function qlcnic_process_lro
  qlcnic_init.c:1586: warning: unused parameter sds_ring

  qlcnic_init.c: In function qlcnic_process_rcv_diag
  qlcnic_init.c:1854: warning: unused parameter sds_ring

  qlcnic_init.c: In function qlcnic_fetch_mac
  qlcnic_init.c:1938: warning: unused parameter adapter

  warning: 'pci_using_dac' may be used uninitialized in this function [-Wmaybe-uninitialized]
  qlcnic_main.c:1569:10: note: 'pci_using_dac' was declared here

  Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>