summaryrefslogtreecommitdiffstats
path: root/net/ipv6 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* net: Put fl6_* macros to struct flowi6 and use them again.David S. Miller2011-03-1311-41/+41
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv6: Convert to use flowi6 where applicable.David S. Miller2011-03-1323-494/+498
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Use flowi4 and flowi6 in xfrm layer.David S. Miller2011-03-132-24/+29
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Break struct flowi out into AF specific instances.David S. Miller2011-03-132-4/+4
| | | | | | | | | | | Now we have struct flowi4, flowi6, and flowidn for each address family. And struct flowi is just a union of them all. It might have been troublesome to convert flow_cache_uli_match() but as it turns out this function is completely unused and therefore can be simply removed. Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Make flowi ports AF dependent.David S. Miller2011-03-1312-45/+45
| | | | | | | | | | | | Create two sets of port member accessors, one set prefixed by fl4_* and the other prefixed by fl6_* This will let us to create AF optimal flow instances. It will work because every context in which we access the ports, we have to be fully aware of which AF the flowi is anyways. Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Put flowi_* prefix on AF independent members of struct flowiDavid S. Miller2011-03-1319-111/+111
| | | | | | | | | | I intend to turn struct flowi into a union of AF specific flowi structs. There will be a common structure that each variant includes first, much like struct sock_common. This is the first step to move in that direction. Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv4: Create and use route lookup helpers.David S. Miller2011-03-132-27/+23
| | | | | | | The idea here is this minimizes the number of places one has to edit in order to make changes to how flows are defined and used. Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2011-03-103-2/+5
|\ | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/bnx2x/bnx2x_cmn.c
| * ip6ip6: autoload ip6 tunnelstephen hemminger2011-03-101-0/+1
| | | | | | | | | | | | | | Add necessary alias to autoload ip6ip6 tunnel module. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'master' of /home/davem/src/GIT/linux-2.6/David S. Miller2011-03-101-1/+1
| |\
| | * net: don't allow CAP_NET_ADMIN to load non-netdev kernel modulesVasiliy Kulikov2011-03-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since a8f80e8ff94ecba629542d9b4b5f5a8ee3eb565c any process with CAP_NET_ADMIN may load any module from /lib/modules/. This doesn't mean that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are limited to /lib/modules/**. However, CAP_NET_ADMIN capability shouldn't allow anybody load any module not related to networking. This patch restricts an ability of autoloading modules to netdev modules with explicit aliases. This fixes CVE-2011-1019. Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior of loading netdev modules by name (without any prefix) for processes with CAP_SYS_MODULE to maintain the compatibility with network scripts that use autoloading netdev modules by aliases like "eth0", "wlan0". Currently there are only three users of the feature in the upstream kernel: ipip, ip_gre and sit. root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) -- root@albatros:~# grep Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: fffffff800001000 CapEff: fffffff800001000 CapBnd: fffffff800001000 root@albatros:~# modprobe xfs FATAL: Error inserting xfs (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted root@albatros:~# lsmod | grep xfs root@albatros:~# ifconfig xfs xfs: error fetching interface information: Device not found root@albatros:~# lsmod | grep xfs root@albatros:~# lsmod | grep sit root@albatros:~# ifconfig sit sit: error fetching interface information: Device not found root@albatros:~# lsmod | grep sit root@albatros:~# ifconfig sit0 sit0 Link encap:IPv6-in-IPv4 NOARP MTU:1480 Metric:1 root@albatros:~# lsmod | grep sit sit 10457 0 tunnel4 2957 1 sit For CAP_SYS_MODULE module loading is still relaxed: root@albatros:~# grep Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: ffffffffffffffff CapEff: ffffffffffffffff CapBnd: ffffffffffffffff root@albatros:~# ifconfig xfs xfs: error fetching interface information: Device not found root@albatros:~# lsmod | grep xfs xfs 745319 0 Reference: https://lkml.org/lkml/2011/2/24/203 Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Acked-by: David S. Miller <davem@davemloft.net> Acked-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
| * | ipv6: Don't create clones of host routes.David S. Miller2011-03-101-1/+3
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Addresses https://bugzilla.kernel.org/show_bug.cgi?id=29252 Addresses https://bugzilla.kernel.org/show_bug.cgi?id=30462 In commit d80bc0fd262ef840ed4e82593ad6416fa1ba3fc4 ("ipv6: Always clone offlink routes.") we forced the kernel to always clone offlink routes. The reason we do that is to make sure we never bind an inetpeer to a prefixed route. The logic turned on here has existed in the tree for many years, but was always off due to a protecting CPP define. So perhaps it's no surprise that there is a logic bug here. The problem is that we canot clone a route that is already a host route (ie. has DST_HOST set). Because if we do, an identical entry already exists in the routing tree and therefore the ip6_rt_ins() call is going to fail. This sets off a series of failures and high cpu usage, because when ip6_rt_ins() fails we loop retrying this operation a few times in order to handle a race between two threads trying to clone and insert the same host route at the same time. Fix this by simply using the route as-is when DST_HOST is set. Reported-by: slash@ac.auone-net.jp Reported-by: Ernst Sjöstrand <ernstp@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | mcast: net_device dev not usedHagen Paul Pfeifer2011-03-081-6/+0
| | | | | | | | | | | | | | | | ip6_mc_source(), ip6_mc_msfilter() as well as ip6_mc_msfget() declare and assign dev but do not use the variable afterwards. Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2011-03-041-7/+10
|\| | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/bnx2x/bnx2x.h
| * sysctl: ipv6: use correct net in ipv6_sysctl_rtcache_flushLucian Adrian Grijincu2011-02-251-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before this patch issuing these commands: fd = open("/proc/sys/net/ipv6/route/flush") unshare(CLONE_NEWNET) write(fd, "stuff") would flush the newly created net, not the original one. The equivalent ipv4 code is correct (stores the net inside ->extra1). Acked-by: Daniel Lezcano <daniel.lezcano@free.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: Use ERR_CAST in addrconf_dst_alloc.David S. Miller2011-03-031-6/+1
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv4: Make output route lookup return rtable directly.David S. Miller2011-03-022-7/+12
| | | | | | | | | | | | Instead of on the stack. Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Return dst directly from xfrm_lookup()David S. Miller2011-03-027-37/+45
| | | | | | | | | | | | Instead of on the stack. Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: Make icmp route lookup code a bit clearer.David S. Miller2011-03-021-51/+66
| | | | | | | | | | | | | | | | | | | | | | The route lookup code in icmpv6_send() is slightly tricky as a result of having to handle all of the requirements of RFC 4301 host relookups. Pull the route resolution into a seperate function, so that the error handling and route reference counting is hopefully easier to see and contained wholly within this new routine. Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Handle blackhole route creation via afinfo.David S. Miller2011-03-013-24/+12
| | | | | | | | | | | | | | That way we don't have to potentially do this in every xfrm_lookup() caller. Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: Normalize arguments to ip6_dst_blackhole().David S. Miller2011-03-012-9/+7
| | | | | | | | | | | | | | | | | | | | Return a dst pointer which is potentitally error encoded. Don't pass original dst pointer by reference, pass a struct net instead of a socket, and elide the flow argument since it is unnecessary. Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Kill XFRM_LOOKUP_WAIT flag.David S. Miller2011-03-011-2/+2
| | | | | | | | | | | | This can be determined from the flow flags instead. Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: Change final dst lookup arg name to "can_sleep"David S. Miller2011-03-011-6/+6
| | | | | | | | | | | | | | Since it indicates whether we are invoked from a sleepable context or not. Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Add FLOWI_FLAG_CAN_SLEEP.David S. Miller2011-03-011-0/+2
| | | | | | | | | | | | And set is in contexts where the route resolution can sleep. Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: Consolidate route lookup sequences.David S. Miller2011-03-018-117/+114
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Route lookups follow a general pattern in the ipv6 code wherein we first find the non-IPSEC route, potentially override the flow destination address due to ipv6 options settings, and then finally make an IPSEC search using either xfrm_lookup() or __xfrm_lookup(). __xfrm_lookup() is used when we want to generate a blackhole route if the key manager needs to resolve the IPSEC rules (in this case -EREMOTE is returned and the original 'dst' is left unchanged). Otherwise plain xfrm_lookup() is used and when asynchronous IPSEC resolution is necessary, we simply fail the lookup completely. All of these cases are encapsulated into two routines, ip6_dst_lookup_flow and ip6_sk_dst_lookup_flow. The latter of which handles unconnected UDP datagram sockets. Signed-off-by: David S. Miller <davem@davemloft.net>
* | inet: Remove unused sk_sndmsg_* from UFOHerbert Xu2011-03-011-1/+0
| | | | | | | | | | | | | | | | | | | | UFO doesn't really use the sk_sndmsg_* parameters so touching them is pointless. It can't use them anyway since the whole point of UFO is to use the original pages without copying. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: TX timestamps for IPv6 UDP packetsAnders Berggren2011-02-281-0/+17
| | | | | | | | | | | | | | | | | | Enabling TX timestamps (SO_TIMESTAMPING) for IPv6 UDP packets, in the same fashion as for IPv4. Necessary in order for NICs such as Intel 82580 to timestamp IPv6 packets. Signed-off-by: Anders Berggren <anders@halon.se> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: ignore rtnl_unicast() return codeHagen Paul Pfeifer2011-02-251-2/+1
| | | | | | | | | | | | | | | | rtnl_unicast() return value is not of interest, we can silently ignore it, save some instructions and four byte on the stack. Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: variable next is never used in this functionHagen Paul Pfeifer2011-02-251-3/+1
| | | | | | | | | | Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: hash is calculated but not used afterwardsHagen Paul Pfeifer2011-02-251-3/+0
| | | | | | | | | | | | | | | | hash is declared and assigned but not used anymore. ipv6_addr_hash() exhibit no side-effects. Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: totlen is declared and assigned but not usedHagen Paul Pfeifer2011-02-251-3/+0
| | | | | | | | | | Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Const'ify address arguments to ->dst_lookup()David S. Miller2011-02-241-2/+2
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Const'ify tmpl and address arguments to ->init_temprop()David S. Miller2011-02-241-2/+2
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Mark flowi arg to xfrm_type->reject() const.David S. Miller2011-02-231-1/+2
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Mark flowi arg to ->init_tempsel() const.David S. Miller2011-02-231-1/+1
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Mark flowi arg to ->fill_dst() const.David S. Miller2011-02-231-1/+1
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Mark flowi arg to ->get_tos() const.David S. Miller2011-02-231-1/+1
| | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* | tcp: Remove debug macro of TCP_CHECK_TIMERShan Wei2011-02-201-4/+0
| | | | | | | | | | | | | | | | | | | | Now, TCP_CHECK_TIMER is not used for debuging, it does nothing. And, it has been there for several years, maybe 6 years. Remove it to keep code clearer. Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2011-02-202-1/+2
|\| | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: Documentation/feature-removal-schedule.txt drivers/net/e1000e/netdev.c net/xfrm/xfrm_policy.c
| * Merge branch 'master' of ↵David S. Miller2011-02-201-1/+1
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
| | * netfilter: ip6t_LOG: fix a flaw in printing the MACJoerg Marx2011-02-171-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | The flaw was in skipping the second byte in MAC header due to increasing the pointer AND indexed access starting at '1'. Signed-off-by: Joerg Marx <joerg.marx@secunet.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
| * | net: provide default_advmss() methods to blackhole dst_opsEric Dumazet2011-02-181-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 0dbaee3b37e118a (net: Abstract default ADVMSS behind an accessor.) introduced a possible crash in tcp_connect_init(), when dst->default_advmss() is called from dst_metric_advmss() Reported-by: George Spelvin <linux@horizon.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | net: Add initial_ref arg to dst_alloc().David S. Miller2011-02-181-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows avoiding multiple writes to the initial __refcnt. The most simplest cases of wanting an initial reference of "1" in ipv4 and ipv6 have been converted, the rest have been left along and kept at the existing "0". Signed-off-by: David S. Miller <davem@davemloft.net>
* | | inet: Create a mechanism for upward inetpeer propagation into routes.David S. Miller2011-02-101-2/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we didn't have a routing cache, we would not be able to properly propagate certain kinds of dynamic path attributes, for example PMTU information and redirects. The reason is that if we didn't have a routing cache, then there would be no way to lookup all of the active cached routes hanging off of sockets, tunnels, IPSEC bundles, etc. Consider the case where we created a cached route, but no inetpeer entry existed and also we were not asked to pre-COW the route metrics and therefore did not force the creation a new inetpeer entry. If we later get a PMTU message, or a redirect, and store this information in a new inetpeer entry, there is no way to teach that cached route about the newly existing inetpeer entry. The facilities implemented here handle this problem. First we create a generation ID. When we create a cached route of any kind, we remember the generation ID at the time of attachment. Any time we force-create an inetpeer entry in response to new path information, we bump that generation ID. The dst_ops->check() callback is where the knowledge of this event is propagated. If the global generation ID does not equal the one stored in the cached route, and the cached route has not attached to an inetpeer yet, we look it up and attach if one is found. Now that we've updated the cached route's information, we update the route's generation ID too. This clears the way for implementing PMTU and redirects directly in the inetpeer cache. There is absolutely no need to consult cached route information in order to maintain this information. At this point nothing bumps the inetpeer genids, that comes in the later changes which handle PMTUs and redirects using inetpeers. Signed-off-by: David S. Miller <davem@davemloft.net>
* | | inetpeer: Abstract address representation further.David S. Miller2011-02-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Future changes will add caching information, and some of these new elements will be addresses. Since the family is implicit via the ->daddr.family member, replicating the family in ever address we store is entirely redundant. Signed-off-by: David S. Miller <davem@davemloft.net>
* | | net: Kill NETEVENT_PMTU_UPDATE.David S. Miller2011-02-091-1/+0
| | | | | | | | | | | | | | | | | | | | | Nobody actually does anything in response to the event, so just kill it off. Signed-off-by: David S. Miller <davem@davemloft.net>
* | | inetpeer: Move ICMP rate limiting state into inet_peer entries.David S. Miller2011-02-053-9/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Like metrics, the ICMP rate limiting bits are cached state about a destination. So move it into the inet_peer entries. If an inet_peer cannot be bound (the reason is memory allocation failure or similar), the policy is to allow. Signed-off-by: David S. Miller <davem@davemloft.net>
* | | Merge branch 'master' of ↵David S. Miller2011-02-044-1/+108
|\| | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
| * | net: Provide compat support for SIOCGETMIFCNT_IN6 and SIOCGETSGCNT_IN6.David S. Miller2011-02-042-0/+94
| | | | | | | | | | | | Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net: Fix ipv6 neighbour unregister_sysctl_table warningEric W. Biederman2011-02-011-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In my testing of 2.6.37 I was occassionally getting a warning about sysctl table entries being unregistered in the wrong order. Digging in it turns out this dates back to the last great sysctl reorg done where Al Viro introduced the requirement that sysctl directories needed to be created before and destroyed after the files in them. It turns out that in that great reorg /proc/sys/net/ipv6/neigh was overlooked. So this patch fixes that oversight and makes an annoying warning message go away. >------------[ cut here ]------------ >WARNING: at kernel/sysctl.c:1992 unregister_sysctl_table+0x134/0x164() >Pid: 23951, comm: kworker/u:3 Not tainted 2.6.37-350888.2010AroraKernelBeta.fc14.x86_64 #1 >Call Trace: > [<ffffffff8103e034>] warn_slowpath_common+0x80/0x98 > [<ffffffff8103e061>] warn_slowpath_null+0x15/0x17 > [<ffffffff810452f8>] unregister_sysctl_table+0x134/0x164 > [<ffffffff810e7834>] ? kfree+0xc4/0xd1 > [<ffffffff813439b2>] neigh_sysctl_unregister+0x22/0x3a > [<ffffffffa02cd14e>] addrconf_ifdown+0x33f/0x37b [ipv6] > [<ffffffff81331ec2>] ? skb_dequeue+0x5f/0x6b > [<ffffffffa02ce4a5>] addrconf_notify+0x69b/0x75c [ipv6] > [<ffffffffa02eb953>] ? ip6mr_device_event+0x98/0xa9 [ipv6] > [<ffffffff813d2413>] notifier_call_chain+0x32/0x5e > [<ffffffff8105bdea>] raw_notifier_call_chain+0xf/0x11 > [<ffffffff8133cdac>] call_netdevice_notifiers+0x45/0x4a > [<ffffffff8133d2b0>] rollback_registered_many+0x118/0x201 > [<ffffffff8133d3af>] unregister_netdevice_many+0x16/0x6d > [<ffffffff8133d571>] default_device_exit_batch+0xa4/0xb8 > [<ffffffff81337c42>] ? cleanup_net+0x0/0x194 > [<ffffffff81337a2a>] ops_exit_list+0x4e/0x56 > [<ffffffff81337d36>] cleanup_net+0xf4/0x194 > [<ffffffff81053318>] process_one_work+0x187/0x280 > [<ffffffff8105441b>] worker_thread+0xff/0x19f > [<ffffffff8105431c>] ? worker_thread+0x0/0x19f > [<ffffffff8105776d>] kthread+0x7d/0x85 > [<ffffffff81003824>] kernel_thread_helper+0x4/0x10 > [<ffffffff810576f0>] ? kthread+0x0/0x85 > [<ffffffff81003820>] ? kernel_thread_helper+0x0/0x10 >---[ end trace 8a7e9310b35e9486 ]--- Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>