- 31 Jan, 2008 7 commits
-
-
Helge Deller authored
Signed-off-by:
Helge Deller <deller@gmx.de> Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Denis V. Lunev authored
The address of IPv6 raw sockets was shown in the wrong format, from IPv4 ones. The problem has been introduced by the commit 42a73808 ("[RAW]: Consolidate proc interface.") Thanks to Adrian Bunk who originally noticed the problem. Signed-off-by:
Denis V. Lunev <den@openvz.org> Signed-off-by:
-
Denis V. Lunev authored
Different hashtables are used for IPv6 and IPv4 raw sockets, so no need to check the socket family in the iterator over hashtables. Clean this out. Signed-off-by:
-
Eric Dumazet authored
Signed-off-by:
Eric Dumazet <dada1@cosmosbay.com> Signed-off-by:
-
Laszlo Attila Toth authored
A userspace program may wish to set the mark for each packets its send without using the netfilter MARK target. Changing the mark can be used for mark based routing without netfilter or for packet filtering. It requires CAP_NET_ADMIN capability. Signed-off-by:
Laszlo Attila Toth <panther@balabit.hu> Acked-by:
-
Herbert Xu authored
This patch adds support for combined mode algorithms with GCM being the first algorithm supported. Combined mode algorithms can be added through the xfrm_user interface using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms is identified by its name and the ICV length. For the purposes of matching algorithms in xfrm_tmpl structures, combined mode algorithms occupy the same name space as encryption algorithms. This is in line with how they are negotiated using IKE. Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Herbert Xu authored
This patch converts ESP to use the crypto_aead interface and in particular the authenc algorithm. This lays the foundations for future support of combined mode algorithms. Signed-off-by:
-
- 29 Jan, 2008 3 commits
-
-
Paul Moore authored
Most trusted OSs, with the exception of Linux, have the ability to specify static security labels for unlabeled networks. This patch adds this ability to the NetLabel packet labeling framework. If the NetLabel subsystem is called to determine the security attributes of an incoming packet it first checks to see if any recognized NetLabel packet labeling protocols are in-use on the packet. If none can be found then the unlabled connection table is queried and based on the packets incoming interface and address it is matched with a security label as configured by the administrator using the netlabel_tools package. The matching security label is returned to the caller just as if the packet was explicitly labeled using a labeling protocol. Signed-off-by:
Paul Moore <paul.moore@hp.com> Signed-off-by:
James Morris <jmorris@namei.org>
-
Paul Moore authored
In order to do any sort of IP header inspection of incoming packets we need to know which address family, AF_INET/AF_INET6/etc., it belongs to and since the sk_buff structure does not store this information we need to pass along the address family separate from the packet itself. Signed-off-by:
-
Paul Moore authored
This patch adds support to the NetLabel LSM secattr struct for a secid token and a type field, paving the way for full LSM/SELinux context support and "static" or "fallback" labels. In addition, this patch adds a fair amount of documentation to the core NetLabel structures used as part of the NetLabel kernel API. Signed-off-by:
-
- 28 Jan, 2008 30 commits
-
-
Patrick McHardy authored
Signed-off-by:
-
Denis V. Lunev authored
Basically, this piece looks relatively easy. Namespace is already available on the dst entry via device and the device is safe to dereferrence. Compare it with one of a searcher and skip entry if appropriate. The only exception is ip_rt_frag_needed. So, add namespace parameter to it. Signed-off-by:
-
Denis V. Lunev authored
ip_route_connect and ip_route_newports are a part of routing API presented to the socket layer. The namespace is available inside them through a socket. Signed-off-by:
-
Patrick McHardy authored
Signed-off-by:
-
Patrick McHardy authored
Signed-off-by:
-
Patrick McHardy authored
Convert packet schedulers to use the netlink API. Unfortunately a gradual conversion is not possible without breaking compilation in the middle or adding lots of casts, so this patch converts them all in one step. The patch has been mostly generated automatically with some minor edits to at least allow seperate conversion of classifiers and actions. Signed-off-by:
-
Patrick McHardy authored
Used to append data to a message without a header or padding. Signed-off-by:
-
Denis V. Lunev authored
Needed to propagate it down to the ip_route_output_flow. Signed-off-by:
-
Denis V. Lunev authored
Needed to propagate it down to the __ip_route_output_key. Signed_off_by: Denis V. Lunev <den@openvz.org> Signed-off-by: -
Denis V. Lunev authored
This is only required to propagate it down to the ip_route_output_slow. Signed-off-by:
-
Denis V. Lunev authored
Currently fib_select_default calls fib_get_table() with the init_net. Prepare it to provide a correct namespace to lookup default route. Signed-off-by:
-
Denis V. Lunev authored
The difference in the implementation of the fib_select_default when CONFIG_IP_MULTIPLE_TABLES is (not) defined looks negligible. Consolidate it and place into fib_frontend.c. Signed-off-by:
-
Denis V. Lunev authored
Two small issues fixed: - fib_select_multipath is exported from fib_semantics.c rather than from fib_frontend.c. So, move the declaration below appropriate comment. - struct rt_entry declaration is not used. Drop it. Signed-off-by:
-
Eric Dumazet authored
On x86_64, sizeof(struct rtable) is 0x148, which is rounded up to 0x180 bytes by SLAB allocator. We can reduce this to exactly 0x140 bytes, without alignment overhead, and store 12 struct rtable per PAGE instead of 10. rate_tokens is currently defined as an "unsigned long", while its content should not exceed 6*HZ. It can safely be converted to an unsigned int. Moving tclassid right after rate_tokens to fill the 4 bytes hole permits to save 8 bytes on 'struct dst_entry', which finally permits to save 8 bytes on 'struct rtable' Signed-off-by:
-
Pavel Emelyanov authored
On namespace start we mainly prepare the ctl variables. When the namespace is stopped we have to kill all the fragments that point to this namespace. The inet_frags_exit_net() handles it. Signed-off-by:
Pavel Emelyanov <xemul@openvz.org> Signed-off-by:
-
Pavel Emelyanov authored
The inet_frags.lru_list is used for evicting only, so we have to make it per-namespace, to evict only those fragments, who's namespace exceeded its high threshold, but not the whole hash. Besides, this helps to avoid long loops in evictor. The spinlock is not per-namespace because it protects the hash table as well, which is global. Signed-off-by:
-
Pavel Emelyanov authored
Since we have one hashtable to lookup the fragment, having different secret_interval-s for hash rebuild doesn't make sense, so move this one to inet_frags. The inet_frags_ctl becomes empty after this, so remove it. The appropriate ctl table is kept read-only in namespaces. Signed-off-by:
-
Pavel Emelyanov authored
This is the same as with the timeout variable. Currently, after exceeding the high threshold _all_ the fragments are evicted, but it will be fixed in later patch. Signed-off-by:
-
Pavel Emelyanov authored
Move it to the netns_frags, adjust the usage and make the appropriate ctl table writable. Now fragment, that live in different namespaces can live for different times. Signed-off-by:
-
Pavel Emelyanov authored
Each namespace has to have own tables to tune their different parameters, so duplicate the tables and register them. All the tables in sub-namespaces are temporarily made read-only. Signed-off-by:
-
Pavel Emelyanov authored
This is also simple, but introduces more changes, since then mem counter is altered in more places. Signed-off-by:
-
Pavel Emelyanov authored
This is simple - just move the variable from struct inet_frags to struct netns_frags and adjust the usage appropriately. Signed-off-by:
-
Pavel Emelyanov authored
Since fragment management code is consolidated, we cannot have the pointer from inet_frag_queue to struct net, since we must know what king of fragment this is. So, I introduce the netns_frags structure. This one is currently empty, but will be eventually filled with per-namespace attributes. Each inet_frag_queue is tagged with this one. The conntrack_reasm is not "netns-izated", so it has one static netns_frags instance to keep working in init namespace. Signed-off-by:
-
Pavel Emelyanov authored
This is a preparation for sysctl netns-ization. Move the ctl tables to the files, where the tuning variables reside. Plus make the helpers to register the tables. This will simplify the later patches and will keep similar things closer to each other. ipv4, ipv6 and conntrack_reasm are patched differently, but the result is all the tables are in appropriate files. Signed-off-by:
-
YOSHIFUJI Hideaki authored
Fix the following sparse warnings: | net/ipv6/route.c:2491:18: warning: symbol 'ipv6_route_sysctl_init' was not declared. Should it be static? | net/ipv6/icmp.c:922:18: warning: symbol 'ipv6_icmp_sysctl_init' was not declared. Should it be static? | net/ipv6/reassembly.c:628:6: warning: symbol 'ipv6_frag_sysctl_init' was not declared. Should it be static? Signed-off-by:YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
-
Denis V. Lunev authored
Signed-off-by:
-
Johannes Berg authored
This patch (based on Ron Rindjunsky's) creates a framework for a unified way to pass BSS configuration to drivers that require the information, e.g. for implementing power save mode. This patch introduces new ieee80211_bss_conf structure that is passed to the driver via the new bss_info_changed() callback when the BSS configuration changes. This new BSS configuration infrastructure adds the following new features: * drivers are notified of their association AID * drivers are notified of association status and replaces the erp_ie_changed() callback. The patch also does the relevant driver updates for the latter change. Signed-off-by:
Ron Rindjunsky <ron.rindjunsky@intel.com> Signed-off-by:
Johannes Berg <johannes@sipsolutions.net> Signed-off-by:
John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
Drivers that support mixed AP/STA operation may well need to know the type of a virtual interface when iterating over them. The easiest way to support that is to move the interface type variable into the vif structure. Signed-off-by:
-
Johannes Berg authored
This patch gets rid of the if_id stuff where possible in favour of a new per-virtual-interface structure "struct ieee80211_vif". This structure is located at the end of the per-interface structure and contains a variable length driver-use data area. This has two advantages: * removes the need to look up interfaces by if_id, this is better for working with network namespaces and performance * allows drivers to store and retrieve per-interface data without having to allocate own lists/hash tables Signed-off-by:
-
Al Viro authored
Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
