1. 14 Jan, 2015 1 commit
  2. 23 Nov, 2014 1 commit
  3. 18 Nov, 2014 1 commit
  4. 11 Nov, 2014 1 commit
    • Joe Perches's avatar
      net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited · ba7a46f1
      Joe Perches authored
      
      
      Use the more common dynamic_debug capable net_dbg_ratelimited
      and remove the LIMIT_NETDEBUG macro.
      
      All messages are still ratelimited.
      
      Some KERN_<LEVEL> uses are changed to KERN_DEBUG.
      
      This may have some negative impact on messages that were
      emitted at KERN_INFO that are not not enabled at all unless
      DEBUG is defined or dynamic_debug is enabled.  Even so,
      these messages are now _not_ emitted by default.
      
      This also eliminates the use of the net_msg_warn sysctl
      "/proc/sys/net/core/warnings".  For backward compatibility,
      the sysctl is not removed, but it has no function.  The extern
      declaration of net_msg_warn is removed from sock.h and made
      static in net/core/sysctl_net_core.c
      
      Miscellanea:
      
      o Update the sysctl documentation
      o Remove the embedded uses of pr_fmt
      o Coalesce format fragments
      o Realign arguments
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba7a46f1
  5. 23 Oct, 2014 1 commit
  6. 07 Oct, 2014 1 commit
  7. 23 Sep, 2014 1 commit
    • Eric Dumazet's avatar
      icmp: add a global rate limitation · 4cdf507d
      Eric Dumazet authored
      Current ICMP rate limiting uses inetpeer cache, which is an RBL tree
      protected by a lock, meaning that hosts can be stuck hard if all cpus
      want to check ICMP limits.
      
      When say a DNS or NTP server process is restarted, inetpeer tree grows
      quick and machine comes to its knees.
      
      iptables can not help because the bottleneck happens before ICMP
      messages are even cooked and sent.
      
      This patch adds a new global limitation, using a token bucket filter,
      controlled by two new sysctl :
      
      icmp_msgs_per_sec - INTEGER
          Limit maximal number of ICMP packets sent per second from this host.
          Only messages whose type matches icmp_ratemask are
          controlled by this limit.
          Default: 1000
      
      icmp_msgs_burst - INTEGER
          icmp_msgs_per_sec controls number of ICMP packets sent per second,
          while icmp_msgs_burst controls the burst size of these packets.
          Default: 50
      
      Note that if we really want to send millions of ICMP messages per
      second, we might extend idea and infra added in commit 04ca6973
      
      
      ("ip: make IP identifiers less predictable") :
      add a token bucket in the ip_idents hash and no longer rely on inetpeer.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4cdf507d
  8. 24 Aug, 2014 1 commit
    • Ian Morris's avatar
      ipv6: White-space cleansing : Line Layouts · 67ba4152
      Ian Morris authored
      
      
      This patch makes no changes to the logic of the code but simply addresses
      coding style issues as detected by checkpatch.
      
      Both objdump and diff -w show no differences.
      
      A number of items are addressed in this patch:
      * Multiple spaces converted to tabs
      * Spaces before tabs removed.
      * Spaces in pointer typing cleansed (char *)foo etc.
      * Remove space after sizeof
      * Ensure spacing around comparators such as if statements.
      Signed-off-by: default avatarIan Morris <ipm@chirality.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67ba4152
  9. 31 Jul, 2014 1 commit
  10. 13 May, 2014 1 commit
    • Lorenzo Colitti's avatar
      net: add a sysctl to reflect the fwmark on replies · e110861f
      Lorenzo Colitti authored
      
      
      Kernel-originated IP packets that have no user socket associated
      with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
      are emitted with a mark of zero. Add a sysctl to make them have
      the same mark as the packet they are replying to.
      
      This allows an administrator that wishes to do so to use
      mark-based routing, firewalling, etc. for these replies by
      marking the original packets inbound.
      
      Tested using user-mode linux:
       - ICMP/ICMPv6 echo replies and errors.
       - TCP RST packets (IPv4 and IPv6).
      Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e110861f
  11. 08 May, 2014 1 commit
  12. 30 Apr, 2014 1 commit
  13. 31 Mar, 2014 1 commit
  14. 09 Feb, 2014 1 commit
  15. 21 Jan, 2014 1 commit
  16. 14 Jan, 2014 2 commits
  17. 07 Jan, 2014 1 commit
  18. 01 Jan, 2014 1 commit
  19. 05 Sep, 2013 1 commit
    • Duan Jiong's avatar
      ipv6:introduce function to find route for redirect · b55b76b2
      Duan Jiong authored
      RFC 4861 says that the IP source address of the Redirect is the
      same as the current first-hop router for the specified ICMP
      Destination Address, so the gateway should be taken into
      consideration when we find the route for redirect.
      
      There was once a check in commit
      a6279458 ("NDISC: Search over
      all possible rules on receipt of redirect.") and the check
      went away in commit b94f1c09
      
      
      ("ipv6: Use icmpv6_notify() to propagate redirect, instead of
      rt6_redirect()").
      
      The bug is only "exploitable" on layer-2 because the source
      address of the redirect is checked to be a valid link-local
      address but it makes spoofing a lot easier in the same L2
      domain nonetheless.
      
      Thanks very much for Hannes's help.
      Signed-off-by: default avatarDuan Jiong <duanj.fnst@cn.fujitsu.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b55b76b2
  20. 03 Sep, 2013 1 commit
  21. 13 Jun, 2013 1 commit
  22. 29 May, 2013 1 commit
  23. 25 May, 2013 1 commit
    • Lorenzo Colitti's avatar
      net: ipv6: Add IPv6 support to the ping socket. · 6d0bfe22
      Lorenzo Colitti authored
      
      
      This adds the ability to send ICMPv6 echo requests without a
      raw socket. The equivalent ability for ICMPv4 was added in
      2011.
      
      Instead of having separate code paths for IPv4 and IPv6, make
      most of the code in net/ipv4/ping.c dual-stack and only add a
      few IPv6-specific bits (like the protocol definition) to a new
      net/ipv6/ping.c. Hopefully this will reduce divergence and/or
      duplication of bugs in the future.
      
      Caveats:
      
      - Setting options via ancillary data (e.g., using IPV6_PKTINFO
        to specify the outgoing interface) is not yet supported.
      - There are no separate security settings for IPv4 and IPv6;
        everything is controlled by /proc/net/ipv4/ping_group_range.
      - The proc interface does not yet display IPv6 ping sockets
        properly.
      
      Tested with a patched copy of ping6 and using raw socket calls.
      Compiles and works with all of CONFIG_IPV6={n,m,y}.
      Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d0bfe22
  24. 29 Apr, 2013 2 commits
  25. 08 Mar, 2013 1 commit
  26. 18 Jan, 2013 1 commit
  27. 18 Nov, 2012 2 commits
    • Eric W. Biederman's avatar
      net: Enable some sysctls that are safe for the userns root · c027aab4
      Eric W. Biederman authored
      
      
      - Enable the per device ipv4 sysctls:
         net/ipv4/conf/<if>/forwarding
         net/ipv4/conf/<if>/mc_forwarding
         net/ipv4/conf/<if>/accept_redirects
         net/ipv4/conf/<if>/secure_redirects
         net/ipv4/conf/<if>/shared_media
         net/ipv4/conf/<if>/rp_filter
         net/ipv4/conf/<if>/send_redirects
         net/ipv4/conf/<if>/accept_source_route
         net/ipv4/conf/<if>/accept_local
         net/ipv4/conf/<if>/src_valid_mark
         net/ipv4/conf/<if>/proxy_arp
         net/ipv4/conf/<if>/medium_id
         net/ipv4/conf/<if>/bootp_relay
         net/ipv4/conf/<if>/log_martians
         net/ipv4/conf/<if>/tag
         net/ipv4/conf/<if>/arp_filter
         net/ipv4/conf/<if>/arp_announce
         net/ipv4/conf/<if>/arp_ignore
         net/ipv4/conf/<if>/arp_accept
         net/ipv4/conf/<if>/arp_notify
         net/ipv4/conf/<if>/proxy_arp_pvlan
         net/ipv4/conf/<if>/disable_xfrm
         net/ipv4/conf/<if>/disable_policy
         net/ipv4/conf/<if>/force_igmp_version
         net/ipv4/conf/<if>/promote_secondaries
         net/ipv4/conf/<if>/route_localnet
      
      - Enable the global ipv4 sysctl:
         net/ipv4/ip_forward
      
      - Enable the per device ipv6 sysctls:
         net/ipv6/conf/<if>/forwarding
         net/ipv6/conf/<if>/hop_limit
         net/ipv6/conf/<if>/mtu
         net/ipv6/conf/<if>/accept_ra
         net/ipv6/conf/<if>/accept_redirects
         net/ipv6/conf/<if>/autoconf
         net/ipv6/conf/<if>/dad_transmits
         net/ipv6/conf/<if>/router_solicitations
         net/ipv6/conf/<if>/router_solicitation_interval
         net/ipv6/conf/<if>/router_solicitation_delay
         net/ipv6/conf/<if>/force_mld_version
         net/ipv6/conf/<if>/use_tempaddr
         net/ipv6/conf/<if>/temp_valid_lft
         net/ipv6/conf/<if>/temp_prefered_lft
         net/ipv6/conf/<if>/regen_max_retry
         net/ipv6/conf/<if>/max_desync_factor
         net/ipv6/conf/<if>/max_addresses
         net/ipv6/conf/<if>/accept_ra_defrtr
         net/ipv6/conf/<if>/accept_ra_pinfo
         net/ipv6/conf/<if>/accept_ra_rtr_pref
         net/ipv6/conf/<if>/router_probe_interval
         net/ipv6/conf/<if>/accept_ra_rt_info_max_plen
         net/ipv6/conf/<if>/proxy_ndp
         net/ipv6/conf/<if>/accept_source_route
         net/ipv6/conf/<if>/optimistic_dad
         net/ipv6/conf/<if>/mc_forwarding
         net/ipv6/conf/<if>/disable_ipv6
         net/ipv6/conf/<if>/accept_dad
         net/ipv6/conf/<if>/force_tllao
      
      - Enable the global ipv6 sysctls:
         net/ipv6/bindv6only
         net/ipv6/icmp/ratelimit
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c027aab4
    • Eric W. Biederman's avatar
      net: Don't export sysctls to unprivileged users · 464dc801
      Eric W. Biederman authored
      
      
      In preparation for supporting the creation of network namespaces
      by unprivileged users, modify all of the per net sysctl exports
      and refuse to allow them to unprivileged users.
      
      This makes it safe for unprivileged users in general to access
      per net sysctls, and allows sysctls to be exported to unprivileged
      users on an individual basis as they are deemed safe.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      464dc801
  28. 01 Nov, 2012 1 commit
  29. 12 Jul, 2012 1 commit
  30. 10 Jul, 2012 1 commit
  31. 19 Jun, 2012 1 commit
  32. 15 Jun, 2012 1 commit
    • David S. Miller's avatar
      ipv6: Handle PMTU in ICMP error handlers. · 81aded24
      David S. Miller authored
      
      
      One tricky issue on the ipv6 side vs. ipv4 is that the ICMP callouts
      to handle the error pass the 32-bit info cookie in network byte order
      whereas ipv4 passes it around in host byte order.
      
      Like the ipv4 side, we have two helper functions.  One for when we
      have a socket context and one for when we do not.
      
      ip6ip6 tunnels are not handled here, because they handle PMTU events
      by essentially relaying another ICMP packet-too-big message back to
      the original sender.
      
      This patch allows us to get rid of rt6_do_pmtu_disc().  It handles all
      kinds of situations that simply cannot happen when we do the PMTU
      update directly using a fully resolved route.
      
      In fact, the "plen == 128" check in ip6_rt_update_pmtu() can very
      likely be removed or changed into a BUG_ON() check.  We should never
      have a prefixed ipv6 route when we get there.
      
      Another piece of strange history here is that TCP and DCCP, unlike in
      ipv4, never invoke the update_pmtu() method from their ICMP error
      handlers.  This is incredibly astonishing since this is the context
      where we have the most accurate context in which to make a PMTU
      update, namely we have a fully connected socket and associated cached
      socket route.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81aded24
  33. 09 Jun, 2012 1 commit
  34. 18 May, 2012 1 commit
  35. 15 May, 2012 1 commit
  36. 02 Apr, 2012 1 commit
  37. 28 Mar, 2012 1 commit