1. 22 Apr, 2009 8 commits
  2. 20 Apr, 2009 1 commit
  3. 16 Apr, 2009 1 commit
    • netfilter: nf_nat: add support for persistent mappings · 98d500d6
      Patrick McHardy authored
      The removal of the SAME target accidentally removed one feature that is
      not available from the normal NAT targets so far, having multi-range
      mappings that use the same mapping for each connection from a single
      client. The current behaviour is to choose the address from the range
      based on source and destination IP, which breaks when communicating
      with sites having multiple addresses that require all connections to
      originate from the same IP address.
      Introduce an IP_NAT_RANGE_PERSISTENT option that controls whether the
      destination address is taken into account for selecting addresses.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  4. 11 Apr, 2009 1 commit
    • ipv6: Fix NULL pointer dereference with time-wait sockets · 499923c7
      Vlad Yasevich authored
      Commit b2f5e7cd
      (ipv6: Fix conflict resolutions during ipv6 binding)
      introduced a regression where time-wait sockets were
      not treated correctly.  This resulted in the following:
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000062
      IP: [<ffffffff805d7d61>] ipv4_rcv_saddr_equal+0x61/0x70
      Call Trace:
      [<ffffffffa033847b>] ipv6_rcv_saddr_equal+0x1bb/0x250 [ipv6]
      [<ffffffffa03505a8>] inet6_csk_bind_conflict+0x88/0xd0 [ipv6]
      [<ffffffff805bb18e>] inet_csk_get_port+0x1ee/0x400
      [<ffffffffa0319b7f>] inet6_bind+0x1cf/0x3a0 [ipv6]
      [<ffffffff8056d17c>] ? sockfd_lookup_light+0x3c/0xd0
      [<ffffffff8056ed49>] sys_bind+0x89/0x100
      [<ffffffff80613ea2>] ? trace_hardirqs_on_thunk+0x3a/0x3c
      [<ffffffff8020bf9b>] system_call_fastpath+0x16/0x1b
      Tested-by: Brian Haley <brian.haley@hp.com>
      Tested-by: Ed Tomlinson <edt@aei.ca>
      Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 06 Apr, 2009 1 commit
  6. 02 Apr, 2009 1 commit
  7. 27 Mar, 2009 17 commits
    • netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections · 07feee8f
      Paul Moore authored
      This patch cleans up a lot of the Smack network access control code.  The
      largest changes are to fix the labeling of incoming TCP connections in a
      manner similar to the recent SELinux changes which use the
      security_inet_conn_request() hook to label the request_sock and let the label
      move to the child socket via the normal network stack mechanisms.  In addition
      to the incoming TCP connection fixes this patch also removes the smk_labled
      field from the socket_smack struct as the minor optimization advantage was
      outweighed by the difficulty in maintaining its proper state.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
      Paul Moore authored
      The current NetLabel/SELinux behavior for incoming TCP connections works but
      only through a series of happy coincidences that rely on the limited nature of
      standard CIPSO (only able to convey MLS attributes) and the write equality
      imposed by the SELinux MLS constraints.  The problem is that network sockets
      created as the result of an incoming TCP connection were not on-the-wire
      labeled based on the security attributes of the parent socket but rather based
      on the wire label of the remote peer.  The issue had to do with how IP options
      were managed as part of the network stack and where the LSM hooks were in
      relation to the code which set the IP options on these newly created child
      sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
      label it was promptly cleared by the network stack and reset based on the IP
      options of the remote peer.
      This patch, in conjunction with a prior patch that adjusted the LSM hook
      locations, works to set the correct on-the-wire label format for new incoming
      connections through the security_inet_conn_request() hook.  Besides the
      correct behavior there are many advantages to this change, the most significant
      is that all of the NetLabel socket labeling code in SELinux now lives in hooks
      which can return error codes to the core stack which allows us to finally get
      rid of the selinux_netlbl_inode_permission() logic which greatly simplifies
      the NetLabel/SELinux glue code.  In the process of developing this patch I
      also ran into a small handful of AF_INET6 cleanliness issues that have been
      fixed which should make the code safer and easier to extend in the future.
      Signed-off-by: Paul Moore <paul.moore@hp.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • mac80211/iwlwifi: move virtual A-MDPU queue bookkeeping to iwlwifi · e4e72fb4
      Johannes Berg authored
      This patch removes all the virtual A-MPDU-queue bookkeeping from
      mac80211. Curiously, iwlwifi already does its own bookkeeping, so
      it doesn't require many changes except where it needs to handle
      starting and stopping the queues in mac80211.
      To handle the queue stop/wake properly, we rewrite the software
      queue number for aggregation frames and internally to iwlwifi keep
      track of the queues that map into the same AC queue, and only talk
      to mac80211 about the AC queue. The implementation requires calling
      two new functions, iwl_stop_queue and iwl_wake_queue instead of the
      mac80211 counterparts.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Cc: Reinette Chatre <reinette.chatre@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix aggregation to not require queue stop · cd8ffc80
      Johannes Berg authored
      Instead of stopping the entire AC queue when enabling aggregation
      (which was only done for hardware with aggregation queues) buffer
      the packets for each station, and release them to the pending skb
      queue once aggregation is turned on successfully.
      We get a little more code, but it becomes conceptually simpler and
      we can remove the entire virtual queue mechanism from mac80211 in
      a follow-up patch.
      This changes how mac80211 behaves towards drivers that support
      aggregation but have no hardware queues -- those drivers will now
      not be handed packets while the aggregation session is being
      established, but only after it has been fully established.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: unify and fix TX aggregation start · b1720231
      Johannes Berg authored
      When TX aggregation becomes operational, we do a number of steps:
       1) print a debug message
       2) wake the virtual queue
       3) notify the driver
      Unfortunately, 1) and 3) are only done if the driver is first to
      reply to the aggregation request, it is, however, possible that the
      remote station replies before the driver! Thus, unify the code for
      this and call the new function ieee80211_agg_tx_operational in both
      places where TX aggregation can become operational.
      Additionally, rename the driver notification from
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: rate control status only for controlled packets · 2b874e83
      Johannes Berg authored
      This patch changes mac80211 to not notify the rate control algorithm's
      tx_status() method when reporting status for a packet that didn't go
      through the rate control algorithm's get_rate() method.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: add beacon filtering support · 04de8381
      Kalle Valo authored
      Add IEEE80211_HW_BEACON_FILTERING flag so that a driver can inform that it supports
      beacon filtering. Drivers need to call the new function
      ieee80211_beacon_loss() to notify about beacon loss.
      Signed-off-by: Kalle Valo <kalle.valo@nokia.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • cfg80211: add feature to hold bss · a08c1c1a
      Kalle Valo authored
      In beacon filtering there needs to be a way to not expire the BSS even
      when no beacons are received. Add an interface to cfg80211 to hold
      BSS and make sure that it's not expired.
      Signed-off-by: Kalle Valo <kalle.valo@nokia.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: disable power save when scanning · 9050bdd8
      Kalle Valo authored
      When software scanning we need to disable power save so that all possible
      probe responses and beacons are received. For hardware scanning assume that
      hardware will take care of that and document that assumption.
      Signed-off-by: Kalle Valo <kalle.valo@nokia.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • nl80211: Remove NL80211_CMD_SET_MGMT_EXTRA_IE · 65fc73ac
      Jouni Malinen authored
      The functionality that NL80211_CMD_SET_MGMT_EXTRA_IE provided can now
      be achieved with cleaner design by adding IE(s) into
      Since this is a very recently added command and there are no known (or
      known planned) applications using NL80211_CMD_SET_MGMT_EXTRA_IE and
      taking into account how much extra complexity it adds to the IE
      processing we have now (and need to add in the future to fix IE order
      in a couple of frames), it looks like the best option is to just remove
      the implementation of this command for now. The enum values themselves
      are left to avoid changing the nl80211 command or attribute numbers.
      Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • nl80211: Add MLME primitives to support external SME · 636a5d36
      Jouni Malinen authored
      This patch adds new nl80211 commands to allow user space to request
      authentication and association (and also deauthentication and
      disassociation). The commands are structured to allow separate
      authentication and association steps, i.e., the interface between
      kernel and user space is similar to the MLME SAP interface in IEEE
      802.11 standard and a user space application takes the role of the
      The patch introduces MLME-AUTHENTICATE.request,
      MLME-{,RE}ASSOCIATE.request, MLME-DEAUTHENTICATE.request, and
      MLME-DISASSOCIATE.request primitives. The authentication and
      association commands request the actual operations in two steps
      (assuming the driver supports this; if not, separate authentication
      step is skipped; this could end up being a separate "connect"
      The initial implementation for mac80211 uses the current
      net/mac80211/mlme.c for actual sending and processing of management
      frames and the new nl80211 commands will just stop the current state
      machine from moving automatically from authentication to association.
      Future cleanup may move more of the MLME operations into cfg80211.
      The goal of this design is to provide more control of authentication and
      association process to user space without having to move the full MLME
      implementation. This should be enough to allow IEEE 802.11r FT protocol
      and 802.11s SAE authentication to be implemented. Obviously, this will
      also bring the extra benefit of not having to use WEXT for association
      requests with mac80211. An example implementation of a user space SME
      using the new nl80211 commands is available for wpa_supplicant.
      This patch is enough to get IEEE 802.11r FT protocol working with
      over-the-air mechanism (over-the-DS will need additional MLME
      primitives for handling the FT Action frames).
      Signed-off-by: Jouni Malinen <j@w1.fi>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • nl80211: Event notifications for MLME events · 6039f6d2
      Jouni Malinen authored
      Add new nl80211 event notifications (and a new multicast group, "mlme")
      for informing user space about received and processed Authentication,
      (Re)Association Response, Deauthentication, and Disassociation frames in
      station and IBSS modes (i.e., MLME SAP interface primitives
      MLME-DISASSOCIATE.indication). The event data is encapsulated as the 802.11
      management frame since we already have the frame in that format and it
      includes all the needed information.
      This is the initial step in providing MLME SAP interface for
      authentication and association with nl80211. In other words, kernel code
      will act as the MLME and a user space application can control it as the
      Signed-off-by: Jouni Malinen <j@w1.fi>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: kill IEEE80211_CONF_SHORT_SLOT_TIME · b3a90285
      Johannes Berg authored
      No drivers use it any more, so it can now be removed safely.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • wireless: radiotap updates · aae89831
      Johannes Berg authored
      Radiotap was updated to include a "bad PLCP" flag and standardise
      the "bad FCS" flag in the "flags" rather than "RX flags" field,
      this patch updates Linux to that standard.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: reduce max number of queues · 51b38147
      Johannes Berg authored
      No hw/driver actually supports more than four queues right now,
      and we allocate a number of things per queue which means we
      waste a bit of memory. Reduce the maximum number to four to
      accurately reflect what we do (and need for QoS). Even if we
      had hardware supporting more queues we couldn't take advantage
      of that right now anyway.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: remove ieee80211_num_regular_queues · 176be728
      Johannes Berg authored
      This inline is useless and actually makes the code _longer_
      rather than shorter.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • net: Add support for the OpenCores 10/100 Mbps Ethernet MAC. · a1702857
      Thierry Reding authored
      This patch adds a platform device driver that supports the OpenCores 10/100
      Mbps Ethernet MAC.
      The driver expects three resources: one IORESOURCE_MEM resource defines the
      memory region for the core's memory-mapped registers while a second
      IORESOURCE_MEM resource defines the network packet buffer space. The third
      resource, of type IORESOURCE_IRQ, associates an interrupt with the driver.
      Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de>
      Acked-by: Florian Fainelli <florian@openwrt.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  8. 25 Mar, 2009 6 commits
  9. 24 Mar, 2009 1 commit
  10. 21 Mar, 2009 3 commits
    • dsa: add switch chip cascading support · e84665c9
      Lennert Buytenhek authored
      The initial version of the DSA driver only supported a single switch
      chip per network interface, while DSA-capable switch chips can be
      interconnected to form a tree of switch chips.  This patch adds support
      for multiple switch chips on a network interface.
      An example topology for a 16-port device with an embedded CPU is as
      	+-----+          +--------+       +--------+
      	|     |eth0    10| switch |9    10| switch |
      	| CPU +----------+        +-------+        |
      	|     |          | chip 0 |       | chip 1 |
      	+-----+          +---++---+       +---++---+
      	                     ||               ||
      	                     ||               ||
      	                     ||1000baseT      ||1000baseT
      	                     ||ports 1-8      ||ports 9-16
      This requires a couple of interdependent changes in the DSA layer:
      - The dsa platform driver data needs to be extended: there is still
        only one netdevice per DSA driver instance (eth0 in the example
        above), but each of the switch chips in the tree needs its own
        mii_bus device pointer, MII management bus address, and port name
        array. (include/net/dsa.h)  The existing in-tree dsa users need
        some small changes to deal with this. (arch/arm)
      - The DSA and Ethertype DSA tagging modules need to be extended to
        use the DSA device ID field on receive and demultiplex the packet
        accordingly, and fill in the DSA device ID field on transmit
        according to which switch chip the packet is heading to.
      - The concept of "CPU port", which is the switch chip port that the
        CPU is connected to (port 10 on switch chip 0 in the example), needs
        to be extended with the concept of "upstream port", which is the
        port on the switch chip that will bring us one hop closer to the CPU
        (port 10 for both switch chips in the example above).
      - The dsa platform data needs to specify which ports on which switch
        chips are links to other switch chips, so that we can enable DSA
        tagging mode on them.  (For inter-switch links, we always use
        non-EtherType DSA tagging, since it has lower overhead.  The CPU
        link uses dsa or edsa tagging depending on what the 'root' switch
        chip supports.)  This is done by specifying "dsa" for the given
        port in the port array.
      - The dsa platform data needs to be extended with information on via
        which port to reach any given switch chip from any given switch chip.
        This info is specified via the per-switch chip data struct ->rtable[]
        array, which gives the nexthop ports for each of the other switches
        in the tree.
      For the example topology above, the dsa platform data would look
      something like this:
      	static struct dsa_chip_data sw[2] = {
      		{
      			.mii_bus	= &foo,
      			.sw_addr	= 1,
      			.port_names[0]	= "p1",
      			.port_names[1]	= "p2",
      			.port_names[2]	= "p3",
      			.port_names[3]	= "p4",
      			.port_names[4]	= "p5",
      			.port_names[5]	= "p6",
      			.port_names[6]	= "p7",
      			.port_names[7]	= "p8",
      			.port_names[9]	= "dsa",	/* link to switch chip 1 */
      			.port_names[10]	= "cpu",
      			.rtable		= (s8 []){ -1, 9, },	/* chip 1 via port 9 */
      		}, {
      			.mii_bus	= &foo,
      			.sw_addr	= 2,
      			.port_names[0]	= "p9",
      			.port_names[1]	= "p10",
      			.port_names[2]	= "p11",
      			.port_names[3]	= "p12",
      			.port_names[4]	= "p13",
      			.port_names[5]	= "p14",
      			.port_names[6]	= "p15",
      			.port_names[7]	= "p16",
      			.port_names[10]	= "dsa",	/* upstream link to switch chip 0 */
      			.rtable		= (s8 []){ 10, -1, },	/* chip 0 via port 10 */
      		},
      	};
      	static struct dsa_platform_data pd = {
      		.netdev		= &foo,
      		.nr_switches	= 2,
      		.sw		= sw,
      	};
      Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
      Tested-by: Gary Thomas <gary@mlbassoc.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • snap: use const for descriptor · 7ca98fa2
      Stephen Hemminger authored
      Protocols should be able to use constant value for the descriptor.
      Minor whitespace cleanup as well
      Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
      Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: Clean up TEST_FRAME hacks. · 8d2f9e81
      Vlad Yasevich authored
      Remove 2 TEST_FRAME hacks that are no longer needed.  These allowed
      sctp regression tests to compile before, but are no longer needed.
      Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>