1. 13 Jan, 2014 5 commits
      ipv4: introduce hardened ip_no_pmtu_disc mode · 8ed1dc44
      Hannes Frederic Sowa authored
      This new ip_no_pmtu_disc mode only allows fragmentation-needed errors
      to be honored by protocols which do more stringent validation on the
      ICMP's packet payload. This knob is useful for people who e.g. want to
      run an unmodified DNS server in a namespace where they need to use pmtu
      for TCP connections (as they are used for zone transfers or fallback
      for requests) but don't want to use possibly spoofed UDP pmtu information.
      
      Currently the whitelisted protocols are TCP, SCTP and DCCP as they check
      if the returned packet is in the window or if the association is valid.
      
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: John Heffner <johnwheffner@gmail.com>
      Suggested-by: Florian Weimer <fweimer@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv6: introduce ip6_dst_mtu_forward and protect forwarding path with it · 0954cf9c
      Hannes Frederic Sowa authored
      In the IPv6 forwarding path we are only concerned about the outgoing
      interface MTU, but also respect locked MTUs on routes. Tunnel provider
      or IPSEC already have to recheck and if needed send PtB notifications
      to the sending host in case the data does not fit into the packet with
      added headers (we only know the final header sizes there, while also
      using path MTU information).
      
      The reason for this change is, that path MTU information can be injected
      into the kernel via e.g. icmp_err protocol handler without verification
      of local sockets. As such, this could cause the IPv6 forwarding path to
      wrongfully emit Packet-too-Big errors and drop IPv6 packets.
      
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: John Heffner <johnwheffner@gmail.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing · f87c10a8
      Hannes Frederic Sowa authored
      While forwarding we should not use the protocol path mtu to calculate
      the mtu for a forwarded packet but instead use the interface mtu.
      
      We mark forwarded skbs in ip_forward with IPSKB_FORWARDED, which was
      introduced for multicast forwarding. But as it does not conflict with
      our usage in unicast code path it is perfect for reuse.
      
      I moved the functions ip_sk_accept_pmtu, ip_sk_use_pmtu and ip_skb_dst_mtu
      along with the new ip_dst_mtu_maybe_forward to net/ip.h to fix circular
      dependencies because of IPSKB_FORWARDED.
      
      Because someone might have written a software which does probe
      destinations manually and expects the kernel to honour those path mtus
      I introduced a new per-namespace "ip_forward_use_pmtu" knob so someone
      can disable this new behaviour. We also still use mtus which are locked on a
      route for forwarding.
      
      The reason for this change is, that path mtus information can be injected
      into the kernel via e.g. icmp_err protocol handler without verification
      of local sockets. As such, this could cause the IPv4 forwarding path to
      wrongfully emit fragmentation needed notifications or start to fragment
      packets along a path.
      
      Tunnel and ipsec output paths clear IPCB again, thus IPSKB_FORWARDED
      won't be set and further fragmentation logic will use the path mtu to
      determine the fragmentation size. They also recheck packet size with
      help of path mtu discovery and report appropriate errors.
      
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: John Heffner <johnwheffner@gmail.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      HHF qdisc: fix jiffies-time conversion. · 6c76a07a
      Terry Lam authored
      This is to be compatible with the use of "get_time" (i.e. default
      time unit in us) in iproute2 patch for HHF as requested by Stephen.
      Signed-off-by: Terry Lam <vtlam@google.com>
      Acked-by: Nandita Dukkipati <nanditad@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      qlcnic: Convert vmalloc/memset to kcalloc · f3c0773f
      Joe Perches authored
      vmalloc is a limited resource.  Don't use it unnecessarily.
      
      It seems this allocation should work with kcalloc.
      
      Remove unnecessary memset(,0,) of buf as it's completely
      overwritten as the previously only unset field in
      struct qlcnic_pci_func_cfg is now set to 0.
      
      Use kfree instead of vfree.
      Use ETH_ALEN instead of 6.
      Signed-off-by: Joe Perches <joe@perches.com>
      Acked-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 12 Jan, 2014 10 commits
  3. 11 Jan, 2014 17 commits
  4. 10 Jan, 2014 8 commits
      Merge tag 'batman-adv-for-davem' of git://git.open-mesh.org/linux-merge · 45593c2b
      David S. Miller authored
      Included changes:
      - substitute FSF address with URL
      - deselect current bat-GW when GW-client mode gets deactivated
      - send every DHCP packet using bat-unicast messages when GW-client mode is
        enabled
      - implement the Extended Isolation mechanism (it is an enhancement of the
        already existing batman-AP-isolation). This mechanism allows the user to drop
        packets exchanged by selected clients by using netfilter marks.
      - fix typ0 in header guard
      - minor code cleanups
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'tcp_metrics_saddr' · 795709af
      David S. Miller authored
      Christoph Paasch says:
      
      ====================
      Make tcp-metrics source-address aware
      
      Currently tcp-metrics only stores per-destination addresses. This brings
      problems, when a host has multiple interfaces (e.g., a smartphone having
      WiFi/3G):
      
      For example, a host contacting a server over WiFi will store the tcp-metrics
      per destination IP. If then the host contacts the same server over 3G, the
      same tcp-metrics will be used, although the path-characteristics are completely
      different (e.g., the ssthresh is probably not the same).
      
      In case of TFO this is not a problem, as the server will provide us a new cookie
      once he saw our SYN+DATA with an incorrect cookie.
      It may be (in case of carrier-grade NAT), that we keep the same public IP but
      have a different private IP. Thus, we better reuse the old cookie even if our
      source-IP has changed. However, this scenario is probably very uncommon, as
      carriers try to provide the same src-IP to the clients behind their CGN.
      
      Patches 1 + 2 add the source-IP to the tcp metrics.
      
      Patches 3 to 5 modify the netlink-api to support the source-IP. From now on,
      when using the command "ip tcp_metrics delete address ADDRESS" all entries
      which match this destination IP will be deleted.
      
      Today's iproute2 will complain when doing "ip tcp_metrics flush PREFIX" if
      several entries are present for the same destination-IP but with different
      source-IPs:
      
      root@client:~/test# ip tcp_metrics
      10.2.1.2 age 3.640sec rtt 16250us rttvar 15000us cwnd 10
      10.2.1.2 age 4.030sec rtt 18750us rttvar 15000us cwnd 10
      root@client:~/test# ip tcp_metrics flush 10.2.1.2/16
      Failed to send flush request
      : No such process
      
      Follow-up patches will modify iproute2 to handle this correctly and allow
      specifying the source-IP in the get/del commands.
      
      v2: Added the patch that allows to selectively get/del of tcp-metrics based
          on src-IP and moved the patch that adds the new netlink attribute before
          the other patches.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: metrics: Allow selective get/del of tcp-metrics based on src IP · 3e7013dd
      Christoph Paasch authored
      We want to be able to get/del tcp-metrics based on the src IP. This
      patch adds the necessary parsing of the netlink attribute and if the
      source address is set, it will match on this one too.
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: metrics: Delete all entries matching a certain destination · bbf852b9
      Christoph Paasch authored
      As we now can have multiple entries per destination-IP, the "ip
      tcp_metrics delete address ADDRESS" command deletes all of them.
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: metrics: New netlink attribute for src IP and dumped in netlink reply · 8a59359c
      Christoph Paasch authored
      This patch adds a new netlink attribute for the source-IP and appends it
      to the netlink reply. Now, iproute2 can have access to the source-IP.
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: metrics: Add source-address to tcp-metrics · a5443028
      Christoph Paasch authored
      We add the source-address to the tcp-metrics, so that different metrics
      will be used per source/destination-pair. We use the destination-hash to
      store the metric inside the hash-table. That way, deleting and dumping
      via "ip tcp_metrics" is easy.
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      tcp: metrics: rename tcpm_addr to tcpm_daddr · 324fd55a
      Christoph Paasch authored
      As we will add also the source-address, we rename all accesses to the
      tcp-metrics address to use "daddr".
      Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next · 1a6c1e5b
      David S. Miller authored
      John W. Linville says:
      
      ====================
      Please pull these updates for the 3.14 stream!
      
      For the mac80211 bits, Johannes says:
      
      "Felix adds some helper functions for P2P NoA software tracking, Joe
      fixes alignment (but as this apparently never caused issues I didn't
      send it to 3.13), Kyeyoon/Jouni add QoS-mapping support (a Hotspot 2.0
      feature), Weilong fixed a bunch of checkpatch errors and I get to play
      fire-fighter or so and clean up other people's locking issues. I also
      added nl80211 vendor-specific events, as we'd discussed at the wireless
      summit."
      
      For the iwlwifi bits, Emmanuel says:
      
      "I have here a rework of the interrupt handling to meet RT kernel
      requirements - basically we don't take any lock in the primary interrupt
      handler. This gave me a good reason to clean things up a bit on the way.
      There is also a fix of the QoS mapping along with a few workarounds for
      hardware / firmware issues that are hard to hit.
      Three fixes suggested by static analyzers, and other various stuff.
      Most importantly, I update the Copyright note to include the new year."
      
      For the bluetooth bits, Gustavo says:
      
      "More patches to 3.14. The bulk of changes here is the 6LoWPAN support for
      Bluetooth LE Devices. The commits that touches net/ieee802154/ are already
      acked by David Miller. Other than that we have some RFCOMM fixes and
      improvements plus fixes and clean ups all over the tree."
      
      Beyond that, ath9k, brcmfmac, mwifiex, and wil6210 get their usual
      level of attention.  The wl1251 driver gets a number of updates,
      and there are a handful of other bits here and there.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
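
The forwarding MTU decision described in commit f87c10a8 above, as an added userspace C model (not kernel code and not taken from the commit). The struct, the function names and the sample routes, including the 552-byte learned value, are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the commit's description; names are illustrative. */
struct route_model {
    unsigned int dev_mtu;    /* MTU of the outgoing interface */
    unsigned int metric_mtu; /* MTU stored on the route, 0 if none */
    bool locked;             /* true: set and locked by the administrator */
};

/* Path MTU as seen by protocols: the route value when present. */
static unsigned int path_mtu(const struct route_model *rt)
{
    return rt->metric_mtu ? rt->metric_mtu : rt->dev_mtu;
}

/* Before the change: forwarded packets were sized by the path MTU. */
static unsigned int mtu_before(const struct route_model *rt)
{
    return path_mtu(rt);
}

/* After the change: forwarded packets use the interface MTU unless the
 * route MTU is locked or the ip_forward_use_pmtu knob is enabled. */
static unsigned int mtu_after(const struct route_model *rt, bool forwarded,
                              bool fwd_use_pmtu)
{
    if (fwd_use_pmtu || rt->locked || !forwarded)
        return path_mtu(rt);
    return rt->dev_mtu;
}

/* Constructed samples: an unverified ICMP error lowered the route to 552;
 * the second route carries an administrator-locked MTU of 1400. */
static const struct route_model spoofed = { 1500, 552, false };
static const struct route_model admin_locked = { 1500, 1400, true };

int main(void)
{
    unsigned int len = 1400; /* size of a packet being forwarded */

    printf("before: mtu=%u frag-needed=%d\n", mtu_before(&spoofed),
           len > mtu_before(&spoofed));
    printf("after:  mtu=%u frag-needed=%d\n", mtu_after(&spoofed, true, false),
           len > mtu_after(&spoofed, true, false));
    printf("local:  mtu=%u\n", mtu_after(&spoofed, false, false));
    printf("knob:   mtu=%u\n", mtu_after(&spoofed, true, true));
    printf("locked: mtu=%u\n", mtu_after(&admin_locked, true, false));
    return 0;
}
```

In the model, a 1400-byte forwarded packet exceeds the MTU only under the old behaviour; locally generated traffic, a locked route, or an enabled knob still use the path MTU.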