29 Sep, 2014 (2 commits)
      macvlan: add source mode · 79cf79ab
      Michael Braun authored
      This patch adds a new mode of operation to macvlan, called "source".
      It allows one to set a list of allowed MAC addresses, which is used
      to match against the source MAC address of frames received on the
      underlying interface.
      This enables creating MAC-based VLAN associations, instead of standard
      port- or tag-based ones. The feature is useful to deploy 802.1x MAC-based
      behavior where the drivers of the underlying interfaces don't allow that.
      
      Configuration is done through the netlink interface using e.g.:
       ip link add link eth0 name macvlan0 type macvlan mode source
       ip link add link eth0 name macvlan1 type macvlan mode source
       ip link set link dev macvlan0 type macvlan macaddr add 00:11:11:11:11:11
       ip link set link dev macvlan0 type macvlan macaddr add 00:22:22:22:22:22
       ip link set link dev macvlan0 type macvlan macaddr add 00:33:33:33:33:33
       ip link set link dev macvlan1 type macvlan macaddr add 00:33:33:33:33:33
       ip link set link dev macvlan1 type macvlan macaddr add 00:44:44:44:44:44
      
      This allows clients with MAC addresses 00:11:11:11:11:11 and
      00:22:22:22:22:22 to be part of only the VLAN associated with the macvlan0
      interface. Clients with MAC address 00:44:44:44:44:44 are part of only the
      VLAN associated with the macvlan1 interface. And the client with MAC address
      00:33:33:33:33:33 is associated with both VLANs.
      
      Based on work of Stefan Gula <steweg@gmail.com>
      
      v8: last version of Stefan Gula for Kernel 3.2.1
      v9: rework onto linux-next 2014-03-12 by Michael Braun
          add MACADDR_SET command, enable to configure mac for source mode
          while creating interface
      v10:
        - reduce indentation level
        - rename source_list to source_entry
        - use aligned 64bit ether address
        - use hash_64 instead of addr[5]
      v11:
        - rebase for 3.14 / linux-next 20.04.2014
      v12:
        - rebase for linux-next 2014-09-25
      Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 85224844
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      pull request: netfilter/ipvs updates for net-next
      
      The following patchset contains Netfilter/IPVS updates for net-next,
      most relevantly they are:
      
      1) Four patches to make the new nf_tables masquerading support
         independent of the x_tables infrastructure. This also resolves a
         compilation breakage if the masquerade target is disabled but the
         nf_tables masq expression is enabled.
      
      2) ipset updates via Jozsef Kadlecsik. This includes the addition of the
         skbinfo extension that allows you to store packet metainformation in the
         elements. This can be used to fetch and restore this to the packets through
         the iptables SET target, patches from Anton Danilov.
      
      3) Add the hash:mac set type to ipset, from Jozsef Kadlecsik.
      
      4) Add simple weighted fail-over scheduler via Simon Horman. This provides
         a fail-over IPVS scheduler (unlike existing load balancing schedulers).
         Connections are directed to the appropriate server based solely on
         highest weight value and server availability, patch from Kenny Mathis.
      
      5) Support IPv6 real servers in IPv4 virtual-services and vice versa.
         Simon Horman informs that the motivation for this is to allow more
         flexibility in the choice of IP version offered by both virtual-servers
         and real-servers as they no longer need to match: An IPv4 connection
         from an end-user may be forwarded to a real-server using IPv6 and
         vice versa. No ip_vs_sync support yet though. Patches from Alex Gartrell
         and Julian Anastasov.
      
      6) Add global generation ID to the nf_tables ruleset. When dumping from
         several different object lists, we need a way to identify that an update
         has occurred so userspace knows that it needs to refresh its lists. This
         also includes a new command to obtain the 32-bit generation ID. The
         least significant 16 bits of this ID are also exposed through the res_id field
         in the nfnetlink header to quickly detect the interference and retry when
         there is no risk of ID wraparound.
      
      7) Move br_netfilter out of the bridge core. The br_netfilter code is
         built in the bridge core by default. This causes problems of different
         kinds to people that don't want this: Jesper reported a performance drop due
         to the unconditional hook registration and I remember having read complaints
         on netdev from people regarding the unexpected behaviour of our bridging
         stack when br_netfilter is enabled (fragmentation handling, layer 3 and
         upper inspection). People that still need this should easily undo the
         damage by modprobing the new br_netfilter module.
      
      8) Dump the set policy in nf_tables that allows set parameterization, so
         userspace can keep user-defined preferences when saving the ruleset.
         From Arturo Borrero.
      
      9) Use the __seq_open_private() helper function to reduce boilerplate code
         in x_tables, from Rob Jones.
      
      10) Safer default behaviour in case you forget to load the protocol
         tracker. Daniel Borkmann and Florian Westphal detected that if your
         ruleset is stateful, you allow traffic to at least one single SCTP port
         and the SCTP protocol tracker is not loaded, then any SCTP traffic may
         pass through unfiltered. After this patch, the connection tracking
         classifies SCTP/DCCP/UDPlite/GRE packets as invalid if your kernel has
         been compiled with support for these modules.
      ====================
      
      Trivially resolved conflict in include/linux/skbuff.h, Eric moved some
      netfilter skbuff members around, and the netfilter tree adjusted the
      ifdef guards for the bridging info pointer.
      Signed-off-by: David S. Miller <davem@davemloft.net>