1. 03 Jan, 2014 1 commit
    • Daniel Borkmann's avatar
      netfilter: nf_nat: add full port randomization support · 34ce3240
      Daniel Borkmann authored
      We currently use prandom_u32() for allocation of ports in tcp bind(0)
      and udp code. In case of plain SNAT we try to keep the ports as is
      or increment on collision.
      
      SNAT --random mode does use per-destination incrementing port
      allocation. As a recent paper pointed out in [1] that this mode of
      port allocation makes it possible to an attacker to find the randomly
      allocated ports through a timing side-channel in a socket overloading
      attack conducted through an off-path attacker.
      
      So, NF_NAT_RANGE_PROTO_RANDOM actually weakens the port randomization
      in regard to the attack described in this paper. As we need to keep
      compatibility, add another flag called NF_NAT_RANGE_PROTO_RANDOM_FULLY
      that would replace the NF_NAT_RANGE_PROTO_RANDOM hash-based port
      selection algorithm with a simple prandom_u32() in order to mitigate
      this attack vector. Note that the lfsr113's internal state is
      periodically reseeded by the kernel through a local secure entropy
      source.
      
      More details can be found in [1], the basic idea is to send bursts
      of packets to a socket to overflow its receive queue and measure
      the latency to detect a possible retransmit when the port is found.
      Because of increasing ports to given destination and port, further
      allocations can be predicted. This information could then be used by
      an attacker for e.g. for cache-poisoning, NS pinning, and degradation
      of service attacks against DNS servers [1]:
      
        The best defense against the poisoning attacks is to properly
        deploy and validate DNSSEC; DNSSEC provides security not only
        against off-path attacker but even against MitM attacker. We hope
        that our results will help motivate administrators to adopt DNSSEC.
        However, full DNSSEC deployment make take significant time, and
        until that happens, we recommend short-term, non-cryptographic
        defenses. We recommend to support full port randomisation,
        according to practices recommended in [2], and to avoid
        per-destination sequential port allocation, which we show may be
        vulnerable to derandomisation attacks.
      
      Joint work between Hannes Frederic Sowa and Daniel Borkmann.
      
       [1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf
       [2] http://arxiv.org/pdf/1205.5190v1.pdfSigned-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      34ce3240
  2. 27 Dec, 2013 1 commit
    • Geert Uytterhoeven's avatar
      ipvs: Remove unused variable ret from sync_thread_master() · 9dcbe1b8
      Geert Uytterhoeven authored
      net/netfilter/ipvs/ip_vs_sync.c: In function 'sync_thread_master':
      net/netfilter/ipvs/ip_vs_sync.c:1640:8: warning: unused variable 'ret' [-Wunused-variable]
      
      Commit 35a2af94 ("sched/wait: Make the
      __wait_event*() interface more friendly") changed how the interruption
      state is returned. However, sync_thread_master() ignores this state,
      now causing a compile warning.
      
      According to Julian Anastasov <ja@ssi.bg>, this behavior is OK:
      
          "Yes, your patch looks ok to me. In the past we used ssleep() but IPVS
           users were confused why IPVS threads increase the load average. So, we
           switched to _interruptible calls and later the socket polling was
           added."
      
      Document this, as requested by Peter Zijlstra, to avoid precious developers
      disappearing in this pitfall in the future.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      9dcbe1b8
  3. 24 Dec, 2013 1 commit
  4. 21 Dec, 2013 1 commit
  5. 20 Dec, 2013 2 commits
  6. 13 Dec, 2013 1 commit
  7. 12 Dec, 2013 13 commits
    • Florent Fourcot's avatar
      ipv6: fix incorrect type in declaration · 68536053
      Florent Fourcot authored
      Introduced by 1397ed35
        "ipv6: add flowinfo for tcp6 pkt_options for all cases"
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      
      V2: fix the title, add empty line after the declaration (Sergei Shtylyov
      feedbacks)
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68536053
    • Olof Johansson's avatar
      net: eth: 8390: remove section warning in etherh.c · 335802d1
      Olof Johansson authored
      Commit c45f812f ('8390 : Replace ei_debug with msg_enable/NETIF_MSG_*
      feature') ended up moving the printout of version[] from something that
      will be compiled out due to defines, to something that is now evaluated
      at runtime.
      
      That means that what always used to be an access to an __initdata string
      from non-__init code started showing up as a section mismatch when it
      didn't before.
      
      All other 8390 versions skip __initdata on the version string, and
      starting to annotate the whole chain of callers with __init seems like
      more churn than it's worth on this driver, so remove it from etherh.c as well.
      
      Fixes: c45f812f ('8390 : Replace ei_debug with msg_enable/NETIF_MSG_* feature')
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      335802d1
    • Jerry Chu's avatar
      net-gro: Prepare GRO stack for the upcoming tunneling support · 299603e8
      Jerry Chu authored
      This patch modifies the GRO stack to avoid the use of "network_header"
      and associated macros like ip_hdr() and ipv6_hdr() in order to allow
      an arbitary number of IP hdrs (v4 or v6) to be used in the
      encapsulation chain. This lays the foundation for various IP
      tunneling support (IP-in-IP, GRE, VXLAN, SIT,...) to be added later.
      
      With this patch, the GRO stack traversing now is mostly based on
      skb_gro_offset rather than special hdr offsets saved in skb (e.g.,
      skb->network_header). As a result all but the top layer (i.e., the
      the transport layer) must have hdrs of the same length in order for
      a pkt to be considered for aggregation. Therefore when adding a new
      encap layer (e.g., for tunneling), one must check and skip flows
      (e.g., by setting NAPI_GRO_CB(p)->same_flow to 0) that have a
      different hdr length.
      
      Note that unlike the network header, the transport header can and
      will continue to be set by the GRO code since there will be at
      most one "transport layer" in the encap chain.
      Signed-off-by: default avatarH.K. Jerry Chu <hkchu@google.com>
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      299603e8
    • David S. Miller's avatar
      Merge branch 'macvtap_capture' · a46dc748
      David S. Miller authored
      Vlad Yasevich says:
      
      ====================
      Add packet capture support on macvtap device
      
      Change from RFC:
        - moved to the rx_handler approach.
      
      This series adds support for packet capturing on macvtap device.
      The initial approach was to simply export the capturing code as
      a function from the core network.  While simple, it was not
      a very architecturally clean approach.
      
      The new appraoch is to provide macvtap with its rx_handler which can
      is attached to the macvtap device itself.   Macvlan will simply requeue
      the packet with an updated skb->dev.  BTW, macvlan layer already does this
      for macvlan devices.  So, now macvtap and macvlan have almost the
      same exact input path.
      
      I've toyed with short-circuting the input path for macvtap by returning
      RX_HANDLER_ANOTHER, but that just made the code more complicated and
      didn't provide any kind of measurable gain (at least according to
      netperf and perf runs on the host).
      
      To see if there was a performance regression, I ran 1, 2 and 4 netperf
      STREAM and MAERTS tests agains the VM from both remote host and another
      guest on the same system.   The command ran was
          netperf -H $host -t $test -l 20 -i 10 -I 95 -c -C
      
      The numbers I was getting with the new code were consistently very
      slightly (1-2%) better then the old code.  I don't consider this
      an improvement, but it's not a regression! :)
      
      Running 'perf record' on the host didn't show any new hot spots
      and cpu utilization stayed about the same.  This was better
      then I expected from simply looking at the code.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a46dc748
    • Vlad Yasevich's avatar
      macvlan: Remove custom recieve and forward handlers · 2f6a1b66
      Vlad Yasevich authored
      Since now macvlan and macvtap use the same receive and
      forward handlers, we can remove them completely and use
      netif_rx and dev_forward_skb() directly.
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f6a1b66
    • Vlad Yasevich's avatar
      macvtap: Add support of packet capture on macvtap device. · 6acf54f1
      Vlad Yasevich authored
      Macvtap device currently doesn not allow a user to capture
      traffic on due to the fact that it steals the packets
      from the network stack before the skb->dev is set correctly
      on the receive side, and that use uses macvlan transmit
      path directly on the send side.  As a result, we never
      get a change to give traffic to the taps while the correct
      device is set in the skb.
      
      This patch makes macvtap device behave almost exaclty like
      macvlan.  On the send side, we switch to using dev_queue_xmit().
      On the receive side, to deliver packets to macvtap, we now
      use netif_rx and dev_forward_skb just like macvlan.  The only
      differnce now is that macvtap has its own rx_handler which is
      attached to the macvtap netdev.  It is here that we now steal
      the packet and provide it to the socket.
      
      As a result, we can now capture traffic on the macvtap device:
         tcpdump -i macvtap0
      
      It also gives us the abilit to add tc actions to the macvtap
      device and actually utilize different bandwidth management
      queues on output.
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6acf54f1
    • David S. Miller's avatar
      Merge branch 'bpf' · 70f56132
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      bpf/filter updates
      
      This set adds just two minimal helper tools that complement the
      already available bpf_jit_disasm and complete BPF tooling; plus
      it adds and an extensive documentation update of filter.txt.
      
      Please see individual descriptions for details.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70f56132
    • Daniel Borkmann's avatar
      filter: doc: improve BPF documentation · 7924cd5e
      Daniel Borkmann authored
      This patch significantly updates the BPF documentation and describes
      its internal architecture, Linux extensions, and handling of the
      kernel's BPF and JIT engine, plus documents how development can be
      facilitated with the help of bpf_dbg, bpf_asm, bpf_jit_disasm.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7924cd5e
    • Daniel Borkmann's avatar
      filter: bpf_asm: add minimal bpf asm tool · 3f356385
      Daniel Borkmann authored
      There are a couple of valid use cases for a minimal low-level bpf asm
      like tool, for example, using/linking to libpcap is not an option, the
      required BPF filters use Linux extensions that are not supported by
      libpcap's compiler, a filter might be more complex and not cleanly
      implementable with libpcap's compiler, particular filter codes should
      be optimized differently than libpcap's internal BPF compiler does,
      or for security audits of emitted BPF JIT code for prepared set of BPF
      instructions resp. BPF JIT compiler development in general.
      
      Then, in such cases writing such a filter in low-level syntax can be
      an good alternative, for example, xt_bpf and cls_bpf users might have
      requirements that could result in more complex filter code, or one that
      cannot be expressed with libpcap (e.g. different return codes in
      cls_bpf for flowids on various BPF code paths).
      
      Moreover, BPF JIT implementors may wish to manually write test cases
      in order to verify the resulting JIT image, and thus need low-level
      access to BPF code generation as well. Therefore, complete the available
      toolchain for BPF with this small bpf_asm helper tool for the tools/net/
      directory. These 3 complementary minimal helper tools round up and
      facilitate BPF development.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f356385
    • Daniel Borkmann's avatar
      filter: bpf_dbg: add minimal bpf debugger · fd981e3c
      Daniel Borkmann authored
      This patch adds a minimal BPF debugger that "emulates" the kernel's
      BPF engine (w/o extensions) and allows for single stepping (forwards
      and backwards through BPF code) or running with >=1 breakpoints through
      selected or all packets from a pcap file with a provided user filter
      in order to facilitate verification of a BPF program. When a breakpoint
      is being hit, it dumps all register contents, decoded instructions and
      in case of branches both decoded branch targets as well as other useful
      information.
      
      Having this facility is in particular useful to verify BPF programs
      against given test traffic *before* attaching to a live system.
      
      With the general availability of cls_bpf, xt_bpf, socket filters,
      team driver and e.g. PTP code, all BPF users, quite often a single
      more complex BPF program is being used. Reasons for a more complex
      BPF program are primarily to optimize execution time for making a
      verdict when multiple simple BPF programs are combined into one in
      order to prevent parsing same headers multiple times. In particular,
      for cls_bpf that can have various return paths for encoding flowids,
      and xt_bpf to come to a fw verdict this can be the case.
      
      Therefore, as this can result in more complex and harder to debug
      code, it would be very useful to have this minimal tool for testing
      purposes. It can also be of help for BPF JIT developers as filters
      are "test attached" to the kernel on a temporary socket thus
      triggering a JIT image dump when enabled. The tool uses an interactive
      libreadline shell with auto-completion and history support.
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fd981e3c
    • Olof Johansson's avatar
      net: eth: cpsw: 64-bit phys_addr_t and sparse cleanup · 1a3b5056
      Olof Johansson authored
      Minor fix for printk format of a phys_addr_t, and the switch of two local
      functions to static since they're not used outside of the file.
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1a3b5056
    • Olof Johansson's avatar
      net: eth: davinci_cpdma: Mark a local variable static · df784160
      Olof Johansson authored
      Only used locally. Found by sparse.
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df784160
    • Olof Johansson's avatar
      net: eth: davinci_cpdma: 64-bit phys/dma_addr_t cleanup · c767db51
      Olof Johansson authored
      Silences the below warnings when building with ARM_LPAE enabled, which
      gives longer dma_addr_t by default:
      
      drivers/net/ethernet/ti/davinci_cpdma.c: In function 'cpdma_desc_pool_create':
      drivers/net/ethernet/ti/davinci_cpdma.c:182:3: warning: passing argument 3 of 'dma_alloc_attrs' from incompatible pointer type [enabled by default]
      drivers/net/ethernet/ti/davinci_cpdma.c: In function 'desc_phys':
      drivers/net/ethernet/ti/davinci_cpdma.c:222:25: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
      drivers/net/ethernet/ti/davinci_cpdma.c:223:8: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c767db51
  8. 11 Dec, 2013 20 commits