1. 13 Mar, 2012 1 commit
  2. 12 Mar, 2012 1 commit
    • Joe Perches's avatar
      net: Convert printks to pr_<level> · 058bd4d2
      Joe Perches authored
      
      
      Use a more current kernel messaging style.
      
      Convert a printk block to print_hex_dump.
      Coalesce formats, align arguments.
      Use %s, __func__ instead of embedding function names.
      
      Some messages that were prefixed with <foo>_close are
      now prefixed with <foo>_fini.  Some ah4 and esp messages
      are now not prefixed with "ip ".
      
      The intent of this patch is to later add something like
        #define pr_fmt(fmt) "IPv4: " fmt.
      to standardize the output messages.
      
      Text size is trivially reduced. (x86-32 allyesconfig)
      
      $ size net/ipv4/built-in.o*
         text	   data	    bss	    dec	    hex	filename
       887888	  31558	 249696	1169142	 11d6f6	net/ipv4/built-in.o.new
       887934	  31558	 249800	1169292	 11d78c	net/ipv4/built-in.o.old
      Signed-off-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      058bd4d2
  3. 24 Feb, 2012 1 commit
  4. 15 Feb, 2012 1 commit
  5. 28 Jan, 2012 1 commit
  6. 26 Jan, 2012 1 commit
    • Willem de Bruijn's avatar
      ipv6: Fix ip_gre lockless xmits. · f2b3ee9e
      Willem de Bruijn authored
      Tunnel devices set NETIF_F_LLTX to bypass HARD_TX_LOCK.  Sit and
      ipip set this unconditionally in ops->setup, but gre enables it
      conditionally after parameter passing in ops->newlink. This is
      not called during tunnel setup as below, however, so GRE tunnels are
      still taking the lock.
      
      modprobe ip_gre
      ip tunnel add test0 mode gre remote 10.5.1.1 dev lo
      ip link set test0 up
      ip addr add 10.6.0.1 dev test0
       # cat /sys/class/net/test0/features
       # $DIR/test_tunnel_xmit 10 10.5.2.1
      ip route add 10.5.2.0/24 dev test0
      ip tunnel del test0
      
      The newlink callback is only called in rtnl_netlink, and only if
      the device is new, as it calls register_netdevice internally. Gre
      tunnels are created at 'ip tunnel add' with ioctl SIOCADDTUNNEL,
      which calls ipgre_tunnel_locate, which calls register_netdev.
      rtnl_newlink is called at 'ip link set', but skips ops->newlink
      and the device is up with locking still enabled. The equivalent
      ipip tunnel works fine, btw (just substitute 'method gre' for
      'method ipip').
      
      On kernels before /sys/class/net/*/features was removed [1],
      the first commented out line returns 0x6000 with method gre,
      which indicates that NETIF_F_LLTX (0x1000) is not set. With ipip,
      it reports 0x7000. This test cannot be used on recent kernels where
      the sysfs file is removed (and ETHTOOL_GFEATURES does not currently
      work for tunnel devices, because they lack dev->ethtool_ops).
      
      The second commented out line calls a simple transmission test [2]
      that sends on 24 cores at maximum rate. Results of a single run:
      
      ipip:			19,372,306
      gre before patch:	 4,839,753
      gre after patch:	19,133,873
      
      This patch replicates the condition check in ipgre_newlink to
      ipgre_tunnel_locate. It works for me, both with oseq on and off.
      This is the first time I looked at rtnetlink and iproute2 code,
      though, so someone more knowledgeable should probably check the
      patch. Thanks.
      
      The tail of both functions is now identical, by the way. To avoid
      code duplication, I'll be happy to rework this and merge the two.
      
      [1] http://patchwork.ozlabs.org/patch/104610/
      [2] http://kernel.googlecode.com/files/xmit_udp_parallel.c
      
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f2b3ee9e
  7. 24 Jan, 2012 2 commits
  8. 11 Dec, 2011 1 commit
  9. 05 Dec, 2011 1 commit
  10. 18 Nov, 2011 1 commit
  11. 08 Nov, 2011 1 commit
  12. 20 Oct, 2011 1 commit
  13. 18 Jul, 2011 1 commit
  14. 05 May, 2011 1 commit
  15. 04 May, 2011 1 commit
  16. 22 Apr, 2011 1 commit
  17. 12 Mar, 2011 1 commit
  18. 09 Mar, 2011 1 commit
    • Vasiliy Kulikov's avatar
      net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules · 8909c9ad
      Vasiliy Kulikov authored
      Since a8f80e8f any process with
      CAP_NET_ADMIN may load any module from /lib/modules/.  This doesn't mean
      that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are
      limited to /lib/modules/**.  However, CAP_NET_ADMIN capability shouldn't
      allow anybody load any module not related to networking.
      
      This patch restricts an ability of autoloading modules to netdev modules
      with explicit aliases.  This fixes CVE-2011-1019.
      
      Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior
      of loading netdev modules by name (without any prefix) for processes
      with CAP_SYS_MODULE to maintain the compatibility with network scripts
      that use autoloading netdev modules by aliases like "eth0", "wlan0".
      
      Currently there are only three users of the feature in the upstream
      kernel: ipip, ip_gre and sit.
      
          root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) --
          root@albatros:~# grep Cap /proc/$$/status
          CapInh:	0000000000000000
          CapPrm:	fffffff800001000
          CapEff:	fffffff800001000
          CapBnd:	fffffff800001000
          root@albatros:~# modprobe xfs
          FATAL: Error inserting xfs
          (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted
          root@albatros:~# lsmod | grep xfs
          root@albatros:~# ifconfig xfs
          xfs: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep xfs
          root@albatros:~# lsmod | grep sit
          root@albatros:~# ifconfig sit
          sit: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep sit
          root@albatros:~# ifconfig sit0
          sit0      Link encap:IPv6-in-IPv4
      	      NOARP  MTU:1480  Metric:1
      
          root@albatros:~# lsmod | grep sit
          sit                    10457  0
          tunnel4                 2957  1 sit
      
      For CAP_SYS_MODULE module loading is still relaxed:
      
          root@albatros:~# grep Cap /proc/$$/status
          CapInh:	0000000000000000
          CapPrm:	ffffffffffffffff
          CapEff:	ffffffffffffffff
          CapBnd:	ffffffffffffffff
          root@albatros:~# ifconfig xfs
          xfs: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep xfs
          xfs                   745319  0
      
      Reference: https://lkml.org/lkml/2011/2/24/203
      
      Signed-off-by: default avatarVasiliy Kulikov <segoon@openwall.com>
      Signed-off-by: default avatarMichael Tokarev <mjt@tls.msk.ru>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Acked-by: default avatarKees Cook <kees.cook@canonical.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      8909c9ad
  19. 02 Mar, 2011 1 commit
  20. 11 Feb, 2011 1 commit
  21. 13 Dec, 2010 2 commits
    • David S. Miller's avatar
      ipv4: Don't pre-seed hoplimit metric. · 323e126f
      David S. Miller authored
      
      
      Always go through a new ip4_dst_hoplimit() helper, just like ipv6.
      
      This allowed several simplifications:
      
      1) The interim dst_metric_hoplimit() can go as it's no longer
         userd.
      
      2) The sysctl_ip_default_ttl entry no longer needs to use
         ipv4_doint_and_flush, since the sysctl is not cached in
         routing cache metrics any longer.
      
      3) ipv4_doint_and_flush no longer needs to be exported and
         therefore can be marked static.
      
      When ipv4_doint_and_flush_strategy was removed some time ago,
      the external declaration in ip.h was mistakenly left around
      so kill that off too.
      
      We have to move the sysctl_ip_default_ttl declaration into
      ipv4's route cache definition header net/route.h, because
      currently net/ip.h (where the declaration lives now) has
      a back dependency on net/route.h
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      323e126f
    • David S. Miller's avatar
  22. 09 Dec, 2010 1 commit
    • David S. Miller's avatar
      net: Abstract away all dst_entry metrics accesses. · defb3519
      David S. Miller authored
      
      
      Use helper functions to hide all direct accesses, especially writes,
      to dst_entry metrics values.
      
      This will allow us to:
      
      1) More easily change how the metrics are stored.
      
      2) Implement COW for metrics.
      
      In particular this will help us put metrics into the inetpeer
      cache if that is what we end up doing.  We can make the _metrics
      member a pointer instead of an array, initially have it point
      at the read-only metrics in the FIB, and then on the first set
      grab an inetpeer entry and point the _metrics member there.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      defb3519
  23. 01 Dec, 2010 2 commits
  24. 17 Nov, 2010 1 commit
  25. 15 Nov, 2010 1 commit
  26. 12 Nov, 2010 1 commit
  27. 30 Oct, 2010 1 commit
  28. 27 Oct, 2010 1 commit
  29. 19 Oct, 2010 1 commit
  30. 05 Oct, 2010 1 commit
    • Eric Dumazet's avatar
      net: add a core netdev->rx_dropped counter · caf586e5
      Eric Dumazet authored
      In various situations, a device provides a packet to our stack and we
      drop it before it enters protocol stack :
      - softnet backlog full (accounted in /proc/net/softnet_stat)
      - bad vlan tag (not accounted)
      - unknown/unregistered protocol (not accounted)
      
      We can handle a per-device counter of such dropped frames at core level,
      and automatically adds it to the device provided stats (rx_dropped), so
      that standard tools can be used (ifconfig, ip link, cat /proc/net/dev)
      
      This is a generalization of commit 8990f468
      
       (net: rx_dropped
      accounting), thus reverting it.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      caf586e5
  31. 30 Sep, 2010 1 commit
  32. 29 Sep, 2010 1 commit
    • Eric Dumazet's avatar
      ip_gre: lockless xmit · b790e01a
      Eric Dumazet authored
      
      
      GRE tunnels can benefit from lockless xmits, using NETIF_F_LLTX
      
      Note: If tunnels are created with the "oseq" option, LLTX is not
      enabled :
      
      Even using an atomic_t o_seq, we would increase chance for packets being
      out of order at receiver.
      
      Bench on a 16 cpus machine (dual E5540 cpus), 16 threads sending
      10000000 UDP frames via one gre tunnel (size:200 bytes per frame)
      
      Before patch :
      real	3m0.094s
      user	0m9.365s
      sys	47m50.103s
      
      After patch:
      real	0m29.756s
      user	0m11.097s
      sys	7m33.012s
      
      Last problem to solve is the contention on dst :
      
      38660.00 21.4% __ip_route_output_key          vmlinux
      20786.00 11.5% dst_release                    vmlinux
      14191.00  7.8% __xfrm_lookup                  vmlinux
      12410.00  6.9% ip_finish_output               vmlinux
       4540.00  2.5% ip_push_pending_frames         vmlinux
       4427.00  2.4% ip_append_data                 vmlinux
       4265.00  2.4% __alloc_skb                    vmlinux
       4140.00  2.3% __ip_local_out                 vmlinux
       3991.00  2.2% dev_queue_xmit                 vmlinux
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b790e01a
  33. 28 Sep, 2010 1 commit
    • Eric Dumazet's avatar
      ip_gre: percpu stats accounting · e985aad7
      Eric Dumazet authored
      
      
      Le lundi 27 septembre 2010 à 14:29 +0100, Ben Hutchings a écrit :
      
      > > diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
      > > index 5d6ddcb..de39b22 100644
      > > --- a/net/ipv4/ip_gre.c
      > > +++ b/net/ipv4/ip_gre.c
      > [...]
      > > @@ -377,7 +405,7 @@ static struct ip_tunnel *ipgre_tunnel_locate(struct net *net,
      > >  	if (parms->name[0])
      > >  		strlcpy(name, parms->name, IFNAMSIZ);
      > >  	else
      > > -		sprintf(name, "gre%%d");
      > > +		strcpy(name, "gre%d");
      > >
      > >  	dev = alloc_netdev(sizeof(*t), name, ipgre_tunnel_setup);
      > >  	if (!dev)
      > [...]
      >
      > This is a valid fix, but doesn't belong in this patch!
      >
      
      Sorry ? It was not a fix, but at most a cleanup ;)
      
      Anyway I forgot the gretap case...
      
      [PATCH 2/4 v2] ip_gre: percpu stats accounting
      
      Maintain per_cpu tx_bytes, tx_packets, rx_bytes, rx_packets.
      
      Other seldom used fields are kept in netdev->stats structure, possibly
      unsafe.
      
      This is a preliminary work to support lockless transmit path, and
      correct RX stats, that are already unsafe.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e985aad7
  34. 23 Sep, 2010 1 commit
  35. 20 Sep, 2010 2 commits
  36. 16 Sep, 2010 1 commit