1. 28 Apr, 2016 2 commits
  2. 04 Apr, 2016 1 commit
    • sock: enable timestamping using control messages · c14ac945
      Soheil Hassas Yeganeh authored
      Currently, SOL_TIMESTAMPING can only be enabled using setsockopt.
      This is very costly when users want to sample writes to gather
      tx timestamps.
      Add support for enabling SO_TIMESTAMPING via control messages by
      using tsflags added in `struct sockcm_cookie` (added in the previous
      patches in this series) to set the tx_flags of the last skb created in
      a sendmsg. With this patch, the timestamp recording bits in tx_flags
      of the skbuff are overridden if SO_TIMESTAMPING is passed in a cmsg.
      Please note that this is only effective for overriding the recording
      timestamps flags. Users should enable timestamp reporting (e.g.,
      socket options and then should ask for SOF_TIMESTAMPING_TX_*
      using control messages per sendmsg to sample timestamps for each
      Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
      Acked-by: Willem de Bruijn <willemb@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 03 Dec, 2015 1 commit
    • ipv6: kill sk_dst_lock · 6bd4f355
      Eric Dumazet authored
      While testing the np->opt RCU conversion, I found that UDP/IPv6 was
      using a mixture of xchg() and sk_dst_lock to protect concurrent changes
      to sk->sk_dst_cache, leading to possible corruptions and crashes.
      ip6_sk_dst_lookup_flow() uses sk_dst_check() anyway, so the simplest
      way to fix the mess is to remove sk_dst_lock completely, as we did for
      __ip6_dst_store() and ip6_dst_store() share same implementation.
      sk_setup_caps() being called with socket lock being held or not,
      we have to use sk_dst_set() instead of __sk_dst_set()
      Note that I had to move the "np->dst_cookie = rt6_get_cookie(rt);"
      in ip6_dst_store() before the sk_setup_caps(sk, dst) call.
      This is because ip6_dst_store() can be called from process context,
      without any lock held.
      As soon as the dst is installed in sk->sk_dst_cache, dst can be freed
      from another cpu doing a concurrent ip6_dst_store()
      Doing the dst dereference before doing the install is needed to make
      sure no use after free would trigger.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 27 Oct, 2015 1 commit
  5. 13 Oct, 2015 1 commit
  6. 31 Jul, 2015 1 commit
    • ipv6: change ipv6_stub_impl.ipv6_dst_lookup to take net argument · 343d60aa
      Roopa Prabhu authored
      This patch adds net argument to ipv6_stub_impl.ipv6_dst_lookup
      for use cases where sk is not available (like mpls).
      sk appears to be needed to get the namespace 'net' and is optional
      otherwise. This patch series changes ipv6_stub_impl.ipv6_dst_lookup
      to take net argument. sk remains optional.
      All callers of ipv6_stub_impl.ipv6_dst_lookup have been modified
      to pass net. I have modified them to use already available
      'net' in the scope of the call. I can change them to
      sock_net(sk) to avoid any unintended change in behaviour if sock
      namespace is different. They don't seem to be from code inspection.
      Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 25 May, 2015 2 commits
  8. 31 Mar, 2015 1 commit
  9. 14 Jan, 2015 1 commit
  10. 24 Nov, 2014 1 commit
  11. 18 Nov, 2014 1 commit
  12. 11 Nov, 2014 1 commit
    • net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited · ba7a46f1
      Joe Perches authored
      Use the more common dynamic_debug capable net_dbg_ratelimited
      and remove the LIMIT_NETDEBUG macro.
      All messages are still ratelimited.
      Some KERN_<LEVEL> uses are changed to KERN_DEBUG.
      This may have some negative impact on messages that were
      emitted at KERN_INFO that are not enabled at all unless
      DEBUG is defined or dynamic_debug is enabled.  Even so,
      these messages are now _not_ emitted by default.
      This also eliminates the use of the net_msg_warn sysctl
      "/proc/sys/net/core/warnings".  For backward compatibility,
      the sysctl is not removed, but it has no function.  The extern
      declaration of net_msg_warn is removed from sock.h and made
      static in net/core/sysctl_net_core.c
      o Update the sysctl documentation
      o Remove the embedded uses of pr_fmt
      o Coalesce format fragments
      o Realign arguments
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  13. 24 Oct, 2014 1 commit
  14. 07 Oct, 2014 1 commit
  15. 23 Sep, 2014 1 commit
    • icmp: add a global rate limitation · 4cdf507d
      Eric Dumazet authored
      Current ICMP rate limiting uses inetpeer cache, which is an RBL tree
      protected by a lock, meaning that hosts can be stuck hard if all cpus
      want to check ICMP limits.
      When say a DNS or NTP server process is restarted, inetpeer tree grows
      quick and machine comes to its knees.
      iptables can not help because the bottleneck happens before ICMP
      messages are even cooked and sent.
      This patch adds a new global limitation, using a token bucket filter,
      controlled by two new sysctl :
      icmp_msgs_per_sec - INTEGER
          Limit maximal number of ICMP packets sent per second from this host.
          Only messages whose type matches icmp_ratemask are
          controlled by this limit.
          Default: 1000
      icmp_msgs_burst - INTEGER
          icmp_msgs_per_sec controls number of ICMP packets sent per second,
          while icmp_msgs_burst controls the burst size of these packets.
          Default: 50
      Note that if we really want to send millions of ICMP messages per
      second, we might extend idea and infra added in commit 04ca6973
      ("ip: make IP identifiers less predictable") :
      add a token bucket in the ip_idents hash and no longer rely on inetpeer.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  16. 25 Aug, 2014 1 commit
    • ipv6: White-space cleansing : Line Layouts · 67ba4152
      Ian Morris authored
      This patch makes no changes to the logic of the code but simply addresses
      coding style issues as detected by checkpatch.
      Both objdump and diff -w show no differences.
      A number of items are addressed in this patch:
      * Multiple spaces converted to tabs
      * Spaces before tabs removed.
      * Spaces in pointer typing cleansed (char *)foo etc.
      * Remove space after sizeof
      * Ensure spacing around comparators such as if statements.
      Signed-off-by: Ian Morris <ipm@chirality.org.uk>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  17. 01 Aug, 2014 1 commit
  18. 13 May, 2014 1 commit
    • net: add a sysctl to reflect the fwmark on replies · e110861f
      Lorenzo Colitti authored
      Kernel-originated IP packets that have no user socket associated
      with them (e.g., ICMP errors and echo replies, TCP RSTs, etc.)
      are emitted with a mark of zero. Add a sysctl to make them have
      the same mark as the packet they are replying to.
      This allows an administrator that wishes to do so to use
      mark-based routing, firewalling, etc. for these replies by
      marking the original packets inbound.
      Tested using user-mode linux:
       - ICMP/ICMPv6 echo replies and errors.
       - TCP RST packets (IPv4 and IPv6).
      Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  19. 09 May, 2014 1 commit
  20. 30 Apr, 2014 1 commit
  21. 31 Mar, 2014 1 commit
  22. 10 Feb, 2014 1 commit
  23. 22 Jan, 2014 1 commit
  24. 15 Jan, 2014 1 commit
  25. 14 Jan, 2014 1 commit
  26. 07 Jan, 2014 1 commit
  27. 02 Jan, 2014 1 commit
  28. 05 Sep, 2013 1 commit
    • ipv6:introduce function to find route for redirect · b55b76b2
      Duan Jiong authored
      RFC 4861 says that the IP source address of the Redirect is the
      same as the current first-hop router for the specified ICMP
      Destination Address, so the gateway should be taken into
      consideration when we find the route for redirect.
      There was once a check in commit
      a6279458 ("NDISC: Search over
      all possible rules on receipt of redirect.") and the check
      went away in commit b94f1c09
      ("ipv6: Use icmpv6_notify() to propagate redirect, instead of
      The bug is only "exploitable" on layer-2 because the source
      address of the redirect is checked to be a valid link-local
      address but it makes spoofing a lot easier in the same L2
      domain nonetheless.
      Thanks very much for Hannes's help.
      Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
      Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  29. 04 Sep, 2013 1 commit
  30. 13 Jun, 2013 1 commit
  31. 29 May, 2013 1 commit
  32. 26 May, 2013 1 commit
    • net: ipv6: Add IPv6 support to the ping socket. · 6d0bfe22
      Lorenzo Colitti authored
      This adds the ability to send ICMPv6 echo requests without a
      raw socket. The equivalent ability for ICMPv4 was added in
      Instead of having separate code paths for IPv4 and IPv6, make
      most of the code in net/ipv4/ping.c dual-stack and only add a
      few IPv6-specific bits (like the protocol definition) to a new
      net/ipv6/ping.c. Hopefully this will reduce divergence and/or
      duplication of bugs in the future.
      - Setting options via ancillary data (e.g., using IPV6_PKTINFO
        to specify the outgoing interface) is not yet supported.
      - There are no separate security settings for IPv4 and IPv6;
        everything is controlled by /proc/net/ipv4/ping_group_range.
      - The proc interface does not yet display IPv6 ping sockets
      Tested with a patched copy of ping6 and using raw socket calls.
      Compiles and works with all of CONFIG_IPV6={n,m,y}.
      Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  33. 29 Apr, 2013 2 commits
  34. 08 Mar, 2013 1 commit
  35. 18 Jan, 2013 1 commit
  36. 19 Nov, 2012 2 commits
    • net: Enable some sysctls that are safe for the userns root · c027aab4
      Eric W. Biederman authored
      - Enable the per device ipv4 sysctls:
      - Enable the global ipv4 sysctl:
      - Enable the per device ipv6 sysctls:
      - Enable the global ipv6 sysctls:
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Don't export sysctls to unprivileged users · 464dc801
      Eric W. Biederman authored
      In preparation for supporting the creation of network namespaces
      by unprivileged users, modify all of the per net sysctl exports
      and refuse to allow them to unprivileged users.
      This makes it safe for unprivileged users in general to access
      per net sysctls, and allows sysctls to be exported to unprivileged
      users on an individual basis as they are deemed safe.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>