1. 10 Nov, 2016 14 commits
    • tc_act: Remove tcf_act macro · f41cd11d
      Yotam Gigi authored

      tc_act macro addressed a non-existent field, and was not used in the
      kernel source.
      Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
      Reviewed-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'ipv6-sr' · 5db5b395
      David S. Miller authored
      David Lebrun says:
      
      ====================
      net: add support for IPv6 Segment Routing
      
      v5:
       - Check SRH validity when adding a new route with lwtunnels and
         when setting an IPV6_RTHDR socket option.
       - Check that hdr->segments_left is not out of bounds when processing
         an SR-enabled packet.
       - Add __ro_after_init attribute to seg6_genl_policy structure.
       - Add CONFIG_IPV6_SEG6_INLINE option to enable or disable
         direct header insertion.
      
      v4:
       - Change @cleanup in ipv6_srh_rcv() from int to bool
       - Move checksum helper functions into header file
       - Add common definition for SR TLVs
       - Add comments for HMAC computation algorithm
       - Use rhashtable to store HMAC infos instead of linked list
       - Remove packed attribute for struct sr6_tlv_hmac
       - Use dst cache only if CONFIG_DST_CACHE is enabled
      
      v3:
       - Fix compilation for CONFIG_IPV6={n,m}
      
      v2:
       - Remove packed attribute from sr6 struct and replaced unaligned
         16-bit flags with two 8-bit flags.
       - SR code now included by default. Option CONFIG_IPV6_SEG6_HMAC
         exists for HMAC support (which requires crypto dependencies).
       - Replace "hidden" calls to mutex_{un,}lock to direct calls.
       - Fix reverse xmas tree coding style.
       - Fix cast-from-void*'s.
       - Update skb->csum to account for SR modifications.
       - Add dst_cache in seg6_output.
      
      Segment Routing (SR) is a source routing paradigm, architecturally
      defined in draft-ietf-spring-segment-routing-09 [1]. The IPv6 flavor of
      SR is defined in draft-ietf-6man-segment-routing-header-02 [2].
      
      The main idea is that an SR-enabled packet contains a list of segments,
      which represent mandatory waypoints. Each waypoint is called a segment
      endpoint. The SR-enabled packet is routed normally (e.g. shortest path)
      between the segment endpoints. A node that inserts an SRH into a packet
      is called an ingress node, and a node that is the last segment endpoint
      is called an egress node.
      
      From an IPv6 viewpoint, an SR-enabled packet contains an IPv6 extension
      header, which is a Routing Header type 4, defined as follows:
      
      struct ipv6_sr_hdr {
              __u8    nexthdr;
              __u8    hdrlen;
              __u8    type;
              __u8    segments_left;
              __u8    first_segment;
              __u8    flag_1;
              __u8    flag_2;
              __u8    reserved;
      
              struct in6_addr segments[0];
      };
      
      The first 4 bytes of the SRH are consistent with the Routing Header
      definition in RFC 2460. The type is set to `4' (SRH).
      
      Each segment is encoded as an IPv6 address. The segments are encoded in
      reverse order: segments[0] is the last segment of the path, and
      segments[first_segment] is the first segment of the path.
      
      segments[segments_left] points to the currently active segment and
      segments_left is decremented at each segment endpoint.
      
      There exist two ways for a packet to receive an SRH; we call them
      encap mode and inline mode. In the encap mode, the packet is encapsulated
      in an outer IPv6 header that contains the SRH. The inner (original) packet
      is not modified. A virtual tunnel is thus created between the ingress node
      (the node that encapsulates) and the egress node (the last segment of the path).
      Once an encapsulated SR packet reaches the egress node, the node decapsulates
      the packet and performs a routing decision on the inner packet. This kind of
      SRH insertion is intended to be used for routers that encapsulate in-transit
      packets.
      
      The second SRH insertion method, the inline mode, acts by directly inserting
      the SRH right after the IPv6 header of the original packet. For this method,
      if a particular flag (SR6_FLAG_CLEANUP) is set, then the penultimate segment
      endpoint must strip the SRH from the packet before forwarding it to the last
      segment endpoint. This insertion method is intended to be used for end hosts;
      however, it is also used for in-transit packets by some industry actors.
      Note that directly inserting extension headers may break several mechanisms
      such as Path MTU Discovery, IPSec AH, etc. For this reason, this insertion
      method is only available if CONFIG_IPV6_SEG6_INLINE is enabled.
      
      Finally, the SRH may contain TLVs after the segments list. Several types of
      TLVs are defined, but we currently consider only the HMAC TLV. This TLV is
      an answer to the deprecation of the RH0 and makes it possible to ensure the
      authenticity and integrity of the SRH. The HMAC text contains the flags, the
      first_segment index, the full list of segments, and the source address of the
      packet. While SR is intended to be used mostly within a single administrative
      domain, the HMAC TLV allows verifying SR packets coming from an untrusted source.
      
      This patch series implements support for the IPv6 flavor of SR and is
      logically divided into the following components:
      
              (1) Data plane support (patch 01). This patch adds a function
                  in net/ipv6/exthdrs.c to handle the Routing Header type 4.
                  It enables the kernel to act as a segment endpoint, by supporting
                  the following operations: decrementation of the segments_left field,
                  cleanup flag support (removal of the SRH if we are the penultimate
                  segment endpoint) and decapsulation of the inner packet as an egress
                  node.
      
              (2) Control plane support (patches 02..03 and 07..09). These patches enable
                  inserting an SRH on locally emitted and/or forwarded packets, both with
                  encap mode and with inline mode. The SRH insertion is controlled through
                  the lightweight tunnels mechanism. Furthermore, patch 08 enables the
                  applications to insert an SRH on a per-socket basis, through the
                  setsockopt() system call. The mechanism to specify a per-socket
                  Routing Header was already defined for RH0 and no special modification
                  was performed on this side. However, the code to actually push the RH
                  onto the packets had to be adapted for the SRH specifications.
      
              (3) HMAC support (patches 04..06). These patches add the support of the
                  HMAC TLV verification for the dataplane part, and generation for
                  the control plane part. Two hashing algorithms are supported
                  (SHA-1 as legacy and SHA-256 as required by the IETF draft), but
                  additional algorithms can be easily supported by simply adding an
                  entry into an array.
      
      [1] https://tools.ietf.org/html/draft-ietf-spring-segment-routing-09
      [2] https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-02
      
      
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
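The v5 notes in the cover letter above mention checking SRH validity and that segments_left stays in bounds. The following userspace sketch of those checks, written against the header layout shown there, is an added example and not code from this page or from the kernel; the function names, status codes and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRH_TYPE  4   /* Routing Header type 4 (from the page) */
#define SRH_FIXED 8   /* nexthdr..reserved: eight one-byte fields */
#define SEG_LEN   16  /* one struct in6_addr per segment */
enum srh_status { SRH_OK, SRH_TRUNCATED, SRH_BAD_TYPE, SRH_SEGS_OVERFLOW, SRH_SEGLEFT_OOB };

/* Hypothetical userspace validator for an SRH starting at buf[0]. */
enum srh_status srh_check(const uint8_t *buf, size_t len)
{
    if (len < SRH_FIXED)
        return SRH_TRUNCATED;
    if (buf[2] != SRH_TYPE)
        return SRH_BAD_TYPE;
    /* hdrlen (buf[1]) counts 8-octet units, not including the first 8 octets */
    size_t total = ((size_t)buf[1] + 1) * 8;
    if (total > len)
        return SRH_TRUNCATED;
    /* segments[0..first_segment] must fit inside the header itself */
    if (SRH_FIXED + ((size_t)buf[4] + 1) * SEG_LEN > total)
        return SRH_SEGS_OVERFLOW;
    /* segments[segments_left] is dereferenced, so it must be a valid index */
    if (buf[3] > buf[4])
        return SRH_SEGLEFT_OOB;
    return SRH_OK;
}

/* Byte offset of the active segment, or -1 if the header must be dropped. */
long srh_active_offset(const uint8_t *buf, size_t len)
{
    return srh_check(buf, len) == SRH_OK ? SRH_FIXED + (long)buf[3] * SEG_LEN : -1;
}

/* Constructed sample: header fields chosen by the caller, segments zero-filled. */
enum srh_status check_sample(uint8_t hdrlen, uint8_t seg_left, uint8_t first_seg, size_t buflen)
{
    uint8_t pkt[64] = { 41 /* nexthdr: IPv6-in-IPv6 */, hdrlen, SRH_TYPE, seg_left, first_seg };
    return srh_check(pkt, buflen <= sizeof pkt ? buflen : sizeof pkt);
}

int main(void)
{
    printf("valid 3-segment SRH       -> %d\n", check_sample(6, 2, 2, 56));
    printf("segments_left past list   -> %d\n", check_sample(6, 5, 2, 56));
    printf("first_segment past hdrlen -> %d\n", check_sample(6, 2, 9, 56));
    return 0;
}
```

The order of the checks matters: first_segment is validated against hdrlen before segments_left is compared with it, so a forged first_segment cannot widen the range that segments_left is allowed to index.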
    • ipv6: sr: add documentation file for per-interface sysctls · 8bc66a44
      David Lebrun authored

      This patch adds documentation for some SR-related per-interface
      sysctls.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sr: add support for SRH injection through setsockopt · a149e7c7
      David Lebrun authored

      This patch adds support for per-socket SRH injection with the setsockopt
      system call through the IPPROTO_IPV6, IPV6_RTHDR options.
      The SRH is pushed through the ipv6_push_nfrag_opts function.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: add source address argument for ipv6_push_nfrag_opts · 613fa3ca
      David Lebrun authored

      This patch prepares for insertion of SRH through setsockopt().
      The new source address argument is used when an HMAC field is
      present in the SRH, which must be filled. The HMAC signature
      process requires the source address as input text.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sr: add calls to verify and insert HMAC signatures · 9baee834
      David Lebrun authored

      This patch enables the verification of the HMAC signature for transiting
      SR-enabled packets, and its insertion on encapsulated/injected SRH.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sr: implement API to control SR HMAC structure · 4f4853dc
      David Lebrun authored

      This patch provides an implementation of the genetlink commands
      to associate a given HMAC key identifier with a hashing algorithm
      and a secret.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sr: add core files for SR HMAC support · bf355b8d
      David Lebrun authored

      This patch adds the necessary functions to compute and check the HMAC signature
      of an SR-enabled packet. Two HMAC algorithms are supported: hmac(sha1) and
      hmac(sha256).
      
      In order to avoid dynamic memory allocation for each HMAC computation,
      a per-cpu ring buffer is allocated for this purpose.
      
      A new per-interface sysctl called seg6_require_hmac is added, allowing a
      user-defined policy for processing HMAC-signed SR-enabled packets.
      A value of -1 means that the HMAC field will always be ignored.
      A value of 0 means that if an HMAC field is present, its validity will
      be enforced (the packet is dropped if the signature is incorrect).
      Finally, a value of 1 means that any SR-enabled packet that does not
      contain an HMAC signature or whose signature is incorrect will be dropped.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sr: add support for SRH encapsulation and injection with lwtunnels · 6c8702c6
      David Lebrun authored

      This patch creates a new type of interfaceless lightweight tunnel (SEG6),
      enabling the encapsulation and injection of SRH within locally emitted
      packets and forwarded packets.
      
      From a configuration viewpoint, a seg6 tunnel would be configured as follows:
      
        ip -6 ro ad fc00::1/128 encap seg6 mode encap segs fc42::1,fc42::2,fc42::3 dev eth0
      
      Any packet whose destination address is fc00::1 would thus be encapsulated
      within an outer IPv6 header containing the SRH with three segments, and would
      actually be routed to the first segment of the list. If `mode inline' was
      specified instead of `mode encap', then the SRH would be directly inserted
      after the IPv6 header without outer encapsulation.
      
      The inline mode is only available if CONFIG_IPV6_SEG6_INLINE is enabled. This
      feature was made configurable because direct header insertion may break
      several mechanisms such as PMTUD or IPSec AH.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: sr: add code base for control plane support of SR-IPv6 · 915d7e5e
      David Lebrun authored

      This patch adds the necessary hooks and structures to provide support
      for SR-IPv6 control plane, essentially the Generic Netlink commands
      that will be used for userspace control over the Segment Routing
      kernel structures.
      
      The genetlink commands provide control over two different structures:
      tunnel source and HMAC data. The tunnel source is the source address
      that will be used by default when encapsulating packets into an
      outer IPv6 header + SRH. If the tunnel source is set to :: then an
      address of the outgoing interface will be selected as the source.
      
      The HMAC commands currently just return ENOTSUPP and will be implemented
      in a future patch.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header) · 1ababeba
      David Lebrun authored
      Implement minimal support for processing of SR-enabled packets
      as described in
      https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-02.
      
      This patch implements the following operations:
      - Intermediate segment endpoint: incrementation of active segment and rerouting.
      - Egress for SR-encapsulated packets: decapsulation of outer IPv6 header + SRH
        and routing of inner packet.
      - Cleanup flag support for SR-inlined packets: removal of SRH if we are the
        penultimate segment endpoint.
      
      A per-interface sysctl seg6_enabled is provided, to accept/deny SR-enabled
      packets. Default is deny.
      
      This patch does not provide support for HMAC-signed packets.
      Signed-off-by: David Lebrun <david.lebrun@uclouvain.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: mii: report 0 for unknown lp_advertising · dc0b2c9c
      Arnd Bergmann authored
      The newly introduced mii_ethtool_get_link_ksettings function sets
      lp_advertising to an uninitialized value when BMCR_ANENABLE is not
      set:
      
      drivers/net/mii.c: In function 'mii_ethtool_get_link_ksettings':
      drivers/net/mii.c:224:2: error: 'lp_advertising' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      As documented in include/uapi/linux/ethtool.h, the value is
      expected to be zero when we don't know it, so let's initialize
      it to that.
      
      Fixes: bc8ee596 ("net: mii: add generic function to support ksetting support")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • xen-netback: prefer xenbus_scanf() over xenbus_gather() · 6c27f99d
      Jan Beulich authored

      For single items being collected this should be preferred as being more
      typesafe (as the compiler can check format string and to-be-written-to
      variable match) and more efficient (requiring one less parameter to be
      passed).
      Signed-off-by: Jan Beulich <jbeulich@suse.com>
      Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • igmp: Document sysctl force_igmp_version · 1af92836
      Hangbin Liu authored

      There is some difference between force_igmp_version and force_mld_version.
      Add document to make users aware of this.
      Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 09 Nov, 2016 26 commits