From: Mahesh Bandewar
RX queue config for bonding master could be different from its slave
device(s). With the commit 6a9e461f6fe4 ("bonding: pass link-local
packets to bonding master also."), the packet is reinjected into stack
with skb->dev as bonding master. This potenti
From: Mahesh Bandewar
Syzkaller reported this on a slightly older kernel but it's still
applicable to the current kernel -
==
WARNING: possible circular locking dependency detected
4.18.0-next-20180823+ #46 Not tainted
From: Mahesh Bandewar
Commit b89f04c61efe ("bonding: deliver link-local packets with
skb->dev set to link that packets arrived on") changed the behavior
of how link-local-multicast packets are processed. The change in
the behavior broke some legacy use cases where these packets
From: Mahesh Bandewar
A local program using iproute2 lib pointed out the issue and looking
at the code it is pretty obvious -
a = (struct nlmsghdr *)b;
...
free(b);
if (a->nlmsg_seq == seq)
...
Fixes: 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support mal
From: Mahesh Bandewar
The primary theme is to make clang compile the iproute2 package without
warnings. Along with this there are two other misc patches in the series.
First patch uses the preferred_family when operating with maddr feature.
Prior to this patch, it would always open an AF_INET
From: Mahesh Bandewar
When creating socket() AF_INET is used irrespective of the family
that is given at the command-line (with -4, -6, or -0). This change
will open the socket with the preferred family.
Signed-off-by: Mahesh Bandewar
---
ip/ipmaddr.c | 13 -
1 file changed, 12
From: Mahesh Bandewar
These are primarily fixes for "string is not string literal" warnings
/ errors (with -Werror -Wformat-nonliteral). This should be a no-op
change. I had to replace a couple of print helper functions with the
code they call as it was becoming harder to eliminate thes
From: Mahesh Bandewar
These are primarily fixes for "string is not string literal" warnings
/ errors (with -Werror -Wformat-nonliteral). This should be a no-op
change. I had to replace a couple of print helper functions with the
code they call as it was becoming harder to eliminate thes
From: Mahesh Bandewar
The primary theme is to make clang compile the iproute2 package without
warnings. Along with this there are two other misc patches in the series.
First patch uses the preferred_family when operating with maddr feature.
Prior to this patch, it would always open an AF_INET
From: Mahesh Bandewar
Signed-off-by: Mahesh Bandewar
---
tc/m_ematch.h | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/tc/m_ematch.h b/tc/m_ematch.h
index f634f19164fa..80b02cfad6cc 100644
--- a/tc/m_ematch.h
+++ b/tc/m_ematch.h
@@ -20,7 +20,7 @@ struct bstr
From: Mahesh Bandewar
When creating socket() AF_INET is used irrespective of the family
that is given at the command-line (with -4, -6, or -0). This change
will open the socket with the preferred family.
Signed-off-by: Mahesh Bandewar
---
ip/ipmaddr.c | 13 -
1 file changed, 12
From: Mahesh Bandewar
These are primarily fixes for "string is not string literal" warnings
/ errors (with -Werror -Wformat-nonliteral). This should be a no-op
change. I had to replace a couple of print helper functions with the
code they call as it was becoming harder to eliminate thes
From: Mahesh Bandewar
When creating socket() AF_INET is used irrespective of the family
that is given at the command-line (with -4, -6, or -0). This change
will open the socket with the preferred family.
Signed-off-by: Mahesh Bandewar
---
ip/ipmaddr.c | 13 -
1 file changed, 12
From: Mahesh Bandewar
Commit b89f04c61efe ("bonding: deliver link-local packets with
skb->dev set to link that packets arrived on") changed the behavior
of how link-local-multicast packets are processed. The change in
the behavior broke some legacy use cases where these packets
From: Mahesh Bandewar
Commit b89f04c61efe ("bonding: deliver link-local packets with
skb->dev set to link that packets arrived on") changed the behavior
of how link-local-multicast packets are processed. The change in
the behavior broke some legacy use cases where these packets
From: Mahesh Bandewar
Commit b89f04c61efe ("bonding: deliver link-local packets with
skb->dev set to link that packets arrived on") changed the behavior
of how link-local-multicast packets are processed. The change in
the behavior broke some legacy use cases where these packets
From: Mahesh Bandewar <mahe...@google.com>
Add a sysctl variable kernel.controlled_userns_caps_whitelist. Capability
mask is stored in kernel as kernel_cap_t type (array of u32). This sysctl
takes input as comma separated hex u32 words. For simplicity one could
see this sysctl to o
From: Mahesh Bandewar <mahe...@google.com>
TL;DR version
-
Creating a sandbox environment with namespaces is challenging
considering what these sandboxed processes can engage into. e.g.
CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name a few.
Current form of user-name
From: Mahesh Bandewar <mahe...@google.com>
With this new notion of "controlled" user-namespaces, the controlled
user-namespaces are marked at the time of their creation while the
capabilities of processes that belong to them are controlled using the
global mask.
Init-u
From: Mahesh Bandewar <mahe...@google.com>
This reverts commit 92ff42645028fa6f9b8aa767718457b9264316b4.
Even though the check added is not that taxing, it's not really needed.
First of all this will be per packet cost and second thing is that the
eth_type_trans() already does this cor
From: Mahesh Bandewar <mahe...@google.com>
While crossing namespace boundary IPvlan aggressively scrubs packets.
This is creating problems. First thing is that scrubbing changes the
packet type in skb meta-data to PACKET_HOST. This causes erroneous
packet delivery when dev_forward_skb
From: Mahesh Bandewar <mahe...@google.com>
IPvlan currently scrubs packets at every location where packets may be
crossing namespace boundary. Though this is desirable, currently IPvlan
does it more than necessary. e.g. packets that are going to take
dev_forward_skb() path will get scrub
From: Mahesh Bandewar <mahe...@google.com>
Packets that don't have dest mac as the mac of the master device should
not be entertained by the IPvlan rx-handler. This is mostly true as the
packet path mostly takes care of that, except when the master device is
a virtual device. As demons
From: Mahesh Bandewar <mahe...@google.com>
TL;DR version
-
Creating a sandbox environment with namespaces is challenging
considering what these sandboxed processes can engage into. e.g.
CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name a few.
Current form of user-name
From: Mahesh Bandewar <mahe...@google.com>
Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
takes input as capability mask expressed as two comma separated hex
u32 words. The mask, however, is stored in kernel as kernel_cap_t type.
Any capabilities that are no
From: Mahesh Bandewar <mahe...@google.com>
TL;DR version
-
Creating a sandbox environment with namespaces is challenging
considering what these sandboxed processes can engage into. e.g.
CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name a few.
Current form of user-name
From: Mahesh Bandewar <mahe...@google.com>
Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
takes input as capability mask expressed as two comma separated hex
u32 words. The mask, however, is stored in kernel as kernel_cap_t type.
Any capabilities that are no
From: Mahesh Bandewar <mahe...@google.com>
With this new notion of "controlled" user-namespaces, the controlled
user-namespaces are marked at the time of their creation while the
capabilities of processes that belong to them are controlled using the
global mask.
Init-u
From: Mahesh Bandewar <mahe...@google.com>
TL;DR version
-
Creating a sandbox environment with namespaces is challenging
considering what these sandboxed processes can engage into. e.g.
CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name a few.
Current form of user-name
From: Mahesh Bandewar <mahe...@google.com>
With this new notion of "controlled" user-namespaces, the controlled
user-namespaces are marked at the time of their creation while the
capabilities of processes that belong to them are controlled using the
global mask.
Init-u
From: Mahesh Bandewar <mahe...@google.com>
Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
takes input as capability mask expressed as two comma separated hex
u32 words. The mask, however, is stored in kernel as kernel_cap_t type.
Any capabilities that are no
From: Mahesh Bandewar <mahe...@google.com>
IPvlan supported bridge-only functionality prior to commits
a190d04db937 ('ipvlan: introduce 'private' attribute for all
existing modes.') and fe89aa6b250c ('ipvlan: implement VEPA mode').
These two commits allow to configure the VEPA and private
From: Mahesh Bandewar <mahe...@google.com>
IPvlan has always been operating in bridge-mode for its supported modes i.e.
if the packets are destined to the adjacent neighbor dev, then IPvlan driver
will switch the packet internally without needing the packets to hit the
wire or get routed. H
From: Mahesh Bandewar <mahe...@google.com>
This is very similar to the Macvlan VEPA mode, however, there is some
difference. IPvlan uses the mac-address of the lower device, so the VEPA
mode has implications of ICMP-redirects for packets destined for its
immediate neighbors sharing same
From: Mahesh Bandewar <mahe...@google.com>
IPvlan has always operated in bridge mode. However there are scenarios
where each slave should be able to talk through the master device but
not necessarily across each other. Think of an environment where each
of a namespace is a private and indep
From: Mahesh Bandewar <mahe...@google.com>
If the underlying master ever changes its L2 (e.g. bonding device),
then make sure that the IPvlan slaves always emit packets with the
current L2 of the master instead of the stale mac addr which was
copied during the device creation. The probl
From: Mahesh Bandewar <mahe...@google.com>
Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
takes input as capability mask expressed as two comma separated hex
u32 words. The mask, however, is stored in kernel as kernel_cap_t type.
Any capabilities that are no
From: Mahesh Bandewar <mahe...@google.com>
[Same as the previous RFC series sent on 9/21]
TL;DR version
-
Creating a sandbox environment with namespaces is challenging
considering what these sandboxed processes can engage into. e.g.
CVE-2017-6074, CVE-2017-7184, CVE-2017-73
From: Mahesh Bandewar <mahe...@google.com>
With this new notion of "controlled" user-namespaces, the controlled
user-namespaces are marked at the time of their creation while the
capabilities of processes that belong to them are controlled using the
global mask.
Init-u
From: Mahesh Bandewar <mahe...@google.com>
Some NIC drivers don't have correct speed/duplex settings at the
time they send NETDEV_UP notification and that messes up the
bonding state. Especially 802.3ad mode which is very sensitive
to these settings. In the current implementation we
From: Mahesh Bandewar <mahe...@google.com>
TL;DR version
-
Creating a sandbox environment with namespaces is challenging
considering what these sandboxed processes can engage into. e.g.
CVE-2017-6074, CVE-2017-7184, CVE-2017-7308 etc. just to name a few.
Current form of user-name
From: Mahesh Bandewar <mahe...@google.com>
With this new notion of "controlled" user-namespaces, the controlled
user-namespaces are marked at the time of their creation while the
capabilities of processes that belong to them are controlled using the
global mask.
Init-u
From: Mahesh Bandewar <mahe...@google.com>
Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
takes input as capability mask expressed as two comma separated hex
u32 words. The mask, however, is stored in kernel as kernel_cap_t type.
Any capabilities that are no
From: Mahesh Bandewar <mahe...@google.com>
If the ARP processing creates a neigh entry, it's immediately marked
as STALE without timer and stays that way in that state as long as
host does not send traffic to that neighbour.
I observed this on hosts which are in IPv6 environment,
From: Mahesh Bandewar <mahe...@google.com>
Net stack initialization currently initializes fib-trie after the
first call to netdevice_notifier() call. In fact fib_trie initialization
needs to happen before first rtnl_register(). It does not cause any problem
since there are no devi
From: Mahesh Bandewar <mahe...@google.com>
Net stack initialization currently initializes fib-trie after the
first call to netdevice_notifier() call. It does not cause any problem
since there are no devices UP at this moment, but trying to bring 'lo'
UP at initialization woul
From: Mahesh Bandewar <mahe...@google.com>
loopback devices are always brought up right after its initialization
including the case of network namespace creation. e.g.
ip netns add foo
ip -netns foo link set lo up
This patch will eliminate the need to do that separately and would
From: Mahesh Bandewar <mahe...@google.com>
In almost every scenario the loopback device is brought UP after
initialization. So there is no point of bringing up the device in
DOWN state followed by device UP operation. This change exposed
another issue of fib-trie initialization which is cor
From: Mahesh Bandewar <mahe...@google.com>
Every address gets added with TENTATIVE flag even for the addresses with
IFA_F_NODAD flag and dad-work is scheduled for them. During this DAD process
we realize it's an address with NODAD and complete the process without
sending any probe. H
From: Mahesh Bandewar <mahe...@google.com>
A process inside random user-ns should not load a module, which is
currently possible. As demonstrated in following scenario -
Create namespaces; especially a user-ns and become root inside.
$ unshare -rfUp -- unshare -unm -- bash
Try t
From: Mahesh Bandewar <mahe...@google.com>
Earlier patch 4493b81bea ("bonding: initialize work-queues during
creation of bond") moved the work-queue initialization from bond_open()
to bond_create(). However this caused the link those are created using
netlink 'create bond opti
From: Mahesh Bandewar <mahe...@google.com>
Earlier patch 4493b81bea ("bonding: initialize work-queues during
creation of bond") moved the work-queue initialization from bond_open()
to bond_create(). However this caused the link those are created using
netlink 'create bond opti
From: Mahesh Bandewar <mahe...@google.com>
When link transitions from LINK_FAIL to LINK_UP, the commit phase is
not called. This leads to an erroneous state causing slave-link state to
get stuck in "going down" state while its speed and duplex are perfectly
fine. This issue
From: Mahesh Bandewar <mahe...@google.com>
Earlier patch c4adfc822bf5 ("bonding: make speed, duplex setting
consistent with link state") made an attempt to keep slave state
consistent with speed and duplex settings. Unfortunately link-state
transition is used to change the active
From: Mahesh Bandewar <mahe...@google.com>
bond_miimon_commit() marks the link UP after attempting to get the speed
and duplex settings for the link. There is a possibility that
bond_update_speed_duplex() could fail. This is another place where it
could result into an inconsistent bondin
From: Mahesh Bandewar <mahe...@google.com>
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net/bonding/bond_3ad.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index
From: Mahesh Bandewar <mahe...@google.com>
The primary issue is that mii-inspect phase updates link-state and
expects changes to be committed during the mii-commit phase. After
the inspect phase if it fails to acquire rtnl-mutex, the commit
phase (bond_mii_commit) doesn't get
From: Mahesh Bandewar <mahe...@google.com>
Split the function into two (a) propose (b) commit phase without
changing the semantics for the original API.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
include/net/bonding.h | 22 +-
1 file changed, 17 inse
From: Mahesh Bandewar <mahe...@google.com>
The mii monitoring is divided into two phases - inspect and commit. The
inspect phase technically should not make any changes to the state and
defer it to the commit phase. However detected link state inconsistencies
on several machines and disc
From: Mahesh Bandewar <mahe...@google.com>
bond_update_speed_duplex() retrieves speed and duplex settings. There
is a possibility of failure in retrieving these values but caller has
to assume it's always successful. This leads to having inconsistent
slave link settings. If these (speed,
From: Mahesh Bandewar <mahe...@google.com>
Few cleanup patches that I have accumulated over some time now.
(a) First two patches are basically to move the work-queue initialization
from every ndo_open / bond_open operation to once at the beginning while
port creation. Work
From: Mahesh Bandewar <mahe...@google.com>
Initializing work-queues every time ifup operation performed is unnecessary
and can be performed only once when the port is created.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net/bonding/bond_main.c | 4 ++--
1 fil
From: Mahesh Bandewar <mahe...@google.com>
In preparation to move the work-queue initialization to port creation
from current port_open phase. Work-queue initialization does not make
sense every time we do 'ifup/ifdown'. So moving to port creation phase.
Arp monitoring work d
From: Mahesh Bandewar <mahe...@google.com>
LACP state-machine defines "port-moved" state when the same ActorSystemID
and Port are seen in a LACPDU received on different port. The state is
never set since it's not implemented. However the state-machine attempts
to clear that st
From: Mahesh Bandewar <mahe...@google.com>
Many of the bond param variables are declared global while it's not
really necessary for these variables to be global. So moving them to
the location these are used.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers
From: Mahesh Bandewar <mahe...@google.com>
Eliminate hard-coded value and use the default that is set.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net/bonding/bond_main.c | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers
From: Mahesh Bandewar <mahe...@google.com>
Eliminate hard-coded value and use the default that is set.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net/bonding/bond_main.c | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers
From: Mahesh Bandewar <mahe...@google.com>
In preparation to move the work-queue initialization to port creation
from current port_open phase. Work-queue initialization does not make
sense every time we do 'ifup/ifdown'. So moving to port creation phase.
Arp monitoring work d
From: Mahesh Bandewar <mahe...@google.com>
LACP state-machine defines "port-moved" state when the same ActorSystemID
and Port are seen in a LACPDU received on different port. The state is
never set since it's not implemented. However the state-machine attempts
to clear that st
From: Mahesh Bandewar <mahe...@google.com>
Initializing work-queues every time ifup operation performed is unnecessary
and can be performed only once when the port is created.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net/bonding/bond_main.c | 4 ++--
1 fil
From: Mahesh Bandewar <mahe...@google.com>
Few cleanup patches that I have accumulated over some time now.
(a) First two patches are basically to move the work-queue initialization
from every ndo_open / bond_open operation to once at the beginning while
port creation. Work
From: Mahesh Bandewar <mahe...@google.com>
netdev_rx_handler_register() was recently split into two parts - (a) check
if the handler is used, (b) register the new handler, parts. This is
helpful in scenarios like bonding where at the time of registration there
is too much state to
From: Mahesh Bandewar <mahe...@google.com>
netdev_is_rx_handler_busy() check is a superset of netif_is_ipvlan_port()
check and hence should be preferred.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net/macvlan.c | 2 +-
1 file changed, 1 insertion(+), 1 delet
From: Mahesh Bandewar <mahe...@google.com>
netdev_rx_handler_register() checks to see if the handler is already
busy which was recently separated into netdev_is_rx_handler_busy(). So
use the same function inside register() to avoid code duplication.
Essentially this change should be a
From: Mahesh Bandewar <mahe...@google.com>
IPvlan checks if the master device is already used by checking a
specific device (here it's macvlan device). This is technically not
sufficient and it should just ensure the rx_handler is busy or not.
This would be a super check that includes m
From: Mahesh Bandewar <mahe...@google.com>
In the last patch da36e13cf65 ("ipvlan: improvise dev_id generation
logic in IPvlan") I missed some part of Dave's suggestion and because
of that the dev_id creation could fail in a corner case scenario. This
would happen when more or
From: Mahesh Bandewar <mahe...@google.com>
The patch 009146d117b ("ipvlan: assign unique dev-id for each slave
device.") used ida_simple_get() to generate dev_ids assigned to the
slave devices. However (Eric has pointed out that) there is a shortcoming
with that approach a
From: Mahesh Bandewar <mahe...@google.com>
The patch 009146d117b ("ipvlan: assign unique dev-id for each slave
device.") used ida_simple_get() to generate dev_ids assigned to the
slave devices. However (Eric has pointed out that) there is a shortcoming
with that approach a
From: Mahesh Bandewar <mahe...@google.com>
RTM_NEWADDR notification is sent when IFA_F_TENTATIVE is cleared from
the address. So if the address is added and deleted before DAD probes
completes, the RTM_DELADDR will be sent for which there was no
RTM_NEWADDR causing asymmetry in notifi
From: Mahesh Bandewar <mahe...@google.com>
IPvlan setup uses one mac-address (of master). The IPv6 link-local
addresses are derived using the mac-address on the link. Lack of
dev-ids makes these link-local addresses same for all slaves including
that of master device. dev-ids are necessary
From: Mahesh Bandewar <mahe...@google.com>
In an IPvlan setup when master is set in loopback mode e.g.
ethtool -K eth0 set loopback on
where eth0 is master device for IPvlan setup.
The failure is caused by the faulty logic that determines if the
packet is from TX-path vs. RX-path b
From: Mahesh Bandewar <mahe...@google.com>
In an IPvlan setup when master is set in loopback mode e.g.
ethtool -K eth0 set loopback on
where eth0 is master device for IPvlan setup.
The failure actually happens while processing multicast packets
but that's a result of unconditi
From: Mahesh Bandewar <mahe...@google.com>
[ cut here ]
kernel BUG at include/linux/skbuff.h:1737!
Call Trace:
[] dev_forward_skb+0x92/0xd0
[] ipvlan_process_multicast+0x395/0x4c0 [ipvlan]
[] ? ipvlan_process_multicast+0xd7/0x4c0 [ipvlan]
[] ? process_one_work
From: Mahesh Bandewar <mahe...@google.com>
If initial broadcast probe(s) is/are lost, the neigh entry won't have
valid address of the neighbour. In a situation like this, the fall
back should be to send a broadcast probe, however the code logic
continues sending ucast probes to 00:00:00:00
From: Mahesh Bandewar <mahe...@google.com>
The new mode 'l3s' can be set like -
ip link add link dev type ipvlan mode l3s
e.g. ip link add link eth0 dev ipvl0 type ipvlan mode l3s
Also did some trivial code restructuring.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
From: Mahesh Bandewar <mahe...@google.com>
kbuild-build-bot reported that if NETFILTER is not selected, the
build fails pointing to netfilter symbols.
Fixes: 4fbae7d83c98 ("ipvlan: Introduce l3s mode")
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
drivers/net
From: Mahesh Bandewar <mahe...@google.com>
Add _nf_register_hooks() and _nf_unregister_hooks() calls which allow
caller to hold RTNL mutex.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
CC: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter.h | 2 ++
ne
From: Mahesh Bandewar <mahe...@google.com>
In a typical IPvlan L3 setup where master is in default-ns and
each slave is into different (slave) ns. In this setup egress
packet processing for traffic originating from slave-ns will
hit all NF_HOOKs in slave-ns as well as default-ns. Howeve
From: Mahesh Bandewar <mahe...@google.com>
Same old problem with new approach especially from suggestions from
earlier patch-series.
First thing is that this is introduced as a new mode rather than
modifying the old (L3) mode. So the behavior of the existing modes is
pre
From: Mahesh Bandewar <mahe...@google.com>
Make ip6_route_input_lookup available outside of the ipv6 module
similar to ip_route_input_noref in the IPv4 world.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
include/net/ip6_route.h | 3 +++
net/ipv6/route.c| 7
From: Mahesh Bandewar <mahe...@google.com>
Same old problem with new approach especially from suggestions from
earlier patch-series.
First thing is that this is introduced as a new mode rather than
modifying the old (L3) mode. So the behavior of the existing modes is
pre
From: Mahesh Bandewar <mahe...@google.com>
Add _nf_register_hooks() and _nf_unregister_hooks() calls which allow
caller to hold RTNL mutex.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
CC: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter.h | 2 ++
ne
From: Mahesh Bandewar <mahe...@google.com>
Make ip6_route_input_lookup available outside of the ipv6 module
similar to ip_route_input_noref in the IPv4 world.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
include/net/ip6_route.h | 3 +++
net/ipv6/route.c| 7
From: Mahesh Bandewar <mahe...@google.com>
In a typical IPvlan L3 setup where master is in default-ns and
each slave is into different (slave) ns. In this setup egress
packet processing for traffic originating from slave-ns will
hit all NF_HOOKs in slave-ns as well as default-ns. Howeve
From: Mahesh Bandewar <mahe...@google.com>
In a typical IPvlan L3 setup where master is in default-ns and
each slave is into different (slave) ns. In this setup egress
packet processing for traffic originating from slave-ns will
hit all NF_HOOKs in slave-ns as well as default-ns. Howeve
From: Mahesh Bandewar <mahe...@google.com>
Add _nf_register_hooks() and _nf_unregister_hooks() calls which allow
caller to hold RTNL mutex.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
CC: Pablo Neira Ayuso <pa...@netfilter.org>
---
include/linux/netfilter.h | 2 ++
ne
From: Mahesh Bandewar <mahe...@google.com>
Make ip6_route_input_lookup available outside of the ipv6 module
similar to ip_route_input_noref in the IPv4 world.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
include/net/ip6_route.h | 3 +++
net/ipv6/route.c| 7
From: Mahesh Bandewar <mahe...@google.com>
Same old problem with new approach especially from suggestions from
earlier patch-series.
First thing is that this is introduced as a new mode rather than
modifying the old (L3) mode. So the behavior of the existing modes is
pre
From: Mahesh Bandewar <mahe...@google.com>
Add _nf_register_hooks() and _nf_unregister_hooks() calls which allow
caller to hold RTNL mutex.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
include/linux/netfilter.h | 2 ++
net/netfilter/core
From: Mahesh Bandewar <mahe...@google.com>
Make ip6_route_input_lookup available outside of the ipv6 module
similar to ip_route_input_noref in the IPv4 world.
Signed-off-by: Mahesh Bandewar <mahe...@google.com>
---
include/net/ip6_route.h | 3 +++
net/ipv6/route.c| 7
1 - 100 of 180 matches