RESEND: [PATCH] Interface Stat Clearing Framework, skge support, ethtool support

2006-05-18 Thread Phil Dibowitz
Resending this - saw no response.

Hey folks,

A few months back I posted an in-progress patch for adding a clear_stats
framework similar to the get_stats framework and implementing support
for it in the skge driver (the one NIC I have access to), as well as
adding the ethtool support for it.

While a few people said they didn't see the need for it, other people
did see the need for it, and I know it's a common request on many
sysadmin mailing lists I'm on.

Since no one seemed to have any technical issue with the patch, I've
cleaned up the patch, tested it, and fixed a few minor issues.

Unless someone has an objection, I'd think this would be useful to a lot
of people.

There are two patches attached:

interface_stats_clear.patch - the kernel patch against 2.6.17-rc3-git2
ethtool3-clearstats.patch - the ethtool patch to add the -z flag to
support it.

If the kernel patch gets accepted I'll send a more complete ethtool
patch with documentation updates, etc.

Thanks.
-- 
Phil Dibowitz [EMAIL PROTECTED]
Freeware and Technical Pages  Insanity Palace of Metallica
http://www.phildev.net/   http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
matter and those who matter don't mind."
 - Dr. Suess



This patch adds support for clearing interface statistics using the ethtool interface, adding a new 0x23 command. It adds a clear_stats function pointer to the net_device struct, and then implements local functions in the driver much the same way get_stats works. The ethtool function pointer points to the same functions. The driver-local functions are currently only implemented in the skge driver.

Signed-off-by: Phil Dibowitz <[EMAIL PROTECTED]>

---


diff -puN include/linux/netdevice.h~interface_stats_clear include/linux/netdevice.h
--- linux-2.6.17-rc3-git2/include/linux/netdevice.h~interface_stats_clear	2006-04-29 19:44:41.0 -0700
+++ linux-2.6.17-rc3-git2-phil/include/linux/netdevice.h	2006-04-29 19:44:41.0 -0700
@@ -319,6 +319,7 @@ struct net_device
 
 
 	struct net_device_stats* (*get_stats)(struct net_device *dev);
+	void (*clear_stats)(struct net_device *dev);
 	struct iw_statistics*	(*get_wireless_stats)(struct net_device *dev);
 
 	/* List of functions to handle Wireless Extensions (instead of ioctl).
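Review bot: the new `clear_stats` method returns `void`, so a driver whose hardware cannot clear a particular counter, or that fails part-way through, has no way to report that back to the ethtool caller; consider returning `int` so the ioctl can propagate an error. It is also worth stating in the description why a second entry point on `struct net_device` is needed at all, given that the skge hunk below wires the very same function into `ethtool_ops` as `.clear_ethtool_stats`.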
diff -puN drivers/net/skge.c~interface_stats_clear drivers/net/skge.c
--- linux-2.6.17-rc3-git2/drivers/net/skge.c~interface_stats_clear	2006-04-29 19:44:41.0 -0700
+++ linux-2.6.17-rc3-git2-phil/drivers/net/skge.c	2006-04-29 19:44:41.0 -0700
@@ -44,7 +44,7 @@
 #include "skge.h"
 
 #define DRV_NAME		"skge"
-#define DRV_VERSION		"1.5"
+#define DRV_VERSION		"1.6"
 #define PFX			DRV_NAME " "
 
 #define DEFAULT_TX_RING_SIZE	128
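Review bot: bumping DRV_VERSION from 1.5 to 1.6 inside a feature patch is normally left to the driver maintainer, since it collides with any other skge change in flight; drop this hunk unless the maintainer asked for it.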
@@ -97,6 +97,8 @@ static int xm_phy_write(struct skge_hw *
 static int gm_phy_write(struct skge_hw *hw, int port, u16 reg, u16 val);
 static void genesis_get_stats(struct skge_port *skge, u64 *data);
 static void yukon_get_stats(struct skge_port *skge, u64 *data);
+static void genesis_clear_stats(struct skge_port *skge);
+static void yukon_clear_stats(struct skge_port *skge);
 static void yukon_init(struct skge_hw *hw, int port);
 static void genesis_mac_init(struct skge_hw *hw, int port);
 static void genesis_link_up(struct skge_port *skge);
@@ -366,6 +368,15 @@ static struct net_device_stats *skge_get
 	return &skge->net_stats;
 }
 
+static void skge_clear_stats(struct net_device *dev)
+{
+	struct skge_port *skge = netdev_priv(dev);
+	if (skge->hw->chip_id == CHIP_ID_GENESIS)
+		genesis_clear_stats(skge);
+	else
+		yukon_clear_stats(skge);
+}
+
 static void skge_get_strings(struct net_device *dev, u32 stringset, u8 *data)
 {
 	int i;
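Review bot: `skge_clear_stats()` only resets the hardware MIB counters; it does not touch `skge->net_stats`, the `struct net_device_stats` that `skge_get_stats()` just above returns. Any field in that structure that the driver accumulates itself rather than recomputing from the hardware on every `get_stats` call (error and drop counters are the usual suspects) will survive the clear, so either zero those fields here or state in the description exactly which counters the operation covers.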
@@ -722,6 +733,7 @@ static struct ethtool_ops skge_ethtool_o
 	.phys_id	= skge_phys_id,
 	.get_stats_count = skge_get_stats_count,
 	.get_ethtool_stats = skge_get_ethtool_stats,
+	.clear_ethtool_stats = skge_clear_stats,
 	.get_perm_addr	= ethtool_op_get_perm_addr,
 };
 
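Review bot: `.clear_ethtool_stats` is not a member of `struct ethtool_ops` in any visible hunk, and no hunk of this patch touches `include/linux/ethtool.h` or `net/core/ethtool.c` even though the description promises a new 0x23 ethtool command; as posted, this line will not compile. Include the ethtool core changes (or split them into a preceding patch) so the series builds at every step.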
@@ -1383,6 +1395,20 @@ static void genesis_get_stats(struct skg
 		data[i] = xm_read32(hw, port, skge_stats[i].xmac_offset);
 }
 
+static void genesis_clear_stats(struct skge_port *skge)
+{
+	struct skge_hw *hw = skge->hw;
+	int port = skge->port;
+
+	/*
+	 * This is based on reading other parts of the driver
+	 * and is not yet tested.
+	 */
+
+	xm_write16(hw, port, XM_STAT_CMD, 0 | XM_SC_CLR_RXC
+			| XM_SC_CLR_TXC);
+}
+
 static void genesis_mac_intr(struct skge_hw *hw, int port)
 {
 	struct skge_port *skge = netdev_priv(hw->dev[port]);
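Review bot: the comment admitting that `genesis_clear_stats()` is untested should not go into the tree; either test it on Genesis hardware or leave `clear_stats` unavailable for that chip rather than ship a write to XM_STAT_CMD nobody has exercised. Minor: the leading `0 |` in `0 | XM_SC_CLR_RXC | XM_SC_CLR_TXC` is redundant.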
@@ -1871,6 +1897,21 @@ static void yukon_get_stats(struct skge_
 	  skge_stats[i].gma_offset);
 }
 
+static void yukon_clear_stats(struct skge_port *skge)
+{
+	struct skge_hw *hw = skge->hw;
+	int port = skge->port;
+	u16 reg;
+	int i;
+
+	reg = gma_read16(hw, port, GM_PHY_ADDR);
+	/* this read is important, or we sometimes get no effect */
+	gma_write16(hw, port, GM_PHY_ADDR, reg | GM_PAR_MIB_CLR);
+	for (i = 0; i < GM
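Review bot: in `yukon_clear_stats()` the comment `/* this read is important, or we sometimes get no effect */` sits after the `gma_read16()` it describes and before the write; move it above the read and say why the read matters, since the dependence is not obvious from the code. The visible part of the hunk sets `GM_PAR_MIB_CLR` in GM_PHY_ADDR and never clears it again; if the code that follows (cut off in this copy) does not write the register back with the bit cleared, confirm from the chip documentation that leaving it set is harmless.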

Re: ipsec tunnel asymmetrical mtu

2006-05-18 Thread Marco Berizzi

Marco Berizzi wrote:
> Herbert Xu wrote:
>> However, the fact that the tcpdump causes more chunky packets to
>> make it through could be an indication that there is a bug somewhere
>> in our NAT/IPsec code or at least a suboptimal memory allocation
>> strategy that's somehow avoided when AF_PACKET pins the skb down.

JFYI: same problem with 2.6.17-rc4-git5


-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCHSET 0/7] SECMARK 2.0

2006-05-18 Thread James Morris
The following patchset is an updated version of secmark, which I'd like to 
propose for inclusion in either Dave or Andrew's tree for subsequent merge 
into mainline during the 2.6.18 merge window.

Secmark implements a new scheme for adding security markings to packets 
via iptables, as well as changes to SELinux to use these markings for 
security policy enforcement.  The rationale for this scheme is explained 
and discussed in detail in the original threads: 
http://thread.gmane.org/gmane.linux.network/34927/ 
http://thread.gmane.org/gmane.linux.network/35244/

Since the last posting, I've fully separated the conntrack-related 
functionality of SECMARK into the CONNSECMARK target, following the 
original suggestion by Patrick McHardy.  This indeed keeps the code 
cleaner and only requires one extra rule per service.  I've also added a 
boot param for SELinux to control whether the new packet controls are used 
or not.

Examples of policy and rulesets, as well as a full archive of patches for 
iptables and SELinux userland, may be found at:
http://people.redhat.com/jmorris/selinux/secmark/

The code has been tested with various compilation options and in several 
scenarios, including with 'complicated' protocols such as FTP and also 
with the new generic conntrack code with IPv6 connection tracking.

I'm not sure if this would be better in Dave or Andrew's tree.  It touches 
a lot of the core networking, although not very heavily, and most of the 
Netfilter stuff is new targets.  There's already an SELinux patch in -mm 
which affects the SELinux components in this patchset (I rebased against 
current -mm because of this).

I'll send the Netfilter userland patches separately to the netfilter 
developers.

Cumulative diffstat:

 Documentation/kernel-parameters.txt  |9 +
 include/linux/netfilter/xt_CONNSECMARK.h |   13 +
 include/linux/netfilter/xt_SECMARK.h |   26 ++
 include/linux/netfilter_ipv4/ip_conntrack.h  |4 
 include/linux/selinux.h  |   32 +++
 include/linux/skbuff.h   |   22 ++
 include/net/netfilter/nf_conntrack.h |4 
 include/net/netfilter/nf_conntrack_compat.h  |   26 ++
 net/Kconfig  |7 
 net/core/skbuff.c|3 
 net/ipv4/ip_output.c |1 
 net/ipv4/netfilter/Kconfig   |   12 +
 net/ipv4/netfilter/ip_conntrack_core.c   |3 
 net/ipv4/netfilter/ip_conntrack_standalone.c |5 
 net/ipv4/netfilter/ipt_REJECT.c  |1 
 net/ipv6/ip6_output.c|1 
 net/netfilter/Kconfig|   32 +++
 net/netfilter/Makefile   |2 
 net/netfilter/nf_conntrack_core.c|3 
 net/netfilter/nf_conntrack_standalone.c  |5 
 net/netfilter/xt_CONNSECMARK.c   |  155 +
 net/netfilter/xt_SECMARK.c   |  156 +
 security/selinux/Kconfig |2 
 security/selinux/exports.c   |   22 ++
 security/selinux/hooks.c |  241 ++-
 security/selinux/include/av_perm_to_string.h |3 
 security/selinux/include/av_permissions.h|3 
 security/selinux/include/class_to_string.h   |1 
 security/selinux/include/flask.h |1 
 security/selinux/include/xfrm.h  |2 
 security/selinux/selinuxfs.c |   59 ++
 security/selinux/xfrm.c  |   12 -
 32 files changed, 747 insertions(+), 121 deletions(-)


-- 
James Morris
<[EMAIL PROTECTED]>


[PATCH 01/07] secmark: Add new flask definitions to SELinux

2006-05-18 Thread James Morris
This patch adds support for a new object class ('packet'), and associated 
permissions ('send', 'recv', 'relabelto').  These are used to enforce 
security policy for network packets labeled with SECMARK, and for adding 
labeling rules.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 security/selinux/include/av_perm_to_string.h |3 +++
 security/selinux/include/av_permissions.h|3 +++
 security/selinux/include/class_to_string.h   |1 +
 security/selinux/include/flask.h |1 +
 4 files changed, 8 insertions(+)

diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/security/selinux/include/av_permissions.h 
linux-2.6.17-rc4-mm1.w/security/selinux/include/av_permissions.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/av_permissions.h
2006-05-16 23:35:11.0 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/av_permissions.h
2006-05-17 01:13:15.0 -0400
@@ -956,3 +956,6 @@
 #define APPLETALK_SOCKET__SEND_MSG0x0010UL
 #define APPLETALK_SOCKET__NAME_BIND   0x0020UL
 
+#define PACKET__SEND  0x0001UL
+#define PACKET__RECV  0x0002UL
+#define PACKET__RELABELTO 0x0004UL
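Review bot: these four headers are generated from the policy's flask definitions (`security_classes` and `access_vectors`) rather than edited by hand, so the description should point at the matching refpolicy change and say that the header hunks were regenerated from it; a hand-edited header that drifts from the policy source is a recurring cause of mismatched class and permission numbers.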
diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/security/selinux/include/av_perm_to_string.h 
linux-2.6.17-rc4-mm1.w/security/selinux/include/av_perm_to_string.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/av_perm_to_string.h 
2006-03-20 00:53:29.0 -0500
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/av_perm_to_string.h 
2006-05-17 01:13:33.0 -0400
@@ -239,3 +239,6 @@
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+   S_(SECCLASS_PACKET, PACKET__SEND, "send")
+   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/security/selinux/include/class_to_string.h 
linux-2.6.17-rc4-mm1.w/security/selinux/include/class_to_string.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/class_to_string.h   
2006-05-16 23:35:11.0 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/class_to_string.h   
2006-05-17 01:10:46.0 -0400
@@ -59,3 +59,4 @@
 S_("association")
 S_("netlink_kobject_uevent_socket")
 S_("appletalk_socket")
+S_("packet")
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/include/flask.h 
linux-2.6.17-rc4-mm1.w/security/selinux/include/flask.h
--- linux-2.6.17-rc4-mm1.p/security/selinux/include/flask.h 2006-05-16 
23:35:11.0 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/include/flask.h 2006-05-17 
01:09:43.0 -0400
@@ -61,6 +61,7 @@
 #define SECCLASS_ASSOCIATION 54
 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET   55
 #define SECCLASS_APPLETALK_SOCKET56
+#define SECCLASS_PACKET  57
 
 /*
  * Security identifier indices for initial entities


[PATCH 02/07] secmark: Add SELinux exports

2006-05-18 Thread James Morris
This patch adds new functions to the in-kernel SELinux API in 
support of the new secmark-based packet controls.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 include/linux/selinux.h|   32 
 security/selinux/exports.c |   22 ++
 2 files changed, 54 insertions(+)


diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/selinux.h 
linux-2.6.17-rc4-mm1.w/include/linux/selinux.h
--- linux-2.6.17-rc4-mm1.p/include/linux/selinux.h  2006-05-17 
01:03:34.0 -0400
+++ linux-2.6.17-rc4-mm1.w/include/linux/selinux.h  2006-05-17 
01:18:57.0 -0400
@@ -118,6 +118,27 @@ void selinux_get_ipc_sid(const struct ke
  */
 void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
 
+/**
+ * selinux_string_to_sid - map a security context string to a security ID
+ * @str: the security context string to be mapped
+ * @sid: ID value returned via this.
+ *
+ * Returns 0 if successful, with the SID stored in sid.  A value
+ * of zero for sid indicates no SID could be determined (but no error
+ * occurred).
+ */
+int selinux_string_to_sid(char *str, u32 *sid);
+
+/**
+ * selinux_relabel_packet_permission - check permission to relabel a packet
+ * @sid: ID value to be applied to network packet (via SECMARK, most 
likely)
+ *
+ * Returns 0 if the current task is allowed to label packets with the
+ * supplied security ID.  Note that it is implicit that the packet is 
always
+ * being relabeled from the default unlabled value, and that the access
+ * control decision is made in the AVC.
+ */
+int selinux_relabel_packet_permission(u32 sid);
 
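Review bot: the `selinux_string_to_sid()` contract, where a return of 0 with `*sid == 0` means "no SID could be determined", reuses the value that patch 03 gives an unlabelled packet (`skb_init_secmark()` sets `secmark = 0`). Spell out in the comment when that case arises (from the exports.c hunk it is the SELinux-disabled path) and that a caller loading a labelling rule must treat a zero SID as "do not install this rule", otherwise a rule could be accepted that leaves packets unlabelled without anyone noticing.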
 #else
 
@@ -172,6 +193,17 @@ static inline void selinux_get_task_sid(
*sid = 0;
 }
 
+static inline int selinux_string_to_sid(const char *str, u32 *sid)
+{
+   *sid = 0;
+   return 0;
+}
+
+static inline int selinux_relabel_packet_permission(u32 sid)
+{
+   return 0;
+}
+
 #endif /* CONFIG_SECURITY_SELINUX */
 
 #endif /* _LINUX_SELINUX_H */
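Review bot: the `CONFIG_SECURITY_SELINUX`-disabled stub declares `selinux_string_to_sid(const char *str, u32 *sid)` while the prototype in the previous hunk and the definition in exports.c use `char *str`; pick one (`const char *` is the right choice, the string is only read) so callers compile identically in both configurations.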
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/exports.c 
linux-2.6.17-rc4-mm1.w/security/selinux/exports.c
--- linux-2.6.17-rc4-mm1.p/security/selinux/exports.c   2006-05-17 
01:03:34.0 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/exports.c   2006-05-17 
01:18:57.0 -0400
@@ -72,3 +72,25 @@ void selinux_get_task_sid(struct task_st
*sid = 0;
 }
 
+int selinux_string_to_sid(char *str, u32 *sid)
+{
+   if (selinux_enabled)
+   return security_context_to_sid(str, strlen(str), sid);
+   else {
+   *sid = 0;
+   return 0;
+   }
+}
+EXPORT_SYMBOL_GPL(selinux_string_to_sid);
+
+int selinux_relabel_packet_permission(u32 sid)
+{
+   if (selinux_enabled) {
+   struct task_security_struct *tsec = current->security;
+   
+   return avc_has_perm(tsec->sid, sid, SECCLASS_PACKET,
+   PACKET__RELABELTO, NULL);
+   }
+   return 0;
+}
+EXPORT_SYMBOL_GPL(selinux_relabel_packet_permission);
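Review bot: `selinux_relabel_packet_permission()` passes `NULL` as the audit data to `avc_has_perm()`, so a denial appears in the audit log with only the source and target SIDs and no hint of which rule or context string triggered it; an `avc_audit_data` carrying the requested context would make denials far easier to diagnose. Also, `selinux_string_to_sid()` calls `strlen(str)` on a caller-supplied buffer, so the caller (the SECMARK target's rule validation) must guarantee NUL termination before calling it.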


[PATCH 03/07] secmark: Add secmark support to core networking.

2006-05-18 Thread James Morris
This patch adds a secmark field to the skbuff structure, to allow security 
subsystems to place security markings on network packets.  This is similar 
to the nfmark field, except it is intended for implementing security policy, 
rather than networking policy.

This patch was already acked in principle by Dave Miller.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 include/linux/skbuff.h  |   22 ++
 net/Kconfig |7 +++
 net/core/skbuff.c   |3 ++-
 net/ipv4/ip_output.c|1 +
 net/ipv4/netfilter/ipt_REJECT.c |1 +
 net/ipv6/ip6_output.c   |1 +
 6 files changed, 34 insertions(+), 1 deletion(-)


diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/include/linux/skbuff.h 
linux-2.6.17-rc4-mm1.w/include/linux/skbuff.h
--- linux-2.6.17-rc4-mm1.p/include/linux/skbuff.h   2006-05-17 
01:04:35.0 -0400
+++ linux-2.6.17-rc4-mm1.w/include/linux/skbuff.h   2006-05-17 
01:29:36.0 -0400
@@ -208,6 +208,7 @@ enum {
  * @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
  * @tc_index: Traffic control index
  * @tc_verd: traffic control verdict
+ * @secmark: security marking
  */
 
 struct sk_buff {
@@ -284,6 +285,9 @@ struct sk_buff {
__u16   tc_verd;/* traffic control verdict */
 #endif
 #endif
+#ifdef CONFIG_NETWORK_SECMARK
+   __u32   secmark;
+#endif
 
 
/* These elements must be at the end, see alloc_skb() for details.  */
@@ -1395,5 +1399,23 @@ static inline void nf_reset(struct sk_bu
 static inline void nf_reset(struct sk_buff *skb) {}
 #endif /* CONFIG_NETFILTER */
 
+#ifdef CONFIG_NETWORK_SECMARK
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff 
*from)
+{
+   to->secmark = from->secmark;
+}
+
+static inline void skb_init_secmark(struct sk_buff *skb)
+{
+   skb->secmark = 0;
+}
+#else
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff 
*from)
+{ }
+
+static inline void skb_init_secmark(struct sk_buff *skb)
+{ }
+#endif
+
 #endif /* __KERNEL__ */
 #endif /* _LINUX_SKBUFF_H */
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/core/skbuff.c 
linux-2.6.17-rc4-mm1.w/net/core/skbuff.c
--- linux-2.6.17-rc4-mm1.p/net/core/skbuff.c2006-05-17 01:04:35.0 
-0400
+++ linux-2.6.17-rc4-mm1.w/net/core/skbuff.c2006-05-17 01:29:36.0 
-0400
@@ -464,7 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff
n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
C(input_dev);
 #endif
-
+   skb_copy_secmark(n, skb);
 #endif
C(truesize);
atomic_set(&n->users, 1);
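Review bot: the new `skb_copy_secmark(n, skb)` call in `skb_clone()` is placed between two `#endif` lines, i.e. still inside the conditional block that the second `#endif` closes, so the secmark is only copied to clones when that configuration option happens to be enabled. Move the call below the outer `#endif`, next to `C(truesize);`, so clones carry the mark in every configuration; otherwise a labelled packet can silently become unlabelled wherever the stack clones it.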
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_bu
 #endif
new->tc_index   = old->tc_index;
 #endif
+   skb_copy_secmark(new, old);
atomic_set(&new->users, 1);
skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/ip_output.c 
linux-2.6.17-rc4-mm1.w/net/ipv4/ip_output.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/ip_output.c 2006-05-17 01:04:35.0 
-0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/ip_output.c 2006-05-17 01:29:36.0 
-0400
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_b
nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+   skb_copy_secmark(to, from);
 }
 
 /*
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ipt_REJECT.c 
linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ipt_REJECT.c  2006-05-17 
01:04:35.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ipt_REJECT.c  2006-05-17 
01:29:36.0 -0400
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *o
/* This packet will not be the same as the other: clear nf fields */
nf_reset(nskb);
nskb->nfmark = 0;
+   skb_init_secmark(nskb);
 
tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
 
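Review bot: resetting the secmark on the synthesised RST is right, since the reset is a new packet and not the one being rejected, but the diffstat lists no corresponding change to the IPv6 REJECT target, whose `send_reset()` builds a fresh skb in the same way, so IPv6 resets are not covered. Add `skb_init_secmark()` there as well.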
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/ipv6/ip6_output.c 
linux-2.6.17-rc4-mm1.w/net/ipv6/ip6_output.c
--- linux-2.6.17-rc4-mm1.p/net/ipv6/ip6_output.c2006-05-17 
01:04:35.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv6/ip6_output.c2006-05-17 
01:29:36.0 -0400
@@ -458,6 +458,7 @@ static void ip6_copy_metadata(struct sk_
nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+   skb_copy_secmark(to, from);
 }
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/Kconfig 
linux-2.6.17-rc4-mm1.w/net/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/Kconfig  2006-05-17 01:04:35.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/Kconfig  2006-05-17 01:29:36.0 -0400
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
 
 endif # if INET
 
+config NETWORK_SECMARK
+   bool "Security Marking"
+   

[PATCH 04/07] secmark: Add xtables SECMARK target

2006-05-18 Thread James Morris
This patch adds a SECMARK target to xtables, allowing the admin to apply 
security marks to packets via both iptables and ip6tables.

The target currently handles SELinux security marking, but can be extended 
for other purposes as needed.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 include/linux/netfilter/xt_SECMARK.h |   26 +
 net/netfilter/Kconfig|9 ++
 net/netfilter/Makefile   |1 
 net/netfilter/xt_SECMARK.c   |  156 +++
 4 files changed, 192 insertions(+)

diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_SECMARK.h 
linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_SECMARK.h
--- linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_SECMARK.h 1969-12-31 
19:00:00.0 -0500
+++ linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_SECMARK.h 2006-05-17 
01:31:26.0 -0400
@@ -0,0 +1,26 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the 
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL   0x01/* SELinux */
+#define SECMARK_SELCTX_MAX 256
+
+struct xt_secmark_target_selinux_info {
+   u_int32_t selsid;
+   char selctx[SECMARK_SELCTX_MAX];
+};
+
+struct xt_secmark_target_info {
+   u_int8_t mode;
+   union {
+   struct xt_secmark_target_selinux_info sel;
+   } u;
+};
+
+#endif /*_XT_SECMARK_H_target */
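Review bot: the header does not say which fields userspace is expected to fill in. `target()` in the next hunk consumes `u.sel.selsid`, while `selctx` is the context string, so presumably the kernel resolves `selctx` to `selsid` at rule-load time and whatever userspace put in `selsid` must be overwritten rather than trusted; document that here, and note that `selctx` must be NUL-terminated within `SECMARK_SELCTX_MAX` bytes because it will be handed to `strlen()`.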
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig 
linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig2006-05-17 
01:03:27.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig2006-05-17 
01:31:26.0 -0400
@@ -174,6 +174,15 @@ config NETFILTER_XT_TARGET_NOTRACK
  If you want to compile it as a module, say M here and read
  .  If unsure, say `N'.
 
+config NETFILTER_XT_TARGET_SECMARK
+   tristate '"SECMARK" target support'
+   depends on NETFILTER_XTABLES && NETWORK_SECMARK
+   help
+ The SECMARK target allows security marking of network
+ packets, for use with security subsystems.
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_COMMENT
tristate  '"comment" match support'
depends on NETFILTER_XTABLES
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile 
linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile   2006-05-17 
01:03:27.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile   2006-05-17 
01:31:26.0 -0400
@@ -28,6 +28,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMAR
 obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/xt_SECMARK.c 
linux-2.6.17-rc4-mm1.w/net/netfilter/xt_SECMARK.c
--- linux-2.6.17-rc4-mm1.p/net/netfilter/xt_SECMARK.c   1969-12-31 
19:00:00.0 -0500
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/xt_SECMARK.c   2006-05-17 
01:31:52.0 -0400
@@ -0,0 +1,156 @@
+/*
+ * Module for modifying the secmark field of the skb, for use by
+ * security subsystems.
+ *
+ * Based on the nfmark match by:
+ * (C) 1999-2001 Marc Boucher <[EMAIL PROTECTED]>
+ *
+ * (C) 2006 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("ip[6]tables SECMARK modification module");
+MODULE_ALIAS("ipt_SECMARK");
+MODULE_ALIAS("ip6t_SECMARK");
+
+#define PFX "SECMARK: "
+
+static u8 mode;
+
+static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
+  const struct net_device *out, unsigned int hooknum,
+  const struct xt_target *target,
+  const void *targinfo, void *userinfo)
+{
+   u32 secmark = 0;
+   const struct xt_secmark_target_info *info = targinfo;
+
+   BUG_ON(info->mode != mode);
+
+   switch (mode) {
+   case SECMARK_MODE_SEL:
+   secmark = info->u.sel.selsid;
+   break;
+   
+   default:
+   BUG();
+   }
+   
+   if ((*pskb)->secmark != secmark)
+   (*pskb)->secmark = secmark;
+   
+   return XT_CONTINUE;
+}
+
+s
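Review bot: `target()` ends with `BUG()` on an unknown `mode` and starts with `BUG_ON(info->mode != mode)`, which would take the machine down from the packet path because of a malformed rule; both conditions belong in the `checkentry` routine (cut off in this copy), where they can reject the rule with an error, and the packet path should then simply return `XT_CONTINUE`. The single module-global `mode` also appears to let the first rule loaded fix the subsystem for every later rule, which deserves a comment. Please also confirm that `checkentry` calls `selinux_relabel_packet_permission()` on the resolved SID, since that is the only place the `relabelto` permission added in patch 01 can be enforced.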

[PATCH 05/07] secmark: Add secmark support to conntrack

2006-05-18 Thread James Morris
This patch adds a secmark field to IP and NF conntracks, so that security 
markings on packets can be copied to their associated connections, and 
also copied back to packets as required.  This is similar to the network 
mark field currently used with conntrack, although it is intended for 
enforcement of security policy rather than network policy.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 include/linux/netfilter_ipv4/ip_conntrack.h  |4 
 include/net/netfilter/nf_conntrack.h |4 
 include/net/netfilter/nf_conntrack_compat.h  |   26 ++
 net/ipv4/netfilter/Kconfig   |   12 
 net/ipv4/netfilter/ip_conntrack_core.c   |3 +++
 net/ipv4/netfilter/ip_conntrack_standalone.c |5 +
 net/netfilter/Kconfig|   12 
 net/netfilter/nf_conntrack_core.c|3 +++
 net/netfilter/nf_conntrack_standalone.c  |5 +
 9 files changed, 74 insertions(+)

diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/include/linux/netfilter_ipv4/ip_conntrack.h 
linux-2.6.17-rc4-mm1.w/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.17-rc4-mm1.p/include/linux/netfilter_ipv4/ip_conntrack.h  
2006-05-16 23:35:11.0 -0400
+++ linux-2.6.17-rc4-mm1.w/include/linux/netfilter_ipv4/ip_conntrack.h  
2006-05-17 01:39:42.0 -0400
@@ -120,6 +120,10 @@ struct ip_conntrack
u_int32_t mark;
 #endif
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+   u_int32_t secmark;
+#endif
+
/* Traversed often, so hopefully in different cacheline to top */
/* These are my tuples; original and reply */
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack_compat.h 
linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack_compat.h
--- linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack_compat.h  
2006-03-20 00:53:29.0 -0500
+++ linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack_compat.h  
2006-05-17 01:39:42.0 -0400
@@ -20,6 +20,19 @@ static inline u_int32_t *nf_ct_get_mark(
 }
 #endif /* CONFIG_IP_NF_CONNTRACK_MARK */
 
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+  u_int32_t *ctinfo)
+{
+   struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
+
+   if (ct)
+   return &ct->secmark;
+   else
+   return NULL;
+}
+#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
+
 #ifdef CONFIG_IP_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
@@ -70,6 +83,19 @@ static inline u_int32_t *nf_ct_get_mark(
 }
 #endif /* CONFIG_NF_CONNTRACK_MARK */
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
+  u_int32_t *ctinfo)
+{
+   struct nf_conn *ct = nf_ct_get(skb, ctinfo);
+
+   if (ct)
+   return &ct->secmark;
+   else
+   return NULL;
+}
+#endif /* CONFIG_NF_CONNTRACK_MARK */
+
 #ifdef CONFIG_NF_CT_ACCT
 static inline struct ip_conntrack_counter *
 nf_ct_get_counters(const struct sk_buff *skb)
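Review bot: the closing comment on the second block reads `#endif /* CONFIG_NF_CONNTRACK_MARK */` but the block was opened with `#ifdef CONFIG_NF_CONNTRACK_SECMARK`; fix the copy-paste so it matches the `CONFIG_IP_NF_CONNTRACK_SECMARK` block above.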
diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack.h 
linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack.h
--- linux-2.6.17-rc4-mm1.p/include/net/netfilter/nf_conntrack.h 2006-05-16 
23:35:11.0 -0400
+++ linux-2.6.17-rc4-mm1.w/include/net/netfilter/nf_conntrack.h 2006-05-17 
01:39:42.0 -0400
@@ -113,6 +113,10 @@ struct nf_conn
u_int32_t mark;
 #endif
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+   u_int32_t secmark;
+#endif
+
/* Storage reserved for other modules: */
union nf_conntrack_proto proto;
 
diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_core.c 
linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_core.c   
2006-05-16 23:34:59.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_core.c   
2006-05-17 01:39:42.0 -0400
@@ -724,6 +724,9 @@ init_conntrack(struct ip_conntrack_tuple
/* this is ugly, but there is no other place where to put it */
conntrack->nat.masq_index = exp->master->nat.masq_index;
 #endif
+#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
+   conntrack->secmark = exp->master->secmark;
+#endif
nf_conntrack_get(&conntrack->master->ct_general);
CONNTRACK_STAT_INC(expect_new);
} else {
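Review bot: copying `exp->master->secmark` into an expected connection means related flows (an FTP data connection, for instance) inherit the control connection's label, and the CONNSECMARK restore mode will then apply it to their packets. That is a sensible default but it is a policy decision, so state it in the description and in the CONNSECMARK help text; an admin may otherwise expect related connections to start unlabelled.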
diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_standalone.c 
linux-2.6.17-rc4-mm1.w/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.17-rc4-mm1.p/net/ipv4/netfilter/ip_conntrack_standalone.c 
2006-05-16 23:34:59.0 -0400
+++

[PATCH 06/07] secmark: Add CONNSECMARK xtables target

2006-05-18 Thread James Morris
This patch adds a new xtables target, CONNSECMARK, which is used to 
specify rules for copying security marks from packets to connections, and 
for copying security marks back from connections to packets.  This is 
similar to the CONNMARK target, but is more limited in scope in that it 
only allows copying of security marks to and from packets, as this is all 
it needs to do.

A typical scenario would be to apply a security mark to a 'new' packet 
with SECMARK, then copy that to its conntrack via CONNMARK, and then 
restore the security mark from the connection to established and related 
packets on that connection.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 include/linux/netfilter/xt_CONNSECMARK.h |   13 ++
 net/netfilter/Kconfig|   11 ++
 net/netfilter/Makefile   |1 
 net/netfilter/xt_CONNSECMARK.c   |  155 +++
 4 files changed, 180 insertions(+)


diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_CONNSECMARK.h 
linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_CONNSECMARK.h
--- linux-2.6.17-rc4-mm1.p/include/linux/netfilter/xt_CONNSECMARK.h 
1969-12-31 19:00:00.0 -0500
+++ linux-2.6.17-rc4-mm1.w/include/linux/netfilter/xt_CONNSECMARK.h 
2006-05-17 19:54:52.0 -0400
@@ -0,0 +1,13 @@
+#ifndef _XT_CONNSECMARK_H_target
+#define _XT_CONNSECMARK_H_target
+
+enum {
+   CONNSECMARK_SAVE = 1,
+   CONNSECMARK_RESTORE,
+};
+
+struct xt_connsecmark_target_info {
+   u_int8_t mode;
+};
+
+#endif /*_XT_CONNSECMARK_H_target */
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig 
linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Kconfig2006-05-17 
19:54:43.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Kconfig2006-05-17 
19:54:52.0 -0400
@@ -195,6 +195,17 @@ config NETFILTER_XT_TARGET_SECMARK
 
  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_TARGET_CONNSECMARK
+   tristate '"CONNSECMARK" target support'
+   depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || 
IP_NF_CONNTRACK_SECMARK)
+   help
+ The CONNSECMARK target copies security markings from packets
+ to connections, and restores security markings from connections
+ to packets (if the packets are not already marked).  This would
+ normally be used in conjunction with the SECMARK target.
+
+ To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_COMMENT
tristate  '"comment" match support'
depends on NETFILTER_XTABLES
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile 
linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile
--- linux-2.6.17-rc4-mm1.p/net/netfilter/Makefile   2006-05-17 
19:53:39.0 -0400
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/Makefile   2006-05-17 
19:54:52.0 -0400
@@ -29,6 +29,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) +
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/net/netfilter/xt_CONNSECMARK.c 
linux-2.6.17-rc4-mm1.w/net/netfilter/xt_CONNSECMARK.c
--- linux-2.6.17-rc4-mm1.p/net/netfilter/xt_CONNSECMARK.c   1969-12-31 
19:00:00.0 -0500
+++ linux-2.6.17-rc4-mm1.w/net/netfilter/xt_CONNSECMARK.c   2006-05-17 
19:55:25.0 -0400
@@ -0,0 +1,155 @@
+/*
+ * This module is used to copy security markings from packets
+ * to connections, and restore security markings from connections
+ * back to packets.  This would normally be performed in conjunction
+ * with the SECMARK target and state match.
+ *
+ * Based somewhat on CONNMARK: 
+ *   Copyright (C) 2002,2004 MARA Systems AB 
+ *by Henrik Nordstrom <[EMAIL PROTECTED]>
+ * 
+ * (C) 2006 Red Hat, Inc., James Morris <[EMAIL PROTECTED]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define PFX "CONNSECMARK: "
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <[EMAIL PROTECTED]>");
+MODULE_DESCRIPTION("ip[6]tables CONNSECMARK module");
+MODULE_ALIAS("ipt_CONNSECMARK");
+MODULE_ALIAS("ip6t_CONNSECMARK");
+
+/*
+ * If the packet has a security mark and the connection does not, copy
+ * the security mark from the packet to the connection.
+ */
+static void secmark_save(struct sk_buff *skb)
+{
+   if (skb->secmark) {
+   u32 *connsecmark;
+   enum ip_conntrack_info ctinfo;
+   
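Review bot: the `#include` lines at the top of this hunk have lost their header names in this copy, and the hunk stops inside secmark_save() right after `enum ip_conntrack_info ctinfo;`, so the conntrack lookup, the "connection not already marked" test and the write to `*connsecmark` cannot be reviewed here. The comment above secmark_save() promises that the copy only happens when the connection has no mark, so the store must be guarded on `*connsecmark == 0` rather than overwrite unconditionally; please post the full file.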

[PATCH 07/07] secmark: Add new packet controls to SELinux

2006-05-18 Thread James Morris
This patch adds new per-packet access controls to SELinux, replacing the 
old packet controls.

Packets are labeled with the iptables SECMARK and CONNSECMARK targets, 
then security policy for the packets is enforced with these controls.

To allow for a smooth transition to the new controls, the old code is 
still present, but not active by default.  To restore previous behavior, 
the old controls may be activated at runtime by writing a '1' to 
/selinux/compat_net, and also via the kernel boot parameter 
selinux_compat_net.  Switching between the network control models requires 
the security load_policy permission.  The old controls will probably 
eventually be removed and any continued use is discouraged.

Please apply.

Signed-off-by: James Morris <[EMAIL PROTECTED]>

---

 Documentation/kernel-parameters.txt |9 +
 security/selinux/Kconfig|2 
 security/selinux/hooks.c|  241 +++-
 security/selinux/include/xfrm.h |2 
 security/selinux/selinuxfs.c|   59 
 security/selinux/xfrm.c |   12 -
 6 files changed, 205 insertions(+), 120 deletions(-)


diff -purN -X dontdiff 
linux-2.6.17-rc4-mm1.p/Documentation/kernel-parameters.txt 
linux-2.6.17-rc4-mm1.w/Documentation/kernel-parameters.txt
--- linux-2.6.17-rc4-mm1.p/Documentation/kernel-parameters.txt  2006-05-18 
03:07:47.0 -0400
+++ linux-2.6.17-rc4-mm1.w/Documentation/kernel-parameters.txt  2006-05-17 
23:45:13.0 -0400
@@ -1414,6 +1414,15 @@ running once the system is up.
If enabled at boot time, /selinux/disable can be used
later to disable prior to initial policy load.
 
+   selinux_compat_net =
+   [SELINUX] Set initial selinux_compat_net flag value.
+Format: { "0" | "1" }
+0 -- use new secmark-based packet controls
+1 -- use legacy packet controls
+Default value is 0 (preferred).
+Value can be changed at runtime via
+/selinux/compat_net.
+   

 
serialnumber[BUGS=IA-32]
 
sg_def_reserved_size=   [SCSI]
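Review bot: the new entry should say that changing /selinux/compat_net at runtime requires the security load_policy permission, as the changelog states, otherwise readers will assume any root process can flip the network control model. It also lists the parameter as `selinux_compat_net =` with a space before `=`, unlike the neighbouring `sg_def_reserved_size=` entry; use `selinux_compat_net=`.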
diff -purN -X dontdiff linux-2.6.17-rc4-mm1.p/security/selinux/hooks.c 
linux-2.6.17-rc4-mm1.w/security/selinux/hooks.c
--- linux-2.6.17-rc4-mm1.p/security/selinux/hooks.c 2006-05-18 
03:07:47.0 -0400
+++ linux-2.6.17-rc4-mm1.w/security/selinux/hooks.c 2006-05-17 
21:01:07.0 -0400
@@ -80,6 +80,7 @@
 
 extern unsigned int policydb_loaded_version;
 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
+extern int selinux_compat_net;
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 int selinux_enforcing = 0;
@@ -3216,47 +3217,16 @@ static int selinux_socket_unix_may_send(
return 0;
 }
 
-static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 
struct avc_audit_data *ad,
+  u32 sock_sid, u16 sock_class, u16 
family, char *addrp, int len)
 {
-   u16 family;
-   char *addrp;
-   int len, err = 0;
+   int err = 0;
u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
-   u32 sock_sid = 0;
-   u16 sock_class = 0;
-   struct socket *sock;
-   struct net_device *dev;
-   struct avc_audit_data ad;
 
-   family = sk->sk_family;
-   if (family != PF_INET && family != PF_INET6)
+   if (!skb->dev)
goto out;
 
-   /* Handle mapped IPv4 packets arriving via IPv6 sockets */
-   if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
-   family = PF_INET;
-
-   read_lock_bh(&sk->sk_callback_lock);
-   sock = sk->sk_socket;
-   if (sock) {
-   struct inode *inode;
-   inode = SOCK_INODE(sock);
-   if (inode) {
-   struct inode_security_struct *isec;
-   isec = inode->i_security;
-   sock_sid = isec->sid;
-   sock_class = isec->sclass;
-   }
-   }
-   read_unlock_bh(&sk->sk_callback_lock);
-   if (!sock_sid)
-   goto out;
-
-   dev = skb->dev;
-   if (!dev)
-   goto out;
-
-   err = sel_netif_sids(dev, &if_sid, NULL);
+   err = sel_netif_sids(skb->dev, &if_sid, NULL);
if (err)
goto out;
 
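Review bot: this hunk removes the PF_INET/PF_INET6 family check, the mapped-IPv4-over-IPv6 fixup and the sk_callback_lock'd sock_sid/sock_class lookup from the receive path and instead takes `sock_sid`, `sock_class`, `family`, `addrp` and `len` as parameters of selinux_sock_rcv_skb_compat(); the caller that now computes them is not in this excerpt, so confirm it still skips non-INET families and returns early when `sock_sid` is 0, otherwise the compat path would run AVC checks against a zero SID. Note also that `if (!skb->dev) goto out;` still returns `err = 0`, i.e. a packet without a device is permitted, which matches the removed `dev = skb->dev; if (!dev) goto out;` behaviour.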
@@ -3279,44 +3249,88 @@ static int selinux_socket_sock_rcv_skb(s
break;
}
 
-   AVC_AUDIT_DATA_INIT(&ad, NET);
-   ad.u.net.netif = dev->name;
-   ad.u.net.family = family;
-
-   err = selinux_parse_skb(skb, &ad, &addrp, &
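Review bot: this hunk is cut off at `selinux_parse_skb(skb, &ad, &addrp, &`, so the secmark-based receive path that replaces the removed AVC_AUDIT_DATA_INIT()/selinux_parse_skb() block cannot be reviewed from this copy; the audit data (`netif`, `family`) that the removed lines filled in must still be populated before any avc_has_perm() call in the new code.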

[PATCH] Fix "ntohl(ntohs" bugs

2006-05-18 Thread Alexey Dobriyan
Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
---

 net/ipv4/ipcomp.c   |2 +-
 net/ipv4/xfrm4_policy.c |2 +-
 net/ipv6/ipcomp6.c  |2 +-
 net/xfrm/xfrm_input.c   |2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv4/ipcomp.c
+++ 1/net/ipv4/ipcomp.c
@@ -210,7 +210,7 @@ static void ipcomp4_err(struct sk_buff *
skb->h.icmph->code != ICMP_FRAG_NEEDED)
return;
 
-   spi = ntohl(ntohs(ipch->cpi));
+   spi = htonl(ntohs(ipch->cpi));
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr,
  spi, IPPROTO_COMP, AF_INET);
if (!x)
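Review bot: `htonl(ntohs(x))` and `ntohl(ntohs(x))` perform the identical operation on both endiannesses (ntohl and htonl are the same byte swap), so this is a type-annotation fix for sparse rather than a behaviour change; say so in the changelog, which is empty apart from the Signed-off-by. Also the `+++ 1/net/ipv4/ipcomp.c` header should read `b/net/ipv4/ipcomp.c`; `patch -p1` strips one component either way, but the odd prefix appears in every file of this series.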
--- a/net/ipv4/xfrm4_policy.c
+++ 1/net/ipv4/xfrm4_policy.c
@@ -221,7 +221,7 @@ _decode_session4(struct sk_buff *skb, st
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
u16 *ipcomp_hdr = (u16 *)xprth;
 
-   fl->fl_ipsec_spi = ntohl(ntohs(ipcomp_hdr[1]));
+   fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
}
break;
default:
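Review bot: `u16 *ipcomp_hdr` is still a host-order type, so wrapping the read in `htonl(ntohs(ipcomp_hdr[1]))` does not make sparse happy about `ipcomp_hdr[1]` itself; declare the pointer as `__be16 *` as well, which is what the follow-up patch later in this thread does.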
--- a/net/ipv6/ipcomp6.c
+++ 1/net/ipv6/ipcomp6.c
@@ -208,7 +208,7 @@ static void ipcomp6_err(struct sk_buff *
if (type != ICMPV6_DEST_UNREACH && type != ICMPV6_PKT_TOOBIG)
return;
 
-   spi = ntohl(ntohs(ipcomph->cpi));
+   spi = htonl(ntohs(ipcomph->cpi));
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, 
AF_INET6);
if (!x)
return;
--- a/net/xfrm/xfrm_input.c
+++ 1/net/xfrm/xfrm_input.c
@@ -62,7 +62,7 @@ int xfrm_parse_spi(struct sk_buff *skb, 
case IPPROTO_COMP:
if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr)))
return -EINVAL;
-   *spi = ntohl(ntohs(*(u16*)(skb->h.raw + 2)));
+   *spi = htonl(ntohs(*(u16*)(skb->h.raw + 2)));
*seq = 0;
return 0;
default:

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Netchannel subsystem update.

2006-05-18 Thread Evgeniy Polyakov
This update brings new features to the following supported components:
* unified cache to store netchannels (IPv4 and stub for IPv6 hashes, TCP and UDP)
* skb queueing mechanism
* netchannel creation/removing/reading commands
* netchannel's callback to allocate/free pages (for
  example to get data from mapped area) not only from SLAB cache
* netchannel's callback to move/copy data to userspace

Added:
* memory limits (soft limits, since update is not protected).
* blocking reading.
* two types of data reading backends (copy_to_user(), copy to (could be
  mapped) area).

Patch against previous release is attached.
Userspace application, design and implementation notes, full patchsets
can be found at project homepage [1].

1. Network channel homepage.
http://tservice.net.ru/~s0mbre/old/?section=projects&item=netchannel


I would like to raise a question about how netchannel objects should be
handled by the system in general, i.e. should netchannels be associated with
a process or should they live by themselves, i.e. like routes?
My implementation allows netchannels to be set up permanently, so a process
can exit and then a new one can bind to the existing netchannel and read its
data, but it requires some tricks to create a mapping of its pages into the
process' context...
Also if a netchannel is created, but no process is associated with it, who
will process the protocol state machine?

Signed-off-by: Evgeniy Polyakov <[EMAIL PROTECTED]>

diff --git a/include/linux/netchannel.h b/include/linux/netchannel.h
index e87a148..7ab2fa0 100644
--- a/include/linux/netchannel.h
+++ b/include/linux/netchannel.h
@@ -32,13 +32,20 @@ enum netchannel_commands {
NETCHANNEL_DUMP,
 };
 
+enum netchannel_type {
+   NETCHANNEL_COPY_USER = 0,
+   NETCHANNEL_MMAP,
+   NETCHANEL_VM_HACK,
+};
+
 struct unetchannel
 {
__u32   src, dst;   /* source/destination 
hashes */
__u16   sport, dport;   /* source/destination 
ports */
__u8proto;  /* IP protocol number */
-   __u8listen;
-   __u8reserved[2];
+   __u8type;   /* Netchannel type */
+   __u8memory_limit_order; /* Memor limit order */
+   __u8reserved;
 };
 
 struct unetchannel_control
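Review bot: `NETCHANEL_VM_HACK` is missing an N (NETCHANNEL_VM_HACK), and the comment `/* Memor limit order */` should read `Memory`. Since struct unetchannel is copied from userspace, replacing `listen` + `reserved[2]` with `type`, `memory_limit_order` and `reserved` keeps the 16-byte layout but silently changes the meaning of the byte that older userspace filled in as `listen`; state that ABI change explicitly in the changelog.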
@@ -46,6 +53,8 @@ struct unetchannel_control
struct unetchannel  unc;
__u32   cmd;
__u32   len;
+   __u32   flags;
+   __u32   timeout;
 };
 
 #ifdef __KERNEL__
@@ -60,9 +69,14 @@ struct netchannel
 
struct page *   (*nc_alloc_page)(unsigned int size);
void(*nc_free_page)(struct page *page);
-   int (*nc_read_data)(struct netchannel *, unsigned 
int *len, void __user *arg);
+   int (*nc_read_data)(struct netchannel *, unsigned 
int *timeout, unsigned int *len, void *arg);
+
+   struct sk_buff_head recv_queue;
+   wait_queue_head_t   wait;
+
+   unsigned intqlen;
 
-   struct sk_buff_head list;
+   void*priv;
 };
 
 struct netchannel_cache_head
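Review bot: the nc_read_data callback loses its `void __user *arg` annotation and becomes `void *arg`, which hides the user/kernel pointer distinction from sparse on the copy_to_user() backend; if the mmap backend needs a kernel pointer, keep the two apart (a union or a second callback) rather than dropping the annotation. The new `recv_queue`/`qlen` pair replaces the old `list` member, so every user of `list` must be converted in the same patch; the netchannel.c hunks below are truncated, so that cannot be confirmed here.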
@@ -71,5 +85,15 @@ struct netchannel_cache_head
struct mutexmutex;
 };
 
+#define NETCHANNEL_MAX_ORDER   32
+#define NETCHANNEL_MIN_ORDER   PAGE_SHIFT
+
+struct netchannel_mmap
+{
+   struct page **page;
+   unsigned intpnum;
+   unsigned intpoff;
+};
+
 #endif /* __KERNEL__ */
 #endif /* __NETCHANNEL_H */
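Review bot: NETCHANNEL_MAX_ORDER is 32 while `memory_limit_order` is a __u8 and `qlen` is an unsigned int; if the order is turned into a byte budget with `1U << order`, order 32 is undefined for 32-bit arithmetic, so either cap the maximum at 31 or compute the limit in an unsigned long and document the unit (pages or bytes) next to NETCHANNEL_MIN_ORDER (PAGE_SHIFT).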
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index accd00b..ba82aa2 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -301,7 +301,6 @@ struct sk_buff {
  * Handling routines are only of interest to the kernel
  */
 #include 
-#include 
 
 #include 
 
@@ -316,10 +315,11 @@ static inline struct sk_buff *alloc_skb(
 }
 
 #ifdef CONFIG_NETCHANNEL
+struct unetchannel;
 extern struct sk_buff *netchannel_alloc(struct unetchannel *unc, unsigned int 
header_size, 
unsigned int total_size, gfp_t gfp_mask);
 #else
-static struct sk_buff *netchannel_alloc(struct unetchannel *unc, unsigned int 
header_size, 
+static struct sk_buff *netchannel_alloc(void *unc, unsigned int header_size, 
unsigned int total_size, gfp_t gfp_mask)
 {
return NULL;
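Review bot: the !CONFIG_NETCHANNEL stub is `static` rather than `static inline`, so every translation unit that includes skbuff.h without calling netchannel_alloc() gets a "defined but not used" warning; make it `static inline`. The forward declaration `struct unetchannel;` added above already makes `struct unetchannel *unc` legal in a prototype, so the stub does not need to diverge to `void *unc`; keeping both signatures identical avoids a silent type mismatch between the two configurations.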
diff --git a/net/core/netchannel.c b/net/core/netchannel.c
index 169a764..96e5e5b 100644
--- a/net/core/netchannel.c
+++ b/net/core/netchannel.c
@@ -27,6 +27,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 #include 
 #include 
@@ -127,6 +129,7 @@ static void netchannel_free_rcu(struct r
 {
struct netchannel *nc = container_of(rcu, struct netchannel, rcu_head);
 
+   netchannel_cleanup(nc);
kmem_cache_free(netchannel_cache
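Review bot: netchannel_cleanup() is invoked from netchannel_free_rcu(), the RCU callback, which runs in softirq context; it must therefore not sleep and must not take the `mutex` declared in struct netchannel_cache_head. This hunk is cut off before netchannel_cleanup() itself, so that cannot be checked from this copy; if the cleanup has to release the mmap page array, defer it to process context with a work item.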

Re: [PATCH] Gianfar SKB Recycling Support

2006-05-18 Thread Andi Kleen
>
> With grant of the description, it looks negative in the memory management,
> but actually, the amount of memory usage in the driver layer is less than
> the ordinary gianfar (around half), especially when NAPI is enabled. This
> recycling is introduced in order to chop down the critical path memory
> usage.

Explain? 

> Forwarding performance goes up 60 to 100% better, and amount of memory
> usage is half.

And what happens when the box doesn't route and isn't under full network
load? 

-Andi


[IPSEC]: Optimise be16/be32 conversions

2006-05-18 Thread Herbert Xu
On Thu, May 18, 2006 at 09:37:33AM +, Alexey Dobriyan wrote:
> 
> --- a/net/ipv4/ipcomp.c
> +++ 1/net/ipv4/ipcomp.c
> @@ -210,7 +210,7 @@ static void ipcomp4_err(struct sk_buff *
>   skb->h.icmph->code != ICMP_FRAG_NEEDED)
>   return;
>  
> - spi = ntohl(ntohs(ipch->cpi));
> + spi = htonl(ntohs(ipch->cpi));

Unfortunately the gcc on i386 generates horrible code for that construct.
So let's bite the bullet and optimise it ourselves.

[IPSEC]: Optimise be16/be32 conversions

Up until now we've used constructs such as ntohl(ntohs(x)) to convert
between be16 and be32 quantities, in particular, the CPI for IPComp.
The compiler dutifully generates code on i386 to perform both operations
rather than optimising them away.

So it's worthwhile to add new primitives to handle these operations
specifically.  The following patch adds be16_to_be32 and be32_to_be16
and uses them for IPComp.

This patch was prompted by a sparse clean-up patch from Alexey Dobriyan.

Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
diff --git a/include/linux/byteorder/big_endian.h 
b/include/linux/byteorder/big_endian.h
index bef8789..7ea1042 100644
--- a/include/linux/byteorder/big_endian.h
+++ b/include/linux/byteorder/big_endian.h
@@ -101,6 +101,9 @@
 #define __cpu_to_be16s(x) do {} while (0)
 #define __be16_to_cpus(x) do {} while (0)
 
+#define __be32_to_be16(x) ((__force __be16)(__be32)x)
+#define __be16_to_be32(x) ((__force __be32)(__be16)x)
+
 #include 
 
 #endif /* _LINUX_BYTEORDER_BIG_ENDIAN_H */
diff --git a/include/linux/byteorder/generic.h 
b/include/linux/byteorder/generic.h
index e86e4a9..0bafb90 100644
--- a/include/linux/byteorder/generic.h
+++ b/include/linux/byteorder/generic.h
@@ -124,6 +124,8 @@
 #define be32_to_cpus __be32_to_cpus
 #define cpu_to_be16s __cpu_to_be16s
 #define be16_to_cpus __be16_to_cpus
+#define be32_to_be16 __be32_to_be16
+#define be16_to_be32 __be16_to_be32
 #endif
 
 
diff --git a/include/linux/byteorder/little_endian.h 
b/include/linux/byteorder/little_endian.h
index 86e62b7..ab6abcd 100644
--- a/include/linux/byteorder/little_endian.h
+++ b/include/linux/byteorder/little_endian.h
@@ -101,6 +101,9 @@
 #define __cpu_to_be16s(x) __swab16s((x))
 #define __be16_to_cpus(x) __swab16s((x))
 
+#define __be32_to_be16(x) ((__force __be16)((__force __u32)(__be32)x >> 16))
+#define __be16_to_be32(x) ((__force __be32)((__force __u32)(__be16)x << 16))
+
 #include 
 
 #endif /* _LINUX_BYTEORDER_LITTLE_ENDIAN_H */
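Review bot: `x` is not parenthesised in either macro. `(__force __u32)(__be16)x >> 16` happens to work for arguments like `p[1]` or `*p` because postfix and unary operators bind tighter than the cast, but any argument containing a binary operator (`a + b`, `c ? a : b`) expands wrongly. Write `(__be16)(x)` and `(__be32)(x)`; the same applies to the two big_endian.h definitions above.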
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index cd810f4..db04339 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -188,7 +188,7 @@
ipch = (struct ip_comp_hdr *)((char *)iph + iph->ihl * 4);
ipch->nexthdr = iph->protocol;
ipch->flags = 0;
-   ipch->cpi = htons((u16 )ntohl(x->id.spi));
+   ipch->cpi = be32_to_be16(x->id.spi);
iph->protocol = IPPROTO_COMP;
ip_send_check(iph);
return 0;
@@ -210,7 +210,7 @@
skb->h.icmph->code != ICMP_FRAG_NEEDED)
return;
 
-   spi = ntohl(ntohs(ipch->cpi));
+   spi = be16_to_be32(ipch->cpi);
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr,
  spi, IPPROTO_COMP, AF_INET);
if (!x)
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index f285bbf..30b671c 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -219,9 +219,9 @@
 
case IPPROTO_COMP:
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
-   u16 *ipcomp_hdr = (u16 *)xprth;
+   __be16 *ipcomp_hdr = (__be16 *)xprth;
 
-   fl->fl_ipsec_spi = ntohl(ntohs(ipcomp_hdr[1]));
+   fl->fl_ipsec_spi = be16_to_be32(ipcomp_hdr[1]);
}
break;
default:
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 05eb67d..6ed793e 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -190,7 +190,7 @@
ipch = (struct ipv6_comp_hdr *)start;
ipch->nexthdr = *skb->nh.raw;
ipch->flags = 0;
-   ipch->cpi = htons((u16 )ntohl(x->id.spi));
+   ipch->cpi = be32_to_be16(x->id.spi);
*skb->nh.raw = IPPROTO_COMP;
 
 out_ok:
@@ -208,7 +208,7 @@
if (type != ICMPV6_DEST_UNREACH && type != ICMPV6_PKT_TOOBIG)
return;
 
-   spi = ntohl(ntohs(ipcomph->cpi));
+   spi = be16_to_be32(ipcomph->cpi);
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, 
AF_INET6);
if (!x)
return;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index b549710..65f208d 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_inpu

Re: [IPSEC]: Optimise be16/be32 conversions

2006-05-18 Thread Herbert Xu
On Thu, May 18, 2006 at 02:39:08PM +0200, Lennert Buytenhek wrote:
> On Thu, May 18, 2006 at 10:36:32PM +1000, Herbert Xu wrote:
> 
> > +#define __be32_to_be16(x) ((__force __be16)(__be32)x)
> > +#define __be16_to_be32(x) ((__force __be32)(__be16)x)
> > [...]
> > +#define __be32_to_be16(x) ((__force __be16)((__force __u32)(__be32)x >> 
> > 16))
> > +#define __be16_to_be32(x) ((__force __be32)((__force __u32)(__be16)x << 
> > 16))
> 
> Sure that that's safe without the parens?

Good point.  Here is a fixed version.

[IPSEC]: Optimise be16/be32 conversions

Up until now we've used constructs such as ntohl(ntohs(x)) to convert
between be16 and be32 quantities, in particular, the CPI for IPComp.
The compiler dutifully generates code on i386 to perform both operations
rather than optimising them away.

So it's worthwhile to add new primitives to handle these operations
specifically.  The following patch adds be16_to_be32 and be32_to_be16
and uses them for IPComp.

This patch was prompted by a sparse clean-up patch from Alexey Dobriyan
and incorporates parentheses from Lennert Buytenhek :)

Signed-off-by: Herbert Xu <[EMAIL PROTECTED]>

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
diff --git a/include/linux/byteorder/big_endian.h 
b/include/linux/byteorder/big_endian.h
index bef8789..9b0279a 100644
--- a/include/linux/byteorder/big_endian.h
+++ b/include/linux/byteorder/big_endian.h
@@ -101,6 +101,9 @@
 #define __cpu_to_be16s(x) do {} while (0)
 #define __be16_to_cpus(x) do {} while (0)
 
+#define __be32_to_be16(x) ((__force __be16)(__be32)(x))
+#define __be16_to_be32(x) ((__force __be32)(__be16)(x))
+
 #include 
 
 #endif /* _LINUX_BYTEORDER_BIG_ENDIAN_H */
diff --git a/include/linux/byteorder/generic.h 
b/include/linux/byteorder/generic.h
index e86e4a9..0bafb90 100644
--- a/include/linux/byteorder/generic.h
+++ b/include/linux/byteorder/generic.h
@@ -124,6 +124,8 @@
 #define be32_to_cpus __be32_to_cpus
 #define cpu_to_be16s __cpu_to_be16s
 #define be16_to_cpus __be16_to_cpus
+#define be32_to_be16 __be32_to_be16
+#define be16_to_be32 __be16_to_be32
 #endif
 
 
diff --git a/include/linux/byteorder/little_endian.h 
b/include/linux/byteorder/little_endian.h
index 86e62b7..0633776 100644
--- a/include/linux/byteorder/little_endian.h
+++ b/include/linux/byteorder/little_endian.h
@@ -101,6 +101,9 @@
 #define __cpu_to_be16s(x) __swab16s((x))
 #define __be16_to_cpus(x) __swab16s((x))
 
+#define __be32_to_be16(x) ((__force __be16)((__force __u32)(__be32)(x) >> 16))
+#define __be16_to_be32(x) ((__force __be32)((__force __u32)(__be16)(x) << 16))
+
 #include 
 
 #endif /* _LINUX_BYTEORDER_LITTLE_ENDIAN_H */
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index cd810f4..db04339 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -188,7 +188,7 @@
ipch = (struct ip_comp_hdr *)((char *)iph + iph->ihl * 4);
ipch->nexthdr = iph->protocol;
ipch->flags = 0;
-   ipch->cpi = htons((u16 )ntohl(x->id.spi));
+   ipch->cpi = be32_to_be16(x->id.spi);
iph->protocol = IPPROTO_COMP;
ip_send_check(iph);
return 0;
@@ -210,7 +210,7 @@
skb->h.icmph->code != ICMP_FRAG_NEEDED)
return;
 
-   spi = ntohl(ntohs(ipch->cpi));
+   spi = be16_to_be32(ipch->cpi);
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr,
  spi, IPPROTO_COMP, AF_INET);
if (!x)
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index f285bbf..30b671c 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -219,9 +219,9 @@
 
case IPPROTO_COMP:
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
-   u16 *ipcomp_hdr = (u16 *)xprth;
+   __be16 *ipcomp_hdr = (__be16 *)xprth;
 
-   fl->fl_ipsec_spi = ntohl(ntohs(ipcomp_hdr[1]));
+   fl->fl_ipsec_spi = be16_to_be32(ipcomp_hdr[1]);
}
break;
default:
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 05eb67d..6ed793e 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -190,7 +190,7 @@
ipch = (struct ipv6_comp_hdr *)start;
ipch->nexthdr = *skb->nh.raw;
ipch->flags = 0;
-   ipch->cpi = htons((u16 )ntohl(x->id.spi));
+   ipch->cpi = be32_to_be16(x->id.spi);
*skb->nh.raw = IPPROTO_COMP;
 
 out_ok:
@@ -208,7 +208,7 @@
if (type != ICMPV6_DEST_UNREACH && type != ICMPV6_PKT_TOOBIG)
return;
 
-   spi = ntohl(ntohs(ipcomph->cpi));
+   spi = be16_to_be32(ipcomph->cpi);
x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, 
AF_INET6);
if (!x)
return;
diff --git a/net/xfrm/xfrm
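The conversion discussed in the two messages above, modelled in user-space C as an added example (this is not code from the kernel patch or from Herbert Xu): the `ntohl(ntohs(x))` construct the patch replaces sits next to a portable version of the `be16_to_be32`/`be32_to_be16` macros, a constructed IPComp header is parsed the way `xfrm_parse_spi()` reads the CPI, and the unparenthesised macro argument that Lennert Buytenhek asked about is expanded with a conditional to show what goes wrong. The `be16`/`be32` typedefs stand in for the kernel's `__be16`/`__be32` (there are no sparse annotations here), and every function name below is this example's own.

```c
/*
 * Added example, not part of the kernel patches above: a user-space model
 * of the be16 <-> be32 helpers introduced for the IPComp CPI, next to the
 * htonl(ntohs(x)) construct they replace, plus a check of the macro
 * parenthesisation raised in the thread.  be16/be32 stand in for the
 * kernel's __be16/__be32; every function name is this example's own.
 */
#include <arpa/inet.h>   /* htons, ntohs, htonl, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t be16;   /* 16-bit quantity held in network byte order */
typedef uint32_t be32;   /* 32-bit quantity held in network byte order */

#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
/* Little-endian host: the wire bytes of a be16 occupy the low half of the
 * host word and must become the high half of the be32 (patched form, with
 * the argument parenthesised). */
#define be32_to_be16(x) ((be16)((uint32_t)(be32)(x) >> 16))
#define be16_to_be32(x) ((be32)((uint32_t)(be16)(x) << 16))
#else
/* Big-endian host: the be16 is simply the low 16 bits of the be32. */
#define be32_to_be16(x) ((be16)(be32)(x))
#define be16_to_be32(x) ((be32)(be16)(x))
#endif

/* Pre-patch form: two byte swaps, which gcc on i386 really emits. */
static be32 cpi_to_spi_ref(be16 cpi) { return htonl(ntohs(cpi)); }
static be16 spi_to_cpi_ref(be32 spi) { return htons((uint16_t)ntohl(spi)); }

/* Patched form: one shift (little endian) or a plain cast (big endian). */
static be32 cpi_to_spi(be16 cpi) { return be16_to_be32(cpi); }
static be16 spi_to_cpi(be32 spi) { return be32_to_be16(spi); }

/* Pull the CPI out of a 4-byte IPComp header (next header, flags, CPI)
 * and return the SPI in host order, as xfrm_parse_spi() does for
 * IPPROTO_COMP; memcpy keeps the wire read alignment-safe. */
static uint32_t ipcomp_spi_host(const unsigned char hdr[4])
{
    be16 cpi;
    memcpy(&cpi, hdr + 2, sizeof cpi);
    return ntohl(cpi_to_spi(cpi));
}

/* Constructed IPComp header: next header 6 (TCP), flags 0, CPI 0x1234. */
static uint32_t sample_ipcomp_spi(void)
{
    static const unsigned char hdr[4] = { 6, 0, 0x12, 0x34 };
    return ipcomp_spi_host(hdr);
}

/* Macro hygiene.  The first posting wrote `x` without parentheses; the
 * little-endian expansion with a conditional as argument then parses as
 * `((uint32_t)(be16)cond) ? a : (b << 16)`: the cast binds to `cond`, the
 * shift to `b`, and the selected value is never shifted.  This is plain
 * integer arithmetic, so the result is the same on either endianness. */
#define be16_to_be32_noparen_le(x) ((uint32_t)(be16)x << 16)
#define be16_to_be32_paren_le(x)   ((uint32_t)(be16)(x) << 16)

static uint32_t demo_noparen(int cond)
{
    return be16_to_be32_noparen_le(cond ? 0x1234 : 0x5678);
}

static uint32_t demo_paren(int cond)
{
    return be16_to_be32_paren_le(cond ? 0x1234 : 0x5678);
}

int main(void)
{
    be16 cpi = htons(0x1234);

    printf("cpi 0x%04x -> spi 0x%08x (reference 0x%08x)\n",
           ntohs(cpi), ntohl(cpi_to_spi(cpi)), ntohl(cpi_to_spi_ref(cpi)));
    printf("round trip %s\n",
           spi_to_cpi(cpi_to_spi(cpi)) == spi_to_cpi_ref(cpi_to_spi_ref(cpi))
           ? "matches" : "MISMATCH");
    printf("header CPI -> host SPI 0x%08x\n", sample_ipcomp_spi());
    printf("no parens: 0x%08x, with parens: 0x%08x\n",
           demo_noparen(1), demo_paren(1));
    return 0;
}
```

Both forms yield the same bytes, which is why the kernel change is an optimisation and not a fix; what the last two lines of output show is that the unparenthesised macro returns 0x1234 where 0x12340000 was meant, the case the follow-up patch closes with `(x)`.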

[PATCH] gre_in_range: 16/32 bit fix

2006-05-18 Thread Alexey Dobriyan
GRE keys are 16 bit.

Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
---

 net/ipv4/netfilter/ip_nat_proto_gre.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/ipv4/netfilter/ip_nat_proto_gre.c
+++ 1/net/ipv4/netfilter/ip_nat_proto_gre.c
@@ -49,15 +49,15 @@ gre_in_range(const struct ip_conntrack_t
 const union ip_conntrack_manip_proto *min,
 const union ip_conntrack_manip_proto *max)
 {
-   u_int32_t key;
+   __be16 key;
 
if (maniptype == IP_NAT_MANIP_SRC)
key = tuple->src.u.gre.key;
else
key = tuple->dst.u.gre.key;
 
-   return ntohl(key) >= ntohl(min->gre.key)
-   && ntohl(key) <= ntohl(max->gre.key);
+   return ntohs(key) >= ntohs(min->gre.key)
+   && ntohs(key) <= ntohs(max->gre.key);
 }
 
 /* generate unique tuple ... */
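Review bot: with `key` now `__be16` and ntohs() used for all three comparands, this is only correct if `tuple->src.u.gre.key`, `min->gre.key` and `max->gre.key` are all 16-bit fields, as the one-line changelog asserts; if any of them were still declared 32-bit the assignment would silently truncate. Building with `C=1` would let sparse confirm the types match, and a slightly longer changelog explaining that ntohl() on a 16-bit field read two garbage bytes would help whoever bisects to this later.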



[PATCH] gre_unique_tuple: 16/32 bit fixes

2006-05-18 Thread Alexey Dobriyan
GRE keys are 16 bit.

Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
---

 net/ipv4/netfilter/ip_nat_proto_gre.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv4/netfilter/ip_nat_proto_gre.c
+++ 1/net/ipv4/netfilter/ip_nat_proto_gre.c
@@ -81,14 +81,14 @@ gre_unique_tuple(struct ip_conntrack_tup
min = 1;
range_size = 0x;
} else {
-   min = ntohl(range->min.gre.key);
-   range_size = ntohl(range->max.gre.key) - min + 1;
+   min = ntohs(range->min.gre.key);
+   range_size = ntohs(range->max.gre.key) - min + 1;
}
 
DEBUGP("min = %u, range_size = %u\n", min, range_size); 
 
for (i = 0; i < range_size; i++, key++) {
-   *keyptr = htonl(min + key % range_size);
+   *keyptr = htons(min + key % range_size);
if (!ip_nat_used_tuple(tuple, conntrack))
return 1;
}
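Review bot: the context line `range_size = 0x;` has lost its digits in this copy, so the full-range branch cannot be checked here. In the `else` branch both `min` and `range_size` now come from ntohs(), so they fit in 16 bits and `htons(min + key % range_size)` stays within [min, max]; note that htons() takes a 16-bit argument, so any overflow in `min + key % range_size` would be truncated silently rather than caught.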



Re: [PATCH] gre_in_range: 16/32 bit fix

2006-05-18 Thread Patrick McHardy
Alexey Dobriyan wrote:
> GRE keys are 16 bit.


Thanks, I've combined both patches and added them to my tree, will
push to Dave soon.


Re: Please pull 'upstream' branch of wireless-2.6

2006-05-18 Thread John W. Linville
On Wed, May 17, 2006 at 10:23:34PM +0100, Daniel Drake wrote:
> John W. Linville wrote:
> >Daniel Drake:
> >  set_security implementation inside softmac
> 
> If it's not too late, can you drop this one?

Well, it's your patch.  If you want to withdraw it, I'll comply.

---

The following changes since commit 59d4b684fbe74b25ac8593f39d2aaa86aa485b1f:
  John W. Linville:
Merge branch 'upstream-fixes' into upstream

are found in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6.git 
upstream

Arjan van de Ven:
  unused exports in wireless drivers

 drivers/net/wireless/hostap/hostap_80211_tx.c |1 -
 drivers/net/wireless/hostap/hostap_ap.c   |   11 ---
 drivers/net/wireless/hostap/hostap_main.c |2 --
 3 files changed, 0 insertions(+), 14 deletions(-)

diff --git a/drivers/net/wireless/hostap/hostap_80211_tx.c 
b/drivers/net/wireless/hostap/hostap_80211_tx.c
index 06a5214..4a5be70 100644
--- a/drivers/net/wireless/hostap/hostap_80211_tx.c
+++ b/drivers/net/wireless/hostap/hostap_80211_tx.c
@@ -534,5 +534,4 @@ int hostap_master_start_xmit(struct sk_b
 }
 
 
-EXPORT_SYMBOL(hostap_dump_tx_80211);
 EXPORT_SYMBOL(hostap_master_start_xmit);
diff --git a/drivers/net/wireless/hostap/hostap_ap.c 
b/drivers/net/wireless/hostap/hostap_ap.c
index 06c3fa3..ba13125 100644
--- a/drivers/net/wireless/hostap/hostap_ap.c
+++ b/drivers/net/wireless/hostap/hostap_ap.c
@@ -3276,17 +3276,6 @@ EXPORT_SYMBOL(hostap_init_data);
 EXPORT_SYMBOL(hostap_init_ap_proc);
 EXPORT_SYMBOL(hostap_free_data);
 EXPORT_SYMBOL(hostap_check_sta_fw_version);
-EXPORT_SYMBOL(hostap_handle_sta_tx);
-EXPORT_SYMBOL(hostap_handle_sta_release);
 EXPORT_SYMBOL(hostap_handle_sta_tx_exc);
-EXPORT_SYMBOL(hostap_update_sta_ps);
-EXPORT_SYMBOL(hostap_handle_sta_rx);
-EXPORT_SYMBOL(hostap_is_sta_assoc);
-EXPORT_SYMBOL(hostap_is_sta_authorized);
-EXPORT_SYMBOL(hostap_add_sta);
-EXPORT_SYMBOL(hostap_update_rates);
-EXPORT_SYMBOL(hostap_add_wds_links);
-EXPORT_SYMBOL(hostap_wds_link_oper);
 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
-EXPORT_SYMBOL(hostap_deauth_all_stas);
 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
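Review bot: after removing `EXPORT_SYMBOL(hostap_deauth_all_stas)` the `#ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT` / `#endif` pair at the end of this hunk is left empty; drop those two lines as well.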
diff --git a/drivers/net/wireless/hostap/hostap_main.c 
b/drivers/net/wireless/hostap/hostap_main.c
index 8dd4c44..93786f4 100644
--- a/drivers/net/wireless/hostap/hostap_main.c
+++ b/drivers/net/wireless/hostap/hostap_main.c
@@ -1125,11 +1125,9 @@ EXPORT_SYMBOL(hostap_set_auth_algs);
 EXPORT_SYMBOL(hostap_dump_rx_header);
 EXPORT_SYMBOL(hostap_dump_tx_header);
 EXPORT_SYMBOL(hostap_80211_header_parse);
-EXPORT_SYMBOL(hostap_80211_prism_header_parse);
 EXPORT_SYMBOL(hostap_80211_get_hdrlen);
 EXPORT_SYMBOL(hostap_get_stats);
 EXPORT_SYMBOL(hostap_setup_dev);
-EXPORT_SYMBOL(hostap_proc);
 EXPORT_SYMBOL(hostap_set_multicast_list_queue);
 EXPORT_SYMBOL(hostap_set_hostapd);
 EXPORT_SYMBOL(hostap_set_hostapd_sta);
-- 
John W. Linville
[EMAIL PROTECTED]


Re: Please pull 'upstream' branch of wireless-2.6

2006-05-18 Thread Daniel Drake
John W. Linville wrote:
> On Wed, May 17, 2006 at 10:23:34PM +0100, Daniel Drake wrote:
>> John W. Linville wrote:
>>> Daniel Drake:
>>>   set_security implementation inside softmac
>>
>> If it's not too late, can you drop this one?
>
> Well, it's your patch.  If you want to withdraw it, I'll comply.

Please do. I didn't sign off or send it to you directly as I wasn't 
asking for inclusion, but I'll make that clearer next time.


Thanks,
Daniel



[PATCH 1a/5] sky2: allow dual port usage

2006-05-18 Thread Stephen Hemminger
If both ports are receiving on the SysKonnect dual port cards,
then it appears the bus interface unit can give an interrupt status
for a frame before DMA has completed.  This leads to bogus frames
and general confusion. This is why receive checksumming is also
messed up on dual port cards.

A workaround for the out of order receive problem is to eliminate
split transactions on PCI-X.

This version is based on the current linux-2.6.git including the earlier
patch to disable dual ports.

Signed-off-by: Stephen Hemminger <[EMAIL PROTECTED]>

--- sky2.orig/drivers/net/sky2.c2006-05-18 11:08:10.0 -0700
+++ sky2/drivers/net/sky2.c 2006-05-18 11:11:48.0 -0700
@@ -1020,19 +1020,26 @@
struct sky2_hw *hw = sky2->hw;
unsigned port = sky2->port;
u32 ramsize, rxspace, imask;
-   int err;
+   int cap, err = -ENOMEM;
struct net_device *otherdev = hw->dev[sky2->port^1];
 
-   /* Block bringing up both ports at the same time on a dual port card.
-* There is an unfixed bug where receiver gets confused and picks up
-* packets out of order. Until this is fixed, prevent data corruption.
+   /*
+* On dual port PCI-X card, there is an problem where status
+* can be received out of order due to split transactions
 */
-   if (otherdev && netif_running(otherdev)) {
-   printk(KERN_INFO PFX "dual port support is disabled.\n");
-   return -EBUSY;
-   }
-
-   err = -ENOMEM;
+   if (otherdev && netif_running(otherdev) &&
+   (cap = pci_find_capability(hw->pdev, PCI_CAP_ID_PCIX))) {
+   struct sky2_port *osky2 = netdev_priv(otherdev);
+   u16 cmd;
+
+   cmd = sky2_pci_read16(hw, cap + PCI_X_CMD);
+   cmd &= ~PCI_X_CMD_MAX_SPLIT;
+   sky2_pci_write16(hw, cap + PCI_X_CMD, cmd);
+
+   sky2->rx_csum = 0;
+   osky2->rx_csum = 0;
+   }
+
if (netif_msg_ifup(sky2))
printk(KERN_INFO PFX "%s: enabling interface\n", dev->name);
 
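Review bot: the split-transaction workaround fires only when the second port comes up, nothing in this hunk restores PCI_X_CMD_MAX_SPLIT or `rx_csum` when a port is later brought down, and the change is silent; a netif_msg_ifup-level message saying that split transactions and receive checksumming were disabled on both ports would spare users from wondering why rx checksumming went away. Comment nit: "there is an problem" should read "there is a problem".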
@@ -3078,12 +3085,7 @@
sky2->duplex = -1;
sky2->speed = -1;
sky2->advertising = sky2_supported_modes(hw);
-
-   /* Receive checksum disabled for Yukon XL
-* because of observed problems with incorrect
-* values when multiple packets are received in one interrupt
-*/
-   sky2->rx_csum = (hw->chip_id != CHIP_ID_YUKON_XL);
+   sky2->rx_csum = 1;
 
spin_lock_init(&sky2->phy_lock);
sky2->tx_pending = TX_DEF_PENDING;
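Review bot: this re-enables receive checksumming unconditionally, including on single-port Yukon XL, on the strength of the diagnosis that the incorrect checksum values were the dual-port split-transaction problem; the changelog should say that a single-port Yukon XL was tested with `rx_csum = 1`, since the removed comment attributed the bad values to multiple packets per interrupt rather than to dual-port use.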


Re: [Bugme-new] [Bug 6579] New: Kernel Oops, IRDA stack related

2006-05-18 Thread Andrew Morton
[EMAIL PROTECTED] wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6579
> 
>Summary: Kernel Oops, IRDA stack related
> Kernel Version: v2.6.16.16 + squashfs v3.0 patch
> Status: NEW
>   Severity: normal
>  Owner: [EMAIL PROTECTED]
>  Submitter: [EMAIL PROTECTED]
> 
> 
> Most recent kernel where this bug did not occur:
> v2.6.16.16 - haven't tried earlier versions. Just now started using IRDA for
> phone management.
> 
> Distribution:
> Debian Unstable/Uptodate. Kernel is vanilla v2.6.16.16 + squashfs 3.0 patch
> applied. Otherwise clean tree.
> 
> Hardware Environment:
> Evo N800v, 
> Software Environment:
> Linux huh 2.6.16.16-evo #1 Fri May 12 12:17:14 EEST 2006 i686 GNU/Linux
>  
> Gnu C  4.0.4
> Gnu make   3.81
> binutils   2.16.91
> util-linux 2.12r
> mount  2.12r
> module-init-tools  3.2.2
> e2fsprogs  1.39-WIP
> reiserfsprogs  3.6.19
> xfsprogs   2.7.16
> pcmcia-cs  3.2.8
> nfs-utils  1.0.7
> Linux C Library2.3.6
> Dynamic linker (ldd)   2.3.6
> Procps 3.2.6
> Net-tools  1.60
> Console-tools  0.2.3
> Sh-utils   5.94
> udev   092
> Modules Loaded option radeon drm nfsd lockd sunrpc ipv6 deflate
> zlib_deflate zlib_inflate twofish serpent aes blowfish des sha256 sha1 md5
> crypto_null dm_mod irnet ppp_generic slhc irlan ircomm_tty ircomm pl2303
> usbserial pcmcia firmware_class snd_intel8x0 snd_ac97_codec snd_ac97_bus
> snd_pcm_oss snd_mixer_oss irtty_sir sir_dev pcspkr snd_pcm snd_timer irda
> 8250_pnp ohci_hcd ide_cd crc_ccitt floppy ehci_hcd 8250 serial_core 
> yenta_socket
> cdrom snd rsrc_nonstatic soundcore pcmcia_core snd_page_alloc intel_agp 
> agpgart
> 
> Problem Description:
> 
> Recently I've started using IRDA, to manage phone/calendar & co on Nokia 6310
> phone. For this task I am using IRDA and xgnokii management software. 
> Sometimes
> for no reason I am getting oopses at random addresses. System is not locking 
> up
> or so. It always prints oops followed by messages :
> 
> May 14 00:40:52 huh kernel:  <1>Fixing recursive fault but reboot is needed!
> 
> After reboot it takes again some time - ooops is reported at different 
> location
> (mostly random, but backtrace is same).
> 
> Steps to reproduce:
> It is quite simple, attempt to download phonebook, calendar, then attempt to
> upload. Sometimes it happens during logo download/upload.  
> 
> Oops will be added in the next comments.
> 

It's hitting list_head poisoning in
irda_release->sock_def_wakeup->__wake_up_common.

Appears to be a post-2.6.16 regression.



16/32 bit issues at nfulnl_recv_config

2006-05-18 Thread Alexey Dobriyan
I'm talking about net/netfilter/nfnetlink_log.c::^nfulnl_recv_config
below. I'm totally confused and beer supply almost ended, so can someone else
also look at it...

Put your attention at line 905:

net/netfilter/nfnetlink_log.c:

   902  if (nfula[NFULA_CFG_FLAGS-1]) {
   903  u_int16_t flags =
   904  *(u_int16_t *)NFA_DATA(nfula[NFULA_CFG_FLAGS-1]);
   905  nfulnl_set_flags(inst, ntohl(flags));


1) Cast should be made to __be16, and history of fixing endian warning
   slightly above supports it.
2) Assuming __be16, ntohl(__be16) is whooops.
3) nfulnl_set_flags() wants something 16-bit wide as a second argument,
   so ntohling there is double whoops.
4) NFULNL_CFG_F_SEQ* defines fit into 16 bit and are host-endian;
   inst->flags is &'ed with host endian so it's probably host-endian and

   static int
   nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
  ^
  this should be made __be16.
   {
spin_lock_bh(&inst->lock);
inst->flags = ntohs(flags);
spin_unlock_bh(&inst->lock);
return 0;
   }

   What to do with lines 903-905 if it is.

Alexey "confused in Moscow" Dobriyan



Re: [PATCH 2/4] myri10ge - Driver header files

2006-05-18 Thread Brice Goglin
Randy.Dunlap wrote:
>> [PATCH 2/4] myri10ge - Driver header files
>>
>>  myri10ge_mcp.h|  205 
>> ++
>>  myri10ge_mcp_gen_header.h |   58 +
>> 
>
> Please use "diffstat -p 1 -w 70" as documented in
> Documentation/SubmittingPatches.
>   

Ok, will do.

>> +/* 16 Bytes */
>> 
> What is 16 bytes here?
>   
>> +struct mcp_slot {
>> +u16 checksum;
>> +u16 length;
>> +};
>> 

Looks like I have problems computing the size of this type.

Thanks,
Brice



Re: [PATCH 3/4] myri10ge - Driver core

2006-05-18 Thread Brice Goglin
Roland Dreier wrote:
> Still some suspicious uses of volatile here.
>
> For example:
>
>   
>> +struct myri10ge_priv {
>> 
>  ...
>   
>> +volatile u8 __iomem *sram;
>> 
>
> as far as I can see this is always used with proper __iomem accessors,
> often with casts to strip the volatile anyway.  So why is volatile needed?
>
> I would suggest an audit of all uses of volatile in the driver, since
> "volatile" in drivers really should be read "there's probably a bug
> here, and if not something very tricky is going on."  If there are any
> valid uses of volatile then a comment should explain why, so that
> future reviewers don't have to try and puzzle out which of the
> two possible translations of volatile is correct.
>   

You are right, we audited the code and it looks like we don't need any
volatile.

Thanks,
Brice



Re: [PATCH 3/4] myri10ge - Driver core

2006-05-18 Thread Brice Goglin
Arnd Bergmann wrote:
>> +for (sleep_total = 0;
>> + sleep_total < (15 * 1000) && response->result == 0x;
>> + sleep_total += 10) {
>> +udelay(10);
>> +}
>> 
>
> udelay does not sleep. If you want to sleep, use msleep instead.
>   

This place is actually the only one where we don't want to use msleep.
This function (myri10ge_send_cmd) might be called from various contexts
(spinlocked or not) and pass orders to the NIC whose processing time
depends a lot on the command. Of course, we don't have any place where a
long operation is passed from a spinlocked context :) But, we need the
tiny udelay granularity for the spinlocked case, and the long loop for
operations that are long to process in the NIC.

Concerning all the other places where you suggested to use msleep, you
were right.

> The __iomem variable need not be volatile.

As Roland pointed out, there were too many volatiles in this code. We are
reworking this together with the sparse annotations.

>> +printk("myri10ge: %s: %s IRQ %d, tx bndry %d, fw %s, WC %s\n",
>> +   netdev->name, (mgp->msi_enabled ? "MSI" : "xPIC"),
>> +   pdev->irq, mgp->tx.boundary, mgp->fw_name,
>> +   (mgp->mtrr >= 0 ? "Enabled" : "Disabled"));
>> +
>> 
>
> missing printk level (KERN_DEBUG?). Could probably use dev_printk.
>   

When are we supposed to call dev_printk or not in such a driver ?

>> +#define MYRI10GE_PCI_VENDOR_MYRICOM 0x14c1
>> +#define MYRI10GE_PCI_DEVICE_Z8E 0x0008
>> 
>
> Shouldn't the vendor ID go to pci_ids.h?
>   

That's what I thought but I was told that the fashion these days is to
keep the IDs with the driver that uses them. I'll be happy to move as long
as everybody agrees :)


Thanks a lot for all your comments,
Brice



Re: 16/32 bit issues at nfulnl_recv_config

2006-05-18 Thread Patrick McHardy
Alexey Dobriyan wrote:
> I'm talking about net/netfilter/nfnetlink_log.c::^nfulnl_recv_config
> below. I'm totally confused and beer supply almost ended, so can someone else
> also look at it...
> 
> Put your attention at line 905:
> 
> net/netfilter/nfnetlink_log.c:
> 
>    902  if (nfula[NFULA_CFG_FLAGS-1]) {
>    903  u_int16_t flags =
>    904  *(u_int16_t *)NFA_DATA(nfula[NFULA_CFG_FLAGS-1]);
>    905  nfulnl_set_flags(inst, ntohl(flags));
> 
> 
> 1) Cast should be made to __be16, and history of fixing endian warning
>slightly above supports it.
> 2) Assuming __be16, ntohl(__be16) is whooops.
> 3) nfulnl_set_flags() wants something 16-bit wide as a second argument,
>so ntohling there is double whoops.
> 4) NFULNL_CFG_F_SEQ* defines fit into 16 bit and are host-endian;
>inst->flags is &'ed with host endian so it's probably host-endian and
> 
>static int
>nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
> ^
> this should be made __be16.
>{
>   spin_lock_bh(&inst->lock);
>   inst->flags = ntohs(flags);
>   spin_unlock_bh(&inst->lock);
>   return 0;
>}
> 
>What to do with lines 903-905 if it is.


I checked the userspace code, "flags" is indeed a u16 in network byte
order, so the ntohl in line 905 needs to become ntohs and the other
one can just go, as done by this patch.
[NETFILTER]: nfnetlink_log: fix byteorder confusion

flags is a u16, so use htons instead of htonl. Also avoid double
conversion.

Noticed by Alexey Dobriyan <[EMAIL PROTECTED]>

Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>

---
commit ad1dcdc1f150f613ff8625fed88ed5c1d089d09a
tree fa34bb52998bd56144639dfe6b2c286b114ae59a
parent f372e5df6ab4cd1e1498489562af2095fb5aec7c
author Patrick McHardy <[EMAIL PROTECTED]> Fri, 19 May 2006 03:12:08 +0200
committer Patrick McHardy <[EMAIL PROTECTED]> Fri, 19 May 2006 03:12:08 +0200

 net/netfilter/nfnetlink_log.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index c60273c..61cdda4 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -321,7 +321,7 @@ static int
 nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
 {
spin_lock_bh(&inst->lock);
-   inst->flags = ntohs(flags);
+   inst->flags = flags;
spin_unlock_bh(&inst->lock);
 
return 0;
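Review bot: dropping the `ntohs()` here changes the contract of nfulnl_set_flags() so that `flags` is now expected in host byte order, yet the parameter keeps its plain `u_int16_t` type and nothing records the new expectation; a short comment on the parameter ("host byte order, caller converts") would make that explicit. The patch shows only the caller in nfulnl_recv_config being adjusted, so the changelog should also state that no other caller of nfulnl_set_flags() still passes a network-order value.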
@@ -902,7 +902,7 @@ nfulnl_recv_config(struct sock *ctnl, st
if (nfula[NFULA_CFG_FLAGS-1]) {
u_int16_t flags =
*(u_int16_t *)NFA_DATA(nfula[NFULA_CFG_FLAGS-1]);
-   nfulnl_set_flags(inst, ntohl(flags));
+   nfulnl_set_flags(inst, ntohs(flags));
}
 
 out_put:
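Review bot: the `ntohl` to `ntohs` change is correct for a 16-bit value, but the cast `*(u_int16_t *)NFA_DATA(...)` on the unchanged line above it still reads the attribute as a plain `u_int16_t`; with the `__be16` type Alexey suggested, sparse would have flagged the original `ntohl` on its own. No check that the attribute's payload is at least two bytes long is visible in this hunk, so if nfnetlink does not validate `NFULA_CFG_FLAGS` lengths before this point, a short attribute would be read past its payload; worth confirming in the changelog. Minor: the commit message says "use htons instead of htonl" while the code uses `ntohs`, so the text should match the function actually called.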

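To make the byte-order point in Alexey's report and Patrick's fix concrete, here is an added C example (written for this archive, not code from the kernel or from the patch above). It decodes a 16-bit network-order flags attribute the way the fixed code does, with a single `ntohs()`, rejects attributes too short to hold the value, and keeps a small function showing what the original `ntohl()` on a 16-bit value produces. The attribute header layout, the `CFG_F_*` flag values and the helper names (`parse_cfg_flags`, `build_cfg_flags_attr`, `decode_flags_with_ntohl`) are this example's own assumptions, not nfnetlink identifiers.

```c
/* Added example, not part of the netfilter patch above.  The header layout
 * below mirrors the generic netlink attribute header (16-bit length covering
 * header + payload, 16-bit type, both host byte order); the flag values and
 * function names are this example's own assumptions. */
#include <arpa/inet.h>   /* ntohs, htons, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nfattr_hdr {
    uint16_t nfa_len;
    uint16_t nfa_type;
};

#define NFA_HDR_LEN ((uint16_t)sizeof(struct nfattr_hdr))

/* Hypothetical host-endian flag bits, standing in for the NFULNL_CFG_F_SEQ*
 * defines discussed in the thread. */
#define CFG_F_SEQ        0x0001
#define CFG_F_SEQ_GLOBAL 0x0002

/* Decode a flags attribute from buf.  Returns 0 and stores the host-order
 * flags in *out, or -1 if the buffer or the attribute's own length does not
 * cover header + 2 payload bytes (so a short attribute is never read past). */
int parse_cfg_flags(const uint8_t *buf, size_t buflen, uint16_t *out)
{
    struct nfattr_hdr hdr;
    uint16_t wire;

    if (buflen < NFA_HDR_LEN)
        return -1;
    memcpy(&hdr, buf, NFA_HDR_LEN);
    if (hdr.nfa_len < NFA_HDR_LEN + 2 || hdr.nfa_len > buflen)
        return -1;
    memcpy(&wire, buf + NFA_HDR_LEN, 2);   /* 16 bits, network byte order */
    *out = ntohs(wire);                    /* exactly one 16-bit swap */
    return 0;
}

/* The original bug: ntohl() applied to a 16-bit value.  The u16 is promoted
 * to 32 bits, the 32-bit swap moves the payload bits into the upper half,
 * and truncating back to 16 bits drops them on a little-endian host. */
uint16_t decode_flags_with_ntohl(uint16_t wire)
{
    return (uint16_t)ntohl(wire);
}

/* Build a constructed attribute carrying host-order flags; returns the
 * number of bytes written, or 0 if buf is too small. */
size_t build_cfg_flags_attr(uint16_t flags, uint8_t *buf, size_t buflen)
{
    struct nfattr_hdr hdr = { .nfa_len = NFA_HDR_LEN + 2, .nfa_type = 1 };
    uint16_t wire = htons(flags);

    if (buflen < NFA_HDR_LEN + 2)
        return 0;
    memcpy(buf, &hdr, NFA_HDR_LEN);
    memcpy(buf + NFA_HDR_LEN, &wire, 2);
    return NFA_HDR_LEN + 2;
}

int main(void)
{
    uint8_t buf[8];
    uint16_t flags = 0, wire;
    size_t n = build_cfg_flags_attr(CFG_F_SEQ | CFG_F_SEQ_GLOBAL, buf, sizeof buf);

    if (parse_cfg_flags(buf, n, &flags) == 0)
        printf("ntohs: flags=0x%04x seq=%d global=%d\n", flags,
               !!(flags & CFG_F_SEQ), !!(flags & CFG_F_SEQ_GLOBAL));
    memcpy(&wire, buf + NFA_HDR_LEN, 2);
    printf("ntohl on a u16: flags=0x%04x\n", decode_flags_with_ntohl(wire));
    printf("header-only attribute rejected: %d\n",
           parse_cfg_flags(buf, NFA_HDR_LEN, &flags) == -1);
    return 0;
}
```

On a little-endian machine the `ntohl` variant reports no flags at all for an attribute that set both bits, which is the "whooops" Alexey describes; on a big-endian host `ntohl` is the identity and the bug is invisible, which is why a `__be16` annotation checked by sparse catches it more reliably than testing does.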

Re: [PATCH 3/4] myri10ge - Driver core

2006-05-18 Thread Arnd Bergmann
Am Friday 19 May 2006 01:56 schrieb Brice Goglin:
> This place is actually the only one where we don't want to use msleep.
> This function (myri10ge_send_cmd) might be called from various context
> (spinlocked or not) and pass orders to the NIC whose processing time
> depends a lot on the command. Of course, we don't have any place where a
> long operation is passed from a spinlocked context :) But, we need the
> tiny udelay granularity for the spinlocked case, and the long loop for
> operations that are long to process in the NIC.

I don't see any spinlocks in your code and the function does not
seem to be called from the interrupt handler or the softirq either.
Maybe I've missed something, but where is this ever called in an
atomic context?

> > missing printk level (KERN_DEBUG?). Could probably use dev_printk.
>
> When are we supposed to call dev_printk or not in such a driver ?

Whenever you have a device associated with the message, it makes
sense to use the dev_printk family of functions.

> >> +#define MYRI10GE_PCI_VENDOR_MYRICOM   0x14c1
> >> +#define MYRI10GE_PCI_DEVICE_Z8E   0x0008
> >
> > Shouldn't the vendor ID go to pci_ids.h?
>
> That's what I thought but i was told that the fashion these days is to
> keep the IDs with the driver that uses them. I'll happy to move as long
> as everybody agrees :)

My understanding is that vendor IDs should go to the common file
because they are likely to be used by multiple drivers whereas
device IDs only need to be present in the one device driver for
that particular device.

Arnd <><


Re: [PATCH 3/4] myri10ge - Driver core

2006-05-18 Thread Brice Goglin
Arnd Bergmann wrote:
> Am Friday 19 May 2006 01:56 schrieb Brice Goglin:
>   
>> This place is actually the only one where we don't want to use msleep.
>> This function (myri10ge_send_cmd) might be called from various context
>> (spinlocked or not) and pass orders to the NIC whose processing time
>> depends a lot on the command. Of course, we don't have any place where a
>> long operation is passed from a spinlocked context :) But, we need the
>> tiny udelay granularity for the spinlocked case, and the long loop for
>> operations that are long to process in the NIC.
>> 
>
> I don't see any spinlocks in your code and the function does not
> seem to be called from the interrupt handler or the softirq either.
> Maybe I've missed something, but where is this ever called in an
> atomic context?
>   

dev_mc_upload() from net/core/dev_mcast.c does

spin_lock_bh(&dev->xmit_lock);
__dev_mc_upload(dev);

which calls dev->set_multicast_list(), which is
myri10ge_set_multicast_list()

which calls myri10ge_change_promisc

which calls myri10ge_send_cmd



> Whenever you have a device associated with the message, it makes
> sense to use the dev_printk family of functions.
>   

Ok, thanks.

> My understanding is that vendor IDs should go to the common file
> because they are likely to be used by multiple drivers whereas
> device IDs only need to be present in the one device driver for
> that particular device.
>   

Makes sense. I will change it.

Thanks again,
Brice
