From: Xiaolan Zhang [EMAIL PROTECTED]
Date: Tue, 6 Jun 2006 10:55:58 -0400
Singned-off-by: Catherine Zhang [EMAIL PROTECTED]
James, is this enough or do I need to modify the original patch to add the
above line? The code was taken from various pieces of patches originally
from Trent and
From: David Miller [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 23:40:03 -0700 (PDT)
From: Xiaolan Zhang [EMAIL PROTECTED]
Date: Tue, 6 Jun 2006 10:55:58 -0400
Singned-off-by: Catherine Zhang [EMAIL PROTECTED]
James, is this enough or do I need to modify the original patch to add the
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:52 -0700
From: Christopher J. PeBenito [EMAIL PROTECTED]
Add a security class for appletalk sockets so that they can be
distinguished in SELinux policy. Please apply.
Signed-off-by: Stephen Smalley [EMAIL PROTECTED]
Acked-by: James
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:54 -0700
This patch:
Add support for a new object class ('packet'), and associated permissions
('send', 'recv', 'relabelto'). These are used to enforce security policy for
network packets labeled with SECMARK, and for adding labeling
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:54 -0700
From: James Morris [EMAIL PROTECTED]
Add and export new functions to the in-kernel SELinux API in support of the
new secmark-based packet controls.
Signed-off-by: James Morris [EMAIL PROTECTED]
Signed-off-by: Andrew Morton
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:55 -0700
Add a secmark field to the skbuff structure, to allow security subsystems to
place security markings on network packets. This is similar to the nfmark
field, except is intended for implementing security policy, rather than than
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:56 -0700
Add a SECMARK target to xtables, allowing the admin to apply security marks to
packets via both iptables and ip6tables.
The target currently handles SELinux security marking, but can be extended
for other purposes as needed.
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:57 -0700
Add a secmark field to IP and NF conntracks, so that security markings on
packets can be copied to their associated connections, and also copied back to
packets as required. This is similar to the network mark field currently used
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:58 -0700
Add a new xtables target, CONNSECMARK, which is used to specify rules for
copying security marks from packets to connections, and for copyying security
marks back from connections to packets. This is similar to the CONNMARK
From: [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:20:59 -0700
Add new per-packet access controls to SELinux, replacing the old packet
controls.
...
Signed-off-by: James Morris [EMAIL PROTECTED]
Cc: Stephen Smalley [EMAIL PROTECTED]
Signed-off-by: Andrew Morton [EMAIL PROTECTED]
Applied to
Hi:
[NET] ppp: Remove unnecessary pskb_may_pull
In ppp_receive_nonmp_frame, we call pskb_may_pull(skb, skb-len) if the
tailroom is = 124. This is pointless because this pskb_may_pull is only
needed if the skb is non-linear. However, if it is non-linear then the
tailroom would be zero.
So it
Hi:
The following patches are based on net-2.6.18.
[NET]: Clean up skb_linearize
The linearisation operation doesn't need to be super-optimised. So we can
replace __skb_linearize with __pskb_pull_tail which does the same thing but
is more general.
Also, most users of skb_linearize end up
Hi:
[NET]: skb_trim audit
I found a few more spots where pskb_trim_rcsum could be used but were not.
This patch changes them to use it.
Also, sk_filter can get paged skb data. Therefore we must use pskb_trim
instead of skb_trim.
Signed-off-by: Herbert Xu [EMAIL PROTECTED]
Cheers,
--
Visit
Hi:
[NET]: Warn in __skb_trim if skb is paged
It's better to warn and fail rather than rarely triggering BUG on paths
that incorrectly call skb_trim/__skb_trim on a non-linear skb.
Signed-off-by: Herbert Xu [EMAIL PROTECTED]
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert
Marco Berizzi wrote:
Marco Berizzi wrote:
Herbert Xu wrote:
However, the fact that the tcpdump causes more chunky packets to
make it through could be an indication that there is a bug somewhere
in our NAT/IPsec code or at least a suboptimal memory allocation
strategy that's somehow avoided
On Fri, 9 Jun 2006, David Miller wrote:
Remember James, you're on the hook now to shrink sk_buff
when you get a chance :-)
Yep, I remember.
--
James Morris
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More
Quoting David Miller:
| From: Gerrit Renker [EMAIL PROTECTED]
| Date: Thu, 8 Jun 2006 21:09:33 +0100
|
| That is why I held back regarding the IPv6 port:
snip
|
| It's not like an ipv6 port is such a big pile of work.
|
I see the point and will port to v6 (have asked colleages for
On Friday 09 June 2006 03:56, Jeremy Fitzhardinge wrote:
Rafael J. Wysocki wrote:
Please try doing echo 8 /proc/sys/kernel/printk before suspend.
Um, why? That would increase the amount of log output, but I don't see
how it would help with netconsole preventing suspend, or not being
Hi,
I am working on a small application using iptables/libipq. In this, the
application would capture a specific packets based on the destination IP
address. Then I encapsulate this IP packet inside another new IP packet.
My problem is that the encapsulation part works fine in
On Wed, 2006-06-07 at 13:12 -0500, Larry Finger wrote:
(ie, add the hh before the x to tell the print that it's a char)
That doesn't work - the result is
%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx%hx
Looks like the kernel doesn't support that modifier.
I
A similar fix is included in the myri10ge update that Jeff merged into
netdev yesterday.
thanks,
Brice
[EMAIL PROTECTED] wrote:
From: Andrew Morton [EMAIL PROTECTED]
drivers/net/myri10ge/myri10ge.c: In function 'myri10ge_submit_8rx':
drivers/net/myri10ge/myri10ge.c:772: error:
On Fri, Jun 09, 2006 at 05:43:24AM +0200, Andi Kleen wrote:
No one out on the internet, but it would be trivial for someone outside
his house. All his traffic will be on a long unsecured cable.
That is why I would never bridge home ethernet traffic onto a DSL line.
Hmm, traffic sent between
Hello,
here is the URL for our device driver. It is a tarball containing
a patch set for kernel 2.6.17-rc6. This version should compile
without warning.
http://prdownloads.sourceforge.net/ibmehcad/ehea_EHEA_0005_2.6.17-rc6.tgz?download
Signed-off-by: Jan-Bernd Themann [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
From: Adrian Bunk [EMAIL PROTECTED]
Remove the assert()'s from drivers/char/hw_random.c since you both needed
to enable a manual option in the driver source to make them effective and
they only covered some obviously impossible cases.
Signed-off-by: Adrian Bunk [EMAIL
Johannes Berg wrote:
On Wed, 2006-06-07 at 13:12 -0500, Larry Finger wrote:
but why doesn't it work?
No idea. If we had a dump maybe we could tell :/
Do you mean a special dump, or is the kernel debug output and wpa_supplicant
debug output sufficient?
Larry
-
To unsubscribe from this
Herbert Xu wrote:
Daniel Drake [EMAIL PROTECTED] wrote:
More specifically, we're talking about drivers/usb/net/usbnet.c and the
usbnet_disconnect() function. The race I am highlighting is that
usbnet's hard_start_xmit handler (usbnet_start_xmit) may be running when
the disconnect happens.
On Fri, 2006-06-09 at 10:31 -0500, Larry Finger wrote:
Do you mean a special dump, or is the kernel debug output and wpa_supplicant
debug output sufficient?
I was thinking of packet dumps but earlier you said you couldn't create
any so I'm out of ideas for now.
johannes
signature.asc
Hello,
I have a problem where my machine freezes as soon as I send it data at
high speeds. It works perfectly fine when transferring files slowly
(over the internet for instance). But after sending some data for a few
seconds at relatively high speed (let's say 10MB/sec), the whole
machine just
Johannes Berg wrote:
On Fri, 2006-06-09 at 10:31 -0500, Larry Finger wrote:
Do you mean a special dump, or is the kernel debug output and wpa_supplicant
debug output sufficient?
I was thinking of packet dumps but earlier you said you couldn't create
any so I'm out of ideas for now.
On Fri, Jun 09, 2006 at 07:50:25AM +0200, Andi Kleen wrote:
On Friday 09 June 2006 07:23, David Miller wrote:
From: Auke Kok [EMAIL PROTECTED]
Date: Thu, 08 Jun 2006 22:13:48 -0700
netconsole should retry. There is no timeout programmed here since that
might
lose important
If IPv6 addresses are ordered by scope, then ipv6_dev_get_saddr() can
break-out of the device addr_list for() loop when the candidate source
address scope is less than the destination address scope.
Signed-off-by: Brian Haley [EMAIL PROTECTED]
diff --git a/net/ipv6/addrconf.c
Jeff Garzik [EMAIL PROTECTED] :
Randy.Dunlap wrote:
Conversely, any reason to use the RealTek r1000 driver?
FWIW, RealTek emailed me about merging r1000. I suggested that, if the
Which one ?
r1000_n.c where #define RELEASE_DATE 2006/02/23
--
Ueimor
-
To unsubscribe from this list: send
Hi-
+#define EHEA_MEM_START 0xc000
You probably don't want to hardcode this. Maybe KERNELBASE from page.h?
+
+int ehea_reg_mr_adapter(struct ehea_adapter *adapter)
+{
+ int i;
+ u64 hret;
+ u64 start = EHEA_MEM_START;
+ u64 end = (u64) high_memory;
+
Francois Romieu wrote:
Jeff Garzik [EMAIL PROTECTED] :
Randy.Dunlap wrote:
Conversely, any reason to use the RealTek r1000 driver?
FWIW, RealTek emailed me about merging r1000. I suggested that, if the
Which one ?
r1000_n.c where #define RELEASE_DATE 2006/02/23
They didn't say. Just
From: Herbert Xu [EMAIL PROTECTED]
Date: Fri, 9 Jun 2006 15:48:16 +1000
On Thu, Jun 01, 2006 at 09:15:03PM +1000, herbert wrote:
OK, here is a patch which does this.
[NET]: Add netif_tx_lock
Just noticed that I showed dyslexia in winbond.c :) Here is the corrected
version.
Andi Kleen wrote:
If your laptop has firewire you can also use firescope.
(ftp://ftp.suse.com/pub/people/ak/firescope/)
..
FW keeps running as long as nobody resets the ieee1394 chip.
This looks interesting. But how does one set it up for use
on the *other* end of that firewire cable?
Ack,
Jeff, please pull this patch from:
git://lost.foo-projects.org/~ahkok/git/netdev-2.6 upstream
which is against netdev-2.6#upstream cac925a4aab1b7233d3beb591f53498816058a08
Cheers,
Auke
---
Signed-off-by: Linas Vepstas [EMAIL PROTECTED]
Cc: Jesse Brandeburg [EMAIL PROTECTED]
On Fri, 9 Jun 2006, Herbert Xu wrote:
Could you post an exact sequence of commands that reproduces the bug?
That would help us in verifying your fix.
Publish a large number of ARP entries (greater than 10 required on my
system):
'arp -Ds IP iface pub'
View output of /proc/net/arp:
'dd
The network isolation relies on the fact that an application can not
use IP addresses not belonging to the container in which it's
running. This patch isolates the inet device level by adding a
structure namespace pointer in the structure in_ifaddr. When an ip
address is set inside a network
Adds to the network namespace a device list view. This view is emptied
when the unshare is done. The view is filled/emptied by a set of
function which can be called by an external module.
Replace-Subject: [Network namespace] Network device sharing by view
Signed-off-by: Daniel Lezcano [EMAIL
The dev list view is filled and used from here. The dev_base_list has
been replaced to the dev list view and devices can be accessed only if
the view has the device in its list. All calls from the userspace,
ioctls, netlinks and procfs, will use the network devices view instead
of the global
This patch is for testing purpose. It allows to read which network
devices are accessible and to add a network device to the view.
This RFC hack is purely for discussing the best way to do that.
After unsharing with CLONE_NEWNET flag:
--
To see which devices
This patch partially isolates ipv4 by adding the network namespace
structure in the structure sock, bind bucket and skbuf. When a socket
is created, the pointer to the network namespace is stored in the
struct sock and the socket belongs to the namespace by this way. That
allows to identify
This patch adds to the nsproxy the network namespace and a set of
functions to unshare it. The network namespace structure should be
filled later with the identified network ressources needed for more
isolation.
Replace-Subject: [Network namespace] Network namespace structure
Signed-off-by:
The following patches create a private network namespace for use
within containers. This is intended for use with system containers
like vserver, but might also be useful for restricting individual
applications' access to the network stack.
These patches isolate traffic inside the network
Pavel Machek wrote:
if you plug zd1201 into USB, it starts jamming radio,
immediately. Enable/disable, or iwlist wlan0 scan, or basically any
operation unjams the radio. This patch works it around:
Can we be any more specific?
What is the interference - is it transmitting random packets, or
Hi!
I'll try to.
if you plug zd1201 into USB, it starts jamming radio,
immediately. Enable/disable, or iwlist wlan0 scan, or basically any
operation unjams the radio. This patch works it around:
Can we be any more specific?
What is the interference - is it transmitting random packets,
From: Herbert Xu [EMAIL PROTECTED]
Date: Fri, 9 Jun 2006 17:43:44 +1000
[NET] ppp: Remove unnecessary pskb_may_pull
Applied, thanks a lot.
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at
From: Herbert Xu [EMAIL PROTECTED]
Date: Fri, 9 Jun 2006 17:42:34 +1000
[NET]: Clean up skb_linearize
Looks good, applied to net-2.6.18
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at
From: Herbert Xu [EMAIL PROTECTED]
Date: Fri, 9 Jun 2006 17:55:39 +1000
[NET]: Warn in __skb_trim if skb is paged
It's better to warn and fail rather than rarely triggering BUG on paths
that incorrectly call skb_trim/__skb_trim on a non-linear skb.
Signed-off-by: Herbert Xu [EMAIL
From: Herbert Xu [EMAIL PROTECTED]
Date: Fri, 9 Jun 2006 17:44:33 +1000
[NET]: skb_trim audit
I found a few more spots where pskb_trim_rcsum could be used but were not.
This patch changes them to use it.
Also, sk_filter can get paged skb data. Therefore we must use pskb_trim
instead of
On Fri, Jun 09, 2006 at 04:29:13PM +0100, Daniel Drake wrote:
Can I interpret your response as: If the TX queue is disabled in
advance, no hard_start_xmit functions will be running on any CPU after
synchronize_net() has returned?
Correct. All callers of hard_start_xmit do so under RCU or
On Fri, 9 Jun 2006, [EMAIL PROTECTED] wrote:
When an outgoing packet has the loopback destination addres, the
skbuff is filled with the network namespace. So the loopback packets
never go outside the namespace. This approach facilitate the migration
of loopback because identification is done
James Morris wrote:
On Fri, 9 Jun 2006, [EMAIL PROTECTED] wrote:
When an outgoing packet has the loopback destination addres, the
skbuff is filled with the network namespace. So the loopback packets
never go outside the namespace. This approach facilitate the migration
of loopback because
On Fri, 9 Jun 2006, Rick Jones wrote:
I think you'll need to make it so this code has zero impact when not
configured.
Indeed, and over stuff other than loopback too. I'll not so humbly suggest :)
Yes, I meant the whole lot.
- James
--
James Morris
[EMAIL PROTECTED]
-
To unsubscribe
55 matches
Mail list logo