Netdev List
* [PATCH 2/9] [TCP]: Rename update_send_head & include related increment to it
From: Ilpo Järvinen @ 2007-12-31 10:47 UTC (permalink / raw)
  To: David Miller; +Cc: netdev
In-Reply-To: <1199098077874-git-send-email-ilpo.jarvinen@helsinki.fi>

There's very little need to have the packets_out incrementing in
a separate function. Also name the combined function
appropriately.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
---
 net/ipv4/tcp_output.c |   32 ++++++++++++--------------------
 1 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 7a4834a..1ca638b 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -61,29 +61,22 @@ int sysctl_tcp_base_mss __read_mostly = 512;
 /* By default, RFC2861 behavior.  */
 int sysctl_tcp_slow_start_after_idle __read_mostly = 1;
 
-static inline void tcp_packets_out_inc(struct sock *sk,
-				       const struct sk_buff *skb)
-{
-	struct tcp_sock *tp = tcp_sk(sk);
-	int orig = tp->packets_out;
-
-	tp->packets_out += tcp_skb_pcount(skb);
-	if (!orig)
-		inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
-					  inet_csk(sk)->icsk_rto, TCP_RTO_MAX);
-}
-
-static void update_send_head(struct sock *sk, struct sk_buff *skb)
+static void tcp_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
+	unsigned int prior_packets = tp->packets_out;
 
 	tcp_advance_send_head(sk, skb);
 	tp->snd_nxt = TCP_SKB_CB(skb)->end_seq;
-	tcp_packets_out_inc(sk, skb);
 
 	/* Don't override Nagle indefinately with F-RTO */
 	if (tp->frto_counter == 2)
 		tp->frto_counter = 3;
+
+	tp->packets_out += tcp_skb_pcount(skb);
+	if (!prior_packets)
+		inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+					  inet_csk(sk)->icsk_rto, TCP_RTO_MAX);
 }
 
 /* SND.NXT, if window was not shrunk.
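Review bot: tcp_event_new_data_sent() has no comment describing what it now bundles, and the new name alone does not tell a caller that it also arms the retransmit timer. A short comment above the function would help, saying that it advances the send head, sets snd_nxt, adds tcp_skb_pcount(skb) to packets_out and starts ICSK_TIME_RETRANS when prior_packets was zero. While this block is being touched, the "indefinately" typo in the F-RTO comment could be fixed as well.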
@@ -1410,7 +1403,7 @@ static int tcp_mtu_probe(struct sock *sk)
 		/* Decrement cwnd here because we are sending
 		* effectively two packets. */
 		tp->snd_cwnd--;
-		update_send_head(sk, nskb);
+		tcp_event_new_data_sent(sk, nskb);
 
 		icsk->icsk_mtup.probe_size = tcp_mss_to_mtu(sk, nskb->len);
 		tp->mtu_probe.probe_seq_start = TCP_SKB_CB(nskb)->seq;
@@ -1494,7 +1487,7 @@ static int tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle)
 		/* Advance the send_head.  This one is sent out.
 		 * This call will increment packets_out.
 		 */
-		update_send_head(sk, skb);
+		tcp_event_new_data_sent(sk, skb);
 
 		tcp_minshall_update(tp, mss_now, skb);
 		sent_pkts++;
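Review bot: the context comment above the renamed call in tcp_write_xmit() still reads "Advance the send_head ... This call will increment packets_out", which covers only part of what tcp_event_new_data_sent() does. Either update it to match the new function or drop it, since the function name now carries the meaning.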
@@ -1553,7 +1546,7 @@ void tcp_push_one(struct sock *sk, unsigned int mss_now)
 		TCP_SKB_CB(skb)->when = tcp_time_stamp;
 
 		if (likely(!tcp_transmit_skb(sk, skb, 1, sk->sk_allocation))) {
-			update_send_head(sk, skb);
+			tcp_event_new_data_sent(sk, skb);
 			tcp_cwnd_validate(sk);
 			return;
 		}
@@ -2528,9 +2521,8 @@ int tcp_write_wakeup(struct sock *sk)
 			TCP_SKB_CB(skb)->flags |= TCPCB_FLAG_PSH;
 			TCP_SKB_CB(skb)->when = tcp_time_stamp;
 			err = tcp_transmit_skb(sk, skb, 1, GFP_ATOMIC);
-			if (!err) {
-				update_send_head(sk, skb);
-			}
+			if (!err)
+				tcp_event_new_data_sent(sk, skb);
 			return err;
 		} else {
 			if (tp->urg_mode &&
-- 
1.5.0.6


^ permalink raw reply related

* [PATCH 1/9] [TCP]: Make invariant check complain about invalid sacked_out
From: Ilpo Järvinen @ 2007-12-31 10:47 UTC (permalink / raw)
  To: David Miller; +Cc: netdev
In-Reply-To: <11990980772344-git-send-email-ilpo.jarvinen@helsinki.fi>

Earlier resolution for NewReno's sacked_out should now keep
it small enough for this to become invariant-like check.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
---
 net/ipv4/tcp_input.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 722c9cb..41f4b86 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2504,11 +2504,8 @@ tcp_fastretrans_alert(struct sock *sk, int pkts_acked, int flag)
 				    (tcp_fackets_out(tp) > tp->reordering));
 	int fast_rexmit = 0;
 
-	/* Some technical things:
-	 * 1. Reno does not count dupacks (sacked_out) automatically. */
-	if (!tp->packets_out)
+	if (WARN_ON(!tp->packets_out && tp->sacked_out))
 		tp->sacked_out = 0;
-
 	if (WARN_ON(!tp->sacked_out && tp->fackets_out))
 		tp->fackets_out = 0;
 
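Review bot: the added WARN_ON(!tp->packets_out && tp->sacked_out) line replaces a commented, unconditional reset with an uncommented warning, so a reader of tcp_fastretrans_alert() no longer learns why sacked_out could be non-zero at this point. A one-line comment stating that non-zero sacked_out with packets_out == 0 is now treated as a bug would keep that context. The hunk also removes the blank line before the fackets_out check; keeping it would separate the two invariant checks visually.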
-- 
1.5.0.6


^ permalink raw reply related

* [PATCH net-2.6.25 0/9]: TCP cleanups & minor changes.
From: Ilpo Järvinen @ 2007-12-31 10:47 UTC (permalink / raw)
  To: David Miller; +Cc: netdev

Hi Dave,

The first one is restored after getting removed in the
straight-forward revert we did.

Please check that the TCPCB_URG removal is indeed valid. I couldn't
find any use for it but there might be some non-obviously named
things I've missed.

I did a larger cleanup with indent for tcp_input and tcp_output
because I started to find so many unnecessarily line split &
missing spaces here and there. There's still a lot to do because
not every case has a trivial solution but at least something got
cleaner :-).

These should apply cleanly to the rebased net-2.6.25. I did some
trivial test with them before the rebase.

-- 
 i.



^ permalink raw reply

* [PATCH 3/9] [TCP]: Remove unnecessary local variables
From: Ilpo Järvinen @ 2007-12-31 10:47 UTC (permalink / raw)
  To: David Miller; +Cc: netdev
In-Reply-To: <11990980773391-git-send-email-ilpo.jarvinen@helsinki.fi>

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
---
 net/ipv4/tcp_output.c |   11 +++--------
 1 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 1ca638b..025dddf 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -995,9 +995,8 @@ unsigned int tcp_current_mss(struct sock *sk, int large_allowed)
 static void tcp_cwnd_validate(struct sock *sk)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
-	__u32 packets_out = tp->packets_out;
 
-	if (packets_out >= tp->snd_cwnd) {
+	if (tp->packets_out >= tp->snd_cwnd) {
 		/* Network is feed fully. */
 		tp->snd_cwnd_used = 0;
 		tp->snd_cwnd_stamp = tcp_time_stamp;
@@ -1042,17 +1041,13 @@ static unsigned int tcp_mss_split_point(struct sock *sk, struct sk_buff *skb,
  */
 static inline unsigned int tcp_cwnd_test(struct tcp_sock *tp, struct sk_buff *skb)
 {
-	u32 in_flight, cwnd;
-
 	/* Don't be strict about the congestion window for the final FIN.  */
 	if ((TCP_SKB_CB(skb)->flags & TCPCB_FLAG_FIN) &&
 	    tcp_skb_pcount(skb) == 1)
 		return 1;
 
-	in_flight = tcp_packets_in_flight(tp);
-	cwnd = tp->snd_cwnd;
-	if (in_flight < cwnd)
-		return (cwnd - in_flight);
+	if (tcp_packets_in_flight(tp) < tp->snd_cwnd)
+		return tp->snd_cwnd - tcp_packets_in_flight(tp);
 
 	return 0;
 }
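Review bot: in tcp_cwnd_test() the rewritten test calls tcp_packets_in_flight(tp) twice, once in the comparison and once in the subtraction, where the old code read it once into in_flight. Keeping a single local for the in-flight count, while still reading tp->snd_cwnd directly, would shorten the function just as well and make it obvious that the compared value and the subtracted value are the same.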
-- 
1.5.0.6


^ permalink raw reply related

* Re: [PATCH 1/3] [UDP]: add udp_mem, udp_rmem_min and udp_wmem_min
From: Herbert Xu @ 2007-12-31  9:11 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: David Miller, haoki, netdev, tyasui, mhiramat, satoshi.oshima.fk,
	billfink, andi, johnpol, shemminger, yoshfuji, yumiko.sugita.yf
In-Reply-To: <4778AE48.1040701@cosmosbay.com>

On Mon, Dec 31, 2007 at 09:54:32AM +0100, Eric Dumazet wrote:
>
> Maybe I read the patch incorrectly, or we could add some new sysctl so that
> we do not try to uncharge memory if a socket 'forward_alloc' is beyond a given
> limit (say 2 pages), so that number of atomic_inc/dec on 
> udp_memory_allocated (or tcp_memory_allocated) is reduced.

I don't have time to go through these patches right now but
that was the whole point of using forward_alloc, i.e., avoid
touching the global for every packet.

So if it's still doing that then we're doing something wrong.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply

* Re: [PATCH net-2.6.25 4/7][ATM]: [br2864] routed support
From: Christoph Hellwig @ 2007-12-31  9:09 UTC (permalink / raw)
  To: chas williams - CONTRACTOR; +Cc: netdev, davem
In-Reply-To: <200712300107.lBU17O8i003566@cmf.nrl.navy.mil>

> +#define BR2684_ETHERTYPE_LEN	2
> +#define BR2684_PAD_LEN		2
> +
> +#define LLC		0xaa, 0xaa, 0x03
> +#define SNAP_BRIDGED	0x00, 0x80, 0xc2
> +#define SNAP_ROUTED	0x00, 0x00, 0x00
> +#define PID_ETHERNET	0x00, 0x07
> +#define ETHERTYPE_IPV4	0x08, 0x00
> +#define ETHERTYPE_IPV6	0x86, 0xdd
> +#define PAD_BRIDGED	0x00, 0x00
> +
> +static unsigned char ethertype_ipv4[] =
> +	{ ETHERTYPE_IPV4 };
> +static unsigned char ethertype_ipv6[] =
> +	{ ETHERTYPE_IPV6 };
>  static unsigned char llc_oui_pid_pad[] =
> -    { 0xAA, 0xAA, 0x03, 0x00, 0x80, 0xC2, 0x00, 0x07, 0x00, 0x00 };
> -#define PADLEN	(2)
> +	{ LLC, SNAP_BRIDGED, PID_ETHERNET, PAD_BRIDGED };
> +static unsigned char llc_oui_ipv4[] =
> +	{ LLC, SNAP_ROUTED, ETHERTYPE_IPV4 };
> +static unsigned char llc_oui_ipv6[] =
> +	{ LLC, SNAP_ROUTED, ETHERTYPE_IPV6 };
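Review bot: the new byte-list macros (LLC, SNAP_BRIDGED, SNAP_ROUTED, PID_ETHERNET, ETHERTYPE_IPV4, ETHERTYPE_IPV6, PAD_BRIDGED) carry no BR2684_ prefix, unlike BR2684_ETHERTYPE_LEN and BR2684_PAD_LEN defined just above them, and a name as generic as LLC invites clashes with other headers. Prefixing them would avoid that. If ethertype_ipv4[], ethertype_ipv6[], llc_oui_ipv4[] and llc_oui_ipv6[] are only ever read, they could also be declared const.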

I think this should be in a global header.  And IIRC we already have
at least some of these somewhere as part of the general llc support.


^ permalink raw reply

* Re: [PATCH 1/3] [UDP]: add udp_mem, udp_rmem_min and udp_wmem_min
From: Eric Dumazet @ 2007-12-31  8:54 UTC (permalink / raw)
  To: David Miller
  Cc: haoki, herbert, netdev, tyasui, mhiramat, satoshi.oshima.fk,
	billfink, andi, johnpol, shemminger, yoshfuji, yumiko.sugita.yf
In-Reply-To: <20071231.001925.151533664.davem@davemloft.net>

David Miller wrote:
> From: Hideo AOKI <haoki@redhat.com>
> Date: Sun, 30 Dec 2007 04:01:46 -0500
> 
>> diff -pruN net-2.6.25-t12t19m-p4/net/ipv4/proc.c net-2.6.25-t12t19m-p5/net/ipv4/proc.c
>> --- net-2.6.25-t12t19m-p4/net/ipv4/proc.c	2007-12-27 10:19:02.000000000 -0500
>> +++ net-2.6.25-t12t19m-p5/net/ipv4/proc.c	2007-12-29 21:09:21.000000000 -0500
>> @@ -56,7 +56,8 @@ static int sockstat_seq_show(struct seq_
>>  		   sock_prot_inuse(&tcp_prot), atomic_read(&tcp_orphan_count),
>>  		   tcp_death_row.tw_count, atomic_read(&tcp_sockets_allocated),
>>  		   atomic_read(&tcp_memory_allocated));
>> -	seq_printf(seq, "UDP: inuse %d\n", sock_prot_inuse(&udp_prot));
>> +	seq_printf(seq, "UDP: inuse %d mem %d\n", sock_prot_inuse(&udp_prot),
>> +		   atomic_read(&udp_memory_allocated));
>>  	seq_printf(seq, "UDPLITE: inuse %d\n", sock_prot_inuse(&udplite_prot));
>>  	seq_printf(seq, "RAW: inuse %d\n", sock_prot_inuse(&raw_prot));
>>  	seq_printf(seq,  "FRAG: inuse %d memory %d\n",
> 
> More careless patch creation.  :-/
> 
> This breaks the build because udp_memory_allocated is not added until
> patch 2.
> 
> Once again I'll combine all three patches into one but I am extremely
> angry about how careless and broken these two patch submissions were.

I am a little bit concerned about performance of IVR servers
using SIP protocol.

On those servers, each active channel typically emits/receives 50 UDP/RTP 
frames per second. With G729 codec, each packet contains 10 bytes of payload, 
and about 40 bytes of IP/UDP/RTP encapsulation. (So these messages are very
small)

As I am currently enjoying holidays at home, I am not able to test on my
server farm the performance impact of this new UDP receive accounting.

If I understand well the patch, each time a packet is received (on a socket
with no previous message available in its receive queue), we are going to 
atomic_inc(&some_global_var). Then the user thread that will transfer this
message to user land will atomic_dec(&some_global_var). (Granted server is
in normal condition, ie each UDP socket holds at most one message in its
receive or transmit queue)

I have some machines with 400 active SIP channels, so that new hot cache line
will probably slow down our SMP servers, because of cache line ping pong.

I will probably setup a test next week and let you know the results.

Maybe I read the patch incorrectly, or we could add some new sysctl so that
we do not try to uncharge memory if a socket 'forward_alloc' is beyond a given
limit (say 2 pages), so that number of atomic_inc/dec on udp_memory_allocated 
(or tcp_memory_allocated) is reduced.

Thank you

^ permalink raw reply
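
The accounting pattern discussed in the message above, as an added example that is not part of the original thread or of the kernel patches: a single-threaded user-space model that counts how often a shared counter is touched when a socket returns its quota after every packet, versus when it may keep up to a limit (the "say 2 pages" idea). All `toy_*` names, the 4096-byte page and the 512-byte per-packet charge are assumptions made for the model; it counts global updates only and does not measure cache-line contention.

```c
#include <stdatomic.h>
#include <stdio.h>

#define TOY_PAGE_SIZE 4096L	/* assumed page size for this model */

/* Stand-in for a global such as udp_memory_allocated (in pages). */
static atomic_long toy_global_pages;
/* How many read-modify-write operations hit the global counter. */
static long toy_global_ops;

struct toy_sock {
	long forward_alloc;	/* bytes charged globally but not yet used */
	long keep_limit;	/* bytes of quota the socket may hold on to */
};

static void toy_global_add(long pages)
{
	atomic_fetch_add(&toy_global_pages, pages);
	toy_global_ops++;
}

/* Receive path: account 'size' bytes, refilling quota in whole pages. */
static void toy_mem_charge(struct toy_sock *sk, long size)
{
	if (sk->forward_alloc < size) {
		long missing = size - sk->forward_alloc;
		long pages = (missing + TOY_PAGE_SIZE - 1) / TOY_PAGE_SIZE;

		toy_global_add(pages);
		sk->forward_alloc += pages * TOY_PAGE_SIZE;
	}
	sk->forward_alloc -= size;
}

/* Consume path: give the bytes back to the socket's quota and return
 * whole pages to the global only when the quota exceeds keep_limit. */
static void toy_mem_uncharge(struct toy_sock *sk, long size)
{
	sk->forward_alloc += size;
	if (sk->forward_alloc > sk->keep_limit) {
		long pages = (sk->forward_alloc - sk->keep_limit) / TOY_PAGE_SIZE;

		if (pages > 0) {
			toy_global_add(-pages);
			sk->forward_alloc -= pages * TOY_PAGE_SIZE;
		}
	}
}

/* One socket that never holds more than one queued packet: each packet
 * is charged on receive and uncharged when user space reads it.
 * Returns the number of operations issued on the global counter. */
static long toy_simulate(long packets, long truesize, long keep_limit)
{
	struct toy_sock sk = { 0, keep_limit };
	long i;

	atomic_store(&toy_global_pages, 0);
	toy_global_ops = 0;
	for (i = 0; i < packets; i++) {
		toy_mem_charge(&sk, truesize);
		toy_mem_uncharge(&sk, truesize);
	}
	return toy_global_ops;
}

/* Pages still charged to the global after the last simulation. */
static long toy_pages_held(void)
{
	return atomic_load(&toy_global_pages);
}

int main(void)
{
	/* Constructed workload: 50 small packets, 512 bytes charged each. */
	long eager = toy_simulate(50, 512, 0);
	long eager_held = toy_pages_held();
	long lazy = toy_simulate(50, 512, 2 * TOY_PAGE_SIZE);
	long lazy_held = toy_pages_held();

	printf("keep_limit=0:       %ld global ops, %ld pages held\n",
	       eager, eager_held);
	printf("keep_limit=2 pages: %ld global ops, %ld pages held\n",
	       lazy, lazy_held);
	return 0;
}
```

The trade-off the model makes visible is that the socket with a non-zero limit keeps a page charged while idle, which is memory the global limit can no longer hand to other sockets.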

* Re: [PATCH 1/3] [UDP]: add udp_mem, udp_rmem_min and udp_wmem_min
From: David Miller @ 2007-12-31  8:19 UTC (permalink / raw)
  To: haoki
  Cc: herbert, netdev, tyasui, mhiramat, satoshi.oshima.fk, billfink,
	andi, johnpol, shemminger, yoshfuji, yumiko.sugita.yf
In-Reply-To: <47775E7A.60708@redhat.com>

From: Hideo AOKI <haoki@redhat.com>
Date: Sun, 30 Dec 2007 04:01:46 -0500

> diff -pruN net-2.6.25-t12t19m-p4/net/ipv4/proc.c net-2.6.25-t12t19m-p5/net/ipv4/proc.c
> --- net-2.6.25-t12t19m-p4/net/ipv4/proc.c	2007-12-27 10:19:02.000000000 -0500
> +++ net-2.6.25-t12t19m-p5/net/ipv4/proc.c	2007-12-29 21:09:21.000000000 -0500
> @@ -56,7 +56,8 @@ static int sockstat_seq_show(struct seq_
>  		   sock_prot_inuse(&tcp_prot), atomic_read(&tcp_orphan_count),
>  		   tcp_death_row.tw_count, atomic_read(&tcp_sockets_allocated),
>  		   atomic_read(&tcp_memory_allocated));
> -	seq_printf(seq, "UDP: inuse %d\n", sock_prot_inuse(&udp_prot));
> +	seq_printf(seq, "UDP: inuse %d mem %d\n", sock_prot_inuse(&udp_prot),
> +		   atomic_read(&udp_memory_allocated));
>  	seq_printf(seq, "UDPLITE: inuse %d\n", sock_prot_inuse(&udplite_prot));
>  	seq_printf(seq, "RAW: inuse %d\n", sock_prot_inuse(&raw_prot));
>  	seq_printf(seq,  "FRAG: inuse %d memory %d\n",
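Review bot: the changed seq_printf() adds a "mem %d" field to the UDP line that sockstat_seq_show() emits, so anything parsing that line sees a new format, and the changelog should say so. The unit of the printed udp_memory_allocated value is not visible here and should be documented. The FRAG line just below spells its field "memory" while this one uses "mem", which is worth a deliberate choice rather than an accident.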

More careless patch creation.  :-/

This breaks the build because udp_memory_allocated is not added until
patch 2.

Once again I'll combine all three patches into one but I am extremely
angry about how careless and broken these two patch submissions were.

^ permalink raw reply

* Re: [PATCH 2/4] [CORE]: adding memory accounting points
From: David Miller @ 2007-12-31  7:58 UTC (permalink / raw)
  To: haoki
  Cc: herbert, vladislav.yasevich, netdev, lksctp-developers, tyasui,
	mhiramat, satoshi.oshima.fk, billfink, andi, johnpol, shemminger,
	yoshfuji, yumiko.sugita.yf
In-Reply-To: <47775C20.5010004@redhat.com>

From: Hideo AOKI <haoki@redhat.com>
Date: Sun, 30 Dec 2007 03:51:44 -0500

> To consolidate memory accounting functions, this patch adds memory
> accounting calls to network core functions. Moreover, present
> memory accounting call is renamed to new accounting call.
> 
> Cc: Satoshi Oshima <satoshi.oshima.fk@hitachi.com>
> Cc: Masami Hiramatsu <mhiramat@redhat.com>
> signed-off-by: Takahiro Yasui <tyasui@redhat.com>
> signed-off-by: Hideo Aoki <haoki@redhat.com>

This patch would not apply, because it contained changes
present in the first patch, specifically:

> diff -pruN net-2.6.25-t12t19m-p1/include/net/sock.h net-2.6.25-t12t19m-p2/include/net/sock.h
> --- net-2.6.25-t12t19m-p1/include/net/sock.h	2007-12-29 20:16:31.000000000 -0500
> +++ net-2.6.25-t12t19m-p2/include/net/sock.h	2007-12-29 20:28:15.000000000 -0500
> @@ -1116,7 +1116,7 @@ static inline int skb_copy_to_page(struc
>  	skb->data_len	     += copy;
>  	skb->truesize	     += copy;
>  	sk->sk_wmem_queued   += copy;
> -	sk->sk_forward_alloc -= copy;
> +	sk_mem_charge(sk, copy);
>  	return 0;
>  }
> 
> @@ -1142,6 +1142,7 @@ static inline void skb_set_owner_r(struc
>  	skb->sk = sk;
>  	skb->destructor = sock_rfree;
>  	atomic_add(skb->truesize, &sk->sk_rmem_alloc);
> +	sk_mem_charge(sk, skb->truesize);
>  }
> 
>  extern void sk_reset_timer(struct sock *sk, struct timer_list* timer,
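Review bot: skb_set_owner_r() gains a sk_mem_charge(sk, skb->truesize) call, but nothing in this hunk shows the matching uncharge. Since the same function sets skb->destructor = sock_rfree, please confirm that sock_rfree releases the same truesize, and that callers of skb_set_owner_r() which already adjusted sk_forward_alloc themselves are not charged twice after this change.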

And now I see exactly what you did, and it is quite careless.

You wrote one big patch then tried to split it up by hand.  This
proves to me that you did not test the patches individually.  Even
worse, you did not even try to apply each patch nor compile the tree
each step along the way as a basic sanity check.

This wastes a lot of my time, as well as the time of other developers
who might want to try out and test your changes.

I will fix it up this time, but please do not ever do this again.

^ permalink raw reply

* Re: [PATCH 0/4] New interface for memory accounting (take 1)
From: David Miller @ 2007-12-31  7:34 UTC (permalink / raw)
  To: haoki
  Cc: herbert, vladislav.yasevich, netdev, lksctp-developers, tyasui,
	mhiramat, satoshi.oshima.fk, billfink, andi, johnpol, shemminger,
	yoshfuji, yumiko.sugita.yf
In-Reply-To: <47775B25.7020401@redhat.com>

From: Hideo AOKI <haoki@redhat.com>
Date: Sun, 30 Dec 2007 03:47:33 -0500

> Hello,
> 
> This patch set introduces new memory accounting interface.
> Current interface is written for stream protocols only.
> To enable memory accounting in other protocols (e.g. UDP),
> I enhanced the interface and updated TCP and SCTP memory
> accounting.
> 
> The patch set consists of the following 4 patches.
> 
> [1/4] introducing new memory accounting interface
> [2/4] adding memory accounting points to consolidate functions
> [3/4] updating TCP to use new interface
> [4/4] updating SCTP to use new interface
> 
> The patch set was tested on net-2.6.25 tree.

I like this work very much and will add this to net-2.6.25
But I will have to combine it all into one patch.

You cannot have one patch which breaks the build in any way.  All of
the kernel must build properly after each patch in your patchset is
applied.

Since patch 1 renames all of the sk_stream_*() functions, TCP and SCTP
stop building.

We enforce this rule, otherwise when users try to use "git bisect" to
find out where regressions are added, they will get stuck in places
like this where the tree will not build due to such careless
changesets.

Thank you.

^ permalink raw reply

* Re: [PATCH] remove useless code from fib6_del_route
From: David Miller @ 2007-12-31  7:27 UTC (permalink / raw)
  To: guijianfeng; +Cc: netdev
In-Reply-To: <4774A1DC.9060308@cn.fujitsu.com>

From: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
Date: Fri, 28 Dec 2007 15:12:28 +0800

> There are useless codes in fib6_del_route(). The following patch
> has been tested, every thing looks fine, as usual.
> 
> Signed-off-by: Gui Jianfeng<guijianfeng@cn.fujitsu.com>

Patch applied to net-2.6.25, thanks.

^ permalink raw reply

* Re: [PATCH net-2.6.25] [NEIGH] Remove unused method from include/net/neighbour.h
From: David Miller @ 2007-12-31  7:26 UTC (permalink / raw)
  To: ramirose; +Cc: netdev
In-Reply-To: <eb3ff54b0712280756m45c92c0bhc1298f6b428ac3ed@mail.gmail.com>

From: "Rami Rosen" <ramirose@gmail.com>
Date: Fri, 28 Dec 2007 17:56:46 +0200

> It seems to me that neigh_is_valid() inline method from
> include/net/neighbour.h can be removed since it is not used.
> 
> Though it can be considered as an API for future use, and
> indeed we have neigh_is_connected() method in this same header (which is BTW
> used only in one place, drivers/net/cxgb3/l2t.c), we can easily notice
> that we don't have
> any accessor method to check whether the neighbour is in NUD_IN_TIMER
> (not to mention that we don't have methods to check the single neighbour states,
> like NUD_REACHABLE or NUD_DELAY or the other ones). So for consistency
> I suggest to
> consider removing the neigh_is_valid() method.
>
> Signed-off-by: Rami Rosen <ramirose@gmail.com>

This is a helper function which was used by drivers implementing
support for the old fast routing code which we removed years ago.

So yes we should remove this.

Patch applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25] [IPv4] Remove unused define in include/net/arp.h (HAVE_ARP_CREATE)
From: David Miller @ 2007-12-31  7:23 UTC (permalink / raw)
  To: ramirose; +Cc: netdev
In-Reply-To: <eb3ff54b0712280720r723856afi55f591e214b7ed14@mail.gmail.com>

From: "Rami Rosen" <ramirose@gmail.com>
Date: Fri, 28 Dec 2007 17:20:34 +0200

> Signed-off-by: Rami Rosen <ramirose@gmail.com>

This was added long ago by some bonding driver infrastructure changes
so that code could check whether the arp_create() helper function
existed in the kernel.

But it is totally unused now and yes it should be removed.

Patch applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 7/7][ATM]: [he] fixing compilation when you define USE_RBPS_POOL/USE_RBPL_POOL
From: David Miller @ 2007-12-31  7:20 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300108.lBU18UUa003635@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:08:30 -0500

>     [ATM]: [he] fixing compilation when you define USE_RBPS_POOL/USE_RBPL_POOL
>     
>     Signed-off-by: Jorge Boncompte <jorge@dti2.net>
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 6/7][ATM]: [ambassador] kmalloc + memset conversion to kzalloc
From: David Miller @ 2007-12-31  7:19 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300108.lBU18CjE003595@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:08:12 -0500

>     [ATM]: [ambassador] kmalloc + memset conversion to kzalloc
>     
>     Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 5/7][ATM]: [br2864] whitespace cleanup
From: David Miller @ 2007-12-31  7:18 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300107.lBU17nCH003581@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:07:49 -0500

>     [ATM]: [br2864] whitespace cleanup
>     
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 4/7][ATM]: [br2864] routed support
From: David Miller @ 2007-12-31  7:18 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300107.lBU17O8i003566@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:07:24 -0500

>     [ATM]: [br2864] routed support
>     
>     From: Eric Kinzie <ekinzie@cmf.nrl.navy.mil>
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 3/7][ATM]: [he] This patch removes the ancient version string.
From: David Miller @ 2007-12-31  7:16 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300106.lBU16umE003551@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:06:56 -0500

>     [ATM]: [he] This patch removes the ancient version string.
>     
>     Signed-off-by: Adrian Bunk <bunk@stusta.de>
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 2/7][ATM]: Convert struct class_device to struct device
From: David Miller @ 2007-12-31  7:16 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300106.lBU16O1P003529@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:06:24 -0500

>     [ATM]: Convert struct class_device to struct device
>     
>     Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
>     Cc: Tony Jones <tonyj@suse.de>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* Re: [PATCH net-2.6.25 1/7][ATM]: atm is no longer experimental
From: David Miller @ 2007-12-31  7:15 UTC (permalink / raw)
  To: chas; +Cc: netdev
In-Reply-To: <200712300106.lBU16311003517@cmf.nrl.navy.mil>

From: "chas williams - CONTRACTOR" <chas@cmf.nrl.navy.mil>
Date: Sat, 29 Dec 2007 20:06:03 -0500

>     [ATM]: atm is no longer experimental
>     
>     From: Robert P. J. Day <rpjday@mindspring.com>
>     Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>

Applied.

^ permalink raw reply

* (no subject)
From: Ramesh R @ 2007-12-31  7:03 UTC (permalink / raw)
  To: netdev

subscribe linux-wireless

^ permalink raw reply

* [PATCH net-2.6.25] Add packet filtering based on process's security context.
From: Tetsuo Handa @ 2007-12-31  6:21 UTC (permalink / raw)
  To: netdev, netfilter-devel, linux-security-module; +Cc: sam

Hello.

This is a repost of a patch submitted at http://lkml.org/lkml/2007/11/19/545 .

Current status is that I'm waiting for Samir Bellabes's answer
whether we can handle the following example without this patch.

Tetsuo Handa wrote:
> Hello.
> 
> Samir Bellabes wrote:
> > >> what differences between you approach and netfilter in this case ? if
> > >> it's about packet filtering, you already have all you wishes in
> > >> netfilter project.
> > > Except a hook for making decision with the name of process who picks that packet up known.
> > 
> > I think that we really don't need it, because we can catch the
> > informations as I explained.
> 
> Well, I haven't understood yet why we don't need it.
> 
> How can you know the name of process who copies that datagram to its userspace memory?
> A socket may be shared by multiple different executable files,
> so the name of the executable file is not known until
> one of processes who share the socket issues accept()/recvmsg() syscall.
> 
> Are you saying that I should not use the name of the executable file?
> 
> Regards.
> 

Tetsuo Handa wrote:
> Hello.
> 
> I made an example.
> 
> Usage:
> 
>   Compile app1 and app2 and run /tmp/app1 .
> 
>   Run something like
>    curl http://localhost:10000/
>   to connect to /tmp/app1.
> 
> I want to know that */tmp/app2* accepts TCP connection
> so that the user can control
> whether this TCP connection from 127.0.0.1 port N
> should be accepted by */tmp/app2* or not.
> 
> How can we do this without socket_post_accept() change?
> 
> Regards.
> 
> ---------- app1.c start ----------
> /* gcc -Wall -O2 -o /tmp/app1 app1.c */
> #include <fcntl.h>
> #include <netinet/in.h>
> #include <stdio.h>
> #include <string.h>
> #include <sys/select.h>
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> int main(int argc, char *argv[]) {
> 	const int fd = socket(PF_INET, SOCK_STREAM, 0);
> 	struct sockaddr_in addr;
> 	char buf[16];
> 	memset(&addr, 0, sizeof(addr));
> 	addr.sin_family = AF_INET;
> 	addr.sin_addr.s_addr = htonl(INADDR_ANY);
> 	addr.sin_port = htons(10000);
> 	fprintf(stderr, "%s started.\n", argv[0]);
> 	if (bind(fd, (struct sockaddr *) &addr, sizeof(addr))) {
> 		fprintf(stderr, "Can't bind()\n");
> 		return 1;
> 	} else if (listen(fd, 5)) {
> 		fprintf(stderr, "Can't listen()\n");
> 		return 1;
> 	}
> 	while (1) {
> 		fd_set rfds;
> 		FD_ZERO(&rfds);
> 		FD_SET(fd, &rfds);
> 		select(fd + 1, &rfds, NULL, NULL, NULL);
> 		if (FD_ISSET(fd, &rfds)) break;
> 		fprintf(stderr, "Can't select()\n");
> 		return 1;
> 	}
> 	/* Clear close-on-exec so the listening socket survives execlp(). */
> 	if (fcntl(fd, F_SETFD, 0)) {
> 		fprintf(stderr, "Can't fcntl()\n");
> 		return 1;
> 	}
> 	snprintf(buf, sizeof(buf), "%d", fd);
> 	execlp("/tmp/app2", "app2", buf, NULL);
> 	fprintf(stderr, "Can't execve()\n");
> 	return 1;
> }
> ---------- app1.c end ----------
> 
> ---------- app2.c start ----------
> /* gcc -Wall -O2 -o /tmp/app2 app2.c */
> #include <netinet/in.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> int main(int argc, char *argv[]) {
> 	int lfd;
> 	if (argc != 2) {
> 		fprintf(stderr, "Bad parameter.\n");
> 		return 1;
> 	}
> 	fprintf(stderr, "%s started.\n", argv[0]);
> 	lfd = atoi(argv[1]);
> 	while (1) {
> 		struct sockaddr_in addr;
> 		socklen_t size = sizeof(addr);
> 		int fd = accept(lfd, (struct sockaddr *) &addr, &size);
> 		char c;
> 		if (fd == EOF) {
> 			fprintf(stderr, "Can't accept()\n");
> 			return 1;
> 		}
> 		while (read(fd, &c, 1) == 1 && write(fd, &c, 1) == 1);
> 		close(fd);
> 	}
> 	return 0;
> }
> ---------- app2.c end ----------
> 

Regards.
----------
Subject: Add packet filtering based on process's security context.

This patch allows LSM modules to filter incoming connections/datagrams
based on the process's security context who is attempting to pick up.

There are already hooks to filter incoming connections/datagrams
based on the socket's security context, but these hooks are not
applicable when one wants to do TCP Wrapper-like filtering
(e.g. App1 is permitted to accept TCP connections from 192.168.0.0/16).

Precautions: This approach has a side effect which unlikely occurs.

If a socket is shared by multiple processes with different policy,
the process who should be able to accept this connection
will not be able to accept this connection
because socket_post_accept() aborts this connection.
But if socket_post_accept() doesn't abort this connection,
the process who must not be able to accept this connection
will repeat accept() forever, which is a worse side effect.

Similarly, if a socket is shared by multiple processes with different policy,
the process who should be able to pick up this datagram
will not be able to pick up this datagram
because socket_post_recv_datagram() discards this datagram.
But if socket_post_recv_datagram() doesn't discard this datagram,
the process who must not be able to pick up this datagram
will repeat recvmsg() forever, which is a worse side effect.

So, don't give different permissions between processes who shares one socket.
Otherwise, some connections/datagrams cannot be delivered to intended process.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 include/linux/security.h |   34 +++++++++++++++++++++++++++++-----
 net/core/datagram.c      |   29 ++++++++++++++++++++++++++++-
 net/socket.c             |    7 +++++--
 security/dummy.c         |   13 ++++++++++---
 security/security.c      |   10 ++++++++--
 5 files changed, 80 insertions(+), 13 deletions(-)

--- net-2.6.25.orig/include/linux/security.h
+++ net-2.6.25/include/linux/security.h
@@ -781,8 +781,12 @@ struct request_sock;
  * @socket_post_accept:
  *	This hook allows a security module to copy security
  *	information into the newly created socket's inode.
+ *	This hook also allows a security module to filter connections
+ *	from unwanted peers based on the process accepting this connection.
+ *	The connection will be aborted if this hook returns nonzero.
  *	@sock contains the listening socket structure.
  *	@newsock contains the newly created server socket for connection.
+ *	Return 0 if permission is granted.
  * @socket_sendmsg:
  *	Check permission before transmitting a message to another socket.
  *	@sock contains the socket structure.
@@ -796,6 +800,15 @@ struct request_sock;
  *	@size contains the size of message structure.
  *	@flags contains the operational flags.
  *	Return 0 if permission is granted.  
+ * @socket_post_recv_datagram:
+ *	Check permission after receiving a datagram.
+ *	This hook allows a security module to filter packets
+ *	from unwanted peers based on the process receiving this datagram.
+ *	The packet will be discarded if this hook returns nonzero.
+ *	@sk contains the socket.
+ *	@skb contains the socket buffer.
+ *	@flags contains the operational flags.
+ *	Return 0 if permission is granted.
  * @socket_getsockname:
  *	Check permission before the local address (name) of the socket object
  *	@sock is retrieved.
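Review bot: the new @socket_post_recv_datagram text says the packet is discarded on a nonzero return but does not say how that interacts with @flags, which is documented only as "the operational flags". For a peeking receive (MSG_PEEK) the datagram would otherwise stay queued, so the comment should state whether a denial removes it from the queue in that case too. It should also state the context the hook is called in, so that module authors know whether they may sleep.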
@@ -1387,12 +1400,13 @@ struct security_operations {
 			       struct sockaddr * address, int addrlen);
 	int (*socket_listen) (struct socket * sock, int backlog);
 	int (*socket_accept) (struct socket * sock, struct socket * newsock);
-	void (*socket_post_accept) (struct socket * sock,
-				    struct socket * newsock);
+	int (*socket_post_accept) (struct socket *sock, struct socket *newsock);
 	int (*socket_sendmsg) (struct socket * sock,
 			       struct msghdr * msg, int size);
 	int (*socket_recvmsg) (struct socket * sock,
 			       struct msghdr * msg, int size, int flags);
+	int (*socket_post_recv_datagram) (struct sock *sk, struct sk_buff *skb,
+					  unsigned int flags);
 	int (*socket_getsockname) (struct socket * sock);
 	int (*socket_getpeername) (struct socket * sock);
 	int (*socket_getsockopt) (struct socket * sock, int level, int optname);
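Review bot: changing socket_post_accept in struct security_operations from void to int alters the contract for every module that sets this hook, yet the diffstat lists only dummy.c and security.c under security/. Any other implementation still declared void would no longer match the pointer type and would return an indeterminate value that sys_accept() now treats as an error, so each existing implementer needs converting to return 0 in the same patch.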
@@ -2297,10 +2311,12 @@ int security_socket_bind(struct socket *
 int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
 int security_socket_listen(struct socket *sock, int backlog);
 int security_socket_accept(struct socket *sock, struct socket *newsock);
-void security_socket_post_accept(struct socket *sock, struct socket *newsock);
+int security_socket_post_accept(struct socket *sock, struct socket *newsock);
 int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
 int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
 			    int size, int flags);
+int security_socket_post_recv_datagram(struct sock *sk, struct sk_buff *skb,
+				       unsigned int flags);
 int security_socket_getsockname(struct socket *sock);
 int security_socket_getpeername(struct socket *sock);
 int security_socket_getsockopt(struct socket *sock, int level, int optname);
@@ -2376,9 +2392,10 @@ static inline int security_socket_accept
 	return 0;
 }
 
-static inline void security_socket_post_accept(struct socket * sock, 
-					       struct socket * newsock)
+static inline int security_socket_post_accept(struct socket *sock,
+					      struct socket *newsock)
 {
+	return 0;
 }
 
 static inline int security_socket_sendmsg(struct socket * sock, 
@@ -2394,6 +2411,13 @@ static inline int security_socket_recvms
 	return 0;
 }
 
+static inline int security_socket_post_recv_datagram(struct sock *sk,
+						     struct sk_buff *skb,
+						     unsigned int flags)
+{
+	return 0;
+}
+
 static inline int security_socket_getsockname(struct socket * sock)
 {
 	return 0;
--- net-2.6.25.orig/net/socket.c
+++ net-2.6.25/net/socket.c
@@ -1454,13 +1454,16 @@ asmlinkage long sys_accept(int fd, struc
 			goto out_fd;
 	}
 
+	/* Filter connections from unwanted peers. */
+	err = security_socket_post_accept(sock, newsock);
+	if (err)
+		goto out_fd;
+
 	/* File flags are not inherited via accept() unlike another OSes. */
 
 	fd_install(newfd, newfile);
 	err = newfd;
 
-	security_socket_post_accept(sock, newsock);
-
 out_put:
 	fput_light(sock->file, fput_needed);
 out:
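Review bot: in sys_accept the new test is "if (err) goto out_fd;", and err is the same variable that carries newfd on the success path, so a hook that returns a positive value leaves a positive number in err on the failure path. The hook documentation only says "nonzero". Either require a negative errno in the @socket_post_accept comment or normalise the value here, so that a module bug cannot reach the caller looking like a file descriptor.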
--- net-2.6.25.orig/security/dummy.c
+++ net-2.6.25/security/dummy.c
@@ -748,10 +748,10 @@ static int dummy_socket_accept (struct s
 	return 0;
 }
 
-static void dummy_socket_post_accept (struct socket *sock, 
-				      struct socket *newsock)
+static int dummy_socket_post_accept(struct socket *sock,
+				    struct socket *newsock)
 {
-	return;
+	return 0;
 }
 
 static int dummy_socket_sendmsg (struct socket *sock, struct msghdr *msg,
@@ -766,6 +766,12 @@ static int dummy_socket_recvmsg (struct 
 	return 0;
 }
 
+static int dummy_socket_post_recv_datagram(struct sock *sk, struct sk_buff *skb,
+					   unsigned int flags)
+{
+	return 0;
+}
+
 static int dummy_socket_getsockname (struct socket *sock)
 {
 	return 0;
@@ -1099,6 +1105,7 @@ void security_fixup_ops (struct security
 	set_to_dummy_if_null(ops, socket_post_accept);
 	set_to_dummy_if_null(ops, socket_sendmsg);
 	set_to_dummy_if_null(ops, socket_recvmsg);
+	set_to_dummy_if_null(ops, socket_post_recv_datagram);
 	set_to_dummy_if_null(ops, socket_getsockname);
 	set_to_dummy_if_null(ops, socket_getpeername);
 	set_to_dummy_if_null(ops, socket_setsockopt);
--- net-2.6.25.orig/net/core/datagram.c
+++ net-2.6.25/net/core/datagram.c
@@ -55,6 +55,7 @@
 #include <net/checksum.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
+#include <linux/security.h>
 
 /*
  *	Is a socket 'connection oriented' ?
@@ -148,6 +149,7 @@ struct sk_buff *__skb_recv_datagram(stru
 {
 	struct sk_buff *skb;
 	long timeo;
+	unsigned long cpu_flags;
 	/*
 	 * Caller is allowed not to check sk->sk_err before skb_recv_datagram()
 	 */
@@ -165,7 +167,6 @@ struct sk_buff *__skb_recv_datagram(stru
 		 * Look at current nfs client by the way...
 		 * However, this function was corrent in any case. 8)
 		 */
-		unsigned long cpu_flags;
 
 		spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
 		skb = skb_peek(&sk->sk_receive_queue);
@@ -179,6 +180,14 @@ struct sk_buff *__skb_recv_datagram(stru
 		}
 		spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
 
+		/* Filter packets from unwanted peers. */
+		if (skb) {
+			error = security_socket_post_recv_datagram(sk, skb,
+								   flags);
+			if (error)
+				goto force_dequeue;
+		}
+
 		if (skb)
 			return skb;
 
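Review bot: the added "if (skb) { ... }" block sits directly in front of the existing "if (skb) return skb;", so the same pointer is tested twice. Fold the return into the new block (call the hook, goto force_dequeue on error, otherwise return skb) to make it obvious that no skb is returned without passing the hook. It is also worth a comment that the hook is called after spin_unlock_irqrestore(), i.e. on a buffer that is already unlinked or, for MSG_PEEK, still on the queue and visible to other readers.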
@@ -191,6 +200,24 @@ struct sk_buff *__skb_recv_datagram(stru
 
 	return NULL;
 
+force_dequeue:
+	/* Drop this packet because LSM says "Don't pass it to the caller". */
+	if (!(flags & MSG_PEEK))
+		goto no_peek;
+	/*
+	 * If this packet is MSG_PEEK'ed, dequeue it forcibly
+	 * so that this packet won't prevent the caller from picking up
+	 * next packet.
+	 */
+	spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+	if (skb == skb_peek(&sk->sk_receive_queue)) {
+		__skb_unlink(skb, &sk->sk_receive_queue);
+		atomic_dec(&skb->users);
+		/* Do I have something to do with skb->peeked ? */
+	}
+	spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
+no_peek:
+	kfree_skb(skb);
 no_packet:
 	*err = error;
 	return NULL;
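Review bot: the comment "Do I have something to do with skb->peeked ?" in the force_dequeue block is an open question left in the code. It should be answered, and the comment replaced by the reasoning, before this goes in, since this path unlinks a buffer that was only peeked. Separately, the path falls through to no_packet, which stores the hook's value in *err, so the receiver gets an error for a packet the documentation describes as discarded. Say which behaviour is intended, and if the drop is meant to be silent, continue with the next packet instead of returning.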
--- net-2.6.25.orig/security/security.c
+++ net-2.6.25/security/security.c
@@ -869,9 +869,9 @@ int security_socket_accept(struct socket
 	return security_ops->socket_accept(sock, newsock);
 }
 
-void security_socket_post_accept(struct socket *sock, struct socket *newsock)
+int security_socket_post_accept(struct socket *sock, struct socket *newsock)
 {
-	security_ops->socket_post_accept(sock, newsock);
+	return security_ops->socket_post_accept(sock, newsock);
 }
 
 int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
@@ -885,6 +885,12 @@ int security_socket_recvmsg(struct socke
 	return security_ops->socket_recvmsg(sock, msg, size, flags);
 }
 
+int security_socket_post_recv_datagram(struct sock *sk, struct sk_buff *skb,
+				       unsigned int flags)
+{
+	return security_ops->socket_post_recv_datagram(sk, skb, flags);
+}
+
 int security_socket_getsockname(struct socket *sock)
 {
 	return security_ops->socket_getsockname(sock);

^ permalink raw reply

* Re: [usb regression] Re: [PATCH 2.6.24-rc3] Fix /proc/net breakage
From: Greg KH @ 2007-12-31  5:25 UTC (permalink / raw)
  To: Alan Stern
  Cc: Andreas Mohr, Ingo Molnar, Alexey Dobriyan, Andrew Morton,
	David Woodhouse, Eric W. Biederman, Linus Torvalds,
	Rafael J. Wysocki, Pavel Machek, kernel list, netdev,
	Pavel Emelyanov, Denis V. Lunev
In-Reply-To: <Pine.LNX.4.44L0.0712301526090.1963-100000@netrider.rowland.org>

On Sun, Dec 30, 2007 at 03:34:45PM -0500, Alan Stern wrote:
> On Sun, 30 Dec 2007, Ingo Molnar wrote:
> 
> > * Andreas Mohr <andi@lisas.de> wrote:
> > 
> > > (yes, that's all there is, despite CONFIG_USB_DEBUG being set)
> > > 
> > > The LED of a usb stick isn't active either, for obvious reasons.
> > > 
> > > And keep in mind that this is a (relatively old) OHCI-only machine... 
> > > (which had the 2.6.19 lsmod showing ohci-hcd just fine and working 
> > > fine with WLAN USB)
> > > 
> > > Now pondering whether to try -rc6 proper or whether to revert specific 
> > > guilty-looking USB changes... And wondering how to properly elevate 
> > > this issue (prompt Greg about it, new thread, bug #, ...?)
> 
> It looks like Greg misused the debugfs API -- which is ironic, because
> he wrote debugfs in the first place!  :-)

Oh crap, sorry, I did mess that up :(

> Let me know if this patch fixes the problem.  If it does, I'll submit 
> it to Greg with all the proper accoutrements.

This isn't going to work if CONFIG_DEBUGFS is not enabled either :(

> Index: 2.6.24-rc6-mm1/drivers/usb/host/ohci-hcd.c
> ===================================================================
> --- 2.6.24-rc6-mm1.orig/drivers/usb/host/ohci-hcd.c
> +++ 2.6.24-rc6-mm1/drivers/usb/host/ohci-hcd.c
> @@ -1067,14 +1067,8 @@ static int __init ohci_hcd_mod_init(void
>  
>  #ifdef DEBUG
>  	ohci_debug_root = debugfs_create_dir("ohci", NULL);
> -	if (!ohci_debug_root || IS_ERR(ohci_debug_root)) {
> -		if (!ohci_debug_root)
> -			retval = -ENOENT;
> -		else
> -			retval = PTR_ERR(ohci_debug_root);
> -
> -		goto error_debug;
> -	}
> +	if (!ohci_debug_root)
> +		return -ENOENT;
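Review bot: the replacement "return -ENOENT;" leaves ohci_hcd_mod_init directly, where the removed lines set retval and jumped to error_debug. Keep the goto unless nothing set up before this point needs unwinding. Dropping the IS_ERR() test also means an error pointer from debugfs_create_dir() is stored in ohci_debug_root and later treated as a valid directory.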

It needs to check for ERR_PTR(-ENODEV) which is the return value if
debugfs is not enabled, and if so, just ignore things.

If NULL is returned, or anything else, it's a real error.

So, try something like:
	if (!ohci_debug_root) {
		retval = -ENOENT;
		goto error_debug;
	}
	if (IS_ERR(ohci_debug_root) && PTR_ERR(ohci_debug_root) != -ENODEV) {
		retval = PTR_ERR(ohci_debug_root);
		goto error_debug;
	}

and let me know if that works for you.

Although the combination of CONFIG_USB_DEBUG and not CONFIG_DEBUGFS is
strange, we could just enable CONFIG_DEBUGFS if USB_DEBUG is enabled and
then simplify this logic a bunch at the same time.

thanks,

greg k-h

^ permalink raw reply

* Re: [IPSEC]: Move all calls to xfrm_audit_state_icvfail to xfrm_input
From: David Miller @ 2007-12-31  5:11 UTC (permalink / raw)
  To: herbert; +Cc: netdev
In-Reply-To: <20071231042355.GA9215@gondor.apana.org.au>

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon, 31 Dec 2007 15:23:55 +1100

> [IPSEC]: Move all calls to xfrm_audit_state_icvfail to xfrm_input
>     
> Let's nip the code duplication in the bud :)
>     
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied.

^ permalink raw reply

* Re: [IPSEC]: Fix transport-mode async resume on intput without netfilter
From: David Miller @ 2007-12-31  5:11 UTC (permalink / raw)
  To: herbert; +Cc: netdev
In-Reply-To: <20071231003117.GA595@gondor.apana.org.au>

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon, 31 Dec 2007 11:31:18 +1100

> [IPSEC]: Fix transport-mode async resume on intput without netfilter
> 
> When netfilter is off the transport-mode async resumption doesn't work
> because we don't push back the IP header.  This patch fixes that by
> moving most of the code outside of ifdef NETFILTER since the only part
> that's not common is the short-circuit in the protocol handler.
> 
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied.

^ permalink raw reply

