Netdev List
 help / color / mirror / Atom feed
* The Sum of £1,000,000.00
From: Liliam Cristina Agudelo Morimitsu @ 2011-09-12 15:35 UTC (permalink / raw)




The Sum of £1,000,000.00 has been awarded to your E-mail ID. Send;
Names.
Country.
Tel.

^ permalink raw reply

* Re: [PATCH net-next-2.6] can/sja1000: driver for PEAK PCAN PCI/PCIe cards
From: Oliver Hartkopp @ 2011-09-12 15:49 UTC (permalink / raw)
  To: Wolfgang Grandegger
  Cc: Netdev, SocketCAN Core Mailing List, linux, Thomas Wiedemann
In-Reply-To: <4E6A2EB2.5070601@grandegger.com>

On 09/09/11 17:20, Wolfgang Grandegger wrote:


> 
>> I'll also test your driver on Monday.
> 
> Thanks,


Hi Wolfgang,

even if i only had my hardware-patched PEAK PCI ExpressCard hardware here
(which is to be removed in the supported PCI device list due to the missing
I2C initialization), i successfully tested your driver.

Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>

So let's wait for some feedback from Thomas, when he's back to the office ;-)

Tnx & best regards,
Oliver

^ permalink raw reply

* Mail Box Quota Exceeded
From: Deborah T. Cartwright @ 2011-09-12 16:04 UTC (permalink / raw)


Your web mail quota has exceeded the set quota which is 3GB. you are
currently running on 3.9 GB.
To re-activate and increase your web mail quota please click the link
below.
https://docs.google.com/spreadsheet/viewform?formkey=dDRwLWpBNjZrbVJpeUJnNVZZY1ZuN1E6MQ&theme=0AX42CRMsmRFbUy1jYWNjZmUzNi1iNzViLTRhZGUtYmIzNy1jYmE5MWFiMWQyZjU&ifq

Failure to do so may result in the cancellation of your web mail
account.
Thanks, and sorry for the inconvenience
Local-host.

^ permalink raw reply

* Re: [PATCH] per-cgroup tcp buffer limitation
From: Glauber Costa @ 2011-09-12 16:30 UTC (permalink / raw)
  To: Greg Thelen
  Cc: linux-kernel, linux-mm, containers, netdev, xemul,
	David S. Miller, Hiroyouki Kamezawa, Eric W. Biederman,
	Suleiman Souhlal
In-Reply-To: <CAHH2K0YbmE_tt-LQSB=4L0oYc+CwNAjMQr0YViPn9=M-epST7A@mail.gmail.com>


>>> With some more knobs such a uswapd could
>>> attempt to keep ahead of demand.  But eventually direct reclaim would
>>> be needed to satisfy rapid growth spikes.  Example: If the 100M container
>>> starts with limits of 20M kmem and 80M user memory but later its kernel
>>> memory needs grow to 70M.  With separate user and kernel memory
>>> limits the kernel memory allocation could fail despite there being
>>> reclaimable user pages available.
>>
>> No no, this is a ratio, not a *limit*. A limit is something you
>> should not be allowed to go over. A good limit of kernel memory for
>> a 100 Mb container could be something like... 100 mb. But there is
>> more to that.
>>
>> Risking being a bit polemic here, I think that when we do
>> containers, we have to view the kernel a little bit like a shared resource
>> that is not accounted to anybody. It is easy to account things like tcp
>> buffer, but who do you account page tables for shared pages to? Or pinned
>> dentries for shared filesystems ?
>
> This is a tough challenge.  If you don't account page tables, then
> fork bombs can grab lots of kernel memory.  Containing such pigs is
> good.  We are working on some patches that charge page tables to the
> memcg they are allocated from.  This charge is checked against the
> memcg's limit and thus the page table allocation may fail due if over
> limit.
>
> I suggest charging dentries to the cgroup that allocated the dentry.
> If containers are used for isolation, then it seems that containers
> should typically not share files.  That would break isolation.  Of
> course there are shared files (/bin/bash, etc), but at least those are
> read-only.

You mean first allocated ? I actually considered that a while ago.
Specially with page tables, to whom do you account shared ptes ?
If we're doing first allocated, one way to fork bomb then, although 
clearly harder, is to have a cgroup mapping ptes that were already 
mapped before by other cgroups. A part of them is trivial to guess,
some others can be guessed more cleverly by the type of workload
you expect other containers in the box to be running.

This way you map a lot, and nothing is charged to you.
With dentries, first allocated might be possible if you assume files
are not shared, indeed... there are some shared use cases for exported 
directories... humm, but  maybe there are ways to contain those cases
as well.

>
>> Being the shared table under everybody, the kernel is more or less
>> like buffers inside a physical hdd, or cache lines. You know it is
>> there, you know it has a size, but provided you have some sane
>> protections, you don't really care - because in most cases you can't
>> - who is using it.
>
> I agree that it makes sense to not bother charging fixed sized
> resources (struct page, etc.) to containers; they are part of the
> platform.  But the set of resources that a process can allocate are
> ideally charged to a cgroup to limit container memory usage (i.e.
> prevent DoS attacks, isolate performance).
>
Agreed.

>>> The job should have a way to
>>> transition to memory limits to 70M+ kernel and 30M- of user.
>>
>> Yes, and I don't see how what I propose prevents that.
>
> I don't think your current proposal prevents that.  I was thinking
> about the future of the proposed kmem cgroup.  I want to make sure the
> kernel has a way to apply reclaim pressure bidirectionally between
> cgroup kernel memory and cgroup user memory.

I see.

>>> If kmem expands to include reclaimable kernel memory (e.g. dentry) then I
>>> presume the kernel would have no way to exchange unused user pages for
>>> dentry
>>> pages even if the user memory in the container is well below its limit.
>>>   This is
>>> motivation for the above user assisted direct reclaim.
>>
>> Dentry is not always reclaimable. If it is pinned, it is non
>> reclaimable. Speaking of it, Would you take a look at
>> https://lkml.org/lkml/2011/8/14/110 ?
>>
>> I am targetting dentry as well. But since it is hard to assign a
>> dentry to a process all the time, going through a different path. I
>> however, haven't entirely given up of doing it cgroups based, so any
>> ideas are welcome =)
>
> My hope is that dentry consumption can be effectively limited by
> limiting the memory needed to allocate the dentries.  IOW: with a
> memcg aware slab allocator which, when possible, charges the calling
> process' cgroup.

If you have patches for that, even early patches, I'd like to take a 
look at them.

>> Well, I am giving this an extra thought... Having separate knobs
>> adds flexibility, but - as usual - also complexity. For the goals I
>> have in mind, "kernel memory" would work just as fine.
>>
>> If you look carefully at the other patches in the series besides
>> this one, you'll see that it is just a matter of billing from kernel
>> memory instead of tcp-memory, and then all the rest is the same.
>>
>> Do you think that a single kernel-memory knob would be better for
>> your needs? I am willing to give it a try.
>
> Regarding the tcp buffers we're discussing, how does an application
> consume lots of buffer memory?  IOW, what would a malicious app do to
> cause a grows of tcp buffer usage?  Or is this the kind of resource
> that is difficult to directly exploit?
>
> Also, how does the pressure get applied.  I see you have a
> per-protocol, per-cgroup pressure pressure setting.  Once set, how
> does this pressure cause memory to be freed?  It looks like the
> pressure is set when allocating memory and later when packets are
> freed the associated memory _might_ be freed if pressure was
> previously detected.  Did I get this right?

See below:

> For me the primary concern is that both user and kernel memory are
> eventually charged to the same counter with an associated limit.
> Per-container memory pressure is based on this composite limit.  So I
> don't have a strong opinion as to how many kernel memory counters
> there are so long as they also feed into container memory usage
> counter.

Okay.

>
>>> I think
>>> memcg aware slab accounting does a good job of limiting a job's
>>> memory allocations.
>>> Would such slab accounting meet your needs?
>>
>> Well, the slab alone, no. There are other objects - like tcp buffers
>> - that aren't covered by the slab. Others are usually shared among
>> many cgroups, and others don't really belong to anybody in
>> particular.igh
>
> Sorry, I am dumb wrt. networking.  I thought that these tcp buffers
> were allocated using slab with __alloc_skb().  Are they done in
> container process context or arbitrary context?

You are right. They come from the slab with alloc_skb. But consider the 
following code, from tcp.c:

         skb = alloc_skb_fclone(size + sk->sk_prot->max_header, gfp);
         if (skb) {
                 if (sk_wmem_schedule(sk, skb->truesize)) {
                         /*
                          * Make sure that we have exactly size bytes
                          * available to the caller, no more, no less.
                          */
                         skb_reserve(skb, skb_tailroom(skb) - size);
                         return skb;
                 }
                 __kfree_skb(skb);
         } else {
		...
	}

Limiting the slab may be enough to prevent kernel memory abuse (sorry, I 
should have made this clear from the start). However, if the allocation 
succeed, a container can then kfree it, because someone else
is starving the network.

Of course, my patchset also limits kernel memory usage. But I agree that 
if we do slab accounting, only the network specific part remains.

>> How do you think then, about turning this into 2 files inside memcg:
>>
>>   - kernel_memory_hard_limit.
>>   - kernel_memory_soft_limit.
>>
>> tcp memory would be the one defined in /proc, except if it is
>> greater than any of the limits. Instead of testing for memory
>> allocation against kmem.tcp_allocated_memory, we'd test it against
>> memcg.kmem_pinned_memory.
>
> memcg control files currently include:
>    memory.limit_in_bytes
>    memory.soft_limit_in_bytes
>    memory.usage_in_bytes
>
> If you want a kernel memory limit, then we can introduce two new memcg APIs:
>    memory.kernel_limit_in_bytes
>    memory.kernel_soft_limit_in_bytes
>    memory.kernel_usage_in_bytes
>
> Any memory charged to memory.kernel_limit_in_bytes would also be
> charged to memory.limit_in_bytes.  IOW, memory.limit_in_bytes would
> include both user pages (as it does today) and some kernel pages.
>
> With these new files there are two cgroup memory limits: total and
> kernel.  The total limit is a combination of user and some kinds of
> kernel memory.

Nice.

> Kernel page reclaim would occur if memory.kernel_usage_in_bytes
> exceeds memory.kernel_limit_in_bytes.  There would be no need to
> reclaim user pages in this situation.  If kernel usage exceeds
> kernel_soft_limit_in_bytes, then the protocol pressure flags would be
> set.

SGTM. ATLAIJI as well.

> Memcg-wide page reclaim would occur if memory.usage_in_bytes exceeds
> memory.limit_in_bytes.  This reclaim would consider either container
> kernel memory or user pages associated with the container.
>
> This would be a behavioral memcg change which would need to be
> carefully considered.  Today the limit_in_bytes is just a user byte
> count that does not include kernel memory.

This makes me wonder that maybe I should just add a tcp-specific file to 
memcg (so all memory-related information goes in the same place), but
not account this memory as kernel memory. When you have slab-aware 
memcg, let it handle the accounting.

Alternatively, I could start doing basic accounting to pave the way, and 
later on this accounting is removing in favor or the slab-based
one.

What do you think ?

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply

* Re: [PATCH] ipv6: Create module parameter for use_tempaddr
From: Paul Stewart @ 2011-09-12 16:37 UTC (permalink / raw)
  To: netdev; +Cc: davem, brian.haley
In-Reply-To: <CAMcMvsgZ8t=dh5G=QuFKODCyrBX56nveztq=0QBwaUfO46KL9Q@mail.gmail.com>

Hello, folks.  I've been trying to upstream (or open a discussion on)
adding a module parameter to enable IPv6 address privacy as a module
parameter.  The author listed for if_inet6.c is not a bouncing email
address.  Does anyone else have a suggestion for where to get this
change vetted?  I'm now CC'ing the author and reviewer of the last
module parameter change for ipv6.

--
Paul

On Tue, Sep 6, 2011 at 4:56 PM, Paul Stewart <pstew@chromium.org> wrote:
> On Wed, Aug 31, 2011 at 11:03 PM, Paul Stewart <pstew@chromium.org> wrote:
>> When ipv6 is used as a module, there is no good place to set
>> the default value for use_tempaddr.  Using sysctl.conf will
>> set this parameter too early -- before the module is loaded.
>> To solve this, create a module parameter that will set the
>> default value of use_tempaddr for all devices.
>>
>> Signed-off-by: Paul Stewart <pstew@chromium.org>
>> ---
>>  include/linux/ipv6.h |    1 +
>>  net/ipv6/addrconf.c  |    3 +++
>>  net/ipv6/af_inet6.c  |    8 ++++++++
>>  3 files changed, 12 insertions(+), 0 deletions(-)
>>
>> diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
>> index 0c99776..0d45a7c 100644
>> --- a/include/linux/ipv6.h
>> +++ b/include/linux/ipv6.h
>> @@ -178,6 +178,7 @@ struct ipv6_devconf {
>>  struct ipv6_params {
>>        __s32 disable_ipv6;
>>        __s32 autoconf;
>> +       __s32 use_tempaddr;
>>  };
>>  extern struct ipv6_params ipv6_defaults;
>>  #endif
>> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
>> index f012ebd..27314a2 100644
>> --- a/net/ipv6/addrconf.c
>> +++ b/net/ipv6/addrconf.c
>> @@ -4609,6 +4609,9 @@ static int __net_init addrconf_init_net(struct net *net)
>>                /* these will be inherited by all namespaces */
>>                dflt->autoconf = ipv6_defaults.autoconf;
>>                dflt->disable_ipv6 = ipv6_defaults.disable_ipv6;
>> +#ifdef CONFIG_IPV6_PRIVACY
>> +               dflt->use_tempaddr = ipv6_defaults.use_tempaddr;
>> +#endif
>>        }
>>
>>        net->ipv6.devconf_all = all;
>> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
>> index 3b5669a..5022950 100644
>> --- a/net/ipv6/af_inet6.c
>> +++ b/net/ipv6/af_inet6.c
>> @@ -76,6 +76,9 @@ static DEFINE_SPINLOCK(inetsw6_lock);
>>  struct ipv6_params ipv6_defaults = {
>>        .disable_ipv6 = 0,
>>        .autoconf = 1,
>> +#ifdef CONFIG_IPV6_PRIVACY
>> +       .use_tempaddr = 0,
>> +#endif
>>  };
>>
>>  static int disable_ipv6_mod = 0;
>> @@ -89,6 +92,11 @@ MODULE_PARM_DESC(disable_ipv6, "Disable IPv6 on all interfaces");
>>  module_param_named(autoconf, ipv6_defaults.autoconf, int, 0444);
>>  MODULE_PARM_DESC(autoconf, "Enable IPv6 address autoconfiguration on all interfaces");
>>
>> +#ifdef CONFIG_IPV6_PRIVACY
>> +module_param_named(use_tempaddr, ipv6_defaults.use_tempaddr, int, 0444);
>> +MODULE_PARM_DESC(use_tempaddr, "Enable IPv6 address privacy for autoconfiguration by default");
>> +#endif
>> +
>>  static __inline__ struct ipv6_pinfo *inet6_sk_generic(struct sock *sk)
>>  {
>>        const int offset = sk->sk_prot->obj_size - sizeof(struct ipv6_pinfo);
>> --
>> 1.7.3.1
>>
>>
>

^ permalink raw reply

* Re: [PATCH] per-cgroup tcp buffer limitation
From: Glauber Costa @ 2011-09-12 16:57 UTC (permalink / raw)
  To: Paul Menage
  Cc: Greg Thelen, linux-kernel, linux-mm, containers, netdev, xemul,
	David S. Miller, Hiroyouki Kamezawa, Eric W. Biederman,
	Suleiman Souhlal, Lennart Poettering
In-Reply-To: <CALdu-PCrYPZx38o44ZyFrbQ6H39-vNPKey_Tpm4HRUNHNFMpyA@mail.gmail.com>

On 09/12/2011 02:03 AM, Paul Menage wrote:
> On Thu, Sep 8, 2011 at 9:17 PM, Glauber Costa<glommer@parallels.com>  wrote:
>> On 09/08/2011 06:53 PM, Greg Thelen wrote:
>>>
>>> On Wed, Sep 7, 2011 at 9:44 PM, Glauber Costa<glommer@parallels.com>
>>>   wrote:
>>>
>>> Thanks for your ideas and patience.
>>
>> Likewise. It is turning out to be a very fruitful
>> discussion.
>>
>
> This also got a fair bit of attention at LPC on Thursday - shame you
> couldn't make it, but I hope you had no problems getting your visa!

Apart from the trip to the nearest consulate and 4 hours in a line, no 
problems =) I can now legally enter the United States - so wait for me 
next time!

>
> I definitely think that there was no consensus reached on unified
> versus split charging - but I think that we can work around that and
> keep everyone happy, see below.

I think at this point there is at least consensus that this could very 
well live in memcg, right ?
>
>>
>> Risking being a bit polemic here, I think that when we do
>> containers, we have to view the kernel a little bit like a shared resource
>> that is not accounted to anybody. It is easy to account things like tcp
>> buffer, but who do you account page tables for shared pages to? Or pinned
>> dentries for shared filesystems ?
>
> I'd say that if filesystems (or page tables) are shared between
> containers / cgroups, then it's fair to do first-touch accounting. But
> if a filesystem is shared between multiple processes in just one
> container / cgroup then it should definitely be charged to that cgroup
> (which you get automatically with first-touch accounting).
>
> It might be reasonable to also allow the sysadmin to request a more
> expensive form of accounting (probably either charge-all or
> equal-share), if the code to support that didn't interfere with the
> performance of the normal first-touch charging mechanism, or
> complicate the code too much.

I personally think equal share is a nightmare. But charge-all for shared 
resources is quite acceptable even as a default if people are not 
heavily concerned about precise accounting, in the sense that all 
containers should sum up to one (well, I am not)

> On the subject of filesystems specifically, see Greg Thelen's proposal
> for using bind mounts to account on a bind mount to a given cgroup -
> that could apply to dentries, page tables and other kernel memory as
> well as page cache.

Care to point me to it ?

>> Good that it scares you, it should. OTOH, userspace being
>> able to set parameters to it, has nothing scary at all. A daemon in
>> userspace can detect that you need more kernel space memory , and
>> then - according to a policy you abide to - write to a file allowing
>> it more, or maybe not - according to that same policy. It is very
>> far away from "userspace driven reclaim".
>
> It can do that, but it's a bit messy when all userspace really wants
> to do is say "limit the total to X GB".
>
>
>> No, I don't necessarily feel that need. I just thought it was
>> cleaner to have entities with different purposes in different
>> cgroups. If moving it to the memory controller would help you in any
>> way, I can just do it. 80 % of this work is independent of where a
>> cgroup file lives.
>
> My feeling is also that it's more appropriate for this to live in
> memcg. While the ability to mount subsystems separately gives nice
> flexibility, in the case of userspace versus kernel memory, I'm having
> trouble envisaging a realistic situation where you'd want them mounted
> on different hierarchies.

Right.
>>   - kernel_memory_hard_limit.
>>   - kernel_memory_soft_limit.
>>
>> tcp memory would be the one defined in /proc, except if it is
>> greater than any of the limits. Instead of testing for memory
>> allocation against kmem.tcp_allocated_memory, we'd test it against
>> memcg.kmem_pinned_memory.
>>
>
> This is definitely an improvement, but I'd say it's not enough. I
> think we should consider something like:
One step at a time =)

>
> - a root cgroup file (memory.unified?) that controls whether memory
> limits are unified or split.
> - this file can only be modified when there are no memory cgroups
> created (other than the root, which we shouldn't be charging, I think)

Okay.

> - the 'active' control determines whether (all) child cgroups will
> have  memory.{limit,usage}_in_bytes files, or
> memory.{kernel,user}_{limit,usage}_in_bytes files
> - kernel memory will be charged either against 'kernel' or 'total'
> depending on the value of unified

You mean for display/pressure purposes, right? Internally, I think once 
we have kernel memory, we always charge it to kernel memory, regardless 
of anything else. The value in unified field will only take place when 
we need to grab this value.

I don't personally see a reason for not having all files present at all 
times.

> - userspace memory will be charged either against 'user' or 'total'
>
> That way the kernel doesn't force a unified or split decision on
> anyone, with I think zero performance hit and not much extra code.

Yes, I think not forcing it is not only an interesting way of settling 
this, but also an interesting feature.

> You could even take this a step further. The following is probably
> straying into the realm of overly-flexible, but I'll throw it into the
> discussion anyway:
>
> - define counters for various types of memory (e.g. total, user,
> kernel, network, tcp, pagetables, dentries, etc)

Hummm, I like it, but I also fear that in the future we'll hit some 
resource whose origin is hard to track... /me trying to think of such
potential monster...

It is overly flexible if we're exposing these counters and expecting the 
user to do anything with them. It is perfectly fine if a single file, 
when read, displays this information as statistics.


> - document what kind of memory is potentially charged against each
> counter. (e.g. TCP buffers would be potentially charged against 'tcp',
> 'network', 'kernel' and 'total')

That, I think, is overly flexible. I think what I said above makes sense 
for very well defined entities such the slab. If we have something that 
can be accounted to more to one general (kernel/user) and one specific 
(slab) entity, we're getting too complex.

> - have a memory.counters root cgroup file that allows the user to
> specify which of the available counters are active. (only writeable
> when no child cgroups, to avoid inconsistencies caused by changes
> while memory is charged)
>
> - default memory.counters to 'total'
>
> - when memory.counters is updated, the memcg code builds the set of
> targets for each chargeable entity. (e.g. if you enabled 'network' and
> 'total', then we'd update the charge_tcp array to contain something
> like {&network_counter,&total_counter, NULL })
>
> - charging for an object (TCP allocation, pagecache page, pagetable,
> dentry, etc) just involves (trying to) charge all the counters set up
> in that object's array. Since these arrays will be immutable once
> child cgroups are being charged, they should be fairly well predicted.
>
> This would give complete flexibility to userspace on the policy for
> charging and reporting without incurring performance overhead for
> systems that didn't care about some particular counter. (And without
> complicating the code too much, I think).

While I do think it is overly complicated, I think that a sound use case 
for this would bring it to the "complicated" realm only. It sounds like 
a nice feature if there are users for it.

Not only for containers - that tend to be generic in most cases - but 
maybe people enclosing services in isolated cgroups can come up with 
profiles that will, for instance, disallow or allow very little disk 
activity on a network-profiled cgroup and vice versa.

I am adding Lennart to this discussion, since if there is anyone crazy 
enough to come up with an interesting use case for something strange, 
it'll be systemd.

^ permalink raw reply

* Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
From: Roopa Prabhu @ 2011-09-12 17:02 UTC (permalink / raw)
  To: Michael S. Tsirkin
  Cc: Sridhar Samudrala, netdev, dragos.tatulea, arnd, dwang2, benve,
	kaber, davem, eric.dumazet, mchan, kvm
In-Reply-To: <20110911190325.GC4740@redhat.com>




On 9/11/11 12:03 PM, "Michael S. Tsirkin" <mst@redhat.com> wrote:

> On Sun, Sep 11, 2011 at 06:18:01AM -0700, Roopa Prabhu wrote:
>> 
>> 
>> 
>> On 9/11/11 2:44 AM, "Michael S. Tsirkin" <mst@redhat.com> wrote:
>> 
>>> 
>>> Yes, but what I mean is, if the size of the single filter table
>>> is limited, we need to decide how many addresses is
>>> each guest allowed. If we let one guest ask for
>>> as many as it wants, it can lock others out.
>> 
>> Yes true. In these cases ie when the number of unicast addresses being
>> registered is more than it can handle, The VF driver will put the VF  in
>> promiscuous mode (Or at least its supposed to do. I think all drivers do
>> that).
>> 
>> 
>> Thanks,
>> Roopa
> 
> Right, so that works at least but likely performs worse
> than a hardware filter. So we better allocate it in
> some fair way, as a minimum. Maybe a way for
> the admin to control that allocation is useful.

Yes I think we will have to do something like that. There is a maximum that
hw can support. Might need to consider that too. But there is no interface
to get that today. I think the virtualization case gets a little trickier.
Virtio-net allows upto 64 unicast addresses. But the lowerdev may allow only
upto say 10 unicast addresses (I think intel supports 10 unicast addresses
on the VF). Am not sure if there is a good way to notify the guest of
blocked addresses. Maybe putting the lower dev in promiscuous mode could be
a policy decision too in this case.

One other thing, I had indicated that I will look up details on opening my
patch for non-passthru to enable hw filtering (without adding filtering
support in macvlan right away. Ie phase1). Turns out in current code in
macvlan_handle_frame, for non-passthru case, it does not fwd unicast pkts
destined to macs other than the ones in macvlan hash. So a filter or hash
lookup there for additional unicast addresses needs to be definitely added
for non-passthru.

Thanks,
Roopa


 


^ permalink raw reply

* Incorrect routing to lo in spite of correct record in routing table
From: Марк Коренберг @ 2011-09-12 17:14 UTC (permalink / raw)
  To: netdev

Suppose this (note netowrk masks):

[mmarkk@mmarkk-devel ~]# uname -a
Linux mmarkk-devel 2.6.32-71.el6.x86_64 #1 SMP Wed Sep 1 01:33:01 EDT
2010 x86_64 x86_64 x86_64 GNU/Linux

[mmarkk@mmarkk-devel ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/32 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
    inet 10.80.20.21/16 brd 10.80.255.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
    inet 127.0.0.2/32 scope host dummy0

[mmarkk@mmarkk-devel ~]# ip route show
10.80.0.0/16 dev eth0  proto kernel  scope link  src 10.80.20.21
unreachable 127.0.0.0/8 <---------------------- has been added by hand
default via 10.80.90.40 dev eth0

[mmarkk@mmarkk-devel ~]# ip route show table local
broadcast 10.80.0.0 dev eth0  proto kernel  scope link  src 10.80.20.21
local 10.80.20.21 dev eth0  proto kernel  scope host  src 10.80.20.21
local 127.0.0.2 dev dummy0  proto kernel  scope host  src 127.0.0.2
broadcast 10.80.255.255 dev eth0  proto kernel  scope link  src 10.80.20.21
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1

[mmarkk@mmarkk-devel ~]# ip route flush cache

[mmarkk@mmarkk-devel ~]# ip route get 127.0.0.3
RTNETLINK answers: Network is unreachable <------------ good, that is OK

[mmarkk@mmarkk-devel ~]# ip route get 127.0.0.1
local 127.0.0.1 dev lo  src 127.0.0.1  <--------- Good, that's OK too
    cache <local>  mtu 16436 advmss 16396 hoplimit 64

[mmarkk@mmarkk-devel ~]# ip route get 127.0.0.2
local 127.0.0.2 dev lo  src 127.0.0.2 <------------ HAY! this is not I
want. Why device is "lo" (instead of dummy0) ?!
    cache <local>  mtu 16436 advmss 16396 hoplimit 64

=========================
The problem is that I want to do DNAT to localhost. I know, why DNAT
to 127.0.0.1 (to interface "lo") does not work. I decide to do that
using interface dummy0. It works as expected if I choose any address
not in 127.0.0.0/8.

RFC 3330 said:
-------------
A datagram sent by a higher level protocol to an  address anywhere
within this block should loop back inside the host. This is ordinarily
implemented using only 127.0.0.1/32 for loopback, but no addresses
within this block should ever appear on any network anywhere
-------------
So, my question: Why the kernel routes 127.0.0.2 to lo (instead of dummy0) ?

Well, If kernel is so smart to route any 127.0.0.0/8 to "lo", why it
routes 127.0.0.3 to default gateway if I remove "unreachable
127.0.0.0/8" ?!

I think there is some bug in kernel. What are you thinking about?

-- 
Segmentation fault

^ permalink raw reply

* Re: Memory leak in ip_dst_cache
From: Kumar S @ 2011-09-12 17:16 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Neil Horman, netdev
In-Reply-To: <1315808931.3174.17.camel@edumazet-laptop>

----- Original Message -----
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Kumar S <ps2kumar@yahoo.com>
Cc: Neil Horman <nhorman@tuxdriver.com>; netdev <netdev@vger.kernel.org>
Sent: Sunday, September 11, 2011 11:28 PM
Subject: Re: Memory leak in ip_dst_cache

Le dimanche 11 septembre 2011 à 23:07 -0700, Kumar S a écrit :
>> ----- Original Message -----
>> From: Eric Dumazet <eric.dumazet@gmail.com>
> >To: Kumar S <ps2kumar@yahoo.com>
> >Cc: Neil Horman <nhorman@tuxdriver.com>; netdev <netdev@vger.kernel.org>
> >Sent: Sunday, September 11, 2011 10:40 PM
> Subject: Re: Memory leak in ip_dst_cache
> >
>> Le dimanche 11 septembre 2011 à 20:38 -0700, Kumar S a écrit :
>> 
>> Please dont top post.
>> 
> >>> Thanks Neil. I did try with prink(). I do see entries getting aged
> >>> out, but they are not getting deallocated. This seems to be happening
> >>>because of "ref_cnt". When the route entries are added the ref_cnt is
> >>> set to 1. Looks this is causing trouble clearing the entries
> >>> completely. If I set the ref_cnt to 0, I can see it working. Now I'm
> >>> trying to understand whether this is right. Please let me know if you
> >>> have any thoughts on it.
>> 
> >>I believe I already explained what was happening.
>> 
> >>A tcp socket has a pointer to a dst, so it holds a reference on it, to
> >>make sure no freeing of dst can happen while at least some socket still
> >>can reference dst. (It could reference freed memory and crash)
>> 
> >>As soon as the tcp socket will try to transmit some data, the dst will
> >>be checked and we notice its obsolete : We then release the refcount and
> >>dst pointer.
> >
> >>Later, the garbage collector can notice dst refcount is zero and can
> >>free dst.
> >
> >>If you have dormant tcp sockets (no trafic at all), they hold their dst.
> >>A dormant tcp socket has a pretty more expensive memory cost than its
> >>dst. (Socket structure, dentry, inode, and probably in user land a
> >>thread or process, and data)
> > 
>> Thanks Eric for detailed explanation. You did mention this before.
>> What I see is the cache entries related to the TCP sockets are getting
> >cleared, whenever they age out. But the issue we see here is with the
> >broadcast messages such as SMB messages and network neighbor hood
>> messages. They never get freed. There is no traffic to those
> >destinations from our board. 

>What do you mean ? Your box is a router only ?

>Those SMB messages are going through it ?
 
Our box is a stand-alone system with L2 Quick Engine. This QE forwards all broadcast to the other ports and also a copy to the CPU port. 

^ permalink raw reply

* Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
From: Roopa Prabhu @ 2011-09-12 17:23 UTC (permalink / raw)
  To: Sridhar Samudrala
  Cc: Michael S. Tsirkin, netdev, dragos.tatulea, arnd, dwang2, benve,
	kaber, davem, eric.dumazet, mchan, kvm
In-Reply-To: <4E6D8AF3.7080406@us.ibm.com>




On 9/11/11 9:30 PM, "Sridhar Samudrala" <sri@us.ibm.com> wrote:

> On 9/11/2011 6:18 AM, Roopa Prabhu wrote:
>> 
>> 
>> On 9/11/11 2:44 AM, "Michael S. Tsirkin"<mst@redhat.com>  wrote:
>> 
>>>> AFAIK, though it might maintain a single filter table space in hw, hw does
>>>> know which filter belongs to which VF. And the OS driver does not need to
>>>> do
>>>> anything special. The VF driver exposes a VF netdev. And any uc/mc
>>>> addresses
>>>> registered with a VF netdev are registered with the hw by the driver. And
>>>> hw
>>>> will filter and send only pkts that the VF has expressed interest in.
>>>> 
>>>> No special filter partitioning in hw is required.
>>>> 
>>>> Thanks,
>>>> Roopa
>>> Yes, but what I mean is, if the size of the single filter table
>>> is limited, we need to decide how many addresses is
>>> each guest allowed. If we let one guest ask for
>>> as many as it wants, it can lock others out.
>> Yes true. In these cases ie when the number of unicast addresses being
>> registered is more than it can handle, The VF driver will put the VF  in
>> promiscuous mode (Or at least its supposed to do. I think all drivers do
>> that).
>> 
> What does putting VF in promiscuous mode mean?  How can the NIC decide
> which set
> of mac addresses are passed to the VF? Does it mean VF sees all the
> packets received
> by the NIC including packets destined for other VFs/PF?
> 
Yes I think so. After your question I looked at 2 other  VF drivers and
looks like they return error if num unicast addresses exceeds the number
supported by hw and don't put the VF in promiscuous mode. But one could put
the VF in promiscuous mode by changing IFF_FLAGS I think.

The original in-kernel passthru mode code puts the VF in promiscuous mode by
default. Am assuming that works well with other sriov cards you got a chance
to try out with.

Thanks,
Roopa

^ permalink raw reply

* Re: Memory leak in ip_dst_cache
From: Eric Dumazet @ 2011-09-12 17:57 UTC (permalink / raw)
  To: Kumar S; +Cc: Neil Horman, netdev
In-Reply-To: <1315847801.41447.YahooMailNeo@web113916.mail.gq1.yahoo.com>

Le lundi 12 septembre 2011 à 10:16 -0700, Kumar S a écrit :
> ----- Original Message -----
> From: Eric Dumazet <eric.dumazet@gmail.com>

> >What do you mean ? Your box is a router only ?
> 
> >Those SMB messages are going through it ?
>  
> Our box is a stand-alone system with L2 Quick Engine. This QE forwards
> all broadcast to the other ports and also a copy to the CPU port. 

It sounds like a modified kernel, maybe you added a bug in the code...

^ permalink raw reply

* [PATCH] Check net->nfnl for NULL in ctnetlink_conntrack_event to, avoid Oops on container destroy
From: Tim Gardner @ 2011-09-12 18:03 UTC (permalink / raw)
  To: kaber, linux-kernel
  Cc: David Miller, netfilter-devel, netfilter, coreteam, netdev

[-- Attachment #1: Type: text/plain, Size: 331 bytes --]

Patrick,

I received this patch from a developer that uses lxc and network name 
spaces. I don't know the locking semantics well enough for CT to judge 
whether this fix is sufficient. Bug info can be found at 
http://bugs.launchpad.net/bugs/843892 . See comment #7 for his analysis.

rtg
-- 
Tim Gardner tim.gardner@canonical.com

[-- Attachment #2: 0001-Check-net-nfnl-for-NULL-in-ctnetlink_conntrack_event.patch --]
[-- Type: text/x-patch, Size: 939 bytes --]

>From dcb64e27c7daaf4affe5b1a617b45a9a0364b4ad Mon Sep 17 00:00:00 2001
From: Alex Bligh <alex@alex.org.uk>
Date: Sat, 10 Sep 2011 13:29:12 +0100
Subject: [PATCH] Check net->nfnl for NULL in ctnetlink_conntrack_event to
 avoid Oops on container destroy


Signed-off-by: Alex Bligh <alex@alex.org.uk>
---
 net/netfilter/nf_conntrack_netlink.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 482e90c..0790d0a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -570,6 +570,11 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
 		return 0;
 
 	net = nf_ct_net(ct);
+
+	/* container deinit, netlink may have died before death_by_timeout */
+	if (!net->nfnl)
+		return 0;
+
 	if (!item->report && !nfnetlink_has_listeners(net, group))
 		return 0;
 
-- 
1.7.5.4


^ permalink raw reply related

* Temporary(?) relocation of wireless git trees...
From: John W. Linville @ 2011-09-12 18:13 UTC (permalink / raw)
  To: linux-wireless
  Cc: David Woodhouse, Stephen Rothwell, David S. Miller, netdev,
	linux-kernel

With no news on when the kernel.org trees will be accessible again
(which could be 10 minutes from now for all I know), I have pushed
my local copies to Infradead.  This should be equivalent to what was
last pushed to kernel.org almost two weeks ago.

The "current" wireless tree is here:

	git://git.infradead.org/users/linville/wireless.git

The "next" wireless tree is here:

	git://git.infradead.org/users/linville/wireless-next.git

The "testing" wireless tree is here:

	git://git.infradead.org/users/linville/wireless-testing.git

I don't know how long these trees will be on Infradead or when (or
if) they will return to kernel.org.  Such changes will be determined
as conditions change.  Please be flexible.

Thanks,

John
-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.

^ permalink raw reply

* Re: [PATCH] Check net->nfnl for NULL in ctnetlink_conntrack_event to, avoid Oops on container destroy
From: Tim Gardner @ 2011-09-12 18:42 UTC (permalink / raw)
  To: kaber
  Cc: linux-kernel, David Miller, netfilter-devel, netfilter, coreteam,
	netdev
In-Reply-To: <4E6E4961.9070802@canonical.com>

On 09/12/2011 12:03 PM, Tim Gardner wrote:
> Patrick,
>
> I received this patch from a developer that uses lxc and network name
> spaces. I don't know the locking semantics well enough for CT to judge
> whether this fix is sufficient. Bug info can be found at
> http://bugs.launchpad.net/bugs/843892 . See comment #7 for his analysis.
>
> rtg

Never mind. Looks like Alex already sent this patch on Sept 10 with the 
subject 'Fix repeatable Oops on container destroy with conntrack'.

rtg

-- 
Tim Gardner tim.gardner@canonical.com

^ permalink raw reply

* Re: Incorrect routing to lo in spite of correct record in routing table
From: Eric Dumazet @ 2011-09-12 18:47 UTC (permalink / raw)
  To: Марк Коренберг
  Cc: netdev
In-Reply-To: <CAEmTpZGKnU4z4J43XGa-1YZ0WW6rnKdpTRJDFEeUTfVmZQH84g@mail.gmail.com>

Le lundi 12 septembre 2011 à 23:14 +0600, Марк Коренберг a écrit :
> Suppose this (note netowrk masks):
> 
> [mmarkk@mmarkk-devel ~]# uname -a
> Linux mmarkk-devel 2.6.32-71.el6.x86_64 #1 SMP Wed Sep 1 01:33:01 EDT
> 2010 x86_64 x86_64 x86_64 GNU/Linux
> 
> [mmarkk@mmarkk-devel ~]# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     inet 127.0.0.1/32 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>     inet 10.80.20.21/16 brd 10.80.255.255 scope global eth0
> 3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
>     inet 127.0.0.2/32 scope host dummy0
> 
> [mmarkk@mmarkk-devel ~]# ip route show
> 10.80.0.0/16 dev eth0  proto kernel  scope link  src 10.80.20.21
> unreachable 127.0.0.0/8 <---------------------- has been added by hand
> default via 10.80.90.40 dev eth0
> 
> [mmarkk@mmarkk-devel ~]# ip route show table local
> broadcast 10.80.0.0 dev eth0  proto kernel  scope link  src 10.80.20.21
> local 10.80.20.21 dev eth0  proto kernel  scope host  src 10.80.20.21
> local 127.0.0.2 dev dummy0  proto kernel  scope host  src 127.0.0.2
> broadcast 10.80.255.255 dev eth0  proto kernel  scope link  src 10.80.20.21
> local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
> 
> [mmarkk@mmarkk-devel ~]# ip route flush cache
> 
> [mmarkk@mmarkk-devel ~]# ip route get 127.0.0.3
> RTNETLINK answers: Network is unreachable <------------ good, that is OK
> 
> [mmarkk@mmarkk-devel ~]# ip route get 127.0.0.1
> local 127.0.0.1 dev lo  src 127.0.0.1  <--------- Good, that's OK too
>     cache <local>  mtu 16436 advmss 16396 hoplimit 64
> 
> [mmarkk@mmarkk-devel ~]# ip route get 127.0.0.2
> local 127.0.0.2 dev lo  src 127.0.0.2 <------------ HAY! this is not I
> want. Why device is "lo" (instead of dummy0) ?!
>     cache <local>  mtu 16436 advmss 16396 hoplimit 64
> 
> =========================
> The problem is that I want to do DNAT to localhost. I know, why DNAT
> to 127.0.0.1 (to interface "lo") does not work. I decide to do that
> using interface dummy0. It works as expected if I choose any address
> not in 127.0.0.0/8.
> 
> RFC 3330 said:
> -------------
> A datagram sent by a higher level protocol to an  address anywhere
> within this block should loop back inside the host. This is ordinarily
> implemented using only 127.0.0.1/32 for loopback, but no addresses
> within this block should ever appear on any network anywhere
> -------------
> So, my question: Why the kernel routes 127.0.0.2 to lo (instead of dummy0) ?
> 
> Well, If kernel is so smart to route any 127.0.0.0/8 to "lo", why it
> routes 127.0.0.3 to default gateway if I remove "unreachable
> 127.0.0.0/8" ?!
> 

Because you have 127.0.0.1/32 on lo, not 127.0.0.1/8

> I think there is some bug in kernel. What are you thinking about?
> 

I have no idea why you think there is a bug.

127.0.0.2 (dummy0) is a local address like 10.80.20.21 (eth0)

When you ping 10.80.20.21, the frame goes through loopback, not eth0.

# ip ro get 10.80.20.21
local 10.80.20.21 dev lo  src 10.80.20.21 
    cache <local> 

BTW, if you 'ifconfig lo down', ping to 10.80.20.21 doesnt work.

^ permalink raw reply

* Re: [PATCH net-next] af_unix: dont send SCM_CREDENTIALS by default
From: Tim Chen @ 2011-09-12 19:15 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Yan, Zheng, Yan, Zheng, netdev@vger.kernel.org,
	davem@davemloft.net, sfr@canb.auug.org.au, jirislaby@gmail.com,
	sedat.dilek@gmail.com, Shi, Alex, Valdis Kletnieks
In-Reply-To: <1315544777.5410.19.camel@edumazet-laptop>

On Fri, 2011-09-09 at 07:06 +0200, Eric Dumazet wrote:
> Le jeudi 08 septembre 2011 à 02:24 -0700, Tim Chen a écrit :
> 
> > Looking forward to the patch.  This should improve the scalability of
> > af_unix.
> 
> Here it is, based on top on previous one [af_unix: Fix use-after-free
> crashes]
> 
> Thanks
> 
> [PATCH net-next] af_unix: dont send SCM_CREDENTIALS by default
> 
> Since commit 7361c36c5224 (af_unix: Allow credentials to work across
> user and pid namespaces) af_unix performance dropped a lot.
> 
> This is because we now take a reference on pid and cred in each write(),
> and release them in read(), usually done from another process,
> eventually from another cpu. This triggers false sharing.
> 
> # Events: 154K cycles
> #
> # Overhead  Command       Shared Object                               Symbol
> # ........  .......  ..................  ...................................
> #
>     10.40%  hackbench  [kernel.kallsyms]   [k] put_pid
>      8.60%  hackbench  [kernel.kallsyms]   [k] unix_stream_recvmsg
>      7.87%  hackbench  [kernel.kallsyms]   [k] unix_stream_sendmsg
>      6.11%  hackbench  [kernel.kallsyms]   [k] do_raw_spin_lock
>      4.95%  hackbench  [kernel.kallsyms]   [k] unix_scm_to_skb
>      4.87%  hackbench  [kernel.kallsyms]   [k] pid_nr_ns
>      4.34%  hackbench  [kernel.kallsyms]   [k] cred_to_ucred
>      2.39%  hackbench  [kernel.kallsyms]   [k] unix_destruct_scm
>      2.24%  hackbench  [kernel.kallsyms]   [k] sub_preempt_count
>      1.75%  hackbench  [kernel.kallsyms]   [k] fget_light
>      1.51%  hackbench  [kernel.kallsyms]   [k] __mutex_lock_interruptible_slowpath
>      1.42%  hackbench  [kernel.kallsyms]   [k] sock_alloc_send_pskb
> 
> 
> This patch includes SCM_CREDENTIALS information in a af_unix message/skb
> only if requested by the sender, [man 7 unix for details how to include
> ancillary data using sendmsg() system call]
> 
> Note: This might break buggy applications that expected SCM_CREDENTIAL
> from an unaware write() system call.
> 
> Performance boost in hackbench : more than 50% gain on a 16 thread
> machine (2 quad-core cpus, 2 threads per core)
> 
> hackbench 20 thread 2000
> 
> 4.224 sec instead of 9.102 sec
> 
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

This speeds up the case where we're not passing SCM_CREDENTIALS nicely.

Acked-by: Tim Chen <tim.c.chen@linux.intel.com>

^ permalink raw reply

* [PATCH RFC v2 0/5] netfilter reverse path filter matches
From: Florian Westphal @ 2011-09-12 19:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev

Version 2 of the ipv4/v6 reverse path filter matches discussed during
nfws 2011.

The ipv4 match (ipt_rpfilter) tries to do exactly what the current
fib_validate_source does.  The main problem with this is that
we need to do an additional fib lookup to get the oif in the match.
[ delaying until FORWARD is invoked is not possible because by
  that point the stack might have already sent icmp errors ].

Patrick McHardy suggested to simply attach the result as the dst, so
ipv4 input path doesn't have to do it again.

This works, but does have a few side effects wrt. route-by-mark and
TPROXY, see patch changelog for details.

The ipv6 version does a pure 'reverse' lookup instead.  This makes
things a lot easier (e.g. when multiple route entries exist), but has
the caveat that a real reply packet might be handled differently due to
policy routing rules.

Userspace part is stored in my iptables repository on
http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/iptables.git (branch 'rpfilter').

Kernel patches are located in the 'xt_rpfilter_5' branch on
http://git.breakpoint.cc/cgi-bin/gitweb.cgi?p=fw/nf-next.git
(patches will be sent as followup to this email).

[ in case you are wondering: the earlier xt_rpfilter version was
  removed -- causes too many module  dependency issues and most of the
  code cannot be shared anyway ].

Thanks,
Florian

^ permalink raw reply

* [RFC PATCH 1/5] net: ipv4: export fib_table_lookup
From: Florian Westphal @ 2011-09-12 19:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev, Florian Westphal
In-Reply-To: <1315856552-1422-1-git-send-email-fw@strlen.de>

modules using fib_lookup() fail to link when
CONFIG_IP_MULTIPLE_TABLES is not set.

The reason is that in this case fib_lookup is a static inline
helper that calls fib_table_lookup.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/ipv4/fib_trie.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 58c25ea..e13eb24 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1606,6 +1606,7 @@ found:
 	rcu_read_unlock();
 	return ret;
 }
+EXPORT_SYMBOL_GPL(fib_table_lookup);
 
 /*
  * Remove the leaf and return parent.
-- 
1.7.3.4


^ permalink raw reply related

* [RFC PATCH 2/5] net: ipv4: move ip_rcv route error counter handling into helper function
From: Florian Westphal @ 2011-09-12 19:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev, Florian Westphal
In-Reply-To: <1315856552-1422-1-git-send-email-fw@strlen.de>

This will avoid code duplication and messing with mib counters
in the planned netfilter reverse path filter match.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/net/ip.h    |    1 +
 net/ipv4/ip_input.c |   21 ++++++++++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/include/net/ip.h b/include/net/ip.h
index e9ea7c7..0001633 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -95,6 +95,7 @@ extern int		ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
 					      struct ip_options_rcu *opt);
 extern int		ip_rcv(struct sk_buff *skb, struct net_device *dev,
 			       struct packet_type *pt, struct net_device *orig_dev);
+extern void		ip_rcv_inc_route_err_stats(struct net *net, int err);
 extern int		ip_local_deliver(struct sk_buff *skb);
 extern int		ip_mr_input(struct sk_buff *skb);
 extern int		ip_output(struct sk_buff *skb);
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index c8f48ef..43679f4 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -314,6 +314,17 @@ drop:
 	return -1;
 }
 
+void ip_rcv_inc_route_err_stats(struct net *net, int err)
+{
+	if (err == -EHOSTUNREACH)
+		IP_INC_STATS_BH(net, IPSTATS_MIB_INADDRERRORS);
+	else if (err == -ENETUNREACH)
+		IP_INC_STATS_BH(net, IPSTATS_MIB_INNOROUTES);
+	else if (err == -EXDEV)
+		NET_INC_STATS_BH(net, LINUX_MIB_IPRPFILTER);
+}
+EXPORT_SYMBOL_GPL(ip_rcv_inc_route_err_stats);
+
 static int ip_rcv_finish(struct sk_buff *skb)
 {
 	const struct iphdr *iph = ip_hdr(skb);
@@ -327,15 +338,7 @@ static int ip_rcv_finish(struct sk_buff *skb)
 		int err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
 					       iph->tos, skb->dev);
 		if (unlikely(err)) {
-			if (err == -EHOSTUNREACH)
-				IP_INC_STATS_BH(dev_net(skb->dev),
-						IPSTATS_MIB_INADDRERRORS);
-			else if (err == -ENETUNREACH)
-				IP_INC_STATS_BH(dev_net(skb->dev),
-						IPSTATS_MIB_INNOROUTES);
-			else if (err == -EXDEV)
-				NET_INC_STATS_BH(dev_net(skb->dev),
-						 LINUX_MIB_IPRPFILTER);
+			ip_rcv_inc_route_err_stats(dev_net(skb->dev), err);
 			goto drop;
 		}
 	}
-- 
1.7.3.4


^ permalink raw reply related

* [RFC PATCH 4/5] ipv6: add ip6_route_lookup
From: Florian Westphal @ 2011-09-12 19:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev, Florian Westphal
In-Reply-To: <1315856552-1422-1-git-send-email-fw@strlen.de>

like rt6_lookup, but allows caller to pass in flowi6 structure.
Will be used by the upcoming ipv6 netfilter reverse path filter
match.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/net/ip6_route.h |    2 ++
 net/ipv6/route.c        |    7 +++++++
 2 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
index 5e91b72..9c9399c 100644
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -70,6 +70,8 @@ extern void			ip6_route_input(struct sk_buff *skb);
 extern struct dst_entry *	ip6_route_output(struct net *net,
 						 const struct sock *sk,
 						 struct flowi6 *fl6);
+extern struct dst_entry *	ip6_route_lookup(struct net *net,
+						 struct flowi6 *fl6, int flags);
 
 extern int			ip6_route_init(void);
 extern void			ip6_route_cleanup(void);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 216ff31..183722c 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -629,6 +629,13 @@ out:
 
 }
 
+struct dst_entry * ip6_route_lookup(struct net *net, struct flowi6 *fl6,
+				    int flags)
+{
+	return fib6_rule_lookup(net, fl6, flags, ip6_pol_route_lookup);
+}
+EXPORT_SYMBOL_GPL(ip6_route_lookup);
+
 struct rt6_info *rt6_lookup(struct net *net, const struct in6_addr *daddr,
 			    const struct in6_addr *saddr, int oif, int strict)
 {
-- 
1.7.3.4


^ permalink raw reply related

* [RFC PATCH 5/5] netfilter: add ipv6 reverse path filter match
From: Florian Westphal @ 2011-09-12 19:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev, Florian Westphal
In-Reply-To: <1315856552-1422-1-git-send-email-fw@strlen.de>

Differs from the ipv4 version:
The oif is not used as input interface, instead this only
tests if the saddr of the packet is reachable via the
interface the packet arrived on.

This is not merged with the ipv4 match into xt_rpfilter.c
to avoid introduce module dependency issues.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/ipv6/netfilter/Kconfig         |   10 +++
 net/ipv6/netfilter/Makefile        |    1 +
 net/ipv6/netfilter/ip6t_rpfilter.c |  124 ++++++++++++++++++++++++++++++++++++
 3 files changed, 135 insertions(+), 0 deletions(-)
 create mode 100644 net/ipv6/netfilter/ip6t_rpfilter.c

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 4484648..49ec98b 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -125,6 +125,16 @@ config IP6_NF_MATCH_MH
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_MATCH_RPFILTER
+	tristate '"rpfilter" reverse path filter match support'
+	depends on NETFILTER_ADVANCED
+	---help---
+	  This option allows you to match packets whose replies would
+	  go out via the interface the packet came in.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+	  The module will be called ip6t_rpfilter.
+
 config IP6_NF_MATCH_RT
 	tristate '"rt" Routing header match support'
 	depends on NETFILTER_ADVANCED
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index abfee91..2eaed96 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -27,6 +27,7 @@ obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
+obj-$(CONFIG_IP6_NF_MATCH_RPFILTER) += ip6t_rpfilter.o
 obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
 
 # targets
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
new file mode 100644
index 0000000..9fe84e4
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -0,0 +1,124 @@
+/*
+ *  Copyright (c) 2011 Florian Westphal <fw@strlen.de>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/route.h>
+#include <net/ip6_fib.h>
+#include <net/ip6_route.h>
+
+#include <linux/netfilter/xt_rpfilter.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
+MODULE_DESCRIPTION("Xtables: IPv6 reverse path filter match");
+
+static bool rpfilter_addr_unicast(const struct in6_addr *addr)
+{
+	int addr_type = ipv6_addr_type(addr);
+	return addr_type & IPV6_ADDR_UNICAST;
+}
+
+static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
+				     const struct net_device *dev, u8 flags)
+{
+	struct rt6_info *rt;
+	struct ipv6hdr *iph = ipv6_hdr(skb);
+	bool ret = false;
+	struct flowi6 fl6 = {
+		.flowlabel = (* (__be32 *) iph) & IPV6_FLOWINFO_MASK,
+		.flowi6_proto = iph->nexthdr,
+		.daddr = iph->saddr,
+	};
+	int lookup_flags;
+
+	if (rpfilter_addr_unicast(&iph->daddr)) {
+                ipv6_addr_copy(&fl6.saddr, &iph->daddr);
+		lookup_flags = RT6_LOOKUP_F_HAS_SADDR;
+	} else {
+		lookup_flags = 0;
+	}
+
+	fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+	if ((flags & XT_RPFILTER_LOOSE) == 0) {
+		fl6.flowi6_oif = dev->ifindex;
+		lookup_flags |= RT6_LOOKUP_F_IFACE;
+	}
+
+	rt = (void *) ip6_route_lookup(dev_net(dev), &fl6, lookup_flags);
+	if (rt->dst.error)
+		goto out;
+
+	if (rt->rt6i_flags & (RTF_REJECT|RTF_ANYCAST))
+		goto out;
+
+	if (rt->rt6i_flags & RTF_LOCAL) {
+		ret = flags & XT_RPFILTER_ACCEPT_LOCAL;
+		goto out;
+	}
+
+	if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE))
+		ret = true;
+ out:
+	dst_release(&rt->dst);
+	return ret;
+}
+
+static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_rpfilter_info *info = par->matchinfo;
+	int saddrtype;
+	struct ipv6hdr *iph;
+
+	if (par->in->flags & IFF_LOOPBACK)
+		return true;
+
+	iph = ipv6_hdr(skb);
+	saddrtype = ipv6_addr_type(&iph->saddr);
+	if (unlikely(saddrtype == IPV6_ADDR_ANY))
+		return true; /* not routable: forward path will drop it */
+
+	return rpfilter_lookup_reverse6(skb, par->in, info->flags);
+}
+
+static int rpfilter_check(const struct xt_mtchk_param *par)
+{
+	const struct xt_rpfilter_info *info = par->matchinfo;
+	unsigned int options = ~XT_RPFILTER_OPTION_MASK;
+
+	if (info->flags & options) {
+		pr_info("unknown options encountered");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static struct xt_match rpfilter_mt_reg __read_mostly = {
+	.name		= "rpfilter",
+	.family		= NFPROTO_IPV6,
+	.checkentry	= rpfilter_check,
+	.match		= rpfilter_mt,
+	.matchsize	= sizeof(struct xt_rpfilter_info),
+	.hooks		= (1 << NF_INET_PRE_ROUTING),
+	.me		= THIS_MODULE
+};
+
+static int __init rpfilter_mt_init(void)
+{
+	return xt_register_match(&rpfilter_mt_reg);
+}
+
+static void __exit rpfilter_mt_exit(void)
+{
+	xt_unregister_match(&rpfilter_mt_reg);
+}
+
+module_init(rpfilter_mt_init);
+module_exit(rpfilter_mt_exit);
-- 
1.7.3.4


^ permalink raw reply related

* [RFC PATCH 3/5] netfilter: add ipv4 reverse path filter match
From: Florian Westphal @ 2011-09-12 19:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: netdev, Florian Westphal
In-Reply-To: <1315856552-1422-1-git-send-email-fw@strlen.de>

Tries to mimic behaviour of fib_validate_source.

As fib_validate_source uses the oif as iif when performing reverse
lookup, we would need one additional fib lookup to get oif.

We can't wait until FORWARD chain because by the time FORWARD is invoked
ipv4 forward path may have already sent icmp messages is response
to to-be-discarded-via-rpfilter packets.

To avoid the additional lookup in PREROUTING, Patrick McHardy suggested
to attach the path information directly in the match.

This has a few caveats. Most importantly, when using marks in PREROUTING to
re-route traffic based on the nfmark, -m rpfilter has to be used after the
nfmark has been set; otherwise the nfmark will have no effect (because
the route is already attached to the skb).

Another problem is interaction with -j TPROXY, as this
target sets an nfmark and uses ACCEPT instead of CONTINUE, i.e.
-m rpfilter cannot be used for the initial to-be-intercepted packets.

Also, no result caching so far.

Unlike the current builtin ipv4 rpfilter, packets subject to ipsec
transformation are not automatically excluded; if you want this
combine with policy match.

Packets arriving on loopback interfaces always match.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter/xt_rpfilter.h |   21 ++++
 net/ipv4/netfilter/Kconfig            |   10 ++
 net/ipv4/netfilter/Makefile           |    1 +
 net/ipv4/netfilter/ipt_rpfilter.c     |  165 +++++++++++++++++++++++++++++++++
 4 files changed, 197 insertions(+), 0 deletions(-)
 create mode 100644 include/linux/netfilter/xt_rpfilter.h
 create mode 100644 net/ipv4/netfilter/ipt_rpfilter.c

diff --git a/include/linux/netfilter/xt_rpfilter.h b/include/linux/netfilter/xt_rpfilter.h
new file mode 100644
index 0000000..8d2d3f8
--- /dev/null
+++ b/include/linux/netfilter/xt_rpfilter.h
@@ -0,0 +1,21 @@
+#ifndef _XT_RPATH_H
+#define _XT_RPATH_H
+
+#include <linux/types.h>
+
+enum {
+	XT_RPFILTER_LOOSE = 1 << 0,
+	XT_RPFILTER_VALID_MARK = 1 << 1,
+	XT_RPFILTER_ACCEPT_LOCAL = 1 << 2,
+#ifdef __KERNEL__
+	XT_RPFILTER_OPTION_MASK = XT_RPFILTER_LOOSE |
+				  XT_RPFILTER_VALID_MARK |
+				  XT_RPFILTER_ACCEPT_LOCAL,
+#endif
+};
+
+struct xt_rpfilter_info {
+	__u8 flags;
+};
+
+#endif
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1dfc18a..ef8c1ab 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -82,6 +82,16 @@ config IP_NF_MATCH_ECN
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_MATCH_RPFILTER
+	tristate '"rpfilter" reverse path filter match support'
+	depends on NETFILTER_ADVANCED
+	---help---
+	  This option allows you to match packets whose replies would
+	  go out via the interface the packet came in.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+	  The module will be called ipt_rpfilter.
+
 config IP_NF_MATCH_TTL
 	tristate '"ttl" match support'
 	depends on NETFILTER_ADVANCED
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index dca2082..123dd88 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -50,6 +50,7 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
 # matches
 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
+obj-$(CONFIG_IP_NF_MATCH_RPFILTER) += ipt_rpfilter.o
 
 # targets
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
new file mode 100644
index 0000000..14b5ff5
--- /dev/null
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -0,0 +1,165 @@
+/*
+ *  Copyright (c) 2011 Florian Westphal <fw@strlen.de>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ * based on fib_frontend.c; Author: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/ip.h>
+#include <net/ip.h>
+#include <net/ip_fib.h>
+#include <net/route.h>
+
+#include <linux/netfilter/xt_rpfilter.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
+MODULE_DESCRIPTION("iptables: ipv4 reverse path filter match");
+
+/* don't try to find route from mcast/bcast/zeronet */
+static __be32 rpfilter_get_saddr(__be32 addr)
+{
+	if (ipv4_is_multicast(addr) || ipv4_is_lbcast(addr) ||
+	    ipv4_is_zeronet(addr))
+		return 0;
+	return addr;
+}
+
+static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
+				const struct net_device *dev, u8 flags)
+{
+	struct fib_result res;
+	bool dev_match;
+	struct net *net = dev_net(dev);
+	int ret __maybe_unused;
+
+	if (fib_lookup(net, fl4, &res))
+		return false;
+
+	if (res.type != RTN_UNICAST) {
+		if (res.type != RTN_LOCAL || !(flags & XT_RPFILTER_ACCEPT_LOCAL))
+			return false;
+	}
+	dev_match = false;
+#ifdef CONFIG_IP_ROUTE_MULTIPATH
+	for (ret = 0; ret < res.fi->fib_nhs; ret++) {
+		struct fib_nh *nh = &res.fi->fib_nh[ret];
+
+		if (nh->nh_dev == dev) {
+			dev_match = true;
+			break;
+		}
+	}
+#else
+	if (FIB_RES_DEV(res) == dev)
+		dev_match = true;
+#endif
+	if (dev_match || flags & XT_RPFILTER_LOOSE)
+		return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+	return dev_match;
+}
+
+static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+	const struct xt_rpfilter_info *info;
+	const struct iphdr *iph;
+	struct flowi4 flow;
+	struct rtable *rt;
+	int err;
+
+	if (par->in->flags & IFF_LOOPBACK)
+		return true;
+
+	iph = ip_hdr(skb);
+	if (!skb_dst(skb)) {
+		/*
+		 * This match will set skb dst, if it is unset.
+		 * Otherwise, the ipv4 stack would need to perform the same
+		 * lookup again.
+		 */
+		struct sk_buff *pskb;
+		pskb = (struct sk_buff *)skb;
+		err = ip_route_input_noref(pskb, iph->daddr, iph->saddr,
+					iph->tos, skb->dev);
+
+		if (unlikely(err)) {
+			ip_rcv_inc_route_err_stats(dev_net(skb->dev), err);
+			par->hotdrop = true;
+			return false;
+		}
+	}
+
+	info = par->matchinfo;
+	if (ipv4_is_multicast(iph->daddr)) {
+		if (ipv4_is_zeronet(iph->saddr))
+			return ipv4_is_local_multicast(iph->daddr);
+		flow.flowi4_iif = 0;
+		goto validate;
+	}
+
+	rt = skb_rtable(skb);
+	switch (rt->rt_type) {
+	case RTN_BROADCAST:
+		if (ipv4_is_zeronet(iph->saddr))
+			return true;
+		flow.flowi4_iif = 0;
+		break;
+	case RTN_LOCAL:
+		flow.flowi4_iif = dev_net(par->in)->loopback_dev->ifindex;
+		break;
+	default:
+		flow.flowi4_iif = rt->rt_oif;
+		break;
+	}
+
+ validate:
+	flow.daddr = iph->saddr;
+	flow.saddr = rpfilter_get_saddr(iph->daddr);
+	flow.flowi4_oif = 0;
+	flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+	flow.flowi4_tos = RT_TOS(iph->tos);
+	flow.flowi4_scope = RT_SCOPE_UNIVERSE;
+
+	return rpfilter_lookup_reverse(&flow, par->in, info->flags);
+}
+
+static int rpfilter_check(const struct xt_mtchk_param *par)
+{
+	const struct xt_rpfilter_info *info = par->matchinfo;
+	unsigned int options = ~XT_RPFILTER_OPTION_MASK;
+	if (info->flags & options) {
+		pr_info("unknown options encountered");
+		return -EINVAL;
+	}
+	return 0;
+}
+
+static struct xt_match rpfilter_mt_reg __read_mostly = {
+	.name		= "rpfilter",
+	.family		= NFPROTO_IPV4,
+	.checkentry	= rpfilter_check,
+	.match		= rpfilter_mt,
+	.matchsize	= sizeof(struct xt_rpfilter_info),
+	.hooks		= (1 << NF_INET_PRE_ROUTING),
+	.me		= THIS_MODULE
+};
+
+static int __init rpfilter_mt_init(void)
+{
+	return xt_register_match(&rpfilter_mt_reg);
+}
+
+static void __exit rpfilter_mt_exit(void)
+{
+	xt_unregister_match(&rpfilter_mt_reg);
+}
+
+module_init(rpfilter_mt_init);
+module_exit(rpfilter_mt_exit);
-- 
1.7.3.4

^ permalink raw reply related

* Re: [PATCH] ipv6: Create module parameter for use_tempaddr
From: Brian Haley @ 2011-09-12 19:51 UTC (permalink / raw)
  To: Paul Stewart; +Cc: netdev, davem
In-Reply-To: <CAMcMvsja6hmHj3-+vCYLnXXBbGznK9EJbx+mkBgT8gR6iwRoWg@mail.gmail.com>

On 09/12/2011 12:37 PM, Paul Stewart wrote:
> Hello, folks.  I've been trying to upstream (or open a discussion on)
> adding a module parameter to enable IPv6 address privacy as a module
> parameter.  The author listed for if_inet6.c is not a bouncing email
> address.  Does anyone else have a suggestion for where to get this
> change vetted?  I'm now CC'ing the author and reviewer of the last
> module parameter change for ipv6.

I think David would just tell you to be patient, your patch is listed in
patchwork, http://patchwork.ozlabs.org/project/netdev/list/ , and git.kernel.org
is still down...

>>>  static int disable_ipv6_mod = 0;
>>> @@ -89,6 +92,11 @@ MODULE_PARM_DESC(disable_ipv6, "Disable IPv6 on all interfaces");
>>>  module_param_named(autoconf, ipv6_defaults.autoconf, int, 0444);
>>>  MODULE_PARM_DESC(autoconf, "Enable IPv6 address autoconfiguration on all interfaces");
>>>
>>> +#ifdef CONFIG_IPV6_PRIVACY
>>> +module_param_named(use_tempaddr, ipv6_defaults.use_tempaddr, int, 0444);
>>> +MODULE_PARM_DESC(use_tempaddr, "Enable IPv6 address privacy for autoconfiguration by default");
>>> +#endif

I don't know if you want this under an #ifdef, since that could fail a module
load on certain kernel builds - people might want to put the same entry in a
conf file whether the kernel supports it or not (if it's accepted).

And you failed to update Documentation/networking/ipv6.txt

-Brian

^ permalink raw reply

* Re: [PATCH] Check net->nfnl for NULL in ctnetlink_conntrack_event to, avoid Oops on container destroy
From: Julian Anastasov @ 2011-09-12 20:40 UTC (permalink / raw)
  To: Tim Gardner
  Cc: kaber, linux-kernel, David Miller, netfilter-devel, netfilter,
	coreteam, netdev
In-Reply-To: <4E6E4961.9070802@canonical.com>


	Hello,

On Mon, 12 Sep 2011, Tim Gardner wrote:

> Patrick,
> 
> I received this patch from a developer that uses lxc and network name spaces.
> I don't know the locking semantics well enough for CT to judge whether this
> fix is sufficient. Bug info can be found at
> http://bugs.launchpad.net/bugs/843892 . See comment #7 for his analysis.

	We found same problems triggered by IPVS during
subsys cleanup:

http://marc.info/?l=netfilter-devel&m=130765388528399&w=2

	It is a general problem for modules that register
callbacks to the netfilter core. nfnetlink is such example
with a mix of global (ctnl_notifier) and per-net (nfnetlink_net_ops) 
registrations. During net cleanup the module must be prepared
to be called by core because the core cleanup happens later.

	So, may be rcu_dereference under rcu lock is needed for
some functions (nfnetlink_has_listeners, nfnetlink_send) but
such changes should be audited by nfnetlink developers.
Using rcu_assign_pointer for net->nfnl without corresponding 
rcu_dereference looks like a problem.

Regards

--
Julian Anastasov <ja@ssi.bg>

^ permalink raw reply

* [PATCHv2] ipv6: Create module parameter for use_tempaddr
From: Paul Stewart @ 2011-09-01  6:03 UTC (permalink / raw)
  To: netdev; +Cc: davem, brian.haley
In-Reply-To: <4E6E62D1.8010108@hp.com>

When ipv6 is used as a module, there is no good place to set
the default value for use_tempaddr.  Using sysctl.conf will
set this parameter too early -- before the module is loaded.
To solve this, create a module parameter that will set the
default value of use_tempaddr for all devices.

Signed-off-by: Paul Stewart <pstew@chromium.org>
Cc: davem@davemloft.net
Cc: brian.haley@hp.com
--
v2: Add documentation; move module parameter out of ifdef
---
 Documentation/networking/ipv6.txt |   20 ++++++++++++++++++++
 include/linux/ipv6.h              |    1 +
 net/ipv6/addrconf.c               |    3 +++
 net/ipv6/af_inet6.c               |    4 ++++
 4 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/Documentation/networking/ipv6.txt b/Documentation/networking/ipv6.txt
index 9fd7e21..d7f71e1 100644
--- a/Documentation/networking/ipv6.txt
+++ b/Documentation/networking/ipv6.txt
@@ -70,3 +70,23 @@ disable_ipv6
 
 		No IPv6 addresses will be added to interfaces.
 
+use_tempaddr
+
+	Specifies whether to enable Privacy Extensions for Stateless
+	Address Autoconfiguration (RFC3041) on all interfaces by default.
+
+	The possible values and their effects are:
+
+	0
+		Privacy addresses are not enabled by default.
+
+		This is the default value.
+
+	1
+		Privacy addresses are enabled by default on all interfaces
+		but do not prefer them over normal addresses.
+
+	2
+		Privacy addresses are enabled by default on all interfaces
+		and will be preferred over normal addresses.
+
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 0c99776..0d45a7c 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -178,6 +178,7 @@ struct ipv6_devconf {
 struct ipv6_params {
 	__s32 disable_ipv6;
 	__s32 autoconf;
+	__s32 use_tempaddr;
 };
 extern struct ipv6_params ipv6_defaults;
 #endif
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f012ebd..27314a2 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4609,6 +4609,9 @@ static int __net_init addrconf_init_net(struct net *net)
 		/* these will be inherited by all namespaces */
 		dflt->autoconf = ipv6_defaults.autoconf;
 		dflt->disable_ipv6 = ipv6_defaults.disable_ipv6;
+#ifdef CONFIG_IPV6_PRIVACY
+		dflt->use_tempaddr = ipv6_defaults.use_tempaddr;
+#endif
 	}
 
 	net->ipv6.devconf_all = all;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 3b5669a..36ee4a5 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -76,6 +76,7 @@ static DEFINE_SPINLOCK(inetsw6_lock);
 struct ipv6_params ipv6_defaults = {
 	.disable_ipv6 = 0,
 	.autoconf = 1,
+	.use_tempaddr = 0,
 };
 
 static int disable_ipv6_mod = 0;
@@ -89,6 +90,9 @@ MODULE_PARM_DESC(disable_ipv6, "Disable IPv6 on all interfaces");
 module_param_named(autoconf, ipv6_defaults.autoconf, int, 0444);
 MODULE_PARM_DESC(autoconf, "Enable IPv6 address autoconfiguration on all interfaces");
 
+module_param_named(use_tempaddr, ipv6_defaults.use_tempaddr, int, 0444);
+MODULE_PARM_DESC(use_tempaddr, "Enable IPv6 address privacy for autoconfiguration by default");
+
 static __inline__ struct ipv6_pinfo *inet6_sk_generic(struct sock *sk)
 {
 	const int offset = sk->sk_prot->obj_size - sizeof(struct ipv6_pinfo);
-- 
1.7.3.1

^ permalink raw reply related


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox