* [PATCH RESENT net-next] net: remove function sk_reset_txq()
From: ZHAO Gang @ 2013-10-22 8:23 UTC (permalink / raw)
To: David S. Miller; +Cc: netdev
What sk_reset_txq() does is just calls function sk_tx_queue_reset(),
and sk_reset_txq() is used only in sock.h, by dst_negative_advice().
Let dst_negative_advice() calls sk_tx_queue_reset() directly so we
can remove unneeded sk_reset_txq().
Signed-off-by: ZHAO Gang <gamerh2o@gmail.com>
---
Hope this time I don't mess it up. Sorry for the inconvenience.
---
include/net/sock.h | 4 +---
net/core/sock.c | 6 ------
2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index 86bb066..c93542f 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1746,8 +1746,6 @@ sk_dst_get(struct sock *sk)
return dst;
}
-void sk_reset_txq(struct sock *sk);
-
static inline void dst_negative_advice(struct sock *sk)
{
struct dst_entry *ndst, *dst = __sk_dst_get(sk);
@@ -1757,7 +1755,7 @@ static inline void dst_negative_advice(struct sock *sk)
if (ndst != dst) {
rcu_assign_pointer(sk->sk_dst_cache, ndst);
- sk_reset_txq(sk);
+ sk_tx_queue_clear(sk);
}
}
}
diff --git a/net/core/sock.c b/net/core/sock.c
index 440afdc..ab20ed9 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -475,12 +475,6 @@ discard_and_relse:
}
EXPORT_SYMBOL(sk_receive_skb);
-void sk_reset_txq(struct sock *sk)
-{
- sk_tx_queue_clear(sk);
-}
-EXPORT_SYMBOL(sk_reset_txq);
-
struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie)
{
struct dst_entry *dst = __sk_dst_get(sk);
--
1.8.3.1
^ permalink raw reply related
* Re: [PATCH net-next v2] bonding: move bond-specific init after enslave happens
From: Jiri Pirko @ 2013-10-22 7:50 UTC (permalink / raw)
To: Veaceslav Falico; +Cc: netdev, dingtianhong, Jay Vosburgh, Andy Gospodarek
In-Reply-To: <1382348910-32724-1-git-send-email-vfalico@redhat.com>
Mon, Oct 21, 2013 at 11:48:30AM CEST, vfalico@redhat.com wrote:
>As Jiri noted, currently we first do all bonding-specific initialization
>(specifically - bond_select_active_slave(bond)) before we actually attach
>the slave (so that it becomes visible through bond_for_each_slave() and
>friends). This might result in bond_select_active_slave() not seeing the
>first/new slave and, thus, not actually selecting an active slave.
>
>Fix this by moving all the bond-related init part after we've actually
>completely initialized and linked (via bond_master_upper_dev_link()) the
>new slave.
>
>Also, remove the bond_(de/a)ttach_slave(), it's useless to have functions
>to ++/-- one int.
>
>After this we have all the initialization of the new slave *before*
>linking, and all the stuff that needs to be done on bonding *after* it. It
>has also a bonus effect - we can remove the locking on the new slave init
>completely, and only use it for bond_select_active_slave().
>
>Reported-by: Jiri Pirko <jiri@resnulli.us>
>CC: Jay Vosburgh <fubar@us.ibm.com>
>CC: Andy Gospodarek <andy@greyhouse.net>
>Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
Reviewed-by: Jiri Pirko <jiri@resnulli.us>
^ permalink raw reply
* Re: [PATCH nf-next] netfilter: xtables: lightweight process control group matching
From: Daniel Wagner @ 2013-10-22 7:45 UTC (permalink / raw)
To: Ni, Xun, Daniel Borkmann
Cc: Eric W. Biederman, pablo@netfilter.org,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
Tejun Heo, cgroups@vger.kernel.org
In-Reply-To: <91E2D863603AD4478F101CE81E76E45D01828D59@SHSMSX103.ccr.corp.intel.com>
Hi Xun,
On 10/22/2013 08:15 AM, Ni, Xun wrote:
> Hello, Daniel:
> can all your examples block early before doing network operations?
I was referring to Linux Security Module which allows
to define access policies for an application e.g. which ports are
allowed to be used.
If the goal is just to block those ports you don't have to go through
half of the networking stack to figure out via an iptable rules that
this access is not allowed.
> What's the whole netfilter universe? Can you give us more clear
> examples?
I am not sure if I understood your question correctly. In case you
are asking what netfilter is I would like pointing you to the
http://www.netfilter.org/ project page.
cheers,
daniel
^ permalink raw reply
* Re: [PATCH nf-next] netfilter: xtables: lightweight process control group matching
From: Daniel Borkmann @ 2013-10-22 7:42 UTC (permalink / raw)
To: Ni, Xun
Cc: Daniel Wagner, Eric W. Biederman, pablo@netfilter.org,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
Tejun Heo, cgroups@vger.kernel.org
In-Reply-To: <91E2D863603AD4478F101CE81E76E45D01828D59@SHSMSX103.ccr.corp.intel.com>
On 10/22/2013 09:15 AM, Ni, Xun wrote:
> Hello, Daniel:
> can all your examples block early before doing network operations? What's the whole netfilter universe? Can you give us more clear examples?
As you can see from the code, the netfilter hooks are located
in NF_INET_LOCAL_OUT and NF_INET_POST_ROUTING.
> Thanks
> On 10/21/2013 05:09 PM, Daniel Wagner wrote:
>> On 10/19/2013 08:16 AM, Daniel Borkmann wrote:
>>> On 10/19/2013 01:21 AM, Eric W. Biederman wrote:
>>>
>>>> I am coming to this late. But two concrete suggestions.
>>>>
>>>> 1) process groups and sessions don't change as frequently as pids.
>>>>
>>>> 2) It is possible to put a set of processes in their own network
>>>> namespace and pipe just the packets you want those processes to
>>>> use into that network namespace. Using an ingress queueing filter
>>>> makes that process very efficient even if you have to filter by port.
>>>
>>> Actually in our case we're filtering outgoing traffic, based on which
>>> local socket that originated from; so you wouldn't need all of that
>>> construct. Also, you wouldn't even need to have an a-prio knowledge
>>> of the application internals regarding their use of particular use of
>>> ports or protocols. I don't think that such a setup will have the
>>> same efficiency, ease of use, and power to distinguish the
>>> application the traffic came from in such a lightweight, protocol independent and easy way.
>>
>> Sorry for beeing late as well (and also stupid question)
>>
>> Couldn't you use something from the LSM? I mean you allow the
>> application to create the socket etc and then block later the traffic
>> originated from that socket. Wouldn't it make more sense to block
>> early?
>
> I gave one simple example for blocking in the commit message, that's true, but it is not limited to that, meaning we can have much different scenarios/policies that netfilter allows us than just blocking, e.g. fine grained settings where applications are allowed to connect/send traffic to, application traffic marking/ conntracking, application-specific packet mangling, and so on, just think of the whole netfilter universe.
> --
> To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply
* Re: [PATCH net-next v2] bonding: move bond-specific init after enslave happens
From: Ding Tianhong @ 2013-10-22 7:38 UTC (permalink / raw)
To: Veaceslav Falico; +Cc: netdev, jiri, Jay Vosburgh, Andy Gospodarek
In-Reply-To: <1382348910-32724-1-git-send-email-vfalico@redhat.com>
On 2013/10/21 17:48, Veaceslav Falico wrote:
> As Jiri noted, currently we first do all bonding-specific initialization
> (specifically - bond_select_active_slave(bond)) before we actually attach
> the slave (so that it becomes visible through bond_for_each_slave() and
> friends). This might result in bond_select_active_slave() not seeing the
> first/new slave and, thus, not actually selecting an active slave.
>
> Fix this by moving all the bond-related init part after we've actually
> completely initialized and linked (via bond_master_upper_dev_link()) the
> new slave.
>
> Also, remove the bond_(de/a)ttach_slave(), it's useless to have functions
> to ++/-- one int.
>
> After this we have all the initialization of the new slave *before*
> linking, and all the stuff that needs to be done on bonding *after* it. It
> has also a bonus effect - we can remove the locking on the new slave init
> completely, and only use it for bond_select_active_slave().
>
> Reported-by: Jiri Pirko <jiri@resnulli.us>
> CC: Jay Vosburgh <fubar@us.ibm.com>
> CC: Andy Gospodarek <andy@greyhouse.net>
> Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
> ---
>
> Notes:
> v1 -> v2:
> Move the bond_(de/a)ttach_slave() functionality, and remove these
> functions.
>
> drivers/net/bonding/bond_main.c | 65 +++++++++--------------------------------
> 1 file changed, 14 insertions(+), 51 deletions(-)
>
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index d90734f..2daa066 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -967,33 +967,6 @@ void bond_select_active_slave(struct bonding *bond)
> }
> }
>
> -/*--------------------------- slave list handling ---------------------------*/
> -
> -/*
> - * This function attaches the slave to the end of list.
> - *
> - * bond->lock held for writing by caller.
> - */
> -static void bond_attach_slave(struct bonding *bond, struct slave *new_slave)
> -{
> - bond->slave_cnt++;
> -}
> -
> -/*
> - * This function detaches the slave from the list.
> - * WARNING: no check is made to verify if the slave effectively
> - * belongs to <bond>.
> - * Nothing is freed on return, structures are just unchained.
> - * If any slave pointer in bond was pointing to <slave>,
> - * it should be changed by the calling function.
> - *
> - * bond->lock held for writing by caller.
> - */
> -static void bond_detach_slave(struct bonding *bond, struct slave *slave)
> -{
> - bond->slave_cnt--;
> -}
> -
> #ifdef CONFIG_NET_POLL_CONTROLLER
> static inline int slave_enable_netpoll(struct slave *slave)
> {
> @@ -1471,22 +1444,13 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
> goto err_close;
> }
>
> - write_lock_bh(&bond->lock);
> -
> prev_slave = bond_last_slave(bond);
> - bond_attach_slave(bond, new_slave);
>
> new_slave->delay = 0;
> new_slave->link_failure_count = 0;
>
> - write_unlock_bh(&bond->lock);
> -
> - bond_compute_features(bond);
> -
> bond_update_speed_duplex(new_slave);
>
> - read_lock(&bond->lock);
> -
> new_slave->last_arp_rx = jiffies -
> (msecs_to_jiffies(bond->params.arp_interval) + 1);
> for (i = 0; i < BOND_MAX_ARP_TARGETS; i++)
> @@ -1547,12 +1511,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
> }
> }
>
> - write_lock_bh(&bond->curr_slave_lock);
> -
> switch (bond->params.mode) {
> case BOND_MODE_ACTIVEBACKUP:
> bond_set_slave_inactive_flags(new_slave);
> - bond_select_active_slave(bond);
> break;
> case BOND_MODE_8023AD:
> /* in 802.3ad mode, the internal mechanism
> @@ -1578,7 +1539,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
> case BOND_MODE_ALB:
> bond_set_active_slave(new_slave);
> bond_set_slave_inactive_flags(new_slave);
> - bond_select_active_slave(bond);
> break;
> default:
> pr_debug("This slave is always active in trunk mode\n");
> @@ -1596,10 +1556,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
> break;
> } /* switch(bond_mode) */
>
> - write_unlock_bh(&bond->curr_slave_lock);
> -
> - bond_set_carrier(bond);
> -
> #ifdef CONFIG_NET_POLL_CONTROLLER
> slave_dev->npinfo = bond->dev->npinfo;
> if (slave_dev->npinfo) {
> @@ -1614,8 +1570,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
> }
> #endif
>
> - read_unlock(&bond->lock);
> -
> res = netdev_rx_handler_register(slave_dev, bond_handle_frame,
> new_slave);
> if (res) {
> @@ -1629,6 +1583,17 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
> goto err_unregister;
> }
>
> + bond->slave_cnt++;
> + bond_compute_features(bond);
> + bond_set_carrier(bond);
> +
> + if (USES_PRIMARY(bond->params.mode)) {
> + read_lock(&bond->lock);
> + write_lock_bh(&bond->curr_slave_lock);
> + bond_select_active_slave(bond);
> + write_unlock_bh(&bond->curr_slave_lock);
> + read_unlock(&bond->lock);
> + }
>
> pr_info("%s: enslaving %s as a%s interface with a%s link.\n",
> bond_dev->name, slave_dev->name,
> @@ -1648,7 +1613,6 @@ err_detach:
>
> vlan_vids_del_by_dev(slave_dev, bond_dev);
> write_lock_bh(&bond->lock);
> - bond_detach_slave(bond, new_slave);
> if (bond->primary_slave == new_slave)
> bond->primary_slave = NULL;
> if (bond->curr_active_slave == new_slave) {
> @@ -1686,7 +1650,6 @@ err_free:
> kfree(new_slave);
>
> err_undo_flags:
> - bond_compute_features(bond);
> /* Enslave of first slave has failed and we need to fix master's mac */
> if (!bond_has_slaves(bond) &&
> ether_addr_equal(bond_dev->dev_addr, slave_dev->dev_addr))
> @@ -1740,6 +1703,9 @@ static int __bond_release_one(struct net_device *bond_dev,
>
> write_unlock_bh(&bond->lock);
>
> + /* release the slave from its bond */
> + bond->slave_cnt--;
> +
> bond_upper_dev_unlink(bond_dev, slave_dev);
> /* unregister rx_handler early so bond_handle_frame wouldn't be called
> * for this slave anymore.
> @@ -1764,9 +1730,6 @@ static int __bond_release_one(struct net_device *bond_dev,
>
> bond->current_arp_slave = NULL;
>
> - /* release the slave from its bond */
> - bond_detach_slave(bond, slave);
> -
> if (!all && !bond->params.fail_over_mac) {
> if (ether_addr_equal(bond_dev->dev_addr, slave->perm_hwaddr) &&
> bond_has_slaves(bond))
>
Acked-by: Ding Tianhong@huawei.com
^ permalink raw reply
* Re: [PATCH nf-next] netfilter: xtables: lightweight process control group matching
From: Daniel Wagner @ 2013-10-22 7:36 UTC (permalink / raw)
To: Daniel Borkmann
Cc: Eric W. Biederman, pablo-Cap9r6Oaw4JrovVCs/uTlw,
netfilter-devel-u79uwXL29TY76Z2rM5mHXA,
netdev-u79uwXL29TY76Z2rM5mHXA, Tejun Heo,
cgroups-u79uwXL29TY76Z2rM5mHXA
In-Reply-To: <52654CE6.7030706-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On 10/21/2013 04:48 PM, Daniel Borkmann wrote:
> On 10/21/2013 05:09 PM, Daniel Wagner wrote:
>> On 10/19/2013 08:16 AM, Daniel Borkmann wrote:
>>> On 10/19/2013 01:21 AM, Eric W. Biederman wrote:
>>>
>>>> I am coming to this late. But two concrete suggestions.
>>>>
>>>> 1) process groups and sessions don't change as frequently as pids.
>>>>
>>>> 2) It is possible to put a set of processes in their own network
>>>> namespace and pipe just the packets you want those processes to
>>>> use into that network namespace. Using an ingress queueing filter
>>>> makes that process very efficient even if you have to filter by
>>>> port.
>>>
>>> Actually in our case we're filtering outgoing traffic, based on which
>>> local socket that originated from; so you wouldn't need all of that
>>> construct. Also, you wouldn't even need to have an a-prio knowledge of
>>> the application internals regarding their use of particular use of ports
>>> or protocols. I don't think that such a setup will have the same
>>> efficiency, ease of use, and power to distinguish the application the
>>> traffic came from in such a lightweight, protocol independent and
>>> easy way.
>>
>> Sorry for beeing late as well (and also stupid question)
>>
>> Couldn't you use something from the LSM? I mean you allow the
>> application to create the socket etc and then block later
>> the traffic originated from that socket. Wouldn't it make
>> more sense to block early?
>
> I gave one simple example for blocking in the commit message,
> that's true, but it is not limited to that, meaning we can have
> much different scenarios/policies that netfilter allows us than
> just blocking, e.g. fine grained settings where applications are
> allowed to connect/send traffic to, application traffic marking/
> conntracking, application-specific packet mangling, and so on,
> just think of the whole netfilter universe.
Oh, I didn't pay enough attention to the commit message. Sorry
about that. Obviously, if fine grained settings is a must
then blocking the write is not good enough.
cheers,
daniel
^ permalink raw reply
* Re: [PATCH net 1/2] sit: allow to use rtnl ops on fb tunnel
From: Nicolas Dichtel @ 2013-10-22 7:34 UTC (permalink / raw)
To: Willem de Bruijn
Cc: David Miller, netdev, steffen.klassert, pshelar, gregkh, stable
In-Reply-To: <CA+FuTScA26dW8bO5YdKTKp9tjSM-xVqkdkq8xzu-wH0cT=Wh8Q@mail.gmail.com>
Le 22/10/2013 01:30, Willem de Bruijn a écrit :
> On Wed, Oct 2, 2013 at 3:15 AM, Nicolas Dichtel
> <nicolas.dichtel@6wind.com> wrote:
>> Le 01/10/2013 18:59, David Miller a écrit :
>>
>>> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>> Date: Tue, 1 Oct 2013 18:04:59 +0200
>>>
>>>> rtnl ops where introduced by ba3e3f50a0e5 ("sit: advertise tunnel param
>>>> via
>>>> rtnl"), but I forget to assign rtnl ops to fb tunnels.
>>>>
>>>> Now that it is done, we must remove the explicit call to
>>>> unregister_netdevice_queue(), because the fallback tunnel is added to
>>>> the queue
>>>> in sit_destroy_tunnels() when checking rtnl_link_ops of all netdevices
>>>> (this
>>>> is valid since commit 5e6700b3bf98 ("sit: add support of x-netns")).
>>>>
>>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>>
>>>
>>> Applied and queued up for -stable.
>>>
>>> But I imagine since the x-netns changes aren't in various -stable
>>> branches this will need to be adjusted a bit?
>>
>> Yes, it's what I've tried to say in the commit log ;-)
>>
>> In fact, before the x-netns changes, we must keep the
>> unregister_netdevice_queue() line.
>
> In 3.11 linux-stable, this patch was merged between 3.11.4 and 3.11.5
> in commit 3783100, after the x-netns changes in commit 5e6700b3bf, but
> the unregister_netdevice_queue was kept.
>
> I think that caused the following bug. In 3.11.6, a simple `modprobe
> sit && rmmod sit` hits the BUG at net/core/dev.c:5039:
>
> BUG_ON(dev->reg_state != NETREG_REGISTERED);
>
> The device is actually NETREG_RELEASED at one point because the device
> is now unregistered twice. The issue goes away by porting the
> remainder of the original commit: the one liner that removes the call
> to unregister_netdevice_queue.
>
> +++ b/net/ipv6/sit.c
> @@ -1708,7 +1708,6 @@ static void __net_exit sit_exit_net(struct net *net)
>
> sit_destroy_tunnels(sitn, &list);
> - unregister_netdevice_queue(sitn->fb_tunnel_dev, &list);
> unregister_netdevice_many(&list);
>
> If correct, let me know if I should send a proper one-line patch
> against 3.11.y. Since I haven't looked at this code before, I found it
> safer to report the issue first.
Yes, this line should be removed, like it was done in the original patch
(x-netns for sit is part of 3.11).
>
> 5e6700b3bf was not applied to 3.10 stable, so that branch is not affected.
Right.
^ permalink raw reply
* [PATCH 2/2] [PATCH] ax88179_178a: Add VID:DID for Samsung USB Ethernet Adapter
From: freddy @ 2013-10-22 7:32 UTC (permalink / raw)
To: davem, linux-usb, linux-kernel, netdev, allan, louis; +Cc: Freddy Xin
In-Reply-To: <1382427131-2429-1-git-send-email-freddy@asix.com.tw>
From: Freddy Xin <freddy@asix.com.tw>
Add VID:DID for Samsung USB Ethernet Adapter.
Signed-off-by: Freddy Xin <freddy@asix.com.tw>
---
drivers/net/usb/ax88179_178a.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
index 3bcd0d9..846cc19 100644
--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
@@ -1406,6 +1406,19 @@ static const struct driver_info sitecom_info = {
.tx_fixup = ax88179_tx_fixup,
};
+static const struct driver_info samsung_info = {
+ .description = "Samsung USB Ethernet Adapter",
+ .bind = ax88179_bind,
+ .unbind = ax88179_unbind,
+ .status = ax88179_status,
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
+ .stop = ax88179_stop,
+ .flags = FLAG_ETHER | FLAG_FRAMING_AX,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+};
+
static const struct usb_device_id products[] = {
{
/* ASIX AX88179 10/100/1000 */
@@ -1418,7 +1431,11 @@ static const struct usb_device_id products[] = {
}, {
/* Sitecom USB 3.0 to Gigabit Adapter */
USB_DEVICE(0x0df6, 0x0072),
- .driver_info = (unsigned long) &sitecom_info,
+ .driver_info = (unsigned long)&sitecom_info,
+}, {
+ /* Samsung USB Ethernet Adapter */
+ USB_DEVICE(0x04e8, 0xa100),
+ .driver_info = (unsigned long)&samsung_info,
},
{ },
};
--
1.7.10.4
^ permalink raw reply related
* [PATCH 1/2] [PATCH] ax88179_178a: Correct the RX error definition in RX header
From: freddy @ 2013-10-22 7:32 UTC (permalink / raw)
To: davem, linux-usb, linux-kernel, netdev, allan, louis; +Cc: Freddy Xin
From: Freddy Xin <freddy@asix.com.tw>
Correct the definition of AX_RXHDR_CRC_ERR and
AX_RXHDR_DROP_ERR. They are BIT29 and BIT31 in pkt_hdr
seperately.
Signed-off-by: Freddy Xin <freddy@asix.com.tw>
---
drivers/net/usb/ax88179_178a.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
index 3569293..3bcd0d9 100644
--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
@@ -36,8 +36,8 @@
#define AX_RXHDR_L4_TYPE_TCP 16
#define AX_RXHDR_L3CSUM_ERR 2
#define AX_RXHDR_L4CSUM_ERR 1
-#define AX_RXHDR_CRC_ERR ((u32)BIT(31))
-#define AX_RXHDR_DROP_ERR ((u32)BIT(30))
+#define AX_RXHDR_CRC_ERR ((u32)BIT(29))
+#define AX_RXHDR_DROP_ERR ((u32)BIT(31))
#define AX_ACCESS_MAC 0x01
#define AX_ACCESS_PHY 0x02
#define AX_ACCESS_EEPROM 0x04
--
1.7.10.4
^ permalink raw reply related
* RE: [PATCH nf-next] netfilter: xtables: lightweight process control group matching
From: Ni, Xun @ 2013-10-22 7:15 UTC (permalink / raw)
To: Daniel Borkmann, Daniel Wagner
Cc: Eric W. Biederman, pablo@netfilter.org,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
Tejun Heo, cgroups@vger.kernel.org
In-Reply-To: <52654CE6.7030706@redhat.com>
Hello, Daniel:
can all your examples block early before doing network operations? What's the whole netfilter universe? Can you give us more clear examples?
Thanks
On 10/21/2013 05:09 PM, Daniel Wagner wrote:
> On 10/19/2013 08:16 AM, Daniel Borkmann wrote:
>> On 10/19/2013 01:21 AM, Eric W. Biederman wrote:
>>
>>> I am coming to this late. But two concrete suggestions.
>>>
>>> 1) process groups and sessions don't change as frequently as pids.
>>>
>>> 2) It is possible to put a set of processes in their own network
>>> namespace and pipe just the packets you want those processes to
>>> use into that network namespace. Using an ingress queueing filter
>>> makes that process very efficient even if you have to filter by port.
>>
>> Actually in our case we're filtering outgoing traffic, based on which
>> local socket that originated from; so you wouldn't need all of that
>> construct. Also, you wouldn't even need to have an a-prio knowledge
>> of the application internals regarding their use of particular use of
>> ports or protocols. I don't think that such a setup will have the
>> same efficiency, ease of use, and power to distinguish the
>> application the traffic came from in such a lightweight, protocol independent and easy way.
>
> Sorry for beeing late as well (and also stupid question)
>
> Couldn't you use something from the LSM? I mean you allow the
> application to create the socket etc and then block later the traffic
> originated from that socket. Wouldn't it make more sense to block
> early?
I gave one simple example for blocking in the commit message, that's true, but it is not limited to that, meaning we can have much different scenarios/policies that netfilter allows us than just blocking, e.g. fine grained settings where applications are allowed to connect/send traffic to, application traffic marking/ conntracking, application-specific packet mangling, and so on, just think of the whole netfilter universe.
--
To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* Re: [PATCH] 3c59x: fix incorrect use of spin_lock_bh in interrupts
From: David Miller @ 2013-10-22 6:55 UTC (permalink / raw)
To: mpatocka; +Cc: klassert, netdev
In-Reply-To: <alpine.LRH.2.02.1310211950360.5325@file01.intranet.prod.int.rdu2.redhat.com>
From: Mikulas Patocka <mpatocka@redhat.com>
Date: Mon, 21 Oct 2013 19:53:22 -0400 (EDT)
> The functions mdio_read and mdio_write may be called from interrupt
> context. Consequently, we must use spin_lock_irqsave instead of
> spin_lock_bh.
>
> This patch should be backported to stable kernels.
vortex_down() does a lot of other things which are really dangerous
from an interrupt handler, such as del_timer_sync().
The real fix for this bug is to defer the vortex_error() work into
a workqueue, and thus process context, like every other driver does.
^ permalink raw reply
* Re: [PATCH net] netpoll: linearize skb before accessing its data
From: David Miller @ 2013-10-22 6:50 UTC (permalink / raw)
To: antonio; +Cc: netdev
In-Reply-To: <20131022063714.GI1544@neomailbox.net>
From: Antonio Quartulli <antonio@meshcoding.com>
Date: Tue, 22 Oct 2013 08:37:14 +0200
> Ok I will do that. But I think this API change must go into
> net-next, right? Otherwise we would break every existing user.
Too bad, it's a necessary API change to fix the bug, the users
will need to change too.
It's not our problem if they are out-of-tree and can't be fixed
in-situ.
^ permalink raw reply
* Re: [PATCH net] netpoll: linearize skb before accessing its data
From: Antonio Quartulli @ 2013-10-22 6:37 UTC (permalink / raw)
To: David Miller; +Cc: netdev
In-Reply-To: <20131022.022525.2068838304168924147.davem@davemloft.net>
[-- Attachment #1: Type: text/plain, Size: 1014 bytes --]
On Tue, Oct 22, 2013 at 02:25:25AM -0400, David Miller wrote:
> From: Antonio Quartulli <antonio@meshcoding.com>
> Date: Tue, 22 Oct 2013 08:06:35 +0200
>
> > But rx_hook() does not receive any skb:
> >
> > 609 np->rx_hook(np, ntohs(uh->source),
> > 610 (char *)(uh+1),
> > 611 ulen - sizeof(struct udphdr));
> >
> > it just receives a pointer to the data and can't do anything to make it linear.
> > (uh is a pointer to the udp header). Am I missing something?
>
> Then this hook's API needs to be fixed, it's completely broken.
>
> Make it pass the SKB and the appropriate offset (from skb->data) in
> bytes.
>
Ok I will do that. But I think this API change must go into net-next, right?
Otherwise we would break every existing user.
What about resending this patch to net (after having removed the pskb_may_pull()
as pointed out by Eric) and then fixing the API in net-next?
--
Antonio Quartulli
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply
* Re: [PATCH net] netpoll: linearize skb before accessing its data
From: David Miller @ 2013-10-22 6:25 UTC (permalink / raw)
To: antonio; +Cc: netdev
In-Reply-To: <20131022060635.GF1544@neomailbox.net>
From: Antonio Quartulli <antonio@meshcoding.com>
Date: Tue, 22 Oct 2013 08:06:35 +0200
> But rx_hook() does not receive any skb:
>
> 609 np->rx_hook(np, ntohs(uh->source),
> 610 (char *)(uh+1),
> 611 ulen - sizeof(struct udphdr));
>
> it just receives a pointer to the data and can't do anything to make it linear.
> (uh is a pointer to the udp header). Am I missing something?
Then this hook's API needs to be fixed, it's completely broken.
Make it pass the SKB and the appropriate offset (from skb->data) in
bytes.
^ permalink raw reply
* Re: [PATCH 3/3] net: ksz884x: use DEFINE_PCI_DEVICE_TABLE
From: David Miller @ 2013-10-22 6:19 UTC (permalink / raw)
To: jg1.han; +Cc: netdev, buytenh
In-Reply-To: <001001ceced3$0bbdea20$2339be60$%han@samsung.com>
From: Jingoo Han <jg1.han@samsung.com>
Date: Tue, 22 Oct 2013 12:01:47 +0900
> This macro is used to create a struct pci_device_id array.
>
> Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Applied.
^ permalink raw reply
* Re: [PATCH 2/3] net: tulip: use DEFINE_PCI_DEVICE_TABLE
From: David Miller @ 2013-10-22 6:19 UTC (permalink / raw)
To: jg1.han; +Cc: netdev, grundler
In-Reply-To: <000f01ceced2$dde772b0$99b65810$%han@samsung.com>
From: Jingoo Han <jg1.han@samsung.com>
Date: Tue, 22 Oct 2013 12:00:30 +0900
> This macro is used to create a struct pci_device_id array.
>
> Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Applied.
^ permalink raw reply
* Re: [PATCH 1/3] net: cxgb4vf: use DEFINE_PCI_DEVICE_TABLE
From: David Miller @ 2013-10-22 6:19 UTC (permalink / raw)
To: jg1.han; +Cc: netdev, leedom
In-Reply-To: <000e01ceced2$a9e5d970$fdb18c50$%han@samsung.com>
From: Jingoo Han <jg1.han@samsung.com>
Date: Tue, 22 Oct 2013 11:59:02 +0900
> This macro is used to create a struct pci_device_id array.
>
> Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Applied.
^ permalink raw reply
* Re: [PATCH net-next] net: remove function sk_reset_txq()
From: David Miller @ 2013-10-22 6:18 UTC (permalink / raw)
To: gamerh2o; +Cc: netdev, linux-kernel
In-Reply-To: <20131022041124.GA14122@will>
From: ZHAO Gang <gamerh2o@gmail.com>
Date: Tue, 22 Oct 2013 12:11:24 +0800
> What sk_reset_txq() does is just calls function sk_tx_queue_reset(),
> and sk_reset_txq() is used only in sock.h, by dst_negative_advice().
> Let dst_negative_advice() calls sk_tx_queue_reset() directly so we
> can remove unneeded sk_reset_txq().
>
> Signed-off-by: ZHAO Gang <gamerh2o@gmail.com>
Still doesn't apply.
Email this patch to yourself, I bet the patch you receive won't
apply cleanly. Likely your email client is corrupting the patch.
You've already eaten enough of my time as a maintainer submitting
a patch that won't even apply. Absolutely do not resubmit this
patch until you can email the patch successfully to yourself
and successfuly apply the patch you receive in that email to
the current net-next tree.
^ permalink raw reply
* Re: [PATCH 1/1] [PATCH resubmit] ax88179_178a: Correct the RX error definition in RX header
From: David Miller @ 2013-10-22 6:15 UTC (permalink / raw)
To: freddy; +Cc: linux-usb, linux-kernel, netdev, allan, louis
In-Reply-To: <1382406449-2041-1-git-send-email-freddy@asix.com.tw>
Submit these, not individually as single patches, but as a patch set,
the first one with subject "[PATCH 1/2]" and the second with
subject "[PATCH 2/2]"
You have to do this, because it is absolutely essentially to let
me know which patch gets applies first and which one gets applied
second. The two patches are to the same file, so if you don't
tell me the order, they won't apply cleanly at all.
^ permalink raw reply
* Re: [PATCH 00/15] net: ethernet: remove unnecessary pci_set_drvdata() part 3
From: David Miller @ 2013-10-22 6:13 UTC (permalink / raw)
To: jg1.han; +Cc: netdev
In-Reply-To: <000601cecedd$1981e300$4c85a900$%han@samsung.com>
From: Jingoo Han <jg1.han@samsung.com>
Date: Tue, 22 Oct 2013 13:13:44 +0900
> Since commit 0998d0631001288a5974afc0b2a5f568bcdecb4d
> (device-core: Ensure drvdata = NULL when no driver is bound),
> the driver core clears the driver data to NULL after device_release
> or on probe failure. Thus, it is not needed to manually clear the
> device driver data to NULL.
Series applied, thanks.
^ permalink raw reply
* Re: [PATCH net] netpoll: linearize skb before accessing its data
From: Antonio Quartulli @ 2013-10-22 6:06 UTC (permalink / raw)
To: David Miller; +Cc: netdev
In-Reply-To: <20131021.182319.625146263287554088.davem@davemloft.net>
[-- Attachment #1: Type: text/plain, Size: 1442 bytes --]
On Mon, Oct 21, 2013 at 06:23:19PM -0400, David Miller wrote:
> From: Antonio Quartulli <antonio@meshcoding.com>
> Date: Mon, 21 Oct 2013 23:31:20 +0200
>
> > __netpoll_rx() assumes that the data buffer of the received
> > skb is linear and then passes it to rx_hook().
> > However this is not true because the skb has not been
> > linearized yet.
> >
> > This can cause rx_hook() to access non allocated memory
> > while parsing the received data.
> >
> > Fix __netpoll_rx() by explicitly linearising the skb.
> >
> > Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
>
> It is rx_hook's obligation to access the SKB properly and not
> assume that the SKB is linear. It is very expensive to
> linearize every SKB just for the sake of improperly implemented
> receive hooks.
>
> In particular the rx hooks must make use of interface such
> as pskb_may_pull(), just like every other protocol does
> on packet input processing, to make sure the area they want
> to access is in the linear area.
>
But rx_hook() does not receive any skb:
609 np->rx_hook(np, ntohs(uh->source),
610 (char *)(uh+1),
611 ulen - sizeof(struct udphdr));
it just receives a pointer to the data and can't do anything to make it linear.
(uh is a pointer to the udp header). Am I missing something?
Regards,
--
Antonio Quartulli
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply
* Re: [PATCH 01/15] net: pasemi: remove unnecessary pci_set_drvdata()
From: Olof Johansson @ 2013-10-22 6:07 UTC (permalink / raw)
To: Jingoo Han; +Cc: David S. Miller, Network Development
In-Reply-To: <000701cecedd$3d7f24c0$b87d6e40$%han@samsung.com>
On Mon, Oct 21, 2013 at 9:14 PM, Jingoo Han <jg1.han@samsung.com> wrote:
> The driver core clears the driver data to NULL after device_release
> or on probe failure. Thus, it is not needed to manually clear the
> device driver data to NULL.
>
> Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Acked-by: Olof Johansson <olof@lixom.net>
^ permalink raw reply
* [PATCH 15/15] net: cassini: remove unnecessary pci_set_drvdata()
From: Jingoo Han @ 2013-10-22 4:21 UTC (permalink / raw)
To: 'David S. Miller'; +Cc: netdev, 'Jingoo Han'
In-Reply-To: <000601cecedd$1981e300$4c85a900$%han@samsung.com>
The driver core clears the driver data to NULL after device_release
or on probe failure. Thus, it is not needed to manually clear the
device driver data to NULL.
Signed-off-by: Jingoo Han <jg1.han@samsung.com>
---
drivers/net/ethernet/sun/cassini.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
index a72ecc4..b4d50d7 100644
--- a/drivers/net/ethernet/sun/cassini.c
+++ b/drivers/net/ethernet/sun/cassini.c
@@ -5168,7 +5168,6 @@ err_out_free_netdev:
err_out_disable_pdev:
pci_disable_device(pdev);
- pci_set_drvdata(pdev, NULL);
return -ENODEV;
}
@@ -5206,7 +5205,6 @@ static void cas_remove_one(struct pci_dev *pdev)
free_netdev(dev);
pci_release_regions(pdev);
pci_disable_device(pdev);
- pci_set_drvdata(pdev, NULL);
}
#ifdef CONFIG_PM
--
1.7.10.4
^ permalink raw reply related
* [PATCH 14/15] net: sunhme: remove unnecessary pci_set_drvdata()
From: Jingoo Han @ 2013-10-22 4:20 UTC (permalink / raw)
To: 'David S. Miller'; +Cc: netdev, 'Jingoo Han'
In-Reply-To: <000601cecedd$1981e300$4c85a900$%han@samsung.com>
The driver core clears the driver data to NULL after device_release
or on probe failure. Thus, it is not needed to manually clear the
device driver data to NULL.
Signed-off-by: Jingoo Han <jg1.han@samsung.com>
---
drivers/net/ethernet/sun/sunhme.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/sun/sunhme.c b/drivers/net/ethernet/sun/sunhme.c
index 99043b7..0dbf46f 100644
--- a/drivers/net/ethernet/sun/sunhme.c
+++ b/drivers/net/ethernet/sun/sunhme.c
@@ -3170,8 +3170,6 @@ static void happy_meal_pci_remove(struct pci_dev *pdev)
pci_release_regions(hp->happy_dev);
free_netdev(net_dev);
-
- pci_set_drvdata(pdev, NULL);
}
static DEFINE_PCI_DEVICE_TABLE(happymeal_pci_ids) = {
--
1.7.10.4
^ permalink raw reply related
* [PATCH 13/15] net: stmmac: remove unnecessary pci_set_drvdata()
From: Jingoo Han @ 2013-10-22 4:20 UTC (permalink / raw)
To: 'David S. Miller'
Cc: netdev, 'Jingoo Han', 'Giuseppe Cavallaro'
In-Reply-To: <000601cecedd$1981e300$4c85a900$%han@samsung.com>
The driver core clears the driver data to NULL after device_release
or on probe failure. Thus, it is not needed to manually clear the
device driver data to NULL.
Signed-off-by: Jingoo Han <jg1.han@samsung.com>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
index 023b7c2..644d80e 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -138,7 +138,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev)
stmmac_dvr_remove(ndev);
- pci_set_drvdata(pdev, NULL);
pci_iounmap(pdev, priv->ioaddr);
pci_release_regions(pdev);
pci_disable_device(pdev);
--
1.7.10.4
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox