- 14 Mar, 2016 22 commits
-
-
David S. Miller authored
Sabrina Dubroca says: ==================== MACsec IEEE 802.1AE implementation MACsec (IEEE 802.1AE [0]) is a protocol that provides security for wired ethernet LANs. MACsec offers two protection modes: authentication only, or authenticated encryption. MACsec defines "secure channels" that allow transmission from one node to one or more others. Communication on a channel is done over a succession of "secure associations", that each use a specific key. Secure associations are identified by their "association number" in the range 0..3. A secure association is retired when its 32-bit packet number would wrap, and the same association number can later be reused with a new key and packet number. The standard mode of encryption is GCM AES with 128 bits keys, although an extension allows 256 bits keys [1] (not implemented in this submission). When using MACsec, an extra header, called "SecTAG", is added between the ethernet header and the original payload: +---------------------------------+----------------+----------------+ | (MACsec ethertype) | TCI_AN | SL | +---------------------------------+----------------+----------------+ | Packet Number | +-------------------------------------------------------------------+ | Secure Channel Identifier | | (optional) | +-------------------------------------------------------------------+ TCI_AN: version end_station sci_present scb encrypted changed_text association_number (2 bits) SL: short_length (6 bits) unused (2 bits) The ethertype for the packet is set to 0x88E5, and the original ethertype becomes part of the secure payload, which may be encrypted. The ethernet header and the SecTAG are always transmitted in the clear, but are integrity-protected. MACsec supports optional replay protection with a configurable replay window. MACsec is designed to be used with the MKA extension to 802.1X (MACsec Key Agreement protocol) [2], which provides channel attribution and key distribution to the nodes, but can also be used with static keys getting fed manually by an administrator. Optional (not supported yet) features: - confidentiality offset: in encryption mode, part of the payload may be left unencrypted. - choice of cipher suite: GCM AES with 256 bits has been standardised [1]. Implementation A netdevice is created on top of a real device for each TX secure channel, like we do for VLANs. Multiple TX channels can be created on top of the same underlying device. Several other approaches were considered for the RX path: - dev_add_pack: doesn't work, because we want to filter out unprotected packets - transparent mode: MACsec would be enabled directly on the real netdevice. For this, we cannot use a rx_handler directly because MACsec must be available for underlying devices enslaved in a bridge or in a bond, so we need a hook directly in __netif_receive_skb_core. This approach makes it harder to filter non-encrypted packets on RX without forcing the user to setup some rules, so the "transparent" mode is not so transparent after all. It also makes TX more complex than with a dedicated netdevice. One issue with the proposed implementation is that the qdisc layer for the real device operates on already encrypted packets. Netlink API This is currently a mix of rtnetlink (to create the device and set up the TX channel) and genl (for RX channels, secure associations and their keys). genl provides clean demultiplexing of the {TX,RX}{SC,SA} commands. Use cases The normal use case is wired LANs, including veth and slave devices for bonding/teaming or bridges. MACsec can also be used on any device that makes a full ethernet header visible, for example VXLAN. The VXLAN+MACsec setup would be: hypervisor | virtual machine <real_dev>---<VXLAN>---|---<dev>---<macsec_dev> And the packets would look like this: | eth | IP | UDP | VXLAN | eth | MACsec | IP | ... | MACsec ICV | One benefit on this approach to encryption in the cloud is that the payload is encrypted by the tenant, not by the tunnel provider, thus the tenant has full control over the keys. Changes from v1: - rework netlink API after discussion with Johannes Berg - nest attributes, rename - export stats as separate attributes - add some comments - misc small fixes (rcu, constants, struct organization) Changes from RFCv2: - fix ENCODING_SA param validation - add parent link to netlink ifdumps Changes from RFCv1: - addressed comments from Florian and Paolo + kbuild robot - also perform post-decrypt handling after crypto callback - fixed ->dellink behavior Future plans: - offload to hardware, on nics that support it - implement optional features [0] http://standards.ieee.org/getieee802/download/802.1AE-2006.pdf [1] http://standards.ieee.org/getieee802/download/802.1AEbn-2011.pdf [2] http://standards.ieee.org/getieee802/download/802.1X-2010.pdf [3] RFCv1: http://www.spinics.net/lists/netdev/msg358151.html [4] RFCv2: http://www.spinics.net/lists/netdev/msg362389.html [5] v1: http://www.spinics.net/lists/netdev/msg367959.html ==================== Signed-off-by:David S. Miller <davem@davemloft.net>
-
Sabrina Dubroca authored
This is an implementation of MACsec/IEEE 802.1AE. This driver provides authentication and encryption of traffic in a LAN, typically with GCM-AES-128, and optional replay protection. http://standards.ieee.org/getieee802/download/802.1AE-2006.pdfSigned-off-by:
Sabrina Dubroca <sd@queasysnail.net> Reviewed-by:
Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by:
-
Sabrina Dubroca authored
Signed-off-by:
-
Sabrina Dubroca authored
Signed-off-by:
-
liping.zhang authored
There is no need to use the static variable here, pr_info_once is more concise. Signed-off-by:
Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by:
-
Zefir Kurtisi authored
When operating the at803x in SGMII mode, resuming the chip from power down brings up the copper-side link but leaves the SGMII link in unconnected state (tested with at8031 attached to gianfar). In effect, this caused a permanent link loss once the related interface was put down. This patch ensures that power down handling in supspend() and resume() is also applied to the SGMII link. Signed-off-by:
Zefir Kurtisi <zefir.kurtisi@neratec.com> Signed-off-by:
-
David S. Miller authored
Jesper Dangaard Brouer says: ==================== net: bulk free adjustment and two driver use-cases I've split out the bulk free adjustments, from the bulk alloc patches, as I want the adjustment to napi_consume_skb be in same kernel cycle the API was introduced. Adjustments based on discussion: Subj: "mlx4: use napi_consume_skb API to get bulk free operations" http://thread.gmane.org/gmane.linux.network/402503/focus=403386 Patchset based on net-next at commit 3ebeac1d V4: more nitpicks from Sergei V3: spelling fixes from Sergei ==================== Signed-off-by:
-
Jesper Dangaard Brouer authored
Bulk free of SKBs happen transparently by the API call napi_consume_skb(). The napi budget parameter is needed by napi_consume_skb() to detect if called from netpoll. Signed-off-by:
Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by:
-
Jesper Dangaard Brouer authored
Bulk free of SKBs happen transparently by the API call napi_consume_skb(). The napi budget parameter is usually needed by napi_consume_skb() to detect if called from netpoll. In this patch it has an extra meaning. For mlx4 driver, the mlx4_en_stop_port() call is done outside NAPI/softirq context, and cleanup the entire TX ring via mlx4_en_free_tx_buf(). The code mlx4_en_free_tx_desc() for freeing SKBs are shared with NAPI calls. To handle this shared use the zero budget indication is reused, and handled appropriately in napi_consume_skb(). To reflect this, variable is called napi_mode for the function call that needed this distinction. Signed-off-by:
-
Jesper Dangaard Brouer authored
Some drivers reuse/share code paths that free SKBs between NAPI and non-NAPI calls. Adjust napi_consume_skb to handle this use-case. Before, calls from netpoll (w/ IRQs disabled) was handled and indicated with a budget zero indication. Use the same zero indication to handle calls not originating from NAPI/softirq. Simply handled by using dev_consume_skb_any(). This adds an extra branch+call for the netpoll case (checking in_irq() + irqs_disabled()), but that is okay as this is a slowpath. Suggested-by:
Alexander Duyck <aduyck@mirantis.com> Signed-off-by:
-
Chun-Hao Lin authored
For pcie nic, after setting link speed and there is no link driver does not need to do phy reset until link up. For some pcie nics, to do this will also reset phy speed down counter and prevent phy from auto speed down. This patch fix the issue reported in following link. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1547151Signed-off-by:
Chunhao Lin <hau@realtek.com> Signed-off-by:
-
Jiri Pirko authored
Firmware now tells us that the reset is done by passing a magic value via register. Use it to shorten the wait in case this is supported. With old firmware, we still wait until the timeout is reached. Signed-off-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
-
Marcelo Ricardo Leitner authored
Currently sctp_sendmsg() triggers some calls that will allocate memory with GFP_ATOMIC even when not necessary. In the case of sctp_packet_transmit it will allocate a linear skb that will be used to construct the packet and this may cause sends to fail due to ENOMEM more often than anticipated specially with big MTUs. This patch thus allows it to inherit gfp flags from upper calls so that it can use GFP_KERNEL if it was triggered by a sctp_sendmsg call or similar. All others, like retransmits or flushes started from BH, are still allocated using GFP_ATOMIC. In netperf tests this didn't result in any performance drawbacks when memory is not too fragmented and made it trigger ENOMEM way less often. Signed-off-by:
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by:
-
Samuel Gauthier authored
When we want to change a flow using netlink, we have to identify it to be able to perform a lookup. Both the flow key and unique flow ID (ufid) are valid identifiers, but we always have to specify the flow key in the netlink message. When both attributes are there, the ufid is used. The flow key is used to validate the actions provided by the userland. This commit allows to use the ufid without having to provide the flow key, as it is already done in the netlink 'flow get' and 'flow del' path. The flow key remains mandatory when an action is provided. Signed-off-by:
Samuel Gauthier <samuel.gauthier@6wind.com> Reviewed-by:
Simon Horman <simon.horman@netronome.com> Acked-by:
Pravin B Shelar <pshelar@ovn.org> Signed-off-by:
-
Nicolas Ferre authored
On AT91 SoCs, the User Register (USRIO) exposes a switch to configure the "Reduced" or "Traditional" version of the Media Independent Interface (RMII vs. MII or RGMII vs. GMII). As on the older EMAC version, on GMAC, this switch is set by default to the non-reduced type of interface, so use the existing capability and extend it to GMII as well. We then keep the current logic in the macb_init() function. The capabilities of sama5d2, sama5d4 and sama5d3 GEM interface are updated in the macb_config structure to be able to properly enable them with a traditional interface (GMII or MII). Reported-by:
Romain HENRIET <romain.henriet@l-acoustics.com> Signed-off-by:
Nicolas Ferre <nicolas.ferre@atmel.com> Signed-off-by:
-
LABBE Corentin authored
Commit e5a03bfd ("phy: Add an mdio_device structure") removed addr, bus and dev member of the phy_device structure. This patch remove the documentation about those members. Signed-off-by:
LABBE Corentin <clabbe.montjoie@gmail.com> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Acked-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
David S. Miller authored
Paul Durrant says: ==================== xen-netback: fix multiple extra info handling If a frontend passes multiple extra info fragments to netback on the guest transmit side, because xen-netback does not account for this properly, only a single ack response will be sent. This will eventually cause processing of the shared ring to wedge. This series re-imports the canonical netif.h from Xen, where the ring protocol documentation has been updated, fixes this issue in xen-netback and also adds a patch to reduce log spam. ==================== Signed-off-by: -
Paul Durrant authored
Remove the "prepare for reconnect" pr_info in xenbus.c. It's largely uninteresting and the states of the frontend and backend can easily be observed by watching the (o)xenstored log. Signed-off-by:
Paul Durrant <paul.durrant@citrix.com> Cc: Wei Liu <wei.liu2@citrix.com> Acked-by:
Wei Liu <wei.liu2@citrix.com> Signed-off-by:
-
Paul Durrant authored
The code does not currently support a frontend passing multiple extra info fragments to the backend in a tx request. The xenvif_get_extras() function handles multiple extra_info fragments but make_tx_response() assumes there is only ever a single extra info fragment. This patch modifies xenvif_get_extras() to pass back a count of extra info fragments, which is then passed to make_tx_response() (after possibly being stashed in pending_tx_info for deferred responses). Signed-off-by:
-
Paul Durrant authored
The canonical netif header (in the Xen source repo) and the Linux variant have diverged significantly. Recently much documentation has been added to the canonical header which is highly useful for developers making modifications to either xen-netfront or xen-netback. This patch therefore re-imports the canonical header in its entirity. To maintain compatibility and some style consistency with the old Linux variant, the header was stripped of its emacs boilerplate, and post-processed and copied into place with the following commands: ed -s netif.h << EOF H ,s/NETTXF_/XEN_NETTXF_/g ,s/NETRXF_/XEN_NETRXF_/g ,s/NETIF_/XEN_NETIF_/g ,s/XEN_XEN_/XEN_/g ,s/netif/xen_netif/g ,s/xen_xen_/xen_/g ,s/^typedef.*$//g ,s/^ /${TAB}/g w $ w EOF indent --line-length 80 --linux-style netif.h \ -o include/xen/interface/io/netif.h Signed-off-by: -
Zhang Shengju authored
This patch adds macro NETCONFA_ALL to represent all type of netconf attributes for IPv4 and IPv6. Signed-off-by:
Zhang Shengju <zhangshengju@cmss.chinamobile.com> Signed-off-by:
-
Xin Long authored
prior to this patch, at the beginning if we have two paths in one assoc, they may have the same params other than the last_time_heard, it will try the paths like this: 1st cycle try trans1 fail. then trans2 is selected.(cause it's last_time_heard is after trans1). 2nd cycle: try trans2 fail then trans2 is selected.(cause it's last_time_heard is after trans1). 3rd cycle: try trans2 fail then trans2 is selected.(cause it's last_time_heard is after trans1). .... trans1 will never have change to be selected, which is not what we expect. we should keeping round robin all the paths if they are just added at the beginning. So at first every tranport's last_time_heard should be initialized 0, so that we ensure they have the same value at the beginning, only by this, all the transports could get equal chance to be selected. Then for sctp_trans_elect_best, it should return the trans_next one when *trans == *trans_next, so that we can try next if it fails, but now it always return trans. so we can fix it by exchanging these two params when we calls sctp_trans_elect_tie(). Fixes: 4c47af4d ('net: sctp: rework multihoming retransmission path selection to rfc4960') Signed-off-by:
Xin Long <lucien.xin@gmail.com> Acked-by:
Daniel Borkmann <daniel@iogearbox.net> Acked-by:
-
- 13 Mar, 2016 6 commits
-
-
David Howells authored
Replace all "unsigned" types with "unsigned int" types. Reported-by:
David Howells <dhowells@redhat.com> Signed-off-by:
-
David S. Miller authored
Merge tag 'wireless-drivers-next-for-davem-2016-03-09' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next Kalle Valo says: ==================== wireless-drivers patches for 4.6 Major changes: ath10k * dt: add bindings for ipq4019 wifi block * start adding support for qca4019 chip ath9k * add device ID for Toshiba WLM-20U2/GN-1080 * allow more than one interface on DFS channels bcma * move flash detection code to ChipCommon core driver brcmfmac * IPv6 Neighbor discovery offload * driver settings that can be populated from different sources * country code setting in firmware * length checks to validate firmware events * new way to determine device memory size needed for BCM4366 * various offloads during Wake on Wireless LAN (WoWLAN) * full Management Frame Protection (MFP) support iwlwifi * add support for thermal device / cooling device * improvements in scheduled scan without profiles * new firmware support (-21.ucode) * add MSIX support for 9000 devices * enable MU-MIMO and take care of firmware restart * add support for large SKBs in mvm to reach A-MSDU * add support for filtering frames from a BA session * start implementing the new Rx path for 9000 devices * enable the new Radio Resource Management (RRM) nl80211 feature flag * add a new module paramater to disable VHT * build infrastructure for Dynamic Queue Allocation ==================== Signed-off-by:
-
David S. Miller authored
Alexander Duyck says: ==================== A couple of minor clean-ups and optimizations This patch series is basically just a v2 of a couple patches I recently submitted. The two patches aren't technically related but there are just items I found while cleaning up and prepping some further work to enable Tx checksums for tunnels. ==================== Signed-off-by: -
Alexander Duyck authored
The code for csum_block_add was doing a funky byteswap to swap the even and odd bytes of the checksum if the offset was odd. Instead of doing this we can save ourselves some trouble and just shift by 8 as this should have the same effect in terms of the final checksum value and only requires one instruction. In addition we can update csum_block_sub to just use csum_block_add with a inverse value for csum2. This way we follow the same code path as csum_block_add without having to duplicate it. Signed-off-by:
-
Alexander Duyck authored
This patch updates the GRO handlers for GRE, VXLAN, GENEVE, and FOU so that we do not clear the flush bit until after we have called the next level GRO handler. Previously this was being cleared before parsing through the list of frames, however this resulted in several paths where either the bit needed to be reset but wasn't as in the case of FOU, or cases where it was being set as in GENEVE. By just deferring the clearing of the bit until after the next level protocol has been parsed we can avoid any unnecessary bit twiddling and avoid bugs. Signed-off-by:
-
Jiri Pirko authored
This is OF-DPA specific, used only there, similar to ofdpa_port->ageing_time. So move it to OF-DPA code. Signed-off-by:
-
- 11 Mar, 2016 12 commits
-
-
David S. Miller authored
Yuval Mintz says: ==================== qed: Management firmware updates This series contains several changes to driver interaction with the management fw. The biggest [& most significant] change here is a change in the locking scheme and re-definition of the 'critical section' when accessing shared resources toward the goal of interacting with the management firmware. ==================== Signed-off-by: -
Yuval Mintz authored
In the scenario where slowpath configuration isn't passing due to various pause configurations affecting the chip, the theoretical time required in worst-case-scenario to empty hw fifos sufficiently to guarantee that slowpath configuration would flow is currently insufficient. This increases such a drain request to the theoretical maximum. Signed-off-by:
Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by:
-
Zvi Nachmani authored
Handle a new message from the MFW, one that indicate that the transciever state has changed, and log that into the system logs. Signed-off-by:
Zvi Nachmani <Zvi.Nachmani@qlogic.com> Signed-off-by:
-
Tomer Tayar authored
Driver interaction with the managemnt firmware is done via mailbox commands which the management firmware periodically sample, as well as placing of additional data in set places in the shared memory. Each PF has a single designated mailbox address, and all flows that require messaging to the management should use it. This patch does 2 things: 1. It re-defines the critical section surrounding the mailbox sending - that section should include the setting of the shared memory as well as the sending of the command [otherwise a race might send a command with the data of a different command]. 2. It moves the locking scheme from using mutices into using spinlocks. This lays the groundwork for sending MFW commands from non-sleepable contexts. Signed-off-by:
Tomer Tayar <Tomer.Tayar@qlogic.com> Signed-off-by:
-
Sudarsana Reddy Kalluru authored
When device is configured for Multi-function mode, some older management firmware might incorrectly notify interfaces of link changes while they haven't requested the physical link configuration to be set. This can create bizzare race conditions where unloading interfaces are getting notified that the link is up. Let the driver compensate - store the logical requested state of the link and don't propagate notifications after protocol driver explicitly requires the link to be unset. Signed-off-by:
Sudarsana Reddy Kalluru <sudarsana.kalluru@qlogic.com> Signed-off-by:
-
David S. Miller authored
Daniel Borkmann says: ==================== BPF support for flow labels This set adds support for tunnel key flow labels for vxlan and geneve devices in collect meta data mode and eBPF support for managing these. For details please see individual patches. ==================== Signed-off-by: -
Daniel Borkmann authored
This patch extends bpf_tunnel_key with a tunnel_label member, that maps to ip_tunnel_key's label so underlying backends like vxlan and geneve can propagate the label to udp_tunnel6_xmit_skb(), where it's being set in the IPv6 header. It allows for having 20 more bits to encode/decode flow related meta information programmatically. Tested with vxlan and geneve. Signed-off-by:
Alexei Starovoitov <ast@kernel.org> Signed-off-by:
-
Daniel Borkmann authored
This work adds support for setting the IPv6 flow label for geneve per device and through collect metadata (ip_tunnel_key) frontends. Also here, the geneve dst cache does not need any special considerations, for the cases where caches can be used, the label is static per cache. Signed-off-by:
-
Daniel Borkmann authored
This work adds support for setting the IPv6 flow label for vxlan per device and through collect metadata (ip_tunnel_key) frontends. The vxlan dst cache does not need any special considerations here, for the cases where caches can be used, the label is static per cache. Signed-off-by:
-
Daniel Borkmann authored
This patch extends udp_tunnel6_xmit_skb() to pass in the IPv6 flow label from call sites. Currently, there's no such option and it's always set to zero when writing ip6_flow_hdr(). Add a label member to ip_tunnel_key, so that flow-based tunnels via collect metadata frontends can make use of it. vxlan and geneve will be converted to add flow label support separately. Signed-off-by:
-
Joe Perches authored
Don't hide varibles used by the logging macros. Miscellanea: o Use the more common ##__VA_ARGS__ extension o Add missing newlines to formats o Realign arguments Signed-off-by:
Joe Perches <joe@perches.com> Signed-off-by:
-
David S. Miller authored
Stephen Hemminger says: ==================== bridge: ageing timer regression fix This fixes regression in how ageing timer is managed. Backing out the change required fixing switch drivers as well. ==================== Signed-off-by:
-
