1. 16 Jan, 2015 15 commits
  2. 15 Jan, 2015 15 commits
      Merge branch 'cxgb4-next' · 615612dc
      David S. Miller authored
      Anish Bhatt says:
      
      ====================
      cxgb4/cxgb4i : Update & use ipv6 handling api
      
      This patch series consolidates and updates the ipv6 api, as well as exports
      it for use by upper level drivers dependent on cxgb4
      
      v2: Fix formatting issues in clip_tbl.c
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cxgb4i : Call into recently added cxgb4 ipv6 api · 211a84e3
      Anish Bhatt authored
      Get a reference on every ipv6 address we offload to hardware so that it cannot
      be prematurely cleared out before cleanup.
      Signed-off-by: Anish Bhatt <anish@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cxgb4 : Update ipv6 address handling api · b5a02f50
      Anish Bhatt authored
      This patch improves on previously added support for ipv6 addresses. The code
      is consolidated to a single file and adds an api for use by dependent upper
      level drivers such as cxgb4i/iw_cxgb4 etc.
      Signed-off-by: Anish Bhatt <anish@chelsio.com>
      Signed-off-by: Deepak Singh <deepak.s@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv4: per cpu uncached list · 5055c371
      Eric Dumazet authored
      RAW sockets with hdrinc suffer from contention on rt_uncached_lock
      spinlock.
      
      One solution is to use percpu lists, since most routes are destroyed
      by the cpu that created them.
      
      It is unclear why we even have to put these routes in uncached_list,
      as all outgoing packets should be freed when a device is dismantled.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Fixes: caacf05e ("ipv4: Properly purge netdev references on uncached routes.")
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: sh_eth: Use u32 for 32-bit register data · 0799c2d6
      Geert Uytterhoeven authored
      Replace "unsigned long" by "u32" when handling 32-bit register data.
      
      A.o., this saves 11 * 36 bytes in the static sh_eth_cpu_data structures
      when compiling for 64-bit.
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      dm9000: Add regulator and reset support to dm9000 · 7994fe55
      Zubair Lutfullah Kakakhel authored
      In boards, the dm9000 chip's power and reset can be controlled by gpio.
      
      It makes sense to add them to the dm9000 driver and let dt be used to
      enable power and reset the phy.
      Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>
      Signed-off-by: Paul Burton <paul.burton@imgtec.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      socket: use iov_length() · 7eb35b14
      Nicolas Dichtel authored
      Better to use available helpers.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 4e7a84b1
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      netfilter updates for net-next
      
      The following patchset contains netfilter updates for net-next, just a
      bunch of cleanups and small enhancement to selectively flush conntracks
      in ctnetlink, more specifically the patches are:
      
      1) Raise the default number of buckets in conntrack from 16384 to 65536 in
         systems with >= 4GBytes, patch from Marcelo Leitner.
      
      2) Small refactor to save one level on indentation in xt_osf, from
         Joe Perches.
      
      3) Remove unnecessary sizeof(char) in nf_log, from Fabian Frederick.
      
      4) Another small cleanup to remove redundant variable in nfnetlink,
         from Duan Jiong.
      
      5) Fix compilation warning in nfnetlink_cthelper on parisc, from
         Chen Gang.
      
      6) Fix wrong format in debugging for ctseqadj, from Gao feng.
      
      7) Selective conntrack flushing through the mark for ctnetlink, patch
         from Kristian Evensen.
      
      8) Remove nf_ct_conntrack_flush_report() exported symbol now that it is
         not required anymore after the selective flushing patch, again from
         Kristian.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'vxlan_group_policy_extension' · 2e62fa69
      David S. Miller authored
      Thomas Graf says:
      
      ====================
      VXLAN Group Policy Extension
      
      Implements support for the Group Policy VXLAN extension [0] to provide
      a lightweight and simple security label mechanism across network peers
      based on VXLAN. The security context and associated metadata are mapped
      to/from skb->mark. This allows further mapping to a SELinux context
      using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
      tc, etc.
      
      The extension is disabled by default and should be run on a distinct
      port in mixed Linux VXLAN VTEP environments. Liberal VXLAN VTEPs
      which ignore unknown reserved bits will be able to receive VXLAN-GBP
      frames.
      
      Simple usage example:
      
      10.1.1.1:
         # ip link add vxlan0 type vxlan id 10 remote 10.1.1.2 gbp
         # iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
      
      10.1.1.2:
         # ip link add vxlan0 type vxlan id 10 remote 10.1.1.1 gbp
         # iptables -I INPUT -m mark --mark 0x200 -j DROP
      
      iproute2 [1] and OVS [2] support will be provided in separate patches.
      
      [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
      [1] https://github.com/tgraf/iproute2/tree/vxlan-gbp
      [2] https://github.com/tgraf/ovs/tree/vxlan-gbp
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      openvswitch: Support VXLAN Group Policy extension · 1dd144cf
      Thomas Graf authored
      Introduces support for the group policy extension to the VXLAN virtual
      port. The extension is disabled by default and only enabled if the user
      has provided the respective configuration.
      
        ovs-vsctl add-port br0 vxlan0 -- \
           set Interface vxlan0 type=vxlan options:exts=gbp
      
      The configuration interface to enable the extension is based on a new
      attribute OVS_VXLAN_EXT_GBP nested inside OVS_TUNNEL_ATTR_EXTENSION
      which can carry additional extensions as needed in the future.
      
      The group policy metadata is stored as binary blob (struct ovs_vxlan_opts)
      internally just like Geneve options but transported as nested Netlink
      attributes to user space.
      
      Renames the existing TUNNEL_OPTIONS_PRESENT to TUNNEL_GENEVE_OPT with the
      binary value kept intact, a new flag TUNNEL_VXLAN_OPT is introduced.
      
      The attributes OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS and existing
      OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS are implemented mutually exclusive.
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      openvswitch: Allow for any level of nesting in flow attributes · 81bfe3c3
      Thomas Graf authored
      nlattr_set() is currently hardcoded to two levels of nesting. This change
      introduces struct ovs_len_tbl to define minimal length requirements plus
      next level nesting tables to traverse the key attributes to arbitrary depth.
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      openvswitch: Rename GENEVE_TUN_OPTS() to TUN_METADATA_OPTS() · d91641d9
      Thomas Graf authored
      Also factors out Geneve validation code into a new separate function
      validate_and_copy_geneve_opts().
      
      A subsequent patch will introduce VXLAN options. Rename the existing
      GENEVE_TUN_OPTS() to reflect its extended purpose of carrying generic
      tunnel metadata options.
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      vxlan: Only bind to sockets with compatible flags enabled · ac5132d1
      Thomas Graf authored
      A VXLAN net_device looking for an appropriate socket may only consider
      a socket which has a matching set of flags/extensions enabled. If
      incompatible flags are enabled, return a conflict to have the caller
      create a distinct socket with distinct port.
      
      The OVS VXLAN port is kept unaware of extensions at this point.
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      vxlan: Group Policy extension · 3511494c
      Thomas Graf authored
      Implements support for the Group Policy VXLAN extension [0] to provide
      a lightweight and simple security label mechanism across network peers
      based on VXLAN. The security context and associated metadata are mapped
      to/from skb->mark. This allows further mapping to a SELinux context
      using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
      tc, etc.
      
      The group membership is defined by the lower 16 bits of skb->mark, the
      upper 16 bits are used for flags.
      
      SELinux allows managing labels to secure local resources. However,
      distributed applications require ACLs to be implemented across hosts. This
      is typically achieved by matching on L2-L4 fields to identify the
      original sending host and process on the receiver. On top of that,
      netlabel and specifically CIPSO [1] allow mapping security contexts to
      universal labels. However, netlabel and CIPSO are relatively complex.
      This patch provides a lightweight alternative for overlay network
      environments with a trusted underlay. No additional control protocol
      is required.
      
                 Host 1:                       Host 2:
      
            Group A        Group B        Group B     Group A
            +-----+   +-------------+    +-------+   +-----+
            | lxc |   | SELinux CTX |    | httpd |   | VM  |
            +--+--+   +--+----------+    +---+---+   +--+--+
          \---+---/                     \----+---/
              |                              |
          +---+---+                      +---+---+
          | vxlan |                      | vxlan |
          +---+---+                      +---+---+
              +------------------------------+
      
      Backwards compatibility:
      A VXLAN-GBP socket can receive standard VXLAN frames and will assign
      the default group 0x0000 to such frames. A Linux VXLAN socket will
      drop VXLAN-GBP frames. The extension is therefore disabled by default
      and needs to be specifically enabled:
      
         ip link add [...] type vxlan [...] gbp
      
      In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
      must run on a separate port number.
      
      Examples:
       iptables:
        host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
        host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
      
       OVS:
        # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
        # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
      
      [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
      [1] http://lwn.net/Articles/204905/
      Signed-off-by: Thomas Graf <tgraf@suug.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
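      The receive-side behaviour this commit message (and the "VXLAN Group Policy Extension" merge message above it) describes, as an added C example that is not part of the kernel patch: a user-space model of a VXLAN socket with or without the gbp flag, which drops VXLAN-GBP frames on a plain socket, assigns the default group 0x0000 to plain frames on a GBP socket, rejects frames with reserved bits set, and otherwise derives the label that the commit maps to skb->mark with the group ID in the low 16 bits and the extension flags in the high 16 bits. The header byte layout follows the Group Policy draft cited as [0] (G and I bits in byte 0, D and A bits in byte 1, 16-bit group ID in bytes 2-3). Keeping the D and A bits at their byte-1 positions shifted into the upper half of the mark is this example's own assumption about "the upper 16 bits are used for flags", the sample headers are constructed, and the blocked group mirrors the 0x200 used by the iptables example.

```c
/*
 * Added example, not part of the kernel patch: model the VXLAN-GBP receive
 * path the commit describes. Group ID -> low 16 bits of the mark, extension
 * flags -> high 16 bits. The exact flag-bit positions inside the mark are an
 * assumption of this example; the header layout follows the GBP draft.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VXLAN_HDR_LEN 8
#define DROP 0xFFFFFFFFu                /* sentinel: frame must be dropped */

/* Byte 0 of the header: G marks a VXLAN-GBP frame, I says the VNI is valid. */
#define VXLAN_FLAG_G 0x80
#define VXLAN_FLAG_I 0x08
/* Byte 1, only meaningful when G is set: D = don't learn, A = policy applied. */
#define VXLAN_GBP_D  0x40
#define VXLAN_GBP_A  0x08
#define VXLAN_GBP_FLAGS (VXLAN_GBP_D | VXLAN_GBP_A)

struct vxlan_meta {
    uint32_t vni;   /* 24-bit VXLAN Network Identifier */
    uint32_t mark;  /* label: (D/A flags << 16) | group ID; 0 for plain VXLAN */
};

/*
 * Parse one 8-byte VXLAN header the way a socket created with (gbp_enabled=1)
 * or without (gbp_enabled=0) the extension would. Returns 0 on success and -1
 * when the frame has to be dropped: no I bit, reserved bits set, or a GBP
 * frame arriving at a socket that was not created with the gbp flag.
 */
int vxlan_parse(const uint8_t *hdr, size_t len, int gbp_enabled,
                struct vxlan_meta *out)
{
    if (len < VXLAN_HDR_LEN)
        return -1;
    uint8_t b0 = hdr[0], b1 = hdr[1];
    if (!(b0 & VXLAN_FLAG_I))
        return -1;
    if (hdr[7] != 0)                     /* last byte is reserved in both forms */
        return -1;
    out->vni = ((uint32_t)hdr[4] << 16) | ((uint32_t)hdr[5] << 8) | hdr[6];

    if (b0 & VXLAN_FLAG_G) {
        if (!gbp_enabled)                /* plain VXLAN socket sees an unknown bit: drop */
            return -1;
        if ((b0 & ~(VXLAN_FLAG_G | VXLAN_FLAG_I)) || (b1 & ~VXLAN_GBP_FLAGS))
            return -1;                   /* reserved bits must be zero */
        uint16_t group = ((uint16_t)hdr[2] << 8) | hdr[3];
        out->mark = ((uint32_t)(b1 & VXLAN_GBP_FLAGS) << 16) | group;
        return 0;
    }
    /* Standard VXLAN frame: bytes 1-3 are reserved; a GBP socket assigns group 0. */
    if ((b0 & ~VXLAN_FLAG_I) || b1 || hdr[2] || hdr[3])
        return -1;
    out->mark = 0;
    return 0;
}

/* Convenience wrapper: the derived mark, or DROP when the frame is rejected. */
uint32_t vxlan_mark_of(const uint8_t *hdr, int gbp_enabled)
{
    struct vxlan_meta m;
    return vxlan_parse(hdr, VXLAN_HDR_LEN, gbp_enabled, &m) == 0 ? m.mark : DROP;
}

/* Group membership is the low 16 bits of the mark, as the commit states. */
uint16_t vxlan_group_of(uint32_t mark) { return (uint16_t)(mark & 0xFFFF); }

/* Constructed sample headers (not captured traffic). */
/* G|I set, A set, group 0x0200, VNI 10. */
const uint8_t SAMPLE_GBP[8]      = {0x88, 0x08, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00};
/* Plain VXLAN, VNI 10: a legacy VTEP talking to the GBP socket. */
const uint8_t SAMPLE_PLAIN[8]    = {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00};
/* G set but a reserved bit in byte 1 set: dropped even with GBP enabled. */
const uint8_t SAMPLE_RESERVED[8] = {0x88, 0x01, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x00};

int main(void)
{
    const uint16_t blocked_group = 0x200;  /* the "--mark 0x200 -j DROP" rule on host2 */
    const uint8_t *frames[] = {SAMPLE_GBP, SAMPLE_PLAIN, SAMPLE_RESERVED};
    for (size_t i = 0; i < 3; i++) {
        uint32_t mark = vxlan_mark_of(frames[i], 1);
        if (mark == DROP)
            printf("frame %zu: malformed, dropped at the socket\n", i);
        else
            printf("frame %zu: mark 0x%08x group 0x%04x -> %s\n", i, mark,
                   vxlan_group_of(mark),
                   vxlan_group_of(mark) == blocked_group ? "DROP by policy" : "accept");
    }
    return 0;
}
```

      Running the same GBP frame through `vxlan_mark_of(SAMPLE_GBP, 0)` shows the backwards-compatibility point of the message: a socket created without gbp rejects the frame outright rather than silently assigning it a group, which is why mixed environments need the GBP socket on a separate port.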
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 3f3558bb
      David S. Miller authored
      Conflicts:
      	drivers/net/xen-netfront.c
      
      Minor overlapping changes in xen-netfront.c, mostly to do
      with some buffer management changes alongside the split
      of stats into TX and RX.
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 14 Jan, 2015 10 commits