aboutsummaryrefslogtreecommitdiff
path: root/include/net
AgeCommit message (Collapse)Author
2006-12-02NetLabel: convert to an extensibile/sparse category bitmapPaul Moore
The original NetLabel category bitmap was a straight char bitmap which worked fine for the initial release as it only supported 240 bits due to limitations in the CIPSO restricted bitmap tag (tag type 0x01). This patch converts that straight char bitmap into an extensibile/sparse bitmap in order to lay the foundation for other CIPSO tag types and protocols. This patch also has a nice side effect in that all of the security attributes passed by NetLabel into the LSM are now in a format which is in the host's native byte/bit ordering which makes the LSM specific code much simpler; look at the changes in security/selinux/ss/ebitmap.c as an example. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02[NETFILTER]: conntrack: add '_get' to {ip, nf}_conntrack_expect_findYasuyuki Kozakai
We usually uses 'xxx_find_get' for function which increments reference count. Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: /proc compatibility with old connection trackingPatrick McHardy
This patch adds /proc/net/ip_conntrack, /proc/net/ip_conntrack_expect and /proc/net/stat/ip_conntrack files to keep old programs using them working. The /proc/net/ip_conntrack and /proc/net/ip_conntrack_expect files show only IPv4 entries, the /proc/net/stat/ip_conntrack shows global statistics. Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: sysctl compatibility with old connection trackingPatrick McHardy
This patch adds an option to keep the connection tracking sysctls visible under their old names. Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: automatic sysctl registation for conntrack protocolsPatrick McHardy
Add helper functions for sysctl registration with optional instantiating of common path elements (like net/netfilter) and use it for support for automatic registation of conntrack protocol sysctls. Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: move extern declaration to header filesPatrick McHardy
Using extern in a C file is a bad idea because the compiler can't catch type errors. Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: remove unused struct list_head from protocolsMartin Josefsson
Remove unused struct list_head from struct nf_conntrack_l3proto and nf_conntrack_l4proto as all protocols are kept in arrays, not linked lists. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: more sanity checks in protocol ↵Martin Josefsson
registration/unregistration Add some more sanity checks when registering/unregistering l3/l4 protocols. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: rename struct nf_conntrack_protocolMartin Josefsson
Rename 'struct nf_conntrack_protocol' to 'struct nf_conntrack_l4proto' in order to help distinguish it from 'struct nf_conntrack_l3proto'. It gets rather confusing with 'nf_conntrack_protocol'. Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: split out the event cacheMartin Josefsson
This patch splits out the event cache into its own file nf_conntrack_ecache.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: split out helper handlingMartin Josefsson
This patch splits out handling of helpers into its own file nf_conntrack_helper.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[NETFILTER]: nf_conntrack: split out expectation handlingMartin Josefsson
This patch splits out expectation handling into its own file nf_conntrack_expect.c Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se> Signed-off-by: Patrick McHardy <kaber@trash.net>
2006-12-02[INET]: Change protocol field in struct inet_protosw to u16Arnaldo Carvalho de Melo
[acme@newtoy net-2.6.20]$ pahole /tmp/tcp_ipv6.o inet_protosw /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/protocol.h:69 */ struct inet_protosw { struct list_head list; /* 0 8 */ short unsigned int type; /* 8 2 */ /* XXX 2 bytes hole, try to pack */ int protocol; /* 12 4 */ struct proto * prot; /* 16 4 */ const struct proto_ops * ops; /* 20 4 */ int capability; /* 24 4 */ char no_check; /* 28 1 */ unsigned char flags; /* 29 1 */ }; /* size: 32, sum members: 28, holes: 1, sum holes: 2, padding: 2 */ So that we can kill that hole, protocol can only go all the way to 255 (RAW). Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2006-12-02[XFRM]: Pack struct xfrm_policyArnaldo Carvalho de Melo
[acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o xfrm_policy /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */ struct xfrm_policy { struct xfrm_policy * next; /* 0 4 */ struct hlist_node bydst; /* 4 8 */ struct hlist_node byidx; /* 12 8 */ rwlock_t lock; /* 20 36 */ atomic_t refcnt; /* 56 4 */ struct timer_list timer; /* 60 24 */ u8 type; /* 84 1 */ /* XXX 3 bytes hole, try to pack */ u32 priority; /* 88 4 */ u32 index; /* 92 4 */ struct xfrm_selector selector; /* 96 56 */ struct xfrm_lifetime_cfg lft; /* 152 64 */ struct xfrm_lifetime_cur curlft; /* 216 32 */ struct dst_entry * bundles; /* 248 4 */ __u16 family; /* 252 2 */ __u8 action; /* 254 1 */ __u8 flags; /* 255 1 */ __u8 dead; /* 256 1 */ __u8 xfrm_nr; /* 257 1 */ /* XXX 2 bytes hole, try to pack */ struct xfrm_sec_ctx * security; /* 260 4 */ struct xfrm_tmpl xfrm_vec[6]; /* 264 360 */ }; /* size: 624, sum members: 619, holes: 2, sum holes: 5 */ So lets have just one hole instead of two, by moving 'type' to just before 'action', end result: [acme@newtoy net-2.6.20]$ codiff -s /tmp/tcp.o.before net/ipv4/tcp.o /pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c: struct xfrm_policy | -4 1 struct changed [acme@newtoy net-2.6.20]$ [acme@newtoy net-2.6.20]$ pahole -c 64 net/ipv4/tcp.o xfrm_policy /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */ struct xfrm_policy { struct xfrm_policy * next; /* 0 4 */ struct hlist_node bydst; /* 4 8 */ struct hlist_node byidx; /* 12 8 */ rwlock_t lock; /* 20 36 */ atomic_t refcnt; /* 56 4 */ struct timer_list timer; /* 60 24 */ u32 priority; /* 84 4 */ u32 index; /* 88 4 */ struct xfrm_selector selector; /* 92 56 */ struct xfrm_lifetime_cfg lft; /* 148 64 */ struct xfrm_lifetime_cur curlft; /* 212 32 */ struct dst_entry * bundles; /* 244 4 */ u16 family; /* 248 2 */ u8 type; /* 250 1 */ u8 action; /* 251 1 */ u8 flags; /* 252 1 */ u8 dead; /* 253 1 */ u8 xfrm_nr; /* 254 1 */ /* XXX 1 byte hole, try to pack */ struct xfrm_sec_ctx * security; /* 256 4 */ struct xfrm_tmpl xfrm_vec[6]; /* 260 360 */ }; /* size: 620, sum members: 619, holes: 1, sum holes: 1 */ Are there any fugly data dependencies here? None that I know. In the process changed the removed the __ prefixed types, that are just for userspace visible headers. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2006-12-02[INET_CONNECTION_SOCK]: Pack struct inet_connection_sock_af_opsArnaldo Carvalho de Melo
We have a hole in: [acme@newtoy net-2.6.20]$ pahole net/ipv6/tcp_ipv6.o inet_connection_sock_af_ops /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/inet_connection_sock.h:38 */ struct inet_connection_sock_af_ops { int (*queue_xmit)(); /* 0 4 */ void (*send_check)(); /* 4 4 */ int (*rebuild_header)(); /* 8 4 */ int (*conn_request)(); /* 12 4 */ struct sock * (*syn_recv_sock)(); /* 16 4 */ int (*remember_stamp)(); /* 20 4 */ __u16 net_header_len; /* 24 2 */ /* XXX 2 bytes hole, try to pack */ int (*setsockopt)(); /* 28 4 */ int (*getsockopt)(); /* 32 4 */ int (*compat_setsockopt)(); /* 36 4 */ int (*compat_getsockopt)(); /* 40 4 */ void (*addr2sockaddr)(); /* 44 4 */ int sockaddr_len; /* 48 4 */ }; /* size: 52, sum members: 50, holes: 1, sum holes: 2 */ But we don't need sockaddr_len to be an int: [acme@newtoy net-2.6.20]$ find net -name "*.[ch]" | xargs grep '\.sockaddr_len.\+=' | sort -u net/dccp/ipv4.c: .sockaddr_len = sizeof(struct sockaddr_in), net/dccp/ipv6.c: .sockaddr_len = sizeof(struct sockaddr_in6), net/ipv4/tcp_ipv4.c: .sockaddr_len = sizeof(struct sockaddr_in), net/ipv6/tcp_ipv6.c: .sockaddr_len = sizeof(struct sockaddr_in6), net/sctp/ipv6.c: .sockaddr_len = sizeof(struct sockaddr_in6), net/sctp/protocol.c: .sockaddr_len = sizeof(struct sockaddr_in), [acme@newtoy net-2.6.20]$ pahole --sizes net/ipv6/tcp_ipv6.o | grep sockaddr_in struct sockaddr_in: 16 0 struct sockaddr_in6: 28 0 [acme@newtoy net-2.6.20]$ So I turned sockaddr_len a 'u16', and now: [acme@newtoy net-2.6.20]$ pahole net/ipv6/tcp_ipv6.o inet_connection_sock_af_ops /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/net/inet_connection_sock.h:38 */ struct inet_connection_sock_af_ops { int (*queue_xmit)(); /* 0 4 */ void (*send_check)(); /* 4 4 */ int (*rebuild_header)(); /* 8 4 */ int (*conn_request)(); /* 12 4 */ struct sock * (*syn_recv_sock)(); /* 16 4 */ int (*remember_stamp)(); /* 20 4 */ u16 net_header_len; /* 24 2 */ u16 sockaddr_len; /* 26 2 */ int (*setsockopt)(); /* 28 4 */ int (*getsockopt)(); /* 32 4 */ int (*compat_setsockopt)(); /* 36 4 */ int (*compat_getsockopt)(); /* 40 4 */ void (*addr2sockaddr)(); /* 44 4 */ }; /* size: 48 */ So we've saved 4 bytes: [acme@newtoy net-2.6.20]$ codiff -sV /tmp/tcp_ipv6.o.before net/ipv6/tcp_ipv6.o /pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv6/tcp_ipv6.c: struct inet_connection_sock_af_ops | -4 net_header_len; from: __u16 /* 24(0) 2(0) */ to: u16 /* 24(0) 2(0) */ sockaddr_len; from: int /* 48(0) 4(0) */ to: u16 /* 26(0) 2(0) */ 1 struct changed [acme@newtoy net-2.6.20]$ Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2006-12-02[UDP(-Lite)]: consolidate v4 and v6 get|setsockopt codeGerrit Renker
This patch consolidates set/getsockopt code between UDP(-Lite) v4 and 6. The justification is that UDP(-Lite) is a transport-layer protocol and therefore the socket option code (at least in theory) should be AF-independent. Furthermore, there is the following code reduplication: * do_udp{,v6}_getsockopt is 100% identical between v4 and v6 * do_udp{,v6}_setsockopt is identical up to the following differerence --v4 in contrast to v4 additionally allows the experimental encapsulation types UDP_ENCAP_ESPINUDP and UDP_ENCAP_ESPINUDP_NON_IKE --the remainder is identical between v4 and v6 I believe that this difference is of little relevance. The advantages in not duplicating twice almost completely identical code. The patch further simplifies the interface of udp{,v6}_push_pending_frames, since for the second argument (struct udp_sock *up) it always holds that up = udp_sk(sk); where sk is the first function argument. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[DECNET] address: Convert to new netlink interfaceThomas Graf
Extends the netlink interface to support the __le16 type and converts address addition, deletion and, dumping to use the new netlink interface. Fixes multiple occasions of possible illegal memory references due to not validated netlink attributes. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: net/sched annotations.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: Fix assorted misannotations (from md5 and udplite merges).Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: SCTP_CMD_PROCESS_CTSN annotations.Al Viro
argument passed as __be32 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Annotate ->supported_addrs().Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: sctp_association ->peer.i is a host-endian analog of sctp_inthdr.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Annotate ->inaddr_any().Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: flip_to_{h,n}() are not needed anymore.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: ->a_h is gone now.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: ->a_h is gone now.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: ->source_h is not used anymore.Al Viro
kill it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Switch all remaining users of ->saddr_h to ->saddr.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Switch ->from_addr_param() to net-endian.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Annotate ->dst_saddr()Al Viro
switched to taking a pointer to net-endian sctp_addr and a net-endian port number. Instances and callers adjusted; interestingly enough, the only calls are direct calls of specific instances - the method is not used at all. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP] embedded sctp_addr: net-endian mirrorsAl Viro
Add sctp_chunk->source, sctp_sockaddr_entry->a, sctp_transport->ipaddr and sctp_transport->saddr, maintain them as net-endian mirrors of their host-endian counterparts. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Beginning of conversion to net-endian for embedded sctp_addr.Al Viro
Part 1: rename sctp_chunk->source, sctp_sockaddr_entry->a, sctp_transport->ipaddr and sctp_transport->saddr (to ..._h) The next patch will reintroduce these fields and keep them as net-endian mirrors of the original (renamed) ones. Split in two patches to make sure that we hadn't forgotten any instanes. Later in the series we'll eliminate uses of host-endian variants (basically switching users to net-endian counterparts as we progress through that mess). Then host-endian ones will die. Other embedded host-endian sctp_addr will be easier to switch directly, so we leave them alone for now. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Beginning of sin_port fixes.Al Viro
That's going to be a long series. Introduced temporary helpers doing copy-and-convert for sctp_addr; they are used to kill flip-in-place in global data structures and will be used to gradually push host-endian uses of sctp_addr out of existence. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Trivial sctp endianness annotations.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Annotate tsn_dups.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: SCTP_CMD_INIT_FAILED annotations.Al Viro
argument stored for SCTP_CMD_INIT_FAILED is always __be16 (protocol error). Introduced new field and accessor for it (SCTP_PERR()); switched to their use (from SCTP_U32() and .u32) Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: sctp_make_op_error() annotations.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[SCTP]: Annotate sctp_init_cause().Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[IPV6] net/ipv6/sit.c: make 2 functions staticAdrian Bunk
This patch makes two needlessly global functions static. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02NetLabel: use the correct CIPSOv4 MLS label limitsPaul Moore
The CIPSOv4 engine currently has MLS label limits which are slightly larger than what the draft allows. This is not a major problem due to the current implementation but we should fix this so it doesn't bite us later. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02NetLabel: make netlbl_lsm_secattr struct easier/quicker to understandPaul Moore
The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02NetLabel: change netlbl_secattr_init() to return voidPaul Moore
The netlbl_secattr_init() function would always return 0 making it pointless to have a return value. This patch changes the function to return void. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02NetLabel: use gfp_t instead of int where it makes sensePaul Moore
There were a few places in the NetLabel code where the int type was being used instead of the gfp_t type, this patch corrects this mistake. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2006-12-02[NET]: Conditionally use bh_lock_sock_nested in sk_receive_skbArnaldo Carvalho de Melo
Spotted by Ian McDonald, tentatively fixed by Gerrit Renker: http://www.mail-archive.com/dccp%40vger.kernel.org/msg00599.html Rewritten not to unroll sk_receive_skb, in the common case, i.e. no lock debugging, its optimized away. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2006-12-02[UDPLite]: udplite.h needs ip6_checksum.hDavid S. Miller
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: ipvs checksum annotations.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: IP header modifier helpers annotations.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: Make mangling a checksum (0 -> 0xffff on the wire) explicit.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: Annotate __skb_checksum_complete() and friends.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-02[NET]: Annotate ip_vs_checksum_complete() and callers.Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>