On Wed, Sep 4, 2019 at 4:45 AM David Ahern wrote:
>
> exactly. It was shortsighted of me to add the ADDRCONF flag and removing
> it reverts back to the previous behavior.
>
> When I enable radvd, I do see the flag set when it should be and not for
> other addresses. I believe the patch is correct.
On Tue, Sep 3, 2019 at 11:18 AM David Ahern wrote:
> addrconf_f6i_alloc is used for addresses added by userspace
> (ipv6_add_addr) and anycast. i.e., from what I can see it is not used for RAs
Isn't ipv6_add_addr called by addrconf_prefix_rcv_add_addr, which is
called by addrconf_prefix_rcv, which
On Mon, Sep 2, 2019 at 2:55 AM Maciej Żenczykowski wrote:
> It's not immediately clear to me what is the better approach as I'm
> not immediately certain what RTF_ADDRCONF truly means.
> However the in kernel header file comment does explicitly mention this
> being used to flag routes derived from
On Wed, Jun 5, 2019 at 12:58 PM David Ahern wrote:
> I think it is crazy to add multiple identical rules given the linear
> effect on performance.
Not sure if this is what you were implying or not, but our code
doesn't maintain multiple identical rules in steady state. It only
uses them for make-
On Wed, Jun 5, 2019 at 12:29 PM Hangbin Liu wrote:
> > We rely on being able to add a rule and either have a dup be created
> > (in which case we'll remove it later) or have it fail with EEXIST (in
> > which case we won't remove it later).
>
> With Maciej said, how about add NLM_F_EXCL flag when y
On Wed, Jun 5, 2019 at 11:15 AM Hangbin Liu wrote:
> How do you add the rules? with ip cmd it should have NLM_F_EXCL flag and
> you will get -EEXIST error out.
The fact that the code worked before this commit implies that it was
*not* using NLM_F_EXCL. :-)
The code is here if you want to take a lo
On Wed, Jun 5, 2019 at 10:43 AM Hangbin Liu wrote:
> Although I'm still not clear what's the difference between
>
> a) adding a dup rule and remove it later
> and
> b) return 0 directly if the rule is exactly the same.
The Android code updates ip rules by adding the new rule and then
deleting the
On Tue, Nov 27, 2018 at 10:17 PM 배석진 wrote:
> >> we saw hundreds of not closed tcp session with FIN_WAIT1 and LAST_ACK.
> >
> > These sessions should have a timer, and eventually disappear.
>
> FIN_WAIT2 and TIME_WAIT have a timer.
> but do FIN_WAIT1 and LAST_ACK have one too?
What harm is caused by
This patch documents the tcp_fwmark_accept sysctl that was
added in 3.15.
Signed-off-by: Lorenzo Colitti
---
Documentation/networking/ip-sysctl.txt | 11 +++
1 file changed, 11 insertions(+)
diff --git a/Documentation/networking/ip-sysctl.txt
b/Documentation/networking/ip-sysctl.txt
't have the same problem.
Fixes: a925aa00a55 ("udp_diag: Implement the get_exact dumping functionality")
Signed-off-by: Lorenzo Colitti
---
net/ipv4/udp_diag.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/udp_diag.c b/net/ipv4/udp_diag.c
index d9ad986c7b..5cbb9be052 1
.auth = {
> +#if IS_ENABLED(CONFIG_XFRM_HMAC_SHA256_RFC4868)
> + .icv_truncbits = 128,
> +#else
> .icv_truncbits = 96,
> +#endif
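Review bot: the #if makes the default ICV truncation for this algorithm depend on a build-time option, so a kernel built with CONFIG_XFRM_HMAC_SHA256_RFC4868 and one built without it will not interoperate on this algorithm unless userspace specifies the truncation length explicitly; the commit message and Kconfig help text should state this, and a short comment next to the #if noting that 128 is the RFC 4868 length and 96 the pre-existing default would save the next reader a lookup.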
Also, consider adding a Tested: line saying that this allows
pf_key_test.py to pass on upstream kernels.
Other than that,
Acked-By: Lorenzo Colitti
On Fri, Sep 14, 2018 at 11:30 PM David Miller wrote:
> Unfortunately I think we are stuck with how things are now.
>
> Indisputably, your patch breaks userland components that have
> workarounds in order to work with existing kernels. [...]
> I cannot apply this, sorry.
Understood. We're about t
lement the get_exact dumping functionality")
Tested: https://android-review.googlesource.com/c/kernel/tests/+/755889/
Signed-off-by: Lorenzo Colitti
---
net/ipv4/udp_diag.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/udp_diag.c b/net/ipv4/udp_diag.c
i
On Sat, Jul 7, 2018 at 10:56 PM David Ahern wrote:
> > Here is a packetdrill test :
>
> So I have to either learn how to use packetdrill or install a web server
> and put load on it. If the Android tests are not publicly available then
> the reference should be removed from the commit log.
It is
On Sat, Jul 7, 2018 at 10:29 PM Eric Dumazet wrote:
> >> Tested: passes Android sock_diag_test.py, which exercises this codepath
> >
> > If this Android test case exercises this path, why didn't it trigger
> > the double free and thus cause this bug to be found much sooner?
> >
> > Just curious.
>
On Fri, Jul 6, 2018 at 7:24 PM Eric Dumazet wrote:
>
> Your patch makes sense to me, please submit it formally with :
>
> Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying
> socket")
> Cc: David Ahern
Submitted a patch against net: https://patchwork.ozlabs.org/patch/9407
just remove the free in that
function.
Cc: David Ahern
Tested: passes Android sock_diag_test.py, which exercises this codepath
Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying
socket")
Signed-off-by: Lorenzo Colitti
---
net/ipv4/tcp.c | 3 +--
1 file changed, 1
On Fri, Jul 6, 2018 at 11:37 AM Subash Abhinov Kasiviswanathan wrote:
>
> From the call stack, a TCP socket is being destroyed using netlink_diag.
> The memory dump showed that the socket was an inet request socket (in
> state TCP_NEW_SYN_RECV) with refcount of 0.
> [...]
> 13232.479820: <2>
n");
> + fprintf(stderr, "[ output-mark OUTPUT-MARK]\n");
Nit: I think you want a space between OUTPUT-MARK and ].
Other than that,
Acked-by: Lorenzo Colitti
OUTPUT_MARK]);
> +
> + fprintf(fp, "\toutput-mark 0x%x %s", output_mark, _SL_);
> + }
> }
If you wanted to implement the suggestion above, I think you could do
that by moving this code into xfrm_xfrma_print.
Other than that, LGTM.
Acked-by: Lorenzo Col
On Mon, Jun 4, 2018 at 8:51 AM 吉藤英明 wrote:
>
> > + if (ipv6_get_lladdr(dev, &lladdr, IFA_F_TENTATIVE))
> > + get_random_bytes(eui, 8);
>
> Please be aware of I/G bit and G/L bit.
Actually, I think this is fine. RFC 7136 clarified this, and says:
==
Thus, we can conclu
On Sat, Apr 28, 2018 at 10:04 AM, Alexei Starovoitov wrote:
> Another approach could be to use map-in-map and have almost atomic
> replace of the whole map with new potentially empty map. The prog
> can continue using the new map, while user space walks no longer
> accessed old map.
That sounds l
On Tue, Mar 20, 2018 at 12:57 AM, Chenbo Feng wrote:
> - if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled)
> + if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
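Review bot: the swap changes evaluation order so that capable(CAP_SYS_ADMIN) is no longer called when sysctl_unprivileged_bpf_disabled is zero; since capable() goes through the LSM hook and can have side effects such as audit logging of denials, that motivation belongs in the commit message, as the two conditions are otherwise equivalent.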
Acked-by: Lorenzo Colitti
Sh
On Thu, Feb 15, 2018 at 1:30 PM, Alexei Starovoitov wrote:
> Specifically for android we added bpf_lsm hooks, cookie/uid helpers,
> and read-only maps.
> Lorenzo,
> there was a claim in this thread that bpf is disabled on android.
> Can you please clarify ?
It's not compiled out, at least at the
cu versions of
route lookup")
Tested:
https://android.googlesource.com/kernel/tests/+/master/net/test/multinetwork_test.py
passes again
Signed-off-by: Lorenzo Colitti
---
net/ipv4/route.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 43b69af242..4e153b23bc 10
On Wed, Jan 3, 2018 at 9:10 PM, Steffen Klassert wrote:
> The fact that you need new keyed VTIs looks a bit like a workaround
> of the design limitations the VTI interfaces have. Unfortunately
> this is not the only limitation of VTI and I think we don't get what
> we really want by changing VTI w
On Tue, Dec 19, 2017 at 2:56 AM, David Miller wrote:
> > - ICMP errors are similar to input, except the search is for the
> > outbound XFRM state, because the only data that is available is
> > the outbound SPI. Thus, ICMP errors are only processed if the
> > ikey is the same as the same as
the ICMP packet cannot be processed
unless the packet is somehow already marked.
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 4
net/xfrm/xfrm_state.c | 33 +
2 files changed, 37 insertions(+)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
This change removes the tunnel parameter from xfrm6_rcv_spi and
deletes xfrm6_rcv_tnl. These were only used by the VTI code and
are now unused.
Tested: https://android-review.googlesource.com/571524
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h | 4 +---
net/ipv6/ip6_vti.c
tunnel pointer. The semantics
of the field are:
- When not running a handler that uses tunnels: always null.
- At the beginning of xfrm_input: lookup function pointer.
- After xfrm_input calls the lookup function: tunnel if found,
else null.
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h
eter.
This could also be done by expanding the existing flags parameter
from __be16 to __be32 and ensuring that the new flags are all
above the 16-bit boundary.
Signed-off-by: Lorenzo Colitti
---
include/net/ip_tunnels.h | 6 +-
net/ipv4/ip_gre.c| 6 +++---
net/ipv4/ip_tunnel.
design). So attempts to create such duplicate tunnels
- or to change one tunnel in such a way that it would duplicate
another - will fail with EEXIST.
Signed-off-by: Lorenzo Colitti
---
include/uapi/linux/if_tunnel.h | 4
net/ipv4/ip_tunnel.c | 10 +-
net/ipv4/ip_vti.c
s the mark to
select an XFRM state. The state transforms the packet.
Signed-off-by: Lorenzo Colitti
---
net/ipv4/ip_vti.c | 52 ++
net/ipv6/ip6_vti.c | 67 --
2 files changed, 88 insertions(+), 31 dele
at
is never set into tunnel parameters.
Signed-off-by: Lorenzo Colitti
---
net/ipv4/ip_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 5ddb1cb52b..539c8f22c4 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@
When using IPsec tunnel mode, VTIs provide many benefits compared
to direct configuration of xfrm policies / states. However, one
limitation is that there can only be one VTI between a given pair
of IP addresses. This does not allow configuring multiple IPsec
tunnels to the same security gateway. T
This change removes the tunnel parameter from xfrm6_rcv_spi and
deletes xfrm6_rcv_tnl. These were only used by the VTI code and
are now unused.
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h | 4 +---
net/ipv4/ip_vti.c | 4 ++--
net/ipv6/ip6_vti.c | 2 +-
net/ipv6
ff-by: Lorenzo Colitti
---
include/uapi/linux/if_tunnel.h | 3 ++
net/ipv4/ip_vti.c | 75 +++
net/ipv6/ip6_vti.c | 100 +++--
3 files changed, 136 insertions(+), 42 deletions(-)
diff --git a/include/uapi/
the ICMP packet cannot be processed
unless the packet is somehow already marked.
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 4
net/xfrm/xfrm_state.c | 32
2 files changed, 36 insertions(+)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
handler that uses tunnels: always null.
- At the beginning of xfrm_input: lookup function pointer.
- After xfrm_input calls the lookup function: tunnel if found,
else null.
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h | 2 ++
net/ipv4/ip_vti.c | 43
When using IPsec tunnel mode, VTIs provide many benefits compared
to direct configuration of xfrm policies / states. However, one
limitation is that there can only be one VTI between a given pair
of IP addresses. This does not allow configuring multiple IPsec
tunnels to the same security gateway. T
policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output
policy.
Tested: https://android-review.googlesource.com/539816
Signed-off-by: Lorenzo Colitti
---
net/xfrm/xfrm_policy.c | 2 +-
net/xfrm/xfrm_state.c | 7 +++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/xfrm
clean distclean; ./configure && make
-j64"
Tested: 4.14.1 builds on Android with Android-specific #ifndefs for missing
library code
Signed-off-by: Lorenzo Colitti
---
include/bpf_scm.h | 1 +
include/utils.h | 3 +++
2 files changed, 4 insertions(+)
diff --git a/include/bpf_scm.h b
On Wed, Oct 25, 2017 at 9:49 PM, Nanjappa, Gangadhar wrote:
> Using linux kernel – 4.4.45 (Blurry Fish Butt), VPN test fails. If I revert
> the attached five patches, VPN test passes.
> [...]
>
> 1. 1-net-core-add-UID-to-flows-rules-and-routes.patch
Those patches don't exist in 4.4, they we
On Tue, Oct 3, 2017 at 5:23 AM, enh wrote:
>> Rather than moving everything, why not make kernel headers directory
>> configurable as part of the configure script setup process.
>
> the problem is that C libraries with their own uapi headers still
> need your app-specific headers. to build ipr
tream change to
an include file causes a merge conflict with the delete.
This patch fixes the problem by moving the iproute2 linux headers
from include/linux to include/uapi/linux.
Tested: compiles on ubuntu trusty (glibc)
Signed-off-by: Elliott Hughes
Signed-off-by: Lorenzo Colitti
---
M
")
Tested: https://android-review.googlesource.com/417481
Tested: https://android-review.googlesource.com/418659
Tested: https://android-review.googlesource.com/424463
Tested: https://android-review.googlesource.com/452776 passes on net-next
Signed-off-by: Lorenzo Colitti
---
net/xfrm/xfrm_policy.c |
On Wed, Aug 16, 2017 at 7:25 AM, Jonathan Basseri wrote:
> If an IPv6 socket has a valid dst cache
Did you look into why IPv4 does not suffer from this problem?
That said, clearing the dst cache entry does seem prudent in general.
; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 9 ++---
include/uapi/linux/xfrm.h | 1 +
net/ipv4/xfrm4_policy.c | 14 +-
net/ipv6/xfrm6_policy.c | 9 ++---
net/xfrm/xfrm_device.c| 3
On Tue, Aug 8, 2017 at 4:51 PM, Steffen Klassert wrote:
> I thought you can just split the 32 bit mark into two 16 bit marks
> by setting an appropriate mask at the xfrm and the routing mark.
> But this has the drawback that the socket needs to know how possibly
> tunneled packets should be routed
; make -j64
Tested: https://android-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 9 ++---
include/uapi/linux/xfrm.h | 1 +
net/ipv4/xfrm4_policy.c | 14 +-
net/ipv6/xfrm6_policy.c | 9 ++---
net/xfrm/xfrm_device.c| 3
On Mon, Aug 7, 2017 at 8:16 PM, Steffen Klassert wrote:
> > XFRMA_OFFLOAD_DEV, /* struct xfrm_state_offload */
> > + XFRMA_OUTPUT_MARK, /* __u32 */
> > __XFRMA_MAX
>
> Hm, why don't you use the existing xfrm_mark for this?
> Having two different marks on one SA seems to b
-review.googlesource.com/452776
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 9 ++---
include/uapi/linux/xfrm.h | 1 +
net/ipv4/xfrm4_policy.c | 14 +-
net/ipv6/xfrm6_policy.c | 9 ++---
net/xfrm/xfrm_output.c| 3 +++
net/xfrm/xfrm_policy.c| 17
On Sat, Jul 8, 2017 at 12:39 AM, Stephen Hemminger wrote:
> For the most of the address flags, use a table of bit values rather
> than open coding every value. This allows for easier inevitable
> expansion of flags.
Thanks for doing this.
> +static unsigned int get_ifa_flag_mask(const char *nam
Currently, this flag is only shown as "flags 800".
Signed-off-by: Lorenzo Colitti
---
ip/ipaddress.c | 4
1 file changed, 4 insertions(+)
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 4900dce09d..8fe2bacde8 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -1166,6 +1166
ark already takes that into account. Its semantics (see
inet_request_mark) are:
- If listen socket has a nonzero mark, use that
- Else if sysctl_tcp_fwmark_accept is set and inbound SYN packet has
mark, use that
- Else zero.
which is what you want.
Other than that,
Reviewed-By: Lorenzo Colitt
On Sun, Jun 11, 2017 at 8:58 PM, Jamal Hadi Salim wrote:
>> Maybe this should both be "inet_request_mark()"?
>>
>
> Challenge is making of a synack requires a new allocated skb;
> and sk is a listening socket - which should/has a mark of
> 0 meaning at ip_build_and_send_pkt() it overrides
> the va
On Sun, Jun 4, 2017 at 1:29 AM, Eric Dumazet wrote:
> The problem is that ping sockets should not use udp_poll() in the first
> place, and recent changes in UDP stack finally exposed this old bug.
Acked-By: Lorenzo Colitti
Tested-By: Lorenzo Colitti
On Fri, Dec 16, 2016 at 5:30 PM, Mantas Mikulėnas wrote:
> The protocol field is checked when deleting IPv4 routes, but ignored for
> IPv6, which causes problems with routing daemons accidentally deleting
> externally set routes (observed by multiple bird6 users).
>
> This can be verified using `i
On Wed, Mar 22, 2017 at 8:09 PM, Willem de Bruijn wrote:
>> + if (!sk || !sk_fullsock(sk))
>> + return overflowuid;
>> + kuid = sock_net_uid(sock_net(sk), sk);
>> + return from_kuid_munged(&init_user_ns, kuid);
>
> Ideally, this would be the user namespace relative
On Wed, Mar 22, 2017 at 6:19 PM, Joel Scherpelz wrote:
> It is useful to prevent misconfigurations from
> unintentionally blackholing too much of the IPv6 address space
> (e.g., home routers announcing RIOs for fc00::/7, which is
> incorrect).
>
> Signed-off-by: Joel Scherpelz
On Tue, Mar 21, 2017 at 1:08 PM, Chenbo Feng wrote:
> + if (!sk || !sk_fullsock(sk))
> + return overflowuid;
> + kuid = sock_net_uid(sock_net(sk), sk);
> + return from_kuid_munged(current_user_ns(), kuid);
Is current_user_ns() correct in all the contexts you'll wan
On Fri, Feb 3, 2017 at 10:51 AM, Eric Dumazet wrote:
> if (sk) {
> sk = sk_to_full_sk(sk);
> if (sk_fullsock(sk))
> return sk->sk_uid;
> }
Sure, though sk_to_full_sk is in inet_sock.h so I have to move some
core around. Options I see:
1. Move sk_to_full_sk from inet_sock.h to soc
On Mon, Feb 6, 2017 at 11:17 AM, Chenbo Feng wrote:
> +BPF_CALL_1(bpf_get_socket_cookie, struct sk_buff *, skb)
> +{
> + return skb->sk ? sock_gen_cookie(skb->sk) : 0;
> +}
> +
Does this code need to increment the socket refcount, or call
ACCESS_ONCE to get skb->sk? The socket filter codepa
On Fri, Feb 3, 2017 at 9:13 AM, Alexei Starovoitov wrote:
> I think sk_uid is self explanatory, but cookie is less so.
> Please explain how you plan to use it.
The cookie is the only way to uniquely identify a given socket on the
system (the 5-tuple is not sufficient in the presence of SO_REUSEPO
On Fri, Feb 3, 2017 at 9:31 AM, Eric Dumazet wrote:
>> It should be safe to call sock_net_uid on any type of socket
>> (including NULL). sk_uid was added to struct sock in 86741ec25462
>> ("net: core: Add a UID field to struct sock.")
>
> But a request socket or a timewait socket do not have this
On Fri, Feb 3, 2017 at 6:32 AM, Daniel Borkmann wrote:
>> + sk = skb->sk;
>> + kuid = sock_net_uid(dev_net(skb->dev), sk);
>
>
> Don't you need to test for fullsock? Do you mean something like below?
It should be safe to call sock_net_uid on any type of socket
(including NULL). sk_uid
On Wed, Jan 11, 2017 at 11:11 PM, David Miller wrote:
> I understand what you're saying, but if you look at how apps can be
> put into hierarchical control groups, and automatically bind to VRF's
> based upon where they are in that cgroup hierarchy, it matches your
> use case precisely.
I think w
On Tue, Jan 10, 2017 at 10:21 PM, Andrey Jr. Melnikov wrote:
>
> > >>> I have no firsthand experience of this myself, but if the problems
> > >>> that Andrey reports above in this thread are real, then those would
> > >>> indicate that the code is not well-supported. Being unable to accept
> > >>>
On Tue, Jan 10, 2017 at 5:30 PM, Tobias Klauser wrote:
> -int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
> +static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
Acked-by: Lorenzo Colitti
On Tue, Jan 10, 2017 at 12:04 PM, David Ahern wrote:
> > I have no firsthand experience of this myself, but if the problems
> > that Andrey reports above in this thread are real, then those would
> > indicate that the code is not well-supported. Being unable to accept
> > DAD is a pretty serious i
On Tue, Jan 10, 2017 at 11:08 AM, David Ahern wrote:
> That's news to me. What about IPv6 and VRF is not working or well-supported?
I have no firsthand experience of this myself, but if the problems
that Andrey reports above in this thread are real, then those would
indicate that the code is not
On Sun, Jan 8, 2017 at 1:24 PM, David Ahern wrote:
> Why not use the VRF capability then? create a VRF and assign the interface to
> it. End result is the same -- separate tables and the need to use a
> bind-to-device API to hit those routes.
Requiring that VRFs for this creates additional comp
iles allnoconfig, allyesconfig, allmodconfig
Tested: passes existing Android kernel unit tests
Signed-off-by: Lorenzo Colitti
---
Documentation/networking/ip-sysctl.txt | 13 +++
include/linux/ipv6.h | 1 +
include/net/addrconf.h | 2 ++
include/uapi/linux/ipv6.h
id is
> actually only valid when ATTR_UID is set in ia_valid, indicating that
> the uid is being changed, e.g. by chown.
> [...]
> - if (!err) {
> + if (!err && (iattr->ia_valid & ATTR_UID)) {
Oops. Thanks for fixing this. Unit tested in
https://android-rev
cb5e ("net: inet: Support UID-based routing in IP protocols.")
Signed-off-by: Lorenzo Colitti
---
net/ipv4/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index fa5c037227..9eabf49013 100644
--- a/net/ipv4/route.c
++
On Sat, Dec 3, 2016 at 9:58 AM, Kees Cook wrote:
> - if (len > 0x)
> + if (len > 0x || len < icmph_len)
> return -EMSGSIZE;
EMSGSIZE usually means the message is too long. Maybe use EINVAL?
That's what the code will return if the passed-in ICMP header is
invali
On Tue, Nov 29, 2016 at 9:56 AM, Lorenzo Colitti wrote:
> Commit e2d118a1cb5e ("net: inet: Support UID-based routing in IP
> protocols.") made __build_flow_key call sock_net(sk) to determine
> the network namespace of the passed-in socket. This crashes if sk
> is NULL.
Sinc
ez Shitrit
Signed-off-by: Lorenzo Colitti
---
net/ipv4/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index d37fc6f..6402d74 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -531,13 +531,14 @@ static void __build_flow_key(co
On Thu, Nov 10, 2016 at 6:26 PM, David Lebrun wrote:
> That would be easier indeed, but then this behavior should be documented
> somewhere: how the user would know that it has to enable CONFIG_LWTUNNEL ?
True.
I guess whether that question is important or not depends on how many
kernels enable
On Thu, Nov 10, 2016 at 6:09 PM, David Lebrun wrote:
> Oops. The easiest fix I can think of is adding an option to
> enable/disable seg6's LWT which would select CONFIG_LWTUNNEL. That would
> still let the core SR processing be enabled by default.
So you'd split SRH functionality in three parts?
On Thu, Nov 10, 2016 at 10:40 AM, David Miller wrote:
>
> Series applied, but I wonder if using a Kconfig knob for the INLINE thing
> is overkill.
This breaks IPv6 completely if CONFIG_LWTUNNEL is disabled. When that
happens, seg6_iptunnel_init fails with EOPNOTSUPP and the stack fails
to initial
On Thu, Nov 10, 2016 at 2:07 AM, David Ahern wrote:
> Revert the change to ip_send_unicast_reply and tcp_v6_send_response such
> that the oif in the flow is set to the skb_iif only if skb_iif is an L3
> master.
This fixes the IPv4 and IPv6 tests, thanks!
Tested-by: Lorenzo Colitti
On Wed, Nov 9, 2016 at 7:50 AM, David Ahern wrote:
> @@ -1577,7 +1577,8 @@ void ip_send_unicast_reply(struct sock *sk, struct
> sk_buff *skb,
Tested-by: Lorenzo Colitti
This fixes the IPv4 test, thanks. I notice that 4.8 didn't have
e0d56fdd73, so if this patch can get into 4.9
On Sun, Sep 11, 2016 at 4:09 AM, David Ahern wrote:
> A previous patch added l3mdev flow update making these hooks
> redundant. Remove them.
> [...]
> @@ -1582,8 +1582,7 @@ void ip_send_unicast_reply(struct sock *sk, struct
> sk_buff *skb,
> }
>
> oif = arg->bound_dev_if;
> -
- Support adding, deleting and showing IP rules with UID ranges.
- Support querying per-UID routes via "ip route get uid ".
UID range routing was added to net-next in 4fb7450683 ("Merge
branch 'uid-routing'")
Signed-off-by: Lorenzo Colitti
---
include/linux/fi
prio 1000 uidrange 100-199 lookup 100
root@net-test:/# ip rule add prio 1000 uidrange 200-299 lookup 200
root@net-test:/# ip rule add prio 1000 uidrange 300-399 lookup 100
RTNETLINK answers: File exists
Tested: https://android-review.googlesource.com/#/c/299980/
Signed-off-by: Lorenzo Colitti
On Thu, Nov 3, 2016 at 2:18 AM, Eric Dumazet wrote:
> Lorenzo, haven't you already fixed all these bugs ?
Not yet. There's still a fair bit of out-of-tree code left. Other than
per-UID routing, xt_qtaguid is the big one, but there's also xt_quota2
and xt_idletimer to fix.
> if (skb && skb->sk)
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti
---
include/net/flow.h | 4 +++-
include/net/ip.h | 1 +
include/net/ip6_route.h | 5 +++--
include/net/route.h | 5 +++--
net/ipv4/icmp.c | 2
ICMP and TCP sockets, this is the user that created
the network namespace.
Signed-off-by: Lorenzo Colitti
---
include/net/sock.h | 7 +++
net/core/sock.c| 5 -
net/socket.c | 14 ++
3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/include/net/sock.h
This patchset adds support for per-UID routing. It allows the
administrator to configure rules such as:
ip rule add uidrange 100-200 lookup 123
This functionality has been in use by all Android devices since
5.0. It is primarily used to impose per-app routing policies (on
Android, every app has
the flow structures.
Signed-off-by: Lorenzo Colitti
---
include/net/fib_rules.h| 9 -
include/net/flow.h | 5 +++
include/uapi/linux/fib_rules.h | 6
include/uapi/linux/rtnetlink.h | 1 +
net/core/fib_rules.c | 74
On Sun, Oct 30, 2016 at 5:29 AM, Daniel Borkmann wrote:
> Fwiw, not sure if swapping brings much, even after netfilter there could
> be complex processing that would potentially drop, mangle, redirect, etc
> from tc layer (egress or from qdisc itself). But also at even lower layers
I agree lots o
On Sat, Oct 29, 2016 at 3:24 PM, Alexei Starovoitov wrote:
> it could be solved by swapping the order of cgroup_bpf_run_filter()
> and NF_INET_POST_ROUTING in patch 5. It was proposed some time back, but
> the current patch, I think, is more symmetrical.
> cgroup+bpf runs after nf hook on rx and r
On Sat, Oct 29, 2016 at 1:51 PM, Alexei Starovoitov wrote:
>> What's the use case for egress?
>>
>> We (android networking) are currently looking at implementing network
>> accounting via eBPF in order to replace the out-of-tree xt_qtaguid
>> code. A per-cgroup eBPF program run on all traffic woul
On Thu, Oct 27, 2016 at 5:40 PM, Daniel Mack wrote:
> It's not anything new. These hooks live on the very same level as
> SO_ATTACH_FILTER. The only differences are that the BPF programs are
> stored in the cgroup, and not in the socket, and that they exist for
> egress as well.
What's the use ca
This patchset adds support for per-UID routing. It allows the
administrator to configure rules such as:
ip rule add uidrange 100-200 lookup 123
This functionality has been in use by all Android devices since
5.0, which was released in late 2014. It is primarily used to
impose per-app routing po
, a kernel
ICMP socket): UID 0 inside the user namespace corresponding
to the network namespace the socket belongs to. This is
arguably better than GLOBAL_ROOT_UID because it allows
"--owner-uid 0" to match kernel-originated packets in
non-root namespaces.
the flow structures.
Signed-off-by: Lorenzo Colitti
---
include/net/fib_rules.h| 9 -
include/net/flow.h | 5 +++
include/uapi/linux/fib_rules.h | 6
include/uapi/linux/rtnetlink.h | 1 +
net/core/fib_rules.c | 74
://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti
---
include/net/flow.h | 4 +++-
include/net/ip.h | 1 +
include/net/ip6_route.h | 2 +-
include/net/route.h | 5 +++--
net/ipv4/icmp.c | 9 ++---
net
On Sun, Sep 25, 2016 at 6:59 PM, Maciej Żenczykowski wrote:
> + ifp->idev->cnf.rtr_solicits != 0 &&
Given that some of this patch checks for == -1, and some of it checks
for != 0... is it possible that setting the value to something
unexpected like -3 will cause any issues to the