Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.10.3 2016-09-16T08:24:07Z 2016-09-16T08:24:07Z Mark Tomlinson mark.tomlinson@alliedtelesis.co.nz 2016-09-14T23:40:05Z urn:sha1:d6f64d725bac20df66b2eacd847fc41d7a1905e0 The function ip_rcv_finish() calls l3mdev_ip_rcv(). On any VRF except the global VRF, this replaces skb->dev with the VRF master interface. When calling ip_route_input_noref() from here, the checks for forwarding look at this master device instead of the initial ingress interface. This will allow packets to be routed which normally would be dropped. For example, an interface that is not assigned an IP address should drop packets, but because the checking is against the master device, the packet will be forwarded. The fix here is to still call l3mdev_ip_rcv(), but remember the initial net_device. This is passed to the other functions within ip_rcv_finish, so they still see the original interface. Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz> Acked-by: David Ahern <dsa@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-05-11T23:31:40Z David Ahern dsa@cumulusnetworks.com 2016-05-10T18:19:51Z urn:sha1:0b922b7a829c06e3b0790c58cd9ca026de86096e Applications such as OSPF and BFD need the original ingress device not the VRF device; the latter can be derived from the former. To that end add the skb_iif to inet_skb_parm and set it in ipv4 code after clearing the skb control buffer similar to IPv6. From there the pktinfo can just pull it from cb with the PKTINFO_SKB_CB cast. The previous patch moving the skb->dev change to L3 means nothing else is needed for IPv6; it just works. Signed-off-by: David Ahern <dsa@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-05-11T23:31:40Z David Ahern dsa@cumulusnetworks.com 2016-05-10T18:19:50Z urn:sha1:74b20582ac389ee9f18a6fcc0eef244658ce8de0 Currently the VRF driver uses the rx_handler to switch the skb device to the VRF device. Switching the dev prior to the ip / ipv6 layer means the VRF driver has to duplicate IP/IPv6 processing which adds overhead and makes features such as retaining the ingress device index more complicated than necessary. This patch moves the hook to the L3 layer just after the first NF_HOOK for PRE_ROUTING. This location makes exposing the original ingress device trivial (next patch) and allows adding other NF_HOOKs to the VRF driver in the future. dev_queue_xmit_nit is exported so that the VRF driver can cycle the skb with the switched device through the packet taps to maintain current behavior (tcpdump can be used on either the vrf device or the enslaved devices). Signed-off-by: David Ahern <dsa@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-04-28T02:48:24Z Eric Dumazet edumazet@google.com 2016-04-27T23:44:39Z urn:sha1:02a1d6e7a6bb025a77da77012190e1efc1970f1c Rename NET_INC_STATS_BH() to __NET_INC_STATS() and NET_ADD_STATS_BH() to __NET_ADD_STATS() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-04-28T02:48:24Z Eric Dumazet edumazet@google.com 2016-04-27T23:44:38Z urn:sha1:b15084ec7d4c89000242d69b5f57b4d138bad1b9 Rename IP_UPD_PO_STATS_BH() to __IP_UPD_PO_STATS() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-04-28T02:48:24Z Eric Dumazet edumazet@google.com 2016-04-27T23:44:37Z urn:sha1:98f619957ec2717fea09b398957e130e4bf4b30c Rename IP_ADD_STATS_BH() to __IP_ADD_STATS() Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-04-28T02:48:23Z Eric Dumazet edumazet@google.com 2016-04-27T23:44:35Z urn:sha1:b45386efa2ec4533196a24d397ec5f9f0a42abc4 Rename IP_INC_STATS_BH() to __IP_INC_STATS(), to better express this is used in non preemptible context. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-02-17T01:42:54Z Nikolay Borisov kernel@kyup.com 2016-02-15T10:11:30Z urn:sha1:e21145a9871aa5ae07e01926105bb8e523d64095 Signed-off-by: Nikolay Borisov <kernel@kyup.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-02-11T09:27:35Z Johannes Berg johannes.berg@intel.com 2016-02-04T12:31:17Z urn:sha1:12b74dfadb5a7a23baf4db941dc9fd9d371f249a In order to solve a problem with 802.11, the so-called hole-196 attack, add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if enabled, causes the stack to drop IPv4 unicast packets encapsulated in link-layer multi- or broadcast frames. Such frames can (as an attack) be created by any member of the same wireless network and transmitted as valid encrypted frames since the symmetric key for broadcast frames is shared between all stations. Additionally, enabling this option provides compliance with a SHOULD clause of RFC 1122. Reviewed-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-01-29T20:14:20Z Eric Dumazet edumazet@google.com 2016-01-27T00:59:42Z urn:sha1:63e51b6a24f1bee5363056b7aee3a468b12c546b We should not assume a valid protocol header is present, as this is not the case for IPv4 fragments. Lets avoid extra cache line misses and potential bugs if we actually find a socket and incorrectly uses its dst. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>