path: root/include
Commit message (Author, Age)
* [SECMARK]: Add CONNSECMARK xtables target (James Morris, 2006-06-18)
  Add a new xtables target, CONNSECMARK, which is used to specify rules for copying security marks from packets to connections, and for copying security marks back from connections to packets. This is similar to the CONNMARK target, but is more limited in scope in that it only allows copying of security marks to and from packets, as this is all it needs to do.
  A typical scenario would be to apply a security mark to a 'new' packet with SECMARK, then copy that to its conntrack via CONNMARK, and then restore the security mark from the connection to established and related packets on that connection.
  Signed-off-by: James Morris <jmorris@namei.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [SECMARK]: Add secmark support to conntrack (James Morris, 2006-06-18)
  Add a secmark field to IP and NF conntracks, so that security markings on packets can be copied to their associated connections, and also copied back to packets as required. This is similar to the network mark field currently used with conntrack, although it is intended for enforcement of security policy rather than network policy.
  Signed-off-by: James Morris <jmorris@namei.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [SECMARK]: Add xtables SECMARK target (James Morris, 2006-06-18)
  Add a SECMARK target to xtables, allowing the admin to apply security marks to packets via both iptables and ip6tables. The target currently handles SELinux security marking, but can be extended for other purposes as needed.
  Signed-off-by: James Morris <jmorris@namei.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [SECMARK]: Add secmark support to core networking. (James Morris, 2006-06-18)
  Add a secmark field to the skbuff structure, to allow security subsystems to place security markings on network packets. This is similar to the nfmark field, except is intended for implementing security policy, rather than networking policy.
  This patch was already acked in principle by Dave Miller.
  Signed-off-by: James Morris <jmorris@namei.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [SECMARK]: Add SELinux exports (James Morris, 2006-06-18)
  Add and export new functions to the in-kernel SELinux API in support of the new secmark-based packet controls.
  Signed-off-by: James Morris <jmorris@namei.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Fix warnings after LSM-IPSEC changes. (David S. Miller, 2006-06-18)
  Assignment used as truth value in xfrm_del_sa() and xfrm_get_policy().
  Wrong argument type declared for security_xfrm_state_delete() when SELINUX is disabled.
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [LSM-IPsec]: SELinux Authorize (Catherine Zhang, 2006-06-18)
  This patch contains a fix for the previous patch that adds security contexts to IPsec policies and security associations. In the previous patch, no authorization (besides the check for write permissions to SAD and SPD) is required to delete IPsec policies and security associations with security contexts. Thus a user authorized to change SAD and SPD can bypass the IPsec policy authorization by simply deleting policies with security contexts. To fix this security hole, an additional authorization check is added for removing security policies and security associations with security contexts.
  Note that if no security context is supplied on add or present on policy to be deleted, the SELinux module allows the change unconditionally. The hook is called on deletion when no context is present, which we may want to change. At present, I left it up to the module.
  LSM changes: The patch adds two new LSM hooks: xfrm_policy_delete and xfrm_state_delete. The new hooks are necessary to authorize deletion of IPsec policies that have security contexts. The existing hooks xfrm_policy_free and xfrm_state_free lack the context to do the authorization, so I decided to split authorization of deletion and memory management of security data, as is typical in the LSM interface.
  Use: The new delete hooks are checked when xfrm_policy or xfrm_state are deleted by either the xfrm_user interface (xfrm_get_policy, xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
  SELinux changes: The new policy_delete and state_delete functions are added.
  Signed-off-by: Catherine Zhang <cxzhang@watson.ibm.com>
  Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
  Acked-by: James Morris <jmorris@namei.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4]: Right prototype of __raw_v4_lookup() (Alexey Dobriyan, 2006-06-18)
  All users pass 32-bit values as addresses and internally they're compared with 32-bit entities. So, change "laddr" and "raddr" types to __be32.
  Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4] igmp: Fixup struct ip_mc_list::multiaddr type (Alexey Dobriyan, 2006-06-18)
  All users except two expect 32-bit big-endian value. One is of ->multiaddr = ->multiaddr variety. And last one is "%08lX".
  Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP]: Minimum congestion window consolidation. (Stephen Hemminger, 2006-06-18)
  Many of the TCP congestion methods all just use ssthresh as the minimum congestion window on decrease. Rather than duplicating the code, just have that be the default if that handle in the ops structure is not set.
  Minor behaviour change to TCP compound. It probably wants to use this (ssthresh) as lower bound, rather than ssthresh/2 because the latter causes undershoot on loss.
  Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: Add SIP connection tracking helper (Patrick McHardy, 2006-06-18)
  Add SIP connection tracking helper. Originally written by Christian Hentschel <chentschel@arnet.com.ar>, some cleanup, minor fixes and bidirectional SIP support added by myself.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: H.323 helper: Add support for Call Forwarding (Jing Min Zhao, 2006-06-18)
  Signed-off-by: Jing Min Zhao <zhaojingmin@users.sourceforge.net>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: ctnetlink: fix NAT configuration (Patrick McHardy, 2006-06-18)
  The current configuration only allows to configure one manip and overloads conntrack status flags with netlink semantic.
  Signed-off-by: Patrick Mchardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: conntrack: add fixed timeout flag in connection tracking (Eric Leblond, 2006-06-18)
  Add a flag in a connection status to have a non updated timeout. This permits to have connection that automatically die at a given time.
  Signed-off-by: Eric Leblond <eric@inl.fr>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: conntrack: add sysctl to disable checksumming (Patrick McHardy, 2006-06-18)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: x_tables: add statistic match (Patrick McHardy, 2006-06-18)
  Add statistic match which is a combination of the nth and random matches.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: x_tables: add quota match (Patrick McHardy, 2006-06-18)
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC] xfrm: Use IPPROTO_MAX instead of 256 (Herbert Xu, 2006-06-18)
  The size of the type_map array (256) comes from the number of IP protocols, i.e., IPPROTO_MAX. This patch is based on a suggestion from Ingo Oeser.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC] xfrm: Abstract out encapsulation modes (Herbert Xu, 2006-06-18)
  This patch adds the structure xfrm_mode. It is meant to represent the operations carried out by transport/tunnel modes.
  By doing this we allow additional encapsulation modes to be added without clogging up the xfrm_input/xfrm_output paths.
  Candidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and BEET modes.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC] xfrm: Undo afinfo lock proliferation (Herbert Xu, 2006-06-18)
  The number of locks used to manage afinfo structures can easily be reduced down to one each for policy and state respectively. This is based on the observation that the write locks are only held by module insertion/removal which are very rare events so there is no need to further differentiate between the insertion of modules like ipv6 versus esp6.
  The removal of the read locks in xfrm4_policy.c/xfrm6_policy.c might look suspicious at first. However, after you realise that nobody ever takes the corresponding write lock you'll feel better :)
  As far as I can gather it's an attempt to guard against the removal of the corresponding modules. Since neither module can be unloaded at all we can leave it to whoever fixes up IPv6 unloading :)
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [TG3]: Add 5786 PCI ID (Michael Chan, 2006-06-18)
  Add PCI ID for BCM5786 which is a variant of 5787.
  Signed-off-by: Michael Chan <mchan@broadcom.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [LLC]: add multicast support for datagrams (Stephen Hemminger, 2006-06-18)
  Allow multicast reception of datagrams (similar to UDP). All sockets bound to the same SAP receive a clone.
  Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [LLC]: use more efficient ether address routines (Stephen Hemminger, 2006-06-18)
  Use more cache efficient Ethernet address manipulation functions in etherdevice.h.
  Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
* [I/OAT]: Add a sysctl for tuning the I/OAT offloaded I/O threshold (Chris Leech, 2006-06-18)
  Any socket recv of less than this amount will not be offloaded
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: Make sk_eat_skb I/OAT aware. (Chris Leech, 2006-06-18)
  Add an extra argument to sk_eat_skb, and make it move early copied packets to the async_wait_queue instead of freeing them.
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: Rename cleanup_rbuf to tcp_cleanup_rbuf and make non-static (Chris Leech, 2006-06-18)
  Needed to be able to call tcp_cleanup_rbuf in tcp_input.c for I/OAT
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: Structure changes for TCP recv offload to I/OAT (Chris Leech, 2006-06-18)
  Adds an async_wait_queue and some additional fields to tcp_sock, and a dma_cookie_t to sk_buff.
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: Utility functions for offloading sk_buff to iovec copies (Chris Leech, 2006-06-18)
  Provides for pinning user space pages in memory, copying to iovecs, and copying from sk_buffs including fragmented and chained sk_buffs.
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: Setup the networking subsystem as a DMA client (Chris Leech, 2006-06-18)
  Attempts to allocate per-CPU DMA channels
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: Move PCI_DEVICE_ID_INTEL_IOAT to linux/pci_ids.h (David S. Miller, 2006-06-18)
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: DMA memcpy subsystem (Chris Leech, 2006-06-18)
  Provides an API for offloading memory copies to DMA devices
  Signed-off-by: Chris Leech <christopher.leech@intel.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* [PATCH] powerpc: enable CPU_FTR_CI_LARGE_PAGE for cell (Arnd Bergmann, 2006-06-17)
  Reflect the fact that the Cell Broadband Engine supports 64k pages by adding the bit to the CPU features.
  Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* Merge master.kernel.org:/home/rmk/linux-2.6-arm (Linus Torvalds, 2006-06-12)
  * master.kernel.org:/home/rmk/linux-2.6-arm:
    [ARM] Fix Integrator and Versatile interrupt initialisation
    [ARM] 3546/1: PATCH: subtle lost interrupts bug on i.MX
    [ARM] 3547/1: PXA-OHCI: Allow platforms to specify a power budget
    [ARM] Fix Neponset IRQ handling
| * [ARM] 3547/1: PXA-OHCI: Allow platforms to specify a power budget (Richard Purdie, 2006-06-08)
  Patch from Richard Purdie
  Add a power budget variable to the PXA OHCI platform data and add a default value for the spitz platform(s) which prevents known failures with certain USB devices.
  Signed-off-by: Richard Purdie <rpurdie@rpsys.net>
  Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* | [PATCH] PCI: fix pciehp compile issue when CONFIG_ACPI is not enabled (akpm@osdl.org, 2006-06-11)
  Fix build error when CONFIG_ACPI not defined
  Signed-off-by: Kristen Carlson Accardi <kristen.c.accardi@intel.com>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* | [PATCH] I2O: Bugfixes to get I2O working again (Markus Lidel, 2006-06-10)
  From: Markus Lidel <Markus.Lidel@shadowconnect.com>
  - Fixed locking of struct i2o_exec_wait in Executive-OSM
  - Removed LCT Notify in i2o_exec_probe() which caused freeing memory and accessing freed memory during first enumeration of I2O devices
  - Added missing locking in i2o_exec_lct_notify()
  - removed put_device() of I2O controller in i2o_iop_remove() which caused the controller structure get freed too early
  - Fixed size of mempool in i2o_iop_alloc()
  - Fixed access to freed memory in i2o_msg_get()
  See http://bugzilla.kernel.org/show_bug.cgi?id=6561
  Signed-off-by: Markus Lidel <Markus.Lidel@shadowconnect.com>
  Cc: <stable@kernel.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* | [PATCH] s390: fix in-user atomic futex operation. (Martin Schwidefsky, 2006-06-08)
  From: Martin Schwidefsky <schwidefsky@de.ibm.com>
  __futex_atomic_op needs to do an atomic operation in the user address space, not the kernel address space. Add the missing sacf 256/sacf 0 to switch to the secondary mode before doing the compare-and-swap. In addition add another fixup for catch specification exceptions if the compare-and-swap address is not aligned.
  Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* | [PATCH] elevator switching race (Jens Axboe, 2006-06-08)
  There's a race between shutting down one io scheduler and firing up the next, in which a new io could enter and cause the io scheduler to be invoked with bad or NULL data.
  To fix this, we need to maintain the queue lock for a bit longer. Unfortunately we cannot do that, since the elevator init requires to be run without the lock held. This isn't easily fixable, without also changing the mempool API. So split the initialization into two parts, an alloc-init operation and an attach operation. Then we can preallocate the io scheduler and related structures, and run the attach inside the lock after we detach the old one.
  This patch has survived 30 minutes of 1 second io scheduler switching with a very busy io load.
  Signed-off-by: Jens Axboe <axboe@suse.de>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* | [PATCH] Fix mempolicy.h build error (Ralf Baechle, 2006-06-08)
  From: Ralf Baechle <ralf@linux-mips.org>
  <linux/mempolicy.h> uses struct mm_struct and relies on a definition or declaration somehow magically being dragged in which may result in a build:
    [...]
    CC mm/mempolicy.o
    In file included from mm/mempolicy.c:69:
    include/linux/mempolicy.h:150: warning: ‘struct mm_struct’ declared inside parameter list
    include/linux/mempolicy.h:150: warning: its scope is only this definition or declaration, which is probably not what you want
    include/linux/mempolicy.h:175: warning: ‘struct mm_struct’ declared inside parameter list
    mm/mempolicy.c:622: error: conflicting types for ‘do_migrate_pages’
    include/linux/mempolicy.h:175: error: previous declaration of ‘do_migrate_pages’ was here
    mm/mempolicy.c:1661: error: conflicting types for ‘mpol_rebind_mm’
    include/linux/mempolicy.h:150: error: previous declaration of ‘mpol_rebind_mm’ was here
    make[1]: *** [mm/mempolicy.o] Error 1
    make: *** [mm] Error 2
    [ralf@denk linux-ip35]$
  Including <linux/sched.h> is a step into direction of include hell so fixed by adding a forward declaration of struct mm_struct instead.
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* Merge master.kernel.org:/home/rmk/linux-2.6-serial (Linus Torvalds, 2006-06-05)
  * master.kernel.org:/home/rmk/linux-2.6-serial:
    [SERIAL] typo: buad -> baud
| * [SERIAL] typo: buad -> baud (Horst Schirmeier, 2006-06-05)
  Replacing mistyped "buad" with "baud" where applicable.
  Signed-off-by: Horst Schirmeier <horst@schirmeier.com>
  Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* | [MIPS] Fix sparsemem support. (Chad Reese, 2006-06-05)
  Move memory_present() in arch/mips/kernel/setup.c. When using sparsemem extreme, this function does an allocate for bootmem. This would always fail since init_bootmem hasn't been called yet.
  Move memory_present after free_bootmem. This only marks actual memory ranges as present instead of the entire address space.
  Signed-off-by: Chad Reese <creese@caviumnetworks.com>
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Fix 64-bit build for RM7000. (Ralf Baechle, 2006-06-05)
  RM7000 has 40-bit virtual / 36-bit physical address space.
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Fix non-linear memory mapping on MIPS (Sergei Shtylyov, 2006-06-05)
  Fix the non-linear memory mapping done via remap_file_pages() -- it didn't work on any MIPS CPU because the page offset clashing with _PAGE_FILE and some other page protection bits which should have been left zeros for this kind of pages.
  Signed-off-by: Konstantin Baydarov <kbaidarov@ru.mvista.com>
  Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Fix swap entry for MIPS32 36-bit physical address (Sergei Shtylyov, 2006-06-05)
  With 64-bit physical address enabled, 'swapon' was causing kernel oops on Alchemy CPUs (MIPS32) because of the swap entry type field corrupting the _PAGE_FILE bit in 'pte_low' field. So, switch to storing the swap entry in 'pte_high' field using all its bits except _PAGE_GLOBAL and _PAGE_VALID which gives 25 bits for the swap entry offset.
  Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Fix mprotect() syscall for MIPS32 w/36-bit physical address support (Sergei Shtylyov, 2006-06-05)
  Fix mprotect() syscall for MIPS32 CPUs with 36-bit physical address support: pte_modify() macro didn't clear the hardware page protection bits before modifying...
  Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Fix declaration of smp_prepare_cpus() platform hook. (Ralf Baechle, 2006-06-05)
  A while ago prom_prepare_cpus was replaced by plat_prepare_cpus but the declaration has stayed unchanged.
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Fix instable BogoMIPS on multi-issue processors. (Ralf Baechle, 2006-06-05)
  Increase alignment of BogoMIPS loop to 8 bytes. Having the delay loop overlap cache line boundaries may cause instable delays.
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [MIPS] Remove duplicate declaration of cpu_online_map. (Ralf Baechle, 2006-06-05)
  Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | [PATCH] uml: more __user annotations (Al Viro, 2006-06-05)
  From: Al Viro <viro@zeniv.linux.org.uk>
  uml __user annotations
  Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  Signed-off-by: Jeff Dike <jdike@addtoit.com>
  Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
  Signed-off-by: Andrew Morton <akpm@osdl.org>
  Signed-off-by: Linus Torvalds <torvalds@osdl.org>