From 560ee653b67074b805f1b661988a72a0e58811a5 Mon Sep 17 00:00:00 2001
From: James Morris
Date: Mon, 9 Jun 2008 15:57:24 -0700
Subject: netfilter: ip_tables: add iptables security table for mandatory access control rules
The following patch implements a new "security" table for iptables, so that MAC (SELinux etc.) networking rules can be managed separately to standard DAC rules. This is to help with distro integration of the new secmark-based network controls, per various previous discussions. The need for a separate table arises from the fact that existing tools and usage of iptables will likely clash with centralized MAC policy management. The SECMARK and CONNSECMARK targets will still be valid in the mangle table to prevent breakage of existing users.
Signed-off-by: James Morris
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
include/net/netns/ipv4.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 34ee348a2cf2..6ef90b5fafb3 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -36,6 +36,7 @@ struct netns_ipv4 {
 struct xt_table *iptable_mangle;
 struct xt_table *iptable_raw;
 struct xt_table *arptable_filter;
+ struct xt_table *iptable_security;
 #endif
 int sysctl_icmp_echo_ignore_all;
-- cgit v1.2.3
From 17e6e59f0a1d7188d783c15dc3ccebd95a0840cd Mon Sep 17 00:00:00 2001
From: James Morris
Date: Mon, 9 Jun 2008 15:58:05 -0700
Subject: netfilter: ip6_tables: add ip6tables security table
This is a port of the IPv4 security table for IPv6.
Signed-off-by: James Morris
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
include/net/netns/ipv6.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index ac053be6c256..5bacd838e88b 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -35,6 +35,7 @@ struct netns_ipv6 {
 struct xt_table *ip6table_filter;
 struct xt_table *ip6table_mangle;
 struct xt_table *ip6table_raw;
+ struct xt_table *ip6table_security;
 #endif
 struct rt6_info *ip6_null_entry;
 struct rt6_statistics *rt6_stats;
-- cgit v1.2.3
From 0b4419162aa6c4204843f3a13b48d9ab821d3167 Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Mon, 16 Jun 2008 17:14:11 -0700
Subject: netns: introduce the net_hash_mix "salt" for hashes
There are many possible ways to add this "salt", thus I made this patch to be the last in the series to change it if required. Currently I propose to use the struct net pointer itself as this salt, but since this pointer is most often cache-line aligned, shift this right to eliminate the bits, that are most often zeroed. After this, simply add this mix to prepared hashfn-s. For CONFIG_NET_NS=n case this salt is 0 and no changes in hashfn appear.
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/hash.h | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 include/net/netns/hash.h
(limited to 'include/net/netns')
diff --git a/include/net/netns/hash.h b/include/net/netns/hash.h
new file mode 100644
index 000000000000..548d78f2cc47
--- /dev/null
+++ b/include/net/netns/hash.h
@@ -0,0 +1,21 @@
+#ifndef __NET_NS_HASH_H__
+#define __NET_NS_HASH_H__
+
+#include
+
+struct net;
+
+static inline unsigned net_hash_mix(struct net *net)
+{
+#ifdef CONFIG_NET_NS
+ /*
+ * shift this right to eliminate bits, that are
+ * always zeroed
+ */
+
+ return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT);
+#else
+ return 0;
+#endif
+}
+#endif
-- cgit v1.2.3
From 39a23e75087ce815abbddbd565b9a2e567ac47da Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev"
Date: Sat, 5 Jul 2008 19:02:33 -0700
Subject: netns: register net.ipv4.route.flush in each namespace
Signed-off-by: Denis V. Lunev
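Review bot: The CONFIG_NET_NS branch of net_hash_mix derives the salt from the struct net address, so the mix is neither secret nor stable: a namespace whose struct net lands at a previously used address gets the same salt as its predecessor, and any hash the mix feeds that is observable from userspace ends up carrying kernel-pointer bits — the commit message itself frames this choice as provisional. A per-namespace value drawn from the kernel random pool when the namespace is created and stored in struct net would give the intended cross-namespace separation without tying it to an address, with net_hash_mix reduced to returning that field. The `(unsigned)` cast also silently drops the upper half of the shifted pointer on 64-bit, which is harmless for a mix but deserves a line in the existing comment, e.g. `/* truncation to unsigned on 64-bit is intended: only the low word is mixed in */`. The `#include` target is stripped in this rendering, so I can't confirm where L1_CACHE_SHIFT comes from.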
Signed-off-by: David S. Miller
---
include/net/netns/ipv4.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 6ef90b5fafb3..a29adf1ba0ff 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -18,6 +18,7 @@ struct netns_ipv4 {
 struct ctl_table_header *forw_hdr;
 struct ctl_table_header *frags_hdr;
 struct ctl_table_header *ipv4_hdr;
+ struct ctl_table_header *route_hdr;
 #endif
 struct ipv4_devconf *devconf_all;
 struct ipv4_devconf *devconf_dflt;
-- cgit v1.2.3
From 9f5e97e53675caeda48e9988122a30470f4d309d Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev"
Date: Sat, 5 Jul 2008 19:02:59 -0700
Subject: netns: make rt_secret_rebuild timer per namespace
Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
---
include/net/netns/ipv4.h | 2 ++
1 file changed, 2 insertions(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index a29adf1ba0ff..356617f81beb 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -46,5 +46,7 @@ struct netns_ipv4 {
 int sysctl_icmp_ratelimit;
 int sysctl_icmp_ratemask;
 int sysctl_icmp_errors_use_inbound_ifaddr;
+
+ struct timer_list rt_secret_timer;
 };
 #endif
-- cgit v1.2.3
From e84f84f276473dcc673f360e8ff3203148bdf0e2 Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev"
Date: Sat, 5 Jul 2008 19:04:32 -0700
Subject: netns: place rt_genid into struct net
Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
---
include/net/netns/ipv4.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 356617f81beb..a6ed83853dcc 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -48,5 +48,6 @@ struct netns_ipv4 {
 int sysctl_icmp_errors_use_inbound_ifaddr;
 struct timer_list rt_secret_timer;
+ atomic_t rt_genid;
 };
 #endif
-- cgit v1.2.3
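Review bot: `struct timer_list rt_secret_timer` now lives inside struct netns_ipv4 and so shares the lifetime of the namespace, but nothing in this header records that the timer must be stopped synchronously before the netns is released; a namespace freed while the timer is still armed would hand its callback a dangling netns. Suggest a comment on the new field: `/* periodic rebuild of the routing hash secret; must be stopped before this netns is freed */`. The init/exit code that arms and disarms it is outside this hunk, so I can't confirm the teardown is in place.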
From 852566f53ccdc9d1c149ffa28daa9778e13fa3da Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:01:24 -0700
Subject: mib: add netns/mib.h file
The only structure declared within is the netns_mib, which will carry all our mibs within. I didn't put the mibs in the existing netns_xxx structures to make it possible to mark this one as properly aligned and get in a separate "read-mostly" cache-line.
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 include/net/netns/mib.h
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
new file mode 100644
index 000000000000..9f4b31ed18c3
--- /dev/null
+++ b/include/net/netns/mib.h
@@ -0,0 +1,9 @@
+#ifndef __NETNS_MIB_H__
+#define __NETNS_MIB_H__
+
+#include
+
+struct netns_mib {
+};
+
+#endif
-- cgit v1.2.3
From 57ef42d59d1c1d79be59fc3c6380ae14234e38c3 Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:02:08 -0700
Subject: mib: put tcp statistics on struct net
Proc temporary uses stats from init_net. BTW, TCP_XXX_STATS are beautiful (w/o do { } while (0) facing) again :)
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index 9f4b31ed18c3..8f96079bf0e3 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -4,6 +4,7 @@
 #include
 struct netns_mib {
+ DEFINE_SNMP_STAT(struct tcp_mib, tcp_statistics);
 };
 #endif
-- cgit v1.2.3
From a20f5799ca7ceb24d63c74b6fdad4b0c0ee91f4f Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:02:42 -0700
Subject: mib: put ip statistics on struct net
Similar to tcp one.
Signed-off-by: Pavel Emelyanov
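Review bot: The commit message justifies a separate struct netns_mib by the ability to place it on its own read-mostly cache line, but the declaration in this hunk carries no alignment attribute, and the `#include` target is stripped in this rendering so I can't tell what it pulls in. If the alignment is meant to be applied where the member is embedded in struct net, a one-line comment here would save the next reader from looking for it in this file, e.g. `/* intended to sit on its own cache line; alignment is applied by the embedding member */`. The empty body `struct netns_mib { };` is a GNU zero-size-struct extension rather than standard C, acceptable in a kernel header but worth knowing since only the following commits on this page give it members.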
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index 8f96079bf0e3..1094ebbf0b42 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -5,6 +5,7 @@ struct netns_mib {
 DEFINE_SNMP_STAT(struct tcp_mib, tcp_statistics);
+ DEFINE_SNMP_STAT(struct ipstats_mib, ip_statistics);
 };
 #endif
-- cgit v1.2.3
From 61a7e26028b94805fd686a6dc9dbd9941f8f19b0 Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:03:08 -0700
Subject: mib: put net statistics on struct net
Similar to ip and tcp ones :)
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index 1094ebbf0b42..b5b1115adfa8 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -6,6 +6,7 @@ struct netns_mib {
 DEFINE_SNMP_STAT(struct tcp_mib, tcp_statistics);
 DEFINE_SNMP_STAT(struct ipstats_mib, ip_statistics);
+ DEFINE_SNMP_STAT(struct linux_mib, net_statistics);
 };
 #endif
-- cgit v1.2.3
From 2f275f91a438abd8eec5321798d66a4ffe6869fa Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:03:27 -0700
Subject: mib: put udp statistics on struct net
Similar to... ouch, I repeat myself.
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index b5b1115adfa8..738c87ce183d 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -7,6 +7,7 @@ struct netns_mib {
 DEFINE_SNMP_STAT(struct tcp_mib, tcp_statistics);
 DEFINE_SNMP_STAT(struct ipstats_mib, ip_statistics);
 DEFINE_SNMP_STAT(struct linux_mib, net_statistics);
+ DEFINE_SNMP_STAT(struct udp_mib, udp_statistics);
 };
 #endif
-- cgit v1.2.3
From 386019d3514b3ed9de8d0b05b67e638a7048375b Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:03:45 -0700
Subject: mib: put udplite statistics on struct net
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index 738c87ce183d..23e699fdb5cc 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -8,6 +8,7 @@ struct netns_mib {
 DEFINE_SNMP_STAT(struct ipstats_mib, ip_statistics);
 DEFINE_SNMP_STAT(struct linux_mib, net_statistics);
 DEFINE_SNMP_STAT(struct udp_mib, udp_statistics);
+ DEFINE_SNMP_STAT(struct udp_mib, udplite_statistics);
 };
 #endif
-- cgit v1.2.3
From b60538a0d737609213e4b758881913498d3ff0b4 Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:04:02 -0700
Subject: mib: put icmp statistics on struct net
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index 23e699fdb5cc..03f5abdf58e5 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -9,6 +9,7 @@ struct netns_mib {
 DEFINE_SNMP_STAT(struct linux_mib, net_statistics);
 DEFINE_SNMP_STAT(struct udp_mib, udp_statistics);
 DEFINE_SNMP_STAT(struct udp_mib, udplite_statistics);
+ DEFINE_SNMP_STAT(struct icmp_mib, icmp_statistics);
 };
 #endif
-- cgit v1.2.3
From 923c6586b0dc0a00df07a1608185437145a0c68b Mon Sep 17 00:00:00 2001
From: Pavel Emelyanov
Date: Fri, 18 Jul 2008 04:04:22 -0700
Subject: mib: put icmpmsg statistics on struct net
Signed-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller
---
include/net/netns/mib.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'include/net/netns')
diff --git a/include/net/netns/mib.h b/include/net/netns/mib.h
index 03f5abdf58e5..449147604642 100644
--- a/include/net/netns/mib.h
+++ b/include/net/netns/mib.h
@@ -10,6 +10,7 @@ struct netns_mib {
 DEFINE_SNMP_STAT(struct udp_mib, udp_statistics);
 DEFINE_SNMP_STAT(struct udp_mib, udplite_statistics);
 DEFINE_SNMP_STAT(struct icmp_mib, icmp_statistics);
+ DEFINE_SNMP_STAT(struct icmpmsg_mib, icmpmsg_statistics);
 };
 #endif
-- cgit v1.2.3