Al Viro [Tue, 21 Nov 2006 01:22:08 +0000 (17:22 -0800)]
[SCTP]: sctp_make_asconf_update_ip() and sctp_find_unmatch_addr().
... switched to taking and returning pointers to net-endian
sctp_addr resp. Together, since the only user of sctp_find_unmatch_addr()
just passes its value to sctp_make_asconf_update_ip().
sctp_make_asconf_update_ip() is actually endian-agnostic.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:12:25 +0000 (17:12 -0800)]
[SCTP]: sctp_process_init() and sctp_source() switched to net-endian.
both are done in one go since almost always we have result of
the latter immediately passed to the former. Possibly non-obvious
note: sctp_process_param() is endian-agnostic
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:08:41 +0000 (17:08 -0800)]
[SCTP]: Switch sctp_assoc_is_match to net-endian.
Along with it, statics in input.c that end up calling it
(__sctp_lookup_association, sctp_lookup_association,
__sctp_rcv_init_lookup, __sctp_rcv_lookup). Callers
are adjusted.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:06:24 +0000 (17:06 -0800)]
[SCTP]: Annotate ->dst_saddr()
switched to taking a pointer to net-endian sctp_addr
and a net-endian port number. Instances and callers
adjusted; interestingly enough, the only calls are
direct calls of specific instances - the method is not
used at all.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:05:23 +0000 (17:05 -0800)]
[SCTP]: Switch ->cmp_addr() and sctp_cmp_addr_exact() to net-endian.
instances of ->cmp_addr() are fine with switching both arguments
to net-endian; callers other than in sctp_cmp_addr_exact() (both
as ->cmp_addr(...) and direct calls of instances) adjusted;
sctp_cmp_addr_exact() switched to net-endian itself and adjustment
is done in its callers
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:04:42 +0000 (17:04 -0800)]
[SCTP] embedded sctp_addr: net-endian mirrors
Add sctp_chunk->source, sctp_sockaddr_entry->a, sctp_transport->ipaddr
and sctp_transport->saddr, maintain them as net-endian mirrors of
their host-endian counterparts.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:04:10 +0000 (17:04 -0800)]
[SCTP]: Beginning of conversion to net-endian for embedded sctp_addr.
Part 1: rename sctp_chunk->source, sctp_sockaddr_entry->a,
sctp_transport->ipaddr and sctp_transport->saddr (to ..._h)
The next patch will reintroduce these fields and keep them as
net-endian mirrors of the original (renamed) ones. Split in
two patches to make sure that we hadn't forgotten any instances.
Later in the series we'll eliminate uses of host-endian variants
(basically switching users to net-endian counterparts as we
progress through that mess). Then host-endian ones will die.
Other embedded host-endian sctp_addr will be easier to switch
directly, so we leave them alone for now.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
a) struct sockaddr_storage * passed to sctp_ulpevent_make_peer_addr_change()
actually points at union sctp_addr field in a structure. Then that sucker
gets copied to userland, with whatever junk we might have there.
b) it's actually having host-endian sin_port.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:02:22 +0000 (17:02 -0800)]
[SCTP] bug: sctp_assoc_lookup_laddr() is broken with ipv6.
It expects (and gets) laddr with net-endian sin_port. And then it calls
sctp_bind_addr_match(), which *does* care about port numbers in case of
ipv6 and expects them to be host-endian.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:02:01 +0000 (17:02 -0800)]
[SCTP]: Beginning of sin_port fixes.
That's going to be a long series. Introduced temporary helpers
doing copy-and-convert for sctp_addr; they are used to kill
flip-in-place in global data structures and will be used
to gradually push host-endian uses of sctp_addr out of existence.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Al Viro [Tue, 21 Nov 2006 01:00:44 +0000 (17:00 -0800)]
[SCTP]: SCTP_CMD_INIT_FAILED annotations.
argument stored for SCTP_CMD_INIT_FAILED is always __be16
(protocol error). Introduced new field and accessor for
it (SCTP_PERR()); switched to their use (from SCTP_U32() and
.u32)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gerrit Renker [Mon, 20 Nov 2006 20:39:23 +0000 (18:39 -0200)]
[DCCP]: Simplified conditions due to use of enum:8 states
This reaps the benefit of the earlier patch, which changed the type of
CCID 3 states to use enums, in that many conditions are now simplified
and the number of possible (unexpected) values is greatly reduced.
In a few instances, this also allowed simplifying pre-conditions, where
care has been taken to retain logical equivalence.
[DCCP]: Introduce a consistent BUG/WARN message scheme
This refines the existing set of DCCP messages so that
* BUG(), BUG_ON(), WARN_ON() have meaningful DCCP-specific counterparts
* DCCP_CRIT (for severe warnings) is not rate-limited
* DCCP_WARN() is introduced as rate-limited wrapper
Using these allows a faster and cleaner transition to their original
counterparts once the code has matured into a full DCCP implementation.
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Ian McDonald [Mon, 20 Nov 2006 20:30:17 +0000 (18:30 -0200)]
[DCCP]: Set TX Queue Length Bounds via Sysctl
Previously the transmit queue was unbounded.
This patch:
* puts a limit on transmit queue length
and sends back EAGAIN if the buffer is full
* sets the TX queue length to a sensible default
* implements tx buffer sysctls for DCCP
Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz>
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Gerrit Renker [Mon, 20 Nov 2006 20:26:03 +0000 (18:26 -0200)]
[DCCP]: enable debug messages also for static builds
This patch
* makes debugging (when configured) work both for static / module build
* provides generic debugging macros for use in other DCCP / CCID modules
* adds missing information about debug parameters to Kconfig
* performs some code tidy-up
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
Michael Chan [Sun, 19 Nov 2006 22:06:40 +0000 (14:06 -0800)]
[BNX2]: Fix Xen problem.
This fixes the problem of not receiving packets in the Xen bridging
environment. The Xen script sets the device's MAC address to
FE:FF:FF:FF:FF:FF and puts the device in promiscuous mode. The
firmware had a problem receiving all packets in this configuration.
New firmware and setting the PROM_VLAN bit when in promiscuous mode
will fix this problem.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Moore [Fri, 17 Nov 2006 22:38:55 +0000 (17:38 -0500)]
NetLabel: honor the audit_enabled flag
The audit_enabled flag is used to signal when syscall auditing is to be
performed. While NetLabel uses a Netlink interface instead of syscalls, it is
reasonable to consider the NetLabel Netlink interface as a form of syscall so
pay attention to the audit_enabled flag when generating audit messages in
NetLabel.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:54 +0000 (17:38 -0500)]
SELinux: peer secid consolidation for external network labeling
Now that labeled IPsec makes use of the peer_sid field in the
sk_security_struct we can remove a lot of the special cases between labeled
IPsec and NetLabel. In addition, create a new function,
security_skb_extlbl_sid(), which we can use in several places to get the
security context of the packet's external label which allows us to further
simplify the code in a few places.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:53 +0000 (17:38 -0500)]
NetLabel: SELinux cleanups
This patch does a lot of cleanup in the SELinux NetLabel support code. A
summary of the changes includes:
* Use RCU locking for the NetLabel state variable in the sk_security_struct
instead of using the inode_security_struct mutex.
* Remove unnecessary parameters in selinux_netlbl_socket_post_create().
* Rename selinux_netlbl_sk_clone_security() to
selinux_netlbl_sk_security_clone() to better fit the other NetLabel
sk_security functions.
* Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
the common case.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:52 +0000 (17:38 -0500)]
NetLabel: use cipso_v4_doi_search() for local CIPSOv4 functions
The cipso_v4_doi_search() function behaves the same as cipso_v4_doi_getdef()
but is a local, static function so use it whenever possible in the CIPSOv4
code base.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:51 +0000 (17:38 -0500)]
NetLabel: use the correct CIPSOv4 MLS label limits
The CIPSOv4 engine currently has MLS label limits which are slightly larger
than what the draft allows. This is not a major problem due to the current
implementation but we should fix this so it doesn't bite us later.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Fri, 17 Nov 2006 22:38:50 +0000 (17:38 -0500)]
NetLabel: return the correct error for translated CIPSOv4 tags
The CIPSOv4 translated tag #1 mapping does not always return the correct error
code if the desired mapping does not exist; instead of returning -EPERM it
returns -ENOSPC indicating that the buffer is not large enough to hold the
translated value. This was caused by failing to check a specific error
condition. This patch fixes this so that unknown mappings return
-EPERM which is consistent with the rest of the related CIPSOv4 code.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>