<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv4/devinet.c, branch linux-3.9.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: ipv4: fix schedule while atomic bug in check_lifetime()</title>
<updated>2013-04-08T16:04:51+00:00</updated>
<author>
<name>Jiri Pirko</name>
<email>jiri@resnulli.us</email>
</author>
<published>2013-04-04T23:39:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c988d1e8cbf722e34ee6124b8b89d47fec655b51'/>
<id>c988d1e8cbf722e34ee6124b8b89d47fec655b51</id>
<content type='text'>
move might_sleep operations out of the rcu_read_lock() section.
Also fix iterating over ifa_dev-&gt;ifa_list

Introduced by: commit 5c766d642bcaf "ipv4: introduce address lifetime"

Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
move might_sleep operations out of the rcu_read_lock() section.
Also fix iterating over ifa_dev-&gt;ifa_list

Introduced by: commit 5c766d642bcaf "ipv4: introduce address lifetime"

Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv4: reset check_lifetime_work after changing lifetime</title>
<updated>2013-04-08T16:04:51+00:00</updated>
<author>
<name>Jiri Pirko</name>
<email>jiri@resnulli.us</email>
</author>
<published>2013-04-04T23:39:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=05a324b9c50c3edbe0ce48ee3e37b210859ef1ae'/>
<id>05a324b9c50c3edbe0ce48ee3e37b210859ef1ae</id>
<content type='text'>
This will result in calling check_lifetime in nearest opportunity and
that function will adjust next time to call check_lifetime correctly.
Without this, check_lifetime is called in time computed by previous run,
not affecting modified lifetime.

Introduced by: commit 5c766d642bcaf "ipv4: introduce address lifetime"

Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This will result in calling check_lifetime in nearest opportunity and
that function will adjust next time to call check_lifetime correctly.
Without this, check_lifetime is called in time computed by previous run,
not affecting modified lifetime.

Introduced by: commit 5c766d642bcaf "ipv4: introduce address lifetime"

Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv4: notify when address lifetime changes</title>
<updated>2013-04-05T04:51:12+00:00</updated>
<author>
<name>Jiri Pirko</name>
<email>jiri@resnulli.us</email>
</author>
<published>2013-04-04T08:33:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=34e2ed34a035de07277cca817fe8264324398141'/>
<id>34e2ed34a035de07277cca817fe8264324398141</id>
<content type='text'>
if userspace changes lifetime of address, send netlink notification and
call notifier.

Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
if userspace changes lifetime of address, send netlink notification and
call notifier.

Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>hlist: drop the node parameter from iterators</title>
<updated>2013-02-28T03:10:24+00:00</updated>
<author>
<name>Sasha Levin</name>
<email>sasha.levin@oracle.com</email>
</author>
<published>2013-02-28T01:06:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b67bfe0d42cac56c512dd5da4b1b347a23f4b70a'/>
<id>b67bfe0d42cac56c512dd5da4b1b347a23f4b70a</id>
<content type='text'>
I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj-&gt;member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    &lt;+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+&gt;

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin &lt;peter.senna@gmail.com&gt;
Acked-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Cc: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Cc: Gleb Natapov &lt;gleb@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
I'm not sure why, but the hlist for each entry iterators were conceived

        list_for_each_entry(pos, head, member)

The hlist ones were greedy and wanted an extra parameter:

        hlist_for_each_entry(tpos, pos, head, member)

Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.

Besides the semantic patch, there was some manual work required:

 - Fix up the actual hlist iterators in linux/list.h
 - Fix up the declaration of other iterators based on the hlist ones.
 - A very small amount of places were using the 'node' parameter, this
 was modified to use 'obj-&gt;member' instead.
 - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
 properly, so those had to be fixed up manually.

The semantic patch which is mostly the work of Peter Senna Tschudin is here:

@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

type T;
expression a,c,d,e;
identifier b;
statement S;
@@

-T b;
    &lt;+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
    ...+&gt;

[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin &lt;peter.senna@gmail.com&gt;
Acked-by: Paul E. McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Cc: Wu Fengguang &lt;fengguang.wu@intel.com&gt;
Cc: Marcelo Tosatti &lt;mtosatti@redhat.com&gt;
Cc: Gleb Natapov &lt;gleb@redhat.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: introduce address lifetime</title>
<updated>2013-01-29T18:59:57+00:00</updated>
<author>
<name>Jiri Pirko</name>
<email>jiri@resnulli.us</email>
</author>
<published>2013-01-24T09:41:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5c766d642bcaffd0c2a5b354db2068515b3846cf'/>
<id>5c766d642bcaffd0c2a5b354db2068515b3846cf</id>
<content type='text'>
There are some usecase when lifetime of ipv4 addresses might be helpful.
For example:
1) initramfs networkmanager uses a DHCP daemon to learn network
configuration parameters
2) initramfs networkmanager addresses, routes and DNS configuration
3) initramfs networkmanager is requested to stop
4) initramfs networkmanager stops all daemons including dhclient
5) there are addresses and routes configured but no daemon running. If
the system doesn't start networkmanager for some reason, addresses and
routes will be used forever, which violates RFC 2131.

This patch is essentially a backport of ivp6 address lifetime mechanism
for ipv4 addresses.

Current "ip" tool supports this without any patch (since it does not
distinguish between ipv4 and ipv6 addresses in this perspective.

Also, this should be back-compatible with all current netlink users.

Reported-by: Pavel Šimerda &lt;psimerda@redhat.com&gt;
Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are some usecase when lifetime of ipv4 addresses might be helpful.
For example:
1) initramfs networkmanager uses a DHCP daemon to learn network
configuration parameters
2) initramfs networkmanager addresses, routes and DNS configuration
3) initramfs networkmanager is requested to stop
4) initramfs networkmanager stops all daemons including dhclient
5) there are addresses and routes configured but no daemon running. If
the system doesn't start networkmanager for some reason, addresses and
routes will be used forever, which violates RFC 2131.

This patch is essentially a backport of ivp6 address lifetime mechanism
for ipv4 addresses.

Current "ip" tool supports this without any patch (since it does not
distinguish between ipv4 and ipv6 addresses in this perspective.

Also, this should be back-compatible with all current netlink users.

Reported-by: Pavel Šimerda &lt;psimerda@redhat.com&gt;
Signed-off-by: Jiri Pirko &lt;jiri@resnulli.us&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: fix NULL checking in devinet_ioctl()</title>
<updated>2013-01-07T05:11:18+00:00</updated>
<author>
<name>Xi Wang</name>
<email>xi.wang@gmail.com</email>
</author>
<published>2013-01-05T11:19:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c7e2e1d72ed7707239d20525e0ebcad7e3303659'/>
<id>c7e2e1d72ed7707239d20525e0ebcad7e3303659</id>
<content type='text'>
The NULL pointer check `!ifa' should come before its first use.

[ Bug origin : commit fd23c3b31107e2fc483301ee923d8a1db14e53f4
  (ipv4: Add hash table of interface addresses) in linux-2.6.39 ]

Signed-off-by: Xi Wang &lt;xi.wang@gmail.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The NULL pointer check `!ifa' should come before its first use.

[ Bug origin : commit fd23c3b31107e2fc483301ee923d8a1db14e53f4
  (ipv4: Add hash table of interface addresses) in linux-2.6.39 ]

Signed-off-by: Xi Wang &lt;xi.wang@gmail.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netconf: advertise mc_forwarding status</title>
<updated>2012-12-04T18:08:10+00:00</updated>
<author>
<name>Nicolas Dichtel</name>
<email>nicolas.dichtel@6wind.com</email>
</author>
<published>2012-12-04T01:13:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d67b8c616b48df30e2836d797795f2420d109bc9'/>
<id>d67b8c616b48df30e2836d797795f2420d109bc9</id>
<content type='text'>
This patch advertise the MC_FORWARDING status for IPv4 and IPv6.
This field is readonly, only multicast engine in the kernel updates it.

Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch advertise the MC_FORWARDING status for IPv4 and IPv6.
This field is readonly, only multicast engine in the kernel updates it.

Signed-off-by: Nicolas Dichtel &lt;nicolas.dichtel@6wind.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Enable a userns root rtnl calls that are safe for unprivilged users</title>
<updated>2012-11-19T01:33:36+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-11-16T03:03:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b51642f6d77b131dc85d1d71029c3cbb5b07c262'/>
<id>b51642f6d77b131dc85d1d71029c3cbb5b07c262</id>
<content type='text'>
- Only allow moving network devices to network namespaces you have
  CAP_NET_ADMIN privileges over.

- Enable creating/deleting/modifying interfaces
- Enable adding/deleting addresses
- Enable adding/setting/deleting neighbour entries
- Enable adding/removing routes
- Enable adding/removing fib rules
- Enable setting the forwarding state
- Enable adding/removing ipv6 address labels
- Enable setting bridge parameter

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Only allow moving network devices to network namespaces you have
  CAP_NET_ADMIN privileges over.

- Enable creating/deleting/modifying interfaces
- Enable adding/deleting addresses
- Enable adding/setting/deleting neighbour entries
- Enable adding/removing routes
- Enable adding/removing fib rules
- Enable setting the forwarding state
- Enable adding/removing ipv6 address labels
- Enable setting bridge parameter

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Enable some sysctls that are safe for the userns root</title>
<updated>2012-11-19T01:33:00+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-11-16T03:03:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c027aab4a6b1fe2541090ac04bee8ad246aeef70'/>
<id>c027aab4a6b1fe2541090ac04bee8ad246aeef70</id>
<content type='text'>
- Enable the per device ipv4 sysctls:
   net/ipv4/conf/&lt;if&gt;/forwarding
   net/ipv4/conf/&lt;if&gt;/mc_forwarding
   net/ipv4/conf/&lt;if&gt;/accept_redirects
   net/ipv4/conf/&lt;if&gt;/secure_redirects
   net/ipv4/conf/&lt;if&gt;/shared_media
   net/ipv4/conf/&lt;if&gt;/rp_filter
   net/ipv4/conf/&lt;if&gt;/send_redirects
   net/ipv4/conf/&lt;if&gt;/accept_source_route
   net/ipv4/conf/&lt;if&gt;/accept_local
   net/ipv4/conf/&lt;if&gt;/src_valid_mark
   net/ipv4/conf/&lt;if&gt;/proxy_arp
   net/ipv4/conf/&lt;if&gt;/medium_id
   net/ipv4/conf/&lt;if&gt;/bootp_relay
   net/ipv4/conf/&lt;if&gt;/log_martians
   net/ipv4/conf/&lt;if&gt;/tag
   net/ipv4/conf/&lt;if&gt;/arp_filter
   net/ipv4/conf/&lt;if&gt;/arp_announce
   net/ipv4/conf/&lt;if&gt;/arp_ignore
   net/ipv4/conf/&lt;if&gt;/arp_accept
   net/ipv4/conf/&lt;if&gt;/arp_notify
   net/ipv4/conf/&lt;if&gt;/proxy_arp_pvlan
   net/ipv4/conf/&lt;if&gt;/disable_xfrm
   net/ipv4/conf/&lt;if&gt;/disable_policy
   net/ipv4/conf/&lt;if&gt;/force_igmp_version
   net/ipv4/conf/&lt;if&gt;/promote_secondaries
   net/ipv4/conf/&lt;if&gt;/route_localnet

- Enable the global ipv4 sysctl:
   net/ipv4/ip_forward

- Enable the per device ipv6 sysctls:
   net/ipv6/conf/&lt;if&gt;/forwarding
   net/ipv6/conf/&lt;if&gt;/hop_limit
   net/ipv6/conf/&lt;if&gt;/mtu
   net/ipv6/conf/&lt;if&gt;/accept_ra
   net/ipv6/conf/&lt;if&gt;/accept_redirects
   net/ipv6/conf/&lt;if&gt;/autoconf
   net/ipv6/conf/&lt;if&gt;/dad_transmits
   net/ipv6/conf/&lt;if&gt;/router_solicitations
   net/ipv6/conf/&lt;if&gt;/router_solicitation_interval
   net/ipv6/conf/&lt;if&gt;/router_solicitation_delay
   net/ipv6/conf/&lt;if&gt;/force_mld_version
   net/ipv6/conf/&lt;if&gt;/use_tempaddr
   net/ipv6/conf/&lt;if&gt;/temp_valid_lft
   net/ipv6/conf/&lt;if&gt;/temp_prefered_lft
   net/ipv6/conf/&lt;if&gt;/regen_max_retry
   net/ipv6/conf/&lt;if&gt;/max_desync_factor
   net/ipv6/conf/&lt;if&gt;/max_addresses
   net/ipv6/conf/&lt;if&gt;/accept_ra_defrtr
   net/ipv6/conf/&lt;if&gt;/accept_ra_pinfo
   net/ipv6/conf/&lt;if&gt;/accept_ra_rtr_pref
   net/ipv6/conf/&lt;if&gt;/router_probe_interval
   net/ipv6/conf/&lt;if&gt;/accept_ra_rt_info_max_plen
   net/ipv6/conf/&lt;if&gt;/proxy_ndp
   net/ipv6/conf/&lt;if&gt;/accept_source_route
   net/ipv6/conf/&lt;if&gt;/optimistic_dad
   net/ipv6/conf/&lt;if&gt;/mc_forwarding
   net/ipv6/conf/&lt;if&gt;/disable_ipv6
   net/ipv6/conf/&lt;if&gt;/accept_dad
   net/ipv6/conf/&lt;if&gt;/force_tllao

- Enable the global ipv6 sysctls:
   net/ipv6/bindv6only
   net/ipv6/icmp/ratelimit

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Enable the per device ipv4 sysctls:
   net/ipv4/conf/&lt;if&gt;/forwarding
   net/ipv4/conf/&lt;if&gt;/mc_forwarding
   net/ipv4/conf/&lt;if&gt;/accept_redirects
   net/ipv4/conf/&lt;if&gt;/secure_redirects
   net/ipv4/conf/&lt;if&gt;/shared_media
   net/ipv4/conf/&lt;if&gt;/rp_filter
   net/ipv4/conf/&lt;if&gt;/send_redirects
   net/ipv4/conf/&lt;if&gt;/accept_source_route
   net/ipv4/conf/&lt;if&gt;/accept_local
   net/ipv4/conf/&lt;if&gt;/src_valid_mark
   net/ipv4/conf/&lt;if&gt;/proxy_arp
   net/ipv4/conf/&lt;if&gt;/medium_id
   net/ipv4/conf/&lt;if&gt;/bootp_relay
   net/ipv4/conf/&lt;if&gt;/log_martians
   net/ipv4/conf/&lt;if&gt;/tag
   net/ipv4/conf/&lt;if&gt;/arp_filter
   net/ipv4/conf/&lt;if&gt;/arp_announce
   net/ipv4/conf/&lt;if&gt;/arp_ignore
   net/ipv4/conf/&lt;if&gt;/arp_accept
   net/ipv4/conf/&lt;if&gt;/arp_notify
   net/ipv4/conf/&lt;if&gt;/proxy_arp_pvlan
   net/ipv4/conf/&lt;if&gt;/disable_xfrm
   net/ipv4/conf/&lt;if&gt;/disable_policy
   net/ipv4/conf/&lt;if&gt;/force_igmp_version
   net/ipv4/conf/&lt;if&gt;/promote_secondaries
   net/ipv4/conf/&lt;if&gt;/route_localnet

- Enable the global ipv4 sysctl:
   net/ipv4/ip_forward

- Enable the per device ipv6 sysctls:
   net/ipv6/conf/&lt;if&gt;/forwarding
   net/ipv6/conf/&lt;if&gt;/hop_limit
   net/ipv6/conf/&lt;if&gt;/mtu
   net/ipv6/conf/&lt;if&gt;/accept_ra
   net/ipv6/conf/&lt;if&gt;/accept_redirects
   net/ipv6/conf/&lt;if&gt;/autoconf
   net/ipv6/conf/&lt;if&gt;/dad_transmits
   net/ipv6/conf/&lt;if&gt;/router_solicitations
   net/ipv6/conf/&lt;if&gt;/router_solicitation_interval
   net/ipv6/conf/&lt;if&gt;/router_solicitation_delay
   net/ipv6/conf/&lt;if&gt;/force_mld_version
   net/ipv6/conf/&lt;if&gt;/use_tempaddr
   net/ipv6/conf/&lt;if&gt;/temp_valid_lft
   net/ipv6/conf/&lt;if&gt;/temp_prefered_lft
   net/ipv6/conf/&lt;if&gt;/regen_max_retry
   net/ipv6/conf/&lt;if&gt;/max_desync_factor
   net/ipv6/conf/&lt;if&gt;/max_addresses
   net/ipv6/conf/&lt;if&gt;/accept_ra_defrtr
   net/ipv6/conf/&lt;if&gt;/accept_ra_pinfo
   net/ipv6/conf/&lt;if&gt;/accept_ra_rtr_pref
   net/ipv6/conf/&lt;if&gt;/router_probe_interval
   net/ipv6/conf/&lt;if&gt;/accept_ra_rt_info_max_plen
   net/ipv6/conf/&lt;if&gt;/proxy_ndp
   net/ipv6/conf/&lt;if&gt;/accept_source_route
   net/ipv6/conf/&lt;if&gt;/optimistic_dad
   net/ipv6/conf/&lt;if&gt;/mc_forwarding
   net/ipv6/conf/&lt;if&gt;/disable_ipv6
   net/ipv6/conf/&lt;if&gt;/accept_dad
   net/ipv6/conf/&lt;if&gt;/force_tllao

- Enable the global ipv6 sysctls:
   net/ipv6/bindv6only
   net/ipv6/icmp/ratelimit

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: Allow userns root to control ipv4</title>
<updated>2012-11-19T01:32:45+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2012-11-16T03:03:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=52e804c6dfaa5df1e4b0e290357b82ad4e4cda2c'/>
<id>52e804c6dfaa5df1e4b0e290357b82ad4e4cda2c</id>
<content type='text'>
Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net-&gt;user_ns,
CAP_NET_ADMIN), or capable(net-&gt;user_ns, CAP_NET_RAW) calls.

Settings that merely control a single network device are allowed.
Either the network device is a logical network device where
restrictions make no difference or the network device is hardware NIC
that has been explicity moved from the initial network namespace.

In general policy and network stack state changes are allowed
while resource control is left unchanged.

Allow creating raw sockets.
Allow the SIOCSARP ioctl to control the arp cache.
Allow the SIOCSIFFLAG ioctl to allow setting network device flags.
Allow the SIOCSIFADDR ioctl to allow setting a netdevice ipv4 address.
Allow the SIOCSIFBRDADDR ioctl to allow setting a netdevice ipv4 broadcast address.
Allow the SIOCSIFDSTADDR ioctl to allow setting a netdevice ipv4 destination address.
Allow the SIOCSIFNETMASK ioctl to allow setting a netdevice ipv4 netmask.
Allow the SIOCADDRT and SIOCDELRT ioctls to allow adding and deleting ipv4 routes.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
adding, changing and deleting gre tunnels.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
adding, changing and deleting ipip tunnels.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
adding, changing and deleting ipsec virtual tunnel interfaces.

Allow setting the MRT_INIT, MRT_DONE, MRT_ADD_VIF, MRT_DEL_VIF, MRT_ADD_MFC,
MRT_DEL_MFC, MRT_ASSERT, MRT_PIM, MRT_TABLE socket options on multicast routing
sockets.

Allow setting and receiving IPOPT_CIPSO, IP_OPT_SEC, IP_OPT_SID and
arbitrary ip options.

Allow setting IP_SEC_POLICY/IP_XFRM_POLICY ipv4 socket option.
Allow setting the IP_TRANSPARENT ipv4 socket option.
Allow setting the TCP_REPAIR socket option.
Allow setting the TCP_CONGESTION socket option.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net-&gt;user_ns,
CAP_NET_ADMIN), or capable(net-&gt;user_ns, CAP_NET_RAW) calls.

Settings that merely control a single network device are allowed.
Either the network device is a logical network device where
restrictions make no difference or the network device is hardware NIC
that has been explicity moved from the initial network namespace.

In general policy and network stack state changes are allowed
while resource control is left unchanged.

Allow creating raw sockets.
Allow the SIOCSARP ioctl to control the arp cache.
Allow the SIOCSIFFLAG ioctl to allow setting network device flags.
Allow the SIOCSIFADDR ioctl to allow setting a netdevice ipv4 address.
Allow the SIOCSIFBRDADDR ioctl to allow setting a netdevice ipv4 broadcast address.
Allow the SIOCSIFDSTADDR ioctl to allow setting a netdevice ipv4 destination address.
Allow the SIOCSIFNETMASK ioctl to allow setting a netdevice ipv4 netmask.
Allow the SIOCADDRT and SIOCDELRT ioctls to allow adding and deleting ipv4 routes.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
adding, changing and deleting gre tunnels.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
adding, changing and deleting ipip tunnels.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL and SIOCDELTUNNEL ioctls for
adding, changing and deleting ipsec virtual tunnel interfaces.

Allow setting the MRT_INIT, MRT_DONE, MRT_ADD_VIF, MRT_DEL_VIF, MRT_ADD_MFC,
MRT_DEL_MFC, MRT_ASSERT, MRT_PIM, MRT_TABLE socket options on multicast routing
sockets.

Allow setting and receiving IPOPT_CIPSO, IP_OPT_SEC, IP_OPT_SID and
arbitrary ip options.

Allow setting IP_SEC_POLICY/IP_XFRM_POLICY ipv4 socket option.
Allow setting the IP_TRANSPARENT ipv4 socket option.
Allow setting the TCP_REPAIR socket option.
Allow setting the TCP_CONGESTION socket option.

Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
