From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dave.taht@gmail.com>
Received: from mail-we0-f171.google.com (mail-we0-f171.google.com
	[74.125.82.171]) (using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id 025BA20024C
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sun,  1 Apr 2012 10:19:59 -0700 (PDT)
Received: by werm1 with SMTP id m1so2437307wer.16
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sun, 01 Apr 2012 10:19:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:content-type; bh=wz2fxVSRYSVZwTow/XtDZCHTbzqueRwYtDkEzZeGYbU=;
	b=So3YHwMP5Nb2LCTvrQBeiFZhLy5c5ygppF0Av1ESHI3NFg7tyVU7EqkxeerwKOk+n+
	l7hH6fMFotDyBu3b6erYGhnDajvBdl4vb4aYGE64JX2GQZz0CZJxPmno2lVjgEB+bQTO
	nbCD6y9JOM/tUsc6ugcAo9KSjkYjHetKwVmpG+yFsxHwLzTimnYxTJ2YnI3ZnHfyraWe
	ndzP9YcYTuL5WqqIE6wKq3unkk/5HeXfxdclMb+i8TghvTkn7Ri5HtkoQ3szDsts0/d4
	hPAASdiGZj9EsqnyDc+mnX7BT1MOxS4lV0QBFFHrn16aOMVnsNkA/EyrfTqKmkQzHiAN
	VZMA==
MIME-Version: 1.0
Received: by 10.180.94.33 with SMTP id cz1mr16701448wib.13.1333300797659; Sun,
	01 Apr 2012 10:19:57 -0700 (PDT)
Received: by 10.223.127.194 with HTTP; Sun, 1 Apr 2012 10:19:57 -0700 (PDT)
In-Reply-To: <1333284791-5363-1-git-send-email-martin@lucina.net>
References: <1333284791-5363-1-git-send-email-martin@lucina.net>
Date: Sun, 1 Apr 2012 18:19:57 +0100
Message-ID: <CAA93jw5cYav-7t+sJwD5Qf8G6e9xW+ygvbTBK53VW-1O1kE-ww@mail.gmail.com>
From: Dave Taht <dave.taht@gmail.com>
To: cerowrt-devel@lists.bufferbloat.net
Content-Type: multipart/alternative; boundary=f46d044268e66c59b104bca14870
Subject: [Cerowrt-devel] Fwd: [PATCH] Implement IP_EVIL socket option (RFC
	3514)
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Sun, 01 Apr 2012 17:20:00 -0000

--f46d044268e66c59b104bca14870
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

You know, I really, really hate not having used up all the bits in the ip
header.

There is some encouraging work in the conex working group

http://datatracker.ietf.org/wg/conex/charter/

that needs this bit in order to implement at least part of their core idea.

So I think today would be a good day to commit to using up that last bit in
cerowrt.

---------- Forwarded message ----------
From: Martin Lucina <martin@lucina.net>
Date: Sun, Apr 1, 2012 at 1:53 PM
Subject: [PATCH] Implement IP_EVIL socket option (RFC 3514)
To: linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: Martin Lucina <martin@lucina.net>


This patch implements the IP_EVIL socket option, allowing user-space
applications to set the Security Flag in the IPv4 Header, aka "evil" bit,
as defined in RFC 3514.

Signed-off-by: Martin Lucina <martin@lucina.net>
---
 include/linux/in.h      |    1 +
 include/net/inet_sock.h |    1 +
 net/ipv4/af_inet.c      |    1 +
 net/ipv4/ip_output.c    |    2 ++
 net/ipv4/ip_sockglue.c  |    9 ++++++++-
 5 files changed, 13 insertions(+), 1 deletions(-)

diff --git a/include/linux/in.h b/include/linux/in.h
index e0337f1..6814c0f 100644
--- a/include/linux/in.h
+++ b/include/linux/in.h
@@ -86,6 +86,7 @@ struct in_addr {

 #define IP_MINTTL       21
 #define IP_NODEFRAG     22
+#define IP_EVIL         23

 /* IP_MTU_DISCOVER values */
 #define IP_PMTUDISC_DONT               0       /* Never send DF frames */
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index ae17e13..37aaf9b 100644
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -168,6 +168,7 @@ struct inet_sock {
                               transparent:1,
                               mc_all:1,
                               nodefrag:1;
+       __u8                    evil;
       __u8                    rcv_tos;
       int                     uc_index;
       int                     mc_index;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 10e3751..b165dfb 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -356,6 +356,7 @@ lookup_protocol:
       inet->is_icsk =3D (INET_PROTOSW_ICSK & answer_flags) !=3D 0;

       inet->nodefrag =3D 0;
+       inet->evil =3D 0; /* Don't be evil */

       if (SOCK_RAW =3D=3D sock->type) {
               inet->inet_num =3D protocol;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 4910176..c1b4b15 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -157,6 +157,8 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct
sock *sk,
               iph->frag_off =3D htons(IP_DF);
       else
               iph->frag_off =3D 0;
+       if (inet->evil)
+               iph->frag_off |=3D 1<<15;
       iph->ttl      =3D ip_select_ttl(inet, &rt->dst);
       iph->daddr    =3D (opt && opt->opt.srr ? opt->opt.faddr : daddr);
       iph->saddr    =3D saddr;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 2fd0fba..f26d45c 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -463,7 +463,8 @@ static int do_ip_setsockopt(struct sock *sk, int level,
                            (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
                            (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
                            (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
-                            (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) ||
+                            (1<<IP_MINTTL) | (1<<IP_NODEFRAG) |
+                            (1<<IP_EVIL))) ||
           optname =3D=3D IP_UNICAST_IF ||
           optname =3D=3D IP_MULTICAST_TTL ||
           optname =3D=3D IP_MULTICAST_ALL ||
@@ -598,6 +599,9 @@ static int do_ip_setsockopt(struct sock *sk, int level,
               }
               inet->nodefrag =3D val ? 1 : 0;
               break;
+       case IP_EVIL:
+               inet->evil =3D val ? 1 : 0;
+               break;
       case IP_MTU_DISCOVER:
               if (val < IP_PMTUDISC_DONT || val > IP_PMTUDISC_PROBE)
                       goto e_inval;
@@ -1176,6 +1180,9 @@ static int do_ip_getsockopt(struct sock *sk, int
level, int optname,
       case IP_NODEFRAG:
               val =3D inet->nodefrag;
               break;
+       case IP_EVIL:
+               val =3D inet->evil;
+               break;
       case IP_MTU_DISCOVER:
               val =3D inet->pmtudisc;
               break;
--
1.7.9.1

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



--=20
Dave T=E4ht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net

--f46d044268e66c59b104bca14870
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

You know, I really, really hate not having used up all the bits in the ip h=
eader.<br><br>There is some encouraging work in the conex working group <br=
><br><a href=3D"http://datatracker.ietf.org/wg/conex/charter/">http://datat=
racker.ietf.org/wg/conex/charter/</a><br>
<br>that needs this bit in order to implement at least part of their core i=
dea.<br><br>So I think today would be a good day to commit to using up that=
 last bit in cerowrt.<br><br><div class=3D"gmail_quote">---------- Forwarde=
d message ----------<br>
From: <b class=3D"gmail_sendername">Martin Lucina</b> <span dir=3D"ltr">&lt=
;<a href=3D"mailto:martin@lucina.net">martin@lucina.net</a>&gt;</span><br>D=
ate: Sun, Apr 1, 2012 at 1:53 PM<br>Subject: [PATCH] Implement IP_EVIL sock=
et option (RFC 3514)<br>
To: <a href=3D"mailto:linux-kernel@vger.kernel.org">linux-kernel@vger.kerne=
l.org</a>, <a href=3D"mailto:netdev@vger.kernel.org">netdev@vger.kernel.org=
</a><br>Cc: Martin Lucina &lt;<a href=3D"mailto:martin@lucina.net">martin@l=
ucina.net</a>&gt;<br>
<br><br>This patch implements the IP_EVIL socket option, allowing user-spac=
e<br>
applications to set the Security Flag in the IPv4 Header, aka &quot;evil&qu=
ot; bit,<br>
as defined in RFC 3514.<br>
<br>
Signed-off-by: Martin Lucina &lt;<a href=3D"mailto:martin@lucina.net">marti=
n@lucina.net</a>&gt;<br>
---<br>
=A0include/linux/in.h =A0 =A0 =A0| =A0 =A01 +<br>
=A0include/net/inet_sock.h | =A0 =A01 +<br>
=A0net/ipv4/af_inet.c =A0 =A0 =A0| =A0 =A01 +<br>
=A0net/ipv4/ip_output.c =A0 =A0| =A0 =A02 ++<br>
=A0net/ipv4/ip_sockglue.c =A0| =A0 =A09 ++++++++-<br>
=A05 files changed, 13 insertions(+), 1 deletions(-)<br>
<br>
diff --git a/include/linux/in.h b/include/linux/in.h<br>
index e0337f1..6814c0f 100644<br>
--- a/include/linux/in.h<br>
+++ b/include/linux/in.h<br>
@@ -86,6 +86,7 @@ struct in_addr {<br>
<br>
=A0#define IP_MINTTL =A0 =A0 =A0 21<br>
=A0#define IP_NODEFRAG =A0 =A0 22<br>
+#define IP_EVIL =A0 =A0 =A0 =A0 23<br>
<br>
=A0/* IP_MTU_DISCOVER values */<br>
=A0#define IP_PMTUDISC_DONT =A0 =A0 =A0 =A0 =A0 =A0 =A0 0 =A0 =A0 =A0 /* Ne=
ver send DF frames */<br>
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h<br>
index ae17e13..37aaf9b 100644<br>
--- a/include/net/inet_sock.h<br>
+++ b/include/net/inet_sock.h<br>
@@ -168,6 +168,7 @@ struct inet_sock {<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0transparent=
:1,<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0mc_all:1,<b=
r>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0nodefrag:1;=
<br>
+ =A0 =A0 =A0 __u8 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0evil;<br>
 =A0 =A0 =A0 =A0__u8 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0rcv_tos;<br>
 =A0 =A0 =A0 =A0int =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 uc_index;<br>
 =A0 =A0 =A0 =A0int =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 mc_index;<br>
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c<br>
index 10e3751..b165dfb 100644<br>
--- a/net/ipv4/af_inet.c<br>
+++ b/net/ipv4/af_inet.c<br>
@@ -356,6 +356,7 @@ lookup_protocol:<br>
 =A0 =A0 =A0 =A0inet-&gt;is_icsk =3D (INET_PROTOSW_ICSK &amp; answer_flags)=
 !=3D 0;<br>
<br>
 =A0 =A0 =A0 =A0inet-&gt;nodefrag =3D 0;<br>
+ =A0 =A0 =A0 inet-&gt;evil =3D 0; /* Don&#39;t be evil */<br>
<br>
 =A0 =A0 =A0 =A0if (SOCK_RAW =3D=3D sock-&gt;type) {<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0inet-&gt;inet_num =3D protocol;<br>
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c<br>
index 4910176..c1b4b15 100644<br>
--- a/net/ipv4/ip_output.c<br>
+++ b/net/ipv4/ip_output.c<br>
@@ -157,6 +157,8 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct s=
ock *sk,<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0iph-&gt;frag_off =3D htons(IP_DF);<br>
 =A0 =A0 =A0 =A0else<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0iph-&gt;frag_off =3D 0;<br>
+ =A0 =A0 =A0 if (inet-&gt;evil)<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 iph-&gt;frag_off |=3D 1&lt;&lt;15;<br>
 =A0 =A0 =A0 =A0iph-&gt;ttl =A0 =A0 =A0=3D ip_select_ttl(inet, &amp;rt-&gt;=
dst);<br>
 =A0 =A0 =A0 =A0iph-&gt;daddr =A0 =A0=3D (opt &amp;&amp; opt-&gt;opt.srr ? =
opt-&gt;opt.faddr : daddr);<br>
 =A0 =A0 =A0 =A0iph-&gt;saddr =A0 =A0=3D saddr;<br>
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c<br>
index 2fd0fba..f26d45c 100644<br>
--- a/net/ipv4/ip_sockglue.c<br>
+++ b/net/ipv4/ip_sockglue.c<br>
@@ -463,7 +463,8 @@ static int do_ip_setsockopt(struct sock *sk, int level,=
<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 (1&lt;&lt;IP_MTU_D=
ISCOVER) | (1&lt;&lt;IP_RECVERR) |<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 (1&lt;&lt;IP_ROUTE=
R_ALERT) | (1&lt;&lt;IP_FREEBIND) |<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 (1&lt;&lt;IP_PASSS=
EC) | (1&lt;&lt;IP_TRANSPARENT) |<br>
- =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(1&lt;&lt;IP_MINTT=
L) | (1&lt;&lt;IP_NODEFRAG))) ||<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(1&lt;&lt;IP_MINTT=
L) | (1&lt;&lt;IP_NODEFRAG) |<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0(1&lt;&lt;IP_EVIL)=
)) ||<br>
 =A0 =A0 =A0 =A0 =A0 =A0optname =3D=3D IP_UNICAST_IF ||<br>
 =A0 =A0 =A0 =A0 =A0 =A0optname =3D=3D IP_MULTICAST_TTL ||<br>
 =A0 =A0 =A0 =A0 =A0 =A0optname =3D=3D IP_MULTICAST_ALL ||<br>
@@ -598,6 +599,9 @@ static int do_ip_setsockopt(struct sock *sk, int level,=
<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0}<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0inet-&gt;nodefrag =3D val ? 1 : 0;<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break;<br>
+ =A0 =A0 =A0 case IP_EVIL:<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 inet-&gt;evil =3D val ? 1 : 0;<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 break;<br>
 =A0 =A0 =A0 =A0case IP_MTU_DISCOVER:<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (val &lt; IP_PMTUDISC_DONT || val &gt; I=
P_PMTUDISC_PROBE)<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0goto e_inval;<br>
@@ -1176,6 +1180,9 @@ static int do_ip_getsockopt(struct sock *sk, int leve=
l, int optname,<br>
 =A0 =A0 =A0 =A0case IP_NODEFRAG:<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0val =3D inet-&gt;nodefrag;<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break;<br>
+ =A0 =A0 =A0 case IP_EVIL:<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 val =3D inet-&gt;evil;<br>
+ =A0 =A0 =A0 =A0 =A0 =A0 =A0 break;<br>
 =A0 =A0 =A0 =A0case IP_MTU_DISCOVER:<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0val =3D inet-&gt;pmtudisc;<br>
 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break;<br>
<span class=3D"HOEnZb"><font color=3D"#888888">--<br>
1.7.9.1<br>
<br>
--<br>
To unsubscribe from this list: send the line &quot;unsubscribe netdev&quot;=
 in<br>
the body of a message to <a href=3D"mailto:majordomo@vger.kernel.org">major=
domo@vger.kernel.org</a><br>
More majordomo info at =A0<a href=3D"http://vger.kernel.org/majordomo-info.=
html" target=3D"_blank">http://vger.kernel.org/majordomo-info.html</a><br>
</font></span></div><br><br clear=3D"all"><br>-- <br>Dave T=E4ht<br>SKYPE: =
davetaht<br>US Tel: 1-239-829-5608<br><a href=3D"http://www.bufferbloat.net=
" target=3D"_blank">http://www.bufferbloat.net</a><br>

--f46d044268e66c59b104bca14870--