aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm
Commit message (Collapse)AuthorAge
...
* | netns xfrm: per-netns policy countsAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_policy_bydst hashAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns inexact policiesAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_policy_byidx hashmaskAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | Per-netns hashes are independently resizeable. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_policy_byidx hashAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns policy listAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: add struct xfrm_policy::xp_netAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | | | Again, to avoid complications with passing netns when not necessary. Again, ->xp_net is set-once field, once set it never changes. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns km_waitqAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | Disallow spurious wakeups in __xfrm_lookup(). Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns state GC workAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | State GC is per-netns, and this is part of it. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns state GC listAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | | | | | | | | | km_waitq is going to be made per-netns to disallow spurious wakeups in __xfrm_lookup(). To not wakeup after every garbage-collected xfrm_state (which potentially can be from different netns) make state GC list per-netns. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_hash_workAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | All of this is implicit passing which netns's hashes should be resized. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_state countsAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_state_hmaskAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | Since hashtables are per-netns, they can be independently resized. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_state_byspi hashAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_state_bysrc hashAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_state_bydst hashAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: per-netns xfrm_state_all listAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | | | | | | | | | This is done to get a) simple "something leaked" check b) cover possible DoSes when other netns puts many, many xfrm_states onto a list. c) not miss "alien xfrm_state" check in some of list iterators in future. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: add struct xfrm_state::xs_netAlexey Dobriyan2008-11-25
| | | | | | | | | | | | | | | | | | | | | | | | To avoid unnecessary complications with passing netns around. * set once, very early after allocating * once set, never changes For a while create every xfrm_state in init_net. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | netns xfrm: add netns boilerplateAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: initialise xfrm_policy_gc_work staticallyAlexey Dobriyan2008-11-25
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Remove unused parameter of xfrm_gen_index()Arnaud Ebalard2008-11-13
| | | | | | | | | | | | | | | | | | | | | | In commit 2518c7c2b3d7f0a6b302b4efe17c911f8dd4049f ("[XFRM]: Hash policies when non-prefixed."), the last use of xfrm_gen_policy() first argument was removed, but the argument was left behind in the prototype. Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2008-11-07
|\| | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/ath5k/base.c net/8021q/vlan_core.c
| * xfrm: Fix xfrm_policy_gc_lock handling.Alexey Dobriyan2008-11-03
| | | | | | | | | | | | | | | | | | | | | | | | From: Alexey Dobriyan <adobriyan@gmail.com> Based upon a lockdep trace by Simon Arlott. xfrm_policy_kill() can be called from both BH and non-BH contexts, so we have to grab xfrm_policy_gc_lock with BH disabling. Signed-off-by: David S. Miller <davem@davemloft.net>
| * XFRM: copy_to_user_kmaddress() reports local address twiceArnaud Ebalard2008-11-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While adding support for MIGRATE/KMADDRESS in strongSwan (as specified in draft-ebalard-mext-pfkey-enhanced-migrate-00), Andreas Steffen noticed that XFRMA_KMADDRESS attribute passed to userland contains the local address twice (remote provides local address instead of remote one). This bug in copy_to_user_kmaddress() affects only key managers that use native XFRM interface (key managers that use PF_KEY are not affected). For the record, the bug was in the initial changeset I posted which added support for KMADDRESS (13c1d18931ebb5cf407cb348ef2cd6284d68902d 'xfrm: MIGRATE enhancements (draft-ebalard-mext-pfkey-enhanced-migrate)'). Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Reported-by: Andreas Steffen <andreas.steffen@strongswan.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: replace NIPQUAD() in net/*/Harvey Harrison2008-10-31
| | | | | | | | | | | | | | | | Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u can be replaced with %pI4 Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: C99 for xfrm_dev_notifierAlexey Dobriyan2008-10-31
| | | | | | | | | | Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2008-10-31
|\| | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/p54/p54common.c
| * xfrm: do not leak ESRCH to user spacefernando@oss.ntt.co2008-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I noticed that, under certain conditions, ESRCH can be leaked from the xfrm layer to user space through sys_connect. In particular, this seems to happen reliably when the kernel fails to resolve a template either because the AF_KEY receive buffer being used by racoon is full or because the SA entry we are trying to use is in XFRM_STATE_EXPIRED state. However, since this could be a transient issue it could be argued that EAGAIN would be more appropriate. Besides this error code is not even documented in the man page for sys_connect (as of man-pages 3.07). Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: replace %p6 with %pI6Harvey Harrison2008-10-29
| | | | | | | | | | Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net, misc: replace uses of NIP6_FMT with %p6Harvey Harrison2008-10-29
| | | | | | | | | | Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | xfrm: Notify changes in UDP encapsulation via netlinkMartin Willi2008-10-28
|/ | | | | | | | Add new_mapping() implementation to the netlink xfrm_mgr to notify address/port changes detected in UDP encapsulated ESP packets. Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: MIGRATE enhancements (draft-ebalard-mext-pfkey-enhanced-migrate)Arnaud Ebalard2008-10-05
| | | | | | | | | | Provides implementation of the enhancements of XFRM/PF_KEY MIGRATE mechanism specified in draft-ebalard-mext-pfkey-enhanced-migrate-00. Defines associated PF_KEY SADB_X_EXT_KMADDRESS extension and XFRM/netlink XFRMA_KMADDRESS attribute. Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipsec: Put dumpers on the dump listHerbert Xu2008-10-01
| | | | | | | | | | | | | | | | | | | | | | | Herbert Xu came up with the idea and the original patch to make xfrm_state dump list contain also dumpers: As it is we go to extraordinary lengths to ensure that states don't go away while dumpers go to sleep. It's much easier if we just put the dumpers themselves on the list since they can't go away while they're going. I've also changed the order of addition on new states to prevent a never-ending dump. Timo Teräs improved the patch to apply cleanly to latest tree, modified iteration code to be more readable by using a common struct for entries in the list, implemented the same idea for xfrm_policy dumping and moved the af_key specific "last" entry caching to af_key. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2008-10-01
|\ | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/wireless/ath9k/core.c drivers/net/wireless/ath9k/main.c net/core/dev.c
| * ipsec: Fix pskb_expand_head corruption in xfrm_state_check_spaceHerbert Xu2008-09-30
| | | | | | | | | | | | | | | | We're never supposed to shrink the headroom or tailroom. In fact, shrinking the headroom is a fatal action. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipsec: Fix xfrm_state_walk raceHerbert Xu2008-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As discovered by Timo Teräs, the currently xfrm_state_walk scheme is racy because if a second dump finishes before the first, we may free xfrm states that the first dump would walk over later. This patch fixes this by storing the dumps in a list in order to calculate the correct completion counter which cures this problem. I've expanded netlink_cb in order to accomodate the extra state related to this. It shouldn't be a big deal since netlink_cb is kmalloced for each dump and we're just increasing it by 4 or 8 bytes. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipsec: Add missing list_del() in xfrm_state_gc_task().David S. Miller2008-09-10
| | | | | | | | | | | | | | Otherwise entries stay on the GC todo list forever, even after we free them. Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipsec: Use RCU-like construct for saved state within a walkHerbert Xu2008-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that we save states within a walk we need synchronisation so that the list the saved state is on doesn't disappear from under us. As it stands this is done by keeping the state on the list which is bad because it gets in the way of the management of the state life-cycle. An alternative is to make our own pseudo-RCU system where we use counters to indicate which state can't be freed immediately as it may be referenced by an ongoing walk when that resumes. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2008-09-09
|\| | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
| * ipsec: Restore larval states and socket policies in dumpHerbert Xu2008-09-09
| | | | | | | | | | | | | | | | | | | | The commit commit 4c563f7669c10a12354b72b518c2287ffc6ebfb3 ("[XFRM]: Speed up xfrm_policy and xfrm_state walking") inadvertently removed larval states and socket policies from netlink dumps. This patch restores them. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipsec: Make xfrm_larval_drop default to 1.David S. Miller2008-09-09
|/ | | | | | | | | The previous default behavior is definitely the least user friendly. Hanging there forever just because the keying daemon is wedged or the refreshing of the policy can't move forward is anti-social to say the least. Signed-off-by: David S. Miller <davem@davemloft.net>
* ipsec: Fix deadlock in xfrm_state management.David S. Miller2008-09-02
| | | | | | | | | | | | | | Ever since commit 4c563f7669c10a12354b72b518c2287ffc6ebfb3 ("[XFRM]: Speed up xfrm_policy and xfrm_state walking") it is illegal to call __xfrm_state_destroy (and thus xfrm_state_put()) with xfrm_state_lock held. If we do, we'll deadlock since we have the lock already and __xfrm_state_destroy() tries to take it again. Fix this by pushing the xfrm_state_put() calls after the lock is dropped. Signed-off-by: David S. Miller <davem@davemloft.net>
* net/xfrm: Use an IS_ERR test rather than a NULL testJulien Brunel2008-09-02
| | | | | | | | | | | | | | | | | | | | | | | | In case of error, the function xfrm_bundle_create returns an ERR pointer, but never returns a NULL pointer. So a NULL test that comes after an IS_ERR test should be deleted. The semantic match that finds this problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @match_bad_null_test@ expression x, E; statement S1,S2; @@ x = xfrm_bundle_create(...) ... when != x = E * if (x != NULL) S1 else S2 // </smpl> Signed-off-by: Julien Brunel <brunel@diku.dk> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: remove unnecessary variable in xfrm_output_resume() 2nd tryJean-Christophe DUBOIS2008-08-13
| | | | | | | Small fix removing an unnecessary intermediate variable. Signed-off-by: Jean-Christophe DUBOIS <jcd@tribudubois.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: convert BUG_TRAP to generic WARN_ONIlpo Järvinen2008-07-26
| | | | | | | | | | | | | | Removes legacy reinvent-the-wheel type thing. The generic machinery integrates much better to automated debugging aids such as kerneloops.org (and others), and is unambiguous due to better naming. Non-intuively BUG_TRAP() is actually equal to WARN_ON() rather than BUG_ON() though some might actually be promoted to BUG_ON() but I left that to future. I could make at least one BUILD_BUG_ON conversion. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipsec: ipcomp - Decompress into frags if necessaryHerbert Xu2008-07-25
| | | | | | | | | When decompressing extremely large packets allocating them through kmalloc is prone to failure. Therefore it's better to use page frags instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipsec: ipcomp - Merge IPComp implementationsHerbert Xu2008-07-25
| | | | | | | | | This patch merges the IPv4/IPv6 IPComp implementations since most of the code is identical. As a result future enhancements will no longer need to be duplicated. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* netns: Use net_eq() to compare net-namespaces for optimization.YOSHIFUJI Hideaki2008-07-20
| | | | | | | | Without CONFIG_NET_NS, namespace is always &init_net. Compiler will be able to omit namespace comparisons with this patch. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Add a XFRM_STATE_AF_UNSPEC flag to xfrm_usersa_infoSteffen Klassert2008-07-10
| | | | | | | | | | | | Add a XFRM_STATE_AF_UNSPEC flag to handle the AF_UNSPEC behavior for the selector family. Userspace applications can set this flag to leave the selector family of the xfrm_state unspecified. This can be used to to handle inter family tunnels if the selector is not set from userspace. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: xfrm_algo: correct usage of RIPEMD-160Adrian-Ken Rueegsegger2008-06-04
| | | | | | | | | | This patch fixes the usage of RIPEMD-160 in xfrm_algo which in turn allows hmac(rmd160) to be used as authentication mechanism in IPsec ESP and AH (see RFC 2857). Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>