Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2013-12-19 1) Use the user supplied policy index instead of a generated one if present. From Fan Du. 2) Make xfrm migration namespace aware. From Fan Du. 3) Make the xfrm state and policy locks namespace aware. From Fan Du. 4) Remove ancient sleeping when the SA is in acquire state, we now queue packets to the policy instead. This replaces the sleeping code. 5) Remove FLOWI_FLAG_CAN_SLEEP. This was used to notify xfrm about the posibility to sleep. The sleeping code is gone, so remove it. 6) Check user specified spi for IPComp. Thr spi for IPcomp is only 16 bit wide, so check for a valid value. From Fan Du. 7) Export verify_userspi_info to check for valid user supplied spi ranges with pfkey and netlink. From Fan Du. 8) RFC3173 states that if the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload, the IP datagram must be sent in the original non-compressed form. These packets are dropped by the inbound policy check because they are not transformed. Document the need to set 'level use' for IPcomp to receive such packets anyway. From Fan Du. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-12-19 18:37:49 -0500
committer: David S. Miller <davem@davemloft.net> 2013-12-19 18:37:49 -0500
commit: 1669cb9855050fe9d2a13391846f9aceccf42559 (patch)
tree: 80a2f1229902e9db7fd1552ee770372b351f2036 /include
parent: cb4eae3d525abbe408e7e0efd7841b5c3c13cd0f (diff)
parent: b3c6efbc36e2c5ac820b1a800ac17cc3e040de0c (diff)
5 files changed, 17 insertions, 20 deletions
diff --git a/include/net/flow.h b/include/net/flow.h
index 65ce471d2ab5..d23e7fa2042e 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -20,8 +20,7 @@ struct flowi_common {
        __u8    flowic_proto;
        __u8    flowic_flags;
 #define FLOWI_FLAG_ANYSRC               0x01
-#define FLOWI_FLAG_CAN_SLEEP            0x02
+#define FLOWI_FLAG_KNOWN_NH             0x02
-#define FLOWI_FLAG_KNOWN_NH             0x04
        __u32   flowic_secid;
 };
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index d0bfe3eeb824..e600b89811aa 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -718,11 +718,9 @@ void ip6_flush_pending_frames(struct sock *sk);
 int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi6 *fl6);
 struct dst_entry *ip6_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
-                                      const struct in6_addr *final_dst,
+                                      const struct in6_addr *final_dst);
-                                      bool can_sleep);
 struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
-                                         const struct in6_addr *final_dst,
+                                         const struct in6_addr *final_dst);
-                                         bool can_sleep);
 struct dst_entry *ip6_blackhole_route(struct net *net,
                                      struct dst_entry *orig_dst);
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
index 5299e69a32af..1006a265beb3 100644
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -33,8 +33,6 @@ struct netns_xfrm {
        struct hlist_head       state_gc_list;
        struct work_struct      state_gc_work;
-        wait_queue_head_t       km_waitq;
        struct list_head        policy_all;
        struct hlist_head       *policy_byidx;
        unsigned int            policy_idx_hmask;
@@ -59,6 +57,10 @@ struct netns_xfrm {
 #if IS_ENABLED(CONFIG_IPV6)
        struct dst_ops          xfrm6_dst_ops;
 #endif
+        spinlock_t xfrm_state_lock;
+        spinlock_t xfrm_policy_sk_bundle_lock;
+        rwlock_t xfrm_policy_lock;
+        struct mutex xfrm_cfg_mutex;
 };
 #endif
diff --git a/include/net/route.h b/include/net/route.h
index f68c167280a7..638e3ebf76f3 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -239,14 +239,12 @@ static inline char rt_tos2priority(u8 tos)
 static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst, __be32 src,
                                         u32 tos, int oif, u8 protocol,
                                         __be16 sport, __be16 dport,
-                                         struct sock *sk, bool can_sleep)
+                                         struct sock *sk)
 {
        __u8 flow_flags = 0;
        if (inet_sk(sk)->transparent)
                flow_flags |= FLOWI_FLAG_ANYSRC;
-        if (can_sleep)
-                flow_flags |= FLOWI_FLAG_CAN_SLEEP;
        flowi4_init_output(fl4, oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE,
                           protocol, flow_flags, dst, src, dport, sport);
@@ -256,13 +254,13 @@ static inline struct rtable *ip_route_connect(struct flowi4 *fl4,
                                              __be32 dst, __be32 src, u32 tos,
                                              int oif, u8 protocol,
                                              __be16 sport, __be16 dport,
-                                              struct sock *sk, bool can_sleep)
+                                              struct sock *sk)
 {
        struct net *net = sock_net(sk);
        struct rtable *rt;
        ip_route_connect_init(fl4, dst, src, tos, oif, protocol,
-                              sport, dport, sk, can_sleep);
+                              sport, dport, sk);
        if (!dst || !src) {
                rt = __ip_route_output_key(net, fl4);
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 6b82fdf4ba71..b7635ef4d436 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -53,7 +53,6 @@
 #define XFRM_INC_STATS_USER(net, field) ((void)(net))
 #endif
-extern struct mutex xfrm_cfg_mutex;
 /* Organization of SPD aka "XFRM rules"
   ------------------------------------
@@ -1409,7 +1408,7 @@ static inline void xfrm_sysctl_fini(struct net *net)
 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
                    int (*func)(struct xfrm_state *, int, void*), void *);
-void xfrm_state_walk_done(struct xfrm_state_walk *walk);
+void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
 struct xfrm_state *xfrm_state_alloc(struct net *net);
 struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
                                   const xfrm_address_t *saddr,
@@ -1436,12 +1435,12 @@ struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
                                            unsigned short family);
 #ifdef CONFIG_XFRM_SUB_POLICY
 int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
-                   unsigned short family);
+                   unsigned short family, struct net *net);
 int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
                    unsigned short family);
 #else
 static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
-                                 int n, unsigned short family)
+                                 int n, unsigned short family, struct net *net)
 {
        return -ENOSYS;
 }
@@ -1553,7 +1552,7 @@ void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
 int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
                     int (*func)(struct xfrm_policy *, int, int, void*),
                     void *);
-void xfrm_policy_walk_done(struct xfrm_policy_walk *walk);
+void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
 int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
 struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
                                          u8 type, int dir,
@@ -1564,6 +1563,7 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir,
                                     u32 id, int delete, int *err);
 int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
 u32 xfrm_get_acqseq(void);
+int verify_spi_info(u8 proto, u32 min, u32 max);
 int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
 struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
                                 u8 mode, u32 reqid, u8 proto,
@@ -1576,12 +1576,12 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
               const struct xfrm_migrate *m, int num_bundles,
               const struct xfrm_kmaddress *k);
-struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m);
+struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
                                      struct xfrm_migrate *m);
 int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
                 struct xfrm_migrate *m, int num_bundles,
-                 struct xfrm_kmaddress *k);
+                 struct xfrm_kmaddress *k, struct net *net);
 #endif
 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
author	David S. Miller <davem@davemloft.net>	2013-12-19 18:37:49 -0500
committer	David S. Miller <davem@davemloft.net>	2013-12-19 18:37:49 -0500
commit	1669cb9855050fe9d2a13391846f9aceccf42559 (patch)
tree	80a2f1229902e9db7fd1552ee770372b351f2036 /include
parent	cb4eae3d525abbe408e7e0efd7841b5c3c13cd0f (diff)
parent	b3c6efbc36e2c5ac820b1a800ac17cc3e040de0c (diff)