diff options
| author | David S. Miller <davem@davemloft.net> | 2014-02-24 18:13:33 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-02-24 18:13:33 -0500 |
| commit | 1f5a7407e4307bfaa465fbaece985a72e4bc4752 (patch) | |
| tree | dee858795c6541bd387215445b7b05c49bb673f6 /include | |
| parent | 3b5c8ab11553d0f5b2f6182f02e2e70f5dcf4dc6 (diff) | |
| parent | cc9ab60e57964d463ff31b9621c8d7e786aee042 (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
Steffen Klassert says:
====================
1) Introduce skb_to_sgvec_nomark function to add further data to the sg list
without calling sg_unmark_end first. Needed to add extended sequence
number informations. From Fan Du.
2) Add IPsec extended sequence numbers support to the Authentication Header
protocol for ipv4 and ipv6. From Fan Du.
3) Make the IPsec flowcache namespace aware, from Fan Du.
4) Avoid creating temporary SA for every packet when no key manager is
registered. From Horia Geanta.
5) Support filtering of SA dumps to show only the SAs that match a
given filter. From Nicolas Dichtel.
6) Remove caching of xfrm_policy_sk_bundles. The cached socket policy bundles
are never used, instead we create a new cache entry whenever xfrm_lookup()
is called on a socket policy. Most protocols cache the used routes to the
socket, so this caching is not needed.
7) Fix a forgotten SADB_X_EXT_FILTER length check in pfkey, from Nicolas
Dichtel.
8) Cleanup error handling of xfrm_state_clone.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/skbuff.h | 2 | ||||
| -rw-r--r-- | include/net/flow.h | 5 | ||||
| -rw-r--r-- | include/net/flowcache.h | 25 | ||||
| -rw-r--r-- | include/net/netns/xfrm.h | 12 | ||||
| -rw-r--r-- | include/net/xfrm.h | 25 | ||||
| -rw-r--r-- | include/uapi/linux/pfkeyv2.h | 15 | ||||
| -rw-r--r-- | include/uapi/linux/xfrm.h | 10 |
7 files changed, 85 insertions, 9 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 3ebbbe7b6d05..11b6925f0e96 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h | |||
| @@ -691,6 +691,8 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb, | |||
| 691 | unsigned int headroom); | 691 | unsigned int headroom); |
| 692 | struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom, | 692 | struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom, |
| 693 | int newtailroom, gfp_t priority); | 693 | int newtailroom, gfp_t priority); |
| 694 | int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, | ||
| 695 | int offset, int len); | ||
| 694 | int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, | 696 | int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, |
| 695 | int len); | 697 | int len); |
| 696 | int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer); | 698 | int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer); |
diff --git a/include/net/flow.h b/include/net/flow.h index d23e7fa2042e..bee3741e5a6f 100644 --- a/include/net/flow.h +++ b/include/net/flow.h | |||
| @@ -218,9 +218,10 @@ struct flow_cache_object *flow_cache_lookup(struct net *net, | |||
| 218 | const struct flowi *key, u16 family, | 218 | const struct flowi *key, u16 family, |
| 219 | u8 dir, flow_resolve_t resolver, | 219 | u8 dir, flow_resolve_t resolver, |
| 220 | void *ctx); | 220 | void *ctx); |
| 221 | int flow_cache_init(struct net *net); | ||
| 221 | 222 | ||
| 222 | void flow_cache_flush(void); | 223 | void flow_cache_flush(struct net *net); |
| 223 | void flow_cache_flush_deferred(void); | 224 | void flow_cache_flush_deferred(struct net *net); |
| 224 | extern atomic_t flow_cache_genid; | 225 | extern atomic_t flow_cache_genid; |
| 225 | 226 | ||
| 226 | #endif | 227 | #endif |
diff --git a/include/net/flowcache.h b/include/net/flowcache.h new file mode 100644 index 000000000000..c8f665ec6e0d --- /dev/null +++ b/include/net/flowcache.h | |||
| @@ -0,0 +1,25 @@ | |||
| 1 | #ifndef _NET_FLOWCACHE_H | ||
| 2 | #define _NET_FLOWCACHE_H | ||
| 3 | |||
| 4 | #include <linux/interrupt.h> | ||
| 5 | #include <linux/types.h> | ||
| 6 | #include <linux/timer.h> | ||
| 7 | #include <linux/notifier.h> | ||
| 8 | |||
| 9 | struct flow_cache_percpu { | ||
| 10 | struct hlist_head *hash_table; | ||
| 11 | int hash_count; | ||
| 12 | u32 hash_rnd; | ||
| 13 | int hash_rnd_recalc; | ||
| 14 | struct tasklet_struct flush_tasklet; | ||
| 15 | }; | ||
| 16 | |||
| 17 | struct flow_cache { | ||
| 18 | u32 hash_shift; | ||
| 19 | struct flow_cache_percpu __percpu *percpu; | ||
| 20 | struct notifier_block hotcpu_notifier; | ||
| 21 | int low_watermark; | ||
| 22 | int high_watermark; | ||
| 23 | struct timer_list rnd_timer; | ||
| 24 | }; | ||
| 25 | #endif /* _NET_FLOWCACHE_H */ | ||
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h index 1006a265beb3..51f0dce7b643 100644 --- a/include/net/netns/xfrm.h +++ b/include/net/netns/xfrm.h | |||
| @@ -6,6 +6,7 @@ | |||
| 6 | #include <linux/workqueue.h> | 6 | #include <linux/workqueue.h> |
| 7 | #include <linux/xfrm.h> | 7 | #include <linux/xfrm.h> |
| 8 | #include <net/dst_ops.h> | 8 | #include <net/dst_ops.h> |
| 9 | #include <net/flowcache.h> | ||
| 9 | 10 | ||
| 10 | struct ctl_table_header; | 11 | struct ctl_table_header; |
| 11 | 12 | ||
| @@ -58,9 +59,18 @@ struct netns_xfrm { | |||
| 58 | struct dst_ops xfrm6_dst_ops; | 59 | struct dst_ops xfrm6_dst_ops; |
| 59 | #endif | 60 | #endif |
| 60 | spinlock_t xfrm_state_lock; | 61 | spinlock_t xfrm_state_lock; |
| 61 | spinlock_t xfrm_policy_sk_bundle_lock; | ||
| 62 | rwlock_t xfrm_policy_lock; | 62 | rwlock_t xfrm_policy_lock; |
| 63 | struct mutex xfrm_cfg_mutex; | 63 | struct mutex xfrm_cfg_mutex; |
| 64 | |||
| 65 | /* flow cache part */ | ||
| 66 | struct flow_cache flow_cache_global; | ||
| 67 | struct kmem_cache *flow_cachep; | ||
| 68 | atomic_t flow_cache_genid; | ||
| 69 | struct list_head flow_cache_gc_list; | ||
| 70 | spinlock_t flow_cache_gc_lock; | ||
| 71 | struct work_struct flow_cache_gc_work; | ||
| 72 | struct work_struct flow_cache_flush_work; | ||
| 73 | struct mutex flow_flush_sem; | ||
| 64 | }; | 74 | }; |
| 65 | 75 | ||
| 66 | #endif | 76 | #endif |
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index afa5730fb3bd..45332acac022 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
| @@ -118,11 +118,10 @@ | |||
| 118 | struct xfrm_state_walk { | 118 | struct xfrm_state_walk { |
| 119 | struct list_head all; | 119 | struct list_head all; |
| 120 | u8 state; | 120 | u8 state; |
| 121 | union { | 121 | u8 dying; |
| 122 | u8 dying; | 122 | u8 proto; |
| 123 | u8 proto; | ||
| 124 | }; | ||
| 125 | u32 seq; | 123 | u32 seq; |
| 124 | struct xfrm_filter *filter; | ||
| 126 | }; | 125 | }; |
| 127 | 126 | ||
| 128 | /* Full description of state of transformer. */ | 127 | /* Full description of state of transformer. */ |
| @@ -594,6 +593,7 @@ struct xfrm_mgr { | |||
| 594 | const struct xfrm_migrate *m, | 593 | const struct xfrm_migrate *m, |
| 595 | int num_bundles, | 594 | int num_bundles, |
| 596 | const struct xfrm_kmaddress *k); | 595 | const struct xfrm_kmaddress *k); |
| 596 | bool (*is_alive)(const struct km_event *c); | ||
| 597 | }; | 597 | }; |
| 598 | 598 | ||
| 599 | int xfrm_register_km(struct xfrm_mgr *km); | 599 | int xfrm_register_km(struct xfrm_mgr *km); |
| @@ -1405,7 +1405,8 @@ static inline void xfrm_sysctl_fini(struct net *net) | |||
| 1405 | } | 1405 | } |
| 1406 | #endif | 1406 | #endif |
| 1407 | 1407 | ||
| 1408 | void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto); | 1408 | void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto, |
| 1409 | struct xfrm_filter *filter); | ||
| 1409 | int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, | 1410 | int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, |
| 1410 | int (*func)(struct xfrm_state *, int, void*), void *); | 1411 | int (*func)(struct xfrm_state *, int, void*), void *); |
| 1411 | void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net); | 1412 | void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net); |
| @@ -1646,6 +1647,20 @@ static inline int xfrm_aevent_is_on(struct net *net) | |||
| 1646 | rcu_read_unlock(); | 1647 | rcu_read_unlock(); |
| 1647 | return ret; | 1648 | return ret; |
| 1648 | } | 1649 | } |
| 1650 | |||
| 1651 | static inline int xfrm_acquire_is_on(struct net *net) | ||
| 1652 | { | ||
| 1653 | struct sock *nlsk; | ||
| 1654 | int ret = 0; | ||
| 1655 | |||
| 1656 | rcu_read_lock(); | ||
| 1657 | nlsk = rcu_dereference(net->xfrm.nlsk); | ||
| 1658 | if (nlsk) | ||
| 1659 | ret = netlink_has_listeners(nlsk, XFRMNLGRP_ACQUIRE); | ||
| 1660 | rcu_read_unlock(); | ||
| 1661 | |||
| 1662 | return ret; | ||
| 1663 | } | ||
| 1649 | #endif | 1664 | #endif |
| 1650 | 1665 | ||
| 1651 | static inline int xfrm_alg_len(const struct xfrm_algo *alg) | 1666 | static inline int xfrm_alg_len(const struct xfrm_algo *alg) |
diff --git a/include/uapi/linux/pfkeyv2.h b/include/uapi/linux/pfkeyv2.h index 0b80c806631f..ada7f0171ccc 100644 --- a/include/uapi/linux/pfkeyv2.h +++ b/include/uapi/linux/pfkeyv2.h | |||
| @@ -235,6 +235,18 @@ struct sadb_x_kmaddress { | |||
| 235 | } __attribute__((packed)); | 235 | } __attribute__((packed)); |
| 236 | /* sizeof(struct sadb_x_kmaddress) == 8 */ | 236 | /* sizeof(struct sadb_x_kmaddress) == 8 */ |
| 237 | 237 | ||
| 238 | /* To specify the SA dump filter */ | ||
| 239 | struct sadb_x_filter { | ||
| 240 | __u16 sadb_x_filter_len; | ||
| 241 | __u16 sadb_x_filter_exttype; | ||
| 242 | __u32 sadb_x_filter_saddr[4]; | ||
| 243 | __u32 sadb_x_filter_daddr[4]; | ||
| 244 | __u16 sadb_x_filter_family; | ||
| 245 | __u8 sadb_x_filter_splen; | ||
| 246 | __u8 sadb_x_filter_dplen; | ||
| 247 | } __attribute__((packed)); | ||
| 248 | /* sizeof(struct sadb_x_filter) == 40 */ | ||
| 249 | |||
| 238 | /* Message types */ | 250 | /* Message types */ |
| 239 | #define SADB_RESERVED 0 | 251 | #define SADB_RESERVED 0 |
| 240 | #define SADB_GETSPI 1 | 252 | #define SADB_GETSPI 1 |
| @@ -358,7 +370,8 @@ struct sadb_x_kmaddress { | |||
| 358 | #define SADB_X_EXT_SEC_CTX 24 | 370 | #define SADB_X_EXT_SEC_CTX 24 |
| 359 | /* Used with MIGRATE to pass @ to IKE for negotiation */ | 371 | /* Used with MIGRATE to pass @ to IKE for negotiation */ |
| 360 | #define SADB_X_EXT_KMADDRESS 25 | 372 | #define SADB_X_EXT_KMADDRESS 25 |
| 361 | #define SADB_EXT_MAX 25 | 373 | #define SADB_X_EXT_FILTER 26 |
| 374 | #define SADB_EXT_MAX 26 | ||
| 362 | 375 | ||
| 363 | /* Identity Extension values */ | 376 | /* Identity Extension values */ |
| 364 | #define SADB_IDENTTYPE_RESERVED 0 | 377 | #define SADB_IDENTTYPE_RESERVED 0 |
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h index a8cd6a4a2970..6550c679584f 100644 --- a/include/uapi/linux/xfrm.h +++ b/include/uapi/linux/xfrm.h | |||
| @@ -298,6 +298,8 @@ enum xfrm_attr_type_t { | |||
| 298 | XFRMA_TFCPAD, /* __u32 */ | 298 | XFRMA_TFCPAD, /* __u32 */ |
| 299 | XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_esn */ | 299 | XFRMA_REPLAY_ESN_VAL, /* struct xfrm_replay_esn */ |
| 300 | XFRMA_SA_EXTRA_FLAGS, /* __u32 */ | 300 | XFRMA_SA_EXTRA_FLAGS, /* __u32 */ |
| 301 | XFRMA_PROTO, /* __u8 */ | ||
| 302 | XFRMA_FILTER, /* struct xfrm_filter */ | ||
| 301 | __XFRMA_MAX | 303 | __XFRMA_MAX |
| 302 | 304 | ||
| 303 | #define XFRMA_MAX (__XFRMA_MAX - 1) | 305 | #define XFRMA_MAX (__XFRMA_MAX - 1) |
| @@ -474,6 +476,14 @@ struct xfrm_user_mapping { | |||
| 474 | __be16 new_sport; | 476 | __be16 new_sport; |
| 475 | }; | 477 | }; |
| 476 | 478 | ||
| 479 | struct xfrm_filter { | ||
| 480 | xfrm_address_t saddr; | ||
| 481 | xfrm_address_t daddr; | ||
| 482 | __u16 family; | ||
| 483 | __u8 splen; | ||
| 484 | __u8 dplen; | ||
| 485 | }; | ||
| 486 | |||
| 477 | #ifndef __KERNEL__ | 487 | #ifndef __KERNEL__ |
| 478 | /* backwards compatibility for userspace */ | 488 | /* backwards compatibility for userspace */ |
| 479 | #define XFRMGRP_ACQUIRE 1 | 489 | #define XFRMGRP_ACQUIRE 1 |