aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_user.c
Commit message (Collapse)AuthorAge
* xfrm: Add security check before flushing SAD/SPDJoy Latten2007-06-07
| | | | | | | | | | | | | | | | | | | | | | | Currently we check for permission before deleting entries from SAD and SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete()) However we are not checking for authorization when flushing the SPD and the SAD completely. It was perhaps missed in the original security hooks patch. This patch adds a security check when flushing entries from the SAD and SPD. It runs the entire database and checks each entry for a denial. If the process attempting the flush is unable to remove all of the entries a denial is logged the the flush function returns an error without removing anything. This is particularly useful when a process may need to create or delete its own xfrm entries used for things like labeled networking but that same process should not be able to delete other entries or flush the entire database. Signed-off-by: Joy Latten<latten@austin.ibm.com> Signed-off-by: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* [XFRM] SPD info TLV aggregationJamal Hadi Salim2007-05-04
| | | | | | | | Aggregate the SPD info TLVs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] SAD info TLV aggregationxJamal Hadi Salim2007-05-04
| | | | | | | | Aggregate the SAD info TLVs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Export SPD infoJamal Hadi Salim2007-04-29
| | | | | | | | With this patch you can use iproute2 in user space to efficiently see how many policies exist in different directions. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Missing bits to SAD info.Jamal Hadi Salim2007-04-26
| | | | | | | This brings the SAD info in sync with net-2.6.22/net-2.6 Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Export SAD info.Jamal Hadi Salim2007-04-26
| | | | | | | | | | | | | | | | On a system with a lot of SAs, counting SAD entries chews useful CPU time since you need to dump the whole SAD to user space; i.e something like ip xfrm state ls | grep -i src | wc -l I have seen taking literally minutes on a 40K SAs when the system is swapping. With this patch, some of the SAD info (that was already being tracked) is exposed to user space. i.e you do: ip xfrm state count And you get the count; you can also pass -s to the command line and get the hash info. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: cleanup extra semicolonsStephen Hemminger2007-04-26
| | | | | | | | | | | Spring cleaning time... There seems to be a lot of places in the network code that have extra bogus semicolons after conditionals. Most commonly is a bogus semicolon after: switch() { } Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Switch cb_lock spinlock to mutex and allow to override itPatrick McHardy2007-04-26
| | | | | | | | | | Switch cb_lock to mutex and allow netlink kernel users to override it with a subsystem specific mutex for consistent locking in dump callbacks. All netlink_dump_start users have been audited not to rely on any side-effects of the previously used spinlock. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Directly return -EINTR from netlink_dump_start()Thomas Graf2007-04-26
| | | | | | | | | Now that all users of netlink_dump_start() use netlink_run_queue() to process the receive queue, it is possible to return -EINTR from netlink_dump_start() directly, therefore simplying the callers. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Remove error pointer from netlink message handlerThomas Graf2007-04-26
| | | | | | | | | | | | | | | | | | The error pointer argument in netlink message handlers is used to signal the special case where processing has to be interrupted because a dump was started but no error happened. Instead it is simpler and more clear to return -EINTR and have netlink_run_queue() deal with getting the queue right. nfnetlink passed on this error pointer to its subsystem handlers but only uses it to signal the start of a netlink dump. Therefore it can be removed there as well. This patch also cleans up the error handling in the affected message handlers to be consistent since it had to be touched anyway. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Ignore control messages directly in netlink_run_queue()Thomas Graf2007-04-26
| | | | | | | | Changes netlink_rcv_skb() to skip netlink controll messages and don't pass them on to the message handler. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Ignore !NLM_F_REQUEST messages directly in netlink_run_queue()Thomas Graf2007-04-26
| | | | | | | | | netlink_rcv_skb() is changed to skip messages which don't have the NLM_F_REQUEST bit to avoid every netlink family having to perform this check on their own. Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Use nlmsg_trim() where appropriateArnaldo Carvalho de Melo2007-04-26
| | | | | Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SK_BUFF]: Convert skb->tail to sk_buff_data_tArnaldo Carvalho de Melo2007-04-26
| | | | | | | | | | | | | | | So that it is also an offset from skb->head, reduces its size from 8 to 4 bytes on 64bit architectures, allowing us to combine the 4 bytes hole left by the layer headers conversion, reducing struct sk_buff size to 256 bytes, i.e. 4 64byte cachelines, and since the sk_buff slab cache is SLAB_HWCACHE_ALIGN... :-) Many calculations that previously required that skb->{transport,network, mac}_header be first converted to a pointer now can be done directly, being meaningful as offsets or pointers. Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC] XFRM_USER: kernel panic when large security contexts in ACQUIREJoy Latten2007-04-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When sending a security context of 50+ characters in an ACQUIRE message, following kernel panic occurred. kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781! cpu 0x3: Vector: 700 (Program Check) at [c0000000421bb2e0] pc: c00000000033b074: .xfrm_send_acquire+0x240/0x2c8 lr: c00000000033b014: .xfrm_send_acquire+0x1e0/0x2c8 sp: c0000000421bb560 msr: 8000000000029032 current = 0xc00000000fce8f00 paca = 0xc000000000464b00 pid = 2303, comm = ping kernel BUG in xfrm_send_acquire at net/xfrm/xfrm_user.c:1781! enter ? for help 3:mon> t [c0000000421bb650] c00000000033538c .km_query+0x6c/0xec [c0000000421bb6f0] c000000000337374 .xfrm_state_find+0x7f4/0xb88 [c0000000421bb7f0] c000000000332350 .xfrm_tmpl_resolve+0xc4/0x21c [c0000000421bb8d0] c0000000003326e8 .xfrm_lookup+0x1a0/0x5b0 [c0000000421bba00] c0000000002e6ea0 .ip_route_output_flow+0x88/0xb4 [c0000000421bbaa0] c0000000003106d8 .ip4_datagram_connect+0x218/0x374 [c0000000421bbbd0] c00000000031bc00 .inet_dgram_connect+0xac/0xd4 [c0000000421bbc60] c0000000002b11ac .sys_connect+0xd8/0x120 [c0000000421bbd90] c0000000002d38d0 .compat_sys_socketcall+0xdc/0x214 [c0000000421bbe30] c00000000000869c syscall_exit+0x0/0x40 --- Exception: c00 (System Call) at 0000000007f0ca9c SP (fc0ef8f0) is in userspace We are using size of security context from xfrm_policy to determine how much space to alloc skb and then putting security context from xfrm_state into skb. Should have been using size of security context from xfrm_state to alloc skb. Following fix does that Signed-off-by: Joy Latten <latten@austin.ibm.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: fix up misplaced inlines.Dave Jones2007-03-22
| | | | | | | | | Turning up the warnings on gcc makes it emit warnings about the placement of 'inline' in function declarations. Here's everything that was under net/ Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_saEric Paris2007-03-07
| | | | | | | | | | | | | Inside pfkey_delete and xfrm_del_sa the audit hooks were not called if there was any permission/security failures in attempting to do the del operation (such as permission denied from security_xfrm_state_delete). This patch moves the audit hook to the exit path such that all failures (and successes) will actually get audited. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: xfrm_policy delete security check misplacedEric Paris2007-03-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The security hooks to check permissions to remove an xfrm_policy were actually done after the policy was removed. Since the unlinking and deletion are done in xfrm_policy_by* functions this moves the hooks inside those 2 functions. There we have all the information needed to do the security check and it can be done before the deletion. Since auditing requires the result of that security check err has to be passed back and forth from the xfrm_policy_by* functions. This patch also fixes a bug where a deletion that failed the security check could cause improper accounting on the xfrm_policy (xfrm_get_policy didn't have a put on the exit path for the hold taken by xfrm_policy_by*) It also fixes the return code when no policy is found in xfrm_add_pol_expire. In old code (at least back in the 2.6.18 days) err wasn't used before the return when no policy is found and so the initialization would cause err to be ENOENT. But since err has since been used above when we don't get a policy back from the xfrm_policy_by* function we would always return 0 instead of the intended ENOENT. Also fixed some white space damage in the same area. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Fix kfree(skb)Patrick McHardy2007-02-28
| | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] xfrm_user: Fix return values of xfrm_add_sa_expire.David S. Miller2007-02-28
| | | | | | | As noted by Kent Yoder, this function will always return an error. Make sure it returns zero on success. Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Fix OOPSes in xfrm_audit_log().David S. Miller2007-02-12
| | | | | | | | | Make sure that this function is called correctly, and add BUG() checking to ensure the arguments are sane. Based upon a patch by Joy Latten. Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET] XFRM: Fix whitespace errors.YOSHIFUJI Hideaki2007-02-11
| | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: User interface for handling XFRM_MSG_MIGRATEShinta Sugimoto2007-02-08
| | | | | | | | | | | Add user interface for handling XFRM_MSG_MIGRATE. The message is issued by user application. When kernel receives the message, procedure of updating XFRM databases will take place. Signed-off-by: Shinta Sugimoto <shinta.sugimoto@ericsson.com> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM_USER]: avoid pointless void ** castsChristoph Hellwig2007-01-03
| | | | | | | | All ->doit handlers want a struct rtattr **, so pass down the right type. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* audit: Add auditing to ipsecJoy Latten2006-12-06
| | | | | | | | | An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] xfrm_user: Better validation of user templates.David S. Miller2006-12-03
| | | | | | | | | | | Since we never checked the ->family value of templates before, many applications simply leave it at zero. Detect this and fix it up to be the pol->family value. Also, do not clobber xp->family while reading in templates, that is not necessary. Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Fix aevent structuring to be more complete.Jamal Hadi Salim2006-12-03
| | | | | | | | | aevents can not uniquely identify an SA. We break the ABI with this patch, but consensus is that since it is not yet utilized by any (known) application then it is fine (better do it now than later). Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add netlink interface for the encapsulation family.Miika Komu2006-12-03
| | | | | | | Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Convert a few __u8 to proper u8Jamal Hadi Salim2006-12-03
| | | | | | | Caught by the EyeBalls(tm) of Thomas Graf Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Make flush notifier prettier when subpolicy usedJamal Hadi Salim2006-12-03
| | | | | | | Might as well make flush notifier prettier when subpolicy used Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETLINK]: Remove unused dst_pid field in netlink_skb_parmsThomas Graf2006-12-03
| | | | | | | | The destination PID is passed directly to netlink_unicast() respectively netlink_multicast(). Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Use kmemdup where appropriateArnaldo Carvalho de Melo2006-12-03
| | | | Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
* [XFRM]: Make copy_to_user_policy_type take a typeJamal Hadi Salim2006-12-03
| | | | | | | | Make copy_to_user_policy_type take a type instead a policy and fix its users to pass the type Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] STATE: Fix to respond error to get operation if no matching entry exists.Masahide NAKAMURA2006-11-25
| | | | | | | | | | | | | | | | | | When application uses XFRM_MSG_GETSA to get state entry through netlink socket and kernel has no matching one, the application expects reply message with error status by kernel. Kernel doesn't send the message back in the case of Mobile IPv6 route optimization protocols (i.e. routing header or destination options header). This is caused by incorrect return code "0" from net/xfrm/xfrm_user.c(xfrm_user_state_lookup) and it makes kernel skip to acknowledge at net/netlink/af_netlink.c(netlink_rcv_skb). This patch fix to reply ESRCH to application. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: TAKAMIYA Noriaki <takamiya@po.ntts.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: nlmsg length not computed correctly in the presence of subpoliciesJamal Hadi Salim2006-11-21
| | | | | | | | | | I actually dont have a test case for these; i just found them by inspection. Refer to patch "[XFRM]: Sub-policies broke policy events" for more info Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Acked-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Sub-policies broke policy eventsJamal Hadi Salim2006-11-21
| | | | | | | | | | | XFRM policy events are broken when sub-policy feature is turned on. A simple test to verify this: run ip xfrm mon on one window and add then delete a policy on another window .. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Acked-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] xfrm_user: Fix unaligned accesses.David S. Miller2006-10-30
| | | | | | | | | Use memcpy() to move xfrm_address_t objects in and out of netlink messages. The vast majority of xfrm_user was doing this properly, except for copy_from_user_state() and copy_to_user_state(). Signed-off-by: David S. Miller <davem@davemloft.net>
* IPsec: correct semantics for SELinux policy matchingVenkat Yekkirala2006-10-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently when an IPSec policy rule doesn't specify a security context, it is assumed to be "unlabeled" by SELinux, and so the IPSec policy rule fails to match to a flow that it would otherwise match to, unless one has explicitly added an SELinux policy rule allowing the flow to "polmatch" to the "unlabeled" IPSec policy rules. In the absence of such an explicitly added SELinux policy rule, the IPSec policy rule fails to match and so the packet(s) flow in clear text without the otherwise applicable xfrm(s) applied. The above SELinux behavior violates the SELinux security notion of "deny by default" which should actually translate to "encrypt by default" in the above case. This was first reported by Evgeniy Polyakov and the way James Morris was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. With this patch applied, SELinux "polmatching" of flows Vs. IPSec policy rules will only come into play when there's a explicit context specified for the IPSec policy rule (which also means there's corresponding SELinux policy allowing appropriate domains/flows to polmatch to this context). Secondly, when a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return errors other than access denied, such as -EINVAL. We were not handling that correctly, and in fact inverting the return logic and propagating a false "ok" back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The solution for this is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). This patch: Fix the selinux side of things. This makes sure SELinux polmatching of flow contexts to IPSec policy rules comes into play only when an explicit context is associated with the IPSec policy rule. Also, this no longer defaults the context of a socket policy to the context of the socket since the "no explicit context" case is now handled properly. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
* [XFRM]: BEET modeDiego Beltrami2006-10-04
| | | | | | | | | | | | | | | | | This patch introduces the BEET mode (Bound End-to-End Tunnel) with as specified by the ietf draft at the following link: http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-06.txt The patch provides only single family support (i.e. inner family = outer family). Signed-off-by: Diego Beltrami <diego.beltrami@gmail.com> Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Abhinav Pathak <abhinav.pathak@hiit.fi> Signed-off-by: Jeff Ahrenholz <ahrenholz@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] POLICY: Support netlink socket interface for sub policy.Masahide NAKAMURA2006-09-22
| | | | | | | | | Sub policy can be used through netlink socket. PF_KEY uses main only and it is TODO to support sub. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Introduce XFRM_MSG_REPORT.Masahide NAKAMURA2006-09-22
| | | | | | | | | | | | | | XFRM_MSG_REPORT is a message as notification of state protocol and selector from kernel to user-space. Mobile IPv6 will use it when inbound reject is occurred at route optimization to make user-space know a binding error requirement. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] STATE: Add Mobile IPv6 route optimization protocols to netlink interface.Masahide NAKAMURA2006-09-22
| | | | | | | | | | Add Mobile IPv6 route optimization protocols to netlink interface. Route optimization states carry care-of address. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Fix message about transformation user interface.Masahide NAKAMURA2006-09-22
| | | | | | | | | Transformation user interface is not only for IPsec. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] IPV6: Update outbound state timestamp for each sending.Masahide NAKAMURA2006-09-22
| | | | | | | | | | | | | | | | | With this patch transformation state is updated last used time for each sending. Xtime is used for it like other state lifetime expiration. Mobile IPv6 enabled nodes will want to know traffic status of each binding (e.g. judgement to request binding refresh by correspondent node, or to keep home/care-of nonce alive by mobile node). The last used timestamp is an important hint about it. Based on MIPL2 kernel patch. This patch was also written by: Henrik Petander <petander@tcs.hut.fi> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] STATE: Introduce care-of address.Noriaki TAKAMIYA2006-09-22
| | | | | | | | | | | Care-of address is carried by state as a transformation option like IPsec encryption/authentication algorithm. Based on MIPL2 kernel patch. Signed-off-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
* [XFRM] STATE: Search by address using source address list.Masahide NAKAMURA2006-09-22
| | | | | | | | | | | | This is a support to search transformation states by its addresses by using source address list for Mobile IPv6 usage. To use it from user-space, it is also added a message type for source address as a xfrm state option. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] STATE: Allow non IPsec protocol.Masahide NAKAMURA2006-09-22
| | | | | | | | | | | | It will be added two more transformation protocols (routing header and destination options header) for Mobile IPv6. xfrm_id_proto_match() can be handle zero as all, IPSEC_PROTO_ANY as all IPsec and otherwise as exact one. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Add XFRM_MODE_xxx for future use.Masahide NAKAMURA2006-09-22
| | | | | | | | | | | | | Transformation mode is used as either IPsec transport or tunnel. It is required to add two more items, route optimization and inbound trigger for Mobile IPv6. Based on MIPL2 kernel patch. This patch was also written by: Ville Nuorvala <vnuorval@tcs.hut.fi> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Default labeling of socket specific IPSec policiesVenkat Yekkirala2006-09-22
| | | | | | | | This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MLSXFRM]: Add security context to acquire messages using netlinkSerge Hallyn2006-09-22
| | | | | | | | | | | This includes the security context of a security association created for use by IKE in the acquire messages sent to IKE daemons using netlink/xfrm_user. This would allow the daemons to include the security context in the negotiation, so that the resultant association is unique to that security context. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>