26 Nov, 2008
2 commits
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller -
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
25 Mar, 2008
1 commit
-
| % size old/net/ipv6/xfrm6_input.o new/net/ipv6/xfrm6_input.o
| text data bss dec hex filename
| 1026 0 0 1026 402 old/net/ipv6/xfrm6_input.o
| 947 0 0 947 3b3 new/net/ipv6/xfrm6_input.oSigned-off-by: YOSHIFUJI Hideaki
29 Jan, 2008
10 commits
-
When netfilter is off the transport-mode async resumption doesn't work
because we don't push back the IP header. This patch fixes that by
moving most of the code outside of ifdef NETFILTER since the only part
that's not common is the short-circuit in the protocol handler.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch adds a number of new IPsec audit events to meet the auditing
requirements of RFC4303. This includes audit hooks for the following events:* Could not find a valid SA [sections 2.1, 3.4.2]
. xfrm_audit_state_notfound()
. xfrm_audit_state_notfound_simple()* Sequence number overflow [section 3.3.3]
. xfrm_audit_state_replay_overflow()* Replayed packet [section 3.4.3]
. xfrm_audit_state_replay()* Integrity check failure [sections 3.4.4.1, 3.4.4.2]
. xfrm_audit_state_icvfail()While RFC4304 deals only with ESP most of the changes in this patch apply to
IPsec in general, i.e. both AH and ESP. The one case, integrity check
failure, where ESP specific code had to be modified the same was done to the
AH code for the sake of consistency.Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller -
Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
Disable spin_lock during xfrm_type.input() function.
Follow design as IPsec inbound does.Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
When merging the input paths of IPsec I accidentally left a hard-coded
AF_INET for the state lookup call. This broke IPv6 obviously. This
patch fixes by getting the input callers to specify the family through
skb->cb.Credit goes to Kazunori Miyazawa for diagnosing this and providing an
initial patch.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The IPv4 and IPv6 hook values are identical, yet some code tries to figure
out the "correct" value by looking at the address family. Introduce NF_INET_*
values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
section for userspace compatibility.Signed-off-by: Patrick McHardy
Acked-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch adds support for async resumptions on input. To do so, the
transform would return -EINPROGRESS and subsequently invoke the
function xfrm_input_resume to resume processing.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The nhoff field isn't actually necessary in xfrm_input. For tunnel
mode transforms we now throw away the output IP header so it makes no
sense to fill in the nexthdr field. For transport mode we can now let
the function transport_finish do the setting and it knows where the
nexthdr field is.The only other thing that needs the nexthdr field to be set is the
header extraction code. However, we can simply move the protocol
extraction out of the generic header extraction.We want to minimise the amount of info we have to carry around between
transforms as this simplifies the resumption process for async crypto.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
As part of the work on asynchronous cryptographic operations, we need
to be able to resume from the spot where they occur. As such, it
helps if we isolate them to one spot.This patch moves most of the remaining family-specific processing into
the common input code.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
With inter-family transforms the inner mode differs from the outer
mode. Attempting to handle both sides from the same function means
that it needs to handle both IPv4 and IPv6 which creates duplication
and confusion.This patch separates the two parts on the input path so that each
function deals with one family only.In particular, the functions xfrm4_extract_inut/xfrm6_extract_inut
moves the pertinent fields from the IPv4/IPv6 IP headers into a
neutral format stored in skb->cb. This is then used by the inner mode
input functions to modify the inner IP header. In this way the input
function no longer has to know about the outer address family.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
18 Oct, 2007
4 commits
-
This patch adds a new field to xfrm states called inner_mode. The existing
mode object is renamed to outer_mode.This is the first part of an attempt to fix inter-family transforms. As it
is we always use the outer family when determining which mode to use. As a
result we may end up shoving IPv4 packets into netfilter6 and vice versa.What we really want is to use the inner family for the first part of outbound
processing and the outer family for the second part. For inbound processing
we'd use the opposite pairing.I've also added a check to prevent silly combinations such as transport mode
with inter-family transforms.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Currently BEET mode does not reinject the packet back into the stack
like tunnel mode does. Since BEET should behave just like tunnel mode
this is incorrect.This patch fixes this by introducing a flags field to xfrm_mode that
tells the IPsec code whether it should terminate and reinject the packet
back into the stack.It then sets the flag for BEET and tunnel mode.
I've also added a number of missing BEET checks elsewhere where we check
whether a given mode is a tunnel or not.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Not every transform needs to zap ip_summed. For example, a pure tunnel
mode encapsulation does not affect the hardware checksum at all. In fact,
every algorithm (that needs this) other than AH6 already does its own
ip_summed zapping.This patch moves the zapping into AH6 which is in line with what IPv4 does.
Possible future optimisation: Checksum the data as we copy them in IPComp.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Currently xfrm6_rcv_spi gets the nexthdr value itself from the packet.
This means that we need to fix up the value in case we have a 4-on-6
tunnel. Moving this logic into the caller simplifies things and allows
us to merge the code with IPv4.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed from the IPv6 input path,
this patch converts all occurances of sk_buff ** to sk_buff * in IPv6 input
handlers.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
31 May, 2007
1 commit
-
Signed-off-by: Kazunori MIYAZAWA
Signed-off-by: David S. Miller
26 Apr, 2007
4 commits
-
Signed-off-by: YOSHIFUJI Hideaki
-
Now the skb->nh union has just one member, .raw, i.e. it is just like the
skb->mac union, strange, no? I'm just leaving it like that till the transport
layer is done with, when we'll rename skb->mac.raw to skb->mac_header (or
->mac_header_offset?), ditto for ->{h,nh}.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
For the places where we need a pointer to the network header, it is still legal
to touch skb->nh.raw directly if just adding to, subtracting from or setting it
to another layer header.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: YOSHIFUJI Hideaki
14 Feb, 2007
1 commit
-
This patch changes xfrm6_tunnel register and deregister
interface to prepare for solving the conflict of device
tunnels with inter address family IPsec tunnel.
There is no device which conflicts with IPv4 over IPv6
IPsec tunnel.Signed-off-by: Kazunori MIYAZAWA
Signed-off-by: David S. Miller
11 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
29 Sep, 2006
2 commits
-
seq argument is net-endian
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
23 Sep, 2006
2 commits
-
XFRM_STATE_WILDRECV flag is introduced; the last resort state is set
it and receives packet which is not route optimized but uses such
extension headers i.e. Mobile IPv6 signaling (binding update and
acknowledgement). A node enabled Mobile IPv6 adds the state.Based on MIPL2 kernel patch.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Transformation mode is used as either IPsec transport or tunnel.
It is required to add two more items, route optimization and inbound trigger
for Mobile IPv6.
Based on MIPL2 kernel patch.This patch was also written by: Ville Nuorvala
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
18 Jun, 2006
1 commit
-
This patch adds the structure xfrm_mode. It is meant to represent
the operations carried out by transport/tunnel modes.By doing this we allow additional encapsulation modes to be added
without clogging up the xfrm_input/xfrm_output paths.Candidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and
BEET modes.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
01 Apr, 2006
2 commits
-
This patch removes the *_decap_state structures which were previously
used to share state between input/post_input. This is no longer
needed.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch removes the decap_state argument from the xfrm input hook.
Previously this function allowed the input hook to share state with
the post_input hook. The latter has since been removed.The only purpose for it now is to check the encap type. However, it
is easier and better to move the encap type check to the generic
xfrm_rcv function. This allows us to get rid of the decap state
argument altogether.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
29 Mar, 2006
1 commit
-
Basically this patch moves the generic tunnel protocol stuff out of
xfrm4_tunnel/xfrm6_tunnel and moves it into the new files of tunnel4.c
and tunnel6 respectively.The reason for this is that the problem that Hugo uncovered is only
the tip of the iceberg. The real problem is that when we removed the
dependency of ipip on xfrm4_tunnel we didn't really consider the module
case at all.For instance, as it is it's possible to build both ipip and xfrm4_tunnel
as modules and if the latter is loaded then ipip simply won't load.After considering the alternatives I've decided that the best way out of
this is to restore the dependency of ipip on the non-xfrm-specific part
of xfrm4_tunnel. This is acceptable IMHO because the intention of the
removal was really to be able to use ipip without the xfrm subsystem.
This is still preserved by this patch.So now both ipip/xfrm4_tunnel depend on the new tunnel4.c which handles
the arbitration between the two. The order of processing is determined
by a simple integer which ensures that ipip gets processed before
xfrm4_tunnel.The situation for ICMP handling is a little bit more complicated since
we may not have enough information to determine who it's for. It's not
a big deal at the moment since the xfrm ICMP handlers are basically
no-ops. In future we can deal with this when we look at ICMP caching
in general.The user-visible change to this is the removal of the TUNNEL Kconfig
prompts. This makes sense because it can only be used through IPCOMP
as it stands.The addition of the new modules shouldn't introduce any problems since
module dependency will cause them to be loaded.Oh and I also turned some unnecessary pskb's in IPv6 related to this
patch to skb's.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
08 Jan, 2006
2 commits
-
When the innermost transform uses transport mode the decapsulated packet
is not visible to netfilter. Pass the packet through the PRE_ROUTING and
LOCAL_IN hooks again before handing it to upper layer protocols to make
netfilter-visibility symetrical to the output path.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Move nextheader offset to the IP6CB to make it possible to pass a
packet to ip6_input_finish multiple times and have it skip already
parsed headers. As a nice side effect this gets rid of the manual
hopopts skipping in ip6_input_finish.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
17 Apr, 2005
1 commit
-
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.Let it rip!
