18 Oct, 2013

1 commit

  • In ipcomp_compress(), softirq is enabled too early, allowing the
    per-cpu scratch buffer to be rewritten by ipcomp_decompress()
    (called on the same CPU in softirq context) between populating
    the buffer and copying the compressed data to the skb.

    v2: as pointed out by Steffen Klassert, if we also move the
    local_bh_disable() before reading the per-cpu pointers, we can
    get rid of get_cpu()/put_cpu().

    v3: removed ipcomp_decompress part (as explained by Herbert Xu,
    it cannot be called from process context), get rid of cpu
    variable (thanks to Eric Dumazet)

    Signed-off-by: Michal Kubecek
    Reviewed-by: Eric Dumazet
    Acked-by: Herbert Xu
    Signed-off-by: Steffen Klassert

    Michal Kubecek
     

08 Oct, 2013

2 commits


25 Sep, 2013

1 commit

  • If asynchronous events are enabled for a particular netlink socket,
    the notify function is called by the advance function. The notify
    function creates and dispatches a km_event if a replay timeout occurred,
    or at least replay_maxdiff packets have been received since the last
    asynchronous event has been sent. The function is supposed to return if
    neither of the two events were detected for a state, or replay_maxdiff
    is equal to zero.
    Replay_maxdiff is initialized in xfrm_state_construct to the value of
    the xfrm.sysctl_aevent_rseqth (2 by default), and updated for a state
    if the netlink attribute XFRMA_REPLAY_THRESH is set.
    If, however, replay_maxdiff is set to zero, then all of the three notify
    implementations perform a break from the switch statement instead of
    checking whether a timeout occurred, and -- if not -- return. As a
    result an asynchronous event is generated for every replay update of a
    state that has a zero replay_maxdiff value.
    This patch modifies the notify functions such that they immediately
    return if replay_maxdiff has the value zero, unless a timeout occurred.

    Signed-off-by: Thomas Egerer
    Signed-off-by: Steffen Klassert

    Thomas Egerer
     

17 Sep, 2013

1 commit

  • For the legacy IPsec anti-replay mechanism:

    The bitmap in struct xfrm_replay_state can only provide a 32-bit
    window size limit in the current design, thus the user level parameter
    sadb_sa_replay should honor this limit; otherwise setkey -D will
    print misleading output ("replay=244"):

    192.168.25.2 192.168.22.2
    esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000)
    E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2
    A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331
    seq=0x00000000 replay=244 flags=0x00000000 state=mature
    created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
    diff: 22(s) hard: 30(s) soft: 26(s)
    last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
    current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 22 hard: 0 soft: 0
    sadb_seq=1 pid=4854 refcnt=0
    192.168.22.2 192.168.25.2
    esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000)
    E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282
    A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88
    seq=0x00000000 replay=244 flags=0x00000000 state=mature
    created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013
    diff: 22(s) hard: 30(s) soft: 26(s)
    last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s)
    current: 1408(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 22 hard: 0 soft: 0
    sadb_seq=0 pid=4854 refcnt=0

    This also optimizes the xfrm_replay_check window check by setting the
    desired x->props.replay_window once, so that the comparison is done
    only once, when the xfrm_state is first created.

    Signed-off-by: Fan Du
    Signed-off-by: Steffen Klassert

    Fan Du
     
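    The sliding-window check that a single 32-bit bitmap can support, with the
    window-size validation the commit above argues for, as an added example
    written for this page (it is not the kernel's xfrm_replay_check() or
    setkey's code). The names replay_state, replay_init, replay_check,
    replay_advance, replay_run_trace and replay_demo_accepted, and the packet
    trace they are fed, are constructed for the example:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_BITMAP_BITS 32U   /* one 32-bit word, as in the legacy state */

/* Example state, modelled loosely on the legacy xfrm_replay_state layout. */
struct replay_state {
    uint32_t seq;      /* highest sequence number accepted so far */
    uint32_t bitmap;   /* bit i set: packet (seq - i) has been received */
    uint32_t window;   /* window size in packets, 1..32 */
};

/* Reject window sizes the 32-bit bitmap cannot represent; this is the
 * limit the commit above applies to the user-supplied sadb_sa_replay. */
int replay_init(struct replay_state *st, uint32_t window)
{
    if (window == 0 || window > REPLAY_BITMAP_BITS)
        return -EINVAL;
    st->seq = 0;
    st->bitmap = 0;
    st->window = window;
    return 0;
}

/* 0: accept; -1: replayed or older than the window. seq 0 is never valid. */
int replay_check(const struct replay_state *st, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return -1;
    if (seq > st->seq)               /* ahead of the window: always new */
        return 0;
    diff = st->seq - seq;
    if (diff >= st->window)          /* behind the window: too old */
        return -1;
    if (st->bitmap & (1U << diff))   /* inside the window: seen before? */
        return -1;
    return 0;
}

/* Record seq as received; call only after replay_check() accepted it. */
void replay_advance(struct replay_state *st, uint32_t seq)
{
    if (seq > st->seq) {
        uint32_t diff = seq - st->seq;
        /* slide the window; a jump of 32 or more drops all history bits */
        st->bitmap = diff < REPLAY_BITMAP_BITS ? st->bitmap << diff : 0;
        st->bitmap |= 1U;
        st->seq = seq;
    } else {
        st->bitmap |= 1U << (st->seq - seq);
    }
}

/* Run a packet trace through one state; returns the number of packets
 * accepted, or -1 if the window size itself is invalid. */
int replay_run_trace(uint32_t window, const uint32_t *seqs, int n)
{
    struct replay_state st;
    int accepted = 0, i;

    if (replay_init(&st, window) != 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (replay_check(&st, seqs[i]) == 0) {
            replay_advance(&st, seqs[i]);
            accepted++;
        }
    }
    return accepted;
}

/* Constructed trace: in-order, out-of-order, a duplicate, a big jump,
 * then packets just outside and just inside a 32-packet window. */
int replay_demo_accepted(uint32_t window)
{
    static const uint32_t trace[] = { 5, 3, 3, 40, 8, 9, 41, 40 };
    return replay_run_trace(window, trace, 8);
}

int main(void)
{
    printf("window=32: accepted %d of 8 packets\n", replay_demo_accepted(32));
    printf("window=244: %d (bitmap is only 32 bits wide)\n",
           replay_demo_accepted(244));
    return 0;
}
```

    With a 32-packet window the trace accepts 5 packets (the duplicate 3, the
    packet 8 that is exactly 32 behind 40, and the replayed 40 are dropped); a
    requested window of 244 is refused up front instead of being silently
    truncated to what the bitmap can hold.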

16 Sep, 2013

1 commit

  • We pass the wrong netlink attribute to xfrm_replay_verify_len().
    It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as
    we are currently doing. This causes memory corruptions if the
    replay esn attribute has incorrect length. Fix this by passing
    the right attribute to xfrm_replay_verify_len().

    Reported-by: Michael Rossberg
    Signed-off-by: Steffen Klassert

    Steffen Klassert
     
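    The kind of length check the fix above is about, as an added example
    written for this page and not the kernel's xfrm_replay_verify_len(): a
    variable-length attribute must be verified against its own announced size
    and against the state it will be copied into, and the verification has to
    run on the same attribute that gets copied. The names nl_attr, replay_esn,
    replay_esn_verify_len, replay_esn_apply, replay_esn_build and
    replay_esn_demo, and the attribute bytes they construct, are this example's
    own assumptions:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A netlink-style attribute: the bytes actually present and their count. */
struct nl_attr {
    size_t len;
    const uint8_t *data;
};

/* Variable-length replay state: a fixed header, then bmp_len bitmap words. */
struct replay_esn {
    uint32_t bmp_len;        /* number of uint32_t bitmap words that follow */
    uint32_t oseq, seq, oseq_hi, seq_hi;
    uint32_t replay_window;
    uint32_t bmp[];
};

static size_t replay_esn_len(uint32_t bmp_len)
{
    return sizeof(struct replay_esn) + (size_t)bmp_len * sizeof(uint32_t);
}

/*
 * 0 if rp carries exactly the bytes its own header announces and that size
 * matches the bmp_len the receiving state was allocated with; -EINVAL
 * otherwise. Run this on the attribute that will be copied: verifying a
 * different attribute checks the wrong buffer and lets the memcpy() in
 * replay_esn_apply() run past the real payload or the allocation.
 */
int replay_esn_verify_len(const struct nl_attr *rp, uint32_t state_bmp_len)
{
    uint32_t claimed;

    if (rp == NULL || rp->len < sizeof(struct replay_esn))
        return -EINVAL;
    memcpy(&claimed, rp->data + offsetof(struct replay_esn, bmp_len),
           sizeof(claimed));                      /* payload may be unaligned */
    if (rp->len != replay_esn_len(claimed))      /* announced vs present */
        return -EINVAL;
    if (claimed != state_bmp_len)                /* must fit the allocation */
        return -EINVAL;
    return 0;
}

/* Copy the attribute into an allocated state only after it verified. */
int replay_esn_apply(struct replay_esn *state, const struct nl_attr *rp)
{
    int err = replay_esn_verify_len(rp, state->bmp_len);
    if (err)
        return err;
    memcpy(state, rp->data, rp->len);
    return 0;
}

/* Build a constructed attribute: a header claiming `claimed` words followed
 * by `present` words of dummy bitmap. Returns the number of bytes written. */
size_t replay_esn_build(uint8_t *buf, size_t cap,
                        uint32_t claimed, uint32_t present)
{
    struct replay_esn hdr = { .bmp_len = claimed, .replay_window = present * 32 };
    size_t n = replay_esn_len(present);

    if (n > cap)
        return 0;
    memcpy(buf, &hdr, sizeof(hdr));
    memset(buf + sizeof(hdr), 0xAA, n - sizeof(hdr));
    return n;
}

/* Try to apply such an attribute to a state allocated for state_words words. */
int replay_esn_demo(uint32_t claimed, uint32_t present, uint32_t state_words)
{
    uint8_t buf[256];
    struct nl_attr rp;
    struct replay_esn *state;
    int err;

    rp.len = replay_esn_build(buf, sizeof buf, claimed, present);
    rp.data = buf;
    state = calloc(1, replay_esn_len(state_words));
    if (state == NULL)
        return -ENOMEM;
    state->bmp_len = state_words;
    err = replay_esn_apply(state, &rp);
    free(state);
    return err;
}

int main(void)
{
    printf("honest attribute, 2 words, state has 2:  %d\n", replay_esn_demo(2, 2, 2));
    printf("claims 8 words, carries 2, state has 2:  %d\n", replay_esn_demo(8, 2, 2));
    printf("honest 2 words, state allocated for 4:   %d\n", replay_esn_demo(2, 2, 4));
    return 0;
}
```

    Only the attribute whose announced length, actual length and target
    allocation all agree is copied; the two mismatched cases are refused before
    any byte moves.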

06 Sep, 2013

1 commit

  • Conflicts:
    drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
    net/bridge/br_multicast.c
    net/ipv6/sit.c

    The conflicts were minor:

    1) sit.c changes overlap with change to ip_tunnel_xmit() signature.

    2) br_multicast.c had an overlap between computing max_delay using
    msecs_to_jiffies and turning MLDV2_MRC() into an inline function
    with a name using lowercase instead of uppercase letters.

    3) stmmac had two overlapping changes, one which conditionally allocated
    and hooked up a dma_cfg based upon the presence of the pbl OF property,
    and another one handling store-and-forward DMA mode. The latter of
    which should not go into the new of_find_property() basic block.

    Signed-off-by: David S. Miller

    David S. Miller
     

28 Aug, 2013

1 commit

  • The net_device might be not set on the skb when we try refcounting.
    This leads to a null pointer dereference in xdst_queue_output().
    It turned out that the refcount to the net_device is not needed
    after all. The dst_entry has a refcount to the net_device before
    we queue the skb, so it can't go away. Therefore we can remove the
    refcount on queueing to fix the null pointer dereference.

    Signed-off-by: Steffen Klassert

    Steffen Klassert
     

19 Aug, 2013

2 commits

  • This patch removes a comment in xfrm_input() which became irrelevant
    due to commit 2774c13, "xfrm: Handle blackhole route creation via afinfo".
    That commit removed returning -EREMOTE in the xfrm_lookup() method when the
    packet should be discarded and also removed the corresponding -EREMOTE
    handlers. This was replaced by calling the make_blackhole() method. Therefore
    the comment about -EREMOTE is not relevant anymore.

    Signed-off-by: Rami Rosen
    Signed-off-by: Steffen Klassert

    Rami Rosen
     
  • We need to choose the protocol family by skb->protocol. Otherwise we
    call the wrong xfrm{4,6}_local_error handler in case an ipv6 sockets is
    used in ipv4 mode, in which case we should call down to xfrm4_local_error
    (ip6 sockets are a superset of ip4 ones).

    We are called before the ip_output functions, so skb->protocol is
    not reset.

    Cc: Steffen Klassert
    Acked-by: Eric Dumazet
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: Steffen Klassert

    Hannes Frederic Sowa
     

16 Aug, 2013

1 commit

  • xfrm_state timer should be independent of system clock change,
    so switch to CLOCK_BOOTTIME base which is not only monotonic but
    also counting suspend time.

    Thus the issue reported in commit 9e0d57fd6dad37d72a3ca6db00ca8c76f2215454
    ("xfrm: SAD entries do not expire correctly after suspend-resume")
    could ALSO be avoided.

    v2: Use CLOCK_BOOTTIME to count suspend time, but still monotonic.

    Signed-off-by: Fan Du
    Acked-by: David S. Miller
    Signed-off-by: Steffen Klassert

    Fan Du
     

14 Aug, 2013

1 commit

  • In xfrm4 and xfrm6 we need to take care about sockets of the other
    address family. This could happen because a 6in4 or 4in6 tunnel could
    get protected by ipsec.

    Because we don't want to have a run-time dependency on ipv6 when only
    using ipv4 xfrm we have to embed a pointer to the correct local_error
    function in xfrm_state_afinet and look it up when returning an error
    depending on the socket address family.

    Thanks to vi0ss for the great bug report:

    v2:
    a) fix two more unsafe interpretations of skb->sk as ipv6 socket
    (xfrm6_local_dontfrag and __xfrm6_output)
    v3:
    a) add an EXPORT_SYMBOL_GPL(xfrm_local_error) to fix a link error when
    building ipv6 as a module (thanks to Steffen Klassert)

    Reported-by:
    Cc: Steffen Klassert
    Signed-off-by: Hannes Frederic Sowa
    Signed-off-by: Steffen Klassert

    Hannes Frederic Sowa
     

06 Aug, 2013

1 commit


05 Aug, 2013

1 commit


01 Aug, 2013

1 commit

  • The current net namespace has only one genid for both IPv4 and IPv6, which has
    the following drawbacks:

    - Adding/deleting an IPv4 address will invalidate all IPv6 routing table entries.
    - Inserting/removing an XFRM policy will also invalidate both IPv4 and IPv6 routing
    table entries even when the policy is only applied to one address family.

    Thus, this patch attempts to split the one genid in two, to cater for IPv4 and IPv6
    separately at a finer granularity.

    Signed-off-by: Fan Du
    Acked-by: Hannes Frederic Sowa
    Signed-off-by: David S. Miller

    fan.du
     

27 Jun, 2013

1 commit


06 Jun, 2013

2 commits

  • When a host pings its peer, the ICMP echo request packet triggers an IPsec
    policy, then the host negotiates an SA secret with its peer. After IKE
    has installed the SA for the OUT direction, but before the SA for the IN
    direction is installed, the host gets an ICMP echo reply from its peer. At
    that time the SA state for the IN direction could be XFRM_STATE_ACQ,
    so the received packet will be dropped after adding to the
    LINUX_MIB_XFRMINSTATEINVALID statistic.

    Adding a LINUX_MIB_XFRMACQUIREERROR statistic counter for this
    scenario, when the SA is in larval state, is much clearer for the user than
    LINUX_MIB_XFRMINSTATEINVALID, which indicates the SA is totally
    bad.

    Signed-off-by: Fan Du
    Signed-off-by: Steffen Klassert

    Fan Du
     
  • Merge 'net' bug fixes into 'net-next' as we have patches
    that will build on top of them.

    This merge commit includes a change from Emil Goode
    (emilgoode@gmail.com) that fixes a warning that would
    have been introduced by this merge. Specifically it
    fixes the pingv6_ops method ipv6_chk_addr() to add a
    "const" to the "struct net_device *dev" argument and
    likewise update the dummy_ipv6_chk_addr() declaration.

    Signed-off-by: David S. Miller

    David S. Miller
     

05 Jun, 2013

1 commit


01 Jun, 2013

1 commit

  • In some cases after deleting a policy from the SPD the policy would
    remain in the dst/flow/route cache for an extended period of time
    which caused problems for SELinux as its dynamic network access
    controls key off of the number of XFRM policy and state entries.
    This patch corrects this problem by forcing a XFRM garbage collection
    whenever a policy is successfully removed.

    Reported-by: Ondrej Moris
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

29 May, 2013

1 commit

  • So far, only net_device * could be passed along with netdevice notifier
    event. This patch provides a possibility to pass custom structure
    able to provide info that event listener needs to know.

    Signed-off-by: Jiri Pirko

    v2->v3: fix typo on simeth
    shortened dev_getter
    shortened notifier_info struct name
    v1->v2: fix notifier_call parameter in call_netdevice_notifier()
    Signed-off-by: David S. Miller

    Jiri Pirko
     

23 May, 2013

1 commit

  • The error exit path needs err explicitly set. Otherwise it
    returns success and the only caller, xfrm_output_resume(),
    would oops in the skb_dst(skb)->ops dereference as skb_dst(skb) is
    NULL.

    Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
    check and add a statistic).

    Signed-off-by: Timo Teräs
    Cc: Li RongQing
    Cc: Steffen Klassert
    Signed-off-by: David S. Miller

    Timo Teräs
     

03 May, 2013

1 commit

  • Pull crypto update from Herbert Xu:

    - XTS mode optimisation for twofish/cast6/camellia/aes on x86

    - AVX2/x86_64 implementation for blowfish/twofish/serpent/camellia

    - SSSE3/AVX/AVX2 optimisations for sha256/sha512

    - Added driver for SAHARA2 crypto accelerator

    - Fix for GMAC when used in non-IPsec scenarios

    - Added generic CMAC implementation (including IPsec glue)

    - IP update for crypto/atmel

    - Support for more than one device in hwrng/timeriomem

    - Added Broadcom BCM2835 RNG driver

    - Misc fixes

    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (59 commits)
    crypto: caam - fix job ring cleanup code
    crypto: camellia - add AVX2/AES-NI/x86_64 assembler implementation of camellia cipher
    crypto: serpent - add AVX2/x86_64 assembler implementation of serpent cipher
    crypto: twofish - add AVX2/x86_64 assembler implementation of twofish cipher
    crypto: blowfish - add AVX2/x86_64 implementation of blowfish cipher
    crypto: tcrypt - add async cipher speed tests for blowfish
    crypto: testmgr - extend camellia test-vectors for camellia-aesni/avx2
    crypto: aesni_intel - fix Kconfig problem with CRYPTO_GLUE_HELPER_X86
    crypto: aesni_intel - add more optimized XTS mode for x86-64
    crypto: x86/camellia-aesni-avx - add more optimized XTS code
    crypto: cast6-avx: use new optimized XTS code
    crypto: x86/twofish-avx - use optimized XTS code
    crypto: x86 - add more optimized XTS-mode for serpent-avx
    xfrm: add rfc4494 AES-CMAC-96 support
    crypto: add CMAC support to CryptoAPI
    crypto: testmgr - add empty test vectors for null ciphers
    crypto: testmgr - add AES GMAC test vectors
    crypto: gcm - fix rfc4543 to handle async crypto correctly
    crypto: gcm - make GMAC work when dst and src are different
    hwrng: timeriomem - added devicetree hooks
    ...

    Linus Torvalds
     

25 Apr, 2013

1 commit


12 Apr, 2013

1 commit


02 Apr, 2013

1 commit


28 Mar, 2013

1 commit

  • Steffen Klassert says:

    ====================
    1) Initialize the satype field in key_notify_policy_flush(),
    this was left uninitialized. From Nicolas Dichtel.

    2) The sequence number difference for replay notifications
    was miscalculated on ESN sequence number wrap. We need
    a separate replay notify function for esn.

    3) Fix an off by one in the esn replay notify function.
    From Mathias Krause.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

25 Mar, 2013

1 commit


20 Mar, 2013

1 commit

  • We may miscalculate the sequence number difference from the
    last time we send a notification if a sequence number wrap
    occurred in the meantime. We fix this by adding a separate
    replay notify function for esn. Here we take the high bits
    of the sequence number into account to calculate the
    difference.

    Signed-off-by: Steffen Klassert

    Steffen Klassert
     
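    The two replay-notify points on this page, the ESN sequence-number
    difference described just above and the replay_maxdiff == 0 case from the
    25 Sep 2013 entry, in one added example written for this page (it is not the
    kernel's xfrm_replay_notify_esn()). It keeps the counter as the ESN state
    does, a low word carried on the wire plus a locally tracked high word, and
    computes the difference over the full 64-bit value, which a low-word-only
    difference cannot do once the high word differs. The names esn_counter,
    esn_make, esn_seq_diff_low32, esn_seq_diff and esn_should_notify are this
    example's own:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A 64-bit extended sequence number split the way the ESN state keeps it. */
struct esn_counter {
    uint32_t seq;      /* low 32 bits, the part carried on the wire */
    uint32_t seq_hi;   /* high 32 bits, tracked locally by both ends */
};

struct esn_counter esn_make(uint32_t seq, uint32_t seq_hi)
{
    struct esn_counter c = { seq, seq_hi };
    return c;
}

static uint64_t esn_full(struct esn_counter c)
{
    return ((uint64_t)c.seq_hi << 32) | c.seq;
}

/* Low-word-only difference: cannot tell d apart from d + k * 2^32. */
uint32_t esn_seq_diff_low32(struct esn_counter cur, struct esn_counter last)
{
    return cur.seq - last.seq;
}

/* Difference over the full 64-bit value, so the high bits count. */
uint64_t esn_seq_diff(struct esn_counter cur, struct esn_counter last)
{
    return esn_full(cur) - esn_full(last);
}

/*
 * Should a replay update generate an asynchronous event?
 *  - a replay timeout always does;
 *  - replay_maxdiff == 0 means "never on packet count", so return false
 *    here instead of falling through and notifying on every update;
 *  - otherwise notify once at least replay_maxdiff packets have arrived
 *    since the last event was sent.
 */
bool esn_should_notify(struct esn_counter cur, struct esn_counter last,
                       uint32_t replay_maxdiff, bool timeout)
{
    if (timeout)
        return true;
    if (replay_maxdiff == 0)
        return false;
    return esn_seq_diff(cur, last) >= replay_maxdiff;
}

int main(void)
{
    struct esn_counter last = esn_make(5, 0);
    struct esn_counter cur  = esn_make(5, 1);    /* 2^32 packets later */

    printf("low32 diff: %u, full diff: %llu\n",
           esn_seq_diff_low32(cur, last),
           (unsigned long long)esn_seq_diff(cur, last));
    printf("maxdiff=0, no timeout -> notify=%d\n",
           esn_should_notify(cur, last, 0, false));
    return 0;
}
```

    A wrap of the low word (0xFFFFFFF0 with seq_hi 0 to 0x10 with seq_hi 1) is
    a difference of 0x20 either way, but with the high word taken into account a
    full 2^32 packets of progress is no longer reported as zero, and a state with
    replay_maxdiff of zero only ever notifies on a timeout.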

19 Mar, 2013

1 commit

  • Because the xfrm policy direction has the same value as the corresponding
    flow direction, this problem is covered up.

    In xfrm_lookup and __xfrm_policy_check, flow_cache_lookup is used to
    accelerate the lookup.

    Flow direction is given to flow_cache_lookup by policy_to_flow_dir.

    When the flow cache is mismatched, callback 'resolver' is called.

    'resolver' requires xfrm direction,
    so convert direction back to xfrm direction.

    Signed-off-by: Baker Zhang
    Signed-off-by: David S. Miller

    Baker Zhang
     

06 Mar, 2013

2 commits

  • There is no need to modify the netlink dispatch table at runtime.

    Signed-off-by: Mathias Krause
    Signed-off-by: Steffen Klassert

    Mathias Krause
     
  • By default, the DSCP is copied during encapsulation.
    Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
    different DSCP may get reordered relative to each other in the network and then
    dropped by the remote IPsec GW if the reordering becomes too big compared to the
    replay window.

    It is possible to avoid this copy with netfilter rules, but it's very convenient
    to be able to configure it for each SA directly.

    This patch adds a toggle for this purpose. By default, it's not set to maintain
    backward compatibility.

    The flags field in struct xfrm_usersa_info is full, hence I add a new attribute.

    Signed-off-by: Nicolas Dichtel
    Signed-off-by: Steffen Klassert

    Nicolas Dichtel
     

28 Feb, 2013

1 commit

  • I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    they don't really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small amount of places were using the 'node' parameter, this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foudnation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

22 Feb, 2013

1 commit

  • Pull driver core patches from Greg Kroah-Hartman:
    "Here is the big driver core merge for 3.9-rc1

    There are two major series here, both of which touch lots of drivers
    all over the kernel, and will cause you some merge conflicts:

    - add a new function called devm_ioremap_resource() to properly be
    able to check return values.

    - remove CONFIG_EXPERIMENTAL

    Other than those patches, there's not much here, some minor fixes and
    updates"

    Fix up trivial conflicts

    * tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (221 commits)
    base: memory: fix soft/hard_offline_page permissions
    drivercore: Fix ordering between deferred_probe and exiting initcalls
    backlight: fix class_find_device() arguments
    TTY: mark tty_get_device call with the proper const values
    driver-core: constify data for class_find_device()
    firmware: Ignore abort check when no user-helper is used
    firmware: Reduce ifdef CONFIG_FW_LOADER_USER_HELPER
    firmware: Make user-mode helper optional
    firmware: Refactoring for splitting user-mode helper code
    Driver core: treat unregistered bus_types as having no devices
    watchdog: Convert to devm_ioremap_resource()
    thermal: Convert to devm_ioremap_resource()
    spi: Convert to devm_ioremap_resource()
    power: Convert to devm_ioremap_resource()
    mtd: Convert to devm_ioremap_resource()
    mmc: Convert to devm_ioremap_resource()
    mfd: Convert to devm_ioremap_resource()
    media: Convert to devm_ioremap_resource()
    iommu: Convert to devm_ioremap_resource()
    drm: Convert to devm_ioremap_resource()
    ...

    Linus Torvalds
     

19 Feb, 2013

2 commits

  • proc_net_remove is only used to remove proc entries
    that are under /proc/net; it's not a general function for
    removing proc entries of a netns. If we want to remove
    some proc entries which are under /proc/net/stat/, we still
    need to call remove_proc_entry.

    This patch uses remove_proc_entry to replace proc_net_remove.
    We can remove proc_net_remove after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     
  • Right now, some modules such as bonding use proc_create
    to create proc entries under /proc/net/, and other modules
    such as ipv4 use proc_net_fops_create.

    It looks a little chaotic. This patch changes all of the
    proc_net_fops_create calls to proc_create. We can remove
    proc_net_fops_create after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     

15 Feb, 2013

1 commit

  • Steffen Klassert says:

    ====================
    1) Remove a duplicated call to skb_orphan() in pf_key, from Cong Wang.

    2) Prepare xfrm and pf_key for algorithms without pf_key support,
    from Jussi Kivilinna.

    3) Fix an unbalanced lock in xfrm_output_one(), from Li RongQing.

    4) Add an IPsec state resolution packet queue to handle
    packets that are sent before the states are resolved.

    5) xfrm4_policy_fini() is unused since 2.6.11, time to remove it.
    From Michal Kubecek.

    6) The xfrm gc threshold was configurable just in the initial
    namespace, make it configurable in all namespaces. From
    Michal Kubecek.

    7) We currently can not insert policies with mark and mask
    such that some flows would be matched from both policies.
    Allow this if the priorities of these policies are different,
    the one with the higher priority is used in this case.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

11 Feb, 2013

1 commit


06 Feb, 2013

1 commit

  • As the default, we blackhole packets until the key manager resolves
    the states. This patch implements a packet queue where IPsec packets
    are queued until the states are resolved. We generate a dummy xfrm
    bundle, the output routine of the returned route enqueues the packet
    to a per policy queue and arms a timer that checks for state resolution
    when dst_output() is called. Once the states are resolved, the packets
    are sent out of the queue. If the states are not resolved after some
    time, the queue is flushed.

    This patch keeps the default behaviour to blackhole packets as long
    as we have no states. To enable the packet queue the sysctl
    xfrm_larval_drop must be switched off.

    Signed-off-by: Steffen Klassert

    Steffen Klassert
     

01 Feb, 2013

1 commit