28 Apr, 2008

1 commit


28 Mar, 2008

1 commit


25 Mar, 2008

1 commit


29 Feb, 2008

1 commit

  • Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
    This is achieved by adding the entries to one more list which is used
    solely for walking the entries.

    This also fixes some races where the dump can have duplicate or missing
    entries when the SPD/SADB is modified during an ongoing dump.

    Dumping SADB with 20000 entries using "time ip xfrm state" the sys
    time dropped from 1.012s to 0.080s.

    Signed-off-by: Timo Teras
    Signed-off-by: David S. Miller

    Timo Teras
     

02 Feb, 2008

1 commit


01 Feb, 2008

2 commits


29 Jan, 2008

8 commits

  • xfrm_state_clone() is not used outside of net/xfrm/xfrm_state.c
    There is no need to export it.

    Spotted by sparse checker.
    CHECK net/xfrm/xfrm_state.c
    net/xfrm/xfrm_state.c:1103:19: warning: symbol 'xfrm_state_clone' was not declared. Should it be static?

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     
  • net/xfrm/xfrm_state.c:
    xfrm_audit_state_delete | -589
    xfrm_replay_check | -542
    xfrm_audit_state_icvfail | -520
    xfrm_audit_state_add | -589
    xfrm_audit_state_replay_overflow | -523
    xfrm_audit_state_notfound_simple | -509
    xfrm_audit_state_notfound | -521
    7 functions changed, 3793 bytes removed, diff: -3793

    net/xfrm/xfrm_state.c:
    xfrm_audit_helper_pktinfo | +522
    xfrm_audit_helper_sainfo | +598
    2 functions changed, 1120 bytes added, diff: +1120

    net/xfrm/xfrm_state.o:
    9 functions changed, 1120 bytes added, 3793 bytes removed, diff: -2673

    Signed-off-by: Ilpo Järvinen
    Signed-off-by: David S. Miller

    Ilpo Järvinen
     
  • Add __acquires() and __releases() annotations to suppress some sparse
    warnings.

    Example of warnings:

    net/ipv4/udp.c:1555:14: warning: context imbalance in 'udp_seq_start' - wrong count at exit
    net/ipv4/udp.c:1571:13: warning: context imbalance in 'udp_seq_stop' - unexpected unlock

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     
  • This patch adds a number of new IPsec audit events to meet the auditing
    requirements of RFC4303. This includes audit hooks for the following events:

    * Could not find a valid SA [sections 2.1, 3.4.2]
    . xfrm_audit_state_notfound()
    . xfrm_audit_state_notfound_simple()

    * Sequence number overflow [section 3.3.3]
    . xfrm_audit_state_replay_overflow()

    * Replayed packet [section 3.4.3]
    . xfrm_audit_state_replay()

    * Integrity check failure [sections 3.4.4.1, 3.4.4.2]
    . xfrm_audit_state_icvfail()

    While RFC4304 deals only with ESP most of the changes in this patch apply to
    IPsec in general, i.e. both AH and ESP. The one case, integrity check
    failure, where ESP specific code had to be modified the same was done to the
    AH code for the sake of consistency.

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     
  • This patch fixes a number of small but potentially troublesome things in the
    XFRM/IPsec code:

    * Use the 'audit_enabled' variable already in include/linux/audit.h
    Removed the need for extern declarations local to each XFRM audit function

    * Convert 'sid' to 'secid' everywhere we can
    The 'sid' name is specific to SELinux, 'secid' is the common naming
    convention used by the kernel when referring to tokenized LSM labels,
    unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
    we risk breaking userspace

    * Convert address display to use standard NIP* macros
    Similar to what was recently done with the SPD audit code, this also
    includes the removal of some unnecessary memcpy() calls

    * Move common code to xfrm_audit_common_stateinfo()
    Code consolidation from the "less is more" book on software development

    * Proper spacing around commas in function arguments
    Minor style tweak since I was already touching the code

    Signed-off-by: Paul Moore
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Paul Moore
     
  • The _find calls calculate the hash value using the
    xfrm_state_hmask, without the xfrm_state_lock. But the
    value of this mask can change in the _resize call under
    the state_lock, so we risk failing to find the desired
    entry in the hash.

    I think that the hash value is better calculated
    under the state lock.

    Signed-off-by: Pavel Emelyanov
    Signed-off-by: David S. Miller

    Pavel Emelyanov
     
  • A single list_head variable initialized with LIST_HEAD_INIT can almost
    always be replaced with a LIST_HEAD declaration; this shrinks the code
    and looks better.

    Signed-off-by: Denis Cheng
    Signed-off-by: David S. Miller

    Denis Cheng
     
  • Much code in the kernel initializes timer->function
    and timer->data together with calling init_timer(timer). There
    is already a helper for this. Use it for networking code.

    The patch is HUGE, but makes the code 130 lines shorter
    (98 insertions(+), 228 deletions(-)).

    Signed-off-by: Pavel Emelyanov
    Acked-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller

    Pavel Emelyanov
     

04 Jan, 2008

1 commit

  • In include/net/xfrm.h we find:

    #ifdef CONFIG_XFRM_MIGRATE
    extern int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
                          struct xfrm_migrate *m, int num_bundles);
    ...
    #endif

    We can also guard the function body itself in net/xfrm/xfrm_state.c
    with the same condition.

    (Problem spotted by sparse checker)
    make C=2 net/xfrm/xfrm_state.o
    ...
    net/xfrm/xfrm_state.c:1765:5: warning: symbol 'km_migrate' was not declared. Should it be static?
    ...

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

20 Dec, 2007

1 commit

  • In several places the arguments to the xfrm_audit_start() function are
    in the wrong order resulting in incorrect user information being
    reported. This patch corrects this by placing the arguments in the
    correct order.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

15 Dec, 2007

1 commit

  • Currently the IPsec protocol SPI values are written to the audit log in
    network byte order which is different from almost all other values which
    are recorded in host byte order. This patch corrects this inconsistency
    by writing the SPI values to the audit record in host byte order.

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

27 Nov, 2007

1 commit

  • The xfrm_timer calls __xfrm_state_delete, which drops the final reference
    manually without triggering destruction of the state. Change it to use
    xfrm_state_put to add the state to the gc list when we're dropping the
    last reference. The timer function may still continue to use the state
    safely since the final destruction does a del_timer_sync().

    Signed-off-by: Patrick McHardy
    Signed-off-by: Herbert Xu

    Patrick McHardy
     

18 Oct, 2007

3 commits

  • This patch adds a new field to xfrm states called inner_mode. The existing
    mode object is renamed to outer_mode.

    This is the first part of an attempt to fix inter-family transforms. As it
    is we always use the outer family when determining which mode to use. As a
    result we may end up shoving IPv4 packets into netfilter6 and vice versa.

    What we really want is to use the inner family for the first part of outbound
    processing and the outer family for the second part. For inbound processing
    we'd use the opposite pairing.

    I've also added a check to prevent silly combinations such as transport mode
    with inter-family transforms.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • It is convenient to have a pointer from xfrm_state to address-specific
    functions such as the output function for a family. Currently the
    address-specific policy code calls out to the xfrm state code to get
    those pointers when we could get it in an easier way via the state
    itself.

    This patch adds an xfrm_state_afinfo to xfrm_mode (since they're
    address-specific) and changes the policy code to use it. I've also
    added an owner field to do reference counting on the module providing
    the afinfo even though it isn't strictly necessary today since IPv6
    can't be unloaded yet.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • The type and mode maps are only used by SAs, not policies. So it makes
    sense to move them from xfrm_policy.c into xfrm_state.c. This also allows
    us to mark xfrm_get_type/xfrm_put_type/xfrm_get_mode/xfrm_put_mode as
    static.

    The only other change I've made in the move is to get rid of the casts
    on the request_module call for types. They're unnecessary because C
    will promote them to ints anyway.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

11 Oct, 2007

5 commits

  • This patch moves some common code that conceptually belongs to the xfrm core
    from af_key/xfrm_user into xfrm_alloc_spi.

    In particular, the spin lock on the state is now taken inside xfrm_alloc_spi.
    Previously it also protected the construction of the response PF_KEY/XFRM
    messages to user-space. This is inconsistent as other identical constructions
    are not protected by the state lock. This is bad because they in fact should
    be protected but only in certain spots (so as not to hold the lock for too
    long which may cause packet drops).

    The SPI byte order conversion has also been moved.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • There is no point in waking people up when creating/updating larval states
    because they'll just go back to sleep again as larval states by definition
    cannot be found by xfrm_state_find.

    We should only wake them up when the larvals mature or die.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • Now that the only callers of xfrm_replay_notify are in xfrm, we can remove
    the export.

    This patch also removes xfrm_aevent_doreplay since it's now called in just
    one spot.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • The functions xfrm_state_check and xfrm_state_check_space are only used by
    the output code in xfrm_output.c so we can move them over.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • This patch modifies the current ipsec audit layer
    by breaking it up into purpose driven audit calls.

    So far, the only audit calls made are when adding/deleting
    an SA/policy. It had been discussed to give each
    key manager its own calls to do this, but I found
    there to be much redundancy since they did the exact
    same things, except for how they got auid and sid, so I
    combined them. The below audit calls can be made by any
    key manager. Hopefully, this is ok.

    Signed-off-by: Joy Latten
    Signed-off-by: David S. Miller

    Joy Latten
     

14 Aug, 2007

1 commit


31 Jul, 2007

1 commit

  • This patch modifies the xfrm state selection logic to use the inner
    addresses where the outer have been (incorrectly) used. This is
    required for beet mode in general and interfamily setups in both
    tunnel and beet mode.

    Signed-off-by: Joakim Koskela
    Signed-off-by: Herbert Xu
    Signed-off-by: Diego Beltrami
    Signed-off-by: Miika Komu
    Acked-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Joakim Koskela
     

19 Jul, 2007

1 commit


11 Jul, 2007

1 commit


19 Jun, 2007

1 commit

  • My IPsec MTU optimization patch introduced a regression in MTU calculation
    for non-ESP SAs, the SA's header_len needs to be subtracted from the MTU if
    the transform doesn't provide a ->get_mtu() function.

    Reported-and-tested-by: Marco Berizzi

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     

08 Jun, 2007

1 commit

  • Currently we check for permission before deleting entries from SAD and
    SPD (see security_xfrm_policy_delete() and security_xfrm_state_delete()).
    However we are not checking for authorization when flushing the SPD and
    the SAD completely. It was perhaps missed in the original security hooks
    patch.

    This patch adds a security check when flushing entries from the SAD and
    SPD. It runs the entire database and checks each entry for a denial.
    If the process attempting the flush is unable to remove all of the
    entries, a denial is logged and the flush function returns an error
    without removing anything.

    This is particularly useful when a process may need to create or delete
    its own xfrm entries used for things like labeled networking but that
    same process should not be able to delete other entries or flush the
    entire database.

    Signed-off-by: Joy Latten
    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Joy Latten
     

31 May, 2007

1 commit


05 May, 2007

1 commit


26 Apr, 2007

4 commits

  • On a system with a lot of SAs, counting SAD entries chews useful
    CPU time since you need to dump the whole SAD to user space;
    i.e. something like ip xfrm state ls | grep -i src | wc -l
    I have seen it take literally minutes on 40K SAs when the system
    is swapping.
    With this patch, some of the SAD info (that was already being tracked)
    is exposed to user space. i.e. you do:
    ip xfrm state count
    And you get the count; you can also pass -s to the command line and
    get the hash info.

    Signed-off-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller

    Jamal Hadi Salim
     
  • Spring cleaning time...

    There seems to be a lot of places in the network code that have
    extra bogus semicolons after conditionals. Most commonly is a
    bogus semicolon after: switch() { }

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Stephen Hemminger
     
  • Replace the probing based MTU estimation, which usually takes 2-3 iterations
    to find a fitting value and may underestimate the MTU, by an exact calculation.

    Also fix underestimation of the XFRM trailer_len, which causes unnecessary
    reallocations.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • Where appropriate, convert references to xtime.tv_sec to the
    get_seconds() helper function.

    Signed-off-by: James Morris
    Signed-off-by: David S. Miller

    James Morris
     

05 Apr, 2007

1 commit