11 Dec, 2010
1 commit
-
The XFRMA_TFCPAD attribute for XFRM state installation configures
Traffic Flow Confidentiality by padding ESP packets to a specified
length.Signed-off-by: Martin Willi
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
23 Feb, 2010
1 commit
-
Add basic structuring and accessors for xfrm mark
Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
26 Nov, 2009
1 commit
-
The new XFRMA_ALG_AUTH_TRUNC attribute taking a xfrm_algo_auth as
argument allows the installation of authentication algorithms with
a truncation length specified in userspace, i.e. SHA256 with 128 bit
instead of 96 bit truncation.Signed-off-by: Martin Willi
Signed-off-by: David S. Miller
05 Nov, 2009
1 commit
-
This cleanup patch puts struct/union/enum opening braces,
in first line to ease grep games.struct something
{becomes :
struct something {
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
27 Mar, 2009
1 commit
-
A number of standard posix types are used in exported headers, which
is not allowed if __STRICT_KERNEL_NAMES is defined. In order to
get rid of the non-__STRICT_KERNEL_NAMES part and to make sane headers
the default, we have to change them all to safe types.There are also still some leftovers in reiserfs_fs.h, elfcore.h
and coda.h, but these files have not compiled in user space for
a long time.This leaves out the various integer types ({u_,u,}int{8,16,32,64}_t),
which we take care of separately.Signed-off-by: Arnd Bergmann
Acked-by: Mauro Carvalho Chehab
Cc: David Airlie
Cc: Arnaldo Carvalho de Melo
Cc: YOSHIFUJI Hideaki
Cc: netdev@vger.kernel.org
Cc: linux-ppp@vger.kernel.org
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Cc: David Woodhouse
Signed-off-by: H. Peter Anvin
Signed-off-by: Ingo Molnar
29 Oct, 2008
1 commit
-
Add new_mapping() implementation to the netlink xfrm_mgr to notify
address/port changes detected in UDP encapsulated ESP packets.Signed-off-by: Martin Willi
Signed-off-by: David S. Miller
06 Oct, 2008
1 commit
-
Provides implementation of the enhancements of XFRM/PF_KEY MIGRATE mechanism
specified in draft-ebalard-mext-pfkey-enhanced-migrate-00. Defines associated
PF_KEY SADB_X_EXT_KMADDRESS extension and XFRM/netlink XFRMA_KMADDRESS
attribute.Signed-off-by: Arnaud Ebalard
Signed-off-by: David S. Miller
11 Jul, 2008
1 commit
-
Add a XFRM_STATE_AF_UNSPEC flag to handle the AF_UNSPEC behavior for
the selector family. Userspace applications can set this flag to leave
the selector family of the xfrm_state unspecified. This can be used
to to handle inter family tunnels if the selector is not set from
userspace.Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
25 Apr, 2008
1 commit
-
In commit ba749ae98d5aa9d2ce9a7facde0deed454f92230 ([XFRM]: alg_key_len
should be unsigned to avoid integer divides
)
alg_key_len field of struct xfrm_algo was converted to unsigned int to
avoid integer divides.Then Herbert in commit 1a6509d991225ad210de54c63314fd9542922095
([IPSEC]: Add support for combined mode algorithms) added a new
structure xfrm_algo_aead, that resurrected a signed int for alg_key_len
and re-introduce integer divides.This patch avoids these divides and saves 64 bytes of text on i386.
Signed-off-by: Eric Dumazet
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
29 Feb, 2008
1 commit
-
Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
This is achieved adding the entries to one more list which is used
solely for walking the entries.This also fixes some races where the dump can have duplicate or missing
entries when the SPD/SADB is modified during an ongoing dump.Dumping SADB with 20000 entries using "time ip xfrm state" the sys
time dropped from 1.012s to 0.080s.Signed-off-by: Timo Teras
Signed-off-by: David S. Miller
01 Feb, 2008
1 commit
-
This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms
is identified by its name and the ICV length.For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms. This is in line with how they are negotiated using IKE.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
29 Jan, 2008
4 commits
-
Realign struct members.
Signed-off-by: David S. Miller
-
alg_key_len is currently defined as 'signed int'. This unfortunatly
leads to integer divides in several paths.Converting it to unsigned is safe and saves 208 bytes of text on i386.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch implements this
for ICMP traffic that originates from or terminates on localhost.This is activated on outbound with the new policy flag XFRM_POLICY_ICMP,
and on inbound by the new state flag XFRM_STATE_ICMP.On inbound the policy check is now performed by the ICMP protocol so
that it can repeat the policy check where necessary.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch adds the functions
xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get
the reverse flow to perform such a lookup.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
05 May, 2007
2 commits
-
Aggregate the SPD info TLVs.
Signed-off-by: Jamal Hadi Salim
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Aggregate the SAD info TLVs.
Signed-off-by: Jamal Hadi Salim
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Apr, 2007
1 commit
-
With this patch you can use iproute2 in user space to efficiently see
how many policies exist in different directions.Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
26 Apr, 2007
1 commit
-
On a system with a lot of SAs, counting SAD entries chews useful
CPU time since you need to dump the whole SAD to user space;
i.e something like ip xfrm state ls | grep -i src | wc -l
I have seen taking literally minutes on a 40K SAs when the system
is swapping.
With this patch, some of the SAD info (that was already being tracked)
is exposed to user space. i.e you do:
ip xfrm state count
And you get the count; you can also pass -s to the command line and
get the hash info.Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
09 Feb, 2007
1 commit
-
Extend the XFRM framework so that endpoint address(es) in the XFRM
databases could be dynamically updated according to a request (MIGRATE
message) from user application. Target XFRM policy is first identified
by the selector in the MIGRATE message. Next, the endpoint addresses
of the matching templates and XFRM states are updated according to
the MIGRATE message.Signed-off-by: Shinta Sugimoto
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
09 Dec, 2006
1 commit
-
XFRMGRP_REPORT uses 0x10 which is a group that belongs
to events. The correct value is 0x20.
We should really be using xfrm_nlgroups going forward; it was tempting
to delete the definition of XFRMGRP_REPORT but it would break at
least iproute2.Signed-off-by: J Hadi Salim
Signed-off-by: David S. Miller
03 Dec, 2006
2 commits
-
aevents can not uniquely identify an SA. We break the ABI with this
patch, but consensus is that since it is not yet utilized by any
(known) application then it is fine (better do it now than later).Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
04 Oct, 2006
1 commit
-
This patch introduces the BEET mode (Bound End-to-End Tunnel) with as
specified by the ietf draft at the following link:http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-06.txt
The patch provides only single family support (i.e. inner family =
outer family).Signed-off-by: Diego Beltrami
Signed-off-by: Miika Komu
Signed-off-by: Herbert Xu
Signed-off-by: Abhinav Pathak
Signed-off-by: Jeff Ahrenholz
Signed-off-by: David S. Miller
29 Sep, 2006
4 commits
-
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller -
Signed-off-by: Al Viro
Signed-off-by: David S. Miller
23 Sep, 2006
8 commits
-
Sub policy can be used through netlink socket.
PF_KEY uses main only and it is TODO to support sub.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Sub policy is introduced. Main and sub policy are applied the same flow.
(Policy that current kernel uses is named as main.)
It is required another transformation policy management to keep IPsec
and Mobile IPv6 lives separate.
Policy which lives shorter time in kernel should be a sub i.e. normally
main is for IPsec and sub is for Mobile IPv6.
(Such usage as two IPsec policies on different database can be used, too.)Limitation or TODOs:
- Sub policy is not supported for per socket one (it is always inserted as main).
- Current kernel makes cached outbound with flowi to skip searching database.
However this patch makes it disabled only when "two policies are used and
the first matched one is bypass case" because neither flowi nor bundle
information knows about transformation template size.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki -
XFRM_MSG_REPORT is a message as notification of state protocol and
selector from kernel to user-space.Mobile IPv6 will use it when inbound reject is occurred at route
optimization to make user-space know a binding error requirement.Based on MIPL2 kernel patch.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
With this patch transformation state is updated last used time
for each sending. Xtime is used for it like other state lifetime
expiration.
Mobile IPv6 enabled nodes will want to know traffic status of each
binding (e.g. judgement to request binding refresh by correspondent node,
or to keep home/care-of nonce alive by mobile node).
The last used timestamp is an important hint about it.
Based on MIPL2 kernel patch.This patch was also written by: Henrik Petander
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Care-of address is carried by state as a transformation option like
IPsec encryption/authentication algorithm.Based on MIPL2 kernel patch.
Signed-off-by: Noriaki TAKAMIYA
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki -
XFRM_STATE_WILDRECV flag is introduced; the last resort state is set
it and receives packet which is not route optimized but uses such
extension headers i.e. Mobile IPv6 signaling (binding update and
acknowledgement). A node enabled Mobile IPv6 adds the state.Based on MIPL2 kernel patch.
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
This is a support to search transformation states by its addresses
by using source address list for Mobile IPv6 usage.
To use it from user-space, it is also added a message type for
source address as a xfrm state option.
Based on MIPL2 kernel patch.Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Transformation mode is used as either IPsec transport or tunnel.
It is required to add two more items, route optimization and inbound trigger
for Mobile IPv6.
Based on MIPL2 kernel patch.This patch was also written by: Ville Nuorvala
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
18 Jun, 2006
1 commit
-
This patch adds the structure xfrm_mode. It is meant to represent
the operations carried out by transport/tunnel modes.By doing this we allow additional encapsulation modes to be added
without clogging up the xfrm_input/xfrm_output paths.Candidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and
BEET modes.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
21 Mar, 2006
2 commits
-
struct xfrm_aevent_id needs to be 32-bit + 64-bit align friendly.
Based upon suggestions from Yoshifuji.
Signed-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller -
This patch provides the core functionality needed for sync events
for ipsec. Derived work of Krisztian KOVACSSigned-off-by: Jamal Hadi Salim
Signed-off-by: David S. Miller
04 Jan, 2006
1 commit
-
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.Signed-off-by: Trent Jaeger
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
