27 Dec, 2013
1 commit
-
Signed-off-by: Weilong Chen
Signed-off-by: David S. Miller
24 Feb, 2012
1 commit
-
Niccolo Belli reported ipsec crashes in case we handle a frame without
mac header (atm in his case)Before copying mac header, better make sure it is present.
Bugzilla reference: https://bugzilla.kernel.org/show_bug.cgi?id=42809
Reported-by: Niccolò Belli
Tested-by: Niccolò Belli
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
06 Aug, 2008
1 commit
-
Here's a revised version, based on Herbert's comments, of a fix for
the ipv6-inner, ipv4-outer interfamily ipsec beet mode. It fixes the
network header adjustment in interfamily, and doesn't reserve space
for the pseudo header anymore when we have ipv6 as the inner family.Signed-off-by: Joakim Koskela
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
27 Mar, 2008
1 commit
-
The IPv6 BEET output function is incorrectly including the inner
header in the payload to be protected. This causes a crash as
the packet doesn't actually have that many bytes for a second
header.The IPv4 BEET output on the other hand is broken when it comes
to handling an inner IPv6 header since it always assumes an
inner IPv4 header.This patch fixes both by making sure that neither BEET output
function touches the inner header at all. All access is now
done through the protocol-independent cb structure. Two new
attributes are added to make this work, the IP header length
and the IPv4 option length. They're filled in by the inner
mode's output function.Thanks to Joakim Koskela for finding this problem.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
05 Feb, 2008
1 commit
-
A bug every C programmer makes at some point in time...
Signed-off-by: Adrian Bunk
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
29 Jan, 2008
2 commits
-
With inter-family transforms the inner mode differs from the outer
mode. Attempting to handle both sides from the same function means
that it needs to handle both IPv4 and IPv6 which creates duplication
and confusion.This patch separates the two parts on the input path so that each
function deals with one family only.In particular, the functions xfrm4_extract_inut/xfrm6_extract_inut
moves the pertinent fields from the IPv4/IPv6 IP headers into a
neutral format stored in skb->cb. This is then used by the inner mode
input functions to modify the inner IP header. In this way the input
function no longer has to know about the outer address family.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
With inter-family transforms the inner mode differs from the outer
mode. Attempting to handle both sides from the same function means
that it needs to handle both IPv4 and IPv6 which creates duplication
and confusion.This patch separates the two parts on the output path so that each
function deals with one family only.In particular, the functions xfrm4_extract_output/xfrm6_extract_output
moves the pertinent fields from the IPv4/IPv6 IP headers into a
neutral format stored in skb->cb. This is then used by the outer mode
output functions to write the outer IP header. In this way the output
function no longer has to know about the inner address family.Since the extract functions are only called by tunnel modes (the only
modes that can support inter-family transforms), I've also moved the
xfrm*_tunnel_check_size calls into them. This allows the correct ICMP
message to be sent as opposed to now where you might call icmp_send
with an IPv6 packet and vice versa.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
18 Oct, 2007
1 commit
-
Currently BEET mode does not reinject the packet back into the stack
like tunnel mode does. Since BEET should behave just like tunnel mode
this is incorrect.This patch fixes this by introducing a flags field to xfrm_mode that
tells the IPsec code whether it should terminate and reinject the packet
back into the stack.It then sets the flag for BEET and tunnel mode.
I've also added a number of missing BEET checks elsewhere where we check
whether a given mode is a tunnel or not.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Oct, 2007
3 commits
-
This patch moves the setting of the IP length and checksum fields out of
the transforms and into the xfrmX_output functions. This would help future
efforts in merging the transforms themselves.It also adds an optimisation to ipcomp due to the fact that the transport
offset is guaranteed to be zero.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The IPv6 calling convention for x->mode->output is more general and could
help an eventual protocol-generic x->type->output implementation. This
patch adopts it for IPv4 as well and modifies the IPv4 type output functions
accordingly.It also rewrites the IPv6 mac/transport header calculation to be based off
the network header where practical.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch changes the calling convention so that on entry from
x->mode->output and before entry into x->type->output skb->data
will point to the payload instead of the IP header.This is essentially a redistribution of skb_push/skb_pull calls
with the aim of minimising them on the common path of tunnel +
ESP.It'll also let us use the same calling convention between IPv4
and IPv6 with the next patch.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
26 Apr, 2007
9 commits
-
esp_init_state doesn't account for the beet pseudo header in the header_len
calculation, which may result in undersized skbs hitting xfrm4_beet_output,
causing unnecessary reallocations in ip_finish_output2.The skbs should still always have enough room to avoid causing
skb_under_panic in skb_push since we have at least 16 bytes available
from LL_RESERVED_SPACE in xfrm_state_check_space.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Remove unnecessary initialization/variable.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Renaming skb->h to skb->transport_header, skb->nh to skb->network_header and
skb->mac to skb->mac_header, to match the names of the associated helpers
(skb[_[re]set]_{transport,network,mac}_header).Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: David S. Miller
-
For the places where we need a pointer to the transport header, it is
still legal to touch skb->h.raw directly if just adding to,
subtracting from or setting it to another layer header.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
For the places where we need a pointer to the network header, it is still legal
to touch skb->nh.raw directly if just adding to, subtracting from or setting it
to another layer header.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
skb_push updates and returns skb->data, so we can just call
skb_reset_network_header after the call to skb_push.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
24 Apr, 2007
1 commit
-
draft-nikander-esp-beet-mode-07.txt is not entirely clear on how the length
value of the pseudo header should be calculated, it states "The Header Length
field contains the length of the pseudo header, IPv4 options, and padding in
8 octets units.", but also states "Length in octets (Header Len + 1) * 8".
draft-nikander-esp-beet-mode-08-pre1.txt [1] clarifies this, the header length
should not include the first 8 byte.This change affects backwards compatibility, but option encapsulation didn't
work until very recently anyway.[1] http://users.piuha.net/jmelen/BEET/draft-nikander-esp-beet-mode-08-pre1.txt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
06 Apr, 2007
4 commits
-
Beet mode looks for the beet pseudo header after the outer IP header,
which is wrong since that is followed by the ESP header. Additionally
it needs to adjust the packet length after removing the pseudo header
and point the data pointer to the real data location.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Beet mode decapsulation fails to properly set up the skb pointers, which
only works by accident in combination with CONFIG_NETFILTER, since in that
case the skb is fixed up in xfrm4_input before passing it to the netfilter
hooks.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
draft-nikander-esp-beet-mode-07.txt states "The padding MUST be filled
with NOP options as defined in Internet Protocol [1] section 3.1
Internet header format.", so do that.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Beet mode calculates an incorrect value for the transport header location
when IP options are present, resulting in encapsulation errors.The correct location is 4 or 8 bytes before the end of the original IP
header, depending on whether the pseudo header is padded.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
04 Oct, 2006
1 commit
-
This patch introduces the BEET mode (Bound End-to-End Tunnel) with as
specified by the ietf draft at the following link:http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-06.txt
The patch provides only single family support (i.e. inner family =
outer family).Signed-off-by: Diego Beltrami
Signed-off-by: Miika Komu
Signed-off-by: Herbert Xu
Signed-off-by: Abhinav Pathak
Signed-off-by: Jeff Ahrenholz
Signed-off-by: David S. Miller
