11 Jul, 2007

1 commit

  • It is a clean-up for XFRM type modules and adds aliases with its
    protocol:
    ESP, AH, IPCOMP, IPIP and IPv6 for IPsec
    ROUTING and DSTOPTS for MIPv6

    It is almost the same thing as the XFRM mode alias, but new
    XFRM_PROTO_XXX defines are added for preprocessing since some
    protocols are defined as enum.

    Signed-off-by: Masahide NAKAMURA
    Acked-by: Ingo Oeser
    Signed-off-by: David S. Miller

    Masahide NAKAMURA
     

26 Apr, 2007

9 commits


11 Feb, 2007

1 commit


03 Dec, 2006

1 commit


04 Oct, 2006

1 commit

  • This patch introduces the BEET mode (Bound End-to-End Tunnel) as
    specified by the IETF draft at the following link:

    http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-06.txt

    The patch provides only single family support (i.e. inner family =
    outer family).

    Signed-off-by: Diego Beltrami
    Signed-off-by: Miika Komu
    Signed-off-by: Herbert Xu
    Signed-off-by: Abhinav Pathak
    Signed-off-by: Jeff Ahrenholz
    Signed-off-by: David S. Miller

    Diego Beltrami
     

23 Sep, 2006

2 commits

  • First of all, if the xfrm_state only gets used for input
    packets this entropy is a complete waste.

    Secondly, it is often the case that a configuration loads
    many rules (perhaps even dynamically) and they don't all
    necessarily ever get used.

    This get_random_bytes() call was showing up in the profiles
    for xfrm_state inserts which is how I noticed this.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Transformation mode is used as either IPsec transport or tunnel.
    It is required to add two more items, route optimization and inbound trigger
    for Mobile IPv6.
    Based on MIPL2 kernel patch.

    This patch was also written by: Ville Nuorvala

    Signed-off-by: Masahide NAKAMURA
    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller

    Masahide NAKAMURA
     

21 Sep, 2006

2 commits

  • This patch converts IPsec to use the new HMAC template. The names of
    existing simple digest algorithms may still be used to refer to their
    HMAC composites.

    The same structure can be used by other MACs such as AES-XCBC-MAC.

    This patch also switches from the digest interface to hash.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • This patch converts IPSec/ESP to use the new block cipher type where
    applicable. Similar to the HMAC conversion, existing algorithm names
    have been kept for compatibility.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

22 Jul, 2006

1 commit


01 Jul, 2006

1 commit


18 Jun, 2006

1 commit

  • Now that we have xfrm_mode objects we can move the transport mode specific
    input decapsulation code into xfrm_mode_transport. This removes duplicate
    code as well as unnecessary header movement in case of tunnel mode SAs
    since we will discard the original IP header immediately.

    This also fixes a minor bug for transport-mode ESP where the IP payload
    length is set to the correct value minus the header length (with extension
    headers for IPv6).

    Of course the other neat thing is that we no longer have to allocate
    temporary buffers to hold the IP headers for ESP and IPComp.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

01 Apr, 2006

1 commit

  • This patch removes the decap_state argument from the xfrm input hook.
    Previously this function allowed the input hook to share state with
    the post_input hook. The latter has since been removed.

    The only purpose for it now is to check the encap type. However, it
    is easier and better to move the encap type check to the generic
    xfrm_rcv function. This allows us to get rid of the decap state
    argument altogether.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

21 Mar, 2006

1 commit


28 Feb, 2006

2 commits

  • The only reason post_input exists at all is that it gives us the
    potential to adjust the checksums incrementally in future which
    we ought to do.

    However, after thinking about it for a bit we can adjust the
    checksums without using this post_input stuff at all. The crucial
    point is that only the inner-most NAT-T SA needs to be considered
    when adjusting checksums. What's more, the checksum adjustment
    comes down to a single u32 due to the linearity of IP checksums.

    We just happen to have a spare u32 lying around in our skb structure :)
    When ip_summed is set to CHECKSUM_NONE on input, the value of skb->csum
    is currently unused. All we have to do is to make that the checksum
    adjustment and voila, there goes all the post_input and decap structures!

    I've left in the decap data structures for now since it's intricately
    woven into the sec_path stuff. We can kill them later too.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • We used to keep sg on the stack which is why the extra block was useful.
    We've long since stopped doing that so let's kill the block and save
    some indentation.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
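
The post_input commit above rests on the linearity of IP checksums: a NAT address rewrite shifts the one's-complement sum by a fixed amount, so a single u32 can cancel it. The following is an added illustration, not code from the kernel or from the commit; the function names, the addresses and the UDP segment are constructed for the example, and it assumes the NAT rewrote only the source address.

```c
#include <stdint.h>
#include <stdio.h>
/* Unfolded one's-complement sum of big-endian 16-bit words. */
static uint32_t csum_add(const uint8_t *p, size_t len, uint32_t sum)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    return sum;
}

/* Fold the carries back in and complement the result. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* UDP checksum over pseudo-header and segment, seeded with 'adj'. */
static uint16_t l4_csum(const uint8_t src[4], const uint8_t dst[4],
                        const uint8_t *seg, size_t len, uint32_t adj)
{
    uint32_t sum = csum_add(dst, 4, csum_add(src, 4, adj));
    sum += 17 + (uint32_t)len;      /* protocol (UDP) and length fields */
    return csum_fold(csum_add(seg, len, sum));
}

/* One u32 cancelling an address rewrite: original minus observed addresses. */
static uint32_t nat_adjust(const uint8_t osrc[4], const uint8_t odst[4],
                           const uint8_t nsrc[4], const uint8_t ndst[4])
{
    uint32_t seen = csum_add(ndst, 4, csum_add(nsrc, 4, 0));
    return csum_add(odst, 4, csum_add(osrc, 4, 0)) + csum_fold(seen); /* + ~seen */
}

/* Constructed sample: bit 0 = verifies without adj, bit 1 = verifies with it. */
static int demo(void)
{
    const uint8_t osrc[4] = {10, 0, 0, 5}, odst[4] = {198, 51, 100, 7};
    const uint8_t nsrc[4] = {203, 0, 113, 9};  /* source as seen after NAT */
    uint8_t seg[] = {0x11, 0x94, 0, 0x35, 0, 12, 0, 0, 'p', 'i', 'n', 'g'};
    uint16_t c = l4_csum(osrc, odst, seg, sizeof(seg), 0);
    seg[6] = (uint8_t)(c >> 8); seg[7] = (uint8_t)c;  /* sender fills it in */
    uint32_t adj = nat_adjust(osrc, odst, nsrc, odst);
    return (l4_csum(nsrc, odst, seg, sizeof(seg), 0) == 0)
         | (l4_csum(nsrc, odst, seg, sizeof(seg), adj) == 0) << 1;
}
int main(void) { printf("%d\n", demo()); return 0; }
```

The adjustment depends only on the original and observed addresses, never on the payload, which is why it fits in one spare 32-bit field.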
     

04 Jan, 2006

1 commit


11 Oct, 2005

2 commits

  • This patch fixes the following bugs in ESP:

    * Fix transport mode MTU overestimate. This means that the inner MTU
    is smaller than it needs be. Worse yet, given an input MTU which
    is a multiple of 4 it will always produce an estimate which is not
    a multiple of 4.

    For example, given a standard ESP/3DES/MD5 transform and an MTU of
    1500, the resulting MTU for transport mode is 1462 when it should
    be 1464.

    The reason for this is because IP header lengths are always a multiple
    of 4 for IPv4 and 8 for IPv6.

    * Ensure that the block size is at least 4. This is required by RFC2406
    and corresponds to what the esp_output function does. At the moment
    this only affects crypto_null as its block size is 1.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • This patch uses the macro ALIGN in all the applicable spots for ESP.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

02 Sep, 2005

1 commit

  • Since the patch to add a NULL short-circuit to crypto_free_tfm() went in,
    there's no longer any need for callers of that function to check for NULL.
    This patch removes the redundant NULL checks and also a few similar checks
    for NULL before calls to kfree() that I ran into while doing the
    crypto_free_tfm bits.

    I've successfully compile tested this patch, and a kernel with the patch
    applied boots and runs just fine.

    When I posted the patch to LKML (and other lists/people on Cc) it drew the
    following comments:

    J. Bruce Fields commented
    "I've no problem with the auth_gss or nfsv4 bits.--b."

    Sridhar Samudrala said
    "sctp change looks fine."

    Herbert Xu signed off on the patch.

    So, I guess this is ready to be dropped into -mm and eventually mainline.

    Signed-off-by: Jesper Juhl
    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Jesper Juhl
     

30 Aug, 2005

1 commit


21 Jun, 2005

1 commit

  • This patch adds xfrm_init_state which is simply a wrapper that calls
    xfrm_get_type and subsequently x->type->init_state. It also gets rid
    of the unused args argument.

    Abstracting it out allows us to add common initialisation code, e.g.,
    to set family-specific flags.

    The add_time setting in xfrm_user.c was deleted because it's already
    set by xfrm_state_alloc.

    Signed-off-by: Herbert Xu
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Herbert Xu
     

01 Jun, 2005

1 commit


17 Apr, 2005

1 commit

  • Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds