1. 24 2月, 2011 1 次提交
  2. 23 2月, 2011 8 次提交
  3. 09 2月, 2011 1 次提交
    • N
      ipsec: allow to align IPv4 AH on 32 bits · fa9921e4
      Nicolas Dichtel 提交于
      The Linux IPv4 AH stack aligns the AH header on a 64 bit boundary
      (like in IPv6). This is not RFC compliant (see RFC4302, Section
      3.3.3.2.1), it should be aligned on 32 bits.
      
      For most of the authentication algorithms, the ICV size is 96 bits.
      The AH header alignment on 32 or 64 bits gives the same results.
      
      However for SHA-256-128 for instance, the wrong 64 bit alignment results
      in adding useless padding in IPv4 AH, which is forbidden by the RFC.
      
      To avoid breaking backward compatibility, we use a new flag
      (XFRM_STATE_ALIGN4) do change original behavior.
      
      Initial patch from Dang Hongwu <hongwu.dang@6wind.com> and
      Christophe Gouault <christophe.gouault@6wind.com>.
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fa9921e4
  4. 11 12月, 2010 1 次提交
  5. 29 11月, 2010 1 次提交
  6. 16 11月, 2010 1 次提交
  7. 28 10月, 2010 1 次提交
  8. 26 10月, 2010 1 次提交
  9. 21 10月, 2010 2 次提交
  10. 21 9月, 2010 1 次提交
    • T
      xfrm: Allow different selector family in temporary state · 8444cf71
      Thomas Egerer 提交于
      The family parameter xfrm_state_find is used to find a state matching a
      certain policy. This value is set to the template's family
      (encap_family) right before xfrm_state_find is called.
      The family parameter is however also used to construct a temporary state
      in xfrm_state_find itself which is wrong for inter-family scenarios
      because it produces a selector for the wrong family. Since this selector
      is included in the xfrm_user_acquire structure, user space programs
      misinterpret IPv6 addresses as IPv4 and vice versa.
      This patch splits up the original init_tempsel function into a part that
      initializes the selector respectively the props and id of the temporary
      state, to allow for differing ip address families whithin the state.
      Signed-off-by: NThomas Egerer <thomas.egerer@secunet.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8444cf71
  11. 01 7月, 2010 1 次提交
  12. 09 4月, 2010 1 次提交
  13. 07 4月, 2010 2 次提交
    • T
      xfrm: cache bundles instead of policies for outgoing flows · 80c802f3
      Timo Teräs 提交于
      __xfrm_lookup() is called for each packet transmitted out of
      system. The xfrm_find_bundle() does a linear search which can
      kill system performance depending on how many bundles are
      required per policy.
      
      This modifies __xfrm_lookup() to store bundles directly in
      the flow cache. If we did not get a hit, we just create a new
      bundle instead of doing slow search. This means that we can now
      get multiple xfrm_dst's for same flow (on per-cpu basis).
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      80c802f3
    • T
      flow: virtualize flow cache entry methods · fe1a5f03
      Timo Teräs 提交于
      This allows to validate the cached object before returning it.
      It also allows to destruct object properly, if the last reference
      was held in flow cache. This is also a prepartion for caching
      bundles in the flow cache.
      
      In return for virtualizing the methods, we save on:
      - not having to regenerate the whole flow cache on policy removal:
        each flow matching a killed policy gets refreshed as the getter
        function notices it smartly.
      - we do not have to call flow_cache_flush from policy gc, since the
        flow cache now properly deletes the object if it had any references
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fe1a5f03
  14. 30 3月, 2010 1 次提交
    • T
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo 提交于
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the followings.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Guess-its-ok-by: NChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  15. 03 3月, 2010 1 次提交
  16. 23 2月, 2010 3 次提交
  17. 13 2月, 2010 1 次提交
  18. 28 1月, 2010 1 次提交
  19. 24 1月, 2010 1 次提交
  20. 26 11月, 2009 1 次提交
  21. 09 11月, 2009 1 次提交
    • Y
      xfrm: SAD entries do not expire correctly after suspend-resume · 9e0d57fd
      Yury Polyanskiy 提交于
        This fixes the following bug in the current implementation of
      net/xfrm: SAD entries timeouts do not count the time spent by the machine 
      in the suspended state. This leads to the connectivity problems because 
      after resuming local machine thinks that the SAD entry is still valid, while 
      it has already been expired on the remote server.
      
        The cause of this is very simple: the timeouts in the net/xfrm are bound to 
      the old mod_timer() timers. This patch reassigns them to the
      CLOCK_REALTIME hrtimer.
      
        I have been using this version of the patch for a few months on my
      machines without any problems. Also run a few stress tests w/o any
      issues.
      
        This version of the patch uses tasklet_hrtimer by Peter Zijlstra
      (commit 9ba5f0).
      
        This patch is against 2.6.31.4. Please CC me.
      Signed-off-by: NYury Polyanskiy <polyanskiy@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9e0d57fd
  22. 04 11月, 2009 1 次提交
  23. 19 10月, 2009 1 次提交
  24. 31 7月, 2009 1 次提交
    • N
      xfrm: select sane defaults for xfrm[4|6] gc_thresh · a33bc5c1
      Neil Horman 提交于
      Choose saner defaults for xfrm[4|6] gc_thresh values on init
      
      Currently, the xfrm[4|6] code has hard-coded initial gc_thresh values
      (set to 1024).  Given that the ipv4 and ipv6 routing caches are sized
      dynamically at boot time, the static selections can be non-sensical.
      This patch dynamically selects an appropriate gc threshold based on
      the corresponding main routing table size, using the assumption that
      we should in the worst case be able to handle as many connections as
      the routing table can.
      
      For ipv4, the maximum route cache size is 16 * the number of hash
      buckets in the route cache.  Given that xfrm4 starts garbage
      collection at the gc_thresh and prevents new allocations at 2 *
      gc_thresh, we set gc_thresh to half the maximum route cache size.
      
      For ipv6, its a bit trickier.  there is no maximum route cache size,
      but the ipv6 dst_ops gc_thresh is statically set to 1024.  It seems
      sane to select a simmilar gc_thresh for the xfrm6 code that is half
      the number of hash buckets in the v6 route cache times 16 (like the v4
      code does).
      Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a33bc5c1
  25. 23 6月, 2009 1 次提交
  26. 03 6月, 2009 1 次提交
  27. 26 11月, 2008 3 次提交