1. 26 11月, 2008 18 次提交
  2. 31 10月, 2008 1 次提交
  3. 29 10月, 2008 1 次提交
  4. 06 10月, 2008 1 次提交
  5. 01 10月, 2008 1 次提交
    • H
      ipsec: Put dumpers on the dump list · 12a169e7
      Herbert Xu 提交于
      Herbert Xu came up with the idea and the original patch to make
      xfrm_state dump list contain also dumpers:
      
      As it is we go to extraordinary lengths to ensure that states
      don't go away while dumpers go to sleep.  It's much easier if
      we just put the dumpers themselves on the list since they can't
      go away while they're going.
      
      I've also changed the order of addition on new states to prevent
      a never-ending dump.
      
      Timo Teräs improved the patch to apply cleanly to latest tree,
      modified iteration code to be more readable by using a common
      struct for entries in the list, implemented the same idea for
      xfrm_policy dumping and moved the af_key specific "last" entry
      caching to af_key.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      12a169e7
  6. 23 9月, 2008 1 次提交
    • H
      ipsec: Fix xfrm_state_walk race · 5c182458
      Herbert Xu 提交于
      As discovered by Timo Teräs, the currently xfrm_state_walk scheme
      is racy because if a second dump finishes before the first, we
      may free xfrm states that the first dump would walk over later.
      
      This patch fixes this by storing the dumps in a list in order
      to calculate the correct completion counter which cures this
      problem.
      
      I've expanded netlink_cb in order to accomodate the extra state
      related to this.  It shouldn't be a big deal since netlink_cb
      is kmalloced for each dump and we're just increasing it by 4 or
      8 bytes.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5c182458
  7. 10 9月, 2008 1 次提交
  8. 04 5月, 2008 1 次提交
    • M
      xfrm: convert empty xfrm_audit_* macros to functions · 41fef0ee
      Marcin Slusarz 提交于
      it removes these warnings when CONFIG_AUDITSYSCALL is unset:
      
      net/xfrm/xfrm_user.c: In function 'xfrm_add_sa':
      net/xfrm/xfrm_user.c:412: warning: unused variable 'sid'
      net/xfrm/xfrm_user.c:411: warning: unused variable 'sessionid'
      net/xfrm/xfrm_user.c:410: warning: unused variable 'loginuid'
      net/xfrm/xfrm_user.c: In function 'xfrm_del_sa':
      net/xfrm/xfrm_user.c:485: warning: unused variable 'sid'
      net/xfrm/xfrm_user.c:484: warning: unused variable 'sessionid'
      net/xfrm/xfrm_user.c:483: warning: unused variable 'loginuid'
      net/xfrm/xfrm_user.c: In function 'xfrm_add_policy':
      net/xfrm/xfrm_user.c:1132: warning: unused variable 'sid'
      net/xfrm/xfrm_user.c:1131: warning: unused variable 'sessionid'
      net/xfrm/xfrm_user.c:1130: warning: unused variable 'loginuid'
      net/xfrm/xfrm_user.c: In function 'xfrm_get_policy':
      net/xfrm/xfrm_user.c:1382: warning: unused variable 'sid'
      net/xfrm/xfrm_user.c:1381: warning: unused variable 'sessionid'
      net/xfrm/xfrm_user.c:1380: warning: unused variable 'loginuid'
      net/xfrm/xfrm_user.c: In function 'xfrm_add_pol_expire':
      net/xfrm/xfrm_user.c:1620: warning: unused variable 'sid'
      net/xfrm/xfrm_user.c:1619: warning: unused variable 'sessionid'
      net/xfrm/xfrm_user.c:1618: warning: unused variable 'loginuid'
      net/xfrm/xfrm_user.c: In function 'xfrm_add_sa_expire':
      net/xfrm/xfrm_user.c:1658: warning: unused variable 'sid'
      net/xfrm/xfrm_user.c:1657: warning: unused variable 'sessionid'
      net/xfrm/xfrm_user.c:1656: warning: unused variable 'loginuid'
      Signed-off-by: NMarcin Slusarz <marcin.slusarz@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      41fef0ee
  9. 28 4月, 2008 1 次提交
  10. 22 4月, 2008 1 次提交
    • H
      [IPSEC]: Fix catch-22 with algorithm IDs above 31 · c5d18e98
      Herbert Xu 提交于
      As it stands it's impossible to use any authentication algorithms
      with an ID above 31 portably.  It just happens to work on x86 but
      fails miserably on ppc64.
      
      The reason is that we're using a bit mask to check the algorithm
      ID but the mask is only 32 bits wide.
      
      After looking at how this is used in the field, I have concluded
      that in the long term we should phase out state matching by IDs
      because this is made superfluous by the reqid feature.  For current
      applications, the best solution IMHO is to allow all algorithms when
      the bit masks are all ~0.
      
      The following patch does exactly that.
      
      This bug was identified by IBM when testing on the ppc64 platform
      using the NULL authentication algorithm which has an ID of 251.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5d18e98
  11. 27 3月, 2008 1 次提交
    • H
      [IPSEC]: Fix BEET output · 732c8bd5
      Herbert Xu 提交于
      The IPv6 BEET output function is incorrectly including the inner
      header in the payload to be protected.  This causes a crash as
      the packet doesn't actually have that many bytes for a second
      header.
      
      The IPv4 BEET output on the other hand is broken when it comes
      to handling an inner IPv6 header since it always assumes an
      inner IPv4 header.
      
      This patch fixes both by making sure that neither BEET output
      function touches the inner header at all.  All access is now
      done through the protocol-independent cb structure.  Two new
      attributes are added to make this work, the IP header length
      and the IPv4 option length.  They're filled in by the inner
      mode's output function.
      
      Thanks to Joakim Koskela for finding this problem.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      732c8bd5
  12. 25 3月, 2008 2 次提交
  13. 18 3月, 2008 1 次提交
  14. 29 2月, 2008 1 次提交
    • T
      [XFRM]: Speed up xfrm_policy and xfrm_state walking · 4c563f76
      Timo Teras 提交于
      Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
      This is achieved adding the entries to one more list which is used
      solely for walking the entries.
      
      This also fixes some races where the dump can have duplicate or missing
      entries when the SPD/SADB is modified during an ongoing dump.
      
      Dumping SADB with 20000 entries using "time ip xfrm state" the sys
      time dropped from 1.012s to 0.080s.
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c563f76
  15. 13 2月, 2008 1 次提交
  16. 01 2月, 2008 2 次提交
  17. 29 1月, 2008 5 次提交
    • W
      [XFRM] xfrm_policy_destroy: Rename and relative fixes. · 64c31b3f
      WANG Cong 提交于
      Since __xfrm_policy_destroy is used to destory the resources
      allocated by xfrm_policy_alloc. So using the name
      __xfrm_policy_destroy is not correspond with xfrm_policy_alloc.
      Rename it to xfrm_policy_destroy.
      
      And along with some instances that call xfrm_policy_alloc
      but not using xfrm_policy_destroy to destroy the resource,
      fix them.
      Signed-off-by: NWANG Cong <xiyou.wangcong@gmail.com>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      64c31b3f
    • H
      [IPSEC]: Kill duplicate xfrm_policy_flush prototype · 9ef32d0d
      Herbert Xu 提交于
      For five years we had two xfrm_policy_flush prototypes and every time that
      function's signature changed people have been diligently updating both of
      them without noticing :)
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9ef32d0d
    • P
      [XFRM]: RFC4303 compliant auditing · afeb14b4
      Paul Moore 提交于
      This patch adds a number of new IPsec audit events to meet the auditing
      requirements of RFC4303.  This includes audit hooks for the following events:
      
       * Could not find a valid SA [sections 2.1, 3.4.2]
         . xfrm_audit_state_notfound()
         . xfrm_audit_state_notfound_simple()
      
       * Sequence number overflow [section 3.3.3]
         . xfrm_audit_state_replay_overflow()
      
       * Replayed packet [section 3.4.3]
         . xfrm_audit_state_replay()
      
       * Integrity check failure [sections 3.4.4.1, 3.4.4.2]
         . xfrm_audit_state_icvfail()
      
      While RFC4304 deals only with ESP most of the changes in this patch apply to
      IPsec in general, i.e. both AH and ESP.  The one case, integrity check
      failure, where ESP specific code had to be modified the same was done to the
      AH code for the sake of consistency.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      afeb14b4
    • P
      [XFRM]: Assorted IPsec fixups · 68277acc
      Paul Moore 提交于
      This patch fixes a number of small but potentially troublesome things in the
      XFRM/IPsec code:
      
       * Use the 'audit_enabled' variable already in include/linux/audit.h
         Removed the need for extern declarations local to each XFRM audit fuction
      
       * Convert 'sid' to 'secid' everywhere we can
         The 'sid' name is specific to SELinux, 'secid' is the common naming
         convention used by the kernel when refering to tokenized LSM labels,
         unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
         we risk breaking userspace
      
       * Convert address display to use standard NIP* macros
         Similar to what was recently done with the SPD audit code, this also also
         includes the removal of some unnecessary memcpy() calls
      
       * Move common code to xfrm_audit_common_stateinfo()
         Code consolidation from the "less is more" book on software development
      
       * Proper spacing around commas in function arguments
         Minor style tweak since I was already touching the code
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      68277acc
    • M
      [XFRM]: Define packet dropping statistics. · 558f82ef
      Masahide NAKAMURA 提交于
      This statistics is shown factor dropped by transformation
      at /proc/net/xfrm_stat for developer.
      It is a counter designed from current transformation source code
      and defined as linux private MIB.
      
      See Documentation/networking/xfrm_proc.txt for the detail.
      Signed-off-by: NMasahide NAKAMURA <nakam@linux-ipv6.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      558f82ef