1. 31 10月, 2008 2 次提交
  2. 30 10月, 2008 1 次提交
  3. 29 10月, 2008 1 次提交
  4. 06 10月, 2008 1 次提交
  5. 01 10月, 2008 1 次提交
    • H
      ipsec: Put dumpers on the dump list · 12a169e7
      Herbert Xu 提交于
      Herbert Xu came up with the idea and the original patch to make
      xfrm_state dump list contain also dumpers:
      
      As it is we go to extraordinary lengths to ensure that states
      don't go away while dumpers go to sleep.  It's much easier if
      we just put the dumpers themselves on the list since they can't
      go away while they're going.
      
      I've also changed the order of addition on new states to prevent
      a never-ending dump.
      
      Timo Teräs improved the patch to apply cleanly to latest tree,
      modified iteration code to be more readable by using a common
      struct for entries in the list, implemented the same idea for
      xfrm_policy dumping and moved the af_key specific "last" entry
      caching to af_key.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      12a169e7
  6. 10 9月, 2008 1 次提交
  7. 09 9月, 2008 1 次提交
  8. 03 9月, 2008 1 次提交
  9. 20 7月, 2008 1 次提交
  10. 28 4月, 2008 1 次提交
  11. 22 4月, 2008 1 次提交
    • H
      [IPSEC]: Fix catch-22 with algorithm IDs above 31 · c5d18e98
      Herbert Xu 提交于
      As it stands it's impossible to use any authentication algorithms
      with an ID above 31 portably.  It just happens to work on x86 but
      fails miserably on ppc64.
      
      The reason is that we're using a bit mask to check the algorithm
      ID but the mask is only 32 bits wide.
      
      After looking at how this is used in the field, I have concluded
      that in the long term we should phase out state matching by IDs
      because this is made superfluous by the reqid feature.  For current
      applications, the best solution IMHO is to allow all algorithms when
      the bit masks are all ~0.
      
      The following patch does exactly that.
      
      This bug was identified by IBM when testing on the ppc64 platform
      using the NULL authentication algorithm which has an ID of 251.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5d18e98
  12. 13 4月, 2008 1 次提交
  13. 26 3月, 2008 1 次提交
  14. 25 3月, 2008 1 次提交
    • Y
      [XFRM] MIP6: Fix address keys for routing search. · 9bb182a7
      YOSHIFUJI Hideaki 提交于
      Each MIPv6 XFRM state (DSTOPT/RH2) holds either destination or source
      address to be mangled in the IPv6 header (that is "CoA").
      On Inter-MN communication after both nodes binds each other,
      they use route optimized traffic two MIPv6 states applied, and
      both source and destination address in the IPv6 header
      are replaced by the states respectively.
      The packet format is correct, however, next-hop routing search
      are not.
      This patch fixes it by remembering address pairs for later states.
      
      Based on patch from Masahide NAKAMURA <nakam@linux-ipv6.org>.
      Signed-off-by: NMasahide NAKAMURA <nakam@linux-ipv6.org>
      Signed-off-by: NYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      9bb182a7
  15. 29 2月, 2008 1 次提交
    • T
      [XFRM]: Speed up xfrm_policy and xfrm_state walking · 4c563f76
      Timo Teras 提交于
      Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
      This is achieved adding the entries to one more list which is used
      solely for walking the entries.
      
      This also fixes some races where the dump can have duplicate or missing
      entries when the SPD/SADB is modified during an ongoing dump.
      
      Dumping SADB with 20000 entries using "time ip xfrm state" the sys
      time dropped from 1.012s to 0.080s.
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c563f76
  16. 18 2月, 2008 1 次提交
  17. 29 1月, 2008 17 次提交
  18. 20 12月, 2007 1 次提交
  19. 11 12月, 2007 1 次提交
  20. 29 11月, 2007 1 次提交
    • H
      [IPSEC]: Fix uninitialised dst warning in __xfrm_lookup · 5e5234ff
      Herbert Xu 提交于
      Andrew Morton reported that __xfrm_lookup generates this warning:
      
      net/xfrm/xfrm_policy.c: In function '__xfrm_lookup':
      net/xfrm/xfrm_policy.c:1449: warning: 'dst' may be used uninitialized in this function
      
      This is because if policy->action is of an unexpected value then dst will
      not be initialised.  Of course, in practice this should never happen since
      the input layer xfrm_user/af_key will filter out all illegal values.  But
      the compiler doesn't know that of course.
      
      So this patch fixes this by taking the conservative approach and treat all
      unknown actions the same as a blocking action.
      
      Thanks to Andrew for finding this and providing an initial fix.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      5e5234ff
  21. 18 10月, 2007 3 次提交
    • H
      [IPSEC]: Rename mode to outer_mode and add inner_mode · 13996378
      Herbert Xu 提交于
      This patch adds a new field to xfrm states called inner_mode.  The existing
      mode object is renamed to outer_mode.
      
      This is the first part of an attempt to fix inter-family transforms.  As it
      is we always use the outer family when determining which mode to use.  As a
      result we may end up shoving IPv4 packets into netfilter6 and vice versa.
      
      What we really want is to use the inner family for the first part of outbound
      processing and the outer family for the second part.  For inbound processing
      we'd use the opposite pairing.
      
      I've also added a check to prevent silly combinations such as transport mode
      with inter-family transforms.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      13996378
    • H
      [IPSEC]: Add missing BEET checks · 1bfcb10f
      Herbert Xu 提交于
      Currently BEET mode does not reinject the packet back into the stack
      like tunnel mode does.  Since BEET should behave just like tunnel mode
      this is incorrect.
      
      This patch fixes this by introducing a flags field to xfrm_mode that
      tells the IPsec code whether it should terminate and reinject the packet
      back into the stack.
      
      It then sets the flag for BEET and tunnel mode.
      
      I've also added a number of missing BEET checks elsewhere where we check
      whether a given mode is a tunnel or not.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      1bfcb10f
    • H
      [IPSEC]: Move type and mode map into xfrm_state.c · aa5d62cc
      Herbert Xu 提交于
      The type and mode maps are only used by SAs, not policies.  So it makes
      sense to move them from xfrm_policy.c into xfrm_state.c.  This also allows
      us to mark xfrm_get_type/xfrm_put_type/xfrm_get_mode/xfrm_put_mode as
      static.
      
      The only other change I've made in the move is to get rid of the casts
      on the request_module call for types.  They're unnecessary because C
      will promote them to ints anyway.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aa5d62cc