1. 01 6月, 2013 1 次提交
  2. 06 3月, 2013 1 次提交
    • N
      xfrm: allow to avoid copying DSCP during encapsulation · a947b0a9
      Nicolas Dichtel 提交于
      By default, DSCP is copying during encapsulation.
      Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
      different DSCP may get reordered relative to each other in the network and then
      dropped by the remote IPsec GW if the reordering becomes too big compared to the
      replay window.
      
      It is possible to avoid this copy with netfilter rules, but it's very convenient
      to be able to configure it for each SA directly.
      
      This patch adds a toogle for this purpose. By default, it's not set to maintain
      backward compatibility.
      
      Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      a947b0a9
  3. 06 2月, 2013 1 次提交
    • S
      xfrm: Add a state resolution packet queue · a0073fe1
      Steffen Klassert 提交于
      As the default, we blackhole packets until the key manager resolves
      the states. This patch implements a packet queue where IPsec packets
      are queued until the states are resolved. We generate a dummy xfrm
      bundle, the output routine of the returned route enqueues the packet
      to a per policy queue and arms a timer that checks for state resolution
      when dst_output() is called. Once the states are resolved, the packets
      are sent out of the queue. If the states are not resolved after some
      time, the queue is flushed.
      
      This patch keeps the defaut behaviour to blackhole packets as long
      as we have no states. To enable the packet queue the sysctl
      xfrm_larval_drop must be switched off.
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      a0073fe1
  4. 01 2月, 2013 1 次提交
  5. 30 1月, 2013 2 次提交
  6. 21 1月, 2013 1 次提交
  7. 13 11月, 2012 1 次提交
  8. 18 9月, 2012 1 次提交
    • E
      userns: Convert the audit loginuid to be a kuid · e1760bd5
      Eric W. Biederman 提交于
      Always store audit loginuids in type kuid_t.
      
      Print loginuids by converting them into uids in the appropriate user
      namespace, and then printing the resulting uid.
      
      Modify audit_get_loginuid to return a kuid_t.
      
      Modify audit_set_loginuid to take a kuid_t.
      
      Modify /proc/<pid>/loginuid on read to convert the loginuid into the
      user namespace of the opener of the file.
      
      Modify /proc/<pid>/loginud on write to convert the loginuid
      rom the user namespace of the opener of the file.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Paul Moore <paul@paul-moore.com> ?
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
      e1760bd5
  9. 11 9月, 2012 1 次提交
  10. 05 9月, 2012 1 次提交
  11. 20 8月, 2012 1 次提交
    • P
      net: ipv6: fix oops in inet_putpeer() · 9d7b0fc1
      Patrick McHardy 提交于
      Commit 97bab73f (inet: Hide route peer accesses behind helpers.) introduced
      a bug in xfrm6_policy_destroy(). The xfrm_dst's _rt6i_peer member is not
      initialized, causing a false positive result from inetpeer_ptr_is_peer(),
      which in turn causes a NULL pointer dereference in inet_putpeer().
      
      Pid: 314, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #17 To Be Filled By O.E.M. To Be Filled By O.E.M./P4S800D-X
      EIP: 0060:[<c03abf93>] EFLAGS: 00010246 CPU: 0
      EIP is at inet_putpeer+0xe/0x16
      EAX: 00000000 EBX: f3481700 ECX: 00000000 EDX: 000dd641
      ESI: f3481700 EDI: c05e949c EBP: f551def4 ESP: f551def4
       DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
      CR0: 8005003b CR2: 00000070 CR3: 3243d000 CR4: 00000750
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
       f551df04 c0423de1 00000000 f3481700 f551df18 c038d5f7 f254b9f8 f551df28
       f34f85d8 f551df20 c03ef48d f551df3c c0396870 f30697e8 f24e1738 c05e98f4
       f5509540 c05cd2b4 f551df7c c0142d2b c043feb5 f5509540 00000000 c05cd2e8
       [<c0423de1>] xfrm6_dst_destroy+0x42/0xdb
       [<c038d5f7>] dst_destroy+0x1d/0xa4
       [<c03ef48d>] xfrm_bundle_flo_delete+0x2b/0x36
       [<c0396870>] flow_cache_gc_task+0x85/0x9f
       [<c0142d2b>] process_one_work+0x122/0x441
       [<c043feb5>] ? apic_timer_interrupt+0x31/0x38
       [<c03967eb>] ? flow_cache_new_hashrnd+0x2b/0x2b
       [<c0143e2d>] worker_thread+0x113/0x3cc
      
      Fix by adding a init_dst() callback to struct xfrm_policy_afinfo to
      properly initialize the dst's peer pointer.
      Signed-off-by: NPatrick McHardy <kaber@trash.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      9d7b0fc1
  12. 16 8月, 2012 1 次提交
  13. 02 8月, 2012 1 次提交
  14. 19 7月, 2012 1 次提交
  15. 28 6月, 2012 1 次提交
  16. 16 5月, 2012 1 次提交
  17. 02 4月, 2012 1 次提交
  18. 26 2月, 2012 1 次提交
  19. 23 11月, 2011 2 次提交
  20. 11 5月, 2011 1 次提交
    • S
      xfrm: Assign the inner mode output function to the dst entry · 43a4dea4
      Steffen Klassert 提交于
      As it is, we assign the outer modes output function to the dst entry
      when we create the xfrm bundle. This leads to two problems on interfamily
      scenarios. We might insert ipv4 packets into ip6_fragment when called
      from xfrm6_output. The system crashes if we try to fragment an ipv4
      packet with ip6_fragment. This issue was introduced with git commit
      ad0081e4 (ipv6: Fragment locally generated tunnel-mode IPSec6 packets
      as needed). The second issue is, that we might insert ipv4 packets in
      netfilter6 and vice versa on interfamily scenarios.
      
      With this patch we assign the inner mode output function to the dst entry
      when we create the xfrm bundle. So xfrm4_output/xfrm6_output from the inner
      mode is used and the right fragmentation and netfilter functions are called.
      We switch then to outer mode with the output_finish functions.
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      43a4dea4
  21. 23 4月, 2011 1 次提交
  22. 11 4月, 2011 1 次提交
    • M
      Disable rp_filter for IPsec packets · 990078af
      Michael Smith 提交于
      The reverse path filter interferes with IPsec subnet-to-subnet tunnels,
      especially when the link to the IPsec peer is on an interface other than
      the one hosting the default route.
      
      With dynamic routing, where the peer might be reachable through eth0
      today and eth1 tomorrow, it's difficult to keep rp_filter enabled unless
      fake routes to the remote subnets are configured on the interface
      currently used to reach the peer.
      
      IPsec provides a much stronger anti-spoofing policy than rp_filter, so
      this patch disables the rp_filter for packets with a security path.
      Signed-off-by: NMichael Smith <msmith@cbnco.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      990078af
  23. 29 3月, 2011 1 次提交
  24. 22 3月, 2011 1 次提交
    • W
      xfrm: Fix initialize repl field of struct xfrm_state · a454f0cc
      Wei Yongjun 提交于
      Commit 'xfrm: Move IPsec replay detection functions to a separate file'
        (9fdc4883)
      introduce repl field to struct xfrm_state, and only initialize it
      under SA's netlink create path, the other path, such as pf_key,
      ipcomp/ipcomp6 etc, the repl field remaining uninitialize. So if
      the SA is created by pf_key, any input packet with SA's encryption
      algorithm will cause panic.
      
          int xfrm_input()
          {
              ...
              x->repl->advance(x, seq);
              ...
          }
      
      This patch fixed it by introduce new function __xfrm_init_state().
      
      Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs
      EIP: 0060:[<c078e5d5>] EFLAGS: 00010206 CPU: 0
      EIP is at xfrm_input+0x31c/0x4cc
      EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000
      ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000)
      Stack:
       00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0
       00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000
       dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32
      Call Trace:
       [<c0786848>] xfrm4_rcv_encap+0x22/0x27
       [<c0786868>] xfrm4_rcv+0x1b/0x1d
       [<c074ee56>] ip_local_deliver_finish+0x112/0x1b1
       [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
       [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
       [<c074ef77>] ip_local_deliver+0x3e/0x44
       [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
       [<c074ec03>] ip_rcv_finish+0x30a/0x332
       [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
       [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
       [<c074f188>] ip_rcv+0x20b/0x247
       [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
       [<c072797d>] __netif_receive_skb+0x373/0x399
       [<c0727bc1>] netif_receive_skb+0x4b/0x51
       [<e0817e2a>] cp_rx_poll+0x210/0x2c4 [8139cp]
       [<c072818f>] net_rx_action+0x9a/0x17d
       [<c0445b5c>] __do_softirq+0xa1/0x149
       [<c0445abb>] ? __do_softirq+0x0/0x149
      Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a454f0cc
  25. 14 3月, 2011 4 次提交
  26. 13 3月, 2011 3 次提交
  27. 02 3月, 2011 1 次提交
  28. 28 2月, 2011 4 次提交
  29. 24 2月, 2011 2 次提交