1. 10 9月, 2008 1 次提交
  2. 09 9月, 2008 1 次提交
  3. 03 9月, 2008 1 次提交
    • D
      ipsec: Fix deadlock in xfrm_state management. · 37b08e34
      David S. Miller 提交于
      Ever since commit 4c563f76
      ("[XFRM]: Speed up xfrm_policy and xfrm_state walking") it is
      illegal to call __xfrm_state_destroy (and thus xfrm_state_put())
      with xfrm_state_lock held.  If we do, we'll deadlock since we
      have the lock already and __xfrm_state_destroy() tries to take
      it again.
      
      Fix this by pushing the xfrm_state_put() calls after the lock
      is dropped.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      37b08e34
  4. 26 7月, 2008 1 次提交
  5. 28 4月, 2008 2 次提交
  6. 25 3月, 2008 1 次提交
  7. 29 2月, 2008 1 次提交
    • T
      [XFRM]: Speed up xfrm_policy and xfrm_state walking · 4c563f76
      Timo Teras 提交于
      Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
      This is achieved adding the entries to one more list which is used
      solely for walking the entries.
      
      This also fixes some races where the dump can have duplicate or missing
      entries when the SPD/SADB is modified during an ongoing dump.
      
      Dumping SADB with 20000 entries using "time ip xfrm state" the sys
      time dropped from 1.012s to 0.080s.
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c563f76
  8. 02 2月, 2008 1 次提交
  9. 01 2月, 2008 2 次提交
  10. 29 1月, 2008 8 次提交
  11. 04 1月, 2008 1 次提交
  12. 20 12月, 2007 1 次提交
  13. 15 12月, 2007 1 次提交
  14. 27 11月, 2007 1 次提交
  15. 18 10月, 2007 3 次提交
    • H
      [IPSEC]: Rename mode to outer_mode and add inner_mode · 13996378
      Herbert Xu 提交于
      This patch adds a new field to xfrm states called inner_mode.  The existing
      mode object is renamed to outer_mode.
      
      This is the first part of an attempt to fix inter-family transforms.  As it
      is we always use the outer family when determining which mode to use.  As a
      result we may end up shoving IPv4 packets into netfilter6 and vice versa.
      
      What we really want is to use the inner family for the first part of outbound
      processing and the outer family for the second part.  For inbound processing
      we'd use the opposite pairing.
      
      I've also added a check to prevent silly combinations such as transport mode
      with inter-family transforms.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      13996378
    • H
      [IPSEC]: Store afinfo pointer in xfrm_mode · 17c2a42a
      Herbert Xu 提交于
      It is convenient to have a pointer from xfrm_state to address-specific
      functions such as the output function for a family.  Currently the
      address-specific policy code calls out to the xfrm state code to get
      those pointers when we could get it in an easier way via the state
      itself.
      
      This patch adds an xfrm_state_afinfo to xfrm_mode (since they're
      address-specific) and changes the policy code to use it.  I've also
      added an owner field to do reference counting on the module providing
      the afinfo even though it isn't strictly necessary today since IPv6
      can't be unloaded yet.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      17c2a42a
    • H
      [IPSEC]: Move type and mode map into xfrm_state.c · aa5d62cc
      Herbert Xu 提交于
      The type and mode maps are only used by SAs, not policies.  So it makes
      sense to move them from xfrm_policy.c into xfrm_state.c.  This also allows
      us to mark xfrm_get_type/xfrm_put_type/xfrm_get_mode/xfrm_put_mode as
      static.
      
      The only other change I've made in the move is to get rid of the casts
      on the request_module call for types.  They're unnecessary because C
      will promote them to ints anyway.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      aa5d62cc
  16. 11 10月, 2007 5 次提交
  17. 14 8月, 2007 1 次提交
  18. 31 7月, 2007 1 次提交
  19. 19 7月, 2007 1 次提交
  20. 11 7月, 2007 1 次提交
  21. 19 6月, 2007 1 次提交
  22. 08 6月, 2007 1 次提交
    • J
      xfrm: Add security check before flushing SAD/SPD · 4aa2e62c
      Joy Latten 提交于
      Currently we check for permission before deleting entries from SAD and
      SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())
      However we are not checking for authorization when flushing the SPD and
      the SAD completely. It was perhaps missed in the original security hooks
      patch.
      
      This patch adds a security check when flushing entries from the SAD and
      SPD.  It runs the entire database and checks each entry for a denial.
      If the process attempting the flush is unable to remove all of the
      entries a denial is logged the the flush function returns an error
      without removing anything.
      
      This is particularly useful when a process may need to create or delete
      its own xfrm entries used for things like labeled networking but that
      same process should not be able to delete other entries or flush the
      entire database.
      
      Signed-off-by: Joy Latten<latten@austin.ibm.com>
      Signed-off-by: NEric Paris <eparis@parisplace.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      4aa2e62c
  23. 31 5月, 2007 1 次提交
  24. 05 5月, 2007 1 次提交
  25. 26 4月, 2007 1 次提交
    • J
      [XFRM]: Export SAD info. · 28d8909b
      Jamal Hadi Salim 提交于
      On a system with a lot of SAs, counting SAD entries chews useful
      CPU time since you need to dump the whole SAD to user space;
      i.e something like ip xfrm state ls | grep -i src | wc -l
      I have seen taking literally minutes on a 40K SAs when the system
      is swapping.
      With this patch, some of the SAD info (that was already being tracked)
      is exposed to user space. i.e you do:
      ip xfrm state count
      And you get the count; you can also pass -s to the command line and
      get the hash info.
      Signed-off-by: NJamal Hadi Salim <hadi@cyberus.ca>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      28d8909b