path: root/net/xfrm
Commit message | Author | Age | Files | Lines

* xfrm: Add user interface for esn and big anti-replay windows
  Steffen Klassert | 2011-03-13 | 2 files | -14/+87
  This patch adds a netlink based user interface to configure esn and big anti-replay windows. The new netlink attribute XFRMA_REPLAY_ESN_VAL is used to configure the new implementation. If the XFRM_STATE_ESN flag is set, we use esn and support for big anti-replay windows for the configured state. If this flag is not set we use the new implementation with 32 bit sequence numbers. A big anti-replay window can be configured in this case anyway.
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Add support for IPsec extended sequence numbers
  Steffen Klassert | 2011-03-13 | 2 files | -1/+193
  This patch adds support for IPsec extended sequence numbers (esn) as defined in RFC 4303. The bits to manage the anti-replay window are based on a patch from Alex Badea.
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Support anti-replay window size bigger than 32 packets
  Steffen Klassert | 2011-03-13 | 1 file | -1/+206
  As it is, the anti-replay bitmap in struct xfrm_replay_state can only accommodate 32 packets. Even though it is possible to configure anti-replay window sizes up to 255 packets from userspace. So we reject any packet with a sequence number within the configured window but outside the bitmap. With this patch, we represent the anti-replay window as a bitmap of variable length that can be accessed via the new struct xfrm_replay_state_esn. Thus, we have no limit on the window size anymore. To use the new anti-replay window implementation, new userspace tools are required. We leave the old implementation untouched to stay in sync with old userspace tools.
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Move IPsec replay detection functions to a separate file
  Steffen Klassert | 2011-03-13 | 6 files | -124/+154
  To support multiple versions of replay detection, we move the replay detection functions to a separate file and make them accessible via function pointers contained in the struct xfrm_replay.
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Use separate low and high order bits of the sequence numbers in xfrm_skb_cb
  Steffen Klassert | 2011-03-13 | 2 files | -3/+3
  To support IPsec extended sequence numbers, we split the output sequence numbers of xfrm_skb_cb in low and high order 32 bits and we add the high order 32 bits to the input sequence numbers. All users are updated accordingly.
  Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
  Signed-off-by: David S. Miller <davem@davemloft.net>

* net: Use flowi4 and flowi6 in xfrm layer.
  David S. Miller | 2011-03-12 | 1 file | -12/+16
  Signed-off-by: David S. Miller <davem@davemloft.net>

* net: Break struct flowi out into AF specific instances.
  David S. Miller | 2011-03-12 | 1 file | -4/+4
  Now we have struct flowi4, flowi6, and flowidn for each address family. And struct flowi is just a union of them all. It might have been troublesome to convert flow_cache_uli_match() but as it turns out this function is completely unused and therefore can be simply removed.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* net: Make flowi ports AF dependent.
  David S. Miller | 2011-03-12 | 1 file | -4/+4
  Create two sets of port member accessors, one set prefixed by fl4_* and the other prefixed by fl6_*. This will let us create AF optimal flow instances. It will work because in every context in which we access the ports, we have to be fully aware of which AF the flowi is anyways.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* net: Put flowi_* prefix on AF independent members of struct flowi
  David S. Miller | 2011-03-12 | 2 files | -10/+10
  I intend to turn struct flowi into a union of AF specific flowi structs. There will be a common structure that each variant includes first, much like struct sock_common. This is the first step to move in that direction.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Eliminate "fl" and "pol" args to xfrm_bundle_ok().
  David S. Miller | 2011-03-12 | 1 file | -19/+3
  There is only one caller of xfrm_bundle_ok(), and that always passes these parameters as NULL.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms
  Patrick McHardy | 2011-03-03 | 1 file | -24/+32
  Netlink message processing in the kernel is synchronous these days, the session information can be collected when needed.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Return dst directly from xfrm_lookup()
  David S. Miller | 2011-03-02 | 1 file | -17/+17
  Instead of on the stack.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Handle blackhole route creation via afinfo.
  David S. Miller | 2011-03-01 | 1 file | -20/+26
  That way we don't have to potentially do this in every xfrm_lookup() caller.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Kill XFRM_LOOKUP_WAIT flag.
  David S. Miller | 2011-03-01 | 1 file | -1/+1
  This can be determined from the flow flags instead.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Pass const xfrm_address_t objects to xfrm_state_lookup* and xfrm_find_acq.
  David S. Miller | 2011-02-27 | 1 file | -4/+8
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Pass name as const to xfrm_*_get_byname().
  David S. Miller | 2011-02-27 | 2 files | -5/+5
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify xfrm_address_t args to xfrm_state_find.
  David S. Miller | 2011-02-23 | 1 file | -2/+2
  This required a const'ification in xfrm_init_tempstate() too.
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Remove unused 'saddr' and 'daddr' args to xfrm_state_look_at.
  David S. Miller | 2011-02-23 | 1 file | -3/+2
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify xfrm_address_t args to __xfrm_state_lookup{,_byaddr}.
  David S. Miller | 2011-02-23 | 1 file | -2/+8
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify xfrm_tmpl arg to xfrm_init_tempstate.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify xfrm_address_t args to xfrm_*_hash.
  David S. Miller | 2011-02-23 | 1 file | -5/+6
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify sec_path arg to secpath_has_nontransport.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify ptr args to xfrm_policy_ok.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify ptr args to xfrm_state_ok.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify selector arg to xfrm_dst_update_parent.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify policy arg to clone_policy.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify policy arg and local selector in xfrm_policy_match.
  David S. Miller | 2011-02-23 | 1 file | -2/+3
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify local xfrm_address_t pointers in xfrm_policy_lookup_bytype.
  David S. Miller | 2011-02-23 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify selector args in xfrm_migrate paths.
  David S. Miller | 2011-02-23 | 1 file | -4/+4
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify address args to hash helpers.
  David S. Miller | 2011-02-23 | 2 files | -15/+26
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify pointer args to km_migrate() and implementations.
  David S. Miller | 2011-02-23 | 2 files | -15/+15
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify pointer args to migrate_tmpl_match and xfrm_migrate_check
  David S. Miller | 2011-02-23 | 1 file | -2/+2
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify address arguments to __xfrm_dst_lookup()
  David S. Miller | 2011-02-23 | 1 file | -2/+2
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Const'ify selector argument to xfrm_selector_match()
  David S. Miller | 2011-02-23 | 1 file | -3/+3
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Pass km_event pointers around as const when possible.
  David S. Miller | 2011-02-23 | 2 files | -14/+14
  Signed-off-by: David S. Miller <davem@davemloft.net>

* net: Make flow cache paths use a const struct flowi.
  David S. Miller | 2011-02-22 | 1 file | -5/+8
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_resolve_and_create_bundle() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_dst_{alloc_copy,update_origin}() const.
  David S. Miller | 2011-02-22 | 1 file | -2/+2
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_bundle_create() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_tmpl_resolve{,_one}() const.
  David S. Miller | 2011-02-22 | 1 file | -6/+4
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_expand_policies() const.
  David S. Miller | 2011-02-22 | 1 file | -2/+2
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_policy_{lookup_by_type,match}() const.
  David S. Miller | 2011-02-22 | 1 file | -2/+2
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Kill strict arg to xfrm_bundle_ok().
  David S. Miller | 2011-02-22 | 1 file | -8/+3
  Always set to "0".
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_state_find() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_init_tempstate() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_state_look_at() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_selector_match() const.
  David S. Miller | 2011-02-22 | 1 file | -4/+4
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to xfrm_type->reject() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to ->fill_dst() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>

* xfrm: Mark flowi arg to ->get_tos() const.
  David S. Miller | 2011-02-22 | 1 file | -1/+1
  Signed-off-by: David S. Miller <davem@davemloft.net>