aboutsummaryrefslogtreecommitdiffstats
path: root/include/net/xfrm.h
Commit message (Collapse)AuthorAgeFilesLines
* [IPSEC]: Kill afinfo->nf_post_routingDavid S. Miller2008-01-281-1/+0
| | | | | | | | | | After changeset: [NETFILTER]: Introduce NF_INET_ hook values It always evaluates to NF_INET_POST_ROUTING. Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add async resume support on inputHerbert Xu2008-01-281-0/+1
| | | | | | | | | This patch adds support for async resumptions on input. To do so, the transform would return -EINPROGRESS and subsequently invoke the function xfrm_input_resume to resume processing. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Remove nhoff from xfrm_inputHerbert Xu2008-01-281-1/+0
| | | | | | | | | | | | | | | | | | The nhoff field isn't actually necessary in xfrm_input. For tunnel mode transforms we now throw away the output IP header so it makes no sense to fill in the nexthdr field. For transport mode we can now let the function transport_finish do the setting and it knows where the nexthdr field is. The only other thing that needs the nexthdr field to be set is the header extraction code. However, we can simply move the protocol extraction out of the generic header extraction. We want to minimise the amount of info we have to carry around between transforms as this simplifies the resumption process for async crypto. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Make x->lastused an unsigned longHerbert Xu2008-01-281-1/+1
| | | | | | | | | | | | | | Currently x->lastused is u64 which means that it cannot be read/written atomically on all architectures. David Miller observed that the value stored in it is only an unsigned long which is always atomic. So based on his suggestion this patch changes the internal representation from u64 to unsigned long while the user-interface still refers to it as u64. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Merge most of the input pathHerbert Xu2008-01-281-0/+22
| | | | | | | | | | | | As part of the work on asynchronous cryptographic operations, we need to be able to resume from the spot where they occur. As such, it helps if we isolate them to one spot. This patch moves most of the remaining family-specific processing into the common input code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add async resume support on outputHerbert Xu2008-01-281-0/+1
| | | | | | | | | This patch adds support for async resumptions on output. To do so, the transform would return -EINPROGRESS and subsequently invoke the function xfrm_output_resume to resume processing. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Merge most of the output pathHerbert Xu2008-01-281-0/+1
| | | | | | | | | | | | As part of the work on asynchrnous cryptographic operations, we need to be able to resume from the spot where they occur. As such, it helps if we isolate them to one spot. This patch moves most of the remaining family-specific processing into the common output code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Separate inner/outer mode processing on inputHerbert Xu2008-01-281-0/+27
| | | | | | | | | | | | | | | | | | | With inter-family transforms the inner mode differs from the outer mode. Attempting to handle both sides from the same function means that it needs to handle both IPv4 and IPv6 which creates duplication and confusion. This patch separates the two parts on the input path so that each function deals with one family only. In particular, the functions xfrm4_extract_inut/xfrm6_extract_inut moves the pertinent fields from the IPv4/IPv6 IP headers into a neutral format stored in skb->cb. This is then used by the inner mode input functions to modify the inner IP header. In this way the input function no longer has to know about the outer address family. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Separate inner/outer mode processing on outputHerbert Xu2008-01-281-1/+50
| | | | | | | | | | | | | | | | | | | | | | | | | With inter-family transforms the inner mode differs from the outer mode. Attempting to handle both sides from the same function means that it needs to handle both IPv4 and IPv6 which creates duplication and confusion. This patch separates the two parts on the output path so that each function deals with one family only. In particular, the functions xfrm4_extract_output/xfrm6_extract_output moves the pertinent fields from the IPv4/IPv6 IP headers into a neutral format stored in skb->cb. This is then used by the outer mode output functions to write the outer IP header. In this way the output function no longer has to know about the inner address family. Since the extract functions are only called by tunnel modes (the only modes that can support inter-family transforms), I've also moved the xfrm*_tunnel_check_size calls into them. This allows the correct ICMP message to be sent as opposed to now where you might call icmp_send with an IPv6 packet and vice versa. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Merge common code into xfrm_bundle_createHerbert Xu2008-01-281-7/+4
| | | | | | | | | | | | | | | | Half of the code in xfrm4_bundle_create and xfrm6_bundle_create are common. This patch extracts that logic and puts it into xfrm_bundle_create. The rest of it are then accessed through afinfo. As a result this fixes the problem with inter-family transforms where we treat every xfrm dst in the bundle as if it belongs to the top family. This patch also fixes a long-standing error-path bug where we may free the xfrm states twice. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move flow construction into xfrm_dst_lookupHerbert Xu2008-01-281-7/+3
| | | | | | | | | | | | | | This patch moves the flow construction from the callers of xfrm_dst_lookup into that function. It also changes xfrm_dst_lookup so that it takes an xfrm state as its argument instead of explicit addresses. This removes any address-specific logic from the callers of xfrm_dst_lookup which is needed to correctly support inter-family transforms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Replace x->type->{local,remote}_addr with flagsHerbert Xu2008-01-281-2/+2
| | | | | | | | | | The functions local_addr and remote_addr are more than what they're needed for. The same thing can be done easily with flags on the type object. This patch does that and simplifies the wrapper functions in xfrm6_policy accordingly. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: xfrm_algo_clone() allocates too much memoryEric Dumazet2008-01-081-1/+6
| | | | | | | | | | | | | alg_key_len is the length in bits of the key, not in bytes. Best way to fix this is to move alg_len() function from net/xfrm/xfrm_user.c to include/net/xfrm.h, and to use it in xfrm_algo_clone() alg_len() is renamed to xfrm_alg_len() because of its global exposition. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Don't declare extern variables in net/core/sysctl_net_core.cPavel Emelyanov2007-10-231-0/+2
| | | | | | | | | | | Some are already declared in include/linux/netdevice.h, while some others (xfrm ones) need to be declared. The driver/net/rrunner.c just uses same extern as well, so cleanup it also. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Rename mode to outer_mode and add inner_modeHerbert Xu2007-10-171-1/+2
| | | | | | | | | | | | | | | | | | | This patch adds a new field to xfrm states called inner_mode. The existing mode object is renamed to outer_mode. This is the first part of an attempt to fix inter-family transforms. As it is we always use the outer family when determining which mode to use. As a result we may end up shoving IPv4 packets into netfilter6 and vice versa. What we really want is to use the inner family for the first part of outbound processing and the outer family for the second part. For inbound processing we'd use the opposite pairing. I've also added a check to prevent silly combinations such as transport mode with inter-family transforms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Store afinfo pointer in xfrm_modeHerbert Xu2007-10-171-3/+3
| | | | | | | | | | | | | | | | | It is convenient to have a pointer from xfrm_state to address-specific functions such as the output function for a family. Currently the address-specific policy code calls out to the xfrm state code to get those pointers when we could get it in an easier way via the state itself. This patch adds an xfrm_state_afinfo to xfrm_mode (since they're address-specific) and changes the policy code to use it. I've also added an owner field to do reference counting on the module providing the afinfo even though it isn't strictly necessary today since IPv6 can't be unloaded yet. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add missing BEET checksHerbert Xu2007-10-171-0/+6
| | | | | | | | | | | | | | | | | | Currently BEET mode does not reinject the packet back into the stack like tunnel mode does. Since BEET should behave just like tunnel mode this is incorrect. This patch fixes this by introducing a flags field to xfrm_mode that tells the IPsec code whether it should terminate and reinject the packet back into the stack. It then sets the flag for BEET and tunnel mode. I've also added a number of missing BEET checks elsewhere where we check whether a given mode is a tunnel or not. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move type and mode map into xfrm_state.cHerbert Xu2007-10-171-6/+2
| | | | | | | | | | | | | | The type and mode maps are only used by SAs, not policies. So it makes sense to move them from xfrm_policy.c into xfrm_state.c. This also allows us to mark xfrm_get_type/xfrm_put_type/xfrm_get_mode/xfrm_put_mode as static. The only other change I've made in the move is to get rid of the casts on the request_module call for types. They're unnecessary because C will promote them to ints anyway. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Get nexthdr from caller in xfrm6_rcv_spiHerbert Xu2007-10-171-1/+1
| | | | | | | | | | Currently xfrm6_rcv_spi gets the nexthdr value itself from the packet. This means that we need to fix up the value in case we have a 4-on-6 tunnel. Moving this logic into the caller simplifies things and allows us to merge the code with IPv4. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move tunnel parsing for IPv4 out of xfrm4_inputHerbert Xu2007-10-171-0/+8
| | | | | | | | | This patch moves the tunnel parsing for IPv4 out of xfrm4_input and into xfrm4_tunnel. This change is in line with what IPv6 does and will allow us to merge the two input functions. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: Replace sk_buff ** with sk_buff * in input handlersHerbert Xu2007-10-151-1/+1
| | | | | | | | | With all the users of the double pointers removed from the IPv6 input path, this patch converts all occurances of sk_buff ** to sk_buff * in IPv6 input handlers. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Use IPv6 calling convention as the convention for x->mode->outputHerbert Xu2007-10-101-0/+12
| | | | | | | | | | | | | The IPv6 calling convention for x->mode->output is more general and could help an eventual protocol-generic x->type->output implementation. This patch adopts it for IPv4 as well and modifies the IPv4 type output functions accordingly. It also rewrites the IPv6 mac/transport header calculation to be based off the network header where practical. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move common code into xfrm_alloc_spiHerbert Xu2007-10-101-1/+1
| | | | | | | | | | | | | | | | | This patch moves some common code that conceptually belongs to the xfrm core from af_key/xfrm_user into xfrm_alloc_spi. In particular, the spin lock on the state is now taken inside xfrm_alloc_spi. Previously it also protected the construction of the response PF_KEY/XFRM messages to user-space. This is inconsistent as other identical constructions are not protected by the state lock. This is bad because they in fact should be protected but only in certain spots (so as not to hold the lock for too long which may cause packet drops). The SPI byte order conversion has also been moved. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Unexport xfrm_replay_notifyHerbert Xu2007-10-101-6/+0
| | | | | | | | | | | Now that the only callers of xfrm_replay_notify are in xfrm, we can remove the export. This patch also removes xfrm_aevent_doreplay since it's now called in just one spot. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move output replay code into xfrm_outputHerbert Xu2007-10-101-1/+19
| | | | | | | | | | The replay counter is one of only two remaining things in the output code that requires a lock on the xfrm state (the other being the crypto). This patch moves it into the generic xfrm_output so we can remove the lock from the transforms themselves. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move xfrm_state_check into xfrm_output.cHerbert Xu2007-10-101-1/+0
| | | | | | | | The functions xfrm_state_check and xfrm_state_check_space are only used by the output code in xfrm_output.c so we can move them over. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Move common output code to xfrm_outputHerbert Xu2007-10-101-0/+1
| | | | | | | | | | | | Most of the code in xfrm4_output_one and xfrm6_output_one are identical so this patch moves them into a common xfrm_output function which will live in net/xfrm. In fact this would seem to fix a bug as on IPv4 we never reset the network header after a transform which may upset netfilter later on. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: xfrm audit callsJoy Latten2007-10-101-4/+36
| | | | | | | | | | | | | | | | This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Fix crash introduced by struct dst_entry reorderingPatrick McHardy2007-07-181-1/+0
| | | | | | | | | | | XFRM expects xfrm_dst->u.next to be same pointer as dst->next, which was broken by the dst_entry reordering in commit 1e19e02c~, causing an oops in xfrm_bundle_ok when walking the bundle upwards. Kill xfrm_dst->u.next and change the only user to use dst->next instead. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [UDP]: Cleanup UDP encapsulation codeJames Chapman2007-07-101-2/+3
| | | | | | | | | | | | | This cleanup fell out after adding L2TP support where a new encap_rcv funcptr was added to struct udp_sock. Have XFRM use the new encap_rcv funcptr, which allows us to move the XFRM encap code from udp.c into xfrm4_input.c. Make xfrm4_rcv_encap() static since it is no longer called externally. Signed-off-by: James Chapman <jchapman@katalix.com> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] Introduce standalone SAD lookupJamal Hadi Salim2007-07-101-0/+4
| | | | | | | | This allows other in-kernel functions to do SAD lookups. The only known user at the moment is pktgen. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Add module alias for transformation type.Masahide NAKAMURA2007-07-101-0/+10
| | | | | | | | | | | | | | | It is clean-up for XFRM type modules and adds aliases with its protocol: ESP, AH, IPCOMP, IPIP and IPv6 for IPsec ROUTING and DSTOPTS for MIPv6 It is almost the same thing as XFRM mode alias, but it is added new defines XFRM_PROTO_XXX for preprocessing since some protocols are defined as enum. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Acked-by: Ingo Oeser <netdev@axxeo.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6] MIP6: Kill unnecessary ifdefs.Masahide NAKAMURA2007-07-101-2/+0
| | | | | | | | | | | Kill unnecessary CONFIG_IPV6_MIP6. o It is redundant for RAW socket to keep MH out with the config then it can handle any protocol. o Clean-up at AH. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Add security check before flushing SAD/SPDJoy Latten2007-06-071-3/+3
| | | | | | | | | | | | | | | | | | | | | | | Currently we check for permission before deleting entries from SAD and SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete()) However we are not checking for authorization when flushing the SPD and the SAD completely. It was perhaps missed in the original security hooks patch. This patch adds a security check when flushing entries from the SAD and SPD. It runs the entire database and checks each entry for a denial. If the process attempting the flush is unable to remove all of the entries a denial is logged the the flush function returns an error without removing anything. This is particularly useful when a process may need to create or delete its own xfrm entries used for things like labeled networking but that same process should not be able to delete other entries or flush the entire database. Signed-off-by: Joy Latten<latten@austin.ibm.com> Signed-off-by: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* [XFRM]: Allow XFRM_ACQ_EXPIRES to be tunable via sysctl.David S. Miller2007-05-311-1/+0
| | | | Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] SPD info TLV aggregationJamal Hadi Salim2007-05-041-12/+12
| | | | | | | | Aggregate the SPD info TLVs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM] SAD info TLV aggregationxJamal Hadi Salim2007-05-041-9/+8
| | | | | | | | Aggregate the SAD info TLVs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Restrict upper layer information by bundle.Masahide NAKAMURA2007-04-301-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | On MIPv6 usage, XFRM sub policy is enabled. When main (IPsec) and sub (MIPv6) policy selectors have the same address set but different upper layer information (i.e. protocol number and its ports or type/code), multiple bundle should be created. However, currently we have issue to use the same bundle created for the first time with all flows covered by the case. It is useful for the bundle to have the upper layer information to be restructured correctly if it does not match with the flow. 1. Bundle was created by two policies Selector from another policy is added to xfrm_dst. If the flow does not match the selector, it goes to slow path to restructure new bundle by single policy. 2. Bundle was created by one policy Flow cache is added to xfrm_dst as originated one. If the flow does not match the cache, it goes to slow path to try searching another policy. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Export SPD infoJamal Hadi Salim2007-04-281-0/+13
| | | | | | | | With this patch you can use iproute2 in user space to efficiently see how many policies exist in different directions. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Export SAD info.Jamal Hadi Salim2007-04-261-0/+8
| | | | | | | | | | | | | | | | On a system with a lot of SAs, counting SAD entries chews useful CPU time since you need to dump the whole SAD to user space; i.e something like ip xfrm state ls | grep -i src | wc -l I have seen taking literally minutes on a 40K SAs when the system is swapping. With this patch, some of the SAD info (that was already being tracked) is exposed to user space. i.e you do: ip xfrm state count And you get the count; you can also pass -s to the command line and get the hash info. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Optimize MTU calculationPatrick McHardy2007-04-251-1/+1
| | | | | | | | | | | Replace the probing based MTU estimation, which usually takes 2-3 iterations to find a fitting value and may underestimate the MTU, by an exact calculation. Also fix underestimation of the XFRM trailer_len, which causes unnecessary reallocations. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: xfrm_policy delete security check misplacedEric Paris2007-03-071-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The security hooks to check permissions to remove an xfrm_policy were actually done after the policy was removed. Since the unlinking and deletion are done in xfrm_policy_by* functions this moves the hooks inside those 2 functions. There we have all the information needed to do the security check and it can be done before the deletion. Since auditing requires the result of that security check err has to be passed back and forth from the xfrm_policy_by* functions. This patch also fixes a bug where a deletion that failed the security check could cause improper accounting on the xfrm_policy (xfrm_get_policy didn't have a put on the exit path for the hold taken by xfrm_policy_by*) It also fixes the return code when no policy is found in xfrm_add_pol_expire. In old code (at least back in the 2.6.18 days) err wasn't used before the return when no policy is found and so the initialization would cause err to be ENOENT. But since err has since been used above when we don't get a policy back from the xfrm_policy_by* function we would always return 0 instead of the intended ENOENT. Also fixed some white space damage in the same area. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Venkat Yekkirala <vyekkirala@trustedcs.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: changing API of xfrm6_tunnel_registerKazunori MIYAZAWA2007-02-131-2/+2
| | | | | | | | | | | This patch changes xfrm6_tunnel register and deregister interface to prepare for solving the conflict of device tunnels with inter address family IPsec tunnel. There is no device which conflicts with IPv4 over IPv6 IPsec tunnel. Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Changing API of xfrm4_tunnel_register.Kazunori MIYAZAWA2007-02-131-2/+2
| | | | | | | | | This patch changes xfrm4_tunnel register and deregister interface to prepare for solving the conflict of device tunnels with inter address family IPsec tunnel. Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Extension for dynamic update of endpoint address(es)Shinta Sugimoto2007-02-081-0/+44
| | | | | | | | | | | | | | Extend the XFRM framework so that endpoint address(es) in the XFRM databases could be dynamically updated according to a request (MIGRATE message) from user application. Target XFRM policy is first identified by the selector in the MIGRATE message. Next, the endpoint addresses of the matching templates and XFRM states are updated according to the MIGRATE message. Signed-off-by: Shinta Sugimoto <shinta.sugimoto@ericsson.com> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: exporting xfrm_state_afinfoMiika Komu2007-02-081-0/+3
| | | | | | | | | This patch exports xfrm_state_afinfo. Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* audit: disable ipsec auditing when CONFIG_AUDITSYSCALL=nJoy Latten2006-12-061-1/+6
| | | | | | | | | | | | Disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. Also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* audit: Add auditing to ipsecJoy Latten2006-12-061-5/+14
| | | | | | | | | An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPSEC]: Add encapsulation family.Miika Komu2006-12-021-0/+2
| | | | | | | Signed-off-by: Miika Komu <miika@iki.fi> Signed-off-by: Diego Beltrami <Diego.Beltrami@hiit.fi> Signed-off-by: Kazunori Miyazawa <miyazawa@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [XFRM]: Pack struct xfrm_policyArnaldo Carvalho de Melo2006-12-021-6/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o xfrm_policy /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */ struct xfrm_policy { struct xfrm_policy * next; /* 0 4 */ struct hlist_node bydst; /* 4 8 */ struct hlist_node byidx; /* 12 8 */ rwlock_t lock; /* 20 36 */ atomic_t refcnt; /* 56 4 */ struct timer_list timer; /* 60 24 */ u8 type; /* 84 1 */ /* XXX 3 bytes hole, try to pack */ u32 priority; /* 88 4 */ u32 index; /* 92 4 */ struct xfrm_selector selector; /* 96 56 */ struct xfrm_lifetime_cfg lft; /* 152 64 */ struct xfrm_lifetime_cur curlft; /* 216 32 */ struct dst_entry * bundles; /* 248 4 */ __u16 family; /* 252 2 */ __u8 action; /* 254 1 */ __u8 flags; /* 255 1 */ __u8 dead; /* 256 1 */ __u8 xfrm_nr; /* 257 1 */ /* XXX 2 bytes hole, try to pack */ struct xfrm_sec_ctx * security; /* 260 4 */ struct xfrm_tmpl xfrm_vec[6]; /* 264 360 */ }; /* size: 624, sum members: 619, holes: 2, sum holes: 5 */ So lets have just one hole instead of two, by moving 'type' to just before 'action', end result: [acme@newtoy net-2.6.20]$ codiff -s /tmp/tcp.o.before net/ipv4/tcp.o /pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c: struct xfrm_policy | -4 1 struct changed [acme@newtoy net-2.6.20]$ [acme@newtoy net-2.6.20]$ pahole -c 64 net/ipv4/tcp.o xfrm_policy /* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */ struct xfrm_policy { struct xfrm_policy * next; /* 0 4 */ struct hlist_node bydst; /* 4 8 */ struct hlist_node byidx; /* 12 8 */ rwlock_t lock; /* 20 36 */ atomic_t refcnt; /* 56 4 */ struct timer_list timer; /* 60 24 */ u32 priority; /* 84 4 */ u32 index; /* 88 4 */ struct xfrm_selector selector; /* 92 56 */ struct xfrm_lifetime_cfg lft; /* 148 64 */ struct xfrm_lifetime_cur curlft; /* 212 32 */ struct dst_entry * bundles; /* 244 4 */ u16 family; /* 248 2 */ u8 type; /* 250 1 */ u8 action; /* 251 1 */ u8 flags; /* 252 1 */ u8 dead; /* 253 1 */ u8 xfrm_nr; /* 254 1 */ /* XXX 1 byte hole, try to pack */ struct xfrm_sec_ctx * security; /* 256 4 */ struct xfrm_tmpl xfrm_vec[6]; /* 260 360 */ }; /* size: 620, sum members: 619, holes: 1, sum holes: 1 */ Are there any fugly data dependencies here? None that I know. In the process changed the removed the __ prefixed types, that are just for userspace visible headers. Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>