1. 23 Jan, 2018 1 commit
  2. 14 Apr, 2017 2 commits
  3. 15 Jan, 2016 1 commit
  4. 11 Aug, 2015 1 commit
    • xfrm6: Fix IPv6 ECN decapsulation · eae8dee9
      Thomas Egerer authored
      Using ipv6_get_dsfield on the outer IP header implies that inner and
      outer header are of the same address family. For interfamily
      tunnels, particularly 646, the code reading the DSCP field obtains the
      wrong values (IHL and the upper four bits of the DSCP field).
      This can cause the code to detect a congestion encountered state in the
      outer header and enable the corresponding bits in the inner header, too.
      
      Since the DSCP field is stored in the xfrm mode common buffer
      independently from the IP version of the outer header, it's safe (and
      correct) to take this value from there.
      Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      eae8dee9
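The misread described in the commit message above, reproduced in user space as an added example; it is not code from the commit or from the kernel tree. The header bytes are constructed (an outer IPv4 header with version 4 and IHL 5), and the helper names are hypothetical; only the shift-by-four arithmetic mirrors `ipv6_get_dsfield`.

```c
#include <stdint.h>
#include <stdio.h>

/* Same arithmetic as ipv6_get_dsfield(): the first 16 bits of an IPv6
 * header are version(4) | traffic class(8) | flow label bits(4). */
static uint8_t dsfield_read_as_ipv6(const uint8_t *hdr)
{
    uint16_t first16 = (uint16_t)((hdr[0] << 8) | hdr[1]);
    return (uint8_t)(first16 >> 4);
}

/* ECN is the low two bits of the DS byte; 11 = congestion experienced. */
static int is_ce(uint8_t dsfield)
{
    return (dsfield & 0x03) == 0x03;
}

/* Constructed outer IPv4 header start (0x45 = version 4, IHL 5) with the
 * given TOS byte, read with the IPv6 accessor (hypothetical helper). */
static uint8_t misread_ipv4_tos(uint8_t tos)
{
    uint8_t hdr[2] = { 0x45, tos };
    return dsfield_read_as_ipv6(hdr);
}

/* Over all 256 TOS values, count packets wrongly seen as CE
 * (want_false_ce != 0) or genuine CE marks that are missed (== 0). */
static int count_misreads(int want_false_ce)
{
    int n = 0;
    for (int tos = 0; tos < 256; tos++) {
        int wrong = is_ce(misread_ipv4_tos((uint8_t)tos));
        int right = is_ce((uint8_t)tos);   /* IPv4: TOS is the DS byte */
        n += want_false_ce ? (wrong && !right) : (right && !wrong);
    }
    return n;
}

int main(void)
{
    /* TOS 0x30 = DSCP 12 with ECN 00: no congestion mark on the wire. */
    printf("TOS 0x30 read as IPv6: 0x%02x, CE=%d\n",
           misread_ipv4_tos(0x30), is_ce(misread_ipv4_tos(0x30)));
    printf("false CE: %d/256, missed CE: %d/256\n",
           count_misreads(1), count_misreads(0));
    return 0;
}
```

The value the inner header's ECN bits are set from is therefore decided by two DSCP bits of the outer packet, not by its ECN field.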
  5. 14 Mar, 2014 1 commit
  6. 09 Oct, 2013 1 commit
  7. 06 Mar, 2013 1 commit
    • xfrm: allow to avoid copying DSCP during encapsulation · a947b0a9
      Nicolas Dichtel authored
      By default, DSCP is copied during encapsulation.
      Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
      different DSCP may get reordered relative to each other in the network and then
      dropped by the remote IPsec GW if the reordering becomes too big compared to the
      replay window.
      
      It is possible to avoid this copy with netfilter rules, but it's very convenient
      to be able to configure it for each SA directly.
      
      This patch adds a toggle for this purpose. By default, it's not set to maintain
      backward compatibility.
      
      Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
      a947b0a9
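The reordering problem described in the commit message above, as an added simulation; it is not code from the commit or the kernel. It uses a simplified sliding anti-replay window, and the traffic model is an assumption: even sequence numbers travel in an undelayed class, odd ones in a class the network delays by `lag` packet slots because the copied DSCP differs.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified receiver state: highest sequence seen plus a bitmap in which
 * bit i records that sequence (top - i) was already accepted. */
struct replay { uint32_t top; uint64_t bitmap; uint32_t window; };

/* Returns 1 if the packet is accepted, 0 if dropped (too old or replayed).
 * window must be <= 64 in this sketch. */
static int replay_check_update(struct replay *r, uint32_t seq)
{
    if (seq == 0)
        return 0;
    if (seq > r->top) {                       /* advances the window */
        uint32_t shift = seq - r->top;
        r->bitmap = (shift < 64) ? ((r->bitmap << shift) | 1) : 1;
        r->top = seq;
        return 1;
    }
    uint32_t diff = r->top - seq;
    if (diff >= r->window)                    /* fell off the left edge */
        return 0;
    if (r->bitmap & (1ULL << diff))           /* already seen */
        return 0;
    r->bitmap |= 1ULL << diff;
    return 1;
}

/* Send sequences 1..n through one SA and count receiver drops. */
static int simulate_drops(uint32_t window, uint32_t lag, uint32_t n)
{
    struct replay r = { 0, 0, window };
    int drops = 0;
    for (uint32_t t = 1; t <= n + lag; t++) {
        if (t <= n && t % 2 == 0)             /* undelayed class */
            drops += !replay_check_update(&r, t);
        if (t > lag && (t - lag) % 2 == 1)    /* delayed class */
            drops += !replay_check_update(&r, t - lag);
    }
    return drops;
}

int main(void)
{
    printf("window 32, lag  0: %d drops\n", simulate_drops(32, 0, 200));
    printf("window 32, lag 10: %d drops\n", simulate_drops(32, 10, 200));
    printf("window 32, lag 40: %d drops\n", simulate_drops(32, 40, 200));
    return 0;
}
```

Once the delay between classes exceeds the window, almost every packet in the delayed class is rejected even though none was replayed.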
  8. 18 Feb, 2013 1 commit
  9. 15 Feb, 2013 1 commit
  10. 23 Feb, 2012 1 commit
  11. 22 Nov, 2011 1 commit
  12. 22 Apr, 2011 1 commit
  13. 13 Dec, 2010 1 commit
  14. 30 Mar, 2010 1 commit
    • include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities to include
      those headers directly instead of assuming availability.  As this
      conversion needs to touch a large number of source files, the following
      script is used as the basis of conversion.
      
        http://userweb.kernel.org/~tj/misc/slabh-sweep.py
      
      The script does the following.
      
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      
      * When the script inserts a new include, it looks at the include
        blocks and tries to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
        file.
      
      The conversion was done in the following steps.
      
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
         files.
      
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         widely available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
         necessary.
      
      6. percpu.h was updated not to include slab.h.
      
      7. Build tests were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
      
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable on most builds of
      the specific arch.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
      5a0e3ad6
  15. 03 Jun, 2009 1 commit
  16. 24 Mar, 2008 1 commit
  17. 28 Jan, 2008 4 commits
    • [IPSEC]: Rename tunnel-mode functions to avoid collisions with tunnels · 195ad6a3
      Herbert Xu authored
      It appears that I've managed to create two different functions both
      called xfrm6_tunnel_output.  This is because we have the plain tunnel
      encapsulation named xfrmX_tunnel as well as the tunnel-mode encapsulation
      which lives in the files xfrmX_mode_tunnel.c.
      
      This patch renames functions from the latter to use the xfrmX_mode_tunnel
      prefix to avoid name-space conflicts.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      195ad6a3
    • [IPSEC]: Separate inner/outer mode processing on input · 227620e2
      Herbert Xu authored
      With inter-family transforms the inner mode differs from the outer
      mode.  Attempting to handle both sides from the same function means
      that it needs to handle both IPv4 and IPv6 which creates duplication
      and confusion.
      
      This patch separates the two parts on the input path so that each
      function deals with one family only.
      
      In particular, the functions xfrm4_extract_input/xfrm6_extract_input
      move the pertinent fields from the IPv4/IPv6 IP headers into a
      neutral format stored in skb->cb.  This is then used by the inner mode
      input functions to modify the inner IP header.  In this way the input
      function no longer has to know about the outer address family.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      227620e2
    • [IPSEC]: Separate inner/outer mode processing on output · 36cf9acf
      Herbert Xu authored
      With inter-family transforms the inner mode differs from the outer
      mode.  Attempting to handle both sides from the same function means
      that it needs to handle both IPv4 and IPv6 which creates duplication
      and confusion.
      
      This patch separates the two parts on the output path so that each
      function deals with one family only.
      
      In particular, the functions xfrm4_extract_output/xfrm6_extract_output
      move the pertinent fields from the IPv4/IPv6 IP headers into a
      neutral format stored in skb->cb.  This is then used by the outer mode
      output functions to write the outer IP header.  In this way the output
      function no longer has to know about the inner address family.
      
      Since the extract functions are only called by tunnel modes (the only
      modes that can support inter-family transforms), I've also moved the
      xfrm*_tunnel_check_size calls into them.  This allows the correct ICMP
      message to be sent as opposed to now where you might call icmp_send
      with an IPv6 packet and vice versa.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      36cf9acf
    • [INET]: Give outer DSCP directly to ip*_copy_dscp · 29bb43b4
      Herbert Xu authored
      This patch changes the prototype of ipv4_copy_dscp and ipv6_copy_dscp so
      that they directly take the outer DSCP rather than the outer IP header.
      This will help us to unify the code for inter-family tunnels.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      29bb43b4
  18. 18 Oct, 2007 1 commit
    • [IPSEC]: Add missing BEET checks · 1bfcb10f
      Herbert Xu authored
      Currently BEET mode does not reinject the packet back into the stack
      like tunnel mode does.  Since BEET should behave just like tunnel mode
      this is incorrect.
      
      This patch fixes this by introducing a flags field to xfrm_mode that
      tells the IPsec code whether it should terminate and reinject the packet
      back into the stack.
      
      It then sets the flag for BEET and tunnel mode.
      
      I've also added a number of missing BEET checks elsewhere where we check
      whether a given mode is a tunnel or not.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      1bfcb10f
  19. 10 Oct, 2007 4 commits
  20. 31 May, 2007 1 commit
  21. 26 Apr, 2007 8 commits
  22. 08 Feb, 2007 1 commit
  23. 22 Sep, 2006 1 commit
  24. 18 Jun, 2006 1 commit