1. 09 Oct, 2013 1 commit
  2. 23 Sep, 2013 1 commit
  3. 28 Aug, 2013 1 commit
    • Fan Du's avatar
      {ipv4,xfrm}: Introduce xfrm_tunnel_notifier for xfrm tunnel mode callback · aba82695
      Fan Du authored
      Some thoughts on IPv4 VTI implementation:
      
      The connection between VTI receiving part and xfrm tunnel mode input process
      is hardly a "xfrm_tunnel", xfrm_tunnel is used in places where, e.g ipip/sit
      and xfrm4_tunnel, acts like a true "tunnel" device.
      
      In addition, IMHO, VTI doesn't need vti_err to do something meaningful, as all
      VTI needs is just a notifier to be called whenever xfrm_input ingress a packet
      to update statistics.
      
      A IPsec protected packet is first handled by protocol handlers, e.g AH/ESP,
      to check packet authentication or encryption rightness. PMTU update is taken
      care of in this stage by protocol error handler.
      
      Then the packet is rearranged properly depending on whether it's transport
      mode or tunnel mode packed by mode "input" handler. The VTI handler code
      takes effects in this stage in tunnel mode only. So it neither need propagate
      PMTU, as it has already been done if necessary, nor the VTI handler is
      qualified as a xfrm_tunnel.
      
      So this patch introduces xfrm_tunnel_notifier and meanwhile wipe out vti_err
      code.
      Signed-off-by: default avatarFan Du <fan.du@windriver.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: David S. Miller <davem@davemloft.net>
      Reviewed-by: default avatarSaurabh Mohan <saurabh.mohan@vyatta.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      aba82695
  4. 26 Aug, 2013 1 commit
  5. 19 Aug, 2013 1 commit
  6. 14 Aug, 2013 2 commits
  7. 05 Aug, 2013 1 commit
  8. 31 May, 2013 1 commit
  9. 05 Mar, 2013 1 commit
    • Nicolas Dichtel's avatar
      xfrm: allow to avoid copying DSCP during encapsulation · a947b0a9
      Nicolas Dichtel authored
      By default, DSCP is copying during encapsulation.
      Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
      different DSCP may get reordered relative to each other in the network and then
      dropped by the remote IPsec GW if the reordering becomes too big compared to the
      replay window.
      
      It is possible to avoid this copy with netfilter rules, but it's very convenient
      to be able to configure it for each SA directly.
      
      This patch adds a toogle for this purpose. By default, it's not set to maintain
      backward compatibility.
      
      Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      a947b0a9
  10. 06 Feb, 2013 1 commit
    • Steffen Klassert's avatar
      xfrm: Add a state resolution packet queue · a0073fe1
      Steffen Klassert authored
      As the default, we blackhole packets until the key manager resolves
      the states. This patch implements a packet queue where IPsec packets
      are queued until the states are resolved. We generate a dummy xfrm
      bundle, the output routine of the returned route enqueues the packet
      to a per policy queue and arms a timer that checks for state resolution
      when dst_output() is called. Once the states are resolved, the packets
      are sent out of the queue. If the states are not resolved after some
      time, the queue is flushed.
      
      This patch keeps the defaut behaviour to blackhole packets as long
      as we have no states. To enable the packet queue the sysctl
      xfrm_larval_drop must be switched off.
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      a0073fe1
  11. 01 Feb, 2013 1 commit
  12. 29 Jan, 2013 2 commits
  13. 21 Jan, 2013 1 commit
  14. 13 Nov, 2012 1 commit
  15. 17 Sep, 2012 1 commit
    • Eric W. Biederman's avatar
      userns: Convert the audit loginuid to be a kuid · e1760bd5
      Eric W. Biederman authored
      Always store audit loginuids in type kuid_t.
      
      Print loginuids by converting them into uids in the appropriate user
      namespace, and then printing the resulting uid.
      
      Modify audit_get_loginuid to return a kuid_t.
      
      Modify audit_set_loginuid to take a kuid_t.
      
      Modify /proc/<pid>/loginuid on read to convert the loginuid into the
      user namespace of the opener of the file.
      
      Modify /proc/<pid>/loginud on write to convert the loginuid
      rom the user namespace of the opener of the file.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Paul Moore <paul@paul-moore.com> ?
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      e1760bd5
  16. 10 Sep, 2012 1 commit
  17. 04 Sep, 2012 1 commit
  18. 20 Aug, 2012 1 commit
    • Patrick McHardy's avatar
      net: ipv6: fix oops in inet_putpeer() · 9d7b0fc1
      Patrick McHardy authored
      Commit 97bab73f (inet: Hide route peer accesses behind helpers.) introduced
      a bug in xfrm6_policy_destroy(). The xfrm_dst's _rt6i_peer member is not
      initialized, causing a false positive result from inetpeer_ptr_is_peer(),
      which in turn causes a NULL pointer dereference in inet_putpeer().
      
      Pid: 314, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #17 To Be Filled By O.E.M. To Be Filled By O.E.M./P4S800D-X
      EIP: 0060:[<c03abf93>] EFLAGS: 00010246 CPU: 0
      EIP is at inet_putpeer+0xe/0x16
      EAX: 00000000 EBX: f3481700 ECX: 00000000 EDX: 000dd641
      ESI: f3481700 EDI: c05e949c EBP: f551def4 ESP: f551def4
       DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
      CR0: 8005003b CR2: 00000070 CR3: 3243d000 CR4: 00000750
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
       f551df04 c0423de1 00000000 f3481700 f551df18 c038d5f7 f254b9f8 f551df28
       f34f85d8 f551df20 c03ef48d f551df3c c0396870 f30697e8 f24e1738 c05e98f4
       f5509540 c05cd2b4 f551df7c c0142d2b c043feb5 f5509540 00000000 c05cd2e8
       [<c0423de1>] xfrm6_dst_destroy+0x42/0xdb
       [<c038d5f7>] dst_destroy+0x1d/0xa4
       [<c03ef48d>] xfrm_bundle_flo_delete+0x2b/0x36
       [<c0396870>] flow_cache_gc_task+0x85/0x9f
       [<c0142d2b>] process_one_work+0x122/0x441
       [<c043feb5>] ? apic_timer_interrupt+0x31/0x38
       [<c03967eb>] ? flow_cache_new_hashrnd+0x2b/0x2b
       [<c0143e2d>] worker_thread+0x113/0x3cc
      
      Fix by adding a init_dst() callback to struct xfrm_policy_afinfo to
      properly initialize the dst's peer pointer.
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d7b0fc1
  19. 15 Aug, 2012 1 commit
  20. 02 Aug, 2012 1 commit
  21. 18 Jul, 2012 1 commit
  22. 27 Jun, 2012 1 commit
  23. 15 May, 2012 1 commit
  24. 02 Apr, 2012 1 commit
  25. 25 Feb, 2012 1 commit
  26. 22 Nov, 2011 2 commits
  27. 10 May, 2011 1 commit
    • Steffen Klassert's avatar
      xfrm: Assign the inner mode output function to the dst entry · 43a4dea4
      Steffen Klassert authored
      As it is, we assign the outer modes output function to the dst entry
      when we create the xfrm bundle. This leads to two problems on interfamily
      scenarios. We might insert ipv4 packets into ip6_fragment when called
      from xfrm6_output. The system crashes if we try to fragment an ipv4
      packet with ip6_fragment. This issue was introduced with git commit
      ad0081e4 (ipv6: Fragment locally generated tunnel-mode IPSec6 packets
      as needed). The second issue is, that we might insert ipv4 packets in
      netfilter6 and vice versa on interfamily scenarios.
      
      With this patch we assign the inner mode output function to the dst entry
      when we create the xfrm bundle. So xfrm4_output/xfrm6_output from the inner
      mode is used and the right fragmentation and netfilter functions are called.
      We switch then to outer mode with the output_finish functions.
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43a4dea4
  28. 22 Apr, 2011 1 commit
  29. 10 Apr, 2011 1 commit
    • Michael Smith's avatar
      Disable rp_filter for IPsec packets · 990078af
      Michael Smith authored
      The reverse path filter interferes with IPsec subnet-to-subnet tunnels,
      especially when the link to the IPsec peer is on an interface other than
      the one hosting the default route.
      
      With dynamic routing, where the peer might be reachable through eth0
      today and eth1 tomorrow, it's difficult to keep rp_filter enabled unless
      fake routes to the remote subnets are configured on the interface
      currently used to reach the peer.
      
      IPsec provides a much stronger anti-spoofing policy than rp_filter, so
      this patch disables the rp_filter for packets with a security path.
      Signed-off-by: default avatarMichael Smith <msmith@cbnco.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      990078af
  30. 29 Mar, 2011 1 commit
  31. 21 Mar, 2011 1 commit
    • Wei Yongjun's avatar
      xfrm: Fix initialize repl field of struct xfrm_state · a454f0cc
      Wei Yongjun authored
      Commit 'xfrm: Move IPsec replay detection functions to a separate file'
        (9fdc4883)
      introduce repl field to struct xfrm_state, and only initialize it
      under SA's netlink create path, the other path, such as pf_key,
      ipcomp/ipcomp6 etc, the repl field remaining uninitialize. So if
      the SA is created by pf_key, any input packet with SA's encryption
      algorithm will cause panic.
      
          int xfrm_input()
          {
              ...
              x->repl->advance(x, seq);
              ...
          }
      
      This patch fixed it by introduce new function __xfrm_init_state().
      
      Pid: 0, comm: swapper Not tainted 2.6.38-next+ #14 Bochs Bochs
      EIP: 0060:[<c078e5d5>] EFLAGS: 00010206 CPU: 0
      EIP is at xfrm_input+0x31c/0x4cc
      EAX: dd839c00 EBX: 00000084 ECX: 00000000 EDX: 01000000
      ESI: dd839c00 EDI: de3a0780 EBP: dec1de88 ESP: dec1de64
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Process swapper (pid: 0, ti=dec1c000 task=c09c0f20 task.ti=c0992000)
      Stack:
       00000000 00000000 00000002 c0ba27c0 00100000 01000000 de3a0798 c0ba27c0
       00000033 dec1de98 c0786848 00000000 de3a0780 dec1dea4 c0786868 00000000
       dec1debc c074ee56 e1da6b8c de3a0780 c074ed44 de3a07a8 dec1decc c074ef32
      Call Trace:
       [<c0786848>] xfrm4_rcv_encap+0x22/0x27
       [<c0786868>] xfrm4_rcv+0x1b/0x1d
       [<c074ee56>] ip_local_deliver_finish+0x112/0x1b1
       [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
       [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
       [<c074ef77>] ip_local_deliver+0x3e/0x44
       [<c074ed44>] ? ip_local_deliver_finish+0x0/0x1b1
       [<c074ec03>] ip_rcv_finish+0x30a/0x332
       [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
       [<c074ef32>] NF_HOOK.clone.1+0x3d/0x44
       [<c074f188>] ip_rcv+0x20b/0x247
       [<c074e8f9>] ? ip_rcv_finish+0x0/0x332
       [<c072797d>] __netif_receive_skb+0x373/0x399
       [<c0727bc1>] netif_receive_skb+0x4b/0x51
       [<e0817e2a>] cp_rx_poll+0x210/0x2c4 [8139cp]
       [<c072818f>] net_rx_action+0x9a/0x17d
       [<c0445b5c>] __do_softirq+0xa1/0x149
       [<c0445abb>] ? __do_softirq+0x0/0x149
      Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a454f0cc
  32. 13 Mar, 2011 4 commits
  33. 12 Mar, 2011 2 commits