Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v5.6-rc7 2019-12-09T08:59:07+00:00 2019-12-09T08:59:07+00:00 Sabrina Dubroca sd@queasysnail.net 2019-11-25T13:49:02+00:00 urn:sha1:e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 TCP encapsulation of IKE and IPsec messages (RFC 8229) is implemented as a TCP ULP, overriding in particular the sendmsg and recvmsg operations. A Stream Parser is used to extract messages out of the TCP stream using the first 2 bytes as length marker. Received IKE messages are put on "ike_queue", waiting to be dequeued by the custom recvmsg implementation. Received ESP messages are sent to XFRM, like with UDP encapsulation. Some of this code is taken from the original submission by Herbert Xu. Currently, only IPv4 is supported, like for UDP encapsulation. Co-developed-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-12-09T08:59:07+00:00 Sabrina Dubroca sd@queasysnail.net 2019-11-25T13:48:58+00:00 urn:sha1:7b3801927e52f8621de311277f7fc727635019e7 This will be used by TCP encapsulation to write packets to the encap socket without holding the user socket's lock. Without this reinjection, we're already holding the lock of the user socket, and then try to lock the encap socket as well when we enqueue the encrypted packet. While at it, add a BUILD_BUG_ON like we usually do for skb->cb, since it's missing for struct xfrm_trans_cb. Co-developed-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-10-09T04:55:32+00:00 Alexey Dobriyan adobriyan@gmail.com 2019-10-03T21:21:57+00:00 urn:sha1:fd1ac07f3f17fbbc2f08e3b43951bed937d86a7b If IPsec is not configured, there is no reason to delay the inevitable. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-07-17T08:03:54+00:00 Nicolas Dichtel nicolas.dichtel@6wind.com 2019-07-15T10:00:23+00:00 urn:sha1:22d6552f827ef76ade3edf6bbb3f05048a0a7d8b With the current implementation, phydev cannot be removed: $ ip link add dummy type dummy $ ip link add xfrm1 type xfrm dev dummy if_id 1 $ ip l d dummy kernel:[77938.465445] unregister_netdevice: waiting for dummy to become free. Usage count = 1 Manage it like in ip tunnels, ie just keep the ifindex. Not that the side effect, is that the phydev is now optional. Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Tested-by: Julien Floret <julien.floret@6wind.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-07-17T08:03:54+00:00 Nicolas Dichtel nicolas.dichtel@6wind.com 2019-07-15T10:00:21+00:00 urn:sha1:e0aaa332e6a97dae57ad59cdb19e21f83c3d081c The ifname is copied when the interface is created, but is never updated later. In fact, this property is used only in one error message, where the netdevice pointer is available, thus let's use it. Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-07-01T04:16:40+00:00 Florian Westphal fw@strlen.de 2019-06-24T20:04:48+00:00 urn:sha1:c7b37c769d2a5e711106a3c793140a4f46768e04 esp4_get_mtu and esp6_get_mtu are exactly the same, the only difference is a single sizeof() (ipv4 vs. ipv6 header). Merge both into xfrm_state_mtu() and remove the indirection. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-06-06T06:34:50+00:00 Florian Westphal fw@strlen.de 2019-05-03T15:46:19+00:00 urn:sha1:4f518e802ccad30c9dccc895f2294398757b87c0 Only a handful of xfrm_types exist, no need to have 512 pointers for them. Reduces size of afinfo struct from 4k to 120 bytes on 64bit platforms. Also, the unregister function doesn't need to return an error, no single caller does anything useful with it. Just place a WARN_ON() where needed instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-06-06T06:34:50+00:00 Florian Westphal fw@strlen.de 2019-05-03T15:46:18+00:00 urn:sha1:4c203b0454b5b6bfafe2c4ab1b5472d4a7a8a0f2 xfrm_prepare_input needs to lookup the state afinfo backend again to fetch the address family ethernet protocol value. There are only two address families, so a switch statement is simpler. While at it, use u8 for family and proto and remove the owner member -- its not used anywhere. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-06-06T06:34:50+00:00 Florian Westphal fw@strlen.de 2019-05-03T15:46:17+00:00 urn:sha1:3aaf3915a31aac83523d2de0191a480d3ad1e747 No module dependency, placing this in xfrm_state.c avoids need for an indirection. This also removes the state spinlock -- I don't see why we would need to hold it during sorting. This in turn allows to remove the 'net' argument passed to xfrm_tmpl_sort. Last, remove the EXPORT_SYMBOL, there are no modular callers. For the CONFIG_IPV6=m case, vmlinux size increase is about 300 byte. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-06-05T11:16:30+00:00 Florian Westphal fw@strlen.de 2019-05-03T15:46:16+00:00 urn:sha1:e46817472a1d7da32e8f265f9469a4e2fa39c60f There is only one implementation of this function; just call it directly. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>