aboutsummaryrefslogtreecommitdiff
path: root/net/xfrm/xfrm_state.c
AgeCommit message (Collapse)Author
2006-12-06audit: disable ipsec auditing when CONFIG_AUDITSYSCALL=nJoy Latten
Disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. Also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-06audit: Add auditing to ipsecJoy Latten
An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-12-06[XFRM] Optimize SA dumpingJamal Hadi Salim
Same comments as in "[XFRM] Optimize policy dumping" The numbers are (20K SAs):
2006-12-05Merge branch 'master' of ↵David Howells
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6 Conflicts: drivers/infiniband/core/iwcm.c drivers/net/chelsio/cxgb2.c drivers/net/wireless/bcm43xx/bcm43xx_main.c drivers/net/wireless/prism54/islpci_eth.c drivers/usb/core/hub.h drivers/usb/input/hid-core.c net/core/netpoll.c Fix up merge failures with Linus's head and fix new compilation failures. Signed-Off-By: David Howells <dhowells@redhat.com>
2006-12-02[XFRM]: annotate ->new_mapping()Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-11-22WorkStruct: make allyesconfigDavid Howells
Fix up for make allyesconfig. Signed-Off-By: David Howells <dhowells@redhat.com>
2006-10-24[XFRM]: Fix xfrm_state accountingPatrick McHardy
xfrm_state_num needs to be increased for XFRM_STATE_ACQ states created by xfrm_state_find() to prevent the counter from going negative when the state is destroyed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-15[XFRM]: Fix xfrm_state_num going negative.David S. Miller
Missing counter bump when hashing in a new ACQ xfrm_state. Now that we have two spots to do the hash grow check, break it out into a helper function. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-10-04[XFRM] STATE: Use destination address for src hash.Masahide NAKAMURA
Src hash is introduced for Mobile IPv6 route optimization usage. On current kenrel code it is calculated with source address only. It results we uses the same hash value for outbound state (when the node has only one address for Mobile IPv6). This patch use also destination address as peer information for src hash to be dispersed. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-28[XFRM]: Do not add a state whose SPI is zero to the SPI hash.Masahide NAKAMURA
SPI=0 is used for acquired IPsec SA and MIPv6 RO state. Such state should not be added to the SPI hash because we do not care about it on deleting path. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2006-09-28[XFRM]: xfrm_spi_hash() annotationsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-28[XFRM]: xfrm_replay_advance() annotationsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-28[XFRM]: xrfm_replay_check() annotationsAl Viro
seq argument is net-endian Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-28[XFRM]: xfrm_state_lookup() annotationsAl Viro
spi argument of xfrm_state_lookup() is net-endian Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-28[XFRM]: xfrm_alloc_spi() annotatedAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM] STATE: Fix flusing with hash mask.Masahide NAKAMURA
This is a minor fix about transformation state flushing for net-2.6.19. Please apply it. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Extract common hashing code into xfrm_hash.[ch]David S. Miller
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Hash xfrm_state objects by source address too.David S. Miller
The source address is always non-prefixed so we should use it to help give entropy to the bydst hash. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Kill excessive refcounting of xfrm_state objects.David S. Miller
The refcounting done for timers and hash table insertions are just wasted cycles. We can eliminate all of this refcounting because: 1) The implicit refcount when the xfrm_state object is active will always be held while the object is in the hash tables. We never kfree() the xfrm_state until long after we've made sure that it has been unhashed. 2) Timers are even easier. Once we mark that x->km.state as anything other than XFRM_STATE_VALID (__xfrm_state_delete sets it to XFRM_STATE_DEAD), any timer that fires will do nothing and return without rearming the timer. Therefore we can defer the del_timer calls until when the object is about to be freed up during GC. We have to use del_timer_sync() and defer it to GC because we can't do a del_timer_sync() while holding x->lock which all callers of __xfrm_state_delete hold. This makes SA changes even more light-weight. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Purge dst references to deleted SAs passively.David S. Miller
Just let GC and other normal mechanisms take care of getting rid of DST cache references to deleted xfrm_state objects instead of walking all the policy bundles. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Do not flush all bundles on SA insert.David S. Miller
Instead, simply set all potentially aliasing existing xfrm_state objects to have the current generation counter value. This will make routes get relooked up the next time an existing route mentioning these aliased xfrm_state objects gets used, via xfrm_dst_check(). Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Simplify xfrm_spi_hashDavid S. Miller
It can use __xfrm{4,6}_addr_hash(). Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Put more keys into destination hash function.David S. Miller
Besides the daddr, key the hash on family and reqid too. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Add generation count to xfrm_state and xfrm_dst.David S. Miller
Each xfrm_state inserted gets a new generation counter value. When a bundle is created, the xfrm_dst objects get the current generation counter of the xfrm_state they will attach to at dst->xfrm. xfrm_bundle_ok() will return false if it sees an xfrm_dst with a generation count different from the generation count of the xfrm_state that dst points to. This provides a facility by which to passively and cheaply invalidate cached IPSEC routes during SA database changes. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Dynamic xfrm_state hash table sizing.David S. Miller
The grow algorithm is simple, we grow if: 1) we see a hash chain collision at insert, and 2) we haven't hit the hash size limit (currently 1*1024*1024 slots), and 3) the number of xfrm_state objects is > the current hash mask All of this needs some tweaking. Remove __initdata from "hashdist" so we can use it safely at run time. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Convert xfrm_state hash linkage to hlists.David S. Miller
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Pull xfrm_state_by{spi,src} hash table knowledge out of afinfo.David S. Miller
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Pull xfrm_state_bydst hash table knowledge out of afinfo.David S. Miller
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Add sorting interface for state and template.Masahide NAKAMURA
Under two transformation policies it is required to merge them. This is a platform to sort state for outbound and templates for inbound respectively. It will be used when Mobile IPv6 and IPsec are used at the same time. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Introduce XFRM_MSG_REPORT.Masahide NAKAMURA
XFRM_MSG_REPORT is a message as notification of state protocol and selector from kernel to user-space. Mobile IPv6 will use it when inbound reject is occurred at route optimization to make user-space know a binding error requirement. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM] STATE: Introduce care-of address.Noriaki TAKAMIYA
Care-of address is carried by state as a transformation option like IPsec encryption/authentication algorithm. Based on MIPL2 kernel patch. Signed-off-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2006-09-22[XFRM] STATE: Common receive function for route optimization extension headers.Masahide NAKAMURA
XFRM_STATE_WILDRECV flag is introduced; the last resort state is set it and receives packet which is not route optimized but uses such extension headers i.e. Mobile IPv6 signaling (binding update and acknowledgement). A node enabled Mobile IPv6 adds the state. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM] STATE: Search by address using source address list.Masahide NAKAMURA
This is a support to search transformation states by its addresses by using source address list for Mobile IPv6 usage. To use it from user-space, it is also added a message type for source address as a xfrm state option. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM] STATE: Add source address list.Masahide NAKAMURA
Support source address based searching. Mobile IPv6 will use it. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[XFRM]: Introduce a helper to compare id protocol.Masahide NAKAMURA
Put the helper to header for future use. Based on MIPL2 kernel patch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[MLSXFRM]: Default labeling of socket specific IPSec policiesVenkat Yekkirala
This defaults the label of socket-specific IPSec policies to be the same as the socket they are set on. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22[MLSXFRM]: Flow based matching of xfrm policy and stateVenkat Yekkirala
This implements a seemless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-07-21[NET]: Conversions from kmalloc+memset to k(z|c)alloc.Panagiotis Issaris
Signed-off-by: Panagiotis Issaris <takis@issaris.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-06-29[XFRM]: unexport xfrm_state_mtuAdrian Bunk
This patch removes the unused EXPORT_SYMBOL(xfrm_state_mtu). Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-06-17[IPSEC] xfrm: Abstract out encapsulation modesHerbert Xu
This patch adds the structure xfrm_mode. It is meant to represent the operations carried out by transport/tunnel modes. By doing this we allow additional encapsulation modes to be added without clogging up the xfrm_input/xfrm_output paths. Candidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and BEET modes. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-06-17[IPSEC] xfrm: Undo afinfo lock proliferationHerbert Xu
The number of locks used to manage afinfo structures can easily be reduced down to one each for policy and state respectively. This is based on the observation that the write locks are only held by module insertion/removal which are very rare events so there is no need to further differentiate between the insertion of modules like ipv6 versus esp6. The removal of the read locks in xfrm4_policy.c/xfrm6_policy.c might look suspicious at first. However, after you realise that nobody ever takes the corresponding write lock you'll feel better :) As far as I can gather it's an attempt to guard against the removal of the corresponding modules. Since neither module can be unloaded at all we can leave it to whoever fixes up IPv6 unloading :) Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-29[XFRM]: fix incorrect xfrm_state_afinfo_lock useIngo Molnar
xfrm_state_afinfo_lock can be read-locked from bh context, so take it in a bh-safe manner in xfrm_state_register_afinfo() and xfrm_state_unregister_afinfo(). Found by the lock validator. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-04-14[XFRM]: Fix aevent timer.Jamal Hadi Salim
Send aevent immediately if we have sent nothing since last timer and this is the first packet. Fixes a corner case when packet threshold is very high, the timer low and a very low packet rate input which is bursty. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[XFRM]: Add some missing exports.David S. Miller
To fix the case of modular xfrm_user. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[XFRM]: Move xfrm_nl to xfrm_state.c from xfrm_user.cDavid S. Miller
xfrm_user could be modular, and since generic code uses this symbol now... Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[XFRM]: Make sure xfrm_replay_timer_handler() is declared early enough.David S. Miller
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[IPSEC]: Sync series - policy expiresJamal Hadi Salim
This is similar to the SA expire insertion patch - only it inserts expires for SP. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[IPSEC]: Sync series - SA expiresJamal Hadi Salim
This patch allows a user to insert SA expires. This is useful to do on an HA backup for the case of byte counts but may not be very useful for the case of time based expiry. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[IPSEC]: Sync series - acquire insertJamal Hadi Salim
This introduces a feature similar to the one described in RFC 2367: " ... the application needing an SA sends a PF_KEY SADB_ACQUIRE message down to the Key Engine, which then either returns an error or sends a similar SADB_ACQUIRE message up to one or more key management applications capable of creating such SAs. ... ... The third is where an application-layer consumer of security associations (e.g. an OSPFv2 or RIPv2 daemon) needs a security association. Send an SADB_ACQUIRE message from a user process to the kernel. <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> The kernel returns an SADB_ACQUIRE message to registered sockets. <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> The user-level consumer waits for an SADB_UPDATE or SADB_ADD message for its particular type, and then can use that association by using SADB_GET messages. " An app such as OSPF could then use ipsec KM to get keys Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-03-20[IPSEC]: Sync series - core changesJamal Hadi Salim
This patch provides the core functionality needed for sync events for ipsec. Derived work of Krisztian KOVACS <hidden@balabit.hu> Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>