From 02bfd8ecf5cf980ede53e30a903b102924fc32f4 Mon Sep 17 00:00:00 2001
From: Steffen Klassert
Date: Tue, 27 Nov 2012 09:46:17 +0100
Subject: xfrm: Remove unused defines

XFRM_REPLAY_SEQ, XFRM_REPLAY_OSEQ and XFRM_REPLAY_SEQ_MASK were introduced years ago but actually never used.

Signed-off-by: Steffen Klassert
---
 include/net/xfrm.h | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'include/net/xfrm.h')
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 63445ede48bb..421f764794d5 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -557,10 +557,6 @@ struct xfrm_migrate {
 };
 
 #define XFRM_KM_TIMEOUT 30
-/* which seqno */
-#define XFRM_REPLAY_SEQ 1
-#define XFRM_REPLAY_OSEQ 2
-#define XFRM_REPLAY_SEQ_MASK 3
 /* what happened */
 #define XFRM_REPLAY_UPDATE XFRM_AE_CR
 #define XFRM_REPLAY_TIMEOUT XFRM_AE_CE
-- 
cgit v1.2.3
From ff88b30c717f21dffba6784cae4d3287da16f6ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?YOSHIFUJI=20Hideaki=20/=20=E5=90=89=E8=97=A4=E8=8B=B1?= =?UTF-8?q?=E6=98=8E?=
Date: Tue, 29 Jan 2013 12:48:31 +0000
Subject: xfrm: Use ipv6_addr_equal() where appropriate.

Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'include/net/xfrm.h')
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 421f764794d5..0d8a797f0441 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1032,7 +1032,7 @@ static inline int __xfrm6_state_addr_cmp(const struct xfrm_tmpl *tmpl,
 const struct xfrm_state *x)
 {
 return (!ipv6_addr_any((struct in6_addr*)&tmpl->saddr) &&
- ipv6_addr_cmp((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
+ !ipv6_addr_equal((struct in6_addr *)&tmpl->saddr, (struct in6_addr*)&x->props.saddr));
 }
 
 static inline int
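Review bot: The casts on the new `!ipv6_addr_equal()` line still strip const from `tmpl` and `x`, both of which are `const` parameters, even though ipv6_addr_equal() and ipv6_addr_any() take `const struct in6_addr *`; the @@ -1243 hunk of this commit keeps the same pattern in __xfrm6_state_addr_check(). Since the call is being rewritten anyway, the casts could become `(const struct in6_addr *)` so the function stays const-correct: `!ipv6_addr_equal((const struct in6_addr *)&tmpl->saddr, (const struct in6_addr *)&x->props.saddr));`. The xfrm6_addr_equal() helper this commit adds at @@ -1588 is defined further down the header, so neither of these functions can use it without the helper being moved above them.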
@@ -1243,8 +1243,8 @@ static __inline__ int
 __xfrm6_state_addr_check(const struct xfrm_state *x,
 const xfrm_address_t *daddr, const xfrm_address_t *saddr)
 {
- if (!ipv6_addr_cmp((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
- (!ipv6_addr_cmp((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr)||
+ if (ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)&x->id.daddr) &&
+ (ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)&x->props.saddr) ||
 ipv6_addr_any((struct in6_addr *)saddr) ||
 ipv6_addr_any((struct in6_addr *)&x->props.saddr)))
 return 1;
@@ -1588,6 +1588,13 @@ static inline int xfrm_addr_cmp(const xfrm_address_t *a,
 }
 }
 
+static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
+ const xfrm_address_t *b)
+{
+ return ipv6_addr_equal((const struct in6_addr *)a,
+ (const struct in6_addr *)b);
+}
+
 static inline int xfrm_policy_id2dir(u32 index)
 {
 return index & 7;
-- 
cgit v1.2.3
From 70e94e66aec255aff276397f5ed3f3626c548f1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?YOSHIFUJI=20Hideaki=20/=20=E5=90=89=E8=97=A4=E8=8B=B1?= =?UTF-8?q?=E6=98=8E?=
Date: Tue, 29 Jan 2013 12:48:50 +0000
Subject: xfrm: Convert xfrm_addr_cmp() to boolean xfrm_addr_equal().

All users of xfrm_addr_cmp() use its result as boolean. Introduce xfrm_addr_equal() (which is equal to !xfrm_addr_cmp()) and convert all users.

Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
---
 include/net/xfrm.h | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
(limited to 'include/net/xfrm.h')
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 0d8a797f0441..de34883e8b16 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
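Review bot: The new `xfrm6_addr_equal()` reinterprets an `xfrm_address_t` as a whole `struct in6_addr`, so it is only meaningful when the caller has already established that both addresses are IPv6; for an address that was populated as an IPv4 `a4`, the comparison presumably also covers the remaining bytes of the union, whose contents this hunk says nothing about (the union layout lives in the uapi header, not here). The helper carries no comment stating that precondition, and in a header every caller sees only the signature. I would add above it `/* Compare two xfrm addresses already known to be AF_INET6; all 16 bytes of the union are compared. */`.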
@@ -1574,27 +1574,26 @@ extern struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe);
 extern struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len,
 int probe);
 
-static inline int xfrm_addr_cmp(const xfrm_address_t *a,
- const xfrm_address_t *b,
- int family)
+static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
+ const xfrm_address_t *b)
+{
+ return ipv6_addr_equal((const struct in6_addr *)a,
+ (const struct in6_addr *)b);
+}
+
+static inline bool xfrm_addr_equal(const xfrm_address_t *a,
+ const xfrm_address_t *b,
+ sa_family_t family)
 {
 switch (family) {
 default:
 case AF_INET:
- return (__force u32)a->a4 - (__force u32)b->a4;
+ return ((__force u32)a->a4 ^ (__force u32)b->a4) == 0;
 case AF_INET6:
- return ipv6_addr_cmp((const struct in6_addr *)a,
- (const struct in6_addr *)b);
+ return xfrm6_addr_equal(a, b);
 }
 }
 
-static inline bool xfrm6_addr_equal(const xfrm_address_t *a,
- const xfrm_address_t *b)
-{
- return ipv6_addr_equal((const struct in6_addr *)a,
- (const struct in6_addr *)b);
-}
-
 static inline int xfrm_policy_id2dir(u32 index)
 {
 return index & 7;
-- 
cgit v1.2.3
From 7e50f84c94b82c3b2d23ac8878012b3b60ea0e96 Mon Sep 17 00:00:00 2001
From: Jussi Kivilinna
Date: Thu, 31 Jan 2013 12:40:38 +0200
Subject: pf_key/xfrm_algo: prepare pf_key and xfrm_algo for new algorithms without pfkey support

Mark existing algorithms as pfkey supported and make pfkey only use algorithms that have pfkey_supported set.

Signed-off-by: Jussi Kivilinna
Signed-off-by: Steffen Klassert
---
 include/net/xfrm.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'include/net/xfrm.h')
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 421f764794d5..814a1baa175c 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1320,6 +1320,7 @@ struct xfrm_algo_desc {
 char *name;
 char *compat;
 u8 available:1;
+ u8 pfkey_supported:1;
 union {
 struct xfrm_algo_aead_info aead;
 struct xfrm_algo_auth_info auth;
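Review bot: In the new `xfrm_addr_equal()` the AF_INET arm, `((__force u32)a->a4 ^ (__force u32)b->a4) == 0`, is a mechanical inversion of the old subtraction; the `__force` casts were only needed because sparse rejects arithmetic on `__be32`, and a plain equality test of two same-typed `__be32` values needs neither the casts nor the XOR, so `return a->a4 == b->a4;` says the same thing more directly. The `default:` label still falls into the AF_INET arm, so an unrecognised family is silently compared as four bytes and can report equality; that is inherited behaviour rather than new, but now that the result is a `bool` used for matching it deserves a one-line comment at `default:` saying that unknown families are deliberately treated as IPv4 instead of being rejected.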
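Review bot: The new `pfkey_supported:1` bit in `struct xfrm_algo_desc` has no comment, and the neighbouring `available:1` has none either, so a reader of the header cannot tell how the two differ or who sets each. If the descriptor tables use designated initialisers, as the commit message's "mark existing algorithms" suggests, any algorithm that is not explicitly marked defaults to 0 and is therefore hidden from PF_KEY — a deny-by-default that is the right choice for algorithms without a PF_KEY identifier and is worth stating where the bit is declared: `u8 pfkey_supported:1; /* set for algorithms PF_KEY may report and use; 0 (the default) hides them from PF_KEY */`.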
@@ -1561,8 +1562,8 @@ extern void xfrm_input_init(void);
 extern int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq);
 
 extern void xfrm_probe_algs(void);
-extern int xfrm_count_auth_supported(void);
-extern int xfrm_count_enc_supported(void);
+extern int xfrm_count_pfkey_auth_supported(void);
+extern int xfrm_count_pfkey_enc_supported(void);
 extern struct xfrm_algo_desc *xfrm_aalg_get_byidx(unsigned int idx);
 extern struct xfrm_algo_desc *xfrm_ealg_get_byidx(unsigned int idx);
 extern struct xfrm_algo_desc *xfrm_aalg_get_byid(int alg_id);
-- 
cgit v1.2.3
From a0073fe18e718a1c815fe8b0120f1ac3c60284ba Mon Sep 17 00:00:00 2001
From: Steffen Klassert
Date: Tue, 5 Feb 2013 12:52:55 +0100
Subject: xfrm: Add a state resolution packet queue

As the default, we blackhole packets until the key manager resolves the states. This patch implements a packet queue where IPsec packets are queued until the states are resolved. We generate a dummy xfrm bundle, the output routine of the returned route enqueues the packet to a per policy queue and arms a timer that checks for state resolution when dst_output() is called. Once the states are resolved, the packets are sent out of the queue. If the states are not resolved after some time, the queue is flushed. This patch keeps the defaut behaviour to blackhole packets as long as we have no states. To enable the packet queue the sysctl xfrm_larval_drop must be switched off.

Signed-off-by: Steffen Klassert
---
 include/net/xfrm.h | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'include/net/xfrm.h')
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 814a1baa175c..30f3e5b362ee 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -501,6 +501,12 @@ struct xfrm_policy_walk {
 u32 seq;
 };
 
+struct xfrm_policy_queue {
+ struct sk_buff_head hold_queue;
+ struct timer_list hold_timer;
+ unsigned long timeout;
+};
+
 struct xfrm_policy {
 #ifdef CONFIG_NET_NS
 struct net *xp_net;
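Review bot: `struct xfrm_policy_queue` introduces a per-policy `hold_queue` of skbs, but nothing in the struct bounds its length; the commit message says the queue is flushed after a timeout, so unless the enqueue path (outside this hunk and not on this page) caps the queue, a policy whose states never resolve buffers packets for the whole hold period and the memory held scales with the sender's rate. Whatever limit the enqueue path applies belongs in this header so the contract is visible where the type is declared, and each field deserves a comment: `struct sk_buff_head hold_queue; /* packets parked until the policy's states resolve */`, `struct timer_list hold_timer; /* re-checks resolution; flushes the queue once timeout passes */`, `unsigned long timeout; /* NOTE(review): appears to be a jiffies deadline — confirm */`.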
@@ -522,6 +528,7 @@ struct xfrm_policy {
 struct xfrm_lifetime_cfg lft;
 struct xfrm_lifetime_cur curlft;
 struct xfrm_policy_walk_entry walk;
+ struct xfrm_policy_queue polq;
 u8 type;
 u8 action;
 u8 flags;
-- 
cgit v1.2.3
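Review bot: Embedding `polq` in `struct xfrm_policy` gives every policy a live timer and an skb list, so the policy teardown path must stop `hold_timer` and purge `hold_queue` before the policy memory is released, and the timer callback must not outlive the policy; that code is outside this hunk and the commit's other files are not shown on this page, so I cannot confirm it is there. A comment on the member would record the ordering for later maintainers: `struct xfrm_policy_queue polq; /* timer must be stopped and queue purged before the policy is freed */`.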