summaryrefslogtreecommitdiff
path: root/net/xfrm
AgeCommit message (Collapse)Author
2008-05-13net: Allow netdevices to specify needed head/tailroomJohannes Berg
This patch adds needed_headroom/needed_tailroom members to struct net_device and updates many places that allocate sbks to use them. Not all of them can be converted though, and I'm sure I missed some (I mostly grepped for LL_RESERVED_SPACE) Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-29Merge branch 'audit.b50' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current * 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [PATCH] new predicate - AUDIT_FILETYPE [patch 2/2] Use find_task_by_vpid in audit code [patch 1/2] audit: let userspace fully control TTY input auditing [PATCH 2/2] audit: fix sparse shadowed variable warnings [PATCH 1/2] audit: move extern declarations to audit.h Audit: MAINTAINERS update Audit: increase the maximum length of the key field Audit: standardize string audit interfaces Audit: stop deadlock from signals under load Audit: save audit_backlog_limit audit messages in case auditd comes back Audit: collect sessionid in netlink messages Audit: end printk with newline
2008-04-29Remove duplicated unlikely() in IS_ERR()Hirofumi Nakagawa
Some drivers have duplicated unlikely() macros. IS_ERR() already has unlikely() in itself. This patch cleans up such pointless code. Signed-off-by: Hirofumi Nakagawa <hnakagawa@miraclelinux.com> Acked-by: David S. Miller <davem@davemloft.net> Acked-by: Jeff Garzik <jeff@garzik.org> Cc: Paul Clements <paul.clements@steeleye.com> Cc: Richard Purdie <rpurdie@rpsys.net> Cc: Alessandro Zummo <a.zummo@towertech.it> Cc: David Brownell <david-b@pacbell.net> Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: Michael Halcrow <mhalcrow@us.ibm.com> Cc: Anton Altaparmakov <aia21@cantab.net> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Carsten Otte <cotte@de.ibm.com> Cc: Patrick McHardy <kaber@trash.net> Cc: Paul Mundt <lethal@linux-sh.org> Cc: Jaroslav Kysela <perex@perex.cz> Cc: Takashi Iwai <tiwai@suse.de> Acked-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-28Audit: collect sessionid in netlink messagesEric Paris
Previously I added sessionid output to all audit messages where it was available but we still didn't know the sessionid of the sender of netlink messages. This patch adds that information to netlink messages so we can audit who sent netlink messages. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2008-04-27[IPSEC]: Use digest_null directly for authHerbert Xu
Previously digest_null had no setkey function which meant that we used hmac(digest_null) for IPsec since IPsec always calls setkey. Now that digest_null has a setkey we no longer need to do that. In fact when only confidentiality is specified for ESP we already use digest_null directly. However, when the null algorithm is explicitly specified by the user we still opt for hmac(digest_null). This patch removes this discrepancy. I have not added a new compat name for it because by chance it wasn't actualy possible for the user to specify the name hmac(digest_null) due to a key length check in xfrm_user (which I found out when testing that compat name :) Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-27[XFRM] AUDIT: Fix flowlabel text format ambibuity.YOSHIFUJI Hideaki
Flowlabel text format was not correct and thus ambiguous. For example, 0x00123 or 0x01203 are formatted as 0x123. This is not what audit tools want. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-22[IPSEC]: Fix catch-22 with algorithm IDs above 31Herbert Xu
As it stands it's impossible to use any authentication algorithms with an ID above 31 portably. It just happens to work on x86 but fails miserably on ppc64. The reason is that we're using a bit mask to check the algorithm ID but the mask is only 32 bits wide. After looking at how this is used in the field, I have concluded that in the long term we should phase out state matching by IDs because this is made superfluous by the reqid feature. For current applications, the best solution IMHO is to allow all algorithms when the bit masks are all ~0. The following patch does exactly that. This bug was identified by IBM when testing on the ppc64 platform using the NULL authentication algorithm which has an ID of 251. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-14[XFRM]: Compilation warnings in xfrm_user.c.Denis V. Lunev
When CONFIG_SECURITY_NETWORK_XFRM is undefined the following warnings appears: net/xfrm/xfrm_user.c: In function 'xfrm_add_pol_expire': net/xfrm/xfrm_user.c:1576: warning: 'ctx' may be used uninitialized in this function net/xfrm/xfrm_user.c: In function 'xfrm_get_policy': net/xfrm/xfrm_user.c:1340: warning: 'ctx' may be used uninitialized in this function (security_xfrm_policy_alloc is noop for the case). It seems that they are result of the commit 03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b ("LSM: Make the Labeled IPsec hooks more stack friendly") Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-14Merge branch 'master' of ↵David S. Miller
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/ehea/ehea_main.c drivers/net/wireless/iwlwifi/Kconfig drivers/net/wireless/rt2x00/rt61pci.c net/ipv4/inet_timewait_sock.c net/ipv6/raw.c net/mac80211/ieee80211_sta.c
2008-04-13LSM: Make the Labeled IPsec hooks more stack friendlyPaul Moore
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to fix that problem by changing the LSM API to require only the relevant "security" pointers instead of the entire SPD entry; we do this for all of the security_xfrm_policy*() functions to keep things consistent. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-09[XFRM]: xfrm_user: fix selector family initializationPatrick McHardy
Commit df9dcb45 ([IPSEC]: Fix inter address family IPsec tunnel handling) broke openswan by removing the selector initialization for tunnel mode in case it is uninitialized. This patch restores the initialization, fixing openswan, but probably breaking inter-family tunnels again (unknown since the patch author disappeared). The correct thing for inter-family tunnels is probably to simply initialize the selector family explicitly. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-03-28Merge branch 'master' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/usb/rndis_host.c drivers/net/wireless/b43/dma.c net/ipv6/ndisc.c
2008-03-25[NET] NETNS: Omit net_device->nd_net without CONFIG_NET_NS.YOSHIFUJI Hideaki
Introduce per-net_device inlines: dev_net(), dev_net_set(). Without CONFIG_NET_NS, no namespace other than &init_net exists. Let's explicitly define them to help compiler optimizations. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2008-03-25[XFRM] MIP6: Fix address keys for routing search.YOSHIFUJI Hideaki
Each MIPv6 XFRM state (DSTOPT/RH2) holds either destination or source address to be mangled in the IPv6 header (that is "CoA"). On Inter-MN communication after both nodes binds each other, they use route optimized traffic two MIPv6 states applied, and both source and destination address in the IPv6 header are replaced by the states respectively. The packet format is correct, however, next-hop routing search are not. This patch fixes it by remembering address pairs for later states. Based on patch from Masahide NAKAMURA <nakam@linux-ipv6.org>. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2008-03-24[IPSEC]: Fix inter address family IPsec tunnel handling.Kazunori MIYAZAWA
Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-29[XFRM]: Speed up xfrm_policy and xfrm_state walkingTimo Teras
Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n). This is achieved adding the entries to one more list which is used solely for walking the entries. This also fixes some races where the dump can have duplicate or missing entries when the SPD/SADB is modified during an ongoing dump. Dumping SADB with 20000 entries using "time ip xfrm state" the sys time dropped from 1.012s to 0.080s. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-18[XFRM]: Fix ordering issue in xfrm_dst_hash_transfer().YOSHIFUJI Hideaki
Keep ordering of policy entries with same selector in xfrm_dst_hash_transfer(). Issue should not appear in usual cases because multiple policy entries with same selector are basically not allowed so far. Bug was pointed out by Sebastien Decugis <sdecugis@hongo.wide.ad.jp>. We could convert bydst from hlist to list and use list_add_tail() instead. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Sebastien Decugis <sdecugis@hongo.wide.ad.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-14[XFRM]: Avoid bogus BUG() when throwing new policy away.YOSHIFUJI Hideaki
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> When we destory a new policy entry, we need to tell xfrm_policy_destroy() explicitly that the entry is not alive yet. Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-14net: xfrm statistics depend on INETPaul Mundt
net/built-in.o: In function `xfrm_policy_init': /home/pmundt/devel/git/sh-2.6.25/net/xfrm/xfrm_policy.c:2338: undefined reference to `snmp_mib_init' snmp_mib_init() is only built in if CONFIG_INET is set. Signed-off-by: Paul Mundt <lethal@linux-sh.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-13[IPSEC]: Fix bogus usage of u64 on input sequence numberHerbert Xu
Al Viro spotted a bogus use of u64 on the input sequence number which is big-endian. This patch fixes it by giving the input sequence number its own member in the xfrm_skb_cb structure. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-08[IPSEC]: Add support for aes-ctr.Joy Latten
The below patch allows IPsec to use CTR mode with AES encryption algorithm. Tested this using setkey in ipsec-tools. Signed-off-by: Joy Latten <latten@austin.ibm.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01[PATCH] switch audit_get_loginuid() to task_struct *Al Viro
all callers pass something->audit_context Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2008-02-01[XFRM]: Fix statistics.Masahide NAKAMURA
o Outbound sequence number overflow error status is counted as XfrmOutStateSeqError. o Additionaly, it changes inbound sequence number replay error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError to apply name scheme above. o Inbound IPv4 UDP encapsuling type mismatch error is wrongly mapped to XfrmInStateInvalid then this patch fiex the error to XfrmInStateMismatch. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01[XFRM]: Remove unused exports.Adrian Bunk
This patch removes the following no longer used EXPORT_SYMBOL's: - xfrm_input.c: xfrm_parse_spi - xfrm_state.c: xfrm_replay_check - xfrm_state.c: xfrm_replay_advance Signed-off-by: Adrian Bunk <bunk@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01[XFRM]: constify 'struct xfrm_type'Eric Dumazet
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01[IPSEC]: Add support for combined mode algorithmsHerbert Xu
This patch adds support for combined mode algorithms with GCM being the first algorithm supported. Combined mode algorithms can be added through the xfrm_user interface using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms is identified by its name and the ICV length. For the purposes of matching algorithms in xfrm_tmpl structures, combined mode algorithms occupy the same name space as encryption algorithms. This is in line with how they are negotiated using IKE. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01[IPSEC]: Allow async algorithmsHerbert Xu
Now that ESP uses authenc we can turn on the support for async algorithms in IPsec. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NETNS]: Consolidate kernel netlink socket destruction.Denis V. Lunev
Create a specific helper for netlink kernel socket disposal. This just let the code look better and provides a ground for proper disposal inside a namespace. Signed-off-by: Denis V. Lunev <den@openvz.org> Tested-by: Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM] xfrm_policy: kill some bloatIlpo Järvinen
net/xfrm/xfrm_policy.c: xfrm_audit_policy_delete | -692 xfrm_audit_policy_add | -692 2 functions changed, 1384 bytes removed, diff: -1384 net/xfrm/xfrm_policy.c: xfrm_audit_common_policyinfo | +704 1 function changed, 704 bytes added, diff: +704 net/xfrm/xfrm_policy.o: 3 functions changed, 704 bytes added, 1384 bytes removed, diff: -680 Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Remove ifdef crypto.Sebastian Siewior
and select the crypto subsystem if neccessary Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: xfrm_state_clone() should be static, not exportedEric Dumazet
xfrm_state_clone() is not used outside of net/xfrm/xfrm_state.c There is no need to export it. Spoted by sparse checker. CHECK net/xfrm/xfrm_state.c net/xfrm/xfrm_state.c:1103:19: warning: symbol 'xfrm_state_clone' was not declared. Should it be static? Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM] xfrm_policy_destroy: Rename and relative fixes.WANG Cong
Since __xfrm_policy_destroy is used to destory the resources allocated by xfrm_policy_alloc. So using the name __xfrm_policy_destroy is not correspond with xfrm_policy_alloc. Rename it to xfrm_policy_destroy. And along with some instances that call xfrm_policy_alloc but not using xfrm_policy_destroy to destroy the resource, fix them. Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM] Statistics: Add outbound-dropping error.Masahide NAKAMURA
o Increment PolError counter when flow_cache_lookup() returns errored pointer. o Increment NoStates counter at larval-drop. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Kill some bloatIlpo Järvinen
net/xfrm/xfrm_state.c: xfrm_audit_state_delete | -589 xfrm_replay_check | -542 xfrm_audit_state_icvfail | -520 xfrm_audit_state_add | -589 xfrm_audit_state_replay_overflow | -523 xfrm_audit_state_notfound_simple | -509 xfrm_audit_state_notfound | -521 7 functions changed, 3793 bytes removed, diff: -3793 net/xfrm/xfrm_state.c: xfrm_audit_helper_pktinfo | +522 xfrm_audit_helper_sainfo | +598 2 functions changed, 1120 bytes added, diff: +1120 net/xfrm/xfrm_state.o: 9 functions changed, 1120 bytes added, 3793 bytes removed, diff: -2673 Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPSEC]: Return EOVERFLOW when output sequence number overflowsHerbert Xu
Previously we made it an error on the output path if the sequence number overflowed. However we did not set the err variable accordingly. This patch sets err to -EOVERFLOW in that case. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[NET]: Add some acquires/releases sparse annotations.Eric Dumazet
Add __acquires() and __releases() annotations to suppress some sparse warnings. example of warnings : net/ipv4/udp.c:1555:14: warning: context imbalance in 'udp_seq_start' - wrong count at exit net/ipv4/udp.c:1571:13: warning: context imbalance in 'udp_seq_stop' - unexpected unlock Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPSEC]: Move all calls to xfrm_audit_state_icvfail to xfrm_inputHerbert Xu
Let's nip the code duplication in the bud :) Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPSEC]: Fix double free on skb on async outputHerbert Xu
When the output transform returns EINPROGRESS due to async operation we'll free the skb the straight away as if it were an error. This patch fixes that so that the skb is freed when the async operation completes. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Fix outbound statistics.Masahide NAKAMURA
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Drop packets when replay counter would overflowPaul Moore
According to RFC4303, section 3.3.3 we need to drop outgoing packets which cause the replay counter to overflow: 3.3.3. Sequence Number Generation The sender's counter is initialized to 0 when an SA is established. The sender increments the sequence number (or ESN) counter for this SA and inserts the low-order 32 bits of the value into the Sequence Number field. Thus, the first packet sent using a given SA will contain a sequence number of 1. If anti-replay is enabled (the default), the sender checks to ensure that the counter has not cycled before inserting the new value in the Sequence Number field. In other words, the sender MUST NOT send a packet on an SA if doing so would cause the sequence number to cycle. An attempt to transmit a packet that would result in sequence number overflow is an auditable event. The audit log entry for this event SHOULD include the SPI value, current date/time, Source Address, Destination Address, and (in IPv6) the cleartext Flow ID. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: RFC4303 compliant auditingPaul Moore
This patch adds a number of new IPsec audit events to meet the auditing requirements of RFC4303. This includes audit hooks for the following events: * Could not find a valid SA [sections 2.1, 3.4.2] . xfrm_audit_state_notfound() . xfrm_audit_state_notfound_simple() * Sequence number overflow [section 3.3.3] . xfrm_audit_state_replay_overflow() * Replayed packet [section 3.4.3] . xfrm_audit_state_replay() * Integrity check failure [sections 3.4.4.1, 3.4.4.2] . xfrm_audit_state_icvfail() While RFC4304 deals only with ESP most of the changes in this patch apply to IPsec in general, i.e. both AH and ESP. The one case, integrity check failure, where ESP specific code had to be modified the same was done to the AH code for the sake of consistency. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Assorted IPsec fixupsPaul Moore
This patch fixes a number of small but potentially troublesome things in the XFRM/IPsec code: * Use the 'audit_enabled' variable already in include/linux/audit.h Removed the need for extern declarations local to each XFRM audit fuction * Convert 'sid' to 'secid' everywhere we can The 'sid' name is specific to SELinux, 'secid' is the common naming convention used by the kernel when refering to tokenized LSM labels, unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise we risk breaking userspace * Convert address display to use standard NIP* macros Similar to what was recently done with the SPD audit code, this also also includes the removal of some unnecessary memcpy() calls * Move common code to xfrm_audit_common_stateinfo() Code consolidation from the "less is more" book on software development * Proper spacing around commas in function arguments Minor style tweak since I was already touching the code Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Add packet processing statistics option.Masahide NAKAMURA
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Support to increment packet dropping statistics.Masahide NAKAMURA
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Define packet dropping statistics.Masahide NAKAMURA
This statistics is shown factor dropped by transformation at /proc/net/xfrm_stat for developer. It is a counter designed from current transformation source code and defined as linux private MIB. See Documentation/networking/xfrm_proc.txt for the detail. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM] IPv6: Fix dst/routing check at transformation.Masahide NAKAMURA
IPv6 specific thing is wrongly removed from transformation at net-2.6.25. This patch recovers it with current design. o Update "path" of xfrm_dst since IPv6 transformation should care about routing changes. It is required by MIPv6 and off-link destined IPsec. o Rename nfheader_len which is for non-fragment transformation used by MIPv6 to rt6i_nfheader_len as IPv6 name space. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPSEC]: Do xfrm_state_check_space before encapsulationHerbert Xu
While merging the IPsec output path I moved the encapsulation output operation to the top of the loop so that it sits outside of the locked section. Unfortunately in doing so it now sits in front of the space check as well which could be a fatal error. This patch rearranges the calls so that the space check happens as the thing on the output path. This patch also fixes an incorrect goto should the encapsulation output fail. Thanks to Kazunori MIYAZAWA for finding this bug. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[XFRM]: Fix potential race vs xfrm_state(only)_find and xfrm_hash_resize.Pavel Emelyanov
The _find calls calculate the hash value using the xfrm_state_hmask, without the xfrm_state_lock. But the value of this mask can change in the _resize call under the state_lock, so we risk to fail in finding the desired entry in hash. I think, that the hash value is better to calculate under the state lock. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPSEC]: Fix zero return value in xfrm_lookup on errorHerbert Xu
Further testing shows that my ICMP relookup patch can cause xfrm_lookup to return zero on error which isn't very nice since it leads to the caller dying on null pointer dereference. The bug is due to not setting err to ENOENT just before we leave xfrm_lookup in case of no policy. This patch moves the err setting to where it should be. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28[IPSEC]: Add ICMP host relookup supportHerbert Xu
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch implements this for ICMP traffic that originates from or terminates on localhost. This is activated on outbound with the new policy flag XFRM_POLICY_ICMP, and on inbound by the new state flag XFRM_STATE_ICMP. On inbound the policy check is now performed by the ICMP protocol so that it can repeat the policy check where necessary. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>