kernel/linux.git/include/net/xfrm.h, branch v5.8.17

xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate

2020-10-14T09:55:51+00:00

[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ] XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new. Migrate this attribute during XFRMA_MSG_MIGRATE v1->v2: - move curleft cloning to a separate patch Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state") Signed-off-by: Antony Antony Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin

xfrm: Fix crash when the hold queue is used.

2020-07-21T06:33:56+00:00

The commits "xfrm: Move dst->path into struct xfrm_dst" and "net: Create and use new helper xfrm_dst_child()." changed xfrm bundle handling under the assumption that xdst->path and dst->child are not a NULL pointer only if dst->xfrm is not a NULL pointer. That is true with one exception. If the xfrm hold queue is used to wait until a SA is installed by the key manager, we create a dummy bundle without a valid dst->xfrm pointer. The current xfrm bundle handling crashes in that case. Fix this by extending the NULL check of dst->xfrm with a test of the DST_XFRM_QUEUE flag. Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst") Fixes: b92cf4aab8e6 ("net: Create and use new helper xfrm_dst_child().") Signed-off-by: Steffen Klassert

xfrm: policy: match with both mark and mask on user interfaces

2020-06-24T07:13:13+00:00

In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"), it would take 'priority' to make a policy unique, and allow duplicated policies with different 'priority' to be added, which is not expected by userland, as Tobias reported in strongswan. To fix this duplicated policies issue, and also fix the issue in commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"), when doing add/del/get/update on user interfaces, this patch is to change to look up a policy with both mark and mask by doing: mark.v == pol->mark.v && mark.m == pol->mark.m and leave the check: (mark & pol->mark.m) == pol->mark.v for tx/rx path only. As the userland expects an exact mark and mask match to manage policies. v1->v2: - make xfrm_policy_mark_match inline and fix the changelog as Tobias suggested. Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark") Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list") Reported-by: Tobias Brunner Tested-by: Tobias Brunner Signed-off-by: Xin Long Signed-off-by: Steffen Klassert

xfrm: Fix double ESP trailer insertion in IPsec crypto offload.

2020-06-04T08:45:14+00:00

During IPsec performance testing, we see bad ICMP checksum. The error packet has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call is from ip_output, but the packet cannot be sent because netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second call is from NET_TX softirq. However after the first call, the packet already has the ESP trailer. Fix by marking the skb with XFRM_XMIT bit after the packet is handled by validate_xmit_xfrm to avoid duplicate ESP trailer insertion. Fixes: f6e27114a60a ("net: Add a xfrm validate function to validate_xmit_skb") Signed-off-by: Huy Nguyen Reviewed-by: Boris Pismenny Reviewed-by: Raed Salem Reviewed-by: Saeed Mahameed Signed-off-by: Steffen Klassert

xfrm: remove output_finish indirection from xfrm_state_afinfo

2020-05-06T07:40:08+00:00

There are only two implementaions, one for ipv4 and one for ipv6. Both are almost identical, they clear skb->cb[], set the TRANSFORMED flag in IP(6)CB and then call the common xfrm_output() function. By placing the IPCB handling into the common function, we avoid the need for the output_finish indirection as the output functions can simply use xfrm_output(). Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert

xfrm: remove extract_output indirection from xfrm_state_afinfo

2020-05-06T07:40:08+00:00

Move this to xfrm_output.c. This avoids the state->extract_output indirection. This patch also removes the duplicated __xfrm6_extract_header helper added in an earlier patch, we can now use the one from xfrm_inout.h . Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert

xfrm: place xfrm6_local_dontfrag in xfrm.h

2020-05-06T07:40:08+00:00

so next patch can re-use it from net/xfrm/xfrm_output.c without causing a linker error when IPV6 is a module. Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert

xfrm: expose local_rxpmtu via ipv6_stubs

2020-05-06T07:40:08+00:00

We cannot call this function from the core kernel unless we would force CONFIG_IPV6=y. Therefore expose this via ipv6_stubs so we can call it from net/xfrm in the followup patch. Since the call is expected to be unlikely, no extra code for the IPV6=y case is added and we will always eat the indirection cost. Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert

xfrm: move xfrm4_extract_header to common helper

2020-05-06T07:40:08+00:00

The function only initializes the XFRM CB in the skb. After previous patch xfrm4_extract_header is only called from net/xfrm/xfrm_{input,output}.c. Because of IPV6=m linker errors the ipv6 equivalent (xfrm6_extract_header) was already placed in xfrm_inout.h because we can't call functions residing in a module from the core. So do the same for the ipv4 helper and place it next to the ipv6 one. Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert

xfrm: state: remove extract_input indirection from xfrm_state_afinfo

2020-05-06T07:40:08+00:00

In order to keep CONFIG_IPV6=m working, xfrm6_extract_header needs to be duplicated. It will be removed again in a followup change when the remaining caller is moved to net/xfrm as well. Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert