)]}' { "log": [ { "commit": "a1e59abf824969554b90facd44a4ab16e265afa4", "tree": "b981536bbf7dde2c55e9a5223a5e31bea2c356a2", "parents": [ "1ef9696c909060ccdae3ade245ca88692b49285b" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Tue Sep 19 12:57:34 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:19:06 2006 -0700" }, "message": "[XFRM]: Fix wildcard as tunnel source\n\nHashing SAs by source address breaks templates with wildcards as tunnel\nsource since the source address used for hashing/lookup is still 0/0.\nMove source address lookup to xfrm_tmpl_resolve_one() so we can use the\nreal address in the lookup.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d1d9facfd1b326e0df587c96f0ee55de2ae9f946", "tree": "a451927f0a8269ce7a34ca0cb833c0f5d16f2576", "parents": [ "eb878e84575fbce21d2edb079eada78bfa27023d" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Sep 01 00:32:12 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:49 2006 -0700" }, "message": "[XFRM]: remove xerr_idxp from __xfrm_policy_check()\n\nIt seems that during the MIPv6 respin, some code which was originally\nconditionally compiled around CONFIG_XFRM_ADVANCED was accidently left\nin after the config option was removed.\n\nThis patch removes an extraneous pointer (xerr_idxp) which is no\nlonger needed.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a9917c06652165fe4eeb9ab7a5d1e0674e90e508", "tree": "d73dacb6b29848b143bd760fcacec5831f5a8ece", "parents": [ "ff9b5e0f08cb650d113eef0c654f931c0a7ae730" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Thu Aug 31 15:14:32 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:45 2006 -0700" }, "message": "[XFRM] STATE: Fix flusing with hash mask.\n\nThis is a minor fix about transformation state flushing\nfor net-2.6.19. Please apply it.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e5d679f33900c71d1a76ba07c5b04055abd34480", "tree": "fb581f7156870056dbb91feaab9d3dd22fdcf61e", "parents": [ "ff5dfe736dd9f6c74b206aa77c0465dfd503bdb9" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Sat Aug 26 19:25:52 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:19 2006 -0700" }, "message": "[NET]: Use SLAB_PANIC\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "acba48e1a3c95082af1e12c5efaaca3506103a92", "tree": "a6c001ca19cfb67427aaec822952c32bb0916568", "parents": [ "65e3d72654d9a33cdccd5c19777a5515ae9dd37d" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Aug 25 15:46:46 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:05 2006 -0700" }, "message": "[XFRM]: Respect priority in policy lookups.\n\nEven if we find an exact match in the hash table,\nwe must inspect the inexact list to look for a match\nwith a better priority.\n\nNoticed by Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "44e36b42a8378be1dcf7e6f8a1cb2710a8903387", "tree": "2c057957a4e4dc7f679ac671a9f091f3fe366b92", "parents": [ "2518c7c2b3d7f0a6b302b4efe17c911f8dd4049f" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 04:50:50 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:49 2006 -0700" }, "message": "[XFRM]: Extract common hashing code into xfrm_hash.[ch]\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2518c7c2b3d7f0a6b302b4efe17c911f8dd4049f", "tree": "7de05ca17d76eee141d4feff3b7b27d850557ae6", "parents": [ "c1969f294e624d5b642fc8e6ab9468b7c7791fa8" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 04:45:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:48 2006 -0700" }, "message": "[XFRM]: Hash policies when non-prefixed.\n\nThis idea is from Alexey Kuznetsov.\n\nIt is common for policies to be non-prefixed. And for\nthat case we can optimize lookups, insert, etc. quite\na bit.\n\nFor each direction, we have a dynamically sized policy\nhash table for non-prefixed policies. We also have a\nhash table on policy-\u003eindex.\n\nFor prefixed policies, we have a list per-direction which\nwe will consult on lookups when a non-prefix hashtable\nlookup fails.\n\nThis still isn\u0027t as efficient as I would like it. There\nare four immediate problems:\n\n1) Lots of excessive refcounting, which can be fixed just\n like xfrm_state was\n2) We do 2 hash probes on insert, one to look for dups and\n one to allocate a unique policy-\u003eindex. Althought I wonder\n how much this matters since xfrm_state inserts do up to\n 3 hash probes and that seems to perform fine.\n3) xfrm_policy_insert() is very complex because of the priority\n ordering and entry replacement logic.\n4) Lots of counter bumping, in addition to policy refcounts,\n in the form of xfrm_policy_count[]. This is merely used\n to let code path(s) know that some IPSEC rules exist. So\n this count is indexed per-direction, maybe that is overkill.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c1969f294e624d5b642fc8e6ab9468b7c7791fa8", "tree": "b2487a8cd5d2552e837ceaeb279e660267e528b3", "parents": [ "a47f0ce05ae12ce9acad62896ff703175764104e" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 04:00:03 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:47 2006 -0700" }, "message": "[XFRM]: Hash xfrm_state objects by source address too.\n\nThe source address is always non-prefixed so we should use\nit to help give entropy to the bydst hash.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a47f0ce05ae12ce9acad62896ff703175764104e", "tree": "7d2d64d86ca869b2039ffe8ec066a5daa87b8673", "parents": [ "1c0953997567b22e32fdf85d3b4bc0f2461fd161" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:54:22 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:47 2006 -0700" }, "message": "[XFRM]: Kill excessive refcounting of xfrm_state objects.\n\nThe refcounting done for timers and hash table insertions\nare just wasted cycles. We can eliminate all of this\nrefcounting because:\n\n1) The implicit refcount when the xfrm_state object is active\n will always be held while the object is in the hash tables.\n We never kfree() the xfrm_state until long after we\u0027ve made\n sure that it has been unhashed.\n\n2) Timers are even easier. Once we mark that x-\u003ekm.state as\n anything other than XFRM_STATE_VALID (__xfrm_state_delete\n sets it to XFRM_STATE_DEAD), any timer that fires will\n do nothing and return without rearming the timer.\n\n Therefore we can defer the del_timer calls until when the\n object is about to be freed up during GC. We have to use\n del_timer_sync() and defer it to GC because we can\u0027t do\n a del_timer_sync() while holding x-\u003elock which all callers\n of __xfrm_state_delete hold.\n\nThis makes SA changes even more light-weight.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1c0953997567b22e32fdf85d3b4bc0f2461fd161", "tree": "5e4d691503d911f2134734e345ae0d7f01b97e4e", "parents": [ "c7f5ea3a4d1ae6b3b426e113358fdc57494bc754" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:30:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:46 2006 -0700" }, "message": "[XFRM]: Purge dst references to deleted SAs passively.\n\nJust let GC and other normal mechanisms take care of getting\nrid of DST cache references to deleted xfrm_state objects\ninstead of walking all the policy bundles.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c7f5ea3a4d1ae6b3b426e113358fdc57494bc754", "tree": "d77be695b79131617029d8586fd729a6b94b56e5", "parents": [ "2575b65434d56559bd03854450b9b6aaf19b9c90" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:29:04 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:45 2006 -0700" }, "message": "[XFRM]: Do not flush all bundles on SA insert.\n\nInstead, simply set all potentially aliasing existing xfrm_state\nobjects to have the current generation counter value.\n\nThis will make routes get relooked up the next time an existing\nroute mentioning these aliased xfrm_state objects gets used,\nvia xfrm_dst_check().\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2575b65434d56559bd03854450b9b6aaf19b9c90", "tree": "6e7ae9460a5a61b97f3964b2cb97ff5524e2557b", "parents": [ "a624c108e5595b5827796c253481436929cd5344" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:26:44 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:44 2006 -0700" }, "message": "[XFRM]: Simplify xfrm_spi_hash\n\nIt can use __xfrm{4,6}_addr_hash().\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a624c108e5595b5827796c253481436929cd5344", "tree": "55b4f940a86c1c842c93fd7c98423aa86c0e48da", "parents": [ "9d4a706d852411154d0c91b9ffb3bec68b94b25c" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:24:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:43 2006 -0700" }, "message": "[XFRM]: Put more keys into destination hash function.\n\nBesides the daddr, key the hash on family and reqid too.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9d4a706d852411154d0c91b9ffb3bec68b94b25c", "tree": "1613607168baa8b654c300895cd7d0ffb6f18581", "parents": [ "f034b5d4efdfe0fb9e2a1ce1d95fa7914f24de49" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:18:09 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:42 2006 -0700" }, "message": "[XFRM]: Add generation count to xfrm_state and xfrm_dst.\n\nEach xfrm_state inserted gets a new generation counter\nvalue. When a bundle is created, the xfrm_dst objects\nget the current generation counter of the xfrm_state\nthey will attach to at dst-\u003exfrm.\n\nxfrm_bundle_ok() will return false if it sees an\nxfrm_dst with a generation count different from the\ngeneration count of the xfrm_state that dst points to.\n\nThis provides a facility by which to passively and\ncheaply invalidate cached IPSEC routes during SA\ndatabase changes.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f034b5d4efdfe0fb9e2a1ce1d95fa7914f24de49", "tree": "e166f1e87606f7e53a78cac543284c3484481727", "parents": [ "8f126e37c0b250310a48a609bedf92a19a5559ec" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:08:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:41 2006 -0700" }, "message": "[XFRM]: Dynamic xfrm_state hash table sizing.\n\nThe grow algorithm is simple, we grow if:\n\n1) we see a hash chain collision at insert, and\n2) we haven\u0027t hit the hash size limit (currently 1*1024*1024 slots), and\n3) the number of xfrm_state objects is \u003e the current hash mask\n\nAll of this needs some tweaking.\n\nRemove __initdata from \"hashdist\" so we can use it safely at run time.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "8f126e37c0b250310a48a609bedf92a19a5559ec", "tree": "c1de0aea5f425d74b99453e9edb4561dfd147d2c", "parents": [ "edcd582152090bfb0ccb4ad444c151798a73eda8" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 02:45:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:40 2006 -0700" }, "message": "[XFRM]: Convert xfrm_state hash linkage to hlists.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "edcd582152090bfb0ccb4ad444c151798a73eda8", "tree": "9d6051e71c5c22c50315d6b2c740170002469288", "parents": [ "2770834c9f44afd1bfa13914c7285470775af657" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 00:42:45 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:39 2006 -0700" }, "message": "[XFRM]: Pull xfrm_state_by{spi,src} hash table knowledge out of afinfo.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2770834c9f44afd1bfa13914c7285470775af657", "tree": "40191fdc632e572bc7878f57dc8fb385109a3aa8", "parents": [ "64d9fdda8e1bdf416b2d9203c3ad9c249ea301be" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 00:13:10 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:38 2006 -0700" }, "message": "[XFRM]: Pull xfrm_state_bydst hash table knowledge out of afinfo.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f7b6983f0feeefcd2a594138adcffe640593d8de", "tree": "41878fad9f0f0306718fa832eac7dfa76f51222d", "parents": [ "41a49cc3c02ace59d4dddae91ea211c330970ee3" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:49:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:35 2006 -0700" }, "message": "[XFRM] POLICY: Support netlink socket interface for sub policy.\n\nSub policy can be used through netlink socket.\nPF_KEY uses main only and it is TODO to support sub.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "41a49cc3c02ace59d4dddae91ea211c330970ee3", "tree": "bca262bd2d32f1cf7473b5360052ff3103845e23", "parents": [ "4e81bb8336a0ac50289d4d4c7a55e559b994ee8f" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:48:31 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:34 2006 -0700" }, "message": "[XFRM]: Add sorting interface for state and template.\n\nUnder two transformation policies it is required to merge them.\nThis is a platform to sort state for outbound and templates\nfor inbound respectively.\nIt will be used when Mobile IPv6 and IPsec are used at the same time.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4e81bb8336a0ac50289d4d4c7a55e559b994ee8f", "tree": "fefa71843c3f8152dd0a008b3b40fe2e42d204d7", "parents": [ "c11f1a15c522ddd3bbd2c32b5ce3e0b1831b22f2" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:43:30 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:34 2006 -0700" }, "message": "[XFRM] POLICY: sub policy support.\n\nSub policy is introduced. Main and sub policy are applied the same flow.\n(Policy that current kernel uses is named as main.)\nIt is required another transformation policy management to keep IPsec\nand Mobile IPv6 lives separate.\nPolicy which lives shorter time in kernel should be a sub i.e. normally\nmain is for IPsec and sub is for Mobile IPv6.\n(Such usage as two IPsec policies on different database can be used, too.)\n\nLimitation or TODOs:\n - Sub policy is not supported for per socket one (it is always inserted as main).\n - Current kernel makes cached outbound with flowi to skip searching database.\n However this patch makes it disabled only when \"two policies are used and\n the first matched one is bypass case\" because neither flowi nor bundle\n information knows about transformation template size.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\n" }, { "commit": "c11f1a15c522ddd3bbd2c32b5ce3e0b1831b22f2", "tree": "6946876fcace9b21e142ba21f03a6ebd7801e8d2", "parents": [ "01be8e5d59d7e6da5c425a31b43709c2a4a69b5d" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:38:14 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:33 2006 -0700" }, "message": "[XFRM] POLICY: Add Kconfig to support sub policy.\n\nAdd Kconfig to support sub policy.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "tree": "424700fb0a41b28c5615d0d21ca74d699e1fa872", "parents": [ "df0ba92a99ca757039dfa84a929281ea3f7a50e8" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:44:06 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:30 2006 -0700" }, "message": "[XFRM]: Introduce XFRM_MSG_REPORT.\n\nXFRM_MSG_REPORT is a message as notification of state protocol and\nselector from kernel to user-space.\n\nMobile IPv6 will use it when inbound reject is occurred at route\noptimization to make user-space know a binding error requirement.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "df0ba92a99ca757039dfa84a929281ea3f7a50e8", "tree": "26f1f562c513ad43f813dcf2c58d426a3649625b", "parents": [ "2ce4272a699c731b9736d76126dc742353e381db" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:41:00 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:29 2006 -0700" }, "message": "[XFRM]: Trace which secpath state is reject factor.\n\nFor Mobile IPv6 usage, it is required to trace which secpath state is\nreject factor in order to notify it to user space (to know the address\nwhich cannot be used route optimized communication).\n\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Henrik Petander \u003cpetander@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e23c7194a8a21e96b99106bdabde94614c4b84d6", "tree": "a1b7f5ec06b0f3f82db55c5250d3021417c07270", "parents": [ "3d126890dd67beffec27c1b6f51c040fc8d0b526" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:33:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:59 2006 -0700" }, "message": "[XFRM] STATE: Add Mobile IPv6 route optimization protocols to netlink interface.\n\nAdd Mobile IPv6 route optimization protocols to netlink interface.\nRoute optimization states carry care-of address.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "654b32c6aad19d2fd363813cd8a1a1e64daf611b", "tree": "280057a850e9d79752eb6b20bafb475a0c6f67d9", "parents": [ "e53820de0f81da1429048634cadc6ef5f50c2f8b" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 19:12:56 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:45 2006 -0700" }, "message": "[XFRM]: Fix message about transformation user interface.\n\nTransformation user interface is not only for IPsec.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e53820de0f81da1429048634cadc6ef5f50c2f8b", "tree": "7a63689f564c0719a0d4fea2cc5d3b84ea00fbbd", "parents": [ "9afaca057980c02771f4657c455cc7592fcd7373" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 19:12:01 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:44 2006 -0700" }, "message": "[XFRM] IPV6: Restrict bundle reusing\n\nFor outbound transformation, bundle is checked whether it is\nsuitable for current flow to be reused or not. In such IPv6 case\nas below, transformation may apply incorrect bundle for the flow instead\nof creating another bundle:\n\n- The policy selector has destination prefix length \u003c 128\n (Two or more addresses can be matched it)\n- Its bundle holds dst entry of default route whose prefix length \u003c 128\n (Previous traffic was used such route as next hop)\n- The policy and the bundle were used a transport mode state and\n this time flow address is not matched the bundled state.\n\nThis issue is found by Mobile IPv6 usage to protect mobility signaling\nby IPsec, but it is not a Mobile IPv6 specific.\nThis patch adds strict check to xfrm_bundle_ok() for each\nstate mode and address when prefix length is less than 128.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9afaca057980c02771f4657c455cc7592fcd7373", "tree": "3ef6e1b304248fad27c8063b7fbffdba966a0671", "parents": [ "060f02a3bdd4d9ba8aa3c48e9b470672b1f3a585" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:20:16 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:43 2006 -0700" }, "message": "[XFRM] IPV6: Update outbound state timestamp for each sending.\n\nWith this patch transformation state is updated last used time\nfor each sending. Xtime is used for it like other state lifetime\nexpiration.\nMobile IPv6 enabled nodes will want to know traffic status of each\nbinding (e.g. judgement to request binding refresh by correspondent node,\nor to keep home/care-of nonce alive by mobile node).\nThe last used timestamp is an important hint about it.\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Henrik Petander \u003cpetander@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "060f02a3bdd4d9ba8aa3c48e9b470672b1f3a585", "tree": "0eb60cf50ad70ceb856c82c32124470f6bce2d86", "parents": [ "1b5c229987dc4d0c92a38fac0cde2aeec08cd775" ], "author": { "name": "Noriaki TAKAMIYA", "email": "takamiya@po.ntts.co.jp", "time": "Wed Aug 23 18:18:55 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:42 2006 -0700" }, "message": "[XFRM] STATE: Introduce care-of address.\n\nCare-of address is carried by state as a transformation option like\nIPsec encryption/authentication algorithm.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Noriaki TAKAMIYA \u003ctakamiya@po.ntts.co.jp\u003e\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\n" }, { "commit": "9e51fd371a022318c5b64b831c43026e89bc4f75", "tree": "d11b58ab8d89bc52eb5c875a8e698fcb285c87ef", "parents": [ "fbd9a5b47ee9c319ff0cae584391241ce78ffd6b" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:09:09 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:40 2006 -0700" }, "message": "[XFRM]: Rename secpath_has_tunnel to secpath_has_nontransport.\n\nOn current kernel inbound transformation state is allowed transport and\ndisallowed tunnel mode when mismatch is occurred between tempates and states.\nAs the result of adding two more modes by Mobile IPv6, this function name\nis misleading. Inbound transformation can allow only transport mode\nwhen mismatch is occurred between template and secpath.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fbd9a5b47ee9c319ff0cae584391241ce78ffd6b", "tree": "3e6cdcf297e3f82b7ab276e5ffa59abfcb912f44", "parents": [ "f3bd484021d9486b826b422a017d75dd0bd258ad" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:08:21 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:39 2006 -0700" }, "message": "[XFRM] STATE: Common receive function for route optimization extension headers.\n\nXFRM_STATE_WILDRECV flag is introduced; the last resort state is set\nit and receives packet which is not route optimized but uses such\nextension headers i.e. Mobile IPv6 signaling (binding update and\nacknowledgement). A node enabled Mobile IPv6 adds the state.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f3bd484021d9486b826b422a017d75dd0bd258ad", "tree": "52ec4e50183dffc02d33bd3cfcafe4cbc2022910", "parents": [ "1d71627d699eca831c1fbfb66ea67bb1fba41415" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:00:48 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:38 2006 -0700" }, "message": "[XFRM]: Restrict authentication algorithm only when inbound transformation protocol is IPsec.\n\nFor Mobile IPv6 usage, routing header or destination options header is\nused and it doesn\u0027t require this comparison. It is checked only for\nIPsec template.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "eb2971b68a7d17a7d0fa2c7fc6fbc4bfe41cd694", "tree": "5f6e98ac376d0d2faa69e8a6644706a7312a1ff1", "parents": [ "6c44e6b7ab500d7e3e3f406c83325671be51a752" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:56:04 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:35 2006 -0700" }, "message": "[XFRM] STATE: Search by address using source address list.\n\nThis is a support to search transformation states by its addresses\nby using source address list for Mobile IPv6 usage.\nTo use it from user-space, it is also added a message type for\nsource address as a xfrm state option.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6c44e6b7ab500d7e3e3f406c83325671be51a752", "tree": "d68b6347f4e437cd4aac9444ed9ee323f73eb06c", "parents": [ "622dc8281a80374873686514e46f852093d91106" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:53:57 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:34 2006 -0700" }, "message": "[XFRM] STATE: Add source address list.\n\nSupport source address based searching.\nMobile IPv6 will use it.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dc00a525603650a1471c823a1e48c6505c2f9765", "tree": "5ea2b999a564daf2f6fb217db13859db702b4537", "parents": [ "5794708f11551b6d19b10673abf4b0202f66b44d" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:49:52 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:32 2006 -0700" }, "message": "[XFRM] STATE: Allow non IPsec protocol.\n\nIt will be added two more transformation protocols (routing header\nand destination options header) for Mobile IPv6.\nxfrm_id_proto_match() can be handle zero as all, IPSEC_PROTO_ANY as\nall IPsec and otherwise as exact one.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5794708f11551b6d19b10673abf4b0202f66b44d", "tree": "60d954e185dd80af7e6c08608fd0528cf21a5d41", "parents": [ "7e49e6de30efa716614e280d97963c570f3acf29" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Fri Sep 22 15:06:24 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Sep 22 15:06:24 2006 -0700" }, "message": "[XFRM]: Introduce a helper to compare id protocol.\n\nPut the helper to header for future use.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7e49e6de30efa716614e280d97963c570f3acf29", "tree": "8eaef9d40300d16a7675722e082c5d8ab2a53d40", "parents": [ "77d16f450ae0452d7d4b009f78debb1294fb435c" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Fri Sep 22 15:05:15 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Sep 22 15:05:15 2006 -0700" }, "message": "[XFRM]: Add XFRM_MODE_xxx for future use.\n\nTransformation mode is used as either IPsec transport or tunnel.\nIt is required to add two more items, route optimization and inbound trigger\nfor Mobile IPv6.\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Ville Nuorvala \u003cvnuorval@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cb969f072b6d67770b559617f14e767f47e77ece", "tree": "4112eb0182e8b3e28b42aebaa40ca25454fc6b76", "parents": [ "beb8d13bed80f8388f1a9a107d07ddd342e627e8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:20 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:28 2006 -0700" }, "message": "[MLSXFRM]: Default labeling of socket specific IPSec policies\n\nThis defaults the label of socket-specific IPSec policies to be the\nsame as the socket they are set on.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "beb8d13bed80f8388f1a9a107d07ddd342e627e8", "tree": "19d5763b9b3b8ff3969997565e5ec0edd6e4bd33", "parents": [ "4e2ba18eae7f370c7c3ed96eaca747cc9b39f917" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Fri Aug 04 23:12:42 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:27 2006 -0700" }, "message": "[MLSXFRM]: Add flow labeling\n\nThis labels the flows that could utilize IPSec xfrms at the points the\nflows are defined so that IPSec policy and SAs at the right label can\nbe used.\n\nThe following protos are currently not handled, but they should\ncontinue to be able to use single-labeled IPSec like they currently\ndo.\n\nipmr\nip_gre\nipip\nigmp\nsit\nsctp\nip6_tunnel (IPv6 over IPv6 tunnel device)\ndecnet\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "0d681623d30c6565e8b62889f3aa3f4d4662c3e8", "tree": "ecda711a40bcee7472e2e25e68cc712854245fad", "parents": [ "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Mon Jul 24 23:30:44 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:25 2006 -0700" }, "message": "[MLSXFRM]: Add security context to acquire messages using netlink\n\nThis includes the security context of a security association created\nfor use by IKE in the acquire messages sent to IKE daemons using\nnetlink/xfrm_user. This would allow the daemons to include the\nsecurity context in the negotiation, so that the resultant association\nis unique to that security context.\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c", "tree": "bf023c17abf6813f2694ebf5fafff82edd6a1023", "parents": [ "b6340fcd761acf9249b3acbc95c4dc555d9beb07" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:29:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:24 2006 -0700" }, "message": "[MLSXFRM]: Flow based matching of xfrm policy and state\n\nThis implements a seemless mechanism for xfrm policy selection and\nstate matching based on the flow sid. This also includes the necessary\nSELinux enforcement pieces.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e4d5b79c661c7cfca9d8d5afd040a295f128d3cb", "tree": "55a19ceca1b51b26d1934d388b26f0b1bed99a3e", "parents": [ "fce32d70ba834129b164c40c2d4260e5a7a7d850" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat Aug 26 18:12:40 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:46:22 2006 +1000" }, "message": "[CRYPTO] users: Use crypto_comp and crypto_has_*\n\nThis patch converts all users to use the new crypto_comp type and the\ncrypto_has_* functions.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n" }, { "commit": "07d4ee583e21830ec5604d31f65cdc60a6eca19e", "tree": "32962ef0dd13d0d1f66b143ca5d03a88d8b9f772", "parents": [ "e9d41164e2fdd897fe4520c2079ea0000f6e0ec3" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Aug 20 14:24:50 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:46:18 2006 +1000" }, "message": "[IPSEC]: Use HMAC template and hash interface\n\nThis patch converts IPsec to use the new HMAC template. The names of\nexisting simple digest algorithms may still be used to refer to their\nHMAC composites.\n\nThe same structure can be used by other MACs such as AES-XCBC-MAC.\n\nThis patch also switches from the digest interface to hash.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6b7326c8497f954c2cfcb4c49fe42be5b80887bc", "tree": "5739c37f7a72d1ef281fbbb5bbc1483226eec198", "parents": [ "04ff12609445c7b462d7fc7f2d30dad442c922f3" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Jul 30 15:41:01 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:46:14 2006 +1000" }, "message": "[IPSEC] ESP: Use block ciphers where applicable\n\nThis patch converts IPSec/ESP to use the new block cipher type where\napplicable. Similar to the HMAC conversion, existing algorithm names\nhave been kept for compatibility.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n" }, { "commit": "04ff12609445c7b462d7fc7f2d30dad442c922f3", "tree": "f19aff48d2e6a4c7e4bf25044c1b30ea428f4318", "parents": [ "d1806f6a97a536b043fe50e6d8a25b061755cf50" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Aug 13 08:50:00 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:46:14 2006 +1000" }, "message": "[IPSEC]: Add compatibility algorithm name support\n\nThis patch adds a compatibility name field for each IPsec algorithm. This\nis needed when parameterised algorithms are used. For example, \"md5\" will\nbecome \"hmac(md5)\", and \"aes\" will become \"cbc(aes)\".\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n" }, { "commit": "9409f38a0c8773c04bff8dda8c552d7ea013d956", "tree": "694ad993535d6dcfd479f9b5cb4faab64c12fcd7", "parents": [ "6521f30273fbec65146a0f16de74b7b402b0f7b0" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Aug 06 19:49:12 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:16:30 2006 +1000" }, "message": "[IPSEC]: Move linux/crypto.h inclusion out of net/xfrm.h\n\nThe header file linux/crypto.h is only needed by a few files so including\nit in net/xfrm.h (which is included by half of the networking stack) is a\nwaste. This patch moves it out of net/xfrm.h and into the specific header\nfiles that actually need it.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n" }, { "commit": "d49c73c729e2ef644558a1f441c044bfacdc9744", "tree": "db35cd20d57fe5d9a7fcac5f40539902b6abbdf9", "parents": [ "1c7628bd7a458faf7c96ef521f6d3a5ea9b106b8" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sun Aug 13 18:55:53 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sun Aug 13 18:55:53 2006 -0700" }, "message": "[IPSEC]: Validate properly in xfrm_dst_check()\n\nIf dst-\u003eobsolete is -1, this is a signal from the\nbundle creator that we want the XFRM dst and the\ndsts that it references to be validated on every\nuse.\n\nI misunderstood this intention when I changed\nxfrm_dst_check() to always return NULL.\n\nNow, when we purge a dst entry, by running dst_free()\non it. This will set the dst-\u003eobsolete to a positive\ninteger, and we want to return NULL in that case so\nthat the socket does a relookup for the route.\n\nThus, if dst-\u003eobsolete\u003c0, let stale_bundle() validate\nthe state, else always return NULL.\n\nIn general, we need to do things more intelligently\nhere because we flush too much state during rule\nchanges. Herbert Xu has some ideas wherein the key\nmanager gives us some help in this area. We can also\nuse smarter state management algorithms inside of\nthe kernel as well.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "0da974f4f303a6842516b764507e3c0a03f41e5a", "tree": "8872aec792f02040269c6769dd1009b20f71d186", "parents": [ "a0ee7c70b22f78593957f99faa06acb4747b8bc0" ], "author": { "name": "Panagiotis Issaris", "email": "takis@issaris.org", "time": "Fri Jul 21 14:51:30 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Jul 21 14:51:30 2006 -0700" }, "message": "[NET]: Conversions from kmalloc+memset to k(z|c)alloc.\n\nSigned-off-by: Panagiotis Issaris \u003ctakis@issaris.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n\n" }, { "commit": "6ab3d5624e172c553004ecc862bfeac16d9d68b7", "tree": "6d98881fe91fd9583c109208d5c27131b93fa248", "parents": [ "e02169b682bc448ccdc819dc8639ed34a23cedd8" ], "author": { "name": "Jörn Engel", "email": "joern@wohnheim.fh-wedel.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "committer": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Fri Jun 30 19:25:36 2006 +0200" }, "message": "Remove obsolete #include \u003clinux/config.h\u003e\n\nSigned-off-by: Jörn Engel \u003cjoern@wohnheim.fh-wedel.de\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n" }, { "commit": "244055fdc8dd39407a33d4eb9f4053dd4ca8f1bb", "tree": "0b4c7cdcd5293099bc9989f57a864d65e4554e50", "parents": [ "5bba17127e7c78e819560519449db237e1b0f99b" ], "author": { "name": "Adrian Bunk", "email": "bunk@stusta.de", "time": "Thu Jun 29 13:04:41 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 29 16:58:33 2006 -0700" }, "message": "[XFRM]: unexport xfrm_state_mtu\n\nThis patch removes the unused EXPORT_SYMBOL(xfrm_state_mtu).\n\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c7bdb545d23026b18be53289fd866d1ac07f5f8c", "tree": "6d9a218871d88f7579dd53f14692df2529b6e712", "parents": [ "576a30eb6453439b3c37ba24455ac7090c247b5a" ], "author": { "name": "Darrel Goeddel", "email": "dgoeddel@trustedcs.com", "time": "Tue Jun 27 13:26:11 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 29 16:57:55 2006 -0700" }, "message": "[NETLINK]: Encapsulate eff_cap usage within security framework.\n\nThis patch encapsulates the usage of eff_cap (in netlink_skb_params) within\nthe security framework by extending security_netlink_recv to include a required\ncapability parameter and converting all direct usage of eff_caps outside\nof the lsm modules to use the interface. It also updates the SELinux\nimplementation of the security_netlink_send and security_netlink_recv\nhooks to take advantage of the sid in the netlink_skb_params struct.\nThis also enables SELinux to perform auditing of netlink capability checks.\nPlease apply, for 2.6.18 if possible.\n\nSigned-off-by: Darrel Goeddel \u003cdgoeddel@trustedcs.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6f68dc37759b1d6ff3b4d4a9d097605a09f8f043", "tree": "7d0be960b8c0ec5b947637a0650f1c639002103a", "parents": [ "9dadaa19cb11a8db38072a92a3f95deab7a797fb" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 08 23:58:52 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:49 2006 -0700" }, "message": "[NET]: Fix warnings after LSM-IPSEC changes.\n\nAssignment used as truth value in xfrm_del_sa()\nand xfrm_get_policy().\n\nWrong argument type declared for security_xfrm_state_delete()\nwhen SELINUX is disabled.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63", "tree": "b4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf", "parents": [ "cec6f7f39c3db7d9f6091bf2f8fc8d520f372719" ], "author": { "name": "Catherine Zhang", "email": "cxzhang@watson.ibm.com", "time": "Thu Jun 08 23:39:49 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:29:45 2006 -0700" }, "message": "[LSM-IPsec]: SELinux Authorize\n\nThis patch contains a fix for the previous patch that adds security\ncontexts to IPsec policies and security associations. In the previous\npatch, no authorization (besides the check for write permissions to\nSAD and SPD) is required to delete IPsec policies and security\nassocations with security contexts. Thus a user authorized to change\nSAD and SPD can bypass the IPsec policy authorization by simply\ndeleteing policies with security contexts. To fix this security hole,\nan additional authorization check is added for removing security\npolicies and security associations with security contexts.\n\nNote that if no security context is supplied on add or present on\npolicy to be deleted, the SELinux module allows the change\nunconditionally. The hook is called on deletion when no context is\npresent, which we may want to change. At present, I left it up to the\nmodule.\n\nLSM changes:\n\nThe patch adds two new LSM hooks: xfrm_policy_delete and\nxfrm_state_delete. The new hooks are necessary to authorize deletion\nof IPsec policies that have security contexts. The existing hooks\nxfrm_policy_free and xfrm_state_free lack the context to do the\nauthorization, so I decided to split authorization of deletion and\nmemory management of security data, as is typical in the LSM\ninterface.\n\nUse:\n\nThe new delete hooks are checked when xfrm_policy or xfrm_state are\ndeleted by either the xfrm_user interface (xfrm_get_policy,\nxfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).\n\nSELinux changes:\n\nThe new policy_delete and state_delete functions are added.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b59f45d0b2878ab76f8053b0973654e6621828ee", "tree": "40dc5e2ede2620f7935fb3dae0d0eb199851f611", "parents": [ "546be2405be119ef55467aace45f337a16e5d424" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat May 27 23:05:54 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:28:39 2006 -0700" }, "message": "[IPSEC] xfrm: Abstract out encapsulation modes\n\nThis patch adds the structure xfrm_mode. It is meant to represent\nthe operations carried out by transport/tunnel modes.\n\nBy doing this we allow additional encapsulation modes to be added\nwithout clogging up the xfrm_input/xfrm_output paths.\n\nCandidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and\nBEET modes.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "546be2405be119ef55467aace45f337a16e5d424", "tree": "9b09f0041f9f82a20ab25ace3c7360e4a4b7989f", "parents": [ "9cb3528cdbffc513eb9fb8faa45d41e397355830" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat May 27 23:03:58 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:28:37 2006 -0700" }, "message": "[IPSEC] xfrm: Undo afinfo lock proliferation\n\nThe number of locks used to manage afinfo structures can easily be reduced\ndown to one each for policy and state respectively. This is based on the\nobservation that the write locks are only held by module insertion/removal\nwhich are very rare events so there is no need to further differentiate\nbetween the insertion of modules like ipv6 versus esp6.\n\nThe removal of the read locks in xfrm4_policy.c/xfrm6_policy.c might look\nsuspicious at first. However, after you realise that nobody ever takes\nthe corresponding write lock you\u0027ll feel better :)\n\nAs far as I can gather it\u0027s an attempt to guard against the removal of\nthe corresponding modules. Since neither module can be unloaded at all\nwe can leave it to whoever fixes up IPv6 unloading :)\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4195f81453b9727f82bb8ceae03411b7fe52a994", "tree": "061d410408c883058afbbbbc39b4276ac359dc03", "parents": [ "ae181bc44c65fdc93d0d2d908534b22e43f60f56" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon May 22 16:53:22 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon May 22 16:53:22 2006 -0700" }, "message": "[NET]: Fix \"ntohl(ntohs\" bugs\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e" }, { "commit": "e959d8121fcbfee6ec049cc617e9423d1799f2e4", "tree": "5bbb925d554c1c0c29ce36cb9a771a12bf403861", "parents": [ "f3111502c065d32dcb021f55e30398aaebd8fb0f" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 28 15:32:29 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Apr 29 18:33:21 2006 -0700" }, "message": "[XFRM]: fix incorrect xfrm_policy_afinfo_lock use\n\nxfrm_policy_afinfo_lock can be taken in bh context, at:\n\n [\u003cc013fe1a\u003e] lockdep_acquire_read+0x54/0x6d\n [\u003cc0f6e024\u003e] _read_lock+0x15/0x22\n [\u003cc0e8fcdb\u003e] xfrm_policy_get_afinfo+0x1a/0x3d\n [\u003cc0e8fd10\u003e] xfrm_decode_session+0x12/0x32\n [\u003cc0e66094\u003e] ip_route_me_harder+0x1c9/0x25b\n [\u003cc0e770d3\u003e] ip_nat_local_fn+0x94/0xad\n [\u003cc0e2bbc8\u003e] nf_iterate+0x2e/0x7a\n [\u003cc0e2bc50\u003e] nf_hook_slow+0x3c/0x9e\n [\u003cc0e3a342\u003e] ip_push_pending_frames+0x2de/0x3a7\n [\u003cc0e53e19\u003e] icmp_push_reply+0x136/0x141\n [\u003cc0e543fb\u003e] icmp_reply+0x118/0x1a0\n [\u003cc0e54581\u003e] icmp_echo+0x44/0x46\n [\u003cc0e53fad\u003e] icmp_rcv+0x111/0x138\n [\u003cc0e36764\u003e] ip_local_deliver+0x150/0x1f9\n [\u003cc0e36be2\u003e] ip_rcv+0x3d5/0x413\n [\u003cc0df760f\u003e] netif_receive_skb+0x337/0x356\n [\u003cc0df76c3\u003e] process_backlog+0x95/0x110\n [\u003cc0df5fe2\u003e] net_rx_action+0xa5/0x16d\n [\u003cc012d8a7\u003e] __do_softirq+0x6f/0xe6\n [\u003cc0105ec2\u003e] do_softirq+0x52/0xb1\n\nthis means that all write-locking of xfrm_policy_afinfo_lock must be\nbh-safe. This patch fixes xfrm_policy_register_afinfo() and\nxfrm_policy_unregister_afinfo().\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f3111502c065d32dcb021f55e30398aaebd8fb0f", "tree": "59c51b1d18f866c38d23ad6fe74820f0a2cdb43d", "parents": [ "83de47cd0c5738105f40e65191b0761dfa7431ac" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 28 15:30:03 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Apr 29 18:33:20 2006 -0700" }, "message": "[XFRM]: fix incorrect xfrm_state_afinfo_lock use\n\nxfrm_state_afinfo_lock can be read-locked from bh context, so take it\nin a bh-safe manner in xfrm_state_register_afinfo() and\nxfrm_state_unregister_afinfo(). Found by the lock validator.\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "8dff7c29707b7514043539f5ab5e0a6eb7bd9dcd", "tree": "a584dcfb2142d4596086d7081a3d63fd9988e7ce", "parents": [ "a76e07acd0de635122c5e60ccd5e55f9d5082391" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Fri Apr 28 15:23:59 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Apr 29 18:33:18 2006 -0700" }, "message": "[XFRM]: fix softirq-unsafe xfrm typemap-\u003elock use\n\nxfrm typemap-\u003elock may be used in softirq context, so all write_lock()\nuses must be softirq-safe.\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2717096ab41eacdbf07352dca6826b59470eb39a", "tree": "9282ac7ffd15bbd41f438201ef76f6deaa23c90a", "parents": [ "6c97e72a162648eaf7c401cfc139493cefa6bed2" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Fri Apr 14 15:03:05 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Apr 14 15:03:05 2006 -0700" }, "message": "[XFRM]: Fix aevent timer.\n\nSend aevent immediately if we have sent nothing since last timer and\nthis is the first packet.\n\nFixes a corner case when packet threshold is very high, the timer low\nand a very low packet rate input which is bursty.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dbe5b4aaafc715b12dbbea309d3d17958d01fd65", "tree": "936518ad9d5452f5efe18e0107255eab0aafb58d", "parents": [ "e695633e21ffb6a443a8c2f8b3f095c7f1a48eb0" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat Apr 01 00:54:16 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 01 00:54:16 2006 -0800" }, "message": "[IPSEC]: Kill unused decap state structure\n\nThis patch removes the *_decap_state structures which were previously\nused to share state between input/post_input. This is no longer\nneeded.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "be33690d8fcf40377f16193c463681170eb6b295", "tree": "08c7be2ba1d046fca40bbb1d3ddac789b393ecc9", "parents": [ "15d99e02babae8bc20b836917ace07d93e318149" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Mon Mar 20 22:40:54 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:40:54 2006 -0800" }, "message": "[XFRM]: Fix aevent related crash\n\nWhen xfrm_user isn\u0027t loaded xfrm_nl is NULL, which makes IPsec crash because\nxfrm_aevent_is_on passes the NULL pointer to netlink_has_listeners as socket.\nA second problem is that the xfrm_nl pointer is not cleared when the socket\nis releases at module unload time.\n\nProtect references of xfrm_nl from outside of xfrm_user by RCU, check\nthat the socket is present in xfrm_aevent_is_on and set it to NULL\nwhen unloading xfrm_user.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4a3e2f711a00a1feb72ae12fdc749da10179d185", "tree": "76ced9d3270dea4b864da71fa1d4415d2e3c8b11", "parents": [ "d4ccd08cdfa8d34f4d25b62041343c52fc79385f" ], "author": { "name": "Arjan van de Ven", "email": "arjan@infradead.org", "time": "Mon Mar 20 22:33:17 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:33:17 2006 -0800" }, "message": "[NET] sem2mutex: net/\n\nSemaphore to mutex conversion.\n\nThe conversion was generated via scripts, and the result was validated\nautomatically via a script as well.\n\nSigned-off-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "253aa11578c1b89757282430891bb66ae5300092", "tree": "00ff3d18c1a7ead1bca4602385e85b65f012823c", "parents": [ "50bf3e224a2963c6dd5098f77bd7233222ebfbd2" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:23:35 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:23:35 2006 -0800" }, "message": "[IPSEC] xfrm_user: Kill PAGE_SIZE check in verify_sec_ctx_len()\n\nFirst, it warns when PAGE_SIZE \u003e\u003d 64K because the ctx_len\nfield is 16-bits.\n\nSecondly, if there are any real length limitations it can\nbe verified by the security layer security_xfrm_state_alloc()\ncall.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a70fcb0ba337956d91476e2e7c3e71d9df940a82", "tree": "500eb6a2296f4aae0581936e8832504f153f984e", "parents": [ "ee857a7d672859cf4eb735d32bce22c8b7ad0bd2" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:18:52 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:18:52 2006 -0800" }, "message": "[XFRM]: Add some missing exports.\n\nTo fix the case of modular xfrm_user.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ee857a7d672859cf4eb735d32bce22c8b7ad0bd2", "tree": "4a6274454ed4af42fb2806151d14280f778f2281", "parents": [ "0ac8475248164553ffe21948c7b1a4b9d2a935dc" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:18:37 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:18:37 2006 -0800" }, "message": "[XFRM]: Move xfrm_nl to xfrm_state.c from xfrm_user.c\n\nxfrm_user could be modular, and since generic code uses this symbol\nnow...\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "0ac8475248164553ffe21948c7b1a4b9d2a935dc", "tree": "45495847e8ea192c45c9babbd4b9e8c51d82692f", "parents": [ "8c29bfe1cfbe6050c797a6364a0cc0ff57c377fc" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:18:23 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:18:23 2006 -0800" }, "message": "[XFRM]: Make sure xfrm_replay_timer_handler() is declared early enough.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6c5c8ca7ff20523e427b955aa84cef407934710f", "tree": "382a4b07027efd8a41638ed9c051cc9ec2506f0b", "parents": [ "53bc6b4d29c07664f3abe029b7e6878a1067899a" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:17:25 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:17:25 2006 -0800" }, "message": "[IPSEC]: Sync series - policy expires\n\nThis is similar to the SA expire insertion patch - only it inserts\nexpires for SP.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "53bc6b4d29c07664f3abe029b7e6878a1067899a", "tree": "d97fc26acc763dde9d1dc15573a51253180b617f", "parents": [ "980ebd25794f0f87ac32844e2c73e9e81f0a72ba" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:17:03 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:17:03 2006 -0800" }, "message": "[IPSEC]: Sync series - SA expires\n\nThis patch allows a user to insert SA expires. This is useful to\ndo on an HA backup for the case of byte counts but may not be very\nuseful for the case of time based expiry.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "980ebd25794f0f87ac32844e2c73e9e81f0a72ba", "tree": "da52df6e31bd4b2527c223ca2585e0d792bf3ea2", "parents": [ "d51d081d65048a7a6f9956a7809c3bb504f3b95d" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:16:40 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:16:40 2006 -0800" }, "message": "[IPSEC]: Sync series - acquire insert\n\nThis introduces a feature similar to the one described in RFC 2367:\n\"\n ... the application needing an SA sends a PF_KEY\n SADB_ACQUIRE message down to the Key Engine, which then either\n returns an error or sends a similar SADB_ACQUIRE message up to one or\n more key management applications capable of creating such SAs.\n ...\n ...\n The third is where an application-layer consumer of security\n associations (e.g. an OSPFv2 or RIPv2 daemon) needs a security\n association.\n\n Send an SADB_ACQUIRE message from a user process to the kernel.\n\n \u003cbase, address(SD), (address(P),) (identity(SD),) (sensitivity,)\n proposal\u003e\n\n The kernel returns an SADB_ACQUIRE message to registered\n sockets.\n\n \u003cbase, address(SD), (address(P),) (identity(SD),) (sensitivity,)\n proposal\u003e\n\n The user-level consumer waits for an SADB_UPDATE or SADB_ADD\n message for its particular type, and then can use that\n association by using SADB_GET messages.\n\n \"\nAn app such as OSPF could then use ipsec KM to get keys\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d51d081d65048a7a6f9956a7809c3bb504f3b95d", "tree": "55c62e9f6ff96d131a3ba59090d76209b68051ae", "parents": [ "9500e8a81fe6302fcc5e4110adc4d166c9873d3a" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:16:12 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:16:12 2006 -0800" }, "message": "[IPSEC]: Sync series - user\n\nAdd xfrm as the user of the core changes\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f8cd54884e675dfaf0c86cc7c088adb6ca9d7638", "tree": "7850e8ebebf1f8543c96acdd7c197003b3b4d54c", "parents": [ "f5539eb8caa52a9198079df767cc1bb5494e69e3" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:15:11 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:15:11 2006 -0800" }, "message": "[IPSEC]: Sync series - core changes\n\nThis patch provides the core functionality needed for sync events\nfor ipsec. Derived work of Krisztian KOVACS \u003chidden@balabit.hu\u003e\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "752c1f4c78fe86d0fd6497387f763306b0d8fc53", "tree": "50d7e52940d1adf0936805645d52e2419e5922cf", "parents": [ "4bf05eceecf2efb4c883e9e9b17825682e7330dd" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Feb 27 13:00:40 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Feb 27 13:00:40 2006 -0800" }, "message": "[IPSEC]: Kill post_input hook and do NAT-T in esp_input directly\n\nThe only reason post_input exists at all is that it gives us the\npotential to adjust the checksums incrementally in future which\nwe ought to do.\n\nHowever, after thinking about it for a bit we can adjust the\nchecksums without using this post_input stuff at all. The crucial\npoint is that only the inner-most NAT-T SA needs to be considered\nwhen adjusting checksums. What\u0027s more, the checksum adjustment\ncomes down to a single u32 due to the linearity of IP checksums.\n\nWe just happen to have a spare u32 lying around in our skb structure :)\nWhen ip_summed is set to CHECKSUM_NONE on input, the value of skb-\u003ecsum\nis currently unused. All we have to do is to make that the checksum\nadjustment and voila, there goes all the post_input and decap structures!\n\nI\u0027ve left in the decap data structures for now since it\u0027s intricately\nwoven into the sec_path stuff. We can kill them later too.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "21380b81ef8699179b535e197a95b891a7badac7", "tree": "1a6be9864cabbed59db6357b2f0244413acac4c4", "parents": [ "85259878499d6c428cba191bb4e415a250dcd75a" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Wed Feb 22 14:47:13 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Feb 23 16:10:53 2006 -0800" }, "message": "[XFRM]: Eliminate refcounting confusion by creating __xfrm_state_put().\n\nWe often just do an atomic_dec(\u0026x-\u003erefcnt) on an xfrm_state object\nbecause we know there is more than 1 reference remaining and thus\nwe can elide the heavier xfrm_state_put() call.\n\nDo this behind an inline function called __xfrm_state_put() so that is\nmore obvious and also to allow us to more cleanly add refcount\ndebugging later.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "42cf93cd464e0df3c85d298c647411bae6d99e6e", "tree": "f68f155f6eedbac8ac8c32c8c947d5a2f6cb2033", "parents": [ "a80614d1adba903a1e5cb22bf14ebc640fc2ba4c" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Tue Feb 21 13:37:35 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Feb 23 16:10:51 2006 -0800" }, "message": "[NETFILTER]: Fix bridge netfilter related in xfrm_lookup\n\nThe bridge-netfilter code attaches a fake dst_entry with dst-\u003eops \u003d\u003d NULL\nto purely bridged packets. When these packets are SNATed and a policy\nlookup is done, xfrm_lookup crashes because it tries to dereference\ndst-\u003eops.\n\nChange xfrm_lookup not to dereference dst-\u003eops before checking for the\nDST_NOXFRM flag and set this flag in the fake dst_entry.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "995110143880fd9cb255fa5df05f8950c56fb43a", "tree": "06666d72e4a4e06c646cb0ca683ee9ce0f286c82", "parents": [ "bd71c2b17468a2531fb4c81ec1d73520845e97e1" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Sun Feb 19 22:11:50 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Feb 19 22:11:50 2006 -0800" }, "message": "[XFRM]: Fix policy double put\n\nThe policy is put once immediately and once at the error label, which results\nin the following Oops:\n\nkernel BUG at net/xfrm/xfrm_policy.c:250!\ninvalid opcode: 0000 [#2]\nPREEMPT\n[...]\nCPU: 0\nEIP: 0060:[\u003cc028caf7\u003e] Not tainted VLI\nEFLAGS: 00210246 (2.6.16-rc3 #39)\nEIP is at __xfrm_policy_destroy+0xf/0x46\neax: d49f2000 ebx: d49f2000 ecx: f74bd880 edx: f74bd280\nesi: d49f2000 edi: 00000001 ebp: cd506dcc esp: cd506dc8\nds: 007b es: 007b ss: 0068\nProcess ssh (pid: 31970, threadinfo\u003dcd506000 task\u003dcfb04a70)\nStack: \u003c0\u003ecd506000 cd506e34 c028e92b ebde7280 cd506e58 cd506ec0 f74bd280 00000000\n 00000214 0000000a 0000000a 00000000 00000002 f7ae6000 00000000 cd506e58\n cd506e14 c0299e36 f74bd280 e873fe00 c02943fd cd506ec0 ebde7280 f271f440\nCall Trace:\n [\u003cc0103a44\u003e] show_stack_log_lvl+0xaa/0xb5\n [\u003cc0103b75\u003e] show_registers+0x126/0x18c\n [\u003cc0103e68\u003e] die+0x14e/0x1db\n [\u003cc02b6809\u003e] do_trap+0x7c/0x96\n [\u003cc0104237\u003e] do_invalid_op+0x89/0x93\n [\u003cc01035af\u003e] error_code+0x4f/0x54\n [\u003cc028e92b\u003e] xfrm_lookup+0x349/0x3c2\n [\u003cc02b0b0d\u003e] ip6_datagram_connect+0x317/0x452\n [\u003cc0281749\u003e] inet_dgram_connect+0x49/0x54\n [\u003cc02404d2\u003e] sys_connect+0x51/0x68\n [\u003cc0240928\u003e] sys_socketcall+0x6f/0x166\n [\u003cc0102aa1\u003e] syscall_call+0x7/0xb\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "00de651d14baabc5c1d2f32c49d9a984d8891c8e", "tree": "dee86291586baf00e9c34dd8f4545088a36877ef", "parents": [ "6d3e85ecf22a5e3610df47b9c3fb2fc32cfd35bf" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Feb 13 16:01:27 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Feb 13 16:01:27 2006 -0800" }, "message": "[IPSEC]: Fix strange IPsec freeze.\n\nProblem discovered and initial patch by Olaf Kirch:\n\n\tthere\u0027s a problem with IPsec that has been bugging some of our users\n\tfor the last couple of kernel revs. Every now and then, IPsec will\n\tfreeze the machine completely. This is with openswan user land,\n\tand with kernels up to and including 2.6.16-rc2.\n\n\tI managed to debug this a little, and what happens is that we end\n\tup looping in xfrm_lookup, and never get out. With a bit of debug\n\tprintks added, I can this happening:\n\n\t\tip_route_output_flow calls xfrm_lookup\n\n\t\txfrm_find_bundle returns NULL (apparently we\u0027re in the\n\t\t\tmiddle of negotiating a new SA or something)\n\n\t\tWe therefore call xfrm_tmpl_resolve. This returns EAGAIN\n\t\t\tWe go to sleep, waiting for a policy update.\n\t\t\tThen we loop back to the top\n\n\t\tApparently, the dst_orig that was passed into xfrm_lookup\n\t\t\thas been dropped from the routing table (obsolete\u003d2)\n\t\t\tThis leads to the endless loop, because we now create\n\t\t\ta new bundle, check the new bundle and find it\u0027s stale\n\t\t\t(stale_bundle -\u003e xfrm_bundle_ok -\u003e dst_check() return 0)\n\n\tPeople have been testing with the patch below, which seems to fix the\n\tproblem partially. They still see connection hangs however (things\n\tonly clear up when they start a new ping or new ssh). So the patch\n\tis obvsiouly not sufficient, and something else seems to go wrong.\n\n\tI\u0027m grateful for any hints you may have...\n\nI suggest that we simply bail out always. If the dst decides to die\non us later on, the packet will be dropped anyway. So there is no\ngreat urgency to retry here. Once we have the proper resolution\nqueueing, we can then do the retry again.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nAcked-by: Olaf Kirch \u003cokir@suse.de\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1b8623545b42c03eb92e51b28c84acf4b8ba00a3", "tree": "071045ad9c60d2697292c523c77322a70a248fb9", "parents": [ "92118c739df879497b8cc5a2eb3a9dc255f01b20" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Dec 15 01:07:03 2005 -0500" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Feb 07 20:56:35 2006 -0500" }, "message": "[PATCH] remove bogus asm/bug.h includes.\n\nA bunch of asm/bug.h includes are both not needed (since it will get\npulled anyway) and bogus (since they are done too early). Removed.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "09a626600b437d91f6b13ade5c7c4b374893c54e", "tree": "a6de3c2a33b7d896cd22a3fe799d1b40d28daf40", "parents": [ "4bba3925924148c24fb0c7636a04ad69a6a56b84" ], "author": { "name": "Kris Katterjohn", "email": "kjak@users.sourceforge.net", "time": "Sun Jan 08 22:24:28 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Jan 09 14:16:18 2006 -0800" }, "message": "[NET]: Change some \"if (x) BUG();\" to \"BUG_ON(x);\"\n\nThis changes some simple \"if (x) BUG();\" statements to \"BUG_ON(x);\"\n\nSigned-off-by: Kris Katterjohn \u003ckjak@users.sourceforge.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "eb9c7ebe6980c41cf6ae889e301c3b49f473ee9f", "tree": "419103d15b9de9c26c8400c698625231df55da91", "parents": [ "b59c270104f03960069596722fea70340579244d" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Fri Jan 06 23:06:30 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jan 07 12:57:37 2006 -0800" }, "message": "[NETFILTER]: Handle NAT in IPsec policy checks\n\nHandle NAT of decapsulated IPsec packets by reconstructing the struct flowi\nof the original packet from the conntrack information for IPsec policy\nchecks.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "3e3850e989c5d2eb1aab6f0fd9257759f0f4cbc6", "tree": "fa05d1de4767bc30e77442ffbacfe8bd8dd2213d", "parents": [ "8cdfab8a43bb4b3da686ea503a702cb6f9f6a803" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Fri Jan 06 23:04:54 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jan 07 12:57:33 2006 -0800" }, "message": "[NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder\n\nip_route_me_harder doesn\u0027t use the port numbers of the xfrm lookup and\nuses ip_route_input for non-local addresses which doesn\u0027t do a xfrm\nlookup, ip6_route_me_harder doesn\u0027t do a xfrm lookup at all.\n\nUse xfrm_decode_session and do the lookup manually, make sure both\nonly do the lookup if the packet hasn\u0027t been transformed already.\n\nMakeing sure the lookup only happens once needs a new field in the\nIP6CB, which exceeds the size of skb-\u003ecb. The size of skb-\u003ecb is\nincreased to 48b. Apparently the IPv6 mobile extensions need some\nmore room anyway.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5f8ac64b15172c7ced7d7990eb28342092bc751b", "tree": "63046817c9a6e8db513379337f01289c045a5d63", "parents": [ "69549ddd2f894c4cead50ee2b60cc02990c389ad" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Fri Jan 06 13:22:39 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Jan 06 13:22:39 2006 -0800" }, "message": "[LSM-IPSec]: Corrections to LSM-IPSec Nethooks\n\nThis patch contains two corrections to the LSM-IPsec Nethooks patches\npreviously applied. \n\n(1) free a security context on a failed insert via xfrm_user \ninterface in xfrm_add_policy. Memory leak.\n\n(2) change the authorization of the allocation of a security context\nin a xfrm_policy or xfrm_state from both relabelfrom and relabelto \nto setcontext.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f", "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1", "parents": [ "88026842b0a760145aa71d69e74fbc9ec118ca44" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:27 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:24 2006 -0800" }, "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association. Such access\ncontrols augment the existing ones based on network interface and IP\naddress. The former are very coarse-grained, and the latter can be\nspoofed. By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools). This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal. The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools. ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts. These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface. Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9b78a82c1cf19aa813bdaa184fa840a3ba811750", "tree": "5500cc243037614ed8787b39a3f1baa0246443c9", "parents": [ "4c7e6895027362889422e5dc437dc3238b6b4745" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Dec 22 07:39:48 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Dec 22 07:39:48 2005 -0800" }, "message": "[IPSEC]: Fix policy updates missed by sockets\n\nThe problem is that when new policies are inserted, sockets do not see\nthe update (but all new route lookups do).\n\nThis bug is related to the SA insertion stale route issue solved\nrecently, and this policy visibility problem can be fixed in a similar\nway.\n\nThe fix is to flush out the bundles of all policies deeper than the\npolicy being inserted. Consider beginning state of \"outgoing\"\ndirection policy list:\n\n\tpolicy A --\u003e policy B --\u003e policy C --\u003e policy D\n\nFirst, realize that inserting a policy into a list only potentially\nchanges IPSEC routes for that direction. Therefore we need not bother\nconsidering the policies for other directions. We need only consider\nthe existing policies in the list we are doing the inserting.\n\nConsider new policy \"B\u0027\", inserted after B.\n\n\tpolicy A --\u003e policy B --\u003e policy B\u0027 --\u003e policy C --\u003e policy D\n\nTwo rules:\n\n1) If policy A or policy B matched before the insertion, they\n appear before B\u0027 and thus would still match after inserting\n B\u0027\n\n2) Policy C and D, now \"shadowed\" and after policy B\u0027, potentially\n contain stale routes because policy B\u0027 might be selected\n instead of them.\n\nTherefore we only need flush routes assosciated with policies\nappearing after a newly inserted policy, if any.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "399c180ac5f0cb66ef9479358e0b8b6bafcbeafe", "tree": "4014154b7800e96058d94f78dc34a53681e8d5e5", "parents": [ "9e999993c71e1506378d26d81f842277aff8a250" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Dec 19 14:23:23 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Dec 19 14:23:23 2005 -0800" }, "message": "[IPSEC]: Perform SA switchover immediately.\n\nWhen we insert a new xfrm_state which potentially\nsubsumes an existing one, make sure all cached\nbundles are flushed so that the new SA is used\nimmediately.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "88fc2c84312d095545c08a9f871ad1888a688cf6", "tree": "73ff00acabf9cee4b3a8c5b00f4cd44262fdc7df", "parents": [ "82ace47a7256fd39d370a6442e0649f75961b831" ], "author": { "name": "Thomas Graf", "email": "tgraf@suug.ch", "time": "Thu Nov 10 02:25:54 2005 +0100" }, "committer": { "name": "Thomas Graf", "email": "tgr@axs.localdomain", "time": "Thu Nov 10 02:26:40 2005 +0100" }, "message": "[XFRM]: Use generic netlink receive queue processor\n\nSigned-off-by: Thomas Graf \u003ctgraf@suug.ch\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a8f74b228826eef1cbe04a05647d61e896f5fd63", "tree": "6abffeafca83f1aa342ed905367fab1f5a1ac554", "parents": [ "bfa83a9e03cf8d501c6272999843470afecb32ed" ], "author": { "name": "Thomas Graf", "email": "tgraf@suug.ch", "time": "Thu Nov 10 02:25:52 2005 +0100" }, "committer": { "name": "Thomas Graf", "email": "tgr@axs.localdomain", "time": "Thu Nov 10 02:26:40 2005 +0100" }, "message": "[NETLINK]: Make netlink_callback-\u003edone() optional\n\nMost netlink families make no use of the done() callback, making\nit optional gets rid of all unnecessary dummy implementations.\n\nSigned-off-by: Thomas Graf \u003ctgraf@suug.ch\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a51482bde22f99c63fbbb57d5d46cc666384e379", "tree": "5482ed1c0803edb2ffbd51035de921fb0f72d82b", "parents": [ "ac7c98eca88a854755475fcfe1b2bf5f97f90d99" ], "author": { "name": "Jesper Juhl", "email": "jesper.juhl@gmail.com", "time": "Tue Nov 08 09:41:34 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 08 09:41:34 2005 -0800" }, "message": "[NET]: kfree cleanup\n\nFrom: Jesper Juhl \u003cjesper.juhl@gmail.com\u003e\n\nThis is the net/ part of the big kfree cleanup patch.\n\nRemove pointless checks for NULL prior to calling kfree() in net/.\n\nSigned-off-by: Jesper Juhl \u003cjesper.juhl@gmail.com\u003e\nCc: \"David S. Miller\" \u003cdavem@davemloft.net\u003e\nCc: Arnaldo Carvalho de Melo \u003cacme@conectiva.com.br\u003e\nAcked-by: Marcel Holtmann \u003cmarcel@holtmann.org\u003e\nAcked-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\n" }, { "commit": "80b30c1023dbd795faf948dee0cfb3b270b56d47", "tree": "18a6c4d4647e6b52ea9b53e1f938b5e7f7e97f8f", "parents": [ "1371e37da299d4df6267ad0ddf010435782c28e9" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat Oct 15 10:58:30 2005 +1000" }, "committer": { "name": "Arnaldo Carvalho de Melo", "email": "acme@mandriva.com", "time": "Wed Oct 26 00:48:45 2005 -0200" }, "message": "[IPSEC]: Kill obsolete get_mss function\n\nNow that we\u0027ve switched over to storing MTUs in the xfrm_dst entries,\nwe no longer need the dst\u0027s get_mss methods. This patch gets rid of\nthem.\n\nIt also documents the fact that our MTU calculation is not optimal\nfor ESP.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@mandriva.com\u003e\n" }, { "commit": "dd0fc66fb33cd610bc1a5db8a5e232d34879b4d7", "tree": "51f96a9db96293b352e358f66032e1f4ff79fafb", "parents": [ "3b0e77bd144203a507eb191f7117d2c5004ea1de" ], "author": { "name": "Al Viro", "email": "viro@ftp.linux.org.uk", "time": "Fri Oct 07 07:46:04 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Oct 08 15:00:57 2005 -0700" }, "message": "[PATCH] gfp flags annotations - part 1\n\n - added typedef unsigned int __nocast gfp_t;\n\n - replaced __nocast uses for gfp flags with gfp_t - it gives exactly\n the same warnings as far as sparse is concerned, doesn\u0027t change\n generated code (from gcc point of view we replaced unsigned int with\n typedef) and documents what\u0027s going on far better.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "77d8d7a6848c81084f413e1ec4982123a56e2ccb", "tree": "37a160b0b5fcb8a079bcafec5091fd331e14d54c", "parents": [ "140e26fcd559f6988e5a9056385eecade19d9b49" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Wed Oct 05 12:15:12 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 05 12:15:12 2005 -0700" }, "message": "[IPSEC]: Document that policy direction is derived from the index.\n\nHere is a patch that adds a helper called xfrm_policy_id2dir to\ndocument the fact that the policy direction can be and is derived\nfrom the index.\n\nThis is based on a patch by YOSHIFUJI Hideaki and 210313105@suda.edu.cn.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "83fa3400ebcba307a60909824a251be984eb9567", "tree": "b01c3eaabd156ba75ec41bea0be3d73fd066713c", "parents": [ "3d2aef668920e8d93b77f145f8f647f62abe75db" ], "author": { "name": "Randy Dunlap", "email": "rdunlap@xenotime.net", "time": "Tue Oct 04 22:45:35 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 04 22:45:35 2005 -0700" }, "message": "[XFRM]: fix sparse gfp nocast warnings\n\nFix implicit nocast warnings in xfrm code:\nnet/xfrm/xfrm_policy.c:232:47: warning: implicit cast to nocast type\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e104411b82f5c4d19752c335492036abdbf5880d", "tree": "03f26f98685689ab6bfa47d5bdbb6730f64bfadb", "parents": [ "cf0b450cd5176b68ac7d5bbe68aeae6bb6a5a4b8" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Thu Sep 08 15:11:55 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Sep 08 15:11:55 2005 -0700" }, "message": "[XFRM]: Always release dst_entry on error in xfrm_lookup\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ba89966c1984513f4f2cc0a6c182266be44ddd03", "tree": "6e5766fc5c287708c03e0a162531dfd4785b0703", "parents": [ "29cb9f9c5502f6218cd3ea574efe46a5e55522d2" ], "author": { "name": "Eric Dumazet", "email": "dada1@cosmosbay.com", "time": "Fri Aug 26 12:05:31 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Aug 29 16:11:18 2005 -0700" }, "message": "[NET]: use __read_mostly on kmem_cache_t , DEFINE_SNMP_STAT pointers\n\nThis patch puts mostly read only data in the right section\n(read_mostly), to help sharing of these data between CPUS without\nmemory ping pongs.\n\nOn one of my production machine, tcp_statistics was sitting in a\nheavily modified cache line, so *every* SNMP update had to force a\nreload.\n\nSigned-off-by: Eric Dumazet \u003cdada1@cosmosbay.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "066286071d3542243baa68166acb779187c848b3", "tree": "ef6604f16ceb13842a30311654e6a64aac716c48", "parents": [ "9a4595bc7e67962f13232ee55a64e063062c3a99" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Mon Aug 15 12:33:26 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Aug 29 16:01:11 2005 -0700" }, "message": "[NETLINK]: Add \"groups\" argument to netlink_kernel_create\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ac6d439d2097b72ea0cbc2322ce1263a38bc1fd0", "tree": "19e638a226993dddede5a2da577e2572f7555a95", "parents": [ "d629b836d151d43332492651dd841d32e57ebe3b" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Sun Aug 14 19:29:52 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Aug 29 16:00:54 2005 -0700" }, "message": "[NETLINK]: Convert netlink users to use group numbers instead of bitmasks\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "43e943c32b9213b5d25407b281c94aaa474fd9a6", "tree": "7844a1aa95d697ae378bc799085e1b29eb0b8a48", "parents": [ "ad93e266a17c6f606e96304c866eb73665ae34fa" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Sun Aug 14 19:25:47 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Aug 29 16:00:34 2005 -0700" }, "message": "[NETLINK]: Fix missing dst_groups initializations in netlink_broadcast users\n\nnetlink_broadcast users must initialize NETLINK_CB(skb).dst_groups to the\ndestination group mask for netlink_recvmsg.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4fdb3bb723db469717c6d38fda667d8b0fa86ebd", "tree": "43d82e717922e6319cf8a8f9dc5ee902c651b491", "parents": [ "020b4c12dbe3868d792a01d7c1470cd837abe10f" ], "author": { "name": "Harald Welte", "email": "laforge@netfilter.org", "time": "Tue Aug 09 19:40:55 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Aug 29 15:35:08 2005 -0700" }, "message": "[NETLINK]: Add properly module refcounting for kernel netlink sockets.\n\n- Remove bogus code for compiling netlink as module\n- Add module refcounting support for modules implementing a netlink\n protocol\n- Add support for autoloading modules that implement a netlink protocol\n as soon as someone opens a socket for that protocol\n\nSigned-off-by: Harald Welte \u003claforge@netfilter.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a4f1bac62564049ea4718c4624b0fadc9f597c84", "tree": "294ef690f2b8978ee83b9e4e7dadbfb391ea1f94", "parents": [ "cadf01c2fc0cd66dfef4956ef1a6482ed01c3150" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Tue Jul 26 15:43:17 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Jul 26 15:43:17 2005 -0700" }, "message": "[XFRM]: Fix possible overflow of sock-\u003esk_policy\n\nSpotted by, and original patch by, Balazs Scheidler.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6a2e9b738cb5c929df73b6acabdd8f9a4e9a0416", "tree": "c7cdf9033093b52e360ad04dc29739ca36a617a4", "parents": [ "d5950b4355049092739bea97d1bdc14433126cc5" ], "author": { "name": "Sam Ravnborg", "email": "sam@ravnborg.org", "time": "Mon Jul 11 21:13:56 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Jul 11 21:13:56 2005 -0700" }, "message": "[NET]: move config options out to individual protocols\n\nMove the protocol specific config options out to the specific protocols.\nWith this change net/Kconfig now starts to become readable and serve as a\ngood basis for further re-structuring.\n\nThe menu structure is left almost intact, except that indention is\nfixed in most cases. Most visible are the INET changes where several\n\"depends on INET\" are replaced with a single ifdef INET / endif pair.\n\nSeveral new files were created to accomplish this change - they are\nsmall but serve the purpose that config options are now distributed\nout where they belongs.\n\nSigned-off-by: Sam Ravnborg \u003csam@ravnborg.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" } ], "next": "d094cd83c06e06e01d8edb540555f3f64e4081c2" }