)]}' { "log": [ { "commit": "e5bbef20e017efcb10700398cc048c49b98628e0", "tree": "5139dfbfb416eaeb43cc75645e486fe6a103e39b", "parents": [ "a224be766bf593f7bcd534ca0c48dbd3eaf7bfce" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Oct 15 12:50:28 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Oct 15 12:50:28 2007 -0700" }, "message": "[IPV6]: Replace sk_buff ** with sk_buff * in input handlers\n\nWith all the users of the double pointers removed from the IPv6 input path,\nthis patch converts all occurances of sk_buff ** to sk_buff * in IPv6 input\nhandlers.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "37fedd3aab6517daec628764c5d66dd8761fbe5f", "tree": "12227aec3944168bff04173dccd580240f4496aa", "parents": [ "7b277b1a5fb147cb828e5d8b9780cee60f31a9bf" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Wed Oct 10 15:44:44 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:55:54 2007 -0700" }, "message": "[IPSEC]: Use IPv6 calling convention as the convention for x-\u003emode-\u003eoutput\n\nThe IPv6 calling convention for x-\u003emode-\u003eoutput is more general and could\nhelp an eventual protocol-generic x-\u003etype-\u003eoutput implementation. This\npatch adopts it for IPv4 as well and modifies the IPv4 type output functions\naccordingly.\n\nIt also rewrites the IPv6 mac/transport header calculation to be based off\nthe network header where practical.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "658b219e9379d75fbdc578b9630b598098471258", "tree": "fe802c4e1ee6468a9c2558a5e529b2380845a003", "parents": [ "75ba28c633952f7994a7117c98ae6515b58f8d30" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Tue Oct 09 13:29:52 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:55:01 2007 -0700" }, "message": "[IPSEC]: Move common code into xfrm_alloc_spi\n\nThis patch moves some common code that conceptually belongs to the xfrm core\nfrom af_key/xfrm_user into xfrm_alloc_spi.\n\nIn particular, the spin lock on the state is now taken inside xfrm_alloc_spi.\nPreviously it also protected the construction of the response PF_KEY/XFRM\nmessages to user-space. This is inconsistent as other identical constructions\nare not protected by the state lock. This is bad because they in fact should\nbe protected but only in certain spots (so as not to hold the lock for too\nlong which may cause packet drops).\n\nThe SPI byte order conversion has also been moved.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cdf7e668d4327a33e11be04c4cb9bcc604eaaa0f", "tree": "3ffa05d642ec702b73eb568894024b4787849faa", "parents": [ "436a0a402203d5a47d2edf7e4dde6c08a7257983" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Oct 08 17:26:34 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:54:55 2007 -0700" }, "message": "[IPSEC]: Unexport xfrm_replay_notify\n\nNow that the only callers of xfrm_replay_notify are in xfrm, we can remove\nthe export.\n\nThis patch also removes xfrm_aevent_doreplay since it\u0027s now called in just\none spot.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "436a0a402203d5a47d2edf7e4dde6c08a7257983", "tree": "b47e73326a2ff7dbf8ac3fbcb6c4acea5c06619d", "parents": [ "83815dea47cf3e98ccbb6aecda08cba1ba91208f" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Oct 08 17:25:53 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:54:54 2007 -0700" }, "message": "[IPSEC]: Move output replay code into xfrm_output\n\nThe replay counter is one of only two remaining things in the output code\nthat requires a lock on the xfrm state (the other being the crypto). This\npatch moves it into the generic xfrm_output so we can remove the lock from\nthe transforms themselves.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "83815dea47cf3e98ccbb6aecda08cba1ba91208f", "tree": "6d728f3b26dc02685ec6c8eb5c08605adf9d2688", "parents": [ "406ef77c893ebd882209be4e393d64b01fe72054" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Oct 08 17:25:08 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:54:54 2007 -0700" }, "message": "[IPSEC]: Move xfrm_state_check into xfrm_output.c\n\nThe functions xfrm_state_check and xfrm_state_check_space are only used by\nthe output code in xfrm_output.c so we can move them over.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "406ef77c893ebd882209be4e393d64b01fe72054", "tree": "815d753889769b355fba7e648abef7ad1422559e", "parents": [ "bc31d3b2c7d7f2a03721a05cb3c9a3ce8b1e2e5a" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Oct 08 17:16:30 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:54:53 2007 -0700" }, "message": "[IPSEC]: Move common output code to xfrm_output\n\nMost of the code in xfrm4_output_one and xfrm6_output_one are identical so\nthis patch moves them into a common xfrm_output function which will live\nin net/xfrm.\n\nIn fact this would seem to fix a bug as on IPv4 we never reset the network\nheader after a transform which may upset netfilter later on.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce", "tree": "bf3915a618b29f507d882e9c665ed9d07e7c0765", "parents": [ "d2e9117c7aa9544d910634e17e3519fd67155229" ], "author": { "name": "Joy Latten", "email": "latten@austin.ibm.com", "time": "Mon Sep 17 11:51:22 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 10 16:49:02 2007 -0700" }, "message": "[XFRM]: xfrm audit calls\n\nThis patch modifies the current ipsec audit layer\nby breaking it up into purpose driven audit calls.\n\nSo far, the only audit calls made are when add/delete\nan SA/policy. It had been discussed to give each\nkey manager it\u0027s own calls to do this, but I found\nthere to be much redundnacy since they did the exact\nsame things, except for how they got auid and sid, so I\ncombined them. The below audit calls can be made by any\nkey manager. Hopefully, this is ok.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "bd0bf0765ea1fba80d7085e1f0375ec045631dc1", "tree": "7a637d217e6f090f3eebe127a11fcbfaabc1c3cd", "parents": [ "16751347a060a10c09b11593bb179fd5b0240c04" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Wed Jul 18 01:55:52 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jul 18 01:55:52 2007 -0700" }, "message": "[XFRM]: Fix crash introduced by struct dst_entry reordering\n\nXFRM expects xfrm_dst-\u003eu.next to be same pointer as dst-\u003enext, which\nwas broken by the dst_entry reordering in commit 1e19e02c~, causing\nan oops in xfrm_bundle_ok when walking the bundle upwards.\n\nKill xfrm_dst-\u003eu.next and change the only user to use dst-\u003enext instead.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "067b207b281db5e3f03f8d244286c20f61aa2343", "tree": "a947ba1fdc03ca82fdb2c7d6f8334b995c1c5ab2", "parents": [ "93cce3d3657bfb5d04789afcd5104f8c48700f32" ], "author": { "name": "James Chapman", "email": "jchapman@katalix.com", "time": "Thu Jul 05 17:08:05 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jul 10 22:16:53 2007 -0700" }, "message": "[UDP]: Cleanup UDP encapsulation code\n\nThis cleanup fell out after adding L2TP support where a new encap_rcv\nfuncptr was added to struct udp_sock. Have XFRM use the new encap_rcv\nfuncptr, which allows us to move the XFRM encap code from udp.c into\nxfrm4_input.c.\n\nMake xfrm4_rcv_encap() static since it is no longer called externally.\n\nSigned-off-by: James Chapman \u003cjchapman@katalix.com\u003e\nAcked-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "628529b6ee334fedc8d25ce56205bb99566572b9", "tree": "4545df6f7ecdec05c903bb2c11ba9fb4380ac71c", "parents": [ "007a531b0a0c902392a3deff730acd28ce6625c7" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Jul 02 22:41:14 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jul 10 22:16:35 2007 -0700" }, "message": "[XFRM] Introduce standalone SAD lookup\n\nThis allows other in-kernel functions to do SAD lookups.\nThe only known user at the moment is pktgen.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d3d6dd3adaaad71eae20902ed81808a66a40a5b9", "tree": "b08faa2174867f3f589889695bfa8388d2237f1e", "parents": [ "59fbb3a61e02deaeaa4fb50792217921f3002d64" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Tue Jun 26 23:57:49 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jul 10 22:15:43 2007 -0700" }, "message": "[XFRM]: Add module alias for transformation type.\n\nIt is clean-up for XFRM type modules and adds aliases with its\nprotocol:\n ESP, AH, IPCOMP, IPIP and IPv6 for IPsec\n ROUTING and DSTOPTS for MIPv6\n\nIt is almost the same thing as XFRM mode alias, but it is added\nnew defines XFRM_PROTO_XXX for preprocessing since some protocols\nare defined as enum.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nAcked-by: Ingo Oeser \u003cnetdev@axxeo.de\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "136ebf08b46f839e2dc9db34322b654e5d9b9936", "tree": "6a38a3c546def150ff73effcf4afd9c55881f49c", "parents": [ "2371baa4bdab3268b32009926f75e7a5d3a41506" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Tue Jun 26 23:51:41 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jul 10 22:15:41 2007 -0700" }, "message": "[IPV6] MIP6: Kill unnecessary ifdefs.\n\nKill unnecessary CONFIG_IPV6_MIP6.\n\no It is redundant for RAW socket to keep MH out with the config then\n it can handle any protocol.\no Clean-up at AH.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4aa2e62c45b5ca08be2d0d3c0744d7585b56e860", "tree": "16649593d55f3df4dac54227fcda28bb4fb49f17", "parents": [ "b00b4bf94edb42852d55619af453588b2de2dc5e" ], "author": { "name": "Joy Latten", "email": "latten@austin.ibm.com", "time": "Mon Jun 04 19:05:57 2007 -0400" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Jun 07 13:42:46 2007 -0700" }, "message": "xfrm: Add security check before flushing SAD/SPD\n\nCurrently we check for permission before deleting entries from SAD and\nSPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())\nHowever we are not checking for authorization when flushing the SPD and\nthe SAD completely. It was perhaps missed in the original security hooks\npatch.\n\nThis patch adds a security check when flushing entries from the SAD and\nSPD. It runs the entire database and checks each entry for a denial.\nIf the process attempting the flush is unable to remove all of the\nentries a denial is logged the the flush function returns an error\nwithout removing anything.\n\nThis is particularly useful when a process may need to create or delete\nits own xfrm entries used for things like labeled networking but that\nsame process should not be able to delete other entries or flush the\nentire database.\n\nSigned-off-by: Joy Latten\u003clatten@austin.ibm.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "01e67d08faa782f1a4d38de702331f5904def6ad", "tree": "72a546eaa73a9ef4967c1ba8232fead917d45a18", "parents": [ "4738d2fa5986d3717055d8ee14b2aad87c30f1e7" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri May 25 00:41:38 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu May 31 01:23:23 2007 -0700" }, "message": "[XFRM]: Allow XFRM_ACQ_EXPIRES to be tunable via sysctl.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5a6d34162f5c6f522f857df274f1c8240f161e11", "tree": "537d305eef465617944821a1df59da3523a640df", "parents": [ "af11e31609d93765c1b22611592543e028f7aa54" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Fri May 04 12:55:39 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri May 04 12:55:39 2007 -0700" }, "message": "[XFRM] SPD info TLV aggregation\n\nAggregate the SPD info TLVs.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "af11e31609d93765c1b22611592543e028f7aa54", "tree": "f8a915dc7d98844667308f7c234d00f59113ff3f", "parents": [ "224711df5c00f7540b89f32a8225866031977f17" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Fri May 04 12:55:13 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri May 04 12:55:13 2007 -0700" }, "message": "[XFRM] SAD info TLV aggregationx\n\nAggregate the SAD info TLVs.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "157bfc25020f7eb731f94140e099307ade47299e", "tree": "422821e5233daf0d8347ac361f09be9f49b43de4", "parents": [ "34588b4c046c34773e5a1a962da7b78b05c4d1bd" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Mon Apr 30 00:33:35 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Apr 30 00:58:09 2007 -0700" }, "message": "[XFRM]: Restrict upper layer information by bundle.\n\nOn MIPv6 usage, XFRM sub policy is enabled.\nWhen main (IPsec) and sub (MIPv6) policy selectors have the same\naddress set but different upper layer information (i.e. protocol\nnumber and its ports or type/code), multiple bundle should be created.\nHowever, currently we have issue to use the same bundle created for\nthe first time with all flows covered by the case.\n\nIt is useful for the bundle to have the upper layer information\nto be restructured correctly if it does not match with the flow.\n\n1. Bundle was created by two policies\nSelector from another policy is added to xfrm_dst.\nIf the flow does not match the selector, it goes to slow path to\nrestructure new bundle by single policy.\n\n2. Bundle was created by one policy\nFlow cache is added to xfrm_dst as originated one. If the flow does\nnot match the cache, it goes to slow path to try searching another\npolicy.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ecfd6b183780c6d9e85873693b3ce6c5f4d08b58", "tree": "8ee1330176e3011d3fdf86e70b5933b50302b7e7", "parents": [ "5632c5152aa621885d87ea0b8fdd5a6bb9f69c6f" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Sat Apr 28 21:20:32 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 28 21:20:32 2007 -0700" }, "message": "[XFRM]: Export SPD info\n\nWith this patch you can use iproute2 in user space to efficiently see\nhow many policies exist in different directions.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "28d8909bc790d936ce33f4402adf7577533bbd4b", "tree": "8de479d6660aba23bc99fa555c150852548df58d", "parents": [ "98486fa2f4894e2b01e325c659635596bdec1614" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Thu Apr 26 00:10:29 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Apr 26 00:10:29 2007 -0700" }, "message": "[XFRM]: Export SAD info.\n\nOn a system with a lot of SAs, counting SAD entries chews useful\nCPU time since you need to dump the whole SAD to user space;\ni.e something like ip xfrm state ls | grep -i src | wc -l\nI have seen taking literally minutes on a 40K SAs when the system\nis swapping.\nWith this patch, some of the SAD info (that was already being tracked)\nis exposed to user space. i.e you do:\nip xfrm state count\nAnd you get the count; you can also pass -s to the command line and\nget the hash info.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c5c2523893747f88a83376abad310c8ad13f7197", "tree": "58f1ab25ac9f7ca7460abbd24e9bab9c8683f6fd", "parents": [ "557922584d9c5b6b990bcfb2fec3134f0e73a05d" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Mon Apr 09 11:47:18 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Apr 25 22:28:38 2007 -0700" }, "message": "[XFRM]: Optimize MTU calculation\n\nReplace the probing based MTU estimation, which usually takes 2-3 iterations\nto find a fitting value and may underestimate the MTU, by an exact calculation.\n\nAlso fix underestimation of the XFRM trailer_len, which causes unnecessary\nreallocations.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "ef41aaa0b755f479012341ac11db9ca5b8928d98", "tree": "f5cd83b9117d0092f40006fbf4fd1f39652ad925", "parents": [ "05e52dd7396514648fba6c275eb7b49eca333c6d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Mar 07 15:37:58 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Mar 07 16:08:09 2007 -0800" }, "message": "[IPSEC]: xfrm_policy delete security check misplaced\n\nThe security hooks to check permissions to remove an xfrm_policy were\nactually done after the policy was removed. Since the unlinking and\ndeletion are done in xfrm_policy_by* functions this moves the hooks\ninside those 2 functions. There we have all the information needed to\ndo the security check and it can be done before the deletion. Since\nauditing requires the result of that security check err has to be passed\nback and forth from the xfrm_policy_by* functions.\n\nThis patch also fixes a bug where a deletion that failed the security\ncheck could cause improper accounting on the xfrm_policy\n(xfrm_get_policy didn\u0027t have a put on the exit path for the hold taken\nby xfrm_policy_by*)\n\nIt also fixes the return code when no policy is found in\nxfrm_add_pol_expire. In old code (at least back in the 2.6.18 days) err\nwasn\u0027t used before the return when no policy is found and so the\ninitialization would cause err to be ENOENT. But since err has since\nbeen used above when we don\u0027t get a policy back from the xfrm_policy_by*\nfunction we would always return 0 instead of the intended ENOENT. Also\nfixed some white space damage in the same area.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "73d605d1abbd70ef67b7660cf2ff177259960756", "tree": "3b183bc597044785eef7cc8efefb41fbac097bf5", "parents": [ "c73cb5a2d607b5b95a06a54d8291ddb659b348b6" ], "author": { "name": "Kazunori MIYAZAWA", "email": "miyazawa@linux-ipv6.org", "time": "Tue Feb 13 12:55:55 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 13 12:55:55 2007 -0800" }, "message": "[IPSEC]: changing API of xfrm6_tunnel_register\n\nThis patch changes xfrm6_tunnel register and deregister\ninterface to prepare for solving the conflict of device\ntunnels with inter address family IPsec tunnel.\nThere is no device which conflicts with IPv4 over IPv6\nIPsec tunnel.\n\nSigned-off-by: Kazunori MIYAZAWA \u003cmiyazawa@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c0d56408e3ff52d635441e0f08d12164a63728cf", "tree": "026b531a00255730e9878905fdc2e6a910f4e1c7", "parents": [ "600ff0c24bb71482e7f0da948a931d5c5d72838a" ], "author": { "name": "Kazunori MIYAZAWA", "email": "miyazawa@linux-ipv6.org", "time": "Tue Feb 13 12:54:47 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 13 12:54:47 2007 -0800" }, "message": "[IPSEC]: Changing API of xfrm4_tunnel_register.\n\nThis patch changes xfrm4_tunnel register and deregister\ninterface to prepare for solving the conflict of device\ntunnels with inter address family IPsec tunnel.\n\nSigned-off-by: Kazunori MIYAZAWA \u003cmiyazawa@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "80c9abaabf4283f7cf4a0b3597cd302506635b7f", "tree": "7dd4270a22e039c827114d182c2071a84826f563", "parents": [ "9934e81c8c4981342dab3e386aff5d4499bea0d2" ], "author": { "name": "Shinta Sugimoto", "email": "shinta.sugimoto@ericsson.com", "time": "Thu Feb 08 13:11:42 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Feb 08 13:11:42 2007 -0800" }, "message": "[XFRM]: Extension for dynamic update of endpoint address(es)\n\nExtend the XFRM framework so that endpoint address(es) in the XFRM\ndatabases could be dynamically updated according to a request (MIGRATE\nmessage) from user application. Target XFRM policy is first identified\nby the selector in the MIGRATE message. Next, the endpoint addresses\nof the matching templates and XFRM states are updated according to\nthe MIGRATE message.\n\nSigned-off-by: Shinta Sugimoto \u003cshinta.sugimoto@ericsson.com\u003e\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cdca72652adf597f7fef821a27595fd0dd5eea19", "tree": "4a11752d72f70b2248aa811c165cc95007d21a8f", "parents": [ "243cb4e56061c3f4cb76312c5527840344d57c3b" ], "author": { "name": "Miika Komu", "email": "miika@iki.fi", "time": "Tue Feb 06 14:24:56 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Feb 08 12:39:00 2007 -0800" }, "message": "[IPSEC]: exporting xfrm_state_afinfo\n\nThis patch exports xfrm_state_afinfo.\n\nSigned-off-by: Miika Komu \u003cmiika@iki.fi\u003e\nSigned-off-by: Diego Beltrami \u003cDiego.Beltrami@hiit.fi\u003e\nSigned-off-by: Kazunori Miyazawa \u003cmiyazawa@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c9204d9ca79baac564b49d36d0228a69d7ded084", "tree": "190698c8b1198eda24fa63c8bf562436e6b6fb6f", "parents": [ "161a09e737f0761ca064ee6a907313402f7a54b6" ], "author": { "name": "Joy Latten", "email": "latten@austin.ibm.com", "time": "Thu Nov 30 15:50:43 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Dec 06 20:14:23 2006 -0800" }, "message": "audit: disable ipsec auditing when CONFIG_AUDITSYSCALL\u003dn\n\nDisables auditing in ipsec when CONFIG_AUDITSYSCALL is\ndisabled in the kernel.\n\nAlso includes a bug fix for xfrm_state.c as a result of\noriginal ipsec audit patch.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "161a09e737f0761ca064ee6a907313402f7a54b6", "tree": "80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e", "parents": [ "95b99a670df31ca5271f503f378e5cac3aee8f5e" ], "author": { "name": "Joy Latten", "email": "latten@austin.ibm.com", "time": "Mon Nov 27 13:11:54 2006 -0600" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Dec 06 20:14:22 2006 -0800" }, "message": "audit: Add auditing to ipsec\n\nAn audit message occurs when an ipsec SA\nor ipsec policy is created/deleted.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "76b3f055f38954c67dab13844eb92203580038f8", "tree": "59655690a408aef422e65660c41a51789ea2294f", "parents": [ "08dd1a506bbc4528db60dfdfff61423a1608ed3f" ], "author": { "name": "Miika Komu", "email": "miika@iki.fi", "time": "Thu Nov 30 16:40:43 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:31:48 2006 -0800" }, "message": "[IPSEC]: Add encapsulation family.\n\nSigned-off-by: Miika Komu \u003cmiika@iki.fi\u003e\nSigned-off-by: Diego Beltrami \u003cDiego.Beltrami@hiit.fi\u003e\nSigned-off-by: Kazunori Miyazawa \u003cmiyazawa@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "46ca5f5dc4f1c9b5ac02c0090ae8ff4ac8560446", "tree": "314b4ec3bfb52d536dff6e9cb201b76571e0d502", "parents": [ "d5c42c0ec4f7fd5a4e19e33a2d561758b67c55c8" ], "author": { "name": "Arnaldo Carvalho de Melo", "email": "acme@mandriva.com", "time": "Mon Nov 27 17:58:59 2006 -0200" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:30:48 2006 -0800" }, "message": "[XFRM]: Pack struct xfrm_policy\n\n[acme@newtoy net-2.6.20]$ pahole net/ipv4/tcp.o xfrm_policy\n/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */\nstruct xfrm_policy {\n struct xfrm_policy * next; /* 0 4 */\n struct hlist_node bydst; /* 4 8 */\n struct hlist_node byidx; /* 12 8 */\n rwlock_t lock; /* 20 36 */\n atomic_t refcnt; /* 56 4 */\n struct timer_list timer; /* 60 24 */\n u8 type; /* 84 1 */\n\n /* XXX 3 bytes hole, try to pack */\n\n u32 priority; /* 88 4 */\n u32 index; /* 92 4 */\n struct xfrm_selector selector; /* 96 56 */\n struct xfrm_lifetime_cfg lft; /* 152 64 */\n struct xfrm_lifetime_cur curlft; /* 216 32 */\n struct dst_entry * bundles; /* 248 4 */\n __u16 family; /* 252 2 */\n __u8 action; /* 254 1 */\n __u8 flags; /* 255 1 */\n __u8 dead; /* 256 1 */\n __u8 xfrm_nr; /* 257 1 */\n\n /* XXX 2 bytes hole, try to pack */\n\n struct xfrm_sec_ctx * security; /* 260 4 */\n struct xfrm_tmpl xfrm_vec[6]; /* 264 360 */\n}; /* size: 624, sum members: 619, holes: 2, sum holes: 5 */\n\nSo lets have just one hole instead of two, by moving \u0027type\u0027 to just before \u0027action\u0027,\nend result:\n\n[acme@newtoy net-2.6.20]$ codiff -s /tmp/tcp.o.before net/ipv4/tcp.o\n/pub/scm/linux/kernel/git/acme/net-2.6.20/net/ipv4/tcp.c:\n struct xfrm_policy | -4\n 1 struct changed\n[acme@newtoy net-2.6.20]$\n\n[acme@newtoy net-2.6.20]$ pahole -c 64 net/ipv4/tcp.o xfrm_policy\n/* /pub/scm/linux/kernel/git/acme/net-2.6.20/include/linux/security.h:67 */\nstruct xfrm_policy {\n struct xfrm_policy * next; /* 0 4 */\n struct hlist_node bydst; /* 4 8 */\n struct hlist_node byidx; /* 12 8 */\n rwlock_t lock; /* 20 36 */\n atomic_t refcnt; /* 56 4 */\n struct timer_list timer; /* 60 24 */\n u32 priority; /* 84 4 */\n u32 index; /* 88 4 */\n struct xfrm_selector selector; /* 92 56 */\n struct xfrm_lifetime_cfg lft; /* 148 64 */\n struct xfrm_lifetime_cur curlft; /* 212 32 */\n struct dst_entry * bundles; /* 244 4 */\n u16 family; /* 248 2 */\n u8 type; /* 250 1 */\n u8 action; /* 251 1 */\n u8 flags; /* 252 1 */\n u8 dead; /* 253 1 */\n u8 xfrm_nr; /* 254 1 */\n\n /* XXX 1 byte hole, try to pack */\n\n struct xfrm_sec_ctx * security; /* 256 4 */\n struct xfrm_tmpl xfrm_vec[6]; /* 260 360 */\n}; /* size: 620, sum members: 619, holes: 1, sum holes: 1 */\n\nAre there any fugly data dependencies here? None that I know.\n\nIn the process changed the removed the __ prefixed types, that are just for\nuserspace visible headers.\n\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@mandriva.com\u003e\n" }, { "commit": "ba4e58eca8aa9473b44fdfd312f26c4a2e7798b3", "tree": "700f8f989f48da480beb83b983637cfd2b5a3f67", "parents": [ "6051e2f4fb68fc8e5343db58fa680ece376f405c" ], "author": { "name": "Gerrit Renker", "email": "gerrit@erg.abdn.ac.uk", "time": "Mon Nov 27 11:10:57 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:22:46 2006 -0800" }, "message": "[NET]: Supporting UDP-Lite (RFC 3828) in Linux\n\nThis is a revision of the previously submitted patch, which alters\nthe way files are organized and compiled in the following manner:\n\n\t* UDP and UDP-Lite now use separate object files\n\t* source file dependencies resolved via header files\n\t net/ipv{4,6}/udp_impl.h\n\t* order of inclusion files in udp.c/udplite.c adapted\n\t accordingly\n\n[NET/IPv4]: Support for the UDP-Lite protocol (RFC 3828)\n\nThis patch adds support for UDP-Lite to the IPv4 stack, provided as an\nextension to the existing UDPv4 code:\n * generic routines are all located in net/ipv4/udp.c\n * UDP-Lite specific routines are in net/ipv4/udplite.c\n * MIB/statistics support in /proc/net/snmp and /proc/net/udplite\n * shared API with extensions for partial checksum coverage\n\n[NET/IPv6]: Extension for UDP-Lite over IPv6\n\nIt extends the existing UDPv6 code base with support for UDP-Lite\nin the same manner as per UDPv4. In particular,\n * UDPv6 generic and shared code is in net/ipv6/udp.c\n * UDP-Litev6 specific extensions are in net/ipv6/udplite.c\n * MIB/statistics support in /proc/net/snmp6 and /proc/net/udplite6\n * support for IPV6_ADDRFORM\n * aligned the coding style of protocol initialisation with af_inet6.c\n * made the error handling in udpv6_queue_rcv_skb consistent;\n to return `-1\u0027 on error on all error cases\n * consolidation of shared code\n\n[NET]: UDP-Lite Documentation and basic XFRM/Netfilter support\n\nThe UDP-Lite patch further provides\n * API documentation for UDP-Lite\n * basic xfrm support\n * basic netfilter support for IPv4 and IPv6 (LOG target)\n\nSigned-off-by: Gerrit Renker \u003cgerrit@erg.abdn.ac.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "776810217ac558351cdcca01c4c6a9474e4a68c2", "tree": "2712b84aea6be1e0afe3668383542a35b5ceb832", "parents": [ "fcc70d5fdc9b0bd3e99c9dacb8198224af2b4b42" ], "author": { "name": "Andrew Morton", "email": "akpm@osdl.org", "time": "Wed Nov 08 22:46:26 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:36 2006 -0800" }, "message": "[XFRM]: uninline xfrm_selector_match()\n\nSix callsites, huge.\n\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5d36b1803d875cf101fdb972ff9c56663e508e39", "tree": "36478dec86293ab8f3381a83ee3979f794958783", "parents": [ "d29ef86b0a497dd2c4f9601644a15392f7e21f73" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Nov 08 00:24:06 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:18 2006 -0800" }, "message": "[XFRM]: annotate -\u003enew_mapping()\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "04ce69093f91547d3a7c4fc815d2868195591340", "tree": "69bea18b5d1b8c2999f13f8e0372491c9f9238e6", "parents": [ "8c689a6eae2d83970e4f34753d513e96fb97a025" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Nov 08 00:21:01 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:12 2006 -0800" }, "message": "[IPV6]: \u0027info\u0027 argument of ipv6 -\u003eerr_handler() is net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "8c689a6eae2d83970e4f34753d513e96fb97a025", "tree": "50c67089a5a46dbde93fdcb6040227fb599d5110", "parents": [ "d2ecd9ccd0694278a8c1fa179d1d058ee66e2297" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Nov 08 00:20:21 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:11 2006 -0800" }, "message": "[XFRM]: misc annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d", "tree": "293f595f737540a546ba186ba1f054389aa95f6f", "parents": [ "134b0fc544ba062498451611cb6f3e4454221b3d" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@trustedcs.com", "time": "Thu Oct 05 15:42:18 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 11 23:59:37 2006 -0700" }, "message": "IPsec: correct semantics for SELinux policy matching\n\nCurrently when an IPSec policy rule doesn\u0027t specify a security\ncontext, it is assumed to be \"unlabeled\" by SELinux, and so\nthe IPSec policy rule fails to match to a flow that it would\notherwise match to, unless one has explicitly added an SELinux\npolicy rule allowing the flow to \"polmatch\" to the \"unlabeled\"\nIPSec policy rules. In the absence of such an explicitly added\nSELinux policy rule, the IPSec policy rule fails to match and\nso the packet(s) flow in clear text without the otherwise applicable\nxfrm(s) applied.\n\nThe above SELinux behavior violates the SELinux security notion of\n\"deny by default\" which should actually translate to \"encrypt by\ndefault\" in the above case.\n\nThis was first reported by Evgeniy Polyakov and the way James Morris\nwas seeing the problem was when connecting via IPsec to a\nconfined service on an SELinux box (vsftpd), which did not have the\nappropriate SELinux policy permissions to send packets via IPsec.\n\nWith this patch applied, SELinux \"polmatching\" of flows Vs. IPSec\npolicy rules will only come into play when there\u0027s a explicit context\nspecified for the IPSec policy rule (which also means there\u0027s corresponding\nSELinux policy allowing appropriate domains/flows to polmatch to this context).\n\nSecondly, when a security module is loaded (in this case, SELinux), the\nsecurity_xfrm_policy_lookup() hook can return errors other than access denied,\nsuch as -EINVAL. We were not handling that correctly, and in fact\ninverting the return logic and propagating a false \"ok\" back up to\nxfrm_lookup(), which then allowed packets to pass as if they were not\nassociated with an xfrm policy.\n\nThe solution for this is to first ensure that errno values are\ncorrectly propagated all the way back up through the various call chains\nfrom security_xfrm_policy_lookup(), and handled correctly.\n\nThen, flow_cache_lookup() is modified, so that if the policy resolver\nfails (typically a permission denied via the security module), the flow\ncache entry is killed rather than having a null policy assigned (which\nindicates that the packet can pass freely). This also forces any future\nlookups for the same flow to consult the security module (e.g. SELinux)\nfor current security policy (rather than, say, caching the error on the\nflow cache entry).\n\nThis patch: Fix the selinux side of things.\n\nThis makes sure SELinux polmatching of flow contexts to IPSec policy\nrules comes into play only when an explicit context is associated\nwith the IPSec policy rule.\n\nAlso, this no longer defaults the context of a socket policy to\nthe context of the socket since the \"no explicit context\" case\nis now handled properly.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "61f4627b2fecce9d5c9645e4b47e75a0c29ad8c3", "tree": "56eceeeb96291a2fe0f3f5f1ff34de31bf2ec605", "parents": [ "a252cc2371930debe3162f1ac91467b9791324cb" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:48:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:41 2006 -0700" }, "message": "[XFRM]: xfrm_replay_advance() annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a252cc2371930debe3162f1ac91467b9791324cb", "tree": "9679147dcceac5dd24c97dc9dbe7c63546cf568a", "parents": [ "6067b2baba32211e84d1ef2dba863422281bd6c7" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:48:18 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:40 2006 -0700" }, "message": "[XFRM]: xrfm_replay_check() annotations\n\nseq argument is net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6067b2baba32211e84d1ef2dba863422281bd6c7", "tree": "ee954829024c0e96d240bff8cdbec3f056017ab5", "parents": [ "e037c39bf965ca66fde902e191d849a90de278fe" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:47:59 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:39 2006 -0700" }, "message": "[XFRM]: xfrm_parse_spi() annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a94cfd19744a568d97b14bbaa500b2a0c3684f34", "tree": "1e933aec3969ba63315d147fa39d0103ce311200", "parents": [ "26977b4ed728ae911a162b16dbfe1a165b7cf9a1" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:47:24 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:37 2006 -0700" }, "message": "[XFRM]: xfrm_state_lookup() annotations\n\nspi argument of xfrm_state_lookup() is net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "26977b4ed728ae911a162b16dbfe1a165b7cf9a1", "tree": "e70980811cbd0c6a271e3e92cd3c2c48bdea5701", "parents": [ "737b5761dfc609b5be4163deb2cf09226f56bcbc" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:47:05 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:36 2006 -0700" }, "message": "[XFRM]: xfrm_alloc_spi() annotated\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5f19343fb19613539355296b23cbc08d1336b52d", "tree": "122996f66a4dde454dfdadc7ba25bbb8808ea13c", "parents": [ "8f83f23e6db8b9a9fe787d02f73489224668c4e2" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:46:32 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:34 2006 -0700" }, "message": "[XFRM]: addr_match() annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f9d07e41f89e7305eb2c0475c170c51d21425581", "tree": "9cfdb75f75ffcb6160fcfe579713b6daba538df1", "parents": [ "e2e38e819bd03e9674c102aaa2c9dc8151a3c3d0" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:45:50 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:32 2006 -0700" }, "message": "[XFRM]: xfrm_flowi_[sd]port() annotations\n\nboth return net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a1e59abf824969554b90facd44a4ab16e265afa4", "tree": "b981536bbf7dde2c55e9a5223a5e31bea2c356a2", "parents": [ "1ef9696c909060ccdae3ade245ca88692b49285b" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Tue Sep 19 12:57:34 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:19:06 2006 -0700" }, "message": "[XFRM]: Fix wildcard as tunnel source\n\nHashing SAs by source address breaks templates with wildcards as tunnel\nsource since the source address used for hashing/lookup is still 0/0.\nMove source address lookup to xfrm_tmpl_resolve_one() so we can use the\nreal address in the lookup.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "eb878e84575fbce21d2edb079eada78bfa27023d", "tree": "f47eb18d4539015596de96ccb9ac3fd20584cbe5", "parents": [ "fda9ef5d679b07c9d9097aaf6ef7f069d794a8f9" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Thu Aug 31 17:42:59 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:48 2006 -0700" }, "message": "[IPSEC]: output mode to take an xfrm state as input param\n\nExpose IPSEC modes output path to take an xfrm state as input param.\nThis makes it consistent with the input mode processing (which already\ntakes the xfrm state as a param).\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2518c7c2b3d7f0a6b302b4efe17c911f8dd4049f", "tree": "7de05ca17d76eee141d4feff3b7b27d850557ae6", "parents": [ "c1969f294e624d5b642fc8e6ab9468b7c7791fa8" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 04:45:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:48 2006 -0700" }, "message": "[XFRM]: Hash policies when non-prefixed.\n\nThis idea is from Alexey Kuznetsov.\n\nIt is common for policies to be non-prefixed. And for\nthat case we can optimize lookups, insert, etc. quite\na bit.\n\nFor each direction, we have a dynamically sized policy\nhash table for non-prefixed policies. We also have a\nhash table on policy-\u003eindex.\n\nFor prefixed policies, we have a list per-direction which\nwe will consult on lookups when a non-prefix hashtable\nlookup fails.\n\nThis still isn\u0027t as efficient as I would like it. There\nare four immediate problems:\n\n1) Lots of excessive refcounting, which can be fixed just\n like xfrm_state was\n2) We do 2 hash probes on insert, one to look for dups and\n one to allocate a unique policy-\u003eindex. Althought I wonder\n how much this matters since xfrm_state inserts do up to\n 3 hash probes and that seems to perform fine.\n3) xfrm_policy_insert() is very complex because of the priority\n ordering and entry replacement logic.\n4) Lots of counter bumping, in addition to policy refcounts,\n in the form of xfrm_policy_count[]. This is merely used\n to let code path(s) know that some IPSEC rules exist. So\n this count is indexed per-direction, maybe that is overkill.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1c0953997567b22e32fdf85d3b4bc0f2461fd161", "tree": "5e4d691503d911f2134734e345ae0d7f01b97e4e", "parents": [ "c7f5ea3a4d1ae6b3b426e113358fdc57494bc754" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:30:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:46 2006 -0700" }, "message": "[XFRM]: Purge dst references to deleted SAs passively.\n\nJust let GC and other normal mechanisms take care of getting\nrid of DST cache references to deleted xfrm_state objects\ninstead of walking all the policy bundles.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c7f5ea3a4d1ae6b3b426e113358fdc57494bc754", "tree": "d77be695b79131617029d8586fd729a6b94b56e5", "parents": [ "2575b65434d56559bd03854450b9b6aaf19b9c90" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:29:04 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:45 2006 -0700" }, "message": "[XFRM]: Do not flush all bundles on SA insert.\n\nInstead, simply set all potentially aliasing existing xfrm_state\nobjects to have the current generation counter value.\n\nThis will make routes get relooked up the next time an existing\nroute mentioning these aliased xfrm_state objects gets used,\nvia xfrm_dst_check().\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9d4a706d852411154d0c91b9ffb3bec68b94b25c", "tree": "1613607168baa8b654c300895cd7d0ffb6f18581", "parents": [ "f034b5d4efdfe0fb9e2a1ce1d95fa7914f24de49" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 03:18:09 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:42 2006 -0700" }, "message": "[XFRM]: Add generation count to xfrm_state and xfrm_dst.\n\nEach xfrm_state inserted gets a new generation counter\nvalue. When a bundle is created, the xfrm_dst objects\nget the current generation counter of the xfrm_state\nthey will attach to at dst-\u003exfrm.\n\nxfrm_bundle_ok() will return false if it sees an\nxfrm_dst with a generation count different from the\ngeneration count of the xfrm_state that dst points to.\n\nThis provides a facility by which to passively and\ncheaply invalidate cached IPSEC routes during SA\ndatabase changes.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "8f126e37c0b250310a48a609bedf92a19a5559ec", "tree": "c1de0aea5f425d74b99453e9edb4561dfd147d2c", "parents": [ "edcd582152090bfb0ccb4ad444c151798a73eda8" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 02:45:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:40 2006 -0700" }, "message": "[XFRM]: Convert xfrm_state hash linkage to hlists.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "edcd582152090bfb0ccb4ad444c151798a73eda8", "tree": "9d6051e71c5c22c50315d6b2c740170002469288", "parents": [ "2770834c9f44afd1bfa13914c7285470775af657" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 00:42:45 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:39 2006 -0700" }, "message": "[XFRM]: Pull xfrm_state_by{spi,src} hash table knowledge out of afinfo.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2770834c9f44afd1bfa13914c7285470775af657", "tree": "40191fdc632e572bc7878f57dc8fb385109a3aa8", "parents": [ "64d9fdda8e1bdf416b2d9203c3ad9c249ea301be" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Aug 24 00:13:10 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:38 2006 -0700" }, "message": "[XFRM]: Pull xfrm_state_bydst hash table knowledge out of afinfo.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f7b6983f0feeefcd2a594138adcffe640593d8de", "tree": "41878fad9f0f0306718fa832eac7dfa76f51222d", "parents": [ "41a49cc3c02ace59d4dddae91ea211c330970ee3" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:49:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:35 2006 -0700" }, "message": "[XFRM] POLICY: Support netlink socket interface for sub policy.\n\nSub policy can be used through netlink socket.\nPF_KEY uses main only and it is TODO to support sub.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "41a49cc3c02ace59d4dddae91ea211c330970ee3", "tree": "bca262bd2d32f1cf7473b5360052ff3103845e23", "parents": [ "4e81bb8336a0ac50289d4d4c7a55e559b994ee8f" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:48:31 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:34 2006 -0700" }, "message": "[XFRM]: Add sorting interface for state and template.\n\nUnder two transformation policies it is required to merge them.\nThis is a platform to sort state for outbound and templates\nfor inbound respectively.\nIt will be used when Mobile IPv6 and IPsec are used at the same time.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4e81bb8336a0ac50289d4d4c7a55e559b994ee8f", "tree": "fefa71843c3f8152dd0a008b3b40fe2e42d204d7", "parents": [ "c11f1a15c522ddd3bbd2c32b5ce3e0b1831b22f2" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 22:43:30 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:34 2006 -0700" }, "message": "[XFRM] POLICY: sub policy support.\n\nSub policy is introduced. Main and sub policy are applied the same flow.\n(Policy that current kernel uses is named as main.)\nIt is required another transformation policy management to keep IPsec\nand Mobile IPv6 lives separate.\nPolicy which lives shorter time in kernel should be a sub i.e. normally\nmain is for IPsec and sub is for Mobile IPv6.\n(Such usage as two IPsec policies on different database can be used, too.)\n\nLimitation or TODOs:\n - Sub policy is not supported for per socket one (it is always inserted as main).\n - Current kernel makes cached outbound with flowi to skip searching database.\n However this patch makes it disabled only when \"two policies are used and\n the first matched one is bypass case\" because neither flowi nor bundle\n information knows about transformation template size.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\n" }, { "commit": "97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5", "tree": "424700fb0a41b28c5615d0d21ca74d699e1fa872", "parents": [ "df0ba92a99ca757039dfa84a929281ea3f7a50e8" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:44:06 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:30 2006 -0700" }, "message": "[XFRM]: Introduce XFRM_MSG_REPORT.\n\nXFRM_MSG_REPORT is a message as notification of state protocol and\nselector from kernel to user-space.\n\nMobile IPv6 will use it when inbound reject is occurred at route\noptimization to make user-space know a binding error requirement.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "df0ba92a99ca757039dfa84a929281ea3f7a50e8", "tree": "26f1f562c513ad43f813dcf2c58d426a3649625b", "parents": [ "2ce4272a699c731b9736d76126dc742353e381db" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:41:00 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:08:29 2006 -0700" }, "message": "[XFRM]: Trace which secpath state is reject factor.\n\nFor Mobile IPv6 usage, it is required to trace which secpath state is\nreject factor in order to notify it to user space (to know the address\nwhich cannot be used route optimized communication).\n\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Henrik Petander \u003cpetander@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2ce4272a699c731b9736d76126dc742353e381db", "tree": "ce60343164fa72dde2207d4c4045554662efa141", "parents": [ "6e8f4d48b265225bdf437bbf3151b0d6700dda22" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:39:03 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:07:03 2006 -0700" }, "message": "[IPV6] MIP6: Transformation support mobility header.\n\nTransformation support mobility header.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e53820de0f81da1429048634cadc6ef5f50c2f8b", "tree": "7a63689f564c0719a0d4fea2cc5d3b84ea00fbbd", "parents": [ "9afaca057980c02771f4657c455cc7592fcd7373" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 19:12:01 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:44 2006 -0700" }, "message": "[XFRM] IPV6: Restrict bundle reusing\n\nFor outbound transformation, bundle is checked whether it is\nsuitable for current flow to be reused or not. In such IPv6 case\nas below, transformation may apply incorrect bundle for the flow instead\nof creating another bundle:\n\n- The policy selector has destination prefix length \u003c 128\n (Two or more addresses can be matched it)\n- Its bundle holds dst entry of default route whose prefix length \u003c 128\n (Previous traffic was used such route as next hop)\n- The policy and the bundle were used a transport mode state and\n this time flow address is not matched the bundled state.\n\nThis issue is found by Mobile IPv6 usage to protect mobility signaling\nby IPsec, but it is not a Mobile IPv6 specific.\nThis patch adds strict check to xfrm_bundle_ok() for each\nstate mode and address when prefix length is less than 128.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "9afaca057980c02771f4657c455cc7592fcd7373", "tree": "3ef6e1b304248fad27c8063b7fbffdba966a0671", "parents": [ "060f02a3bdd4d9ba8aa3c48e9b470672b1f3a585" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:20:16 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:43 2006 -0700" }, "message": "[XFRM] IPV6: Update outbound state timestamp for each sending.\n\nWith this patch transformation state is updated last used time\nfor each sending. Xtime is used for it like other state lifetime\nexpiration.\nMobile IPv6 enabled nodes will want to know traffic status of each\nbinding (e.g. judgement to request binding refresh by correspondent node,\nor to keep home/care-of nonce alive by mobile node).\nThe last used timestamp is an important hint about it.\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Henrik Petander \u003cpetander@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "060f02a3bdd4d9ba8aa3c48e9b470672b1f3a585", "tree": "0eb60cf50ad70ceb856c82c32124470f6bce2d86", "parents": [ "1b5c229987dc4d0c92a38fac0cde2aeec08cd775" ], "author": { "name": "Noriaki TAKAMIYA", "email": "takamiya@po.ntts.co.jp", "time": "Wed Aug 23 18:18:55 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:42 2006 -0700" }, "message": "[XFRM] STATE: Introduce care-of address.\n\nCare-of address is carried by state as a transformation option like\nIPsec encryption/authentication algorithm.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Noriaki TAKAMIYA \u003ctakamiya@po.ntts.co.jp\u003e\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\n" }, { "commit": "1b5c229987dc4d0c92a38fac0cde2aeec08cd775", "tree": "5726243af6aa7194f1ed65e0340539e1ee5c6a42", "parents": [ "99505a843673faeae962a8cde128c7c034ba6b5e" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:11:50 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:41 2006 -0700" }, "message": "[XFRM] STATE: Support non-fragment outbound transformation headers.\n\nFor originated outbound IPv6 packets which will fragment, ip6_append_data()\nshould know length of extension headers before sending them and\nthe length is carried by dst_entry.\nIPv6 IPsec headers fragment then transformation was\ndesigned to place all headers after fragment header.\nOTOH Mobile IPv6 extension headers do not fragment then\nit is a good idea to make dst_entry have non-fragment length to tell it\nto ip6_append_data().\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "99505a843673faeae962a8cde128c7c034ba6b5e", "tree": "f12a7409b5981881e56fcf5ca973de0d5d6001bd", "parents": [ "9e51fd371a022318c5b64b831c43026e89bc4f75" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:10:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:41 2006 -0700" }, "message": "[XFRM] STATE: Add a hook to obtain local/remote outbound address.\n\nOutbound transformation replaces both source and destination address with\nstate\u0027s end-point addresses at the same time when IPsec tunnel mode.\nIt is also required to change them for Mobile IPv6 route optimization, but we\nshould care about the following differences:\n - changing result is not end-point but care-of address\n - either source or destination is replaced for each state\nThis hook is a common platform to change outbound address.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fbd9a5b47ee9c319ff0cae584391241ce78ffd6b", "tree": "3e6cdcf297e3f82b7ab276e5ffa59abfcb912f44", "parents": [ "f3bd484021d9486b826b422a017d75dd0bd258ad" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 18:08:21 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:39 2006 -0700" }, "message": "[XFRM] STATE: Common receive function for route optimization extension headers.\n\nXFRM_STATE_WILDRECV flag is introduced; the last resort state is set\nit and receives packet which is not route optimized but uses such\nextension headers i.e. Mobile IPv6 signaling (binding update and\nacknowledgement). A node enabled Mobile IPv6 adds the state.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "aee5adb4307c4c63a4dc5f3b49984d76f8a71b5b", "tree": "b2daac197259c535d66749617ede6f8479b355a4", "parents": [ "eb2971b68a7d17a7d0fa2c7fc6fbc4bfe41cd694" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:57:28 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:36 2006 -0700" }, "message": "[XFRM] STATE: Add a hook to find offset to be inserted header in outbound.\n\nOn current kernel, ip6_find_1stfragopt() is used by IPv6 IPsec to find\noffset to be inserted header in outbound for transport mode. (BTW, no\nusage may be needed for IPv4 case.) Mobile IPv6 requires another\nlogic for routing header and destination options header\nrespectively. This patch is common platform for the offset and adopts\nit to IPsec.\n\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "eb2971b68a7d17a7d0fa2c7fc6fbc4bfe41cd694", "tree": "5f6e98ac376d0d2faa69e8a6644706a7312a1ff1", "parents": [ "6c44e6b7ab500d7e3e3f406c83325671be51a752" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:56:04 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:35 2006 -0700" }, "message": "[XFRM] STATE: Search by address using source address list.\n\nThis is a support to search transformation states by its addresses\nby using source address list for Mobile IPv6 usage.\nTo use it from user-space, it is also added a message type for\nsource address as a xfrm state option.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6c44e6b7ab500d7e3e3f406c83325671be51a752", "tree": "d68b6347f4e437cd4aac9444ed9ee323f73eb06c", "parents": [ "622dc8281a80374873686514e46f852093d91106" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:53:57 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:34 2006 -0700" }, "message": "[XFRM] STATE: Add source address list.\n\nSupport source address based searching.\nMobile IPv6 will use it.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "622dc8281a80374873686514e46f852093d91106", "tree": "21ea09f939b3fe56e346b92fb07eaebc58e6f2a2", "parents": [ "dc00a525603650a1471c823a1e48c6505c2f9765" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:52:01 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:33 2006 -0700" }, "message": "[XFRM]: Expand XFRM_MAX_DEPTH for route optimization.\n\nXFRM_MAX_DEPTH is a limit of transformation states to be applied to the same\nflow. Two more extension headers are used by Mobile IPv6 transformation.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dc00a525603650a1471c823a1e48c6505c2f9765", "tree": "5ea2b999a564daf2f6fb217db13859db702b4537", "parents": [ "5794708f11551b6d19b10673abf4b0202f66b44d" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 17:49:52 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:06:32 2006 -0700" }, "message": "[XFRM] STATE: Allow non IPsec protocol.\n\nIt will be added two more transformation protocols (routing header\nand destination options header) for Mobile IPv6.\nxfrm_id_proto_match() can be handle zero as all, IPSEC_PROTO_ANY as\nall IPsec and otherwise as exact one.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5794708f11551b6d19b10673abf4b0202f66b44d", "tree": "60d954e185dd80af7e6c08608fd0528cf21a5d41", "parents": [ "7e49e6de30efa716614e280d97963c570f3acf29" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Fri Sep 22 15:06:24 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Sep 22 15:06:24 2006 -0700" }, "message": "[XFRM]: Introduce a helper to compare id protocol.\n\nPut the helper to header for future use.\nBased on MIPL2 kernel patch.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "7e49e6de30efa716614e280d97963c570f3acf29", "tree": "8eaef9d40300d16a7675722e082c5d8ab2a53d40", "parents": [ "77d16f450ae0452d7d4b009f78debb1294fb435c" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Fri Sep 22 15:05:15 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Sep 22 15:05:15 2006 -0700" }, "message": "[XFRM]: Add XFRM_MODE_xxx for future use.\n\nTransformation mode is used as either IPsec transport or tunnel.\nIt is required to add two more items, route optimization and inbound trigger\nfor Mobile IPv6.\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Ville Nuorvala \u003cvnuorval@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cb969f072b6d67770b559617f14e767f47e77ece", "tree": "4112eb0182e8b3e28b42aebaa40ca25454fc6b76", "parents": [ "beb8d13bed80f8388f1a9a107d07ddd342e627e8" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:32:20 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:28 2006 -0700" }, "message": "[MLSXFRM]: Default labeling of socket specific IPSec policies\n\nThis defaults the label of socket-specific IPSec policies to be the\nsame as the socket they are set on.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "07d4ee583e21830ec5604d31f65cdc60a6eca19e", "tree": "32962ef0dd13d0d1f66b143ca5d03a88d8b9f772", "parents": [ "e9d41164e2fdd897fe4520c2079ea0000f6e0ec3" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Aug 20 14:24:50 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:46:18 2006 +1000" }, "message": "[IPSEC]: Use HMAC template and hash interface\n\nThis patch converts IPsec to use the new HMAC template. The names of\nexisting simple digest algorithms may still be used to refer to their\nHMAC composites.\n\nThe same structure can be used by other MACs such as AES-XCBC-MAC.\n\nThis patch also switches from the digest interface to hash.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "04ff12609445c7b462d7fc7f2d30dad442c922f3", "tree": "f19aff48d2e6a4c7e4bf25044c1b30ea428f4318", "parents": [ "d1806f6a97a536b043fe50e6d8a25b061755cf50" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Aug 13 08:50:00 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:46:14 2006 +1000" }, "message": "[IPSEC]: Add compatibility algorithm name support\n\nThis patch adds a compatibility name field for each IPsec algorithm. This\nis needed when parameterised algorithms are used. For example, \"md5\" will\nbecome \"hmac(md5)\", and \"aes\" will become \"cbc(aes)\".\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n" }, { "commit": "9409f38a0c8773c04bff8dda8c552d7ea013d956", "tree": "694ad993535d6dcfd479f9b5cb4faab64c12fcd7", "parents": [ "6521f30273fbec65146a0f16de74b7b402b0f7b0" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sun Aug 06 19:49:12 2006 +1000" }, "committer": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Thu Sep 21 11:16:30 2006 +1000" }, "message": "[IPSEC]: Move linux/crypto.h inclusion out of net/xfrm.h\n\nThe header file linux/crypto.h is only needed by a few files so including\nit in net/xfrm.h (which is included by half of the networking stack) is a\nwaste. This patch moves it out of net/xfrm.h and into the specific header\nfiles that actually need it.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n" }, { "commit": "73654d61e556483ad324b90989eae26b22df6ef6", "tree": "f3aee3be0e35bb6012917b71ed77301de6b39ad4", "parents": [ "31a4ab93025719e62e7cf7ce899f71c34ecde5a0" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat May 27 23:06:33 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:28:43 2006 -0700" }, "message": "[IPSEC] xfrm: Use IPPROTO_MAX instead of 256\n\nThe size of the type_map array (256) comes from the number of IP protocols,\ni.e., IPPROTO_MAX. This patch is based on a suggestion from Ingo Oeser.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b59f45d0b2878ab76f8053b0973654e6621828ee", "tree": "40dc5e2ede2620f7935fb3dae0d0eb199851f611", "parents": [ "546be2405be119ef55467aace45f337a16e5d424" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat May 27 23:05:54 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:28:39 2006 -0700" }, "message": "[IPSEC] xfrm: Abstract out encapsulation modes\n\nThis patch adds the structure xfrm_mode. It is meant to represent\nthe operations carried out by transport/tunnel modes.\n\nBy doing this we allow additional encapsulation modes to be added\nwithout clogging up the xfrm_input/xfrm_output paths.\n\nCandidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and\nBEET modes.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "546be2405be119ef55467aace45f337a16e5d424", "tree": "9b09f0041f9f82a20ab25ace3c7360e4a4b7989f", "parents": [ "9cb3528cdbffc513eb9fb8faa45d41e397355830" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat May 27 23:03:58 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jun 17 21:28:37 2006 -0700" }, "message": "[IPSEC] xfrm: Undo afinfo lock proliferation\n\nThe number of locks used to manage afinfo structures can easily be reduced\ndown to one each for policy and state respectively. This is based on the\nobservation that the write locks are only held by module insertion/removal\nwhich are very rare events so there is no need to further differentiate\nbetween the insertion of modules like ipv6 versus esp6.\n\nThe removal of the read locks in xfrm4_policy.c/xfrm6_policy.c might look\nsuspicious at first. However, after you realise that nobody ever takes\nthe corresponding write lock you\u0027ll feel better :)\n\nAs far as I can gather it\u0027s an attempt to guard against the removal of\nthe corresponding modules. Since neither module can be unloaded at all\nwe can leave it to whoever fixes up IPv6 unloading :)\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2717096ab41eacdbf07352dca6826b59470eb39a", "tree": "9282ac7ffd15bbd41f438201ef76f6deaa23c90a", "parents": [ "6c97e72a162648eaf7c401cfc139493cefa6bed2" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Fri Apr 14 15:03:05 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Fri Apr 14 15:03:05 2006 -0700" }, "message": "[XFRM]: Fix aevent timer.\n\nSend aevent immediately if we have sent nothing since last timer and\nthis is the first packet.\n\nFixes a corner case when packet threshold is very high, the timer low\nand a very low packet rate input which is bursty.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dbe5b4aaafc715b12dbbea309d3d17958d01fd65", "tree": "936518ad9d5452f5efe18e0107255eab0aafb58d", "parents": [ "e695633e21ffb6a443a8c2f8b3f095c7f1a48eb0" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat Apr 01 00:54:16 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 01 00:54:16 2006 -0800" }, "message": "[IPSEC]: Kill unused decap state structure\n\nThis patch removes the *_decap_state structures which were previously\nused to share state between input/post_input. This is no longer\nneeded.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e695633e21ffb6a443a8c2f8b3f095c7f1a48eb0", "tree": "52a679683a11eb42ec5888309a82ec5811a21e03", "parents": [ "15901dc93fa4253bfb3661644ecad67c2e83213c" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Sat Apr 01 00:52:46 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Apr 01 00:52:46 2006 -0800" }, "message": "[IPSEC]: Kill unused decap state argument\n\nThis patch removes the decap_state argument from the xfrm input hook.\nPreviously this function allowed the input hook to share state with\nthe post_input hook. The latter has since been removed.\n\nThe only purpose for it now is to check the encap type. However, it\nis easier and better to move the encap type check to the generic\nxfrm_rcv function. This allows us to get rid of the decap state\nargument altogether.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "d2acc3479cbccd5cfbca6c787be713ef1de12ec6", "tree": "aa348e19e15027db9abdd2da175a0c9055047858", "parents": [ "f0088a50e7c49d1ba285c88fe06345f223652fd3" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Tue Mar 28 01:12:13 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Mar 28 17:02:46 2006 -0800" }, "message": "[INET]: Introduce tunnel4/tunnel6\n\nBasically this patch moves the generic tunnel protocol stuff out of\nxfrm4_tunnel/xfrm6_tunnel and moves it into the new files of tunnel4.c\nand tunnel6 respectively.\n\nThe reason for this is that the problem that Hugo uncovered is only\nthe tip of the iceberg. The real problem is that when we removed the\ndependency of ipip on xfrm4_tunnel we didn\u0027t really consider the module\ncase at all.\n\nFor instance, as it is it\u0027s possible to build both ipip and xfrm4_tunnel\nas modules and if the latter is loaded then ipip simply won\u0027t load.\n\nAfter considering the alternatives I\u0027ve decided that the best way out of\nthis is to restore the dependency of ipip on the non-xfrm-specific part\nof xfrm4_tunnel. This is acceptable IMHO because the intention of the\nremoval was really to be able to use ipip without the xfrm subsystem.\nThis is still preserved by this patch.\n\nSo now both ipip/xfrm4_tunnel depend on the new tunnel4.c which handles\nthe arbitration between the two. The order of processing is determined\nby a simple integer which ensures that ipip gets processed before\nxfrm4_tunnel.\n\nThe situation for ICMP handling is a little bit more complicated since\nwe may not have enough information to determine who it\u0027s for. It\u0027s not\na big deal at the moment since the xfrm ICMP handlers are basically\nno-ops. In future we can deal with this when we look at ICMP caching\nin general.\n\nThe user-visible change to this is the removal of the TUNNEL Kconfig\nprompts. This makes sense because it can only be used through IPCOMP\nas it stands.\n\nThe addition of the new modules shouldn\u0027t introduce any problems since\nmodule dependency will cause them to be loaded.\n\nOh and I also turned some unnecessary pskb\u0027s in IPv6 related to this\npatch to skb\u0027s.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "be33690d8fcf40377f16193c463681170eb6b295", "tree": "08c7be2ba1d046fca40bbb1d3ddac789b393ecc9", "parents": [ "15d99e02babae8bc20b836917ace07d93e318149" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Mon Mar 20 22:40:54 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:40:54 2006 -0800" }, "message": "[XFRM]: Fix aevent related crash\n\nWhen xfrm_user isn\u0027t loaded xfrm_nl is NULL, which makes IPsec crash because\nxfrm_aevent_is_on passes the NULL pointer to netlink_has_listeners as socket.\nA second problem is that the xfrm_nl pointer is not cleared when the socket\nis releases at module unload time.\n\nProtect references of xfrm_nl from outside of xfrm_user by RCU, check\nthat the socket is present in xfrm_aevent_is_on and set it to NULL\nwhen unloading xfrm_user.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "4a3e2f711a00a1feb72ae12fdc749da10179d185", "tree": "76ced9d3270dea4b864da71fa1d4415d2e3c8b11", "parents": [ "d4ccd08cdfa8d34f4d25b62041343c52fc79385f" ], "author": { "name": "Arjan van de Ven", "email": "arjan@infradead.org", "time": "Mon Mar 20 22:33:17 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:33:17 2006 -0800" }, "message": "[NET] sem2mutex: net/\n\nSemaphore to mutex conversion.\n\nThe conversion was generated via scripts, and the result was validated\nautomatically via a script as well.\n\nSigned-off-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "6c5c8ca7ff20523e427b955aa84cef407934710f", "tree": "382a4b07027efd8a41638ed9c051cc9ec2506f0b", "parents": [ "53bc6b4d29c07664f3abe029b7e6878a1067899a" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:17:25 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:17:25 2006 -0800" }, "message": "[IPSEC]: Sync series - policy expires\n\nThis is similar to the SA expire insertion patch - only it inserts\nexpires for SP.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "53bc6b4d29c07664f3abe029b7e6878a1067899a", "tree": "d97fc26acc763dde9d1dc15573a51253180b617f", "parents": [ "980ebd25794f0f87ac32844e2c73e9e81f0a72ba" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:17:03 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:17:03 2006 -0800" }, "message": "[IPSEC]: Sync series - SA expires\n\nThis patch allows a user to insert SA expires. This is useful to\ndo on an HA backup for the case of byte counts but may not be very\nuseful for the case of time based expiry.\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "980ebd25794f0f87ac32844e2c73e9e81f0a72ba", "tree": "da52df6e31bd4b2527c223ca2585e0d792bf3ea2", "parents": [ "d51d081d65048a7a6f9956a7809c3bb504f3b95d" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:16:40 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:16:40 2006 -0800" }, "message": "[IPSEC]: Sync series - acquire insert\n\nThis introduces a feature similar to the one described in RFC 2367:\n\"\n ... the application needing an SA sends a PF_KEY\n SADB_ACQUIRE message down to the Key Engine, which then either\n returns an error or sends a similar SADB_ACQUIRE message up to one or\n more key management applications capable of creating such SAs.\n ...\n ...\n The third is where an application-layer consumer of security\n associations (e.g. an OSPFv2 or RIPv2 daemon) needs a security\n association.\n\n Send an SADB_ACQUIRE message from a user process to the kernel.\n\n \u003cbase, address(SD), (address(P),) (identity(SD),) (sensitivity,)\n proposal\u003e\n\n The kernel returns an SADB_ACQUIRE message to registered\n sockets.\n\n \u003cbase, address(SD), (address(P),) (identity(SD),) (sensitivity,)\n proposal\u003e\n\n The user-level consumer waits for an SADB_UPDATE or SADB_ADD\n message for its particular type, and then can use that\n association by using SADB_GET messages.\n\n \"\nAn app such as OSPF could then use ipsec KM to get keys\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f8cd54884e675dfaf0c86cc7c088adb6ca9d7638", "tree": "7850e8ebebf1f8543c96acdd7c197003b3b4d54c", "parents": [ "f5539eb8caa52a9198079df767cc1bb5494e69e3" ], "author": { "name": "Jamal Hadi Salim", "email": "hadi@cyberus.ca", "time": "Mon Mar 20 19:15:11 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 19:15:11 2006 -0800" }, "message": "[IPSEC]: Sync series - core changes\n\nThis patch provides the core functionality needed for sync events\nfor ipsec. Derived work of Krisztian KOVACS \u003chidden@balabit.hu\u003e\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "752c1f4c78fe86d0fd6497387f763306b0d8fc53", "tree": "50d7e52940d1adf0936805645d52e2419e5922cf", "parents": [ "4bf05eceecf2efb4c883e9e9b17825682e7330dd" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Mon Feb 27 13:00:40 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Feb 27 13:00:40 2006 -0800" }, "message": "[IPSEC]: Kill post_input hook and do NAT-T in esp_input directly\n\nThe only reason post_input exists at all is that it gives us the\npotential to adjust the checksums incrementally in future which\nwe ought to do.\n\nHowever, after thinking about it for a bit we can adjust the\nchecksums without using this post_input stuff at all. The crucial\npoint is that only the inner-most NAT-T SA needs to be considered\nwhen adjusting checksums. What\u0027s more, the checksum adjustment\ncomes down to a single u32 due to the linearity of IP checksums.\n\nWe just happen to have a spare u32 lying around in our skb structure :)\nWhen ip_summed is set to CHECKSUM_NONE on input, the value of skb-\u003ecsum\nis currently unused. All we have to do is to make that the checksum\nadjustment and voila, there goes all the post_input and decap structures!\n\nI\u0027ve left in the decap data structures for now since it\u0027s intricately\nwoven into the sec_path stuff. We can kill them later too.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "21380b81ef8699179b535e197a95b891a7badac7", "tree": "1a6be9864cabbed59db6357b2f0244413acac4c4", "parents": [ "85259878499d6c428cba191bb4e415a250dcd75a" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Wed Feb 22 14:47:13 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Feb 23 16:10:53 2006 -0800" }, "message": "[XFRM]: Eliminate refcounting confusion by creating __xfrm_state_put().\n\nWe often just do an atomic_dec(\u0026x-\u003erefcnt) on an xfrm_state object\nbecause we know there is more than 1 reference remaining and thus\nwe can elide the heavier xfrm_state_put() call.\n\nDo this behind an inline function called __xfrm_state_put() so that is\nmore obvious and also to allow us to more cleanly add refcount\ndebugging later.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "48d5cad87c3a4998d0bda16ccfb5c60dfe4de5fb", "tree": "bfad91af72f4c522a44bab6133b540cda365d8c1", "parents": [ "5ecfbae093f0c37311e89b29bfc0c9d586eace87" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Wed Feb 15 15:10:22 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Feb 15 15:10:22 2006 -0800" }, "message": "[XFRM]: Fix SNAT-related crash in xfrm4_output_finish\n\nWhen a packet matching an IPsec policy is SNATed so it doesn\u0027t match any\npolicy anymore it looses its xfrm bundle, which makes xfrm4_output_finish\ncrash because of a NULL pointer dereference.\n\nThis patch directs these packets to the original output path instead. Since\nthe packets have already passed the POST_ROUTING hook, but need to start at\nthe beginning of the original output path which includes another\nPOST_ROUTING invocation, a flag is added to the IPCB to indicate that the\npacket was rerouted and doesn\u0027t need to pass the POST_ROUTING hook again.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "5c901daaea3be0d900b3ae1fc9b5f64ff94e4f02", "tree": "7532b280d892bab7fd9af98b02a3f81929ddca5d", "parents": [ "4e8e9de7c25315669e2d5565acc50ec379522c28" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Fri Jan 06 23:05:36 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jan 07 12:57:35 2006 -0800" }, "message": "[NETFILTER]: Redo policy lookups after NAT when neccessary\n\nWhen NAT changes the key used for the xfrm lookup it needs to be done\nagain. If a new policy is returned in POST_ROUTING the packet needs\nto be passed to xfrm4_output_one manually after all hooks were called\nbecause POST_ROUTING is called with fixed okfn (ip_finish_output).\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "3e3850e989c5d2eb1aab6f0fd9257759f0f4cbc6", "tree": "fa05d1de4767bc30e77442ffbacfe8bd8dd2213d", "parents": [ "8cdfab8a43bb4b3da686ea503a702cb6f9f6a803" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Fri Jan 06 23:04:54 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jan 07 12:57:33 2006 -0800" }, "message": "[NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder\n\nip_route_me_harder doesn\u0027t use the port numbers of the xfrm lookup and\nuses ip_route_input for non-local addresses which doesn\u0027t do a xfrm\nlookup, ip6_route_me_harder doesn\u0027t do a xfrm lookup at all.\n\nUse xfrm_decode_session and do the lookup manually, make sure both\nonly do the lookup if the packet hasn\u0027t been transformed already.\n\nMakeing sure the lookup only happens once needs a new field in the\nIP6CB, which exceeds the size of skb-\u003ecb. The size of skb-\u003ecb is\nincreased to 48b. Apparently the IPv6 mobile extensions need some\nmore room anyway.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "951dbc8ac714b04c36296b8b5c36c8e036ce433f", "tree": "7f3599987f6b6db765f66c65d5c1cefe1457ea6a", "parents": [ "16a6677fdf1d1194f688f8291b06fbaff248c353" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Fri Jan 06 23:02:34 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Jan 07 12:57:29 2006 -0800" }, "message": "[IPV6]: Move nextheader offset to the IP6CB\n\nMove nextheader offset to the IP6CB to make it possible to pass a\npacket to ip6_input_finish multiple times and have it skip already\nparsed headers. As a nice side effect this gets rid of the manual\nhopopts skipping in ip6_input_finish.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "14c850212ed8f8cbb5972ad6b8812e08a0bc901c", "tree": "53c88f03e7bbac4064f6e80d462ad484ee038326", "parents": [ "25995ff577675b58dbd848b7758e7bad87411947" ], "author": { "name": "Arnaldo Carvalho de Melo", "email": "acme@mandriva.com", "time": "Tue Dec 27 02:43:12 2005 -0200" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:11:21 2006 -0800" }, "message": "[INET_SOCK]: Move struct inet_sock \u0026 helper functions to net/inet_sock.h\n\nTo help in reducing the number of include dependencies, several files were\ntouched as they were getting needed headers indirectly for stuff they use.\n\nThanks also to Alan Menegotto for pointing out that net/dccp/proto.c had\nlinux/dccp.h include twice.\n\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@mandriva.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f", "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1", "parents": [ "88026842b0a760145aa71d69e74fbc9ec118ca44" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:27 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:24 2006 -0800" }, "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association. Such access\ncontrols augment the existing ones based on network interface and IP\naddress. The former are very coarse-grained, and the latter can be\nspoofed. By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools). This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal. The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools. ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts. These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface. Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "399c180ac5f0cb66ef9479358e0b8b6bafcbeafe", "tree": "4014154b7800e96058d94f78dc34a53681e8d5e5", "parents": [ "9e999993c71e1506378d26d81f842277aff8a250" ], "author": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Dec 19 14:23:23 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Dec 19 14:23:23 2005 -0800" }, "message": "[IPSEC]: Perform SA switchover immediately.\n\nWhen we insert a new xfrm_state which potentially\nsubsumes an existing one, make sure all cached\nbundles are flushed so that the new SA is used\nimmediately.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "dd0fc66fb33cd610bc1a5db8a5e232d34879b4d7", "tree": "51f96a9db96293b352e358f66032e1f4ff79fafb", "parents": [ "3b0e77bd144203a507eb191f7117d2c5004ea1de" ], "author": { "name": "Al Viro", "email": "viro@ftp.linux.org.uk", "time": "Fri Oct 07 07:46:04 2005 +0100" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sat Oct 08 15:00:57 2005 -0700" }, "message": "[PATCH] gfp flags annotations - part 1\n\n - added typedef unsigned int __nocast gfp_t;\n\n - replaced __nocast uses for gfp flags with gfp_t - it gives exactly\n the same warnings as far as sparse is concerned, doesn\u0027t change\n generated code (from gcc point of view we replaced unsigned int with\n typedef) and documents what\u0027s going on far better.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "77d8d7a6848c81084f413e1ec4982123a56e2ccb", "tree": "37a160b0b5fcb8a079bcafec5091fd331e14d54c", "parents": [ "140e26fcd559f6988e5a9056385eecade19d9b49" ], "author": { "name": "Herbert Xu", "email": "herbert@gondor.apana.org.au", "time": "Wed Oct 05 12:15:12 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 05 12:15:12 2005 -0700" }, "message": "[IPSEC]: Document that policy direction is derived from the index.\n\nHere is a patch that adds a helper called xfrm_policy_id2dir to\ndocument the fact that the policy direction can be and is derived\nfrom the index.\n\nThis is based on a patch by YOSHIFUJI Hideaki and 210313105@suda.edu.cn.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "83fa3400ebcba307a60909824a251be984eb9567", "tree": "b01c3eaabd156ba75ec41bea0be3d73fd066713c", "parents": [ "3d2aef668920e8d93b77f145f8f647f62abe75db" ], "author": { "name": "Randy Dunlap", "email": "rdunlap@xenotime.net", "time": "Tue Oct 04 22:45:35 2005 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Oct 04 22:45:35 2005 -0700" }, "message": "[XFRM]: fix sparse gfp nocast warnings\n\nFix implicit nocast warnings in xfrm code:\nnet/xfrm/xfrm_policy.c:232:47: warning: implicit cast to nocast type\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" } ], "next": "0742fd53a3774781255bd1e471e7aa2e4a82d5f7" }