)]}' { "log": [ { "commit": "52479b623d3d41df84c499325b6a8c7915413032", "tree": "196f303f296b53dc89a05954d9c03226a9b4158b", "parents": [ "cdcbca7c1f1946758cfacb69bc1c7eeaccb11e2d" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Tue Nov 25 17:35:18 2008 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 25 17:35:18 2008 -0800" }, "message": "netns xfrm: lookup in netns\n\nPass netns to xfrm_lookup()/__xfrm_lookup(). For that pass netns\nto flow_cache_lookup() and resolver callback.\n\nTake it from socket or netdevice. Stub DECnet to init_net.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "a210d01ae3ee006b59e54e772a7f212486e0f021", "tree": "ceea5f8de75e70b13641f340e3b13a125a52567a", "parents": [ "4edd87ad5cad8e159e0db3ce3131b3d97219c9cd" ], "author": { "name": "Julian Anastasov", "email": "ja@ssi.bg", "time": "Wed Oct 01 07:28:28 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Oct 01 07:28:28 2008 -0700" }, "message": "ipv4: Loosen source address check on IPv4 output\n\nip_route_output() contains a check to make sure that no flows with\nnon-local source IP addresses are routed. This obviously makes using\nsuch addresses impossible.\n\nThis patch introduces a flowi flag which makes omitting this check\npossible. The new flag provides a way of handling transparent and\nnon-transparent connections differently.\n\nSigned-off-by: Julian Anastasov \u003cja@ssi.bg\u003e\nSigned-off-by: KOVACS Krisztian \u003chidden@sch.bme.hu\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "95c3e8bfcdea8676e2d4d61910c379f4502049bf", "tree": "e6382fa937467903916ee113754d50f0c71e718e", "parents": [ "2f751b67a8be698cec52f786910ef4f0beffe9a7" ], "author": { "name": "Rami Rosen", "email": "ramirose@gmail.com", "time": "Tue Aug 05 01:19:50 2008 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Aug 05 01:19:50 2008 -0700" }, "message": "ipv4: remove unused field in struct flowi (include/net/flow.h).\n\nThis patch removes an unused field (flags) from struct flowi; it seems\nthat this \"flags\" field was used once in the past for multipath\nrouting with FLOWI_FLAG_MULTIPATHOLDROUTE flag (which does no longer\nexist); however, the \"flags\" field of struct flowi is not used\nanymore.\n\nSigned-off-by: Rami Rosen \u003cramirose@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "61f1ab41b8ede8e2a26c349a4e3372100545c5ec", "tree": "f7c5918363b8020d43a11972a7bd2951200457c0", "parents": [ "95766fff6b9a78d11fc2d3812dd035381690b55d" ], "author": { "name": "Rami Rosen", "email": "ramirose@gmail.com", "time": "Mon Dec 31 04:22:09 2007 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Jan 28 15:00:20 2008 -0800" }, "message": "[IPV4]: Remove unused multipath cached routing defintion in net/flow.h\n\nSigned-off-by: Rami Rosen \u003cramirose@gmail.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "136ebf08b46f839e2dc9db34322b654e5d9b9936", "tree": "6a38a3c546def150ff73effcf4afd9c55881f49c", "parents": [ "2371baa4bdab3268b32009926f75e7a5d3a41506" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Tue Jun 26 23:51:41 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jul 10 22:15:41 2007 -0700" }, "message": "[IPV6] MIP6: Kill unnecessary ifdefs.\n\nKill unnecessary CONFIG_IPV6_MIP6.\n\no It is redundant for RAW socket to keep MH out with the config then\n it can handle any protocol.\no Clean-up at AH.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "157bfc25020f7eb731f94140e099307ade47299e", "tree": "422821e5233daf0d8347ac361f09be9f49b43de4", "parents": [ "34588b4c046c34773e5a1a962da7b78b05c4d1bd" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Mon Apr 30 00:33:35 2007 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Mon Apr 30 00:58:09 2007 -0700" }, "message": "[XFRM]: Restrict upper layer information by bundle.\n\nOn MIPv6 usage, XFRM sub policy is enabled.\nWhen main (IPsec) and sub (MIPv6) policy selectors have the same\naddress set but different upper layer information (i.e. protocol\nnumber and its ports or type/code), multiple bundle should be created.\nHowever, currently we have issue to use the same bundle created for\nthe first time with all flows covered by the case.\n\nIt is useful for the bundle to have the upper layer information\nto be restructured correctly if it does not match with the flow.\n\n1. Bundle was created by two policies\nSelector from another policy is added to xfrm_dst.\nIf the flow does not match the selector, it goes to slow path to\nrestructure new bundle by single policy.\n\n2. Bundle was created by one policy\nFlow cache is added to xfrm_dst as originated one. If the flow does\nnot match the cache, it goes to slow path to try searching another\npolicy.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "47dcf0cb1005e86d0eea780f2984b2e7490f63cd", "tree": "1a56767a77e219fab54ab1daf34342745f6d62a8", "parents": [ "82e91ffef60e6eba9848fe149ce1eecd2b5aef12" ], "author": { "name": "Thomas Graf", "email": "tgraf@suug.ch", "time": "Thu Nov 09 15:20:38 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:39 2006 -0800" }, "message": "[NET]: Rethink mark field in struct flowi\n\nNow that all protocols have been made aware of the mark\nfield it can be moved out of the union thus simplyfing\nits usage.\n\nThe config options in the IPv4/IPv6/DECnet subsystems\nto enable respectively disable mark based routing only\nobfuscate the code with ifdefs, the cost for the\nadditional comparison in the flow key is insignificant,\nand most distributions have all these options enabled\nby default anyway. Therefore it makes sense to remove\nthe config options and enable mark based routing by\ndefault.\n\nSigned-off-by: Thomas Graf \u003ctgraf@suug.ch\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "90bcaf7b4a33bb9b100cc06869f0c033a870d4a0", "tree": "fb8307b99fd9779d17fdfb0c35d836a8438d424a", "parents": [ "92d9ece7af9c84bfbd1ff640926fac5b573a09f7" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Nov 08 00:25:17 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Sat Dec 02 21:21:21 2006 -0800" }, "message": "[IPV6]: flowlabels are net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "185b1aa122f87052d9154bb74990bc785372a750", "tree": "db94766ebe19f43486dde50851d1286de0825105", "parents": [ "375216ad0c303adeed45281ce82e153d41de679a" ], "author": { "name": "Eric Dumazet", "email": "dada1@cosmosbay.com", "time": "Sat Oct 21 20:24:01 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Oct 21 20:24:01 2006 -0700" }, "message": "[NET]: Reduce sizeof(struct flowi) by 20 bytes.\n\nAs suggested by David, just kill off some unused fields in dnports to\nreduce sizef(struct flowi). If they come back, they should be moved to\nnl_u.dn_u in order not to enlarge again struct flowi\n\n[ Modified to really delete this stuff instead of using #if 0. -DaveM ]\n\nSigned-off-by: Eric Dumazet \u003cdada1@cosmosbay.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "134b0fc544ba062498451611cb6f3e4454221b3d", "tree": "84120e405d2bc7112b971fc82b718ae23991351b", "parents": [ "388b24057f90ba109d4bf855006a8809c383eb76" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 05 15:42:27 2006 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Wed Oct 11 23:59:34 2006 -0700" }, "message": "IPsec: propagate security module errors up from flow_cache_lookup\n\nWhen a security module is loaded (in this case, SELinux), the\nsecurity_xfrm_policy_lookup() hook can return an access denied permission\n(or other error). We were not handling that correctly, and in fact\ninverting the return logic and propagating a false \"ok\" back up to\nxfrm_lookup(), which then allowed packets to pass as if they were not\nassociated with an xfrm policy.\n\nThe way I was seeing the problem was when connecting via IPsec to a\nconfined service on an SELinux box (vsftpd), which did not have the\nappropriate SELinux policy permissions to send packets via IPsec.\n\nThe first SYNACK would be blocked, because of an uncached lookup via\nflow_cache_lookup(), which would fail to resolve an xfrm policy because\nthe SELinux policy is checked at that point via the resolver.\n\nHowever, retransmitted SYNACKs would then find a cached flow entry when\ncalling into flow_cache_lookup() with a null xfrm policy, which is\ninterpreted by xfrm_lookup() as the packet not having any associated\npolicy and similarly to the first case, allowing it to pass without\ntransformation.\n\nThe solution presented here is to first ensure that errno values are\ncorrectly propagated all the way back up through the various call chains\nfrom security_xfrm_policy_lookup(), and handled correctly.\n\nThen, flow_cache_lookup() is modified, so that if the policy resolver\nfails (typically a permission denied via the security module), the flow\ncache entry is killed rather than having a null policy assigned (which\nindicates that the packet can pass freely). This also forces any future\nlookups for the same flow to consult the security module (e.g. SELinux)\nfor current security policy (rather than, say, caching the error on the\nflow cache entry).\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4324a174304d1d826582be5422a976e09d2b1e63", "tree": "b1d0b1e47e09901ca94419ec94cb31acc542baf1", "parents": [ "9916ecb0a6f52f1475fa2f71845227d3c75fb40c" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:49:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:43 2006 -0700" }, "message": "[XFRM]: fl_ipsec_spi is net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "cc939d37349bf82891bd1f4558284d7fafe7acb2", "tree": "0abc4445a7cd2077c84dde0d9b28af3f99269cf7", "parents": [ "2816e1284a2db03ad5e205bab4eacbc5f7d4f991" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Wed Sep 27 18:33:22 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 18:02:07 2006 -0700" }, "message": "[NET]: ip ports in struct flowi are net-endian\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "f2c3fe24119ee4f8faca08699f0488f500014a27", "tree": "7f1d1e4a80f3b9f345a5339bc7370ad187132a55", "parents": [ "8c7bc84085135d5cc87e9fc6802d3c7bbbb40ef5" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Tue Sep 26 21:26:42 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Thu Sep 28 17:54:05 2006 -0700" }, "message": "[IPV4]: annotate ipv4 addresses in struct rtable and struct flowi\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "75bff8f023e02b045a8f68f36fa7da98dca124b8", "tree": "e476cdbadcb6386d1f2dcbc6d637800261984375", "parents": [ "2cc67cc731d9b693a08e781e98fec0e3a6d6ba44" ], "author": { "name": "YOSHIFUJI Hideaki", "email": "yoshfuji@linux-ipv6.org", "time": "Mon Aug 21 19:22:01 2006 +0900" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:18:00 2006 -0700" }, "message": "[IPV6] ROUTE: Routing by FWMARK.\n\nBased on patch by Jean Lorchat \u003clorchat@sfc.wide.ad.jp\u003e.\n\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\n" }, { "commit": "2b741653b6c824fe7520ee92b6795f11c5f24b24", "tree": "eea6f085896ad74e53aa44c00f1b004775e5ef83", "parents": [ "e23c7194a8a21e96b99106bdabde94614c4b84d6" ], "author": { "name": "Masahide NAKAMURA", "email": "nakam@linux-ipv6.org", "time": "Wed Aug 23 20:34:26 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 15:07:00 2006 -0700" }, "message": "[IPV6] MIP6: Add Mobility header definition.\n\nAdd Mobility header definition for Mobile IPv6.\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Antti Tuominen \u003canttit@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "e0d1caa7b0d5f02e4f34aa09c695d04251310c6c", "tree": "bf023c17abf6813f2694ebf5fafff82edd6a1023", "parents": [ "b6340fcd761acf9249b3acbc95c4dc555d9beb07" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:29:07 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:24 2006 -0700" }, "message": "[MLSXFRM]: Flow based matching of xfrm policy and state\n\nThis implements a seemless mechanism for xfrm policy selection and\nstate matching based on the flow sid. This also includes the necessary\nSELinux enforcement pieces.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "b6340fcd761acf9249b3acbc95c4dc555d9beb07", "tree": "d7691da37f840833dae9a14bacd4b657101f5c79", "parents": [ "892c141e62982272b9c738b5520ad0e5e1ad7b42" ], "author": { "name": "Venkat Yekkirala", "email": "vyekkirala@TrustedCS.com", "time": "Mon Jul 24 23:28:37 2006 -0700" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Fri Sep 22 14:53:23 2006 -0700" }, "message": "[MLSXFRM]: Add security sid to flowi\n\nThis adds security to flow key for labeling of flows as also to allow\nfor making flow cache lookups based on the security label seemless.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "c4ea94ab3710eb2434abe2eab1a479c2dc01f8ac", "tree": "72e07ca7d2d5fe2de31b3f5a4e64fa411efdf18d", "parents": [ "2c7946a7bf45ae86736ab3b43d0085e43947945c" ], "author": { "name": "Steven Whitehouse", "email": "steve@chygwyn.com", "time": "Mon Mar 20 22:42:39 2006 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Mon Mar 20 22:42:39 2006 -0800" }, "message": "[DECnet]: Endian annotation and fixes for DECnet.\n\nThe typedef for dn_address has been removed in favour of using __le16\nor __u16 directly as appropriate. All the DECnet header files are\nupdated accordingly.\n\nThe byte ordering of dn_eth2dn() and dn_dn2eth() are both changed\nsince just about all their callers wanted network order rather than\nhost order, so the conversion is now done in the functions themselves.\n\nSeveral missed endianess conversions have been picked up during the\nconversion process. The nh_gw field in struct dn_fib_info has been\nchanged from a 32 bit field to 16 bits as it ought to be.\n\nOne or two cases of using htons rather than dn_htons in the routing\ncode have been found and fixed.\n\nThere are still a few warnings to fix, but this patch deals with the\nimportant cases.\n\nSigned-off-by: Steven Whitehouse \u003csteve@chygwyn.com\u003e\nSigned-off-by: Patrick Caulfield \u003cpatrick@tykepenguin.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f", "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1", "parents": [ "88026842b0a760145aa71d69e74fbc9ec118ca44" ], "author": { "name": "Trent Jaeger", "email": "tjaeger@cse.psu.edu", "time": "Tue Dec 13 23:12:27 2005 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@sunset.davemloft.net", "time": "Tue Jan 03 13:10:24 2006 -0800" }, "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets. Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association. Such access\ncontrols augment the existing ones based on network interface and IP\naddress. The former are very coarse-grained, and the latter can be\nspoofed. By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools). This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal. The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools. ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts. These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface. Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d", "parents": [], "author": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@ppc970.osdl.org", "time": "Sat Apr 16 15:20:36 2005 -0700" }, "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n" } ] }