[PATCH ipsec] xfrm: Ignore socket policies when rebuilding hash tables

2016-07-29 Tobias Brunner
and sets thresholds seemingly before installing any socket policies. Fixes: 53c2e285f970 ("xfrm: Do not hash socket policies") Signed-off-by: Tobias Brunner <tob...@strongswan.org> --- net/xfrm/xfrm_policy.c | 4 1 file changed, 4 insertions(+) diff --git a/net/xfrm/xfrm_

[PATCH v2 net] macsec: Fix header length if SCI is added if explicitly disabled

2016-10-24 Tobias Brunner
Signed-off-by: Tobias Brunner <tob...@strongswan.org> --- drivers/net/macsec.c | 26 ++ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 3ea47f28e143..d2e61e002926 100644 --- a/drivers/net/macsec.c +++ b/driv

Re: [PATCH net] macsec: Fix header length if SCI is added if explicitly disabled

2016-10-24 Tobias Brunner
> [snip] >> @@ -440,12 +448,12 @@ static void macsec_fill_sectag(struct >> macsec_eth_header *h, >> const struct macsec_secy *secy, u32 pn) >> { >> const struct macsec_tx_sc *tx_sc = >tx_sc; >> +bool sci_present = send_sci(secy); > > You're already computing

[PATCH net] macsec: Fix header length if SCI is added if explicitly disabled

2016-10-21 Tobias Brunner
in the packet, while the SC flag in the TCI field of the Security Tag was still set, resulting in invalid MACsec frames. Signed-off-by: Tobias Brunner <tob...@strongswan.org> --- drivers/net/macsec.c | 22 -- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/d

[PATCH net 1/2] esp4: Fix integrity verification when ESN are used

2016-11-29 Tobias Brunner
When handling inbound packets, the two halves of the sequence number stored on the skb are already in network order. Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface") Signed-off-by: Tobias Brunner <tob...@strongswan.org> --- net/ipv4/esp4.c | 2 +- 1 file changed, 1

[PATCH net 2/2] esp6: Fix integrity verification when ESN are used

2016-11-29 Tobias Brunner
When handling inbound packets, the two halves of the sequence number stored on the skb are already in network order. Fixes: 000ae7b2690e ("esp6: Switch to new AEAD interface") Signed-off-by: Tobias Brunner <tob...@strongswan.org> --- net/ipv6/esp6.c | 2 +- 1 file changed, 1

[PATCH net-next] ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT

2017-12-21 Tobias Brunner
If SNAT modifies the source address the resulting packet might match an IPsec policy, reinject the packet if that's the case. The exact same thing is already done for IPv4. Signed-off-by: Tobias Brunner <tob...@strongswan.org> --- net/ipv6/ip6_output.c | 8 1 file changed, 8 inse