New commits:
commit 25b7528c0a217dec19c63e096b7a5d7e794fc6a8
Author: Antony Antony <[email protected]>
Date: Wed Jun 28 09:47:18 2017 +0000
pluto: change order of including libreswan.h
This is a tricky workaround. The previous order breaks on F22; works on
F25, CentOS 6 & 7.
The cause is updating xfrm.h with
15e318b xfrm: simplify xfrm_address_t use
commit 301514e41a3778ea9225f1211b9cda4064e0b192
Merge: 4c688af 8a86f5f
Author: Antony Antony <[email protected]>
Date: Tue Jun 27 22:24:27 2017 +0200
Merge branch 'xfrm.h'
Update local copy of programs/pluto/linux26/xfrm.h
from linux mainline include/uapi/linux/xfrm.h
With full commit message, commit ids are here.
d77e38e xfrm: Add an IPsec hardware offloading API
34a3d4b xfrm: fix header file comment reference to struct xfrm_replay_state_esn
de95c4a xfrm: align nlattr properly when needed
15e318b xfrm: simplify xfrm_address_t use
880a6fa xfrm: configure policy hash table thresholds by netlink
870a2df xfrm: rename struct xfrm_filter
d362309 ipsec: add support of limited SA dump
a947b0a xfrm: allow to avoid copying DSCP during encapsulation
commit 8a86f5f29eb155c3daa4872e6f35d14b12ec32e9
Author: Steffen Klassert <[email protected]>
Date: Fri Apr 14 10:06:10 2017 +0200
xfrm: Add an IPsec hardware offloading API
This patch adds all the bits that are needed to do
IPsec hardware offload for IPsec states and ESP packets.
We add xfrmdev_ops to the net_device. xfrmdev_ops has
function pointers that are needed to manage the xfrm
states in the hardware and to do a per packet
offloading decision.
Joint work with:
Ilan Tayari <[email protected]>
Guy Shapiro <[email protected]>
Yossi Kuperman <[email protected]>
Signed-off-by: Guy Shapiro <[email protected]>
Signed-off-by: Ilan Tayari <[email protected]>
Signed-off-by: Yossi Kuperman <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit e6e36fd2a14ddf3e2976f0748e8314fa9b0e85c5
Author: Richard Guy Briggs <[email protected]>
Date: Thu Sep 8 13:55:56 2016 -0400
xfrm: fix header file comment reference to struct xfrm_replay_state_esn
Reported-by: Paul Wouters <[email protected]>
Signed-off-by: Richard Guy Briggs <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit d710c389097430ef2f14ff16e7e794eae390a12b
Author: Nicolas Dichtel <[email protected]>
Date: Fri Apr 22 17:31:23 2016 +0200
xfrm: align nlattr properly when needed
Signed-off-by: Nicolas Dichtel <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit 07a01d3b19ef10d4c06af20d6041d20f3f8ee926
Author: Jiri Benc <[email protected]>
Date: Sun Mar 29 16:59:24 2015 +0200
xfrm: simplify xfrm_address_t use
In many places, the a6 field is typecasted to struct in6_addr. As the
fields are in union anyway, just add in6_addr type to the union and
get rid of the typecasting.
Modifying the uapi header is okay, the union has still the same size.
Signed-off-by: Jiri Benc <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit f18a7b9595ecb9b58d1344253752455e596de8a5
Author: Christophe Gouault <[email protected]>
Date: Fri Aug 29 16:16:05 2014 +0200
xfrm: configure policy hash table thresholds by netlink
Enable specifying local and remote prefix length thresholds for the
policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
Prefix length thresholds are specified by the XFRMA_SPD_IPV4_HTHRESH and
XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
Example:
    struct xfrmu_spdhthresh thresh4 = {
        .lbits = 0,
        .rbits = 24,
    };
    struct xfrmu_spdhthresh thresh6 = {
        .lbits = 0,
        .rbits = 56,
    };
    struct nlmsghdr *hdr;
    struct nl_msg *msg;

    msg = nlmsg_alloc();
    /* The message type is XFRM_MSG_NEWSPDINFO; the thresholds are attributes. */
    hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRM_MSG_NEWSPDINFO,
                    sizeof(__u32), NLM_F_REQUEST);
    nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
    nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
    /* sk is an already connected NETLINK_XFRM socket (struct nl_sock *) */
    nl_send_auto(sk, msg);
The numbers are the policy selector minimum prefix lengths to put a
policy in the hash table.
- lbits is the local threshold (source address for out policies,
destination address for in and fwd policies).
- rbits is the remote threshold (destination address for out
policies, source address for in and fwd policies).
The default values are:
XFRMA_SPD_IPV4_HTHRESH: 32 32
XFRMA_SPD_IPV6_HTHRESH: 128 128
Dynamic re-building of the SPD is performed when the threshold values
are changed.
The current thresholds can be read via an XFRM_MSG_GETSPDINFO request:
the kernel replies to XFRM_MSG_GETSPDINFO requests by an
XFRM_MSG_NEWSPDINFO message, with both attributes
XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
Signed-off-by: Christophe Gouault <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit 0bc2a5ecfcd1aa722776cee32c88b4ce36cbe228
Author: Nicolas Dichtel <[email protected]>
Date: Thu Mar 6 18:24:29 2014 +0100
xfrm: rename struct xfrm_filter
iproute2 already defines a structure with that name, let's use another one to
avoid any conflict.
CC: Stephen Hemminger <[email protected]>
Signed-off-by: Nicolas Dichtel <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit 86c6cc88eb36cbb9aa5fdd1175baf3fe20adb1d6
Author: Nicolas Dichtel <[email protected]>
Date: Fri Feb 14 15:30:36 2014 +0100
ipsec: add support of limited SA dump
The goal of this patch is to allow userland to dump only a part of SA by
specifying a filter during the dump.
The kernel is in charge to filter SA, this avoids to generate useless netlink
traffic (it also saves some CPU cycles). This is particularly useful when there
is a big number of SA set on the system.
Note that I removed the union in struct xfrm_state_walk to fix a problem on arm.
struct netlink_callback->args is defined as an array of 6 long and the first long
is used in xfrm code to flag the cb as initialized. Hence, we must have:
sizeof(struct xfrm_state_walk) <= sizeof(long) * 5.
With the union, it was false on arm (sizeof(struct xfrm_state_walk) was
sizeof(long) * 7), due to the padding.
In fact, whatever the arch is, this union seems useless, there will be always
padding after it. Removing it will not increase the size of this struct (and
reduce it on arm).
Signed-off-by: Nicolas Dichtel <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
commit 7b45023a96b02646ee87f816cea7093f38d867aa
Author: Nicolas Dichtel <[email protected]>
Date: Fri Feb 22 10:54:54 2013 +0100
xfrm: allow to avoid copying DSCP during encapsulation
By default, DSCP is copied during encapsulation.
Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
different DSCP may get reordered relative to each other in the network and then
dropped by the remote IPsec GW if the reordering becomes too big compared to the
replay window.
It is possible to avoid this copy with netfilter rules, but it's very convenient
to be able to configure it for each SA directly.
This patch adds a toggle for this purpose. By default, it's not set to maintain
backward compatibility.
Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.
Signed-off-by: Nicolas Dichtel <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
_______________________________________________
Swan-commit mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-commit
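
Added example (not code from libreswan or from the kernel commits listed above): a C program that applies the threshold rule described in the "xfrm: configure policy hash table thresholds by netlink" message, including the local/remote mapping per policy direction. The enum, struct and function names and the sample SPD are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins defined for this example; not kernel identifiers. */
enum policy_dir { DIR_IN, DIR_OUT, DIR_FWD };
struct hthresh { uint8_t lbits, rbits; };  /* fields as in struct xfrmu_spdhthresh */
struct selector { enum policy_dir dir; uint8_t prefixlen_s, prefixlen_d; };

static const struct hthresh DEFAULT_V4 = { 32, 32 };  /* default from the commit message */
static const struct hthresh EXAMPLE_V4 = { 0, 24 };   /* thresh4 from the commit message */
/* Constructed sample SPD: local /16 behind the gateway, remote /24 and /20 sites. */
static const struct selector sample_spd[] = {
    { DIR_OUT, 16, 24 }, { DIR_IN, 24, 16 }, { DIR_FWD, 24, 16 },
    { DIR_OUT, 32, 32 }, { DIR_IN, 32, 32 }, { DIR_OUT, 16, 20 },
};

/* A threshold is a prefix length, so it cannot exceed the address width. */
bool hthresh_valid(struct hthresh t, uint8_t addr_bits)
{
    return t.lbits <= addr_bits && t.rbits <= addr_bits;
}

/* Map local/remote onto source/destination for the direction, then require
 * both selector prefixes to be at least as long as their threshold. */
bool policy_is_hashed(struct selector p, struct hthresh t)
{
    bool out = (p.dir == DIR_OUT);
    uint8_t sbits = out ? t.lbits : t.rbits;  /* out: source is local */
    uint8_t dbits = out ? t.rbits : t.lbits;  /* in, fwd: destination is local */
    return p.prefixlen_s >= sbits && p.prefixlen_d >= dbits;
}

/* Count the policies that are not put in the hash table. */
size_t count_unhashed(const struct selector *p, size_t n, struct hthresh t)
{
    size_t misses = 0;
    for (size_t i = 0; i < n; i++)
        misses += !policy_is_hashed(p[i], t);
    return misses;
}

int main(void)
{
    size_t n = sizeof(sample_spd) / sizeof(sample_spd[0]);
    printf("default 32/32: %zu of %zu not hashed\n", count_unhashed(sample_spd, n, DEFAULT_V4), n);
    printf("thresh4 0/24:  %zu of %zu not hashed\n", count_unhashed(sample_spd, n, EXAMPLE_V4), n);
    return 0;
}
```

With the default thresholds only the host-to-host policies in the sample are hashed; with the 0/24 thresholds only the policy whose remote prefix is /20 stays out of the hash table.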