[Swan-commit] Changes to ref refs/heads/master

Antony Antony antony at vault.libreswan.fi
Wed Jun 28 16:47:14 UTC 2017


New commits:
commit 25b7528c0a217dec19c63e096b7a5d7e794fc6a8
Author: Antony Antony <antony at phenome.org>
Date:   Wed Jun 28 09:47:18 2017 +0000

    pluto: change order of including libreswan.h
    
    This is a tricky workaround. The previous order breaks on F22; works on
    F25, CentOS 6 & 7.
    The cause is updating xfrm.h with
    15e318b xfrm: simplify xfrm_address_t use

commit 301514e41a3778ea9225f1211b9cda4064e0b192
Merge: 4c688af 8a86f5f
Author: Antony Antony <antony at phenome.org>
Date:   Tue Jun 27 22:24:27 2017 +0200

    Merge branch 'xfrm.h'
    
    Update local copy of programs/pluto/linux26/xfrm.h
    from linux mainline include/uapi/linux/xfrm.h
    With full commit message, commit ids are here.
    
    d77e38e xfrm: Add an IPsec hardware offloading API
    34a3d4b xfrm: fix header file comment reference to struct xfrm_replay_state_esn
    de95c4a xfrm: align nlattr properly when needed
    15e318b xfrm: simplify xfrm_address_t use
    880a6fa xfrm: configure policy hash table thresholds by netlink
    870a2df xfrm: rename struct xfrm_filter
    d362309 ipsec: add support of limited SA dump
    a947b0a xfrm: allow to avoid copying DSCP during encapsulation

commit 8a86f5f29eb155c3daa4872e6f35d14b12ec32e9
Author: Steffen Klassert <steffen.klassert at secunet.com>
Date:   Fri Apr 14 10:06:10 2017 +0200

    xfrm: Add an IPsec hardware offloading API
    
    This patch adds all the bits that are needed to do
    IPsec hardware offload for IPsec states and ESP packets.
    We add xfrmdev_ops to the net_device. xfrmdev_ops has
    function pointers that are needed to manage the xfrm
    states in the hardware and to do a per packet
    offloading decision.
    
    Joint work with:
    Ilan Tayari <ilant at mellanox.com>
    Guy Shapiro <guysh at mellanox.com>
    Yossi Kuperman <yossiku at mellanox.com>
    
    Signed-off-by: Guy Shapiro <guysh at mellanox.com>
    Signed-off-by: Ilan Tayari <ilant at mellanox.com>
    Signed-off-by: Yossi Kuperman <yossiku at mellanox.com>
    Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit e6e36fd2a14ddf3e2976f0748e8314fa9b0e85c5
Author: Richard Guy Briggs <rgb at tricolour.ca>
Date:   Thu Sep 8 13:55:56 2016 -0400

    xfrm: fix header file comment reference to struct xfrm_replay_state_esn
    
    Reported-by: Paul Wouters <paul at nohats.ca>
    Signed-off-by: Richard Guy Briggs <rgb at tricolour.ca>
    Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit d710c389097430ef2f14ff16e7e794eae390a12b
Author: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Date:   Fri Apr 22 17:31:23 2016 +0200

    xfrm: align nlattr properly when needed
    
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit 07a01d3b19ef10d4c06af20d6041d20f3f8ee926
Author: Jiri Benc <jbenc at redhat.com>
Date:   Sun Mar 29 16:59:24 2015 +0200

    xfrm: simplify xfrm_address_t use
    
    In many places, the a6 field is typecasted to struct in6_addr. As the
    fields are in union anyway, just add in6_addr type to the union and
    get rid of the typecasting.
    
    Modifying the uapi header is okay, the union has still the same size.
    
    Signed-off-by: Jiri Benc <jbenc at redhat.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit f18a7b9595ecb9b58d1344253752455e596de8a5
Author: Christophe Gouault <christophe.gouault at 6wind.com>
Date:   Fri Aug 29 16:16:05 2014 +0200

    xfrm: configure policy hash table thresholds by netlink
    
    Enable to specify local and remote prefix length thresholds for the
    policy hash table via a netlink XFRM_MSG_NEWSPDINFO message.
    
    prefix length thresholds are specified by XFRMA_SPD_IPV4_HTHRESH and
    XFRMA_SPD_IPV6_HTHRESH optional attributes (struct xfrmu_spdhthresh).
    
    example:
    
        /* minimum prefix lengths: lbits = local side, rbits = remote side */
        struct xfrmu_spdhthresh thresh4 = {
            .lbits = 0,
            .rbits = 24,
        };
        struct xfrmu_spdhthresh thresh6 = {
            .lbits = 0,
            .rbits = 56,
        };
        struct nlmsghdr *hdr;
        struct nl_msg *msg;
    
        msg = nlmsg_alloc();
        /* the message type is XFRM_MSG_NEWSPDINFO; the thresholds travel as attributes */
        hdr = nlmsg_put(msg, NL_AUTO_PORT, NL_AUTO_SEQ, XFRM_MSG_NEWSPDINFO, sizeof(__u32), NLM_F_REQUEST);
        nla_put(msg, XFRMA_SPD_IPV4_HTHRESH, sizeof(thresh4), &thresh4);
        nla_put(msg, XFRMA_SPD_IPV6_HTHRESH, sizeof(thresh6), &thresh6);
        nl_send_auto(sk, msg);
    
    The numbers are the policy selector minimum prefix lengths to put a
    policy in the hash table.
    
    - lbits is the local threshold (source address for out policies,
      destination address for in and fwd policies).
    
    - rbits is the remote threshold (destination address for out
      policies, source address for in and fwd policies).
    
    The default values are:
    
    XFRMA_SPD_IPV4_HTHRESH: 32 32
    XFRMA_SPD_IPV6_HTHRESH: 128 128
    
    Dynamic re-building of the SPD is performed when the thresholds values
    are changed.
    
    The current thresholds can be read via a XFRM_MSG_GETSPDINFO request:
    the kernel replies to XFRM_MSG_GETSPDINFO requests by an
    XFRM_MSG_NEWSPDINFO message, with both attributes
    XFRMA_SPD_IPV4_HTHRESH and XFRMA_SPD_IPV6_HTHRESH.
    
    Signed-off-by: Christophe Gouault <christophe.gouault at 6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit 0bc2a5ecfcd1aa722776cee32c88b4ce36cbe228
Author: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Date:   Thu Mar 6 18:24:29 2014 +0100

    xfrm: rename struct xfrm_filter
    
    iproute2 already defines a structure with that name, let's use another one to
    avoid any conflict.
    
    CC: Stephen Hemminger <stephen at networkplumber.org>
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit 86c6cc88eb36cbb9aa5fdd1175baf3fe20adb1d6
Author: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Date:   Fri Feb 14 15:30:36 2014 +0100

    ipsec: add support of limited SA dump
    
    The goal of this patch is to allow userland to dump only a part of SA by
    specifying a filter during the dump.
    The kernel is in charge of filtering SA; this avoids generating useless netlink
    traffic (it also saves some cpu cycles). This is particularly useful when there
    is a big number of SA set on the system.
    
    Note that I removed the union in struct xfrm_state_walk to fix a problem on arm.
    struct netlink_callback->args is defined as an array of 6 long and the first long
    is used in xfrm code to flag the cb as initialized. Hence, we must have:
    sizeof(struct xfrm_state_walk) <= sizeof(long) * 5.
    With the union, it was false on arm (sizeof(struct xfrm_state_walk) was
    sizeof(long) * 7), due to the padding.
    In fact, whatever the arch is, this union seems useless, there will be always
    padding after it. Removing it will not increase the size of this struct (and
    reduce it on arm).
    
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Antony Antony <antony at phenome.org>

commit 7b45023a96b02646ee87f816cea7093f38d867aa
Author: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
Date:   Fri Feb 22 10:54:54 2013 +0100

    xfrm: allow to avoid copying DSCP during encapsulation
    
    By default, DSCP is copied during encapsulation.
    Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
    different DSCP may get reordered relative to each other in the network and then
    dropped by the remote IPsec GW if the reordering becomes too big compared to the
    replay window.
    
    It is possible to avoid this copy with netfilter rules, but it's very convenient
    to be able to configure it for each SA directly.
    
    This patch adds a toggle for this purpose. By default, it's not set to maintain
    backward compatibility.
    
    Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.
    
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
    Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
    Signed-off-by: Antony Antony <antony at phenome.org>
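
The reordering hazard described in the DSCP commit above, as an added example (not part of the commit, the kernel, or libreswan): a simplified anti-replay window shows a delayed packet being accepted while it is still inside the window and dropped once enough later packets have overtaken it. The 32-packet window size, the struct, and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u /* assumed window size, in packets */

struct replay_state {
    uint32_t top;    /* highest sequence number accepted so far */
    uint32_t bitmap; /* bit i set => sequence (top - i) already seen */
};

/* Returns 1 if the packet is accepted, 0 if it is dropped
 * (duplicate, or older than the window can still track). */
int replay_check_and_update(struct replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return 0;                 /* ESP sequence numbers start at 1 */
    if (seq > st->top) {          /* newer packet: slide the window */
        uint32_t shift = seq - st->top;
        st->bitmap = (shift < REPLAY_WINDOW) ? (st->bitmap << shift) | 1u : 1u;
        st->top = seq;
        return 1;
    }
    uint32_t age = st->top - seq;
    if (age >= REPLAY_WINDOW)
        return 0;                 /* reordered past the window: dropped */
    if (st->bitmap & (1u << age))
        return 0;                 /* already seen: replay */
    st->bitmap |= 1u << age;
    return 1;
}

/* Constructed scenario: packet 1 carries a low-priority DSCP and is queued
 * in the network while `overtaking` later packets arrive ahead of it. */
int delayed_packet_accepted(uint32_t overtaking)
{
    struct replay_state st = {0, 0};
    for (uint32_t seq = 2; seq <= 1 + overtaking; seq++)
        replay_check_and_update(&st, seq);
    return replay_check_and_update(&st, 1);
}

int main(void)
{
    uint32_t cases[] = {10, 31, 32, 40};
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("overtaken by %u packets: %s\n", (unsigned)cases[i],
               delayed_packet_accepted(cases[i]) ? "accepted" : "dropped");
    return 0;
}
```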
