linux-stable.git/include/linux/xfrm.h, branch linux-2.6.25.y Linux kernel stable tree [IPSEC]: Add support for combined mode algorithms 2008-02-01T03:27:03+00:00 Herbert Xu herbert@gondor.apana.org.au 2008-01-29T03:37:29+00:00 1a6509d991225ad210de54c63314fd9542922095 This patch adds support for combined mode algorithms with GCM being the first algorithm supported. Combined mode algorithms can be added through the xfrm_user interface using the new algorithm payload type XFRMA_ALG_AEAD. Each algorithms is identified by its name and the ICV length. For the purposes of matching algorithms in xfrm_tmpl structures, combined mode algorithms occupy the same name space as encryption algorithms. This is in line with how they are negotiated using IKE. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
This patch adds support for combined mode algorithms with GCM being
the first algorithm supported.

Combined mode algorithms can be added through the xfrm_user interface
using the new algorithm payload type XFRMA_ALG_AEAD.  Each algorithms
is identified by its name and the ICV length.

For the purposes of matching algorithms in xfrm_tmpl structures,
combined mode algorithms occupy the same name space as encryption
algorithms.  This is in line with how they are negotiated using IKE.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: Fix struct xfrm_algo code formatting. 2008-01-28T23:02:01+00:00 David S. Miller davem@davemloft.net 2008-01-13T05:31:29+00:00 3f4afb6443aaa1d69b2d8f0461c8191e40d54c3c Realign struct members. Signed-off-by: David S. Miller <davem@davemloft.net> 
Realign struct members.

Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: alg_key_len should be unsigned to avoid integer divides 2008-01-28T23:02:00+00:00 Eric Dumazet dada1@cosmosbay.com 2008-01-13T05:30:23+00:00 ba749ae98d5aa9d2ce9a7facde0deed454f92230 alg_key_len is currently defined as 'signed int'. This unfortunatly leads to integer divides in several paths. Converting it to unsigned is safe and saves 208 bytes of text on i386. Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
alg_key_len is currently defined as 'signed int'. This unfortunatly
leads to integer divides in several paths.

Converting it to unsigned is safe and saves 208 bytes of text on i386.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPSEC]: Add ICMP host relookup support 2008-01-28T22:57:23+00:00 Herbert Xu herbert@gondor.apana.org.au 2007-12-12T18:44:43+00:00 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch implements this for ICMP traffic that originates from or terminates on localhost. This is activated on outbound with the new policy flag XFRM_POLICY_ICMP, and on inbound by the new state flag XFRM_STATE_ICMP. On inbound the policy check is now performed by the ICMP protocol so that it can repeat the policy check where necessary. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload.  This patch implements this
for ICMP traffic that originates from or terminates on localhost.

This is activated on outbound with the new policy flag XFRM_POLICY_ICMP,
and on inbound by the new state flag XFRM_STATE_ICMP.

On inbound the policy check is now performed by the ICMP protocol so
that it can repeat the policy check where necessary.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse 2008-01-28T22:57:22+00:00 Herbert Xu herbert@gondor.apana.org.au 2007-12-12T18:44:16+00:00 d5422efe680fc55010c6ddca2370ca9548a96355 RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch adds the functions xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get the reverse flow to perform such a lookup. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net> 
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload.  This patch adds the functions
xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get
the reverse flow to perform such a lookup.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM] SPD info TLV aggregation 2007-05-04T19:55:39+00:00 Jamal Hadi Salim hadi@cyberus.ca 2007-05-04T19:55:39+00:00 5a6d34162f5c6f522f857df274f1c8240f161e11 Aggregate the SPD info TLVs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Aggregate the SPD info TLVs.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM] SAD info TLV aggregationx 2007-05-04T19:55:13+00:00 Jamal Hadi Salim hadi@cyberus.ca 2007-05-04T19:55:13+00:00 af11e31609d93765c1b22611592543e028f7aa54 Aggregate the SAD info TLVs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 
Aggregate the SAD info TLVs.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: Export SPD info 2007-04-29T04:20:32+00:00 Jamal Hadi Salim hadi@cyberus.ca 2007-04-29T04:20:32+00:00 ecfd6b183780c6d9e85873693b3ce6c5f4d08b58 With this patch you can use iproute2 in user space to efficiently see how many policies exist in different directions. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net> 
With this patch you can use iproute2 in user space to efficiently see
how many policies exist in different directions.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: Export SAD info. 2007-04-26T07:10:29+00:00 Jamal Hadi Salim hadi@cyberus.ca 2007-04-26T07:10:29+00:00 28d8909bc790d936ce33f4402adf7577533bbd4b On a system with a lot of SAs, counting SAD entries chews useful CPU time since you need to dump the whole SAD to user space; i.e something like ip xfrm state ls | grep -i src | wc -l I have seen taking literally minutes on a 40K SAs when the system is swapping. With this patch, some of the SAD info (that was already being tracked) is exposed to user space. i.e you do: ip xfrm state count And you get the count; you can also pass -s to the command line and get the hash info. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net> 
On a system with a lot of SAs, counting SAD entries chews useful
CPU time since you need to dump the whole SAD to user space;
i.e something like ip xfrm state ls | grep -i src | wc -l
I have seen taking literally minutes on a 40K SAs when the system
is swapping.
With this patch, some of the SAD info (that was already being tracked)
is exposed to user space. i.e you do:
ip xfrm state count
And you get the count; you can also pass -s to the command line and
get the hash info.

Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
[XFRM]: Extension for dynamic update of endpoint address(es) 2007-02-08T21:11:42+00:00 Shinta Sugimoto shinta.sugimoto@ericsson.com 2007-02-08T21:11:42+00:00 80c9abaabf4283f7cf4a0b3597cd302506635b7f Extend the XFRM framework so that endpoint address(es) in the XFRM databases could be dynamically updated according to a request (MIGRATE message) from user application. Target XFRM policy is first identified by the selector in the MIGRATE message. Next, the endpoint addresses of the matching templates and XFRM states are updated according to the MIGRATE message. Signed-off-by: Shinta Sugimoto <shinta.sugimoto@ericsson.com> Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
Extend the XFRM framework so that endpoint address(es) in the XFRM
databases could be dynamically updated according to a request (MIGRATE
message) from user application. Target XFRM policy is first identified
by the selector in the MIGRATE message. Next, the endpoint addresses
of the matching templates and XFRM states are updated according to
the MIGRATE message.

Signed-off-by: Shinta Sugimoto <shinta.sugimoto@ericsson.com>
Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>