summaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_policy.c
AgeCommit message (Collapse)AuthorFilesLines
2011-02-23xfrm: Const'ify selector arg to xfrm_dst_update_parent.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify policy arg to clone_policy.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify policy arg and local selector in xfrm_policy_match.David S. Miller1-2/+3
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify local xfrm_address_t pointers in xfrm_policy_lookup_bytype.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify selector args in xfrm_migrate paths.David S. Miller1-4/+4
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify address args to hash helpers.David S. Miller1-2/+7
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify pointer args to migrate_tmpl_match and xfrm_migrate_checkDavid S. Miller1-2/+2
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify address arguments to __xfrm_dst_lookup()David S. Miller1-2/+2
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23xfrm: Const'ify selector argument to xfrm_selector_match()David S. Miller1-3/+3
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22net: Make flow cache paths use a const struct flowi.David S. Miller1-5/+8
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_resolve_and_create_bundle() const.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_dst_{alloc_copy,update_origin}() const.David S. Miller1-2/+2
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_bundle_create() const.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_tmpl_resolve{,_one}() const.David S. Miller1-6/+4
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_expand_policies() const.David S. Miller1-2/+2
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_policy_{lookup_by_type,match}() const.David S. Miller1-2/+2
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Kill strict arg to xfrm_bundle_ok().David S. Miller1-8/+3
Always set to "0". Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_selector_match() const.David S. Miller1-4/+4
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to xfrm_type->reject() const.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to ->fill_dst() const.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22xfrm: Mark flowi arg to ->get_tos() const.David S. Miller1-1/+1
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-19Merge branch 'master' of ↵David S. Miller1-2/+5
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: Documentation/feature-removal-schedule.txt drivers/net/e1000e/netdev.c net/xfrm/xfrm_policy.c
2011-02-17net: Add initial_ref arg to dst_alloc().David S. Miller1-1/+1
This allows avoiding multiple writes to the initial __refcnt. The most simplest cases of wanting an initial reference of "1" in ipv4 and ipv6 have been converted, the rest have been left along and kept at the existing "0". Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-10xfrm: avoid possible oopse in xfrm_alloc_dstHiroaki SHIMODA1-2/+5
Commit 80c802f3073e84 (xfrm: cache bundles instead of policies for outgoing flows) introduced possible oopse when dst_alloc returns NULL. Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-12-14net: Abstract default MTU metric calculation behind an accessor.David S. Miller1-0/+7
Like RTAX_ADVMSS, make the default calculation go through a dst_ops method rather than caching the computation in the routing cache entries. Now dst metrics are pretty much left as-is when new entries are created, thus optimizing metric sharing becomes a real possibility. Signed-off-by: David S. Miller <davem@davemloft.net>
2010-12-13net: Abstract default ADVMSS behind an accessor.David S. Miller1-0/+7
Make all RTAX_ADVMSS metric accesses go through a new helper function, dst_metric_advmss(). Leave the actual default metric as "zero" in the real metric slot, and compute the actual default value dynamically via a new dst_ops AF specific callback. For stacked IPSEC routes, we use the advmss of the path which preserves existing behavior. Unlike ipv4/ipv6, DecNET ties the advmss to the mtu and thus updates advmss on pmtu updates. This inconsistency in advmss handling results in more raw metric accesses than I wish we ended up with. Signed-off-by: David S. Miller <davem@davemloft.net>
2010-12-09net: Abstract away all dst_entry metrics accesses.David S. Miller1-3/+3
Use helper functions to hide all direct accesses, especially writes, to dst_entry metrics values. This will allow us to: 1) More easily change how the metrics are stored. 2) Implement COW for metrics. In particular this will help us put metrics into the inetpeer cache if that is what we end up doing. We can make the _metrics member a pointer instead of an array, initially have it point at the read-only metrics in the FIB, and then on the first set grab an inetpeer entry and point the _metrics member there. Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
2010-10-21xfrm: make xfrm_bundle_ok localstephen hemminger1-3/+4
Only used in one place. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-09-20xfrm: Allow different selector family in temporary stateThomas Egerer1-3/+2
The family parameter xfrm_state_find is used to find a state matching a certain policy. This value is set to the template's family (encap_family) right before xfrm_state_find is called. The family parameter is however also used to construct a temporary state in xfrm_state_find itself which is wrong for inter-family scenarios because it produces a selector for the wrong family. Since this selector is included in the xfrm_user_acquire structure, user space programs misinterpret IPv6 addresses as IPv4 and vice versa. This patch splits up the original init_tempsel function into a part that initializes the selector respectively the props and id of the temporary state, to allow for differing ip address families whithin the state. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-07-20Merge branch 'master' of ↵David S. Miller1-2/+13
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/vhost/net.c net/bridge/br_device.c Fix merge conflict in drivers/vhost/net.c with guidance from Stephen Rothwell. Revert the effects of net-2.6 commit 573201f36fd9c7c6d5218cdcd9948cee700b277d since net-next-2.6 has fixes that make bridge netpoll work properly thus we don't need it disabled. Signed-off-by: David S. Miller <davem@davemloft.net>
2010-07-14xfrm: do not assume that template resolving always returns xfrmsTimo Teräs1-2/+13
xfrm_resolve_and_create_bundle() assumed that, if policies indicated presence of xfrms, bundle template resolution would always return some xfrms. This is not true for 'use' level policies which can result in no xfrm's being applied if there is no suitable xfrm states. This fixes a crash by this incorrect assumption. Reported-by: George Spelvin <linux@horizon.com> Bisected-by: George Spelvin <linux@horizon.com> Tested-by: George Spelvin <linux@horizon.com> Signed-off-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-07-07Merge branch 'master' of ↵David S. Miller1-1/+2
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2010-06-25snmp: add align parameter to snmp_mib_init()Eric Dumazet1-1/+2
In preparation for 64bit snmp counters for some mibs, add an 'align' parameter to snmp_mib_init(), instead of assuming mibs only contain 'unsigned long' fields. Callers can use __alignof__(type) to provide correct alignment. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Herbert Xu <herbert@gondor.apana.org.au> CC: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> CC: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> CC: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-06-24xfrm: check bundle policy existance before dereferencing itTimo Teräs1-1/+2
Fix the bundle validation code to not assume having a valid policy. When we have multiple transformations for a xfrm policy, the bundle instance will be a chain of bundles with only the first one having the policy reference. When policy_genid is bumped it will expire the first bundle in the chain which is equivalent of expiring the whole chain. Reported-bisected-and-tested-by: Justin P. Mattock <justinmattock@gmail.com> Signed-off-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-06-02xfrm: force a dst reference in __xfrm_route_forward()Eric Dumazet1-0/+1
Packets going through __xfrm_route_forward() have a not refcounted dst entry, since we enabled a noref forwarding path. xfrm_lookup() might incorrectly release this dst entry. It's a bit late to make invasive changes in xfrm_lookup(), so lets force a refcount in this path. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-05-17net: Remove unnecessary returns from void function()sJoe Perches1-1/+0
This patch removes from net/ (but not any netfilter files) all the unnecessary return; statements that precede the last closing brace of void functions. It does not remove the returns that are immediately preceded by a label as gcc doesn't like that. Done via: $ grep -rP --include=*.[ch] -l "return;\n}" net/ | \ xargs perl -i -e 'local $/ ; while (<>) { s/\n[ \t\n]+return;\n}/\n}/g; print; }' Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-05-15xfrm: fix policy unreferencing on larval dropTimo Teras1-1/+1
I mistakenly had the error path to use num_pols to decide how many policies we need to drop (cruft from earlier patch set version which did not handle socket policies right). This is wrong since normally we do not keep explicit references (instead we hold reference to the cache entry which holds references to policies). drop_pols is set to num_pols if we are holding the references, so use that. Otherwise we eventually BUG_ON inside xfrm_policy_destroy due to premature policy deletion. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-30xfrm: potential uninitialized variable num_xfrmsChangli Gao1-1/+1
potential uninitialized variable num_xfrms fix compiler warning: 'num_xfrms' may be used uninitialized in this function. Signed-off-by: Changli Gao <xiaosuo@gmail.com> ---- net/xfrm/xfrm_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-07xfrm: remove policy garbage collectionTimo Teräs1-34/+5
Policies are now properly reference counted and destroyed from all code paths. The delayed gc is just an overhead now and can be removed. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-07xfrm: cache bundles instead of policies for outgoing flowsTimo Teräs1-335/+376
__xfrm_lookup() is called for each packet transmitted out of system. The xfrm_find_bundle() does a linear search which can kill system performance depending on how many bundles are required per policy. This modifies __xfrm_lookup() to store bundles directly in the flow cache. If we did not get a hit, we just create a new bundle instead of doing slow search. This means that we can now get multiple xfrm_dst's for same flow (on per-cpu basis). Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-07flow: virtualize flow cache entry methodsTimo Teräs1-38/+74
This allows to validate the cached object before returning it. It also allows to destruct object properly, if the last reference was held in flow cache. This is also a prepartion for caching bundles in the flow cache. In return for virtualizing the methods, we save on: - not having to regenerate the whole flow cache on policy removal: each flow matching a killed policy gets refreshed as the getter function notices it smartly. - we do not have to call flow_cache_flush from policy gc, since the flow cache now properly deletes the object if it had any references Signed-off-by: Timo Teras <timo.teras@iki.fi> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-01xfrm: remove policy lock when accessing policy->walk.deadTimo Teräs1-22/+9
All of the code considers ->dead as a hint that the cached policy needs to get refreshed. The read side can just drop the read lock without any side effects. The write side needs to make sure that it's written only exactly once. Only possible race is at xfrm_policy_kill(). This is fixed by checking result of __xfrm_policy_unlink() when needed. It will always succeed if the policy object is looked up from the hash list (so some checks are removed), but it needs to be checked if we are trying to unlink policy via a reference (appropriate checks added). Since policy->walk.dead is written exactly once, it no longer needs to be protected with a write lock. Signed-off-by: Timo Teras <timo.teras@iki.fi> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-03-03ipsec: Fix bogus bundle flowiHerbert Xu1-3/+4
When I merged the bundle creation code, I introduced a bogus flowi value in the bundle. Instead of getting from the caller, it was instead set to the flow in the route object, which is totally different. The end result is that the bundles we created never match, and we instead end up with an ever growing bundle list. Thanks to Jamal for find this problem. Reported-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-23xfrm: clone mark when cloning policyJamal Hadi Salim1-0/+1
When we clone the SP, we should also clone the mark. Useful for socket based SPs. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-22xfrm: SP lookups with markJamal Hadi Salim1-1/+11
Allow mark to be used when doing SP lookup Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-22xfrm: SP lookups signature with markJamal Hadi Salim1-4/+4
pass mark to all SP lookups to prepare them for when we add code to have them search. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-19xfrm: Flushing empty SPD generates false eventsJamal Hadi Salim1-3/+10
To see the effect make sure you have an empty SPD. On window1 "ip xfrm mon" and on window2 issue "ip xfrm policy flush" You get prompt back in window2 and you see the flush event on window1. With this fix, you still get prompt on window1 but no event on window2. Thanks to Alexey Dobriyan for finding a bug in earlier version when using pfkey to do the flushing. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-18xfrm: Introduce LINUX_MIB_XFRMFWDHDRERRORjamal1-2/+1
XFRMINHDRERROR counter is ambigous when validating forwarding path. It makes it tricky to debug when you have both in and fwd validation. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-17xfrm: Revert false event eliding commits.David S. Miller1-10/+3
As reported by Alexey Dobriyan: -------------------- setkey now takes several seconds to run this simple script and it spits "recv: Resource temporarily unavailable" messages. #!/usr/sbin/setkey -f flush; spdflush; add A B ipcomp 44 -m tunnel -C deflate; add B A ipcomp 45 -m tunnel -C deflate; spdadd A B any -P in ipsec ipcomp/tunnel/192.168.1.2-192.168.1.3/use; spdadd B A any -P out ipsec ipcomp/tunnel/192.168.1.3-192.168.1.2/use; -------------------- Obviously applications want the events even when the table is empty. So we cannot make this behavioral change. Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-16percpu: add __percpu sparse annotations to netTejun Heo1-3/+3
Add __percpu sparse annotations to net. These annotations are to make sparse consider percpu variables to be in a different address space and warn if accessed without going through percpu accessors. This patch doesn't affect normal builds. The macro and type tricks around snmp stats make things a bit interesting. DEFINE/DECLARE_SNMP_STAT() macros mark the target field as __percpu and SNMP_UPD_PO_STATS() macro is updated accordingly. All snmp_mib_*() users which used to cast the argument to (void **) are updated to cast it to (void __percpu **). Signed-off-by: Tejun Heo <tj@kernel.org> Acked-by: David S. Miller <davem@davemloft.net> Cc: Patrick McHardy <kaber@trash.net> Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Cc: Vlad Yasevich <vladislav.yasevich@hp.com> Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>