Re: [PATCH] [XFRM] Add CONFIG_INET dependency to CONFIG_XFRM_STATISTICS
Saturday 16 February 2008 08:24, David Miller wrote:
> From: Johann Felix Soden <[EMAIL PROTECTED]>
> Date: Fri, 15 Feb 2008 16:08:43 +0100
>
> > From: Johann Felix Soden <[EMAIL PROTECTED]>
> >
> > With INET=n and XFRM_STATISTICS=y I get the following build failure:
> >
> > net/built-in.o: In function `xfrm_init':
> > (.init.text+0xcd7): undefined reference to `snmp_mib_init'
> >
> > Signed-off-by: Johann Felix Soden <[EMAIL PROTECTED]>
> > CC: Masahide NAKAMURA <[EMAIL PROTECTED]>
>
> A fix for this has been in my net-2.6 tree for a few days,
> and Linus pulled it in this morning.

Thank you guys for taking care of it.

--
Masahide NAKAMURA
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH][XFRM]: Fix statistics.
Hello, I found some XFRM statistics updates which should be applied. This patch change user-public header defines introduced at net-2.6.25 and I hope to make it to be applied to linux 2.6.25. [PATCH][XFRM]: Fix statistics. o Outbound sequence number overflow error status is counted as XfrmOutStateSeqError. o Additionaly, it changes inbound sequence number replay error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError to apply name scheme above. o Inbound IPv4 UDP encapsuling type mismatch error is wrongly mapped to XfrmInStateInvalid then this patch fiex the error to XfrmInStateMismatch. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- Documentation/networking/xfrm_proc.txt |8 ++-- include/linux/snmp.h |3 ++- net/xfrm/xfrm_input.c |4 ++-- net/xfrm/xfrm_output.c |1 + net/xfrm/xfrm_proc.c |3 ++- 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/Documentation/networking/xfrm_proc.txt b/Documentation/networking/xfrm_proc.txt index 53c1a58..d0d8baf 100644 --- a/Documentation/networking/xfrm_proc.txt +++ b/Documentation/networking/xfrm_proc.txt @@ -26,8 +26,9 @@ XfrmInStateProtoError: e.g. SA key is wrong XfrmInStateModeError: Transformation mode specific error -XfrmInSeqOutOfWindow: - Sequence out of window +XfrmInStateSeqError: + Sequence error + i.e. Sequence number is out of window XfrmInStateExpired: State is expired XfrmInStateMismatch: @@ -60,6 +61,9 @@ XfrmOutStateProtoError: Transformation protocol specific error XfrmOutStateModeError: Transformation mode specific error +XfrmOutStateSeqError: + Sequence error + i.e. Sequence number overflow XfrmOutStateExpired: State is expired XfrmOutPolBlock: diff --git a/include/linux/snmp.h b/include/linux/snmp.h index 86d3eff..5df62ef 100644 --- a/include/linux/snmp.h +++ b/include/linux/snmp.h 
@@ -227,7 +227,7 @@ enum LINUX_MIB_XFRMINNOSTATES, /* XfrmInNoStates */ LINUX_MIB_XFRMINSTATEPROTOERROR,/* XfrmInStateProtoError */ LINUX_MIB_XFRMINSTATEMODEERROR, /* XfrmInStateModeError */ - LINUX_MIB_XFRMINSEQOUTOFWINDOW, /* XfrmInSeqOutOfWindow */ + LINUX_MIB_XFRMINSTATESEQERROR, /* XfrmInStateSeqError */ LINUX_MIB_XFRMINSTATEEXPIRED, /* XfrmInStateExpired */ LINUX_MIB_XFRMINSTATEMISMATCH, /* XfrmInStateMismatch */ LINUX_MIB_XFRMINSTATEINVALID, /* XfrmInStateInvalid */ @@ -241,6 +241,7 @@ enum LINUX_MIB_XFRMOUTNOSTATES, /* XfrmOutNoStates */ LINUX_MIB_XFRMOUTSTATEPROTOERROR, /* XfrmOutStateProtoError */ LINUX_MIB_XFRMOUTSTATEMODEERROR,/* XfrmOutStateModeError */ + LINUX_MIB_XFRMOUTSTATESEQERROR, /* XfrmOutStateSeqError */ LINUX_MIB_XFRMOUTSTATEEXPIRED, /* XfrmOutStateExpired */ LINUX_MIB_XFRMOUTPOLBLOCK, /* XfrmOutPolBlock */ LINUX_MIB_XFRMOUTPOLDEAD, /* XfrmOutPolDead */ diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 039e701..c32b50b 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -160,12 +160,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) } if ((x->encap ? x->encap->encap_type : 0) != encap_type) { - XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEINVALID); + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMISMATCH); goto drop_unlock; } if (x->props.replay_window && xfrm_replay_check(x, skb, seq)) { - XFRM_INC_STATS(LINUX_MIB_XFRMINSEQOUTOFWINDOW); + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATESEQERROR); goto drop_unlock; } diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index f4a1047..fc69036 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -64,6 +64,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err) if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq = ++x->replay.oseq; if (unlikely(x->replay.oseq == 0)) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATESEQERROR); x->replay.oseq--; xfrm_audit_state_replay_overflow(x, skb); err = -EOVERFLOW; 
diff --git a/net/xfrm/xfrm_proc.c b/net/xfrm/xfrm_proc.c index 31d0354..2b0db13 100644 --- a/net/xfrm/xfrm_proc.c +++ b/net/xfrm/xfrm_proc.c @@ -22,7 +22,7 @@ static struct snmp_mib xfrm_mib_list[] = { SNMP_MIB_ITEM("XfrmInNoStates", LINUX_MIB_XFRMINNOSTATES), SNMP_MIB_ITE
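Review bot: in the include/linux/snmp.h hunks, renaming LINUX_MIB_XFRMINSEQOUTOFWINDOW and inserting LINUX_MIB_XFRMOUTSTATESEQERROR between LINUX_MIB_XFRMOUTSTATEMODEERROR and LINUX_MIB_XFRMOUTSTATEEXPIRED changes a user-visible name and renumbers every enumerator after the insertion point. That is only acceptable because, as the cover text says, these defines were introduced at net-2.6.25 and have not shipped in a release, so the commit message should say explicitly that the patch has to land before 2.6.25 and must not be backported to a kernel that already exposes the old numbering.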
[PATCH][XFRM] Statistics: Add outbound-dropping error.
Hello,

I found two more points where they should be incremented as XFRM packet dropping counters.
Please apply it.

P.S. I don't touch the XFRM_LOOKUP_ICMP related error at __xfrm_lookup() since it may not drop the packet.
Correct me if it is wrong; comments are welcome.

[PATCH][XFRM] Statistics: Add outbound-dropping error.

o Increment PolError counter when flow_cache_lookup() returns errored pointer.
o Increment NoStates counter at larval-drop.

Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
---
 net/xfrm/xfrm_policy.c |5 -
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 280f8de..d83227b 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1510,8 +1510,10 @@ restart: policy = flow_cache_lookup(fl, dst_orig->ops->family, dir, xfrm_policy_lookup); err = PTR_ERR(policy); - if (IS_ERR(policy)) + if (IS_ERR(policy)) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTPOLERROR); goto dropdst; + } } if (!policy) @@ -1603,6 +1605,7 @@ restart: /* EREMOTE tells the caller to generate * a one-shot blackhole route. */ + XFRM_INC_STATS(LINUX_MIB_XFRMOUTNOSTATES); xfrm_pol_put(policy); return -EREMOTE; } -- 1.4.4.2
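Review bot: the second hunk counts the -EREMOTE return under LINUX_MIB_XFRMOUTNOSTATES, but the comment right above it says the caller generates a one-shot blackhole route, so the packet is discarded by that route rather than at this point. The name fits the changelog's "larval-drop" wording, but the XfrmOutNoStates entry in xfrm_proc.txt currently reads only "No state is found"; it should mention that packets dropped while the outbound SA is still larval are counted here too, otherwise a rising counter during normal SA setup looks like a configuration error.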
[PATCH][XFRM] Documentation: Fix error example at XFRMOUTSTATEMODEERROR. (Re: [XFRM]: Fix outbound statistics.)
# This is resent email since the Subject is blank at the first time;

Hello,

On Fri, 21 Dec 2007 23:11:11 +0800 Herbert Xu <[EMAIL PROTECTED]> wrote:
> On Fri, Dec 21, 2007 at 11:25:00PM +0900, Masahide NAKAMURA wrote:
> >
> > do {
> > err = xfrm_state_check_space(x, skb);
> > - if (err)
> > + if (err) {
> > + XFRM_INC_STATS(LINUX_MIB_XFRMOUTERROR);
> > goto error_nolock;
> > + }
> >
> > err = x->outer_mode->output(x, skb);
> > - if (err)
> > + if (err) {
> > + XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATEMODEERROR);
>
> BTW, none of our existing mode output functions actually return
> an error. I noticed that the description for this field is actually
> "Transformation mode specific error, e.g. Outer header space is not
> enough". This is slightly misleading as output header space is
> checked by xfrm_state_check_space so if there's an error that's
> where it'll show up.

Thanks for the comment, Herbert.

I fix the documentation to remove "e.g. Outer header space is not enough" from XFRMSTATEMODEERROR.

About the error code from xfrm_state_check_space(), I still map it to XFRMOUTERROR (other errors) this time because I think the error here is not a length error by protocol (e.g. MTU related things) but an internal buffer management one.
Any comments for the statistics are still welcome.

David, please apply the following patch, too.

[XFRM] Documentation: Fix error example at XFRMOUTSTATEMODEERROR.

Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
---
 Documentation/networking/xfrm_proc.txt |1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/Documentation/networking/xfrm_proc.txt b/Documentation/networking/xfrm_proc.txt index ec9045b..53c1a58 100644 --- a/Documentation/networking/xfrm_proc.txt +++ b/Documentation/networking/xfrm_proc.txt
@@ -60,7 +60,6 @@ XfrmOutStateProtoError: Transformation protocol specific error XfrmOutStateModeError: Transformation mode specific error - e.g. Outer header space is not enough XfrmOutStateExpired: State is expired XfrmOutPolBlock: -- 1.4.4.2
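Review bot: with the example line removed, XfrmOutStateModeError is described only as "Transformation mode specific error", and Herbert notes above that none of the existing mode output functions return an error, so nothing increments this counter today. A one-line remark in the same entry that the counter is reserved for mode implementations that can fail would save readers from hunting for a trigger that does not exist yet.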
[XFRM]: Fix outbound statistics.
Hello David,

I'm sorry, the previous mail contains wrong code:

> David, I failed to include this statistics codes since I didn't notice
> the conflict with the latest Herbert XFRM fix.
>
> Please apply this, too.
>
> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
> ---
[snip]
>
> do {
> err = xfrm_state_check_space(x, skb);
> - if (err)
> + if (err) {
> goto error_nolock;
> + XFRM_INC_STATS(LINUX_MIB_XFRMOUTERROR);
> + }

Please apply the below patch instead of the previous.

Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
---
 net/xfrm/xfrm_output.c | 12 +---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 867484a..f8e5961 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -43,17 +43,23 @@ static int xfrm_output_one(struct sk_buff *skb, int err) do { err = xfrm_state_check_space(x, skb); - if (err) + if (err) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTERROR); goto error_nolock; + } err = x->outer_mode->output(x, skb); - if (err) + if (err) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATEMODEERROR); goto error_nolock; + } spin_lock_bh(&x->lock); err = xfrm_state_check_expire(x); - if (err) + if (err) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATEEXPIRED); goto error; + } if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq = ++x->replay.oseq; -- 1.4.4.2
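Review bot: in the third hunk the XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATEEXPIRED) call runs with x->lock held (spin_lock_bh just above), whereas the two increments before it run unlocked; that is fine if XFRM_INC_STATS is a plain per-cpu counter update that never sleeps, but the patch does not say so, and a short note in the changelog would settle it. The increment now precedes the goto in all three hunks, which is the fix this resend is for.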
[XFRM]: Fix outbound statistics.
David,

I failed to include this statistics code since I didn't notice the conflict with the latest Herbert XFRM fix.

Please apply this, too.

Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
---
 net/xfrm/xfrm_output.c | 12 +---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 867484a..8dee031 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -43,17 +43,23 @@ static int xfrm_output_one(struct sk_buff *skb, int err) do { err = xfrm_state_check_space(x, skb); - if (err) + if (err) { goto error_nolock; + XFRM_INC_STATS(LINUX_MIB_XFRMOUTERROR); + } err = x->outer_mode->output(x, skb); - if (err) + if (err) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATEMODEERROR); goto error_nolock; + } spin_lock_bh(&x->lock); err = xfrm_state_check_expire(x); - if (err) + if (err) { + XFRM_INC_STATS(LINUX_MIB_XFRMOUTSTATEEXPIRED); goto error; + } if (x->type->flags & XFRM_TYPE_REPLAY_PROT) { XFRM_SKB_CB(skb)->seq = ++x->replay.oseq; -- 1.4.4.2
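Review bot: in the first hunk XFRM_INC_STATS(LINUX_MIB_XFRMOUTERROR) is placed after `goto error_nolock;`, so it is unreachable and XfrmOutError will never count the xfrm_state_check_space() failure; move it before the goto, as the other two hunks do:
+ if (err) {
+ XFRM_INC_STATS(LINUX_MIB_XFRMOUTERROR);
  goto error_nolock;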
Re: (usagi-core 34097) Re: [PATCH] [XFRM] IPv6: Fix dst/routing check at transformation.
Friday 21 December 2007 14:06, Masahide NAKAMURA wrote:
> Thanks, I'll resend by hand this time.
> Maybe I use your e-mail address without name
> by current git-send-email.

Ah, they are already applied. I don't need to resend anymore.
I'll be careful next time.

Regards,
--
Masahide NAKAMURA
Re: [PATCH] [XFRM] IPv6: Fix dst/routing check at transformation.
Friday 21 December 2007 12:50, David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Fri, 21 Dec 2007 12:48:31 +0900
>
> > My 5 patches for XFRM sent to netdev should be TOed to David, but it is not.
> >
> > It does not seem that the command works for me.
> > git-send-email --to "David S. Miller <[EMAIL PROTECTED]>" --to [EMAIL PROTECTED] --cc...
> >
> > Please see my patches, even if it is not TOed to you.
>
> All of your patches won't make it anywhere.
>
> In the email headers my name shows up like this:
>
> David S. Miller
>
> Email SMTP rules dictate that if special characters like
> "." appear in the name it must be surrounded by double
> quotes otherwise it is a syntax error.
>
> This is a bug in git-send-email that I thought was fixed
> by now. Perhaps it is fixed in git mainline and not any
> of the stable releases yet.
>
> Perhaps you can submit them by hand until you resolve the
> git-send-email problem?

Thanks, I'll resend by hand this time.
Maybe I use your e-mail address without name by current git-send-email.

--
Masahide NAKAMURA
[PATCH 2/3] [XFRM]: Support to increment packet dropping statistics.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/xfrm6_input.c |3 ++ net/xfrm/xfrm_input.c | 41 +++--- net/xfrm/xfrm_output.c |6 - net/xfrm/xfrm_policy.c | 63 ++- 4 files changed, 90 insertions(+), 23 deletions(-) diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index f835ab4..6644fc6 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c @@ -72,6 +72,7 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, sp = secpath_dup(skb->sp); if (!sp) { + XFRM_INC_STATS(LINUX_MIB_XFRMINERROR); goto drop; } if (skb->sp) @@ -80,6 +81,7 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, } if (1 + skb->sp->len == XFRM_MAX_DEPTH) { + XFRM_INC_STATS(LINUX_MIB_XFRMINBUFFERERROR); goto drop; } @@ -149,6 +151,7 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, } if (!x) { + XFRM_INC_STATS(LINUX_MIB_XFRMINNOSTATES); goto drop; } diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 8624cbd..493243f 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -119,8 +119,10 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) struct sec_path *sp; sp = secpath_dup(skb->sp); - if (!sp) + if (!sp) { + XFRM_INC_STATS(LINUX_MIB_XFRMINERROR); goto drop; + } if (skb->sp) secpath_put(skb->sp); skb->sp = sp; 
@@ -131,31 +133,45 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) family = XFRM_SPI_SKB_CB(skb)->family; seq = 0; - if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0) + if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0) { + XFRM_INC_STATS(LINUX_MIB_XFRMINHDRERROR); goto drop; + } do { - if (skb->sp->len == XFRM_MAX_DEPTH) + if (skb->sp->len == XFRM_MAX_DEPTH) { + XFRM_INC_STATS(LINUX_MIB_XFRMINBUFFERERROR); goto drop; + } x = xfrm_state_lookup(daddr, spi, nexthdr, family); - if (x == NULL) + if (x == NULL) { + XFRM_INC_STATS(LINUX_MIB_XFRMINNOSTATES); goto drop; + } skb->sp->xvec[skb->sp->len++] = x; spin_lock(&x->lock); - if (unlikely(x->km.state != XFRM_STATE_VALID)) + if (unlikely(x->km.state != XFRM_STATE_VALID)) { + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEINVALID); goto drop_unlock; + } - if ((x->encap ? x->encap->encap_type : 0) != encap_type) + if ((x->encap ? x->encap->encap_type : 0) != encap_type) { + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEINVALID); goto drop_unlock; + } - if (x->props.replay_window && xfrm_replay_check(x, seq)) + if (x->props.replay_window && xfrm_replay_check(x, seq)) { + XFRM_INC_STATS(LINUX_MIB_XFRMINSEQOUTOFWINDOW); goto drop_unlock; + } - if (xfrm_state_check_expire(x)) + if (xfrm_state_check_expire(x)) { + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEEXPIRED); goto drop_unlock; + } spin_unlock(&x->lock); @@ -171,6 +187,7 @@ resume: if (nexthdr <= 0) { if (nexthdr == -EBADMSG) x->stats.integrity_failed++; + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR); goto drop_unlock; } @@ -187,8 +204,10 @@ resume: XFRM_MODE_SKB_CB(skb)->protocol = nexthdr; - if (x->inner_mode->input(x, skb)) + if (x->inner_mode->input(x, skb)) { + XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR); goto drop; + } if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) { decaps = 1; @@ -203,8 +222,10 @@ resume: family = x->outer_mode->afinfo->family; err = xfrm_parse_s
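Review bot: in the net/xfrm/xfrm_input.c hunk, the encap_type mismatch check increments LINUX_MIB_XFRMINSTATEINVALID, the same counter as the `x->km.state != XFRM_STATE_VALID` check just above it, so the two causes cannot be told apart from /proc/net/xfrm_stat. The xfrm_proc.txt added in 1/3 defines XfrmInStateMismatch for exactly this case ("UDP encapsulation type is mismatch"), so this branch should use LINUX_MIB_XFRMINSTATEMISMATCH.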
[PATCH] [XFRM] MIPv6: Fix to input RO state correctly.
Disable spin_lock during xfrm_type.input() function. Follow design as IPsec inbound does. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/xfrm6_input.c | 54 +-- 1 files changed, 29 insertions(+), 25 deletions(-) diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index 74f3aac..f835ab4 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c @@ -63,10 +63,26 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, struct xfrm_state *x = NULL; int wildcard = 0; xfrm_address_t *xany; - struct xfrm_state *xfrm_vec_one = NULL; int nh = 0; int i = 0; + /* Allocate new secpath or COW existing one. */ + if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { + struct sec_path *sp; + + sp = secpath_dup(skb->sp); + if (!sp) { + goto drop; + } + if (skb->sp) + secpath_put(skb->sp); + skb->sp = sp; + } + + if (1 + skb->sp->len == XFRM_MAX_DEPTH) { + goto drop; + } + xany = (xfrm_address_t *)&in6addr_any; for (i = 0; i < 3; i++) { 
@@ -119,47 +135,35 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr, continue; } + spin_unlock(&x->lock); + nh = x->type->input(x, skb); if (nh <= 0) { - spin_unlock(&x->lock); xfrm_state_put(x); x = NULL; continue; } - x->curlft.bytes += skb->len; - x->curlft.packets++; - - spin_unlock(&x->lock); - - xfrm_vec_one = x; + /* Found a state */ break; } - if (!xfrm_vec_one) + if (!x) { goto drop; - - /* Allocate new secpath or COW existing one. */ - if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { - struct sec_path *sp; - sp = secpath_dup(skb->sp); - if (!sp) - goto drop; - if (skb->sp) - secpath_put(skb->sp); - skb->sp = sp; } - if (1 + skb->sp->len > XFRM_MAX_DEPTH) - goto drop; + skb->sp->xvec[skb->sp->len++] = x; + + spin_lock(&x->lock); - skb->sp->xvec[skb->sp->len] = xfrm_vec_one; - skb->sp->len ++; + x->curlft.bytes += skb->len; + x->curlft.packets++; + + spin_unlock(&x->lock); return 1; + drop: - if (xfrm_vec_one) - xfrm_state_put(xfrm_vec_one); return -1; } -- 1.4.4.2 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
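Review bot: the secpath depth check moved in the first hunk changed its comparison: the removed line was `if (1 + skb->sp->len > XFRM_MAX_DEPTH)` and the added one is `if (1 + skb->sp->len == XFRM_MAX_DEPTH)`, which now drops the packet while one xvec slot is still free, and disagrees with xfrm_input() in the 2/3 patch of this series, which tests `skb->sp->len == XFRM_MAX_DEPTH`. Either drop the `1 +` or keep `>` so the IPv6 RO path and the IPsec path reject at the same depth; the changelog should also mention that the check now runs before the state search rather than after it.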
[PATCH 1/3] [XFRM]: Define packet dropping statistics.
This statistics is shown factor dropped by transformation at /proc/net/xfrm_stat for developer. It is a counter designed from current transformation source code and defined as linux private MIB. See Documentation/networking/xfrm_proc.txt for the detail. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- Documentation/networking/xfrm_proc.txt | 71 +++ include/linux/snmp.h | 31 ++ include/net/snmp.h |5 ++ include/net/xfrm.h | 18 ++ net/xfrm/Makefile |1 + net/xfrm/xfrm_policy.c | 24 net/xfrm/xfrm_proc.c | 96 7 files changed, 246 insertions(+), 0 deletions(-) diff --git a/Documentation/networking/xfrm_proc.txt b/Documentation/networking/xfrm_proc.txt new file mode 100644 index 000..ec9045b --- /dev/null +++ b/Documentation/networking/xfrm_proc.txt 
@@ -0,0 +1,71 @@ +XFRM proc - /proc/net/xfrm_* files +== +Masahide NAKAMURA <[EMAIL PROTECTED]> + + +Transformation Statistics +- +xfrm_proc is a statistics shown factor dropped by transformation +for developer. +It is a counter designed from current transformation source code +and defined like linux private MIB. + +Inbound statistics +~~ +XfrmInError: + All errors which is not matched others +XfrmInBufferError: + No buffer is left +XfrmInHdrError: + Header error +XfrmInNoStates: + No state is found + i.e. Either inbound SPI, address, or IPsec protocol at SA is wrong +XfrmInStateProtoError: + Transformation protocol specific error + e.g. SA key is wrong +XfrmInStateModeError: + Transformation mode specific error +XfrmInSeqOutOfWindow: + Sequence out of window +XfrmInStateExpired: + State is expired +XfrmInStateMismatch: + State has mismatch option + e.g. UDP encapsulation type is mismatch +XfrmInStateInvalid: + State is invalid +XfrmInTmplMismatch: + No matching template for states + e.g. Inbound SAs are correct but SP rule is wrong +XfrmInNoPols: + No policy is found for states + e.g. Inbound SAs are correct but no SP is found +XfrmInPolBlock: + Policy discards +XfrmInPolError: + Policy error + +Outbound errors +~~~ +XfrmOutError: + All errors which is not matched others +XfrmOutBundleGenError: + Bundle generation error +XfrmOutBundleCheckError: + Bundle check error +XfrmOutNoStates: + No state is found +XfrmOutStateProtoError: + Transformation protocol specific error +XfrmOutStateModeError: + Transformation mode specific error + e.g. Outer header space is not enough +XfrmOutStateExpired: + State is expired +XfrmOutPolBlock: + Policy discards +XfrmOutPolDead: + Policy is dead +XfrmOutPolError: + Policy error diff --git a/include/linux/snmp.h b/include/linux/snmp.h index 89f0c2b..86d3eff 100644 --- a/include/linux/snmp.h +++ b/include/linux/snmp.h 
@@ -217,4 +217,35 @@ enum __LINUX_MIB_MAX }; +/* linux Xfrm mib definitions */ +enum +{ + LINUX_MIB_XFRMNUM = 0, + LINUX_MIB_XFRMINERROR, /* XfrmInError */ + LINUX_MIB_XFRMINBUFFERERROR,/* XfrmInBufferError */ + LINUX_MIB_XFRMINHDRERROR, /* XfrmInHdrError */ + LINUX_MIB_XFRMINNOSTATES, /* XfrmInNoStates */ + LINUX_MIB_XFRMINSTATEPROTOERROR,/* XfrmInStateProtoError */ + LINUX_MIB_XFRMINSTATEMODEERROR, /* XfrmInStateModeError */ + LINUX_MIB_XFRMINSEQOUTOFWINDOW, /* XfrmInSeqOutOfWindow */ + LINUX_MIB_XFRMINSTATEEXPIRED, /* XfrmInStateExpired */ + LINUX_MIB_XFRMINSTATEMISMATCH, /* XfrmInStateMismatch */ + LINUX_MIB_XFRMINSTATEINVALID, /* XfrmInStateInvalid */ + LINUX_MIB_XFRMINTMPLMISMATCH, /* XfrmInTmplMismatch */ + LINUX_MIB_XFRMINNOPOLS, /* XfrmInNoPols */ + LINUX_MIB_XFRMINPOLBLOCK, /* XfrmInPolBlock */ + LINUX_MIB_XFRMINPOLERROR, /* XfrmInPolError */ + LINUX_MIB_XFRMOUTERROR, /* XfrmOutError */ + LINUX_MIB_XFRMOUTBUNDLEGENERROR,/* XfrmOutBundleGenError */ + LINUX_MIB_XFRMOUTBUNDLECHECKERROR, /* XfrmOutBundleCheckError */ + LINUX_MIB_XFRMOUTNOSTATES, /* XfrmOutNoStates */ + LINUX_MIB_XFRMOUTSTATEPROTOERROR, /* XfrmOutStateProtoError */ + LINUX_MIB_XFRMOUTSTATEMODEERROR,/* XfrmOutStateModeError */ + LINUX_MIB_XFRMOUTSTATEEXPIRED, /* XfrmOutStateExpired */ + LINUX_MIB_XFRMOUTPOLBLOCK, /* XfrmOutPolBlock */ + LINUX_MIB_XFRMOUTPOLDEAD, /* XfrmOutPolDead */ + LINUX_MIB_XFRMOUTPOLERROR, /* Xfr
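Review bot: in the Documentation/networking/xfrm_proc.txt hunk, the example under XfrmOutStateModeError ("Outer header space is not enough") points at the wrong check: header space is verified by xfrm_state_check_space() before the mode output function is called, so a shortage would surface there, not as a mode error (Herbert raises the same point later in this thread and the example is removed by a follow-up). Drop the example, and while editing that hunk reword "xfrm_proc is a statistics shown factor dropped by transformation for developer" to something like "these counters record why packets were dropped by the transformation code; they are meant for developers".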
[PATCH 3/3] [XFRM]: Add packet processing statistics option.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
---
 net/xfrm/Kconfig | 10 ++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig index 577a4f8..6b5b50f 100644 --- a/net/xfrm/Kconfig +++ b/net/xfrm/Kconfig @@ -35,6 +35,16 @@ config XFRM_MIGRATE If unsure, say N. +config XFRM_STATISTICS + bool "Transformation statistics (EXPERIMENTAL)" + depends on XFRM && PROC_FS && EXPERIMENTAL + ---help--- + This statistics is not a SNMP/MIB specification but shows + statistics about transformation error (or almost error) factor + at packet processing for developer. + + If unsure, say N. + config NET_KEY tristate "PF_KEY sockets" select XFRM -- 1.4.4.2
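Review bot: `depends on XFRM && PROC_FS && EXPERIMENTAL` misses INET: the statistics code initialised from xfrm_init() calls snmp_mib_init, and the build failure at the top of this page (`undefined reference to snmp_mib_init` with INET=n and XFRM_STATISTICS=y) is the result; add INET to the depends line, as the later CONFIG_INET dependency fix does. The help text should also read "These statistics are not an SNMP/MIB specification but show ..." rather than "This statistics is ...".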
[PATCH] [XFRM] IPv6: Fix dst/routing check at transformation.
IPv6 specific thing is wrongly removed from transformation at net-2.6.25. This patch recovers it with current design. o Update "path" of xfrm_dst since IPv6 transformation should care about routing changes. It is required by MIPv6 and off-link destined IPsec. o Rename nfheader_len which is for non-fragment transformation used by MIPv6 to rt6i_nfheader_len as IPv6 name space. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- include/net/ip6_fib.h |2 +- include/net/xfrm.h |3 +++ net/ipv4/xfrm4_policy.c |7 +++ net/ipv6/ip6_output.c |4 ++-- net/ipv6/xfrm6_policy.c | 17 + net/xfrm/xfrm_policy.c | 21 + 6 files changed, 51 insertions(+), 3 deletions(-) diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h index 14830ed..d8d85b1 100644 --- a/include/net/ip6_fib.h +++ b/include/net/ip6_fib.h @@ -101,7 +101,7 @@ struct rt6_info atomic_trt6i_ref; /* more non-fragment space at head required */ - unsigned short nfheader_len; + unsigned short rt6i_nfheader_len; u8 rt6i_protocol; diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 32b99e2..6df8253 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -242,6 +242,9 @@ struct xfrm_policy_afinfo { struct flowi *fl, int reverse); int (*get_tos)(struct flowi *fl); + int (*init_path)(struct xfrm_dst *path, +struct dst_entry *dst, +int nfheader_len); int (*fill_dst)(struct xfrm_dst *xdst, struct net_device *dev); }; diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 5ccae3a..656345f 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -84,6 +84,12 @@ static int xfrm4_get_tos(struct flowi *fl) return fl->fl4_tos; } +static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst, + int nfheader_len) +{ + return 0; +} + static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev) { struct rtable *rt = (struct rtable *)xdst->route; 
@@ -251,6 +257,7 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = { .find_bundle = __xfrm4_find_bundle, .decode_session = _decode_session4, .get_tos = xfrm4_get_tos, + .init_path =xfrm4_init_path, .fill_dst = xfrm4_fill_dst, }; diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 388a098..cb6bb89 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1126,7 +1126,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, sk->sk_sndmsg_page = NULL; sk->sk_sndmsg_off = 0; exthdrlen = rt->u.dst.header_len + (opt ? opt->opt_flen : 0) - - rt->nfheader_len; + rt->rt6i_nfheader_len; length += exthdrlen; transhdrlen += exthdrlen; } else { @@ -1141,7 +1141,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, hh_len = LL_RESERVED_SPACE(rt->u.dst.dev); - fragheaderlen = sizeof(struct ipv6hdr) + rt->nfheader_len + + fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len + (opt ? opt->opt_nflen : 0); maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr); diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index d26b7dc..cf373b4 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -98,6 +98,20 @@ static int xfrm6_get_tos(struct flowi *fl) return 0; } +static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst, + int nfheader_len) +{ + if (dst->ops->family == AF_INET6) { + struct rt6_info *rt = (struct rt6_info*)dst; + if (rt->rt6i_node) + path->path_cookie = rt->rt6i_node->fn_sernum; + } + + path->u.rt6.rt6i_nfheader_len = nfheader_len; + + return 0; +} + static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev) { struct rt6_info *rt = (struct rt6_info*)xdst->route; @@ -115,6 +129,8 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev) RTF_LOCAL); xdst->u.rt6.rt6i_metric = rt->rt6i_metric; xdst->u.rt6.rt6i_node = rt->rt6i_node; + if (rt->rt6i_node) +
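Review bot: in the net/ipv6/xfrm6_policy.c hunk the new cast `(struct rt6_info*)dst` should be written `(struct rt6_info *)dst` per kernel style. In the net/ipv4/xfrm4_policy.c hunk, xfrm4_init_path() silently ignores both `path` and `nfheader_len`; that is intended, since the changelog says the non-fragment header length is IPv6/MIPv6 specific, but a one-line comment in the stub saying so would stop someone "completing" it later.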
Re: [PATCH 6/7] [IPSEC]: Lock state when copying non-atomic fields to user-space
Herbert,

Monday 26 November 2007 20:07, Herbert Xu wrote:
> On Mon, Nov 26, 2007 at 11:18:45AM +0800, Herbert Xu wrote:
> >
> > I'm just going to revert this patch for 2.6.24 since we've lived
> > with this race for so long anyway.
>
> Actually, instead of reverting it completely I'm just going to
> remove the newly added locks which should be just as effective.
>
> This would reduce the churn in the code as we'd be putting most
> of it back soon anyway.

With the patch you sent, the xfrm_state_walk() issue I reported is solved at current net-2.6.25.

--
Masahide NAKAMURA
Re: [PATCH 6/7] [IPSEC]: Lock state when copying non-atomic fields to user-space
Hello Herbert,

Wednesday 10 October 2007 09:48, Herbert Xu wrote:
> On Tue, Oct 09, 2007 at 01:33:07PM -0700, David Miller wrote:
> >
> > I would be more careful with the changelog description for
> > something like this in the future. It sounds like this
> > patch will cause us to touch userspace with locks held,
> > which obviously only works in very limited scenarios
> > and is usually a BUG.
> >
> > But you're actually just constructing SKB response netlink
> > bits, which later will be copied into userspace but long
> > after we've released these locks.
>
> Good point. I should've said skb destined for user-spac

With an SMP enabled kernel, I found a lock problem at the xfrm_state_walk() path with the patch on current net-2.6.25.
Its log is "circular locking dependency detected".

As you might notice, to fix it possibly you should have either:

(1) Change xfrm_state_walk() as xfrm_state_flush() does:
    unlock just before accessing the state instance and increment its reference count, then call the hook.

or

(2) Change (or create new) hook functions for xfrm_state_walk() without any lock, since it is called while the global list lock (aka xfrm_state_lock) is held, i.e. af_key.c (dump_sa), xfrm_user.c (copy_to_user_state_extra).

Regards,
--
Masahide NAKAMURA
Re: [RFC][PATCH 0/3][XFRM]: Support packet processing error statistics.
Wednesday 24 October 2007 21:18, jamal wrote:
> On Wed, 2007-24-10 at 12:30 +0900, Masahide NAKAMURA wrote:
>
> > From the IPsec point of view, an "SPI mismatch" caused by user configuration
> > actually cannot be identified easily, since the identity of an SAD entry consists
> > of SPI, address and protocol (ESP/AH...) and the Linux SAD uses a hash database.
> > It is a database identity mismatch. So an SPI mismatch goes to "NoStates" in my patch.
> > OTOH a key mismatch goes to "ProtoError" since esp[46]_input returns an error.
>
> Would be useful to just document what you said above so that user doesnt
> have to interpret it.

OK, I will write it in the commit log then. If anybody has another place where such information should be written, tell me.

[snip]

> > > In any case, it seems to me to be more accurate to not call them MIB
> > > stats if they are not. This doesnt qualify using the macros, utilities
> > > etc used for MIBs.
> > >
> BTW, I meant "doesnt disqualify them" above;->

OK ;-)

Jamal, thanks for the many comments.

-- 
Masahide NAKAMURA
Re: [RFC][PATCH 0/3][XFRM]: Support packet processing error statistics.
Wednesday 24 October 2007 04:47, jamal wrote:
> On Tue, 2007-23-10 at 16:08 +0900, Masahide NAKAMURA wrote:
>
> > Thanks. I would like you to find items that are too much in my patch
> > for the statistics, too.
>
> I am not anywhere close to a machine where i can give you precise
> details to this; the one thing that sticks out in my brain cells is the
> SPI mismatch. This (in static setups) seemed to be the most common
> mistake i saw (other than a mismatched key). Your stats as you have them
> now and as is will catch both in one spot - which is a good start.

From the IPsec point of view, an "SPI mismatch" caused by user configuration actually cannot be identified easily, since the identity of an SAD entry consists of SPI, address and protocol (ESP/AH...) and the Linux SAD uses a hash database. It is a database identity mismatch. So an SPI mismatch goes to "NoStates" in my patch. OTOH a key mismatch goes to "ProtoError" since esp[46]_input returns an error.

> > This point is one of those I want to hear comments on.
> > My patch uses "XFRM_MIB_XXX" because I found the "LINUX_MIB_XXX" definition in
> > include/linux/snmp.h for TCP extended statistics in /proc/net/netstat and
> > it does not seem to be defined by any RFC specification.
>
> I thought those were part of some MIB somewhere. Doesnt RFC 4898 cover
> them?

Thanks for pointing out the RFC. I've read it; however, I cannot find them in the RFC.

> In any case, it seems to me to be more accurate to not call them MIB
> stats if they are not. This doesnt qualify using the macros, utilities
> etc used for MIBs.

How about regarding it as a "private MIB" of Linux?

> > Then I feel it is not so bad to
> > use _MIB_ for them. Maybe we have another idea to merge them into LINUX_MIB.
> >
> > Now we have the following candidates:
> >
> > (1) my patch            XFRM_MIB_INHDRERROR
> > (2) some extender       XFRM_XXX_INHDRERROR (XXX is requested)
> > (3) not-mib extender    XFRM_NOTMIB_INHDRERROR
> > (4) no extender         XFRM_INHDRERROR
> > (5) merge linux-mib     LINUX_MIB_XFRMINHDRERROR
> >
> > Comments?
>
> I am very tempted to say #4. And when you push this to be a real MIB
> stat then

Shouldn't we have something after XFRM_ to distinguish it from other XFRM macros?

> > > 2) Why /proc? Are you going to make these available also via netlink?
> >
> > Because /proc is easy to look at without any modified application.
> > If you want the netlink interface, I can do it as the next step. Do you
> > want it?
>
> Absolutely - it would be much appreciated. And if you dont have time, I
> will write and test the user space part extension.

Thanks. After my first step is completed, could you write the netlink part?

-- 
Masahide NAKAMURA
Re: [RFC][PATCH 0/3][XFRM]: Support packet processing error statistics.
Monday 22 October 2007 21:28, jamal wrote:
> On Mon, 2007-22-10 at 15:11 +0900, Masahide NAKAMURA wrote:
> > This patch introduces statistics about transformation error (or near-error)
> > factors at packet processing, for developers.
> > It is not an SNMP/MIB specification from IPsec/MIPv6 but a counter
> > designed from the current transformation source code.
> >
> > Comment please.
>
> very nice - these stats make IPSEC a lot more usable (I will go look and
> see if there's anything that i have used for debug before that you dont
> have and send you mail). Two comments:

Thanks. I would like you to find items that are too much in my patch for the statistics, too.

> 1) Since these are not MIB stats, it sounds like a good idea not to use
> _MIB_ extender in the naming. Maybe something like _NOTMIB_ ;-> or
> totally leave it out. One other approach is to push these to be a MIB at
> IETF since they are sensible to have.

This point is one of those I want to hear comments on. My patch uses "XFRM_MIB_XXX" because I found the "LINUX_MIB_XXX" definition in include/linux/snmp.h for TCP extended statistics in /proc/net/netstat and it does not seem to be defined by any RFC specification. Then I feel it is not so bad to use _MIB_ for them. Maybe we have another idea to merge them into LINUX_MIB.

Now we have the following candidates:

(1) my patch            XFRM_MIB_INHDRERROR
(2) some extender       XFRM_XXX_INHDRERROR (XXX is requested)
(3) not-mib extender    XFRM_NOTMIB_INHDRERROR
(4) no extender         XFRM_INHDRERROR
(5) merge linux-mib     LINUX_MIB_XFRMINHDRERROR

Comments?

> 2) Why /proc? Are you going to make these available also via netlink?

Because /proc is easy to look at without any modified application. If you want the netlink interface, I can do it as the next step. Do you want it?

-- 
Masahide NAKAMURA
Re: [RFC][PATCH 0/3][XFRM]: Support packet processing error statistics.
Monday 22 October 2007 17:50, Herbert Xu wrote:
> On Mon, Oct 22, 2007 at 03:11:06PM +0900, Masahide NAKAMURA wrote:
> > This patch introduces statistics about transformation error (or near-error)
> > factors at packet processing, for developers.
> > It is not an SNMP/MIB specification from IPsec/MIPv6 but a counter
> > designed from the current transformation source code.
> >
> > Comment please.
>
> Looks fine to me. But could you hold onto this for a few days?
> I'm in the process of merging the input paths of IPv4 and IPv6.
> Once that's done you'll only need to count things once rather
> than once for IPv4 and again for IPv6.

No problem, I'll rebase my patches on your work and resend them.

Regards,

-- 
Masahide NAKAMURA
[RFC][PATCH 1/3][XFRM]: Define packet processing statistics.
This statistics is shown as /proc/net/xfrm_stat about transformation error (or almost error) factor at packet processing for developer. It is not a SNMP/MIB specification but a counter designed from current transformation source code. - Inbound errors XfrmInError - all errors which is not matched others XfrmInBufferError - no buffer is left XfrmInHdrError- header error XfrmInNoStates- no state is found XfrmInStateProtoError - error at transformation protocol XfrmInStateModeError - error at transformation mode XfrmInSeqOutOfWindow - sequence out of window XfrmInStateExpired- state is expired XfrmInStateMismatch - state has mismatch option XfrmInStateInvalid- state is invalid XfrmInTmplMismatch- no matching template for states XfrmInNoPols - no policy is found for states XfrmInPolBlock- policy discards XfrmInPolError- policy error - Outbound errors XfrmOutError - all errors which is not matched others XfrmOutLengthError- length error XfrmOutBundleError- error at bundle XfrmOutNoStates - no state is found XfrmOutStateProtoError- error at transformation protocol XfrmOutStateModeError - error at transformation mode XfrmOutStateExpired - state expired XfrmOutPolBlock - policy discards XfrmOutPolError - policy error Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- include/linux/snmp.h | 30 +++ include/net/snmp.h |5 ++ include/net/xfrm.h | 17 net/xfrm/Makefile |1 + net/xfrm/xfrm_policy.c | 35 + net/xfrm/xfrm_proc.c | 96 6 files changed, 184 insertions(+), 0 deletions(-) diff --git a/include/linux/snmp.h b/include/linux/snmp.h index 89f0c2b..3fc89f4 100644 --- a/include/linux/snmp.h +++ b/include/linux/snmp.h 
@@ -217,4 +217,34 @@ enum __LINUX_MIB_MAX }; +/* xfrm mib definitions */ +enum +{ + XFRM_MIB_NUM = 0, + XFRM_MIB_INERROR, /* XfrmInError */ + XFRM_MIB_INBUFFERERROR, /* XfrmInBufferError */ + XFRM_MIB_INHDRERROR,/* XfrmInHdrError */ + XFRM_MIB_INNOSTATES,/* XfrmInNoStates */ + XFRM_MIB_INSTATEPROTOERROR, /* XfrmInStateProtoError */ + XFRM_MIB_INSTATEMODEERROR, /* XfrmInStateModeError */ + XFRM_MIB_INSEQOUTOFWINDOW, /* XfrmInSeqOutOfWindow */ + XFRM_MIB_INSTATEEXPIRED,/* XfrmInStateExpired */ + XFRM_MIB_INSTATEMISMATCH, /* XfrmInStateMismatch */ + XFRM_MIB_INSTATEINVALID,/* XfrmInStateInvalid */ + XFRM_MIB_INTMPLMISMATCH,/* XfrmInTmplMismatch */ + XFRM_MIB_INNOPOLS, /* XfrmInNoPols */ + XFRM_MIB_INPOLBLOCK,/* XfrmInPolBlock */ + XFRM_MIB_INPOLERROR,/* XfrmInPolError */ + XFRM_MIB_OUTERROR, /* XfrmOutError */ + XFRM_MIB_OUTLENGTHERROR,/* XfrmOutLengthError */ + XFRM_MIB_OUTBUNDLEERROR,/* XfrmOutBundleError */ + XFRM_MIB_OUTNOSTATES, /* XfrmOutNoStates */ + XFRM_MIB_OUTSTATEPROTOERROR,/* XfrmOutStateProtoError */ + XFRM_MIB_OUTSTATEMODEERROR, /* XfrmOutStateModeError */ + XFRM_MIB_OUTSTATEEXPIRED, /* XfrmOutStateExpired */ + XFRM_MIB_OUTPOLBLOCK, /* XfrmOutPolBlock */ + XFRM_MIB_OUTPOLERROR, /* XfrmOutPolError */ + __XFRM_MIB_MAX +}; + #endif /* _LINUX_SNMP_H */ diff --git a/include/net/snmp.h b/include/net/snmp.h index ea206bf..37bcf19 100644 --- a/include/net/snmp.h +++ b/include/net/snmp.h @@ -117,6 +117,11 @@ struct linux_mib { unsigned long mibs[LINUX_MIB_MAX]; }; +/* Xfrm */ +#define XFRM_MIB_MAX __XFRM_MIB_MAX +struct xfrm_mib { + unsigned long mibs[XFRM_MIB_MAX]; +}; /* * FIXME: On x86 and some other CPUs the split into user and softirq parts diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 688f6f5..679d915 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -19,6 +19,9 @@ #include #include #include +#ifdef CONFIG_XFRM_STATISTICS +#include +#endif #define XFRM_PROTO_ESP 50 #define XFRM_PROTO_AH 51 
@@ -34,6 +37,17 @@ #define MODULE_ALIAS_XFRM_TYPE(family, proto) \ MODULE_ALIAS("xfrm-type-" __stringify(family) "-" __stringify(proto)) +#ifdef CONFIG_XFRM_STATISTICS +DECLARE_SNMP_STAT(struct xfrm_mib, xfrm_statistics); +#define XFRM_INC_STATS(field) SNMP_INC_STATS(xfrm_statistics, field) +#define XFRM_INC_STATS_BH(field) SNMP_INC_STATS_BH(xfrm_statistics, field) +#define XFRM_INC_STATS_USER(field) SNMP_INC_STATS_USER(xfrm_statistics, field) +#else +#define XFRM_INC_STATS(field) +#define XFRM_INC_STATS_BH(field) +#define XFRM_INC_STATS_USER(field) +#endif + extern struct
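Review bot: the enum in the include/linux/snmp.h hunk lands in a user-visible header, so the counter names and their positions become ABI for anything that reads /proc/net/xfrm_stat or a later netlink export; the naming question still open in this thread (XFRM_MIB_ vs. XFRM_NOTMIB_ vs. plain XFRM_) is better settled before the header ships than after.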
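Review bot: in the include/net/xfrm.h hunk the disabled-statistics variants expand to nothing, so `XFRM_INC_STATS(f);` leaves a bare `;` and a call used as the sole body of a brace-less `if` draws -Wempty-body warnings in that configuration; expanding the three stubs to `do { } while (0)` keeps both configurations syntactically identical.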
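The counters declared above are meant to be read from /proc/net/xfrm_stat. As an added example, not code from the patch or the kernel, here is a small C monitor that parses two constructed snapshots (the "Name<whitespace>value" line layout is an assumption of this example), computes per-counter deltas, and raises an alert when the inbound out-of-window counter rises between samples. The counter names are the ones listed in the commit message; everything else is constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the patch: monitor the /proc/net/xfrm_stat counters.
 * The "Name<whitespace>value" line layout is an assumption of this example. */
#define MAX_COUNTERS 32

struct xfrm_counter { char name[32]; unsigned long value; };
struct xfrm_stat_snapshot { struct xfrm_counter c[MAX_COUNTERS]; int n; };

/* Parse one snapshot. Returns the number of counters read, or -1 on a
 * malformed line; blank lines are skipped. */
int parse_xfrm_stat(const char *text, struct xfrm_stat_snapshot *snap)
{
    snap->n = 0;
    while (*text != '\0' && snap->n < MAX_COUNTERS) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[96];

        if (len >= sizeof line)
            return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (len > 0) {
            struct xfrm_counter *cnt = &snap->c[snap->n];
            if (sscanf(line, "%31s %lu", cnt->name, &cnt->value) != 2)
                return -1;
            snap->n++;
        }
        text = eol ? eol + 1 : text + len;
    }
    return snap->n;
}

static int lookup(const struct xfrm_stat_snapshot *snap, const char *name,
                  unsigned long *value)
{
    for (int i = 0; i < snap->n; i++)
        if (strcmp(snap->c[i].name, name) == 0) {
            *value = snap->c[i].value;
            return 1;
        }
    return 0;
}

/* Increase of a counter between two snapshots. Counters only grow, so a
 * missing name or a value that went down (reboot, bad parse) yields -1. */
long xfrm_stat_delta(const struct xfrm_stat_snapshot *before,
                     const struct xfrm_stat_snapshot *after, const char *name)
{
    unsigned long b, a;

    if (!lookup(before, name, &b) || !lookup(after, name, &a) || a < b)
        return -1;
    return (long)(a - b);
}

/* Alert when out-of-window sequence numbers rose by at least `threshold`:
 * a sustained rise means replayed packets or a peer with broken sequence
 * numbers, and either deserves an operator's attention. */
int replay_alert(const struct xfrm_stat_snapshot *before,
                 const struct xfrm_stat_snapshot *after, long threshold)
{
    return xfrm_stat_delta(before, after, "XfrmInSeqOutOfWindow") >= threshold;
}

/* Two constructed snapshots in the assumed layout (not real kernel output). */
static const char SAMPLE_T0[] =
    "XfrmInError             \t0\n"
    "XfrmInNoStates          \t3\n"
    "XfrmInSeqOutOfWindow    \t0\n"
    "XfrmInStateMismatch     \t1\n"
    "XfrmOutNoStates         \t0\n";
static const char SAMPLE_T1[] =
    "XfrmInError             \t0\n"
    "XfrmInNoStates          \t3\n"
    "XfrmInSeqOutOfWindow    \t250\n"
    "XfrmInStateMismatch     \t1\n"
    "XfrmOutNoStates         \t0\n";

/* Helpers over the constructed samples; -2 if a sample fails to parse. */
long sample_delta(const char *name)
{
    struct xfrm_stat_snapshot t0, t1;

    if (parse_xfrm_stat(SAMPLE_T0, &t0) != 5 || parse_xfrm_stat(SAMPLE_T1, &t1) != 5)
        return -2;
    return xfrm_stat_delta(&t0, &t1, name);
}

int sample_alert(long threshold)
{
    struct xfrm_stat_snapshot t0, t1;

    if (parse_xfrm_stat(SAMPLE_T0, &t0) != 5 || parse_xfrm_stat(SAMPLE_T1, &t1) != 5)
        return -2;
    return replay_alert(&t0, &t1, threshold);
}

int main(void)
{
    printf("XfrmInSeqOutOfWindow +%ld\n", sample_delta("XfrmInSeqOutOfWindow"));
    if (sample_alert(100))
        printf("ALERT: inbound replay-window failures rising\n");
    return 0;
}
```

A real deployment would read the file twice with an interval in between instead of the embedded samples; the delta logic is the part that matters, since the absolute values of monotonic counters say nothing about what happened during the last interval.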
[RFC][PATCH 2/3][XFRM]: Support to increment packet processing statistics.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv4/xfrm4_input.c | 48 +++- net/ipv4/xfrm4_output.c |4 ++- net/ipv6/xfrm6_input.c | 56 -- net/ipv6/xfrm6_output.c |4 ++- net/xfrm/xfrm_output.c | 19 +++--- net/xfrm/xfrm_policy.c | 61 +- 6 files changed, 148 insertions(+), 44 deletions(-) diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index 5e95c8a..956e093 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c 
@@ -45,36 +45,52 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, unsigned int nhoff = offsetof(struct iphdr, protocol); seq = 0; - if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0) + if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0) { + XFRM_INC_STATS(XFRM_MIB_INHDRERROR); goto drop; + } do { const struct iphdr *iph = ip_hdr(skb); - if (xfrm_nr == XFRM_MAX_DEPTH) + if (xfrm_nr == XFRM_MAX_DEPTH) { + XFRM_INC_STATS(XFRM_MIB_INBUFFERERROR); goto drop; + } x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, nexthdr, AF_INET); - if (x == NULL) + if (x == NULL) { + XFRM_INC_STATS(XFRM_MIB_INNOSTATES); goto drop; + } spin_lock(&x->lock); - if (unlikely(x->km.state != XFRM_STATE_VALID)) + if (unlikely(x->km.state != XFRM_STATE_VALID)) { + XFRM_INC_STATS(XFRM_MIB_INSTATEINVALID); goto drop_unlock; + } - if ((x->encap ? x->encap->encap_type : 0) != encap_type) + if ((x->encap ? x->encap->encap_type : 0) != encap_type) { + XFRM_INC_STATS(XFRM_MIB_INSTATEMISMATCH); goto drop_unlock; + } - if (x->props.replay_window && xfrm_replay_check(x, seq)) + if (x->props.replay_window && xfrm_replay_check(x, seq)) { + XFRM_INC_STATS(XFRM_MIB_INSEQOUTOFWINDOW); goto drop_unlock; + } - if (xfrm_state_check_expire(x)) + if (xfrm_state_check_expire(x)) { + XFRM_INC_STATS(XFRM_MIB_INSTATEEXPIRED); goto drop_unlock; + } nexthdr = x->type->input(x, skb); - if (nexthdr <= 0) + if (nexthdr <= 0) { + XFRM_INC_STATS(XFRM_MIB_INSTATEPROTOERROR); goto drop_unlock; + } skb_network_header(skb)[nhoff] = nexthdr; @@ -91,8 +107,10 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, xfrm_vec[xfrm_nr++] = x; - if (x->outer_mode->input(x, skb)) + if (x->outer_mode->input(x, skb)) { + XFRM_INC_STATS(XFRM_MIB_INSTATEMODEERROR); goto drop; + } if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) { decaps = 1; 
@@ -100,8 +118,10 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, } err = xfrm_parse_spi(skb, nexthdr, &spi, &seq); - if (err < 0) + if (err < 0) { + XFRM_INC_STATS(XFRM_MIB_INHDRERROR); goto drop; + } } while (!err); /* Allocate new secpath or COW existing one. */ @@ -109,14 +129,18 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { struct sec_path *sp; sp = secpath_dup(skb->sp); - if (!sp) + if (!sp) { + XFRM_INC_STATS(XFRM_MIB_INERROR); goto drop; + } if (skb->sp) secpath_put(skb->sp); skb->sp = sp; } - if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH) + if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH) { + XFRM_INC_STATS(XFRM_MIB_INBUFFERERROR); goto drop; + } memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec, xfrm_nr * sizeof(xfrm_vec[0])); diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index c4a7156..9d1d7b9
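Review bot: the xfrm4_rcv_encap hunks use XFRM_INC_STATS for every increment, but this function runs in the softirq receive path, so the XFRM_INC_STATS_BH variant defined in patch 1/3 is the matching one and saves the context test on each drop.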
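Review bot: in the secpath hunk (`sp = secpath_dup(skb->sp); if (!sp) { XFRM_INC_STATS(XFRM_MIB_INERROR); ... }`) an allocation failure is counted as the catch-all XfrmInError, while the XFRM_MAX_DEPTH overflow just below is counted as XfrmInBufferError, which patch 1/3 describes as "no buffer is left"; either count the secpath_dup() failure as a buffer error as well or document what distinguishes the two, since an operator debugging drops cannot otherwise tell them apart.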
[RFC][PATCH 3/3][XFRM]: Add packet processing statistics option.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/xfrm/Kconfig | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig index 577a4f8..6b5b50f 100644 --- a/net/xfrm/Kconfig +++ b/net/xfrm/Kconfig @@ -35,6 +35,16 @@ config XFRM_MIGRATE If unsure, say N. +config XFRM_STATISTICS + bool "Transformation statistics (EXPERIMENTAL)" + depends on XFRM && PROC_FS && EXPERIMENTAL + ---help--- + This statistics is not a SNMP/MIB specification but shows + statistics about transformation error (or almost error) factor + at packet processing for developer. + + If unsure, say N. + config NET_KEY tristate "PF_KEY sockets" select XFRM -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
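Review bot: the help text in the Kconfig hunk reads awkwardly ("This statistics is not a SNMP/MIB specification but shows statistics about ... factor"); suggest something like "These counters are not part of any SNMP/MIB specification; they record transformation errors (and near-errors) seen during packet processing, for developers." Also, `depends on XFRM && PROC_FS && EXPERIMENTAL` covers the /proc output but not the SNMP helpers the counters are declared with (DECLARE_SNMP_STAT in patch 1/3), which live in the INET code; a build with INET disabled and this option enabled is worth testing before merge.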
[RFC][PATCH 0/3][XFRM]: Support packet processing error statistics.
This patch introduces statistics about transformation error (or near-error) factors at packet processing, for developers. It is not an SNMP/MIB specification from IPsec/MIPv6 but a counter designed from the current transformation source code.

Comment please.
[PATCH] [IPSEC] IPV6: Fix to add tunnel mode SA correctly.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/ah6.c |1 + net/ipv6/esp6.c |1 + 2 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 67cd066..66a9139 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -483,6 +483,7 @@ static int ah6_init_state(struct xfrm_state *x) break; case XFRM_MODE_TUNNEL: x->props.header_len += sizeof(struct ipv6hdr); + break; default: goto error; } diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index b071543..72a6598 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -360,6 +360,7 @@ static int esp6_init_state(struct xfrm_state *x) break; case XFRM_MODE_TUNNEL: x->props.header_len += sizeof(struct ipv6hdr); + break; default: goto error; } -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
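Review bot: in the ah6_init_state hunk the missing `break` sent XFRM_MODE_TUNNEL straight into `default: goto error;`, so every IPv6 AH tunnel-mode SA was rejected at creation after header_len had already been adjusted; the one-line fix is right, and the changelog should say that tunnel-mode SA creation failed rather than only "Fix to add tunnel mode SA correctly".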
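Review bot: the esp6_init_state hunk is the identical fallthrough; since both switch statements have the same shape, a short comment on the `default:` arm noting that every handled mode must end in `break` would keep the next mode addition from repeating this.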
Re: [2.6 patch] __inet6_csk_dst_store(): fix check-after-use
On Sun, 14 Oct 2007 19:52:12 +0200 Adrian Bunk <[EMAIL PROTECTED]> wrote:
> The Coverity checker spotted that we have already oops'ed if "dst"
> was NULL.
>
> Since "dst" being NULL doesn't seem to be possible at this point this
> patch removes the NULL check.
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>

Agreed.

Acked-by: Masahide NAKAMURA <[EMAIL PROTECTED]>

-- 
Masahide NAKAMURA
Re: [-mm patch] IPV6 must select XFRM
Hello, On Sun, 2 Sep 2007 13:25:57 +0200 Adrian Bunk <[EMAIL PROTECTED]> wrote: > On Fri, Aug 31, 2007 at 09:58:22PM -0700, Andrew Morton wrote: > >... > > Changes since 2.6.23-rc3-mm1: > >... > > git-net.patch > >... > > git trees > >... > > This patch fixes the following compile error: > > <-- snip --> > > ... > LD .tmp_vmlinux1 > net/built-in.o: In function `inet6_csk_xmit': > (.text+0x72b0f): undefined reference to `flow_cache_genid' > net/built-in.o: In function `inet6_csk_xmit': > (.text+0x72be5): undefined reference to `flow_cache_genid' > make[1]: *** [.tmp_vmlinux1] Error 1 > > <-- snip --> > > Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]> > > --- > --- a/net/ipv6/Kconfig > +++ b/net/ipv6/Kconfig > @@ -5,6 +5,7 @@ > # IPv6 as module will cause a CRASH if you try to unload it > config IPV6 > tristate "The IPv6 protocol" > + select XFRM > default m > ---help--- > This is complemental support for the IP version 6. > > - Thank you for catching this. the issue is caused with patch "[IPV6] XFRM: Fix connected socket to use transformation." which I sent to netdev. (a85d5450ddeb959bdf9e4603f9c06e9d79217cfa on net-2.6.24). I'd prefer to modify the original patch to use "ifdef CONFIG_XFRM" than changing kernel config depends. Does it make sense? Please review the attached patch. -- Masahide NAKAMURA 0001-PATCH-IPV6-XFRM-Fix-dependency-issue-at-inet6_csk_xmit.txt Description: Binary data
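Review bot: `select XFRM` in the quoted net/ipv6/Kconfig hunk fixes the link error but forces the whole transformation framework into every IPv6 build; the undefined symbol is flow_cache_genid, which is referenced only by the new __inet6_csk_dst_check()/__inet6_csk_dst_store() helpers in inet6_connection_sock.c, so guarding that code with `#ifdef CONFIG_XFRM` (as the reply proposes) keeps IPv6 buildable without XFRM and matches the existing dependency direction.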
[PATCH 1/2] [IPV6] IPSEC: Omit redirect for tunnelled packet.
IPv6 IPsec tunnel gateway incorrectly sends redirect to router or sender when network device the IPsec tunnelled packet is arrived is the same as the one the decapsulated packet is sent. With this patch, it omits to send the redirect when the forwarding skbuff carries secpath, since such skbuff should be assumed as a decapsulated packet from IPsec tunnel by own. It may be a rare case for an IPsec security gateway, however it is not rare when the gateway is MIPv6 Home Agent since the another tunnel end-point is Mobile Node and it changes the attached network. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/ip6_output.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 5dead39..07b82c2 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -441,8 +441,10 @@ int ip6_forward(struct sk_buff *skb) /* IPv6 specs say nothing about it, but it is clear that we cannot send redirects to source routed frames. + We don't send redirects to frames decapsulated from IPsec. */ - if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0) { + if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 && + !skb->sp) { struct in6_addr *target = NULL; struct rt6_info *rt; struct neighbour *n = dst->neighbour; -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
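Review bot: the comment added in the ip6_forward hunk says redirects are withheld for frames "decapsulated from IPsec", but `!skb->sp` is true for any packet that passed an inbound transformation, transport mode included, not only tunnel decapsulation; either reword the comment to match the check or, if the narrower condition is intended, test the outer mode of the secpath entries (the XFRM_MODE_FLAG_TUNNEL bit on x->outer_mode that the xfrm4_input path checks) instead of the bare secpath pointer.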
[PATCH 2/2] [IPV4] IPSEC: Omit redirect for tunnelled packet.
IPv4 IPsec tunnel gateway incorrectly sends redirect to sender if it is onlink host when network device the IPsec tunnelled packet is arrived is the same as the one the decapsulated packet is sent. With this patch, it omits to send the redirect when the forwarding skbuff carries secpath, since such skbuff should be assumed as a decapsulated packet from IPsec tunnel by own. Request for comments: Alternatively we'd have another way to change net/ipv4/route.c (__mkroute_input) to use RTCF_DOREDIRECT flag unless skbuff has no secpath. It is better than this patch at performance point of view because IPv4 redirect judgement is done at routing slow-path. However, it should be taken care of resource changes between SAD(XFRM states) and routing table. In other words, When IPv4 SAD is changed does the related routing entry go to its slow-path? If not, it is reasonable to apply this patch. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv4/ip_forward.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c index 8c95cf0..afbf938 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c @@ -105,7 +105,7 @@ int ip_forward(struct sk_buff *skb) * We now generate an ICMP HOST REDIRECT giving the route * we calculated. */ - if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr) + if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb->sp) ip_rt_send_redirect(skb); skb->priority = rt_tos2priority(iph->tos); -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
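Review bot: the per-packet `!skb->sp` test in the ip_forward hunk answers the question raised in the message itself: unlike folding the decision into RTCF_DOREDIRECT in the route entry, it is evaluated on every forwarded packet, so a SAD/SPD change takes effect immediately without the routing cache having to be invalidated; the cost is one pointer test on the fast path. Parenthesising `(rt->rt_flags & RTCF_DOREDIRECT)` would also make the precedence obvious now that the condition has three terms.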
[PATCH] [IPV6] XFRM: Fix connected socket to use transformation.
When XFRM policy and state are ready after TCP connection is started, the traffic should be transformed immediately, however it does not on IPv6 TCP. It depends on a dst cache replacement policy with connected socket. It seems that the replacement is always done for IPv4, however, on IPv6 case it is done only when routing cookie is changed. This patch fix that non-transformation dst can be changed to transformation one. This behavior is required by MIPv6 and improves IPv6 IPsec. Signed-off-by: Noriaki TAKAMIYA <[EMAIL PROTECTED]> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- include/net/ip6_fib.h|2 ++ net/ipv6/inet6_connection_sock.c | 34 -- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h index c48ea87..85d6d9f 100644 --- a/include/net/ip6_fib.h +++ b/include/net/ip6_fib.h @@ -105,6 +105,8 @@ struct rt6_info struct rt6key rt6i_src; u8 rt6i_protocol; + + u32 rt6i_flow_cache_genid; }; static inline struct inet6_dev *ip6_dst_idev(struct dst_entry *dst) diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c index 116f94a..f389322 100644 --- a/net/ipv6/inet6_connection_sock.c +++ b/net/ipv6/inet6_connection_sock.c 
@@ -139,6 +139,36 @@ void inet6_csk_addr2sockaddr(struct sock *sk, struct sockaddr * uaddr) EXPORT_SYMBOL_GPL(inet6_csk_addr2sockaddr); +static inline +void __inet6_csk_dst_store(struct sock *sk, struct dst_entry *dst, + struct in6_addr *daddr, struct in6_addr *saddr) +{ + struct rt6_info *rt = (struct rt6_info *)dst; + + __ip6_dst_store(sk, dst, daddr, saddr); + rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid); +} + +static inline +struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie) +{ + struct dst_entry *dst; + struct rt6_info *rt; + + dst = __sk_dst_check(sk, cookie); + if (!dst) + goto end; + + rt = (struct rt6_info *)dst; + if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) { + sk->sk_dst_cache = NULL; + dst_release(dst); + dst = NULL; + } + end: + return dst; +} + int inet6_csk_xmit(struct sk_buff *skb, int ipfragok) { struct sock *sk = skb->sk; @@ -166,7 +196,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok) final_p = &final; } - dst = __sk_dst_check(sk, np->dst_cookie); + dst = __inet6_csk_dst_check(sk, np->dst_cookie); if (dst == NULL) { int err = ip6_dst_lookup(sk, &dst, &fl); @@ -186,7 +216,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok) return err; } - __ip6_dst_store(sk, dst, NULL, NULL); + __inet6_csk_dst_store(sk, dst, NULL, NULL); } skb->dst = dst_clone(dst); -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
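Review bot: the ip6_fib.h hunk grows every rt6_info by a u32 to carry rt6i_flow_cache_genid, yet the value is only consulted per socket in __inet6_csk_dst_check(); storing the generation next to np->dst_cookie in the socket's ipv6_pinfo would avoid writing to a route entry shared by many sockets and leave the route structure unchanged.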
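Review bot: the inet6_connection_sock.c hunk reads `flow_cache_genid` unconditionally, a symbol that exists only when XFRM is built (the "IPV6 must select XFRM" thread above is the resulting link error with XFRM=n); wrap the two helpers in `#ifdef CONFIG_XFRM` with a fallback to __sk_dst_check()/__ip6_dst_store(), or state the dependency explicitly.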
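A user-space model of the generation check in the inet6_connection_sock.c hunk above, written as an added example (not the kernel's code). flow_cache_genid, dst_entry, sock and the lookup function here are stand-ins constructed for the example; installing a policy is modelled as one call that bumps the generation, and `check_genid` switches between the old behaviour (keep the cached route) and the patched one (revalidate it).

```c
#include <stdlib.h>

/* Added example: a user-space model of the generation check added to
 * inet6_csk_xmit(). Every name here is a constructed stand-in for the
 * kernel object of the same name, not the kernel's code. */

/* Bumped whenever an XFRM policy is added or removed (kernel: flow_cache_genid). */
static unsigned int flow_cache_genid;
/* Whether a policy now covers this flow; decides what a fresh lookup returns. */
static int policy_installed;

struct dst_entry {
    int refcnt;
    unsigned int genid;   /* stand-in for rt6i_flow_cache_genid */
    int transformed;      /* 1 when the route runs through an SA */
};

struct sock {
    struct dst_entry *sk_dst_cache;
};

static void dst_release(struct dst_entry *dst)
{
    if (--dst->refcnt == 0)
        free(dst);
}

/* Route lookup stand-in: a new entry, transformed iff a policy matches. */
static struct dst_entry *ip6_dst_lookup(void)
{
    struct dst_entry *dst = calloc(1, sizeof *dst);

    if (!dst)
        abort();
    dst->refcnt = 1;
    dst->transformed = policy_installed;
    return dst;
}

void xfrm_policy_install(void)
{
    policy_installed = 1;
    flow_cache_genid++;          /* invalidates every cached route */
}

/* __inet6_csk_dst_store(): cache the route and stamp it with the generation. */
void csk_dst_store(struct sock *sk, struct dst_entry *dst)
{
    dst->refcnt++;
    dst->genid = flow_cache_genid;
    sk->sk_dst_cache = dst;
}

/* __inet6_csk_dst_check(): hand back the cached route unless policy changed
 * since it was stored, in which case drop it so the caller looks up again. */
struct dst_entry *csk_dst_check(struct sock *sk, int check_genid)
{
    struct dst_entry *dst = sk->sk_dst_cache;

    if (dst && check_genid && dst->genid != flow_cache_genid) {
        sk->sk_dst_cache = NULL;
        dst_release(dst);
        dst = NULL;
    }
    return dst;
}

/* One transmit; returns whether the route used was transformed. */
int csk_xmit(struct sock *sk, int check_genid)
{
    struct dst_entry *dst = csk_dst_check(sk, check_genid);

    if (!dst) {
        dst = ip6_dst_lookup();
        csk_dst_store(sk, dst);
        dst_release(dst);        /* the socket now holds its own reference */
    }
    return dst->transformed;
}

/* Scenario: connect before any policy exists, install one, send again.
 * Returns the transformed flag of the second send, or -1 if the first
 * send was unexpectedly transformed. With check_genid == 0 the socket
 * keeps using the stale plaintext route, which is the bug being fixed. */
int demo_transformed_after_policy(int check_genid)
{
    struct sock sk = { NULL };
    int first, second;

    policy_installed = 0;
    first = csk_xmit(&sk, check_genid);
    xfrm_policy_install();
    second = csk_xmit(&sk, check_genid);

    if (sk.sk_dst_cache)
        dst_release(sk.sk_dst_cache);
    return first ? -1 : second;
}
```

The security point the model makes explicit: without the generation check, a connection opened before the policy was installed keeps sending in the clear for as long as its cached route survives, even though the administrator believes the traffic is now protected.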
[PATCH] [XFRM] : Fix pointer copy size for encap_tmpl and coaddr.
This is minor fix about sizeof argument using with kmemdup(). Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/xfrm/xfrm_user.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 0b8491f..46076f5 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -299,14 +299,14 @@ static struct xfrm_state *xfrm_state_construct(struct xfrm_usersa_info *p, if (attrs[XFRMA_ENCAP]) { x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]), - sizeof(x->encap), GFP_KERNEL); + sizeof(*x->encap), GFP_KERNEL); if (x->encap == NULL) goto error; } if (attrs[XFRMA_COADDR]) { x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]), - sizeof(x->coaddr), GFP_KERNEL); + sizeof(*x->coaddr), GFP_KERNEL); if (x->coaddr == NULL) goto error; } -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
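Review bot: the fix in this hunk is correct and more than minor: `sizeof(x->encap)` is the size of the pointer (4 or 8 bytes), so kmemdup() allocated and copied only that much of the xfrm_encap_tmpl / xfrm_address_t payload, and later reads of x->encap->encap_oa or of *x->coaddr ran past the end of a small kmalloc object. Worth saying in the changelog that this was an out-of-bounds read, and worth confirming that the attribute length has been validated against sizeof(*x->encap) and sizeof(*x->coaddr) before the copy, so that kmemdup() never reads past the netlink payload either.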
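To show why the one-character change matters, here is an added example (not the kernel's code): a constructed stand-in for struct xfrm_encap_tmpl and a check of how much of it survives a copy sized with sizeof(pointer) versus sizeof(*pointer). The field layout is an approximation made for the example; the port values and address bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not kernel code: a constructed stand-in for the kernel's
 * struct xfrm_encap_tmpl (type, source and destination port, outer address). */
struct encap_tmpl {
    uint16_t encap_type;
    uint16_t encap_sport;
    uint16_t encap_dport;
    uint8_t  encap_oa[16];   /* stand-in for xfrm_address_t */
};

/* The expression the patch removes: the size of a pointer, 4 or 8 bytes
 * regardless of what it points to. */
size_t buggy_copy_len(const struct encap_tmpl *tmpl)
{
    return sizeof(tmpl);
}

/* The expression the patch adds: the size of the object the pointer refers to. */
size_t fixed_copy_len(const struct encap_tmpl *tmpl)
{
    return sizeof(*tmpl);
}

/* Simulate what a consumer sees after a kmemdup() of `copy_len` bytes. The
 * destination is pre-zeroed so the experiment reads no memory outside the
 * copy; in the kernel those bytes would be whatever follows a short kmalloc
 * object, i.e. an out-of-bounds read. Returns 1 when every field survives. */
int copy_preserves_template(size_t copy_len)
{
    struct encap_tmpl src, dst;

    memset(&src, 0, sizeof src);
    src.encap_type = 2;                      /* constructed values */
    src.encap_sport = 4500;
    src.encap_dport = 4500;
    memset(src.encap_oa, 0xAB, sizeof src.encap_oa);

    memset(&dst, 0, sizeof dst);
    if (copy_len > sizeof dst)
        return 0;
    memcpy(&dst, &src, copy_len);
    return memcmp(&src, &dst, sizeof src) == 0;
}

/* How many bytes of the outer address a pointer-sized copy actually carries:
 * 2 on a 64-bit build, 0 on a 32-bit one, out of 16. */
size_t outer_address_bytes_copied(void)
{
    size_t hdr = offsetof(struct encap_tmpl, encap_oa);
    size_t n = sizeof(void *);

    return n > hdr ? n - hdr : 0;
}
```

Because kmemdup() allocates exactly the length it is asked to copy, the short copy was also a short allocation: the struct's remaining fields were not merely stale, they lived outside the object, which is why this class of sizeof mix-up is worth a compiler warning or a review checklist item rather than a "minor fix" label.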
[PATCH 0/3] [IPROUTE2] ip command updates
Hello,

There are updates for the ip command. They are almost all minor fixes and are not changes for 2.6.23 new features. Please apply if it is not too late for the next release.

-- 
Masahide NAKAMURA
[PATCH 3/3] [IPROUTE2] ip: xfrm: Fix flush message.
Fix xfrm state or policy flush message. And minor updates are included: o Use static buffer to show unknown value as string. o Show policy type (ptype) only when kernel specified it. o Clean-up xfrm_monitor. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/ipxfrm.c | 48 + ip/xfrm.h |1 + ip/xfrm_monitor.c | 122 +--- ip/xfrm_state.c |1 - 4 files changed, 117 insertions(+), 55 deletions(-) diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index 359a2d2..80dbb52 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -114,6 +114,7 @@ struct typeent { static const struct typeent xfrmproto_types[]= { { "esp", IPPROTO_ESP }, { "ah", IPPROTO_AH }, { "comp", IPPROTO_COMP }, { "route2", IPPROTO_ROUTING }, { "hao", IPPROTO_DSTOPTS }, + { "ipsec-any", IPSEC_PROTO_ANY }, { NULL, -1 } }; @@ -135,6 +136,7 @@ int xfrm_xfrmproto_getbyname(char *name) const char *strxf_xfrmproto(__u8 proto) { + static char str[16]; int i; for (i = 0; ; i++) { @@ -146,7 +148,8 @@ const char *strxf_xfrmproto(__u8 proto) return t->t_name; } - return NULL; + sprintf(str, "%u", proto); + return str; } static const struct typeent algo_types[]= { @@ -172,6 +175,7 @@ int xfrm_algotype_getbyname(char *name) const char *strxf_algotype(int type) { + static char str[32]; int i; for (i = 0; ; i++) { @@ -183,7 +187,8 @@ const char *strxf_algotype(int type) return t->t_name; } - return NULL; + sprintf(str, "%d", type); + return str; } const char *strxf_mask8(__u8 mask) @@ -251,6 +256,25 @@ const char *strxf_proto(__u8 proto) return p; } +const char *strxf_ptype(__u8 ptype) +{ + static char str[16]; + + switch (ptype) { + case XFRM_POLICY_TYPE_MAIN: + strcpy(str, "main"); + break; + case XFRM_POLICY_TYPE_SUB: + strcpy(str, "sub"); + break; + default: + sprintf(str, "%u", ptype); + break; + } + + return str; +} + void xfrm_id_info_print(xfrm_address_t *saddr, struct xfrm_id *id, __u8 mode, __u32 reqid, __u16 family, int force_spi, FILE *fp, const char *prefix, const char *title) 
@@ -776,7 +800,6 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, const char *title) { char buf[STRBUF_SIZE]; - __u8 ptype = XFRM_POLICY_TYPE_MAIN; memset(buf, '\0', sizeof(buf)); @@ -821,31 +844,18 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, fprintf(fp, "index %u ", xpinfo->index); fprintf(fp, "priority %u ", xpinfo->priority); - fprintf(fp, "ptype "); - if (tb[XFRMA_POLICY_TYPE]) { struct xfrm_userpolicy_type *upt; + fprintf(fp, "ptype "); + if (RTA_PAYLOAD(tb[XFRMA_POLICY_TYPE]) < sizeof(*upt)) fprintf(fp, "(ERROR truncated)"); upt = (struct xfrm_userpolicy_type *)RTA_DATA(tb[XFRMA_POLICY_TYPE]); - ptype = upt->type; + fprintf(fp, "%s ", strxf_ptype(upt->type)); } - switch (ptype) { - case XFRM_POLICY_TYPE_MAIN: - fprintf(fp, "main"); - break; - case XFRM_POLICY_TYPE_SUB: - fprintf(fp, "sub"); - break; - default: - fprintf(fp, "%u", ptype); - break; - } - fprintf(fp, " "); - if (show_stats > 0) fprintf(fp, "share %s ", strxf_share(xpinfo->share)); diff --git a/ip/xfrm.h b/ip/xfrm.h index 335c2a5..930bb3f 100644 --- a/ip/xfrm.h +++ b/ip/xfrm.h @@ -127,6 +127,7 @@ const char *strxf_mask8(__u8 mask); const char *strxf_mask32(__u32 mask); const char *strxf_share(__u8 share); const char *strxf_proto(__u8 proto); +const char *strxf_ptype(__u8 ptype); void xfrm_id_info_print(xfrm_address_t *saddr, struct xfrm_id *id, __u8 mode, __u32 reqid, __u16 family, int force_spi, FILE *fp, const char *prefix, const char *title); diff --git a/ip/xfrm_monitor.c b/ip/xfrm_monitor.c index bdbf4a6..dc12fca 100644 --- a/ip/xfrm_monitor.c +++ b/ip/xfrm_monitor.c @@ -50,12 +50,6 @@ static int xfrm_acquire_print(const struct sockaddr_nl *who, struct rtattr * tb[XFRMA_MAX+1]; __u16 family; - if (n->nlmsg_type != XFRM_MSG_ACQUIRE) { - fprintf(stderr, "Not an acquire: %08x %0
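Review bot: in the xfrm_policy_info_print hunk the truncation check prints "(ERROR truncated)" and then still dereferences `upt->type` from the short attribute; after reporting the error the read should be skipped (an `else` around `fprintf(fp, "%s ", strxf_ptype(upt->type))`), since a malformed message from the kernel side should not make the tool read beyond the attribute payload.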
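Review bot: strxf_xfrmproto(), strxf_algotype() and the new strxf_ptype() in the ipxfrm.c hunks return pointers into function-local static buffers, so two calls in one printf() argument list, or a later call before the earlier result is used, would clobber the string; the buffers are large enough for the numbers they format (a `%u` of a __u8 fits in 16 bytes), but a comment on the single-use contract, or a caller-supplied buffer, would prevent misuse.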
[PATCH 2/3] [IPROUTE2] ip: xfrm: Fix policy and state flags.
o Support policy flag with string format. Note that kernel defines only one name "localok" for the flag and it has not had any effect currently. o Support state flag value XFRM_STATE_NOPMTUDISC. o Fix to show detailed flags value when "-s" option is used. o Fix minor typo. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/ipxfrm.c | 18 +--- ip/xfrm.h|1 + ip/xfrm_policy.c | 55 - ip/xfrm_state.c |6 +++- 4 files changed, 72 insertions(+), 8 deletions(-) diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index d9b0e3b..359a2d2 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -745,12 +745,13 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo, fprintf(fp, "flag "); XFRM_FLAG_PRINT(fp, flags, XFRM_STATE_NOECN, "noecn"); XFRM_FLAG_PRINT(fp, flags, XFRM_STATE_DECAP_DSCP, "decap-dscp"); + XFRM_FLAG_PRINT(fp, flags, XFRM_STATE_NOPMTUDISC, "nopmtudisc"); XFRM_FLAG_PRINT(fp, flags, XFRM_STATE_WILDRECV, "wildrecv"); if (flags) fprintf(fp, "%x", flags); - if (show_stats > 0) - fprintf(fp, " (0x%s)", strxf_mask8(flags)); } + if (show_stats > 0) + fprintf(fp, " (0x%s)", strxf_mask8(xsinfo->flags)); fprintf(fp, "%s", _SL_); xfrm_xfrma_print(tb, xsinfo->family, fp, buf); @@ -845,10 +846,19 @@ void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo, } fprintf(fp, " "); - if (show_stats > 0) { + if (show_stats > 0) fprintf(fp, "share %s ", strxf_share(xpinfo->share)); - fprintf(fp, "flag 0x%s", strxf_mask8(xpinfo->flags)); + + if (show_stats > 0 || xpinfo->flags) { + __u8 flags = xpinfo->flags; + + fprintf(fp, "flag "); + XFRM_FLAG_PRINT(fp, flags, XFRM_POLICY_LOCALOK, "localok"); + if (flags) + fprintf(fp, "%x", flags); } + if (show_stats > 0) + fprintf(fp, " (0x%s)", strxf_mask8(xpinfo->flags)); fprintf(fp, "%s", _SL_); if (show_stats > 0) diff --git a/ip/xfrm.h b/ip/xfrm.h index 71345b9..335c2a5 100644 --- a/ip/xfrm.h +++ b/ip/xfrm.h 
@@ -98,6 +98,7 @@ struct xfrm_filter { __u32 index_mask; __u8 action_mask; __u32 priority_mask; + __u8 policy_flags_mask; __u8 ptype; __u8 ptype_mask; diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c index f4488ac..419ca67 100644 --- a/ip/xfrm_policy.c +++ b/ip/xfrm_policy.c @@ -54,10 +54,10 @@ static void usage(void) __attribute__((noreturn)); static void usage(void) { fprintf(stderr, "Usage: ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ] [ ptype PTYPE ]\n"); - fprintf(stderr, "[ action ACTION ] [ priority PRIORITY ] [ LIMIT-LIST ] [ TMPL-LIST ]\n"); + fprintf(stderr, "[ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST ] [ TMPL-LIST ]\n"); fprintf(stderr, "Usage: ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ] [ ptype PTYPE ]\n"); fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ]\n"); - fprintf(stderr, "[ index INDEX ] [ action ACTION ] [ priority PRIORITY ]\n"); + fprintf(stderr, "[ index INDEX ] [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]\n"); fprintf(stderr, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n"); fprintf(stderr, "Usage: ip xfrm count\n"); fprintf(stderr, "PTYPE := [ main | sub ](default=main)\n"); @@ -74,6 +74,9 @@ static void usage(void) //fprintf(stderr, "PRIORITY - priority value(default=0)\n"); + fprintf(stderr, "FLAG-LIST := [ FLAG-LIST ] FLAG\n"); + fprintf(stderr, "FLAG := [ localok ]\n"); + fprintf(stderr, "LIMIT-LIST := [ LIMIT-LIST ] | [ limit LIMIT ]\n"); fprintf(stderr, "LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |\n"); fprintf(stderr, " [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] NUMBER ]\n"); @@ -135,6 +138,39 @@ static int xfrm_policy_ptype_parse(__u8 *ptype, int *argcp, char ***argvp) return 0; } +static int xfrm_policy_flag_parse(__u8 *flags, int *argcp, char ***argvp) +{ + int argc = *argcp; + char **argv = *argvp; + int len = strlen(*argv); + + if (len >
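Review bot: in the xfrm_state_info_print() hunk, leftover flag bits are printed with `fprintf(fp, "%x", flags);` right after the named flags, while the `-s` form uses `(0x%s)` via strxf_mask8(); a `0x` prefix for the unnamed remainder would make the two forms consistent and stop, say, `noecn` followed by `80` from reading as one token, depending on what XFRM_FLAG_PRINT emits. The new policy-flag block in xfrm_policy_info_print() repeats the same pattern and would take the same fix.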
[PATCH 1/3] [IPROUTE2] ip: xfrm: Clean-up for internal mask to filter.
Remove unused or redundant usage for xfrm_filter. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/xfrm_policy.c | 17 - ip/xfrm_state.c |2 -- 2 files changed, 0 insertions(+), 19 deletions(-) diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c index c1086f1..f4488ac 100644 --- a/ip/xfrm_policy.c +++ b/ip/xfrm_policy.c @@ -222,16 +222,10 @@ static int xfrm_policy_modify(int cmd, unsigned flags, int argc, char **argv) NEXT_ARG(); xfrm_policy_dir_parse(&req.xpinfo.dir, &argc, &argv); - - filter.dir_mask = XFRM_FILTER_MASK_FULL; - } else if (strcmp(*argv, "index") == 0) { NEXT_ARG(); if (get_u32(&req.xpinfo.index, *argv, 0)) invarg("\"INDEX\" is invalid", *argv); - - filter.index_mask = XFRM_FILTER_MASK_FULL; - } else if (strcmp(*argv, "ptype") == 0) { if (ptypep) duparg("ptype", *argv); @@ -239,9 +233,6 @@ static int xfrm_policy_modify(int cmd, unsigned flags, int argc, char **argv) NEXT_ARG(); xfrm_policy_ptype_parse(&upt.type, &argc, &argv); - - filter.dir_mask = XFRM_FILTER_MASK_FULL; - } else if (strcmp(*argv, "action") == 0) { NEXT_ARG(); if (strcmp(*argv, "allow") == 0) @@ -250,16 +241,10 @@ static int xfrm_policy_modify(int cmd, unsigned flags, int argc, char **argv) req.xpinfo.action = XFRM_POLICY_BLOCK; else invarg("\"action\" value is invalid\n", *argv); - - filter.action_mask = XFRM_FILTER_MASK_FULL; - } else if (strcmp(*argv, "priority") == 0) { NEXT_ARG(); if (get_u32(&req.xpinfo.priority, *argv, 0)) invarg("\"PRIORITY\" is invalid", *argv); - - filter.priority_mask = XFRM_FILTER_MASK_FULL; - } else if (strcmp(*argv, "limit") == 0) { NEXT_ARG(); xfrm_lifetime_cfg_parse(&req.xpinfo.lft, &argc, &argv); @@ -888,8 +873,6 @@ static int xfrm_policy_flush(int argc, char **argv) NEXT_ARG(); xfrm_policy_ptype_parse(&upt.type, &argc, &argv); - - filter.dir_mask = XFRM_FILTER_MASK_FULL; } else invarg("unknown", *argv); diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c index 54e1330..2b68f49 100644 --- a/ip/xfrm_state.c +++ b/ip/xfrm_state.c 
@@ -216,8 +216,6 @@ static int xfrm_state_flag_parse(__u8 *flags, int *argcp, char ***argvp) } } - filter.state_flags_mask = XFRM_FILTER_MASK_FULL; - *argcp = argc; *argvp = argv; -- 1.4.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
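Review bot: the xfrm_state.c hunk removes `filter.state_flags_mask = XFRM_FILTER_MASK_FULL;` from xfrm_state_flag_parse(); if that parser is also reached from the list/deleteall filter path, the mask now has to be set by the caller, and the changelog ("unused or redundant") should say where that happens, since the hunk on its own only shows the assignment disappearing.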
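Review bot: the two xfrm_policy.c `ptype` branches (in xfrm_policy_modify() and xfrm_policy_flush()) were setting `filter.dir_mask` rather than a ptype mask, which looks like a copy of the `dir` branch; a sentence in the changelog would make clear that the removal corrects a misassigned mask and does not drop ptype filtering.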
Re: [PATCH 2/2] [IPV6] MIP6: Loadable module support for MIPv6.
Hi Ingo,

Ingo Oeser wrote:
> Masahide NAKAMURA schrieb:
>> Ingo Oeser wrote:
>>> What about MODULE_ALIAS("xfrm-type-10-60")
>>> and MODULE_ALIAS("xfrm-type-10-43") in mip6.c ?
>
> Just replace your second patch ("Loadable module support")
> with one, which additionally adds these two lines to mip6.c ...
>
>>> The aliases in modprobe.conf(5) should not be necessary then.
>>>
>>> If you are really ambitious you can even define a
>>> MODULE_ALIAS_XFRM_TYPE macro in include/net/xfrm.h
>>> similar to MODULE_ALIAS_XFRM_MODE.
>> I prefer to use a new macro like the XFRM mode one to unify XFRM
>> protocols, i.e. esp[46].c, ah[46].c, ipcomp[46].c, and mip6.c,
>> if we care about it. Can I add it as an extensional patch
>> if nobody has a plan to do this yet?
>
> ... and provide a third patch to implement this cleanup.
>
> That way there are no administrative changes required due to
> any of your patches and we can defer the global cleanup, if it causes
> problems or conflicts with other patches in that area.
>
> Does this sound like a plan?

Thank you for the detailed instruction. What I intended to ask the list was just meant to avoid duplicated work: whether such work to support module aliases for each IPsec protocol is already queued on anyone's TODO list or not.

Anyway, I'll provide the third patch for review, which will be almost what you described.

--
Masahide NAKAMURA
Re: [PATCH 2/2] [IPV6] MIP6: Loadable module support for MIPv6.
Ingo Oeser wrote:
> [EMAIL PROTECTED] schrieb:
>> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
>>
>> This patch makes MIPv6 a loadable module named "mip6".
>>
>> Here is a modprobe.conf(5) example to load it automatically when
>> a user application uses XFRM state for MIPv6:
>>
>> alias xfrm-type-10-43 mip6
>> alias xfrm-type-10-60 mip6
>
> What about MODULE_ALIAS("xfrm-type-10-60")
> and MODULE_ALIAS("xfrm-type-10-43") in mip6.c ?
>
> The aliases in modprobe.conf(5) should not be necessary then.
>
> If you are really ambitious you can even define a
> MODULE_ALIAS_XFRM_TYPE macro in include/net/xfrm.h
> similar to MODULE_ALIAS_XFRM_MODE.

I prefer to use a new macro like the XFRM mode one to unify XFRM protocols, i.e. esp[46].c, ah[46].c, ipcomp[46].c, and mip6.c, if we care about it. Can I add it as an extensional patch if nobody has a plan to do this yet?

> Please be sure to discuss CC Herbert Xu then.

# CC-ed.

Regards,

--
Masahide NAKAMURA
[PATCH 0/2] [IPV6] MIP6: Mobile IPv6 patch updates
Hello,

Here are Mobile IPv6 patches for net-2.6 (2.6.22-rc2), which are minor fixes and modularization. Please review and apply them.

[IPV6] MIP6: Kill unnecessary ifdefs.
[IPV6] MIP6: Loadable module support for MIPv6.

--
Masahide NAKAMURA
Re: [RFC] [PATCH] [XFRM]: Restrict upper layer information by bundle.
On Sun, 29 Apr 2007 22:21:45 -0700 (PDT) David Miller <[EMAIL PROTECTED]> wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Mon, 30 Apr 2007 13:36:03 +0900
>
>> Can you find time to check this?
>> If it is lost, I can send it again.
>
> I still have it, I just have not processed it yet. Each time you try
> to remind me and I have to reply with the same exact answer every
> time, that takes up time I could be spending getting to your patch.
>
> The way my backlog works is that I process all the things that take
> very little brain power first, then if I still have energy left I try
> to tackle the entries that require thinking.
>
> Most days I never get to that latter type of entry, and sadly yours
> falls into that category.
>
> So you either must be patient or clone me.

David, I'm sorry that I bothered you, and thank you for clarifying.

--
Masahide NAKAMURA
Re: [RFC] [PATCH] [XFRM]: Restrict upper layer information by bundle.
On Mon, 30 Apr 2007 00:34:37 -0700 (PDT) David Miller <[EMAIL PROTECTED]> wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Fri, 6 Apr 2007 16:25:39 +0900
>
>> On MIPv6 usage, XFRM sub policy is enabled.
>> When main (IPsec) and sub (MIPv6) policy selectors have the same
>> address set but different upper layer information (i.e. protocol
>> number and its ports or type/code), multiple bundles should be created.
>> However, currently we have an issue that the same bundle created for
>> the first time is used for all flows covered by the case.
>>
>> It is useful for the bundle to have the upper layer information
>> so that it is restructured correctly if it does not match the flow.
>>
>> 1. Bundle was created by two policies
>> The selector from the other policy is added to xfrm_dst.
>> If the flow does not match the selector, it goes to the slow path to
>> restructure a new bundle by a single policy.
>>
>> 2. Bundle was created by one policy
>> The flow cache is added to xfrm_dst as the originating one. If the flow does
>> not match the cache, it goes to the slow path to try searching another
>> policy.
>>
>> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
>
> This is an OK solution for the problem for now.
>
> My senses tell me that there is probably some cleaner way to
> handle this problem. If you come up with a better idea for it,
> please feel free to bounce your ideas to me.

I get it. It is added to my TODOs to find another way (which may include a design level change) to achieve it.

Thank you,

--
Masahide NAKAMURA
Re: [RFC] [PATCH] [XFRM]: Restrict upper layer information by bundle.
Hello,

On Thu, 12 Apr 2007 15:53:33 +0900 Masahide NAKAMURA <[EMAIL PROTECTED]> wrote:
> David Miller wrote:
>> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
>> Date: Thu, 12 Apr 2007 14:42:00 +0900
>>
>>> Hello,
>>>
>>> I sent the patch, which is required for IPsec usage by Mobile IPv6.
>>> I have not obtained any comments yet. Does anybody have it?
>>>
>>> I hope it will be applied.
>>
>> It is in my backlog. I was struggling with a bug that consumed
>> a lot of my time, but now I think I've fixed that bug so I can
>> process patches at a normal rate again.
>>
>> Please be patient :-)
>
> OK, I understand. Thanks.

Can you find time to check this?
If it is lost, I can send it again.

Regards,

--
Masahide NAKAMURA
Re: [RFC] [PATCH] [XFRM]: Restrict upper layer information by bundle.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Thu, 12 Apr 2007 14:42:00 +0900
>
>> Hello,
>>
>> I sent the patch, which is required for IPsec usage by Mobile IPv6.
>> I have not obtained any comments yet. Does anybody have it?
>>
>> I hope it will be applied.
>
> It is in my backlog. I was struggling with a bug that consumed
> a lot of my time, but now I think I've fixed that bug so I can
> process patches at a normal rate again.
>
> Please be patient :-)

OK, I understand. Thanks.

--
Masahide NAKAMURA
Re: [RFC] [PATCH] [XFRM]: Restrict upper layer information by bundle.
Hello, I sent the patch, which is required for IPsec usage by Mobile IPv6. I have not obtained any comments yet. Does anybody have it? I hope it to be applied. Thanks, Masahide NAKAMURA wrote: > On MIPv6 usage, XFRM sub policy is enabled. > When main (IPsec) and sub (MIPv6) policy selectors have the same > address set but different upper layer information (i.e. protocol > number and its ports or type/code), multiple bundle should be created. > However, currently we have issue to use the same bundle created for > the first time with all flows covered by the case. > > It is useful for the bundle to have the upper layer information > to be restructured correctly if it does not match with the flow. > > 1. Bundle was created by two policies > Selector from another policy is added to xfrm_dst. > If the flow does not match the selector, it goes to slow path to > restructure new bundle by single policy. > > 2. Bundle was created by one policy > Flow cache is added to xfrm_dst as originated one. If the flow does > not match the cache, it goes to slow path to try searching another > policy. > > Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> > --- > include/net/flow.h |6 + > include/net/xfrm.h | 10 > net/xfrm/xfrm_policy.c | 55 > > 3 files changed, 71 insertions(+), 0 deletions(-) > > diff --git a/include/net/flow.h b/include/net/flow.h > index ce4b10d..f3cc1f8 100644 > --- a/include/net/flow.h > +++ b/include/net/flow.h > @@ -97,4 +97,10 @@ extern void *flow_cache_lookup(struct flowi *key, u16 > family, u8 dir, > extern void flow_cache_flush(void); > extern atomic_t flow_cache_genid; > > +static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2) > +{ > + return (fl1->proto == fl2->proto && > + !memcmp(&fl1->uli_u, &fl2->uli_u, sizeof(fl1->uli_u))); > +} > + > #endif > diff --git a/include/net/xfrm.h b/include/net/xfrm.h > index 5a00aa8..c216c5e 100644 > --- a/include/net/xfrm.h > +++ b/include/net/xfrm.h 
> @@ -584,6 +584,10 @@ struct xfrm_dst > struct rt6_info rt6; > } u; > struct dst_entry *route; > +#ifdef CONFIG_XFRM_SUB_POLICY > + struct flowi *origin; > + struct xfrm_selector *partner; > +#endif > u32 genid; > u32 route_mtu_cached; > u32 child_mtu_cached; > @@ -596,6 +600,12 @@ static inline void xfrm_dst_destroy(struct xfrm_dst > *xdst) > dst_release(xdst->route); > if (likely(xdst->u.dst.xfrm)) > xfrm_state_put(xdst->u.dst.xfrm); > +#ifdef CONFIG_XFRM_SUB_POLICY > + kfree(xdst->origin); > + xdst->origin = NULL; > + kfree(xdst->partner); > + xdst->partner = NULL; > +#endif > } > > extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c > index 1942575..4a2f68f 100644 > --- a/net/xfrm/xfrm_policy.c > +++ b/net/xfrm/xfrm_policy.c > @@ -1330,6 +1330,40 @@ xfrm_bundle_create(struct xfrm_policy *policy, struct > xfrm_state **xfrm, int nx, > return err; > } > > +static int inline > +xfrm_dst_alloc_copy(void **target, void *src, int size) > +{ > + if (!*target) { > + *target = kmalloc(size, GFP_ATOMIC); > + if (!*target) > + return -ENOMEM; > + } > + memcpy(*target, src, size); > + return 0; > +} > + > +static int inline > +xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel) > +{ > +#ifdef CONFIG_XFRM_SUB_POLICY > + struct xfrm_dst *xdst = (struct xfrm_dst *)dst; > + return xfrm_dst_alloc_copy((void **)&(xdst->partner), > +sel, sizeof(*sel)); > +#else > + return 0; > +#endif > +} > + > +static int inline > +xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl) > +{ > +#ifdef CONFIG_XFRM_SUB_POLICY > + struct xfrm_dst *xdst = (struct xfrm_dst *)dst; > + return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl)); > +#else > + return 0; > +#endif > +} > > static int stale_bundle(struct dst_entry *dst); 
> > @@ -1518,6 +1552,18 @@ restart: > err = -EHOSTUNREACH; > goto error; > } > + > + if (npols > 1) > + err = xfrm_dst_update_parent(dst, &pols[1]->selector); > + else > + err = xfrm_dst_update_origin(dst, fl); > + if (unlikely(e
[RFC] [PATCH] [XFRM]: Restrict upper layer information by bundle.
On MIPv6 usage, XFRM sub policy is enabled. When main (IPsec) and sub (MIPv6) policy selectors have the same address set but different upper layer information (i.e. protocol number and its ports or type/code), multiple bundle should be created. However, currently we have issue to use the same bundle created for the first time with all flows covered by the case. It is useful for the bundle to have the upper layer information to be restructured correctly if it does not match with the flow. 1. Bundle was created by two policies Selector from another policy is added to xfrm_dst. If the flow does not match the selector, it goes to slow path to restructure new bundle by single policy. 2. Bundle was created by one policy Flow cache is added to xfrm_dst as originated one. If the flow does not match the cache, it goes to slow path to try searching another policy. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- include/net/flow.h |6 + include/net/xfrm.h | 10 net/xfrm/xfrm_policy.c | 55 3 files changed, 71 insertions(+), 0 deletions(-) diff --git a/include/net/flow.h b/include/net/flow.h index ce4b10d..f3cc1f8 100644 --- a/include/net/flow.h +++ b/include/net/flow.h @@ -97,4 +97,10 @@ extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir, extern void flow_cache_flush(void); extern atomic_t flow_cache_genid; +static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2) +{ + return (fl1->proto == fl2->proto && + !memcmp(&fl1->uli_u, &fl2->uli_u, sizeof(fl1->uli_u))); +} + #endif diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 5a00aa8..c216c5e 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -584,6 +584,10 @@ struct xfrm_dst struct rt6_info rt6; } u; struct dst_entry *route; +#ifdef CONFIG_XFRM_SUB_POLICY + struct flowi *origin; + struct xfrm_selector *partner; +#endif u32 genid; u32 route_mtu_cached; u32 child_mtu_cached; 
@@ -596,6 +600,12 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst) dst_release(xdst->route); if (likely(xdst->u.dst.xfrm)) xfrm_state_put(xdst->u.dst.xfrm); +#ifdef CONFIG_XFRM_SUB_POLICY + kfree(xdst->origin); + xdst->origin = NULL; + kfree(xdst->partner); + xdst->partner = NULL; +#endif } extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 1942575..4a2f68f 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1330,6 +1330,40 @@ xfrm_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int nx, return err; } +static int inline +xfrm_dst_alloc_copy(void **target, void *src, int size) +{ + if (!*target) { + *target = kmalloc(size, GFP_ATOMIC); + if (!*target) + return -ENOMEM; + } + memcpy(*target, src, size); + return 0; +} + +static int inline +xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel) +{ +#ifdef CONFIG_XFRM_SUB_POLICY + struct xfrm_dst *xdst = (struct xfrm_dst *)dst; + return xfrm_dst_alloc_copy((void **)&(xdst->partner), + sel, sizeof(*sel)); +#else + return 0; +#endif +} + +static int inline +xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl) +{ +#ifdef CONFIG_XFRM_SUB_POLICY + struct xfrm_dst *xdst = (struct xfrm_dst *)dst; + return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl)); +#else + return 0; +#endif +} static int stale_bundle(struct dst_entry *dst); @@ -1518,6 +1552,18 @@ restart: err = -EHOSTUNREACH; goto error; } + + if (npols > 1) + err = xfrm_dst_update_parent(dst, &pols[1]->selector); + else + err = xfrm_dst_update_origin(dst, fl); + if (unlikely(err)) { + write_unlock_bh(&policy->lock); + if (dst) + dst_free(dst); + goto error; + } + dst->next = policy->bundles; policy->bundles = dst; dst_hold(dst); 
@@ -1933,6 +1979,15 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first, if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) || (dst->dev && !netif_running(dst->dev))) return 0; +#ifdef CONFIG_XFRM_SUB_POLICY + if (fl) { + if (first->origin && !flow_cache_uli_match(first->origin, fl)) +
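Review bot: the three new helpers in the xfrm_policy.c hunk are declared `static int inline`; kernel style is `static inline int`. Separately, xfrm_dst_update_origin() copies the whole `struct flowi` with `kmalloc(size, GFP_ATOMIC)` for every bundle although flow_cache_uli_match() only ever compares `proto` and `uli_u`; storing just those two fields would shrink both the per-bundle atomic allocation and the memcpy() on the bundle-creation path.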
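Review bot: flow_cache_uli_match() in the flow.h hunk compares `uli_u` with memcmp() over the full union, so two flows with identical ports for the protocol in use would still mismatch if the bytes of the unused union members differ; the patch thereby relies on every caller zero-initialising `struct flowi`, and either a comment saying so or a per-protocol comparison would make that explicit. Both pointer parameters could also be `const`.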
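Review bot: in the new error path of the `restart:` hunk, `if (dst) dst_free(dst);` tests a pointer that xfrm_dst_update_parent()/xfrm_dst_update_origin() dereferenced one line earlier, so the check is redundant; the changelog should also say whether dst_free() here drops the references to the xfrm states already attached to the bundle or whether the existing `error:` label does, since the new path unlocks and frees before jumping there.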
Re: [RFC][PATCH][IPSEC][2/3] IPv6 over IPv4 IPsec tunnel
Hello, Kazunori MIYAZAWA wrote: > This is the patch to support IPv6 over IPv4 IPsec > > Signed-off-by: Miika Komu <[EMAIL PROTECTED]> > Signed-off-by: Diego Beltrami <[EMAIL PROTECTED]> > Signed-off-by: Kazunori Miyazawa <[EMAIL PROTECTED]> This seems to break Mobile IPv6 route optimization (RO). (This patch is commited as c82f963efe823d3cacaf1f1b7f1a35cc9628b188 to David's tree.) Please find my comment below. > diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c > index 8dffd4d..a1ac537 100644 > --- a/net/ipv6/xfrm6_policy.c > +++ b/net/ipv6/xfrm6_policy.c > @@ -131,13 +131,11 @@ __xfrm6_bundle_create(struct xfrm_policy > struct dst_entry *dst, *dst_prev; > struct rt6_info *rt0 = (struct rt6_info*)(*dst_p); > struct rt6_info *rt = rt0; > - struct in6_addr *remote = &fl->fl6_dst; > - struct in6_addr *local = &fl->fl6_src; > struct flowi fl_tunnel = { > .nl_u = { > .ip6_u = { > - .saddr = *local, > - .daddr = *remote > + .saddr = fl->fl6_src, > + .daddr = fl->fl6_dst, > } > } > }; > @@ -153,7 +151,6 @@ __xfrm6_bundle_create(struct xfrm_policy > for (i = 0; i < nx; i++) { > struct dst_entry *dst1 = dst_alloc(&xfrm6_dst_ops); > struct xfrm_dst *xdst; > - int tunnel = 0; > > if (unlikely(dst1 == NULL)) { > err = -ENOBUFS; 
> @@ -177,19 +174,27 @@ __xfrm6_bundle_create(struct xfrm_policy > > dst1->next = dst_prev; > dst_prev = dst1; > - if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) { > - remote = __xfrm6_bundle_addr_remote(xfrm[i], remote); > - local = __xfrm6_bundle_addr_local(xfrm[i], local); > - tunnel = 1; > - } > + > __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]); > trailer_len += xfrm[i]->props.trailer_len; > > - if (tunnel) { > - ipv6_addr_copy(&fl_tunnel.fl6_dst, remote); > - ipv6_addr_copy(&fl_tunnel.fl6_src, local); > - err = xfrm_dst_lookup((struct xfrm_dst **) &rt, > - &fl_tunnel, AF_INET6); > + if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL) { > + unsigned short encap_family = xfrm[i]->props.family; > + switch(encap_family) { > + case AF_INET: > + fl_tunnel.fl4_dst = xfrm[i]->id.daddr.a4; > + fl_tunnel.fl4_src = xfrm[i]->props.saddr.a4; > + break; > + case AF_INET6: > + ipv6_addr_copy(&fl_tunnel.fl6_dst, (struct > in6_addr*)&xfrm[i]->id.daddr.a6); > + ipv6_addr_copy(&fl_tunnel.fl6_src, (struct > in6_addr*)&xfrm[i]->props.saddr.a6); > + break; > + default: > + BUG_ON(1); > + } > + > + err = xfrm_dst_lookup((struct xfrm_dst **) &rt, > + &fl_tunnel, encap_family); > if (err) > goto error; > } else You missed RO mode path when you changed semantics to check the mode from "xfrm[i]->props.mode != XFRM_MODE_TRANSPORT" to "xfrm[i]->props.mode == XFRM_MODE_TUNNEL" before changing address. Your patch also makes two incline functions __xfrm6_bundle_addr_{remote,local} are used by nobody. I suggest a fix to add "|| xfrm[i]->props.mode == XFRM_MODE_ROUTEOPTIMIZATION" there to make it clearer for other developers about RO-is-there than restoring the code. # FYI, we don't have to fix another side of inter-family IPsec tunneling (xfrm4_policy.c) # where you have similar patch (IPv4 over IPv6 IPsec tunnel) because the RO # is used only for the case of "IPv6 flow and IPv6 extension headers". Please give me comments for the attached patch. 
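Review bot: in the quoted __xfrm6_bundle_create() hunk, the `default: BUG_ON(1);` arm of `switch(encap_family)` turns an unexpected `xfrm[i]->props.family` into a kernel panic on the bundle-creation path; setting `err = -EINVAL` and jumping to `error` would fail only that lookup and keep the machine running.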
I hope it will be applied (or replaced the original patch with including mine). Regards, -- Masahide NAKAMURA From ce9f1ac8c8df22b462a15d4609d05ec939930208 Mon Sep 17 00:00:00 2001 From: Masahide NAKAMURA <[EMAIL PROTECTED]> Date: Sat, 10 Feb 2007 11:48:49 +0900 Subject: [PATCH][XFRM] IPV6: Fix outbound RO transformation which is broke
Re: [IPV6] RAW: Add checksum default defines for MH.
David Miller wrote:
> From: Herbert Xu <[EMAIL PROTECTED]>
> Date: Wed, 24 Jan 2007 17:56:23 +1100
>
>> David Miller <[EMAIL PROTECTED]> wrote:
>>> Did a complete agreement occur that this patch is ok?
>>
>> My only concern is that we're putting an arbitrary list of protocols
>> in the generic raw.c. What's the justification for including these
>> protocols in particular but not others?
>>
>> Is there any reason why the application can't just use the existing
>> IPV6_CHECKSUM socket option to set the same fields?
>
> My understanding in the MH case is that the kernel is going to make
> changes to the header that the user can't predict and thus it's
> impossible for them to set the correct checksum.

Yes, the kernel will change the IPv6 header address; however, it is actually possible to compute the MH checksum in user space, since the final address (= home address) is seen by the application in both the sending and the receiving case and the checksum is calculated over that address. It is true that the user can use the IPV6_CHECKSUM option to set the same fields.

(FYI, validating the MH checksum with the IPv6 header address on the wire (or before parsing the extension headers) fails for such a Mobile IPv6 route-optimized packet.)

So this fix is not a mandatory feature for the kernel. This patch just relaxes user applications like the ICMPv6 case, so we can cancel this if it is too much.

Thanks for taking care of this again, guys.

--
Masahide NAKAMURA
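Added example, not code from the patch or from anyone in this thread: a stand-alone C reimplementation of the IPv6 pseudo-header checksum for a Mobility Header with the checksum field at byte offset 4 (the offset rawv6_init_sk() sets for IPPROTO_MH), showing that a Binding Update sent in route-optimized mode validates only against the home address, not the care-of address seen on the wire. The addresses and the Binding Update bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_PROTO        135 /* IPPROTO_MH, the Mobility Header protocol number */
#define MH_CKSUM_OFFSET 4   /* byte offset of ip6mh_cksum; rawv6_init_sk() sets rp->offset = 4 */
#define SAMPLE_BU_LEN   16  /* 8-byte MH fixed part plus 8 bytes of Binding Update */

/* Constructed addresses from the 2001:db8::/32 documentation prefix. */
static const uint8_t HOME_ADDR[16]   = { 0x20,0x01,0x0d,0xb8, 0x00,0x01,0,0, 0,0,0,0, 0,0,0x00,0x01 }; /* 2001:db8:1::1 */
static const uint8_t CAREOF_ADDR[16] = { 0x20,0x01,0x0d,0xb8, 0x00,0x02,0,0, 0,0,0,0, 0,0,0xab,0xcd }; /* 2001:db8:2::abcd */
static const uint8_t CN_ADDR[16]     = { 0x20,0x01,0x0d,0xb8, 0x00,0x03,0,0, 0,0,0,0, 0,0,0x00,0x02 }; /* 2001:db8:3::2 */

/* Add big-endian 16-bit words to a running sum; an odd trailing byte is zero-padded. */
static uint32_t csum_partial(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold carries back into 16 bits (one's-complement addition). */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Sum of the IPv6 pseudo-header (src, dst, upper-layer length, zero pad, next header). */
static uint32_t csum_ipv6_pseudo(const uint8_t src[16], const uint8_t dst[16],
                                 uint32_t len, uint8_t proto)
{
    uint8_t ph[40];
    memcpy(ph, src, 16);
    memcpy(ph + 16, dst, 16);
    ph[32] = (uint8_t)(len >> 24); ph[33] = (uint8_t)(len >> 16);
    ph[34] = (uint8_t)(len >> 8);  ph[35] = (uint8_t)len;
    ph[36] = ph[37] = ph[38] = 0;
    ph[39] = proto;
    return csum_partial(0, ph, sizeof ph);
}

/* Value for ip6mh_cksum: complement of the sum over pseudo-header and MH, checksum field as zero. */
uint16_t mh_compute_checksum(const uint8_t src[16], const uint8_t dst[16],
                             const uint8_t *mh, size_t len)
{
    uint32_t sum = csum_ipv6_pseudo(src, dst, (uint32_t)len, MH_PROTO);
    /* Skip the two checksum bytes; both segments start at even offsets, so word
     * pairing matches a straight sum over a zeroed copy of the header. */
    sum = csum_partial(sum, mh, MH_CKSUM_OFFSET);
    sum = csum_partial(sum, mh + MH_CKSUM_OFFSET + 2, len - MH_CKSUM_OFFSET - 2);
    return (uint16_t)~csum_fold(sum);
}

/* Receiver-side check like rawv6 with rp->checksum set: pseudo-header plus whole MH sums to 0xffff. */
int mh_verify_checksum(const uint8_t src[16], const uint8_t dst[16],
                       const uint8_t *mh, size_t len)
{
    uint32_t sum = csum_ipv6_pseudo(src, dst, (uint32_t)len, MH_PROTO);
    sum = csum_partial(sum, mh, len);
    return csum_fold(sum) == 0xffff;
}

/* Build a constructed Binding Update (MH type 5) whose checksum the mobile node computed over
 * its home address, the address the correspondent node sees after the kernel has processed
 * the Home Address destination option. */
void build_sample_bu(uint8_t out[SAMPLE_BU_LEN])
{
    uint16_t cksum;
    memset(out, 0, SAMPLE_BU_LEN);
    out[0] = 59;                  /* ip6mh_proto = IPPROTO_NONE, as mip6_mh_filter() requires */
    out[1] = 1;                   /* ip6mh_hdrlen in 8-octet units, not counting the first 8 */
    out[2] = 5;                   /* ip6mh_type: Binding Update */
    out[8] = 0x12; out[9] = 0x34; /* BU sequence number (constructed) */
    out[10] = 0x80;               /* A flag: acknowledgement requested */
    cksum = mh_compute_checksum(HOME_ADDR, CN_ADDR, out, SAMPLE_BU_LEN);
    out[MH_CKSUM_OFFSET] = (uint8_t)(cksum >> 8);
    out[MH_CKSUM_OFFSET + 1] = (uint8_t)cksum;
}

/* Returns 1 when the BU fails the check against the care-of address seen on the wire
 * but passes once the home address is in the IPv6 header, 0 otherwise. */
int ro_checksum_demo(void)
{
    uint8_t bu[SAMPLE_BU_LEN];
    int on_wire, after_ro;
    build_sample_bu(bu);
    on_wire = mh_verify_checksum(CAREOF_ADDR, CN_ADDR, bu, SAMPLE_BU_LEN);
    after_ro = mh_verify_checksum(HOME_ADDR, CN_ADDR, bu, SAMPLE_BU_LEN);
    return on_wire == 0 && after_ro == 1;
}

int main(void)
{
    return ro_checksum_demo() ? 0 : 1; /* exit 0 when the RO case behaves as the thread describes */
}
```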
[IPV6] RAW: Add checksum default defines for MH.
Add checksum default defines for mobility header(MH) which goes through raw socket. As the result kernel's behavior is to handle MH checksum as default. This patch also removes verifying inbound MH checksum at mip6_mh_filter() since it did not consider user specified checksum offset and was redundant check with raw socket code. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/mip6.c | 26 -- net/ipv6/raw.c | 13 +++-- 2 files changed, 11 insertions(+), 28 deletions(-) diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c index be7dd7d..681bb07 100644 --- a/net/ipv6/mip6.c +++ b/net/ipv6/mip6.c @@ -89,7 +89,6 @@ static int mip6_mh_len(int type) int mip6_mh_filter(struct sock *sk, struct sk_buff *skb) { struct ip6_mh *mh; - int mhlen; if (!pskb_may_pull(skb, (skb->h.raw - skb->data) + 8) || !pskb_may_pull(skb, (skb->h.raw - skb->data) + ((skb->h.raw[1] + 1) << 3))) @@ -103,31 +102,6 @@ int mip6_mh_filter(struct sock *sk, stru mip6_param_prob(skb, 0, (&mh->ip6mh_hdrlen) - skb->nh.raw); return -1; } - mhlen = (mh->ip6mh_hdrlen + 1) << 3; - - if (skb->ip_summed == CHECKSUM_COMPLETE) { - skb->ip_summed = CHECKSUM_UNNECESSARY; - if (csum_ipv6_magic(&skb->nh.ipv6h->saddr, - &skb->nh.ipv6h->daddr, - mhlen, IPPROTO_MH, - skb->csum)) { - LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH hw checksum failed\n"); - skb->ip_summed = CHECKSUM_NONE; - } - } - if (skb->ip_summed == CHECKSUM_NONE) { - if (csum_ipv6_magic(&skb->nh.ipv6h->saddr, - &skb->nh.ipv6h->daddr, - mhlen, IPPROTO_MH, - skb_checksum(skb, 0, mhlen, 0))) { - LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH checksum failed " - "[" NIP6_FMT " > " NIP6_FMT "]\n", - NIP6(skb->nh.ipv6h->saddr), - NIP6(skb->nh.ipv6h->daddr)); - return -1; - } - skb->ip_summed = CHECKSUM_UNNECESSARY; - } if (mh->ip6mh_proto != IPPROTO_NONE) { LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n", diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 4ae1b19..4b83e69 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c 
@@ -1094,10 +1094,19 @@ static void rawv6_close(struct sock *sk, static int rawv6_init_sk(struct sock *sk) { - if (inet_sk(sk)->num == IPPROTO_ICMPV6) { - struct raw6_sock *rp = raw6_sk(sk); + struct raw6_sock *rp = raw6_sk(sk); + + switch (inet_sk(sk)->num) { + case IPPROTO_ICMPV6: rp->checksum = 1; rp->offset = 2; + break; + case IPPROTO_MH: + rp->checksum = 1; + rp->offset = 4; + break; + default: + break; } return(0); } -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
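Review bot: with the checksum verification removed from mip6_mh_filter() in the mip6.c hunk, the only inbound MH checksum check left is the per-socket one driven by `rp->checksum`, which the raw.c hunk enables by default for IPPROTO_MH with `rp->offset = 4`; the changelog should state that a receiver which disables IPV6_CHECKSUM on its MH raw socket now gets unverified Mobility Headers, whereas before this patch the filter rejected them regardless of the socket option.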
[IP] TUNNEL: Fix to be built with user application.
include/linux/if_tunnel.h is broken for user application because it was changed to use __be32 which is required to include linux/types.h in advance but didn't. (This issue is found when building MIPL2 daemon. We are not sure this is the last header to be fixed about __be32.) Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> Signed-off-by: TAKAMIYA Noriaki <[EMAIL PROTECTED]> --- include/linux/if_tunnel.h |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/include/linux/if_tunnel.h b/include/linux/if_tunnel.h index 8de079b..660b501 100644 --- a/include/linux/if_tunnel.h +++ b/include/linux/if_tunnel.h @@ -1,6 +1,8 @@ #ifndef _IF_TUNNEL_H_ #define _IF_TUNNEL_H_ +#include + #define SIOCGETTUNNEL (SIOCDEVPRIVATE + 0) #define SIOCADDTUNNEL (SIOCDEVPRIVATE + 1) #define SIOCDELTUNNEL (SIOCDEVPRIVATE + 2) -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
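Review bot: the added `+#include` at the top of if_tunnel.h should name `<linux/types.h>` explicitly, as the changelog says; that is the header that defines `__be32` for both kernel and user-space builds of this exported header, and the bare include as it appears in the hunk would not compile.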
Re: [PATCH 2/2] [IPV6] RAW: Add checksum default defines for mobility header.
YOSHIFUJI Hideaki wrote:
> If it is okay to defer the checksumming after checking the next header protocol, we can omit the checksumming in mip6_mh_filter(), and leave it to rawv6_rcv() and rawv6_recvmsg().
>
> Anyway, we have 4 options.
> 1. IPV6_CHECKSUM default for IPPROTO_MH == 4, omit checksumming in mip6_mh_filter()
> 2. IPV6_CHECKSUM default for IPPROTO_MH == -1, omit checksumming in mip6_mh_filter()
> 3. IPV6_CHECKSUM for IPPROTO_MH == 4, always perform checksumming in mip6_mh_filter()
> 4. IPV6_CHECKSUM default for IPPROTO_MH == -1, always perform checksumming in mip6_mh_filter()
>
> Current behavior is 4, but it is not appropriate. I guess 1 is the way to go.

I would like to have 1, too.

> Another question may arise; is it okay to change the default if the raw socket for Mobility Header is NOT for user-space daemon? or,

For such an application (if any), it has used setsockopt = 4 or hasn't used it for inbound checksum. Such code should work with the kernel change, so I cannot find any issue here. Do you have anything else to be discussed?

> is it okay to have two different default values depending on CONFIG_IPV6_MIP6? If we take these questions seriously, we should take 2.

We have a solution here: remove "ifdef CONFIG_IPV6_MIP6" from rawv6_init_sk() to have the same default value = 4 for IPPROTO_MH regardless of user config.

BTW ICMPv6 default is on and offset = 2. It is a better idea for me to have a similar design for both MH and ICMPv6 as raw socket stuff than what you pointed out.

Regards,
--
Masahide NAKAMURA
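As an added illustration (not code from this thread or the kernel), the following C computes the IPv6 upper-layer checksum for a constructed Mobility Header and shows what the offset default decides: receive-side verification does not care where the field is, but on transmit the offset tells the raw socket which 16-bit field to overwrite, so the ICMPv6 default of 2 would clobber the MH Type byte. The addresses, MH contents and the value 135 for IPPROTO_MH are constructed/assumed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed here: IPPROTO_MH is 135 (the value iproute2's xfrm.h defines);
 * the checksum field offsets are the raw-socket defaults from the patch. */
#define IPPROTO_MH_NUM     135
#define MH_CSUM_OFFSET     4   /* Mobility Header: bytes 4-5 */
#define ICMPV6_CSUM_OFFSET 2   /* ICMPv6: bytes 2-3 */

/* Constructed addresses for the example (documentation prefix 2001:db8::). */
static const uint8_t DEMO_SRC[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,1};
static const uint8_t DEMO_DST[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,2};

/* Accumulate a 16-bit one's-complement sum over buf (big-endian words). */
static uint32_t csum_partial(const uint8_t *buf, size_t len, uint32_t sum)
{
    while (len > 1) {
        sum += ((uint32_t)buf[0] << 8) | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len)                       /* odd trailing byte is padded with zero */
        sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold carries and complement, giving the value carried in the packet. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv6 upper-layer checksum (RFC 2460, 8.1): pseudo-header of src, dst,
 * 32-bit upper-layer length, three zero bytes and the next-header value,
 * followed by the upper-layer header/payload itself. */
uint16_t ipv6_upper_csum(const uint8_t src[16], const uint8_t dst[16],
                         uint8_t nexthdr, const uint8_t *buf, size_t len)
{
    uint8_t ph[40];
    memcpy(ph, src, 16);
    memcpy(ph + 16, dst, 16);
    ph[32] = (uint8_t)(len >> 24);
    ph[33] = (uint8_t)(len >> 16);
    ph[34] = (uint8_t)(len >> 8);
    ph[35] = (uint8_t)len;
    ph[36] = ph[37] = ph[38] = 0;
    ph[39] = nexthdr;
    return csum_fold(csum_partial(buf, len, csum_partial(ph, sizeof ph, 0)));
}

/* Transmit side, modelling a raw socket with rp->checksum set: zero the
 * 16-bit field at rp->offset, compute the checksum, store it there. */
void ipv6_put_csum(uint8_t *buf, size_t len, size_t offset,
                   const uint8_t src[16], const uint8_t dst[16], uint8_t nexthdr)
{
    buf[offset] = buf[offset + 1] = 0;
    uint16_t c = ipv6_upper_csum(src, dst, nexthdr, buf, len);
    buf[offset] = (uint8_t)(c >> 8);
    buf[offset + 1] = (uint8_t)c;
}

/* Receive side: pseudo-header plus the whole header, checksum field
 * included, must fold to zero. This check is independent of the offset. */
int ipv6_csum_ok(const uint8_t src[16], const uint8_t dst[16],
                 uint8_t nexthdr, const uint8_t *buf, size_t len)
{
    return ipv6_upper_csum(src, dst, nexthdr, buf, len) == 0;
}

/* Constructed 8-byte Binding Refresh Request: payload proto 59 (no next
 * header), header length 0 (= 8 bytes), MH type 0, reserved, checksum,
 * reserved. Fills out[] and returns 1 if the result verifies. */
int mh_checksum_demo(uint8_t out[8])
{
    uint8_t mh[8] = {59, 0, 0, 0, 0, 0, 0, 0};
    ipv6_put_csum(mh, sizeof mh, MH_CSUM_OFFSET, DEMO_SRC, DEMO_DST, IPPROTO_MH_NUM);
    memcpy(out, mh, sizeof mh);
    return ipv6_csum_ok(DEMO_SRC, DEMO_DST, IPPROTO_MH_NUM, mh, sizeof mh);
}

/* Why the default offset matters: writing the checksum at the ICMPv6 offset
 * into a Binding Update (MH type 5) overwrites the MH Type byte. Returns the
 * type byte a receiver would see; it is no longer 5. */
uint8_t mh_type_after_wrong_offset(void)
{
    uint8_t mh[8] = {59, 0, 5, 0, 0, 0, 0, 0};
    ipv6_put_csum(mh, sizeof mh, ICMPV6_CSUM_OFFSET, DEMO_SRC, DEMO_DST, IPPROTO_MH_NUM);
    return mh[2];
}

int main(void)
{
    uint8_t mh[8];
    int ok = mh_checksum_demo(mh);
    printf("MH checksum 0x%02x%02x, verify=%d, type after wrong offset=0x%02x\n",
           mh[4], mh[5], ok, mh_type_after_wrong_offset());
    return ok ? 0 : 1;
}
```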
Re: iproute2 update
Stephen Hemminger wrote:
> I am about to push out a new version, so if you have any more patches pending the window is about to close. Please retest with current git tree

Brief tests for MIPv6 xfrm passed with the tree on kernel 2.6.19.

--
Masahide NAKAMURA
Re: [PATCH 1/7] Sync with 2.6.19 kernel header about include/linux.
Thomas Graf wrote:
> > > Why are you reverting this?
> >
> > I just updated the header about include/linux without thinking. Should I have to update them except fib_rules.h?
>
> The iproute2 git tree already contains patches for the 2.6.20 release.

OK, thanks. Do you know of any other patch which is already updated to a newer version, besides fib_rules.h and iprule.c?

Regards,
--
Masahide NAKAMURA
Re: [PATCH 1/7] Sync with 2.6.19 kernel header about include/linux.
Thomas Graf wrote: * Masahide NAKAMURA <[EMAIL PROTECTED]> 2006-12-05 19:15 diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h index 8270aac..4418c8d 100644 --- a/include/linux/fib_rules.h +++ b/include/linux/fib_rules.h @@ -6,7 +6,6 @@ #include /* rule is permanent, and cannot be deleted */ #define FIB_RULE_PERMANENT 1 -#define FIB_RULE_INVERT2 struct fib_rule_hdr { @@ -35,7 +34,7 @@ enum FRA_UNUSED3, FRA_UNUSED4, FRA_UNUSED5, - FRA_FWMARK, /* mark */ + FRA_FWMARK, /* netfilter mark */ FRA_FLOW, /* flow/class id */ FRA_UNUSED6, FRA_UNUSED7, Why are you reverting this? I just update the header about include/linux without thinking. Should I have to update them except fib_rules.h? Anyway, I'll fix "[PATCH 1/7]" and send it again. Thanks, -- Masahide NAKAMURA - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
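Review bot: the quoted fib_rules.h hunk drops `#define FIB_RULE_INVERT 2` and the `netfilter mark` comment, i.e. it moves the header below what iproute2 already relies on (ip/iprule.c sets FIB_RULE_INVERT for the `not` keyword); a header sync must target the newest kernel the tree tracks (2.6.20 here) or leave fib_rules.h out, otherwise the sync reverts definitions the code base uses.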
[PATCH 3/7] [IP] RULE: Add ifdef to FIB_RULE_INVERT since it is missing.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/iprule.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/ip/iprule.c b/ip/iprule.c index c584b18..1da64b8 100644 --- a/ip/iprule.c +++ b/ip/iprule.c @@ -83,8 +83,10 @@ int print_rule(const struct sockaddr_nl else fprintf(fp, "0:\t"); +#ifdef FIB_RULE_INVERT if (r->rtm_flags & FIB_RULE_INVERT) fprintf(fp, "not "); +#endif if (tb[RTA_SRC]) { if (r->rtm_src_len != host_len) { @@ -224,7 +226,9 @@ static int iprule_modify(int cmd, int ar while (argc > 0) { if (strcmp(*argv, "not") == 0) { +#ifdef FIB_RULE_INVERT req.r.rtm_flags |= FIB_RULE_INVERT; +#endif } else if (strcmp(*argv, "from") == 0) { inet_prefix dst; NEXT_ARG(); -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
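Review bot: in the iprule_modify() hunk, when FIB_RULE_INVERT is undefined the `not` keyword is still accepted but the `#ifdef` makes it a no-op, so `ip rule add not from ...` silently installs a rule matching the opposite of what was requested; reject it instead, e.g. `#else` / `invarg("\"not\" is not supported", *argv);` before the `#endif`, so a policy-routing rule never lands with inverted meaning without the user noticing. The print_rule() side of the patch is fine as a guard, since it only affects output.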
[PATCH 5/7] [IP] XFRM: Mobile IPv6 route optimization support.
To support Mobile IPv6 RO, the following extension is included: o Use XFRM_MODE_XXX macro instead of magic number o New attribute option for all state: source address for deleting or getting message o New attribute options for RO: care-of address, last-used timestamp and wild-receive flag Note: Flush command like `ip xfrm state flush` is to remove all XFRM state. It has been effected for IPsec SAD but with this patch it flushes both IPsec SAD and Mobile IPv6 RO states. To make only IPsec SA flush, it is recommanded to specify each XFRM protocol like below: `ip x s f proto esp ; ip x s f proto ah ; ip x s f proto comp` Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/ipxfrm.c | 84 ++ ip/xfrm.h|2 + ip/xfrm_policy.c |7 ++-- ip/xfrm_state.c | 107 -- 4 files changed, 169 insertions(+), 31 deletions(-) diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index 79fc133..7c9fd0b 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -94,6 +94,19 @@ int xfrm_addr_match(xfrm_address_t *x1, return 0; } +int xfrm_xfrmproto_is_ipsec(__u8 proto) +{ + return (proto == IPPROTO_ESP || + proto == IPPROTO_AH || + proto == IPPROTO_COMP); +} + +int xfrm_xfrmproto_is_ro(__u8 proto) +{ + return (proto == IPPROTO_ROUTING || + proto == IPPROTO_DSTOPTS); +} + struct typeent { const char *t_name; int t_type; @@ -101,6 +114,7 @@ struct typeent { static const struct typeent xfrmproto_types[]= { { "esp", IPPROTO_ESP }, { "ah", IPPROTO_AH }, { "comp", IPPROTO_COMP }, + { "route2", IPPROTO_ROUTING }, { "hao", IPPROTO_DSTOPTS }, { NULL, -1 } }; @@ -276,13 +290,19 @@ void xfrm_id_info_print(xfrm_address_t * fprintf(fp, "mode "); switch (mode) { - case 0: + case XFRM_MODE_TRANSPORT: fprintf(fp, "transport"); break; - case 1: + case XFRM_MODE_TUNNEL: fprintf(fp, "tunnel"); break; - case 4: + case XFRM_MODE_ROUTEOPTIMIZATION: + fprintf(fp, "ro"); + break; + case XFRM_MODE_IN_TRIGGER: + fprintf(fp, "in_trigger"); + break; + case XFRM_MODE_BEET: fprintf(fp, "beet"); break; default: 
@@ -643,6 +663,48 @@ void xfrm_xfrma_print(struct rtattr *tb[ xfrm_tmpl_print((struct xfrm_user_tmpl *) RTA_DATA(rta), RTA_PAYLOAD(rta), family, fp, prefix); } + + if (tb[XFRMA_COADDR]) { + char abuf[256]; + xfrm_address_t *coa; + + if (prefix) + fprintf(fp, prefix); + fprintf(fp, "coa "); + + coa = (xfrm_address_t *)RTA_DATA(tb[XFRMA_COADDR]); + + if (RTA_PAYLOAD(tb[XFRMA_COADDR]) < sizeof(*coa)) { + fprintf(fp, "(ERROR truncated)"); + fprintf(fp, "%s", _SL_); + return; + } + + memset(abuf, '\0', sizeof(abuf)); + fprintf(fp, "%s", + rt_addr_n2a(family, sizeof(*coa), coa, + abuf, sizeof(abuf))); + fprintf(fp, "%s", _SL_); + } + + if (tb[XFRMA_LASTUSED]) { + __u64 lastused; + + if (prefix) + fprintf(fp, prefix); + fprintf(fp, "lastused "); + + if (RTA_PAYLOAD(tb[XFRMA_LASTUSED]) < sizeof(lastused)) { + fprintf(fp, "(ERROR truncated)"); + fprintf(fp, "%s", _SL_); + return; + } + + lastused = *(__u64 *)RTA_DATA(tb[XFRMA_LASTUSED]); + + fprintf(fp, "%s", strxf_time(lastused)); + fprintf(fp, "%s", _SL_); + } } static int xfrm_selector_iszero(struct xfrm_selector *s) @@ -659,12 +721,13 @@ void xfrm_state_info_print(struct xfrm_u const char *title) { char buf[STRBUF_SIZE]; + int force_spi = xfrm_xfrmproto_is_ipsec(xsinfo->id.proto); memset(buf, '\0', sizeof(buf)); xfrm_id_info_print(&xsinfo->saddr, &xsinfo->id, xsinfo->mode, - xsinfo->reqid, xsinfo->family, 1, fp, prefix, - title); + xsinfo->reqid, xsinfo->family, force_spi, fp, + prefix, title); if (prefix) STRBUF_CAT(buf, prefix); @@ -680,6 +743,7 @
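Review bot: in the xfrm_xfrma_print() hunk, `fprintf(fp, prefix);` passes a variable as the format string; new code should use `fputs(prefix, fp)` or `fprintf(fp, "%s", prefix)` even though the existing code does the same. Also `lastused = *(__u64 *)RTA_DATA(tb[XFRMA_LASTUSED]);` performs an unaligned 64-bit load, and netlink attribute payloads are only 4-byte aligned, so `memcpy(&lastused, RTA_DATA(tb[XFRMA_LASTUSED]), sizeof(lastused))` is the safe form. The `RTA_PAYLOAD(...) < sizeof(*coa)` check before each dereference is the right pattern and should be kept.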
[PATCH 4/7] [IP] XFRM: sub policy support.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/ipxfrm.c | 27 ++ ip/xfrm.h|4 + ip/xfrm_policy.c | 150 -- 3 files changed, 164 insertions(+), 17 deletions(-) diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index 4bcd2f3..79fc133 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -709,6 +709,7 @@ void xfrm_policy_info_print(struct xfrm_ const char *title) { char buf[STRBUF_SIZE]; + __u8 ptype = XFRM_POLICY_TYPE_MAIN; memset(buf, '\0', sizeof(buf)); @@ -752,6 +753,32 @@ void xfrm_policy_info_print(struct xfrm_ if (show_stats) fprintf(fp, "index %u ", xpinfo->index); fprintf(fp, "priority %u ", xpinfo->priority); + + fprintf(fp, "ptype "); + + if (tb[XFRMA_POLICY_TYPE]) { + struct xfrm_userpolicy_type *upt; + + if (RTA_PAYLOAD(tb[XFRMA_POLICY_TYPE]) < sizeof(*upt)) + fprintf(fp, "(ERROR truncated)"); + + upt = (struct xfrm_userpolicy_type *)RTA_DATA(tb[XFRMA_POLICY_TYPE]); + ptype = upt->type; + } + + switch (ptype) { + case XFRM_POLICY_TYPE_MAIN: + fprintf(fp, "main"); + break; + case XFRM_POLICY_TYPE_SUB: + fprintf(fp, "sub"); + break; + default: + fprintf(fp, "%u", ptype); + break; + } + fprintf(fp, " "); + if (show_stats > 0) { fprintf(fp, "share %s ", strxf_share(xpinfo->share)); fprintf(fp, "flag 0x%s", strxf_mask8(xpinfo->flags)); diff --git a/ip/xfrm.h b/ip/xfrm.h index 4833b36..7a53e59 100644 --- a/ip/xfrm.h +++ b/ip/xfrm.h @@ -92,6 +92,10 @@ struct xfrm_filter { __u32 index_mask; __u8 action_mask; __u32 priority_mask; + + __u8 ptype; + __u8 ptype_mask; + }; #define XFRM_FILTER_MASK_FULL (~0) diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c index abca713..6be7bfd 100644 --- a/ip/xfrm_policy.c +++ b/ip/xfrm_policy.c 
@@ -53,12 +53,14 @@ static void usage(void) __attribute__((n static void usage(void) { - fprintf(stderr, "Usage: ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ] \n"); + fprintf(stderr, "Usage: ip xfrm policy { add | update } dir DIR SELECTOR [ index INDEX ] [ ptype PTYPE ]\n"); fprintf(stderr, "[ action ACTION ] [ priority PRIORITY ] [ LIMIT-LIST ] [ TMPL-LIST ]\n"); - fprintf(stderr, "Usage: ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ]\n"); + fprintf(stderr, "Usage: ip xfrm policy { delete | get } dir DIR [ SELECTOR | index INDEX ] [ ptype PTYPE ]\n"); fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ dir DIR ] [ SELECTOR ]\n"); fprintf(stderr, "[ index INDEX ] [ action ACTION ] [ priority PRIORITY ]\n"); - fprintf(stderr, "Usage: ip xfrm policy flush\n"); + fprintf(stderr, "Usage: ip xfrm policy flush [ ptype PTYPE ]\n"); + + fprintf(stderr, "PTYPE := [ main | sub ](default=main)\n"); fprintf(stderr, "DIR := [ in | out | fwd ]\n"); fprintf(stderr, "SELECTOR := src ADDR[/PLEN] dst ADDR[/PLEN] [ UPSPEC ] [ dev DEV ]\n"); @@ -114,6 +116,24 @@ static int xfrm_policy_dir_parse(__u8 *d return 0; } +static int xfrm_policy_ptype_parse(__u8 *ptype, int *argcp, char ***argvp) +{ + int argc = *argcp; + char **argv = *argvp; + + if (strcmp(*argv, "main") == 0) + *ptype = XFRM_POLICY_TYPE_MAIN; + else if (strcmp(*argv, "sub") == 0) + *ptype = XFRM_POLICY_TYPE_SUB; + else + invarg("\"PTYPE\" is invalid", *argv); + + *argcp = argc; + *argvp = argv; + + return 0; +} + static int xfrm_tmpl_parse(struct xfrm_user_tmpl *tmpl, int *argcp, char ***argvp) { @@ -174,10 +194,13 @@ static int xfrm_policy_modify(int cmd, u } req; char *dirp = NULL; char *selp = NULL; + char *ptypep = NULL; + struct xfrm_userpolicy_type upt; char tmpls_buf[XFRM_TMPLS_BUF_SIZE]; int tmpls_len = 0; memset(&req, 0, sizeof(req)); + memset(&upt, 0, sizeof(upt)); memset(&tmpls_buf, 0, sizeof(tmpls_buf)); req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.xpinfo)); 
@@ -208,6 +231,16 @@ static int xfrm_policy_modify(int cmd, u filter.index_mask = XFRM_FILTER_MASK_FULL; + } else if (strcmp(*argv, "ptype") == 0) { + if (ptypep) +
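Review bot: in the xfrm_policy_info_print() hunk the truncated-attribute branch prints `(ERROR truncated)` but then falls through to `upt = ...; ptype = upt->type;`, reading `type` from a payload shorter than `struct xfrm_userpolicy_type`; return (or skip the assignment) after the error, as the XFRMA_COADDR handling in the RO patch does. Also xfrm_policy_ptype_parse() copies argc/argv in and writes them back unchanged, so that bookkeeping is dead code and can go.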
[PATCH 6/7] [IP] XFRM: support report message by monitor.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/xfrm.h |2 ++ ip/xfrm_monitor.c | 52 2 files changed, 54 insertions(+), 0 deletions(-) diff --git a/ip/xfrm.h b/ip/xfrm.h index 51ffa4b..d33ff94 100644 --- a/ip/xfrm.h +++ b/ip/xfrm.h @@ -52,6 +52,8 @@ #define XFRMACQ_RTA(x)((struct rtattr*) #define XFRMEXP_RTA(x) ((struct rtattr*)(((char*)(x)) + NLMSG_ALIGN(sizeof(struct xfrm_user_expire #define XFRMPEXP_RTA(x)((struct rtattr*)(((char*)(x)) + NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire +#define XFRMREP_RTA(x) ((struct rtattr*)(((char*)(x)) + NLMSG_ALIGN(sizeof(struct xfrm_user_report + #define XFRM_FLAG_PRINT(fp, flags, f, s) \ do { \ if (flags & f) { \ diff --git a/ip/xfrm_monitor.c b/ip/xfrm_monitor.c index baa4610..b4fda02 100644 --- a/ip/xfrm_monitor.c +++ b/ip/xfrm_monitor.c @@ -108,6 +108,48 @@ static int xfrm_acquire_print(const stru return 0; } +static int xfrm_report_print(const struct sockaddr_nl *who, +struct nlmsghdr *n, void *arg) +{ + FILE *fp = (FILE*)arg; + struct xfrm_user_report *xrep = NLMSG_DATA(n); + int len = n->nlmsg_len; + struct rtattr * tb[XFRMA_MAX+1]; + __u16 family; + + if (n->nlmsg_type != XFRM_MSG_REPORT) { + fprintf(stderr, "Not a report: %08x %08x %08x\n", + n->nlmsg_len, n->nlmsg_type, n->nlmsg_flags); + return 0; + } + + len -= NLMSG_LENGTH(sizeof(*xrep)); + if (len < 0) { + fprintf(stderr, "BUG: wrong nlmsg len %d\n", len); + return -1; + } + + family = xrep->sel.family; + if (family == AF_UNSPEC) + family = preferred_family; + + fprintf(fp, "report "); + + fprintf(fp, "proto %s ", strxf_xfrmproto(xrep->proto)); + fprintf(fp, "%s", _SL_); + + xfrm_selector_print(&xrep->sel, family, fp, " sel "); + + parse_rtattr(tb, XFRMA_MAX, XFRMREP_RTA(xrep), len); + + xfrm_xfrma_print(tb, family, fp, " "); + + if (oneline) + fprintf(fp, "\n"); + + return 0; +} + static int xfrm_accept_msg(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg) { 
@@ -144,6 +186,10 @@ static int xfrm_accept_msg(const struct fprintf(fp, "Flushed policy\n"); return 0; } + if (n->nlmsg_type == XFRM_MSG_REPORT) { + xfrm_report_print(who, n, arg); + return 0; + } if (n->nlmsg_type != NLMSG_ERROR && n->nlmsg_type != NLMSG_NOOP && n->nlmsg_type != NLMSG_DONE) { fprintf(fp, "Unknown message: %08d 0x%08x 0x%08x\n", @@ -162,6 +208,7 @@ int do_xfrm_monitor(int argc, char **arg int lexpire=0; int lpolicy=0; int lsa=0; + int lreport=0; rtnl_close(&rth); @@ -181,6 +228,9 @@ int do_xfrm_monitor(int argc, char **arg } else if (matches(*argv, "policy") == 0) { lpolicy=1; groups = 0; + } else if (matches(*argv, "report") == 0) { + lreport=1; + groups = 0; } else if (matches(*argv, "help") == 0) { usage(); } else { @@ -198,6 +248,8 @@ int do_xfrm_monitor(int argc, char **arg groups |= XFRMGRP_SA; if (lpolicy) groups |= XFRMGRP_POLICY; + if (lreport) + groups |= XFRMGRP_REPORT; if (file) { FILE *fp; -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
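Review bot: xfrm_accept_msg() discards xfrm_report_print()'s return value, so the -1 from the `BUG: wrong nlmsg len` check is swallowed and the monitor carries on as if the message were fine; `return xfrm_report_print(who, n, arg);` propagates it. The `nlmsg_type != XFRM_MSG_REPORT` check inside xfrm_report_print() is also redundant with the dispatch in the caller; keeping one of the two is enough.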
[PATCH 7/7] [IP] XFRM: Mobility header support.
Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- ip/ipxfrm.c |9 + ip/xfrm.h |3 +++ 2 files changed, 12 insertions(+), 0 deletions(-) diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index 7c9fd0b..9c8b4bd 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -483,6 +483,14 @@ void xfrm_selector_print(struct xfrm_sel if (sel->dport_mask) fprintf(fp, "code %u ", ntohs(sel->dport)); break; + case IPPROTO_MH: + if (sel->sport_mask) + fprintf(fp, "type %u ", ntohs(sel->sport)); + if (sel->dport_mask) { + if (show_stats > 0) + fprintf(fp, "(dport) 0x%.4x ", sel->dport); + } + break; } if (sel->ifindex > 0) { @@ -,6 +1119,7 @@ static int xfrm_selector_upspec_parse(st switch (sel->proto) { case IPPROTO_ICMP: case IPPROTO_ICMPV6: + case IPPROTO_MH: break; default: fprintf(stderr, "\"type\" and \"code\" are invalid with proto=%s\n", strxf_proto(sel->proto)); diff --git a/ip/xfrm.h b/ip/xfrm.h index d33ff94..03db37b 100644 --- a/ip/xfrm.h +++ b/ip/xfrm.h @@ -35,6 +35,9 @@ #endif #ifndef IPPPROTO_DCCP # define IPPROTO_DCCP 33 #endif +#ifndef IPPROTO_MH +# define IPPROTO_MH135 +#endif #define XFRMS_RTA(x) ((struct rtattr*)(((char*)(x)) + NLMSG_ALIGN(sizeof(struct xfrm_usersa_info #define XFRMS_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct xfrm_usersa_info)) -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
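Review bot: in the xfrm_selector_print() hunk the MH `type` is printed through ntohs(sel->sport) while the masked dport is printed raw (`"(dport) 0x%.4x "`, sel->dport) without ntohs; if that is deliberate because the field carries no MH meaning, a comment should say so, otherwise convert it for consistency. The xfrm.h hunk shows `# define IPPROTO_MH135` with no separator in this rendering; it must be `# define IPPROTO_MH 135` (135 is the IANA protocol number for the Mobility Header).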
[PATCH 2/7] Add missing macros which were removed from kernel header.
{IFA,IFLA,NDA,NDTA}_{RTA,PAYLOAD} macro is removed from kernel header since linux-2.6.19 because it is not used by kernel code. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- include/libnetlink.h | 35 +++ 1 files changed, 35 insertions(+), 0 deletions(-) diff --git a/include/libnetlink.h b/include/libnetlink.h index 63cc3c8..9de3a0b 100644 --- a/include/libnetlink.h +++ b/include/libnetlink.h @@ -4,6 +4,9 @@ #define __LIBNETLINK_H__ 1 #include #include #include +#include +#include +#include struct rtnl_handle { @@ -53,5 +56,37 @@ extern int rtnl_from_file(FILE *, rtnl_f #define NLMSG_TAIL(nmsg) \ ((struct rtattr *) (((void *) (nmsg)) + NLMSG_ALIGN((nmsg)->nlmsg_len))) +#ifndef IFA_RTA +#define IFA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg +#endif +#ifndef IFA_PAYLOAD +#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg)) +#endif + +#ifndef IFLA_RTA +#define IFLA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg +#endif +#ifndef IFLA_PAYLOAD +#define IFLA_PAYLOAD(n)NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg)) +#endif + +#ifndef NDA_RTA +#define NDA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg +#endif +#ifndef NDA_PAYLOAD +#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg)) +#endif + +#ifndef NDTA_RTA +#define NDTA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndtmsg +#endif +#ifndef NDTA_PAYLOAD +#define NDTA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndtmsg)) +#endif + #endif /* __LIBNETLINK_H__ */ -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
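Review bot: as rendered here the three added `#include` lines carry no header name and each `*_RTA` macro body stops at `sizeof(struct ifaddrmsg` (and likewise ifinfomsg, ndmsg, ndtmsg) without its closing parentheses; the struct types live in include/linux/{if_addr.h,if_link.h,neighbour.h}, which the thread names, and each macro needs `))))` to close, so please confirm the patch as sent is intact. The `#ifndef` guards are the right way to let a kernel header that still defines these macros take precedence.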
[PATCH 0/7] iproute2: 2.6.19 updates and Mobile IPv6 support for ip command
Hello,

These are iproute2 updates:
o Kernel header updates for 2.6.19
o libnetlink header updates to fit with 2.6.19 kernel
o Mobile IPv6 xfrm support for ip command

Since I could not build with the define nor find it in the kernel tree, it also contains a patch which disables FIB_RULE_INVERT.

Please review and apply them.

Thanks,
--
Masahide NAKAMURA
[PATCH 2/2] [IPV6] RAW: Add checksum default defines for mobility header.
Add checksum default defines for mobility header(MH). As the result kernel's behavior is to handle MH checksum as default. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/raw.c | 15 +-- 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index aa1d420..389fa32 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -1095,10 +1095,21 @@ static void rawv6_close(struct sock *sk, static int rawv6_init_sk(struct sock *sk) { - if (inet_sk(sk)->num == IPPROTO_ICMPV6) { - struct raw6_sock *rp = raw6_sk(sk); + struct raw6_sock *rp = raw6_sk(sk); + + switch (inet_sk(sk)->num) { + case IPPROTO_ICMPV6: rp->checksum = 1; rp->offset = 2; + break; +#ifdef CONFIG_IPV6_MIP6 + case IPPROTO_MH: + rp->checksum = 1; + rp->offset = 4; + break; +#endif + default: + break; } return(0); } -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
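Review bot: wrapping the IPPROTO_MH case in `#ifdef CONFIG_IPV6_MIP6` gives a raw MH socket two different checksum defaults depending on kernel configuration, which is the concern raised later in this thread; dropping the guard keeps the default at `rp->checksum = 1; rp->offset = 4;` regardless of config, and an application that needs something else can still override it with setsockopt(IPV6_CHECKSUM).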
[PATCH 1/2] [IPV6] RAW: Don't release unlocked sock.
When user builds IPv6 header and send it through raw socket, kernel tries to release unlocked sock. (Kernel log shows "BUG: bad unlock balance detected" with enabled debug option.) The lock is held only for non-hdrincl sock in this function then this patch fix to do nothing about lock for hdrincl one. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- net/ipv6/raw.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index d6dedc4..aa1d420 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -855,7 +855,8 @@ back_from_confirm: } done: dst_release(dst); - release_sock(sk); + if (!inet->hdrincl) + release_sock(sk); out: fl6_sock_release(flowlabel); return err<0?err:len; -- 1.4.2 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
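Review bot: the `done:` hunk fixes the unlock imbalance by skipping release_sock() when inet->hdrincl is set, matching the description that the lock is only taken on the non-hdrincl path; a short comment at that point saying so would keep the asymmetric lock/unlock pairing from being "fixed" back by a later reader, and `return err<0?err:len;` would read better spaced out.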
Re: [PATCH 0/7][IP] IProute2 ip command updates
Stephen Hemminger wrote:
> Plan is to put out new iproute2 release after 2.6.19 final

OK. As you know, the netlink related interface is changed at 2.6.19. I have other patches for iproute2 (libnetlink fix and Mobile IPv6 support). Those depend on 2.6.19 headers. So this time I'd like to know when to update your tree's kernel headers, too.

To use this chance to test with your tree, can I send my patches with the header update to 2.6.19-rcX in advance (updating headers by you is also fine with me), or just wait till the 2.6.19 final release is done?

Regards,
--
Masahide NAKAMURA
Re: [PATCH][XFRM]: nlmsg length not computed correctly in the presence of subpolicies
On Fri, 17 Nov 2006 08:48:31 -0500 jamal <[EMAIL PROTECTED]> wrote:
> Another one in the same spirit as before. Compiles. I don't have
> a good test case, but looks right.
> Nakamura-san please ACK and Dave (as before this goes in as a bug-fix).

Acked-by: Masahide NAKAMURA <[EMAIL PROTECTED]>

I've tested with your patch and the result is fine. However, unlike the add/delete XFRM policy case pointed out by Jamal in the previous patch, I don't see the error without this patch on my environment for acquire. (Maybe the acquire path happens to leave some buffer for the policy type since the structures are not aligned cleanly?) ..Anyway, the fix is correct for me. David, please apply it, too.

> [XFRM]: nlmsg length not computed correctly in the presence of subpolicies
>
> I actually don't have a test case for these; I just found them by
> inspection. Refer to patch "[XFRM]: Sub-policies broke policy events"
> for more info
>
> Signed-off-by: Jamal Hadi Salim <[EMAIL PROTECTED]>
>
> ---
> commit c3d793454ab2a36c2d618d226d7de975ab9b7570
> tree 26198ba84d85317b4f1b54c0e10c220dbe0d97da
> parent b53ec68c276ac1d879759de130620a72254cb969
> author Jamal Hadi Salim <[EMAIL PROTECTED]> Fri, 17 Nov 2006 08:39:52 -0500
> committer Jamal Hadi Salim <[EMAIL PROTECTED](none)> Fri, 17 Nov 2006 08:39:52 -0500

--
Masahide NAKAMURA
Re: [[PATCH][XFRM]: Sub-policies broke policy events
On Fri, 17 Nov 2006 08:34:44 -0500 jamal <[EMAIL PROTECTED]> wrote:
>
> Found the cause of my problems.
> Dave, this is against Linus tree because it is bug fix.
>
> Nakamura-san please ACK.
>
> cheers,
> jamal

It looks fine to me. Thanks, Jamal.

Acked-by: Masahide NAKAMURA <[EMAIL PROTECTED]>

> [XFRM]: Sub-policies broke policy events
> XFRM policy events are broken when sub-policy feature is turned on.
> A simple test to verify this:
> run ip xfrm mon on one window and add then delete a policy on another
> window ..
>
> Signed-off-by: Jamal Hadi Salim <[EMAIL PROTECTED]>
>
> ---

--
Masahide NAKAMURA
Re: [PATCH][XFRM] Fixes for net-2.6
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Tue, 03 Oct 2006 12:29:54 +0900
>
> > [XFRM] POLICY: Fix per-direction policy counter after flushing.
> >
> > Currently when xfrm_policy_flush() is called per-direction policy counter is cleared. However flushing policy is performed for each type (i.e. main or sub) then it is not always true to make the counter zero.
> >
> > Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
>
> The idea of this code is to avoid updating global state many many times during such a flush. This can be expensive and cause much SMP cacheline activity as other cpus read the counter in the routing lookup path.

Thanks for the clarification. My patch should have included such cacheline consideration.

> I think what I'll do is reimplement this patch so that a local variable is used to maintain how many entries were removed, and then simply subtract that counter from xfrm_policy_count[dir] at the very end where the assignment to zero occurs.

I feel it's a better idea now. I agree to apply it instead of my patch.

Regards,
--
Masahide NAKAMURA
[PATCH][XFRM] Fixes for net-2.6
Hello, I have two patches to fix XFRM. Can you check and apply them? HEADLINES - [XFRM] POLICY: Fix per-direction policy counter after flushing. [XFRM] STATE: Use destination address for src hash. DIFFSTAT net/xfrm/xfrm_hash.h |7 --- net/xfrm/xfrm_policy.c |4 ++-- net/xfrm/xfrm_state.c | 16 +--- 3 files changed, 15 insertions(+), 12 deletions(-) CHANGESETS -- commit 90c1f7d3e1019b2885844b03088588268e38cec5 Author: Masahide NAKAMURA <[EMAIL PROTECTED]> Date: Sun Sep 24 14:46:59 2006 +0900 [XFRM] POLICY: Fix per-direction policy counter after flushing. Currently when xfrm_policy_flush() is called per-direction policy counter is cleared. However flusing policy is performed for each type (i.e. main or sub) then it is not always true to make the counter zero. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index b6e2e79..048e248 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -787,6 +787,7 @@ void xfrm_policy_flush(u8 type) continue; hlist_del(&pol->bydst); hlist_del(&pol->byidx); + xfrm_policy_count[dir]--; write_unlock_bh(&xfrm_policy_lock); xfrm_policy_kill(pol); @@ -804,6 +805,7 @@ void xfrm_policy_flush(u8 type) continue; hlist_del(&pol->bydst); hlist_del(&pol->byidx); + xfrm_policy_count[dir]--; write_unlock_bh(&xfrm_policy_lock); xfrm_policy_kill(pol); 
@@ -812,8 +814,6 @@ void xfrm_policy_flush(u8 type) goto again2; } } - - xfrm_policy_count[dir] = 0; } atomic_inc(&flow_cache_genid); write_unlock_bh(&xfrm_policy_lock); --- commit e517421855d241f0b85a186b25e85d00eafa129f Author: Masahide NAKAMURA <[EMAIL PROTECTED]> Date: Sat Sep 23 16:41:34 2006 +0900 [XFRM] STATE: Use destination address for src hash. Src hash is introduced for Mobile IPv6 route optimization usage. On current kenrel code it is calculated with source address only. It results we uses the same hash value for outbound state (when the node has only one address for Mobile IPv6). This patch use also destination address as peer information for src hash to be dispersed. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> diff --git a/net/xfrm/xfrm_hash.h b/net/xfrm/xfrm_hash.h index 6ac4e4f..d401dc8 100644 --- a/net/xfrm/xfrm_hash.h +++ b/net/xfrm/xfrm_hash.h @@ -41,17 +41,18 @@ static inline unsigned int __xfrm_dst_ha return (h ^ (h >> 16)) & hmask; } -static inline unsigned __xfrm_src_hash(xfrm_address_t *saddr, +static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr, + xfrm_address_t *saddr, unsigned short family, unsigned int hmask) { unsigned int h = family; switch (family) { case AF_INET: - h ^= __xfrm4_addr_hash(saddr); + h ^= __xfrm4_daddr_saddr_hash(daddr, saddr); break; case AF_INET6: - h ^= __xfrm6_addr_hash(saddr); + h ^= __xfrm6_daddr_saddr_hash(daddr, saddr); break; }; return (h ^ (h >> 16)) & hmask; diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index f927b73..39b8bf3 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c 
@@ -63,10 +63,11 @@ static inline unsigned int xfrm_dst_hash return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask); } -static inline unsigned int xfrm_src_hash(xfrm_address_t *addr, +static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr, +xfrm_address_t *saddr, unsigned short family) { - return __xfrm_src_hash(addr, family, xfrm_state_hmask); + return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask); } static inline unsigned int @@ -92,7 +93,8 @@ static void xfrm_hash_transfer(struct hl nhashmask); hlist_add_head(&x->bydst, ndsttable+h); - h = __xfrm_src_hash(&x->props.saddr, x->props.family, + h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr, + x->props.family, nhashmask); hlist_add_head(&x->bysrc, nsrctable+h); @@ -458,
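Review bot: the two xfrm_policy_flush() hunks decrement `xfrm_policy_count[dir]` once per removed policy while holding xfrm_policy_lock, which writes a global that the routing lookup path reads on every policy removed; as agreed in the reply, count removals in a local variable and subtract once at the point where `xfrm_policy_count[dir] = 0;` used to be, which keeps the counter correct per type without the per-entry cacheline traffic.

Review bot: __xfrm_src_hash() now takes daddr as well as saddr, so every caller must pass the peer address; the hunks convert xfrm_src_hash() and xfrm_hash_transfer(), but the hunk at `@@ -458,` is cut off here, so confirm the remaining insert/lookup callers in xfrm_state.c were converted too, otherwise a state is inserted in one bysrc bucket and looked up in another.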
[IPROUTE2][PATCH] Add missing macros which were removed from kernel header. (Re: [GIT PATCH] NET: Fixes for net-2.6.19)
> David Miller wrote: > >> commit 0844565fb8a9418f5a860aa480c1aef70319c9a2 > >> Author: Thomas Graf <[EMAIL PROTECTED]> > >> Date: Fri Aug 4 23:05:56 2006 -0700 > >> > >> [NET]: Move netlink interface bits to linux/if.h > >> > >> Signed-off-by: Thomas Graf <[EMAIL PROTECTED]> > >> Signed-off-by: David S. Miller <[EMAIL PROTECTED]> > > > > Stephen, we just removed the troublesome bits from linux/if.h when I > > put in Yoshifuji's patches last night, it should explicitly remove > > this problem. > > > > You will thus see that linux/rtnetlink.h no longer includes > > linux/if.h, which is why your errors were completely perplexing > > to me. Instead, it includes linux/if_link.h > > > > It's been in my tree since last night, and if you had used > > the rtnetlink.h from my current tree you wouldn't have seen > > the error. > > Yes, as David mentioned you need to copy the latest rtnetlink.h > at first. It is also required to be added if_{link,addr}.h, neighbour.h > to iproute2 tree. Some macros may be needed for libnetlink.h, too. > I'll send the patch to you if you haven't started on it. Stephen, this patch is for iproute2. Please check and apply it after syncing kernel headers (e.g. rtnetlink.h) with David's tree. Please also note to add new ones (i.e. include/linux/{if_link.h,if_addr.h,neighbour.h}) which is split from rtnetlink.h. [PATCH] Add missing macros which was removed from kernel header. {IFA,IFLA,NDA,NDTA}_{RTA,PAYLOAD} macro is removed from kernel header since net-2.6.19 because it is not used by kernel code. Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]> --- include/libnetlink.h | 35 +++ 1 files changed, 35 insertions(+), 0 deletions(-) diff --git a/include/libnetlink.h b/include/libnetlink.h index 63cc3c8..9de3a0b 100644 --- a/include/libnetlink.h +++ b/include/libnetlink.h @@ -4,6 +4,9 @@ #define __LIBNETLINK_H__ 1 #include #include #include +#include +#include +#include struct rtnl_handle { 
@@ -53,5 +56,37 @@ extern int rtnl_from_file(FILE *, rtnl_f #define NLMSG_TAIL(nmsg) \ ((struct rtattr *) (((void *) (nmsg)) + NLMSG_ALIGN((nmsg)->nlmsg_len))) +#ifndef IFA_RTA +#define IFA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg +#endif +#ifndef IFA_PAYLOAD +#define IFA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ifaddrmsg)) +#endif + +#ifndef IFLA_RTA +#define IFLA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifinfomsg +#endif +#ifndef IFLA_PAYLOAD +#define IFLA_PAYLOAD(n)NLMSG_PAYLOAD(n,sizeof(struct ifinfomsg)) +#endif + +#ifndef NDA_RTA +#define NDA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndmsg +#endif +#ifndef NDA_PAYLOAD +#define NDA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndmsg)) +#endif + +#ifndef NDTA_RTA +#define NDTA_RTA(r) \ + ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ndtmsg +#endif +#ifndef NDTA_PAYLOAD +#define NDTA_PAYLOAD(n) NLMSG_PAYLOAD(n,sizeof(struct ndtmsg)) +#endif + #endif /* __LIBNETLINK_H__ */ -- 1.4.2 -- Masahide NAKAMURA - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [GIT PATCH] NET: Fixes for net-2.6.19
David Miller wrote:
>> commit 0844565fb8a9418f5a860aa480c1aef70319c9a2
>> Author: Thomas Graf <[EMAIL PROTECTED]>
>> Date: Fri Aug 4 23:05:56 2006 -0700
>>
>> [NET]: Move netlink interface bits to linux/if.h
>>
>> Signed-off-by: Thomas Graf <[EMAIL PROTECTED]>
>> Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
>
> Stephen, we just removed the troublesome bits from linux/if.h when I
> put in Yoshifuji's patches last night, it should explicitly remove
> this problem.
>
> You will thus see that linux/rtnetlink.h no longer includes
> linux/if.h, which is why your errors were completely perplexing
> to me. Instead, it includes linux/if_link.h
>
> It's been in my tree since last night, and if you had used
> the rtnetlink.h from my current tree you wouldn't have seen
> the error.

Yes, as David mentioned you need to copy the latest rtnetlink.h
at first. It is also required to be added if_{link,addr}.h, neighbour.h
to iproute2 tree. Some macros may be needed for libnetlink.h, too.
I'll send the patch to you if you haven't started on it.

Regards,
--
Masahide NAKAMURA
Re: [PATCH] xfrm: remove xerr_idxp from __xfrm_policy_check()
James Morris wrote:
> It seems that during the MIPv6 respin, some code which was originally
> conditionally compiled around CONFIG_XFRM_ADVANCED was accidentally left
> in after the config option was removed.
>
> This patch removes an extraneous pointer (xerr_idxp) which is no longer needed.
>
> Please review & apply.
>
> Signed-off-by: James Morris <[EMAIL PROTECTED]>

It seems fine for me. David, please apply it.
--
Masahide NAKAMURA
Re: [PATCH] [XFRM] STATE: Fix flusing with hash mask.
David Miller wrote:
> Masahide-san, please provide a Signed-off-by: line in the future,
> even for simple changes like this one.

OK, I'll :-)

Regards,
--
Masahide NAKAMURA
[IPV6] MIP6: Fix to update IP6CB when cloned skbuff is received at HAO. (Re: [PATCH 23/44] [IPV6]: Allow to replace skbuff by TLV parser.)
> From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 00:02:24 +0900
>
> > In receiving Mobile IPv6 home address option which is a TLV carried
> > by destination options header, kernel will try to mangle source address
> > of packet. Think of cloned skbuff it is required to replace it by
> > the parser just like routing header case.
> > This is a framework to achieve that to allow TLV parser to replace
> > inbound skbuff pointer.
> >
> > Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
> > Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
>
> Applied to net-2.6.19, thanks a lot.
>

I've found an issue about the patch above.
This is a fix for it, to update IP6CB when cloned skbuff is received at HAO.

Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
---
 net/ipv6/exthdrs.c |7 +++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index f4c7629..ec93a1d 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -233,9 +233,14 @@ static int ipv6_dest_hao(struct sk_buff if (skb_cloned(skb)) { struct sk_buff *skb2 = skb_copy(skb, GFP_ATOMIC); + struct inet6_skb_parm *opt2; + if (skb2 == NULL) goto discard; + opt2 = IP6CB(skb2); + memcpy(opt2, opt, sizeof(*opt2)); + kfree_skb(skb); /* update all variable using below by copied skbuff */ @@ -296,6 +301,7 @@ #endif if (ip6_parse_tlv(tlvprocdestopt_lst, skbp)) { skb = *skbp; skb->h.raw += ((skb->h.raw[1]+1)<<3); + opt = IP6CB(skb); #ifdef CONFIG_IPV6_MIP6 opt->nhoff = dstbuf; #else @@ -690,6 +696,7 @@ int ipv6_parse_hopopts(struct sk_buff ** if (ip6_parse_tlv(tlvprochopopt_lst, skbp)) { skb = *skbp; skb->h.raw += (skb->h.raw[1]+1)<<3; + opt = IP6CB(skb); opt->nhoff = sizeof(struct ipv6hdr); return 1; } -- 1.4.2
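Review bot: In the @@ -233,9 +233,14 @@ hunk the `memcpy(opt2, opt, sizeof(*opt2))` is correctly placed before `kfree_skb(skb)`, since `opt` points into the cb of the skb being freed; after that call the local `opt` is dangling, so please double-check that nothing in ipv6_dest_hao() reads or writes `opt` after the free rather than `opt2` (the callers are refreshed by the two later hunks, but this function's own tail is not visible here). A one-line comment next to the memcpy saying that skb_copy() does not carry the IP6CB state over would also spare the next reader the same question.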
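Review bot: In the @@ -296,6 +301,7 @@ hunk the `opt = IP6CB(skb);` refresh sits right after `skb = *skbp;` and outside the `#ifdef CONFIG_IPV6_MIP6` block, so the non-MIP6 `opt->nhoff = dstbuf;` path also writes into the replaced skb's cb instead of the old one; that is the right placement. Nothing in the visible lines says why the pointer is re-read, so consider a short comment that ip6_parse_tlv() may have replaced *skbp (the same applies to the identical line in the @@ -690,6 +696,7 @@ hunk).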
[PATCH] [XFRM] STATE: Fix flusing with hash mask.
Hello,

This is a minor fix about transformation state flushing for net-2.6.19.
Please apply it.

---
 net/xfrm/xfrm_state.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 4341795..9f63edd 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -384,7 +384,7 @@ void xfrm_state_flush(u8 proto) int i; spin_lock_bh(&xfrm_state_lock); - for (i = 0; i < xfrm_state_hmask; i++) { + for (i = 0; i <= xfrm_state_hmask; i++) { struct hlist_node *entry; struct xfrm_state *x; restart: -- 1.4.2
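Review bot: The bound change from `i < xfrm_state_hmask` to `i <= xfrm_state_hmask` in the @@ -384,7 +384,7 @@ hunk is correct: a hash mask is the index of the last valid bucket, so the old loop never visited bucket xfrm_state_hmask and any states hashed there survived a flush, which for IPsec means stale SAs staying active after the administrator asked for them to be removed. The patch has no Signed-off-by line; please add one even for a one-character fix, and it is worth stating the off-by-one and its effect in the changelog rather than only "minor fix".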
Re: [PATCH 44/44] [XFRM] IPV6: Support Mobile IPv6 extension headers sorting.
On Fri, 25 Aug 2006 03:16:51 -0700 (PDT)
David Miller <[EMAIL PROTECTED]> wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Fri, 25 Aug 2006 19:06:40 +0900
>
> > I've found a problem about MIPv6 CN with the patch below.
>
> We just need to search by priority in the inexact list, even
> if we get a hit in the hash table.
>
> The fix is trivial, please try this patch:

Thank you for providing it quickly. It works!
I continue my test with this patch for now to confirm other features.

Regards,
--
Masahide NAKAMURA
Re: [PATCH 44/44] [XFRM] IPV6: Support Mobile IPv6 extension headers sorting.
Masahide NAKAMURA wrote:
> David Miller wrote:
>> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
>> Date: Thu, 24 Aug 2006 16:05:39 +0900
>>
>>> David Miller wrote:
>>>> In the mean time, I will work on porting my XFRM hashing changes
>>>> for the current net-2.6.19 tree.
>>> FYI, your work will not have any conflict with the left of MIPv6 patches
>>> which I will describe later since they are almost out of XFRM.
>>
>> Great.
>>
>> I just finished the port and pushed all of that work to net-2.6.19,
>> can folks please take a look?
>>
>> I tested IPSEC as best as I could with XFRM_SUB_POLICY enabled, but I
>> have no way currently to test sub-policies or MIPV6 cases.
>
> OK, I will review it and also start my XFRM test with net-2.6.19
> as I've done with my tree.

I've found a problem about MIPv6 CN with the patch below.

commit 02b0fa84daaa70f035767c9a5a0d539667249e60
Author: David S. Miller <[EMAIL PROTECTED]>
Date: Thu Aug 24 04:45:07 2006 -0700

    [XFRM]: Hash policies when non-prefixed.

It seems that the policy hashing is not always used with selector protocol.
It may conflict with MIPL daemon thought. Let me explain the detail:

MIPv6 specification says that all mobility header(MH) must be sent without
routing header type 2(RT2) / home address option, except [*1].
To satisfy it MIPL daemon uses some bypass policies.
For CN outbound example(ip command output):

(a) MIPL daemon adds MH bypass policy when it starts to run:
src ::/0 dst ::/0 proto 135
    dir out priority 12 ptype sub

(b) After binding is accepted, it also adds route optimization policy
to send user traffic with RT2:
src 3ffe:501::100::/128 dst 3ffe:501::101::/128
    dir out priority 16 ptype sub
    tmpl src :: dst :: proto route2 reqid 0 mode ro level use

When the daemon added both policies we expected that all MH was used (a)
otherwise (b) because of priority order. But the kernel used (b) when
the daemon sent MH from 3ffe:501::100:: to 3ffe:501::101::.

Note: such bypasses are also required for ICMPv6 error and neighbor discovery.

(*1: Binding update(BU) can be sent with home address option and
binding ack(BA) can be sent with RT2.)

Do you have any ideas?

Thanks,
--
Masahide NAKAMURA
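The priority problem this message describes, as an added C example that is not kernel or MIPL code: it models the two policies above with the exact-address one in a hash bucket and the prefixed bypass in the inexact list, and shows that returning a hash hit alone picks (b) while comparing by priority picks (a). The peer addresses 3ffe:501::100 and 3ffe:501::101, the table sizes and the lookup functions are constructed for the illustration.

```c
/* Added example, not kernel or MIPL code: a model of XFRM policy lookup
 * reproducing the CN problem above. Exact (/128,/128) policies sit in a
 * "hash" bucket, prefixed ones in an inexact list; a hash hit must still
 * be compared by priority with the inexact list. Addresses constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

#define PROTO_ANY 0
#define PROTO_MH  135		/* Mobility Header, IP protocol 135 */

struct policy {
	int id;
	struct in6_addr src, dst;
	int src_plen, dst_plen;	/* prefix lengths, 128 = exact address */
	int proto;		/* PROTO_ANY matches every protocol */
	int priority;		/* lower value wins, as in 'ip xfrm policy' */
};

/* Model: one hash bucket for fully specified selectors, one inexact list. */
static struct policy exact[4], inexact[4];
static int n_exact, n_inexact;

static struct in6_addr addr6(const char *text)
{
	struct in6_addr a;
	if (inet_pton(AF_INET6, text, &a) != 1)
		memset(&a, 0, sizeof(a));	/* unparsable -> :: */
	return a;
}

/* Compare the first plen bits of two IPv6 addresses. */
static int prefix_match(const struct in6_addr *a, const struct in6_addr *b, int plen)
{
	int full = plen / 8, rem = plen % 8;
	unsigned char mask = (unsigned char)(0xff << (8 - rem));
	if (memcmp(a->s6_addr, b->s6_addr, full) != 0)
		return 0;
	return rem == 0 || (a->s6_addr[full] & mask) == (b->s6_addr[full] & mask);
}

static int sel_match(const struct policy *p, const struct in6_addr *src,
		     const struct in6_addr *dst, int proto)
{
	return prefix_match(&p->src, src, p->src_plen) &&
	       prefix_match(&p->dst, dst, p->dst_plen) &&
	       (p->proto == PROTO_ANY || p->proto == proto);
}

static void add_policy(int id, const char *src, int splen, const char *dst,
		       int dplen, int proto, int priority)
{
	struct policy p = { id, addr6(src), addr6(dst), splen, dplen, proto, priority };
	if (splen == 128 && dplen == 128)
		exact[n_exact++] = p;	/* the kernel would hash this by (src, dst) */
	else
		inexact[n_inexact++] = p;
}

/* The two MIPL policies from the mail: (a) MH bypass, (b) RO towards one peer. */
static void setup_policies(void)
{
	if (n_exact || n_inexact)
		return;
	add_policy(1, "::", 0, "::", 0, PROTO_MH, 12);
	add_policy(2, "3ffe:501::100", 128, "3ffe:501::101", 128, PROTO_ANY, 16);
}

static const struct policy *best_in(const struct policy *tbl, int n,
		const struct in6_addr *src, const struct in6_addr *dst, int proto)
{
	const struct policy *best = NULL;
	int i;
	for (i = 0; i < n; i++)
		if (sel_match(&tbl[i], src, dst, proto) &&
		    (best == NULL || tbl[i].priority < best->priority))
			best = &tbl[i];
	return best;
}

/* Broken lookup: a hash hit is returned without consulting the inexact list,
 * so MH from 100 to 101 goes through (b) instead of the bypass (a). */
int lookup_hash_first(const char *s, const char *d, int proto)
{
	struct in6_addr src = addr6(s), dst = addr6(d);
	const struct policy *p;
	setup_policies();
	p = best_in(exact, n_exact, &src, &dst, proto);
	if (p == NULL)
		p = best_in(inexact, n_inexact, &src, &dst, proto);
	return p ? p->id : 0;
}

/* Fixed lookup: search the inexact list as well, keep the lower priority value. */
int lookup_by_priority(const char *s, const char *d, int proto)
{
	struct in6_addr src = addr6(s), dst = addr6(d);
	const struct policy *p, *q;
	setup_policies();
	p = best_in(exact, n_exact, &src, &dst, proto);
	q = best_in(inexact, n_inexact, &src, &dst, proto);
	if (p == NULL || (q != NULL && q->priority < p->priority))
		p = q;
	return p ? p->id : 0;
}
```

With the hash-first lookup, mobility signalling is silently sent under the RO policy the specification forbids for MH; the priority comparison restores the bypass while ordinary traffic to the same peer still gets (b).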
Re: [PATCH 44/44] [XFRM] IPV6: Support Mobile IPv6 extension headers sorting.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 16:05:39 +0900
>
>> David Miller wrote:
>>> In the mean time, I will work on porting my XFRM hashing changes
>>> for the current net-2.6.19 tree.
>> FYI, your work will not have any conflict with the left of MIPv6 patches
>> which I will describe later since they are almost out of XFRM.
>
> Great.
>
> I just finished the port and pushed all of that work to net-2.6.19,
> can folks please take a look?
>
> I tested IPSEC as best as I could with XFRM_SUB_POLICY enabled, but I
> have no way currently to test sub-policies or MIPV6 cases.

OK, I will review it and also start my XFRM test with net-2.6.19
as I've done with my tree.

Regards,
--
Masahide NAKAMURA
Re: [PATCH 44/44] [XFRM] IPV6: Support Mobile IPv6 extension headers sorting.
David Miller wrote:
> From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 15:04:42 +0900 (JST)
>
>> In article <[EMAIL PROTECTED]> (at Wed, 23 Aug 2006 22:57:06 -0700 (PDT)), David Miller <[EMAIL PROTECTED]> says:
>>> Are there any other Mobile-IPV6 patches necessary for the kernel?
>>
>> The patches cover most of MIPv6 and CN should work.
>> However, for HA/MN, there are small number of patches to send.
>> We will send them, of course.
>> Nakamura-san, please describe the details.

I'll send them later, but anyway,

> Ok, thank you.
>
> In the mean time, I will work on porting my XFRM hashing changes
> for the current net-2.6.19 tree.

FYI, your work will not have any conflict with the left of MIPv6 patches
which I will describe later since they are almost out of XFRM.

Regards,
--
Masahide NAKAMURA
Re: [PATCH 36/44] [XFRM]: Introduce XFRM_MSG_REPORT.
David Miller wrote:
> From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 00:02:37 +0900
>
>> XFRM_MSG_REPORT is a message as notification of state protocol and
>> selector from kernel to user-space. Mobile IPv6 will use it when
>> inbound reject is occurred at route optimization to make user-space
>> know a binding error requirement.
>>
>> Based on MIPL2 kernel patch.
>>
>> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
>> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
>
> Applied to net-2.6.19, but...
>
> Please check whether this XFRM_MSG_REPORT functionality can be
> provided via XFRM_MSG_*AE. It seems to me that AEVENTS can be used
> to report these rejection situations too.
>
> But you might have a good reason why not do merge the functionality.
> Just let me know.

Thank you for pointing it out.

Now I've checked AEVENT briefly and I feel it is a smarter design to
implement this rejection on AEVENT. However it would make us have more
lines than XFRM_MSG_REPORT.

AEVENT is designed to manage each existing XFRM state. OTOH
XFRM_MSG_REPORT's requirement is to manage an unexpected packet when no
matching state is there. We would need to add such code as "XFRM state
generated by kernel for REPORT" like ACQUIRE to use AEVENT. It might
make us define one more status XFRM_STATE_XXX (or adding
xfrm_state.km.XXX used with XFRM_STATE_ACQ), too.

It is good that AEVENT has a reducing mechanism for message passing
between kernel and user-space in receiving packet. For REPORT purpose,
we would need to modify to specify thresh e.g. dividing sysctl per XFRM
protocol (i.e. ESP, AH, IPComp and DSTOPTS) to specify REPORT state.

Should I start to design it?
--
Masahide NAKAMURA
Re: [PATCH 18/44] [IPV6]: Add Kconfig to enable Mobile IPv6.
David Miller wrote:
> From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 00:02:19 +0900
>
>> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
>>
>> Add Kconfig to enable Mobile IPv6.
>>
>> Based on MIPL2 kernel patch.
>>
>> Signed-off-by: Noriaki TAKAMIYA <[EMAIL PROTECTED]>
>> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
>> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
>
> Applied to net-2.6.19
>
> Won't we also need a selection of route optimization and/or subtree
> options when enabling the mobile ipv6 config option?

We won't need them for building.

I thought this option should be just for the basic MIPv6 feature
(i.e. knowledge of header types) then I didn't add such dependency.

However, if we would think this option is a switch for enabling MIPv6
roles (i.e. CN, HA and MN):

RO mode: Yes, it is required by all roles.
Policy routing: I guess No. Because it is not required by CN.
  (required by MN, used by HA only for supporting physical home link)

Regards,
--
Masahide NAKAMURA
Re: [PATCH 16/44] [XFRM] IPV6: Restrict bundle reusing
David Miller wrote:
> From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 00:02:17 +0900
>
>> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
>>
>> For outbound transformation, bundle is checked whether it is suitable
>> for current flow to be reused or not.
>>
>> In such IPv6 case as below, transformation may apply incorrect bundle
>> for the flow instead of creating another bundle:
>>
>> - The policy selector has destination prefix length < 128
>>   (Two or more addresses can be matched it)
>> - Its bundle holds dst entry of default route whose prefix length < 128
>>   (Previous traffic was used such route as next hop)
>> - The policy and the bundle were used a transport mode state and
>>   this time flow address is not matched the bundled state.
>>
>> This issue is found by Mobile IPv6 usage to protect mobility signaling
>> by IPsec, but it is not a Mobile IPv6 specific.
>>
>> This patch adds strict check to xfrm_bundle_ok() for each state mode
>> and address when prefix length is less than 128.
>>
>> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
>> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
>
> Applied.
>
> Maybe ipv4 side wants to check for prefix length < 32? Or does it
> not matter for some reason under ipv4?

Logically yes. But I was not clear why IPv4 __xfrm4_find_bundle() has
no prefix check as opposed to the IPv6 one, then I couldn't include it.
--
Masahide NAKAMURA
Re: [PATCH 5/44] [XFRM] STATE: Add source address list.
David Miller wrote:
> From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
> Date: Thu, 24 Aug 2006 00:02:06 +0900
>
>> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
>>
>> Support source address based searching. Mobile IPv6 will use it.
>>
>> Based on MIPL2 kernel patch.
>>
>> Signed-off-by: Masahide NAKAMURA <[EMAIL PROTECTED]>
>> Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
>
> Patch applied to net-2.6.19, thanks a lot.
>
> I see this is where I will need to perform conflict resolution with
> my XFRM layer hashing patches :-)

That's right. As you may already find out, the resolution will not be so
hard since it is doing the same thing as the destination hash about the
XFRM list.

Thanks,
--
Masahide NAKAMURA
Re: [RFC] Mobile IPv6 introduction
Hugo Santos wrote:
> Although the ICMP-filter approach would be better, it is not flexible
> enough to handle this situation. We must also send ICMPv6 Parameter
> Problems when ip6mh_proto isn't IPPROTO_NONE. I don't think it is too

I don't think the IPPROTO_NONE case is a suitable example here (it is also
supported by our kernel patch). We don't have any problem about who
checks the next header field since the offset of the mobility header never
changes, so its value can be checked the same way for all type numbers.

But anyway,

> much of a burden to handle ICMPv6 in the control daemon because you
> should already do so to react to ICMPv6 error messages from peers
> concerning MIPv6 signalling. I'm strongly against doing these checks in
> the kernel for the simple reason that it is not easily extendable. You
> wouldn't be able to deploy a new daemon version over an existing kernel
> with these changes if it supported a new control protocol with new
> messages. I think we should follow a different path here and i propose
> either have a hdrinc=1 mode (for reception only) for protocol raw
> sockets, possibly adding with control on reception which specifies the
> offset of the UPL header; or have a control message to obtain the
> network headers. For instance:
>
> put_cmsg(msg, SOL_IPV6, ..., (skb->h.raw - skb->nh.raw),
>          skb->nh.raw);

I can agree with such a suggestion as a new kernel feature but I'm not sure
MIPv6 stuff should depend on it just for new message types to extend later.

In our design MIPv6 signaling itself is almost all done by the user-space
daemon. When a developer wants to add a new or original type number, it is
enough for the kernel to be given the number and its length. All other
things can be modified in the user-space application.

If there is much requirement to add new type numbers without any
modification of kernel code at all I would support the ICMPv6 filter
approach, too.
--
Masahide NAKAMURA
Re: [PATCH 7/23] [PATCH] [XFRM] STATE: Add a hook to find where to be inserted header in outbound.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Wed, 02 Aug 2006 11:20:30 +0900
>
>> David Miller wrote:
>>> I see a dangerous pattern of adding many, many, many methods
>>> to the xfrm_type structure which are only used by ipv6.
>>> But I cannot suggest another method.
>> Sometimes this is a difficult point for me to design.
>
> Do not worry so much about it right now, it is not a barrier
> for code integration. We can try to refine this later on.

OK, I'll improve my code for the current framework at first.

Thanks :-)
--
Masahide NAKAMURA
Re: [PATCH 0/20][IPV6/XFRM] MIPv6 CN (part B)
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Sat, 29 Jul 2006 18:37:04 +0900
>
>> Here is Part B patches, following this mail.
>>
>> Part B is also available as mip6cn-20060716-review branch at:
>>
>> git://git.skbuff.net:9419/gitroot/nakam/linux-2.6-mip6cn
>>
>> This tree includes part A, then it has all patches about
>> "Advanced XFRM for CN".
>
> These patches mainly deal with the specifics of ipv6
> mobility processing, they look mostly fine to me and
> I could not spot any obvious errors.

Thank you for reviewing.
Next time I'll prepare the patch for the latest tree with fixes for the comments.

Thanks,
--
Masahide NAKAMURA
Re: [PATCH 1/23] [PATCH] [XFRM]: Add XFRM_MODE_xxx for future use.
Herbert Xu wrote:
> Please rebase your tree on something that's more recent. We've had
> xfrm modes for more than two months now.

OK, I'll use rebase to catch up with the latest tree.
(This tree is just for review, so it is not against the latest but 2.6.17.)
--
Masahide NAKAMURA
Re: (usagi-core 30280) Re: [PATCH 10/23] [PATCH] [XFRM]: Trace which secpath state is reject factor.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Sat, 29 Jul 2006 18:30:29 +0900
>
>> @@ -272,6 +272,9 @@ #define XFRM_TYPE_NON_FRAGMENT 1 >> void(*destructor)(struct xfrm_state *); >> int (*input)(struct xfrm_state *, struct sk_buff >> *skb); >> int (*output)(struct xfrm_state *, struct sk_buff >> *pskb); >> +#ifdef CONFIG_XFRM_ADVANCED >> +int (*reject)(struct xfrm_state *, struct sk_buff >> *skb, struct flowi *); >> +#endif
>
> xfrm_secpath_reject() unconditionally dereferences this new reject
> operation pointer, but this patch contains no assignments of it.
>
> Please send incremental patches that are fully functional all by
> themselves, so that if each one is applied, it would compile and
> work.

Thanks, I'll do so next time.
--
Masahide NAKAMURA
Re: [RFC] Mobile IPv6 introduction
Hi Hugo,

Please find my comments inline:

Hugo Santos wrote:
[snip]
> - In general, lots of places in the IPv6 stack don't take the source
>   address into consideration and generically only use destination as
>   key, i think this is a major setback that should be approached
>   individually.

As David answered, the policy routing is it.

> - I don't like having the individual MIPv6-specific messages checking
>   in the kernel because feature-wise this is not scalable. Only
>   data-path specific processing should be done in the kernel IMO (RT2
>   hdr processing, HOA DSTopt processing with address swapping, etc)
>   Introducing new mobility header message type would involve modifying
>   the kernel when there would be no other reason to do so (you
>   would then need NEMO-specific code in the kernel, FMIPv6-specific
>   code, etc). Taking the error reporting as an example, what i would
>   prefer would be a way of either signaling the kernel ICMPv6
>   component to send ParamProb or other types of errors (difficult to
>   support), or instead introducing a new datagram control message
>   that would enable the control application to retrieve the original
>   network headers (although possibly modified) and send the ICMPv6
>   message itself (which was my choice).

Our patch is similar to what you said. Our design is that the kernel does
as little as possible about validation which can be done by user-space.

As you mentioned, an ICMPv6 error is hard to send from user-space because
it carries the original packet causing the error. The MIPv6 RFC says when
the mobility header length is too short an ICMPv6 error (parameter
problem) is sent. We also discussed a design like your choice, but we
have not taken it because the ICMPv6 sending mechanism is already in the
kernel, so it is reasonable to use it.

We MIPL developers concluded that the kernel should know mobility header
types and their minimum length at least. I guess when we would support
NEMO and FMIPv6, we just add their defines at that time.
(Actually, their implementations based on MIPL2 exist.)

If somebody would feel that such defines should be removed from the
kernel we have another idea: make a new socket interface like the ICMP
filter to store the mobility header type and its minimum length in the
kernel from user-space.

> - Maybe others disagree, but i don't like having a "Route
>   optimization" mode in XFRM. From my POV, "Route optimization" is
>   one kind of transformation specific to MIPv6. Other protocols
>   require other kind of transformations. I think XFRM should be
>   instead extended to support generic transformations, where the
>   Mobile IPv6-specific one would implement a RO transform in order to
>   support its binding cache. Also, these new modes are not
>   "advanced" but instead "Mobile IPv6 specific".

I agree XFRM should be a generic transformation.
XFRM_ADVANCED will be removed from my patch because some comments were sent.
--
Masahide NAKAMURA
Re: [PATCH 7/23] [PATCH] [XFRM] STATE: Add a hook to find where to be inserted header in outbound.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Sat, 29 Jul 2006 18:30:23 +0900
>
>> @@ -270,6 +270,7 @@ struct xfrm_type >> void(*destructor)(struct xfrm_state *); >> int (*input)(struct xfrm_state *, struct sk_buff >> *skb); >> int (*output)(struct xfrm_state *, struct sk_buff >> *pskb); >> +int (*place_find)(struct xfrm_state *, struct >> sk_buff *, u8 **); >> /* Estimate maximal size of result of transformation of a dgram */ >> u32 (*get_max_size)(struct xfrm_state *, int size); >> };
>
> I see a dangerous pattern of adding many, many, many methods
> to the xfrm_type structure which are only used by ipv6.
> But I cannot suggest another method.

Sometimes this is a difficult point for me to design.

> There are frequent calls of the form:
>
> if (x->type->op != NULL)
>         x->type->op(x, y, z);
> else
>         foo(y, z);
>
> it might be nicer to hide all of this behind carefully crafted
> inline functions.

I'll fix it. James gave me this comment, too.
BTW he also gave me another point:
> Maybe also change the naming of ->place_find to ->hdr_offset
I'll use this idea, too.

Thank you.
--
Masahide NAKAMURA
Re: [PATCH 6/23] [PATCH] [XFRM] STATE: Search by address using source address list.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Sat, 29 Jul 2006 18:30:18 +0900
>
>> +#ifdef CONFIG_XFRM_ADVANCED >> +struct xfrm_state *(*state_lookup_byaddr)(xfrm_address_t *daddr, >> xfrm_address_t *saddr, u8 proto); >> +#endif
>
> I think we should delete XFRM_ADVANCED config option, it is only
> serving to make the code very ugly and full of ifdefs.

I see, I'll remove it.

My thought was to keep the XFRM code as intact as possible for users who
want only IPsec. But don't worry, it should not change the existing logic
of course, so I've made a regression test for IPsec behavior with both
cases: new config off and on. Then I guess I can remove the config easily.

>> +#ifdef CONFIG_XFRM_ADVANCED >> +int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); >> +#else >> +int use_spi = 1; >> +#endif
>
> Why this transformation? In fact, you added several others.
> xfrm_id_proto_match() with userproto argument IPSEC_PROTO_ANY
> always evaluates to one.
>
> If you intend to change the userproto argument in some future
> changeset, then add the xfrm_id_proto_match() call in that
> changeset.

You already found out by another mail, but I should have changed the patch
order to make it easier for others, or written a more particular commit log.

Thanks,
--
Masahide NAKAMURA
Re: [PATCH 22/23] [PATCH] [XFRM] POLICY: Support netlink socket interface for sub policy.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Sat, 29 Jul 2006 18:30:55 +0900
>
>> diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h >> index 901bb65..68d3443 100644 >> --- a/include/linux/xfrm.h >> +++ b/include/linux/xfrm.h >> @@ -303,12 +303,14 @@ #define XFRM_POLICY_BLOCK 1 >> __u8flags; >> #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy >> */ >> __u8share; >> +__u8type; >> }; >> >> struct xfrm_userpolicy_id { >> struct xfrm_selectorsel; >> __u32 index; >> __u8dir; >> +__u8type; >> }; >> >> struct xfrm_user_acquire {
>
> Again, these are user visible data structures which cannot be
> modified without changing the API. Please use another xfrm
> netlink attribute or similar to pass this information.

I'll try to add XFRMA_POLICY_TYPE for this case.

Thanks,
--
Masahide NAKAMURA
Re: [PATCH 5/23] [PATCH] [XFRM] STATE: Add source address list.
David Miller wrote:
> This is a userspace exported structure, therefore you cannot
> make changes to it like this, it will break the userland API.

OK.

> If you need to provide the source address, you need to pass it in via
> a new xfrm netlink attribute or use an existing data structure member
> which records the source address (if any such thing does exist).

There is no xfrm netlink attribute to carry the source address.
I'll add one like XFRMA_SRCADDR.

BTW another patch newly defined XFRMA_ADDR to carry the care-of address.
This would be changed to e.g. XFRMA_COADDR or something, too.
--
Masahide NAKAMURA
Re: [PATCH 1/23] [PATCH] [XFRM]: Add XFRM_MODE_xxx for future use.
David Miller wrote:
> From: Masahide NAKAMURA <[EMAIL PROTECTED]>
> Date: Sat, 29 Jul 2006 18:29:45 +0900
>
>> Transformation mode is used as either IPsec transport or tunnel.
>> It is required to add two more items, route-optimization and inbound trigger
>> by Mobile IPv6.
>> Based on MIPL2 kernel patch.
>
> This change looks fine, but please explain the inconsistent
> transformation done in xfrm4_encap() vs. xfrm6_encap().
>
[snip]
> Unless there is a reason to do things differently, we should make the
> checks identical even if ipv4 will never use values other than
> XFRM_MODE_TUNNEL and XFRM_MODE_TRANSPORT.

Oops, I'm sorry, both should be the same.
My fix wants to change it as in the xfrm6_encap case, so I'll fix xfrm4_encap.
And I will check all patches with that point in mind.

Thanks,
--
Masahide NAKAMURA
[PATCH 2/20] [PATCH] [XFRM] IPV6: Support Mobile IPv6 extension headers sorting.
Support Mobile IPv6 extension headers sorting for two transformation policies.
Mobile IPv6 extension headers should be placed after IPsec transport mode,
but before transport AH when outbound.
---
 net/ipv6/xfrm6_state.c | 28 ++--
 1 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c index 1a5cc65..8d431ab 100644 --- a/net/ipv6/xfrm6_state.c +++ b/net/ipv6/xfrm6_state.c @@ -178,7 +178,19 @@ __xfrm6_state_sort(struct xfrm_state **d if (j == n) goto end; - /* XXX: Rule 2: select MIPv6 RO or inbound trigger */ + /* Rule 2: select MIPv6 RO or inbound trigger */ +#ifdef CONFIG_IPV6_MIP6 + for (i = 0; i < n; i++) { + if (src[i] && + (src[i]->props.mode == XFRM_MODE_ROUTEOPTIMIZATION || +src[i]->props.mode == XFRM_MODE_IN_TRIGGER)) { + dst[j++] = src[i]; + src[i] = NULL; + } + } + if (j == n) + goto end; +#endif /* Rule 3: select IPsec transport AH */ for (i = 0; i < n; i++) { @@ -231,7 +243,19 @@ __xfrm6_tmpl_sort(struct xfrm_tmpl **dst if (j == n) goto end; - /* XXX: Rule 2: select MIPv6 RO or inbound trigger */ + /* Rule 2: select MIPv6 RO or inbound trigger */ +#ifdef CONFIG_IPV6_MIP6 + for (i = 0; i < n; i++) { + if (src[i] && + (src[i]->mode == XFRM_MODE_ROUTEOPTIMIZATION || +src[i]->mode == XFRM_MODE_IN_TRIGGER)) { + dst[j++] = src[i]; + src[i] = NULL; + } + } + if (j == n) + goto end; +#endif /* Rule 3: select IPsec tunnel */ for (i = 0; i < n; i++) { -- 1.4.1
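Review bot: The Rule 2 loop added to __xfrm6_state_sort() in the @@ -178,7 +178,19 @@ hunk is the same body as the one added to __xfrm6_tmpl_sort() below it, differing only in `props.mode` versus `mode`; a small static inline predicate for "is a MIPv6 mode" (XFRM_MODE_ROUTEOPTIMIZATION or XFRM_MODE_IN_TRIGGER) used by both would keep the two in step when a further mode is introduced, and would also shrink the `#ifdef CONFIG_IPV6_MIP6` region to one place. The patch also lacks a Signed-off-by line.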
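Review bot: In the @@ -231,7 +243,19 @@ hunk the step following Rule 2 is "Rule 3: select IPsec tunnel", whereas in the state-sort hunk Rule 3 is "select IPsec transport AH"; if the template order is deliberately the reverse of the state order (outbound placement versus inbound matching), please say so in the changelog, which currently only states the outbound rule "after IPsec transport mode, but before transport AH". Otherwise a reader cannot tell from the two hunks whether the MIPv6 headers end up on the intended side of AH in both paths.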
[PATCH 12/20] [PATCH] [IPV6] MIP6: Add routing header type 2 transformation.
Add routing header type 2 transformation for Mobile IPv6. Based on MIPL2 kernel patch. --- include/net/mip6.h | 31 + net/ipv6/Makefile |3 + net/ipv6/af_inet6.c |9 ++ net/ipv6/mip6.c | 186 +++ 4 files changed, 229 insertions(+), 0 deletions(-) diff --git a/include/net/mip6.h b/include/net/mip6.h new file mode 100644 index 000..644b8b6 --- /dev/null +++ b/include/net/mip6.h @@ -0,0 +1,31 @@ +/* + * Copyright (C)2003-2006 Helsinki University of Technology + * Copyright (C)2003-2006 USAGI/WIDE Project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ +/* + * Authors: + * Noriaki TAKAMIYA @USAGI + * Masahide NAKAMURA @USAGI + * YOSHIFUJI Hideaki @USAGI + */ +#ifndef _NET_MIP6_H +#define _NET_MIP6_H + +extern int mip6_init(void); +extern void mip6_fini(void); + +#endif diff --git a/net/ipv6/Makefile b/net/ipv6/Makefile index a760b09..3d46adb 100644 --- a/net/ipv6/Makefile +++ b/net/ipv6/Makefile @@ -13,6 +13,9 @@ ipv6-objs := af_inet6.o anycast.o ip6_ou ipv6-$(CONFIG_XFRM) += xfrm6_policy.o xfrm6_state.o xfrm6_input.o \ xfrm6_output.o ipv6-$(CONFIG_NETFILTER) += netfilter.o + +ipv6-$(CONFIG_IPV6_MIP6) += mip6.o + ipv6-objs += $(ipv6-y) obj-$(CONFIG_INET6_AH) += ah6.o diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index e19457f..e40af02 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c 
@@ -60,6 +60,9 @@ #include #ifdef CONFIG_IPV6_TUNNEL #include #endif +#ifdef CONFIG_IPV6_MIP6 +#include +#endif #include #include @@ -859,6 +862,9 @@ #endif ipv6_frag_init(); ipv6_nodata_init(); ipv6_destopt_init(); +#ifdef CONFIG_IPV6_MIP6 + mip6_init(); +#endif /* Init v6 transport protocols. */ udpv6_init(); @@ -922,6 +928,9 @@ #ifdef CONFIG_PROC_FS tcp6_proc_exit(); raw6_proc_exit(); #endif +#ifdef CONFIG_IPV6_MIP6 + mip6_fini(); +#endif /* Cleanup code parts. */ sit_cleanup(); ip6_flowlabel_cleanup(); diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c new file mode 100644 index 000..0fa495a --- /dev/null +++ b/net/ipv6/mip6.c 
@@ -0,0 +1,186 @@ +/* + * Copyright (C)2003-2006 Helsinki University of Technology + * Copyright (C)2003-2006 USAGI/WIDE Project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ +/* + * Authors: + * Noriaki TAKAMIYA @USAGI + * Masahide NAKAMURA @USAGI + */ + +#include +#include +#include +#include +#include +#include +#include + +static xfrm_address_t *mip6_xfrm_addr(struct xfrm_state *x, + xfrm_address_t *addr) +{ + return x->coaddr; +} + +/* + * Routing Header type 2 + */ + +static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb) +{ + struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data; + + if (!ipv6_addr_equal(&rt2->addr, (struct in6_addr *)x->coaddr) && + !ipv6_addr_any((struct in6_addr *)x->coaddr)) + return -ENOENT; + + return rt2->rt_hdr.nexthdr; +} + +/* Routing Header type 2 is inserted. + * IP Header's dst address is replaced with Routing Header's Home Address. + */ +static int mip6_rthdr_output(struct xfrm_state *x, struct sk_buff *skb) +{ + struct ipv6hdr *iph; + struct rt2_hdr *rt2; + u8 nexthdr; + + iph = (struct ipv6hdr *)skb->data; + iph->payload_len = htons(skb->len - sizeof(*iph)); + + nexthdr = *skb->nh.raw; + *skb->nh.raw = IPPROTO_ROUTING; +
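Review bot: the return value of mip6_init() is dropped in the af_inet6.c init hunk (`+ mip6_init();`) even though the new mip6.h declares it as `extern int mip6_init(void);`; either propagate a failure the way the surrounding init calls in that path do, or document at the call site that a registration failure here is deliberately non-fatal.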
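Review bot: mip6_rthdr_input() in the mip6.c hunk casts `skb->data` to `struct rt2_hdr` and reads `rt2->addr` with no length check of its own, so it relies entirely on the caller having validated the header (the exthdrs.c change elsewhere in this series only calls __xfrm6_rcv_one() after confirming `hdrlen == 2` and `segments_left == 1`); a comment stating that precondition next to the cast would make the contract explicit. The unused `addr` parameter of mip6_xfrm_addr() likewise deserves a one-line comment explaining why it is there, since the function simply returns `x->coaddr`.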
[PATCH 8/20] [PATCH] [IPV6] MIP6: Add home address option definition.
Add home address option definition for Mobile IPv6. Based on MIPL2 kernel patch. --- include/linux/in6.h |1 + include/linux/ipv6.h | 10 ++ 2 files changed, 11 insertions(+), 0 deletions(-) diff --git a/include/linux/in6.h b/include/linux/in6.h index 304aaed..086ec2a 100644 --- a/include/linux/in6.h +++ b/include/linux/in6.h @@ -142,6 +142,7 @@ #define IPV6_TLV_PAD0 0 #define IPV6_TLV_PADN 1 #define IPV6_TLV_ROUTERALERT 5 #define IPV6_TLV_JUMBO 194 +#define IPV6_TLV_HAO 201 /* home address option */ /* * IPV6 socket options diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 9152d4b..43e2e70 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h @@ -87,6 +87,16 @@ struct rt2_hdr { #define rt2_type rt_hdr.type }; +/* + * home address option in destination options header + */ + +struct destopt_hao { + __u8type; + __u8length; + struct in6_addr addr; +} __attribute__ ((__packed__)); + struct ipv6_auth_hdr { __u8 nexthdr; __u8 hdrlen; /* This one is measured in 32 bit units! */ -- 1.4.1 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
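Review bot: `struct destopt_hao` in the ipv6.h hunk needs `__attribute__ ((__packed__))` because `struct in6_addr` carries 32-bit members while the option body sits two bytes after the type/length octets; a short comment saying so would stop someone from dropping the attribute in a later cleanup. A companion length define next to `IPV6_TLV_HAO` (the `addr` field is 16 bytes, so the only valid option `length` is 16) would let the parsers in later patches validate against a named constant rather than a magic number.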
[PATCH 17/20] [PATCH] [IPV6] MIP6: Add receiving mobility header functions through raw socket.
Like ICMPv6, mobility header is handled through raw socket. In inbound case, check only whether ICMPv6 error should be sent as a reply or not by kernel. Based on MIPL2 kernel patch. --- include/net/mip6.h |4 ++ net/ipv6/mip6.c| 87 net/ipv6/raw.c | 29 + 3 files changed, 119 insertions(+), 1 deletions(-) diff --git a/include/net/mip6.h b/include/net/mip6.h index fd43178..68263c6 100644 --- a/include/net/mip6.h +++ b/include/net/mip6.h @@ -25,6 +25,9 @@ #ifndef _NET_MIP6_H #define _NET_MIP6_H +#include +#include + #define MIP6_OPT_PAD_1 0 #define MIP6_OPT_PAD_N 1 @@ -53,5 +56,6 @@ #define IP6_MH_TYPE_MAX IP6_MH_TYPE_BER extern int mip6_init(void); extern void mip6_fini(void); +extern int mip6_mh_filter(struct sock *sk, struct sk_buff *skb); #endif diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c index ebe2f76..fb973d9 100644 --- a/net/ipv6/mip6.c +++ b/net/ipv6/mip6.c @@ -27,7 +27,10 @@ #include #include #include #include +#include +#include #include +#include #include #include 
@@ -58,6 +61,90 @@ static inline void *mip6_padn(__u8 *data } /* + * Mobility Header + */ + +static int _mh_len(int type) +{ + int len = 0; + + switch (type) { + case IP6_MH_TYPE_BRR: + len = 0; + break; + case IP6_MH_TYPE_HOTI: + case IP6_MH_TYPE_COTI: + case IP6_MH_TYPE_BU: + case IP6_MH_TYPE_BACK: + len = 1; + break; + case IP6_MH_TYPE_HOT: + case IP6_MH_TYPE_COT: + case IP6_MH_TYPE_BERROR: + len = 2; + break; + } + return len; +} + +static inline void mip6_param_prob(struct sk_buff *skb, int code, int pos) +{ + icmpv6_send(skb, ICMPV6_PARAMPROB, code, pos, skb->dev); +} + +int mip6_mh_filter(struct sock *sk, struct sk_buff *skb) +{ + struct ip6_mh *mh; + int mhlen; + + if (!pskb_may_pull(skb, (skb->h.raw - skb->data) + 8) || + !pskb_may_pull(skb, (skb->h.raw - skb->data) + ((skb->h.raw[1] + 1) << 3))) + return -1; + + mh = (struct ip6_mh *)skb->h.raw; + + if (mh->ip6mh_hdrlen < _mh_len(mh->ip6mh_type)) { + LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH message too short: %d vs >=%d\n", + mh->ip6mh_hdrlen, _mh_len(mh->ip6mh_type)); + mip6_param_prob(skb, 0, (&mh->ip6mh_hdrlen) - skb->nh.raw); + return -1; + } + mhlen = (mh->ip6mh_hdrlen + 1) << 3; + + if (skb->ip_summed == CHECKSUM_HW) { + skb->ip_summed = CHECKSUM_UNNECESSARY; + if (csum_ipv6_magic(&skb->nh.ipv6h->saddr, + &skb->nh.ipv6h->daddr, + mhlen, IPPROTO_MH, + skb->csum)) { + LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH hw checksum failed\n"); + skb->ip_summed = CHECKSUM_NONE; + } + } + if (skb->ip_summed == CHECKSUM_NONE) { + if (csum_ipv6_magic(&skb->nh.ipv6h->saddr, + &skb->nh.ipv6h->daddr, + mhlen, IPPROTO_MH, + skb_checksum(skb, 0, mhlen, 0))) { + LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH checksum failed [%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x > %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x]\n", + NIP6(skb->nh.ipv6h->saddr), + NIP6(skb->nh.ipv6h->daddr)); + return -1; + } + skb->ip_summed = CHECKSUM_UNNECESSARY; + } + + if (mh->ip6mh_proto != IPPROTO_NONE) { + LIMIT_NETDEBUG(KERN_DEBUG "mip6: MH invalid payload proto = %d\n", + 
mh->ip6mh_proto); + mip6_param_prob(skb, 0, (&mh->ip6mh_proto) - skb->nh.raw); + return -1; + } + + return 0; +} + +/* * Destination Options Header */ diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index fa1ce0a..e0faf4d 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -50,6 +50,9 @@ #include #include #include #include +#ifdef CONFIG_IPV6_MIP6 +#include +#endif #include #include @@ -169,8 +172,32 @@ int ipv6_raw_deliver(struct sk_buff *skb sk = __raw_v6_lookup(sk, nexthdr, daddr, saddr, IP6CB(skb)->iif); while (sk) { + int filtered; + delivered = 1; - if (nexthdr != IPPROTO_ICMPV6 || !icmpv6_filter(sk, skb)) { + switch (nexthdr) { + case IPPROTO_ICMPV6: + filtered = icmpv6_filter(sk, skb); + break; +#ifdef CONFIG_IPV6_MIP6 +
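Review bot: mip6_mh_filter() in the mip6.c hunk takes `sk` but never uses it, and if it is dispatched from the per-socket `while (sk)` loop in ipv6_raw_deliver() the way icmpv6_filter() is in the raw.c hunk, every matching raw socket re-runs the header checks on the same skb: the checksum is only computed once because `ip_summed` is set to CHECKSUM_UNNECESSARY on success, but a malformed header reaches mip6_param_prob() once per listening socket and so emits one ICMPv6 Parameter Problem per socket. Consider validating the header once before the loop (or caching the verdict on the skb) and keeping only the per-socket decision in the filter. Minor: the helper `_mh_len()` would read better with the file's `mip6_` prefix.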
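Review bot: in the raw.c hunk `int filtered;` is declared without an initialiser and the new `switch (nexthdr)` shows only the IPPROTO_ICMPV6 arm before the hunk is cut off; make sure the `default:` arm assigns `filtered = 0` (the replaced test `nexthdr != IPPROTO_ICMPV6 || !icmpv6_filter(sk, skb)` treated every non-ICMPv6 protocol as unfiltered), otherwise the later check reads an uninitialised value.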
[PATCH 19/20] [PATCH] [IPV6] MIP6: Add sending mobility header functions through raw socket.
Mobility header is built by user-space and sent through raw socket. Kernel just extracts its type to flow. Based on MIPL2 kernel patch. --- net/ipv6/raw.c | 17 + 1 files changed, 17 insertions(+), 0 deletions(-) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index e0faf4d..0e8dca2 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -608,6 +608,9 @@ static void rawv6_probe_proto_opt(struct struct iovec *iov; u8 __user *type = NULL; u8 __user *code = NULL; +#ifdef CONFIG_IPV6_MIP6 + u8 len = 0; +#endif int probed = 0; int i; @@ -639,6 +642,20 @@ static void rawv6_probe_proto_opt(struct probed = 1; } break; +#ifdef CONFIG_IPV6_MIP6 + case IPPROTO_MH: + if (iov->iov_base && iov->iov_len < 1) + break; + /* check if type field is readable or not. */ + if (iov->iov_len > 2 - len) { + u8 __user *p = iov->iov_base; + get_user(fl->fl_mh_type, &p[2 - len]); + probed = 1; + } else + len += iov->iov_len; + + break; +#endif default: probed = 1; break; -- 1.4.1 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
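Review bot: in the IPPROTO_MH arm of rawv6_probe_proto_opt() the return value of `get_user(fl->fl_mh_type, &p[2 - len])` is ignored, so a fault leaves `fl->fl_mh_type` at whatever it held before while `probed` is still set to 1; given that fl_mh_type later decides whether the destination-option reject check is bypassed (patch 18/20 in this series), the error should be checked and the flow left unprobed. The guard `if (iov->iov_base && iov->iov_len < 1)` also reads as inverted: it skips only an empty iovec with a non-NULL base, while a NULL base with a non-zero length falls straight through to get_user(); `if (iov->iov_len < 1)` is probably what was meant.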
[PATCH 18/20] [PATCH] [IPV6] MIP6: Ignore mobility headers if they are rejected.
Ignore mobility headers if they are rejected by route optimization. Mobility headers should be bypassed for any route optimization, and the application should use transformation policy and wild-card states correctly to catch mobility headers prior to other packets. The case in which such a reject occurs may be either a missing policy or an erroneous policy inserted into the kernel. Based on MIPL2 kernel patch.
--- net/ipv6/mip6.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c index fb973d9..43d0b53 100644 --- a/net/ipv6/mip6.c +++ b/net/ipv6/mip6.c @@ -243,6 +243,9 @@ static int mip6_destopt_reject(struct xf struct timeval stamp; int err = 0; + if (unlikely(fl->proto == IPPROTO_MH && fl->fl_mh_type <= IP6_MH_TYPE_MAX)) + goto out; + if (likely(opt->dsthao)) { offset = ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO); if (likely(offset >= 0)) -- 1.4.1
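Review bot: the early `goto out` in mip6_destopt_reject() makes every packet with `fl->proto == IPPROTO_MH` and an in-range `fl_mh_type` skip the HAO lookup entirely, so a mobility header message carrying a home address option is accepted with `err = 0` whether or not a matching state exists; that is consistent with the commit message (user space is expected to catch MH via policy and wild-card states), but the intent deserves a comment at the `goto`, and it is worth stating that MH types above IP6_MH_TYPE_MAX still take the reject path. The `unlikely()` hint on this test is also questionable on a mobility-enabled host where MH traffic through this function is the normal case.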
[PATCH 15/20] [PATCH] [XFRM] STATE: Add Mobile IPv6 route optimization protocols to netlink interface.
Add Mobile IPv6 route optimization protocols to netlink interface. Route optimization states carry care-of address. Based on MIPL2 kernel patch. --- net/xfrm/xfrm_user.c | 22 ++ 1 files changed, 22 insertions(+), 0 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index cf62208..e45d25f 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -27,6 +27,9 @@ #include #include #include #include +#ifdef CONFIG_IPV6_MIP6 +#include +#endif static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -171,7 +174,26 @@ #endif goto out; break; +#ifdef CONFIG_IPV6_MIP6 + case IPPROTO_DSTOPTS: + case IPPROTO_ROUTING: +#ifdef CONFIG_XFRM_ADVANCED + if (xfrma[XFRMA_ALG_COMP-1] || + xfrma[XFRMA_ALG_AUTH-1] || + xfrma[XFRMA_ALG_CRYPT-1]|| + xfrma[XFRMA_ENCAP-1]|| + xfrma[XFRMA_SEC_CTX - 1]|| + !xfrma[XFRMA_ADDR-1]) + goto out; + break; +#else + err = -ENOSYS; + goto out; +#endif +#endif + default: + err = -EPROTONOSUPPORT; goto out; }; -- 1.4.1 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
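Review bot: the new `default:` arm in verify_newsa_info() sets `err = -EPROTONOSUPPORT` before the existing `goto out`, which changes the errno user space receives for an unknown `id.proto`; that is a visible interface change and should be called out in the commit message. The IPPROTO_DSTOPTS/IPPROTO_ROUTING arm nests `#ifdef CONFIG_XFRM_ADVANCED` ... `#else err = -ENOSYS` inside `#ifdef CONFIG_IPV6_MIP6`, which is hard to follow; a Kconfig `select` or `depends on` tying the two options together, or one combined preprocessor condition, would drop the inner `#else` branch.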
[PATCH 4/20] [PATCH] [IPV6] MIP6: Add inbound interface of routing header type 2.
Add inbound interface of routing header type 2 for Mobile IPv6. Based on MIPL2 kernel patch. --- include/net/addrconf.h |7 + net/ipv6/exthdrs.c | 71 +++- 2 files changed, 70 insertions(+), 8 deletions(-) diff --git a/include/net/addrconf.h b/include/net/addrconf.h index 750e250..71fc890 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h @@ -62,6 +62,13 @@ extern int addrconf_set_dstaddr(void _ extern int ipv6_chk_addr(struct in6_addr *addr, struct net_device *dev, int strict); +/* XXX: this is a placeholder till addrconf supports */ +#ifdef CONFIG_IPV6_MIP6 +static inline int ipv6_chk_home_addr(struct in6_addr *addr) +{ + return 0; +} +#endif extern struct inet6_ifaddr * ipv6_get_ifaddr(struct in6_addr *addr, struct net_device *dev, int strict); diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index a18d425..138cb12 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -43,6 +43,9 @@ #include #include #include #include +#ifdef CONFIG_IPV6_MIP6 +#include +#endif #include @@ -219,7 +222,7 @@ static int ipv6_rthdr_rcv(struct sk_buff { struct sk_buff *skb = *skbp; struct inet6_skb_parm *opt = IP6CB(skb); - struct in6_addr *addr; + struct in6_addr *addr = NULL; struct in6_addr daddr; int n, i; @@ -244,6 +247,23 @@ static int ipv6_rthdr_rcv(struct sk_buff looped_back: if (hdr->segments_left == 0) { + switch (hdr->type) { +#ifdef CONFIG_IPV6_MIP6 + case IPV6_SRCRT_TYPE_2: + /* Silently discard type 2 header unless it was +* processed by own +*/ + if (!addr) { + IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS); + kfree_skb(skb); + return -1; + } + break; +#endif + default: + break; + } + opt->lastopt = skb->h.raw - skb->nh.raw; opt->srcrt = skb->h.raw - skb->nh.raw; skb->h.raw += (hdr->hdrlen + 1) << 3; 
@@ -253,17 +273,29 @@ looped_back: return 1; } - if (hdr->type != IPV6_SRCRT_TYPE_0) { + switch (hdr->type) { + case IPV6_SRCRT_TYPE_0: + if (hdr->hdrlen & 0x01) { + IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); + icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw); + return -1; + } + break; +#ifdef CONFIG_IPV6_MIP6 + case IPV6_SRCRT_TYPE_2: + /* Silently discard invalid RTH type 2 */ + if (hdr->hdrlen != 2 || hdr->segments_left != 1) { + IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); + kfree_skb(skb); + return -1; + } + break; +#endif + default: IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw); return -1; } - - if (hdr->hdrlen & 0x01) { - IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS); - icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw); - return -1; - } /* * This is the routing header forwarding algorithm from @@ -303,6 +335,29 @@ looped_back: addr = rthdr->addr; addr += i - 1; + switch (hdr->type) { +#ifdef CONFIG_IPV6_MIP6 + case IPV6_SRCRT_TYPE_2: + if (__xfrm6_rcv_one(skb, + (xfrm_address_t *)addr, + (xfrm_address_t *)&skb->nh.ipv6h->saddr, + IPPROTO_ROUTING) < 0) { + IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS); + kfree_skb(skb); + return -1; + } + + if (!ipv6_chk_home_addr(addr)) { + IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS); + kfree_skb(skb); + return -1; + } + break; +#endif + default: + break; + } + if (ipv6_addr_is_multicast(addr)) { IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS); kfree_skb(skb); -- 1.4.1 - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info
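Review bot: the placeholder `ipv6_chk_home_addr()` in the addrconf.h hunk unconditionally returns 0, and the exthdrs.c type 2 path drops the packet with IPSTATS_MIB_INADDRERRORS when it returns 0, so with this series every routing header type 2 that passes the xfrm check is still discarded until addrconf support lands; say so in the commit message (or have the stub return 1 with the existing XXX comment) so nobody spends time debugging a silently dead path.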
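Review bot: the type 2 handling in ipv6_rthdr_rcv() looks right (hdrlen must be 2 and segments_left 1, and a type 2 header arriving with `segments_left == 0` that this host did not itself process is dropped by the `!addr` test now that `addr` is initialised to NULL), but the comment `processed by own` should read `processed by us`, and both the __xfrm6_rcv_one() failure and the ipv6_chk_home_addr() failure are counted as IPSTATS_MIB_INADDRERRORS, which makes the two cases indistinguishable in statistics; a LIMIT_NETDEBUG line on the xfrm failure, as mip6.c already does for checksum errors, would help when diagnosing binding problems.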