tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2015-08-17

1) Fix IPv6 ECN decapsulation for IPsec interfamily tunnels.
From Thomas Egerer.

2) Use kmemdup instead of duplicating it in xfrm_dump_sa().
From Andrzej Hajda.

3) Pass oif to the xfrm lookups so that it gets set on the flow
and the resolver routines can match based on oif.
From David Ahern.

4) Add documentation for the new xfrm garbage collector threshold.
From Alexander Duyck.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller c87acb25 fbaff3ef

+42 -26
+10
Documentation/networking/ip-sysctl.txt
··· 1181 1181 Allows you to write a number, which can be used as required. 1182 1182 Default value is 0. 1183 1183 1184 + xfrm4_gc_thresh - INTEGER 1185 + The threshold at which we will start garbage collecting for IPv4 1186 + destination cache entries. At twice this value the system will 1187 + refuse new allocations. 1188 + 1184 1189 Alexey Kuznetsov. 1185 1190 kuznet@ms2.inr.ac.ru 1186 1191 ··· 1621 1616 0 to disable any limiting, 1622 1617 otherwise the minimal space between responses in milliseconds. 1623 1618 Default: 1000 1619 + 1620 + xfrm6_gc_thresh - INTEGER 1621 + The threshold at which we will start garbage collecting for IPv6 1622 + destination cache entries. At twice this value the system will 1623 + refuse new allocations. 1624 1624 1625 1625 1626 1626 IPv6 Update by:
+5 -2
include/net/xfrm.h
··· 285 285 unsigned short family; 286 286 struct dst_ops *dst_ops; 287 287 void (*garbage_collect)(struct net *net); 288 - struct dst_entry *(*dst_lookup)(struct net *net, int tos, 288 + struct dst_entry *(*dst_lookup)(struct net *net, 289 + int tos, int oif, 289 290 const xfrm_address_t *saddr, 290 291 const xfrm_address_t *daddr); 291 - int (*get_saddr)(struct net *net, xfrm_address_t *saddr, xfrm_address_t *daddr); 292 + int (*get_saddr)(struct net *net, int oif, 293 + xfrm_address_t *saddr, 294 + xfrm_address_t *daddr); 292 295 void (*decode_session)(struct sk_buff *skb, 293 296 struct flowi *fl, 294 297 int reverse);
+6 -5
net/ipv4/xfrm4_policy.c
··· 19 19 static struct xfrm_policy_afinfo xfrm4_policy_afinfo; 20 20 21 21 static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4, 22 - int tos, 22 + int tos, int oif, 23 23 const xfrm_address_t *saddr, 24 24 const xfrm_address_t *daddr) 25 25 { ··· 28 28 memset(fl4, 0, sizeof(*fl4)); 29 29 fl4->daddr = daddr->a4; 30 30 fl4->flowi4_tos = tos; 31 + fl4->flowi4_oif = oif; 31 32 if (saddr) 32 33 fl4->saddr = saddr->a4; 33 34 ··· 39 38 return ERR_CAST(rt); 40 39 } 41 40 42 - static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos, 41 + static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos, int oif, 43 42 const xfrm_address_t *saddr, 44 43 const xfrm_address_t *daddr) 45 44 { 46 45 struct flowi4 fl4; 47 46 48 - return __xfrm4_dst_lookup(net, &fl4, tos, saddr, daddr); 47 + return __xfrm4_dst_lookup(net, &fl4, tos, oif, saddr, daddr); 49 48 } 50 49 51 - static int xfrm4_get_saddr(struct net *net, 50 + static int xfrm4_get_saddr(struct net *net, int oif, 52 51 xfrm_address_t *saddr, xfrm_address_t *daddr) 53 52 { 54 53 struct dst_entry *dst; 55 54 struct flowi4 fl4; 56 55 57 - dst = __xfrm4_dst_lookup(net, &fl4, 0, NULL, daddr); 56 + dst = __xfrm4_dst_lookup(net, &fl4, 0, oif, NULL, daddr); 58 57 if (IS_ERR(dst)) 59 58 return -EHOSTUNREACH; 60 59
+1 -2
net/ipv6/xfrm6_mode_tunnel.c
··· 20 20 21 21 static inline void ipip6_ecn_decapsulate(struct sk_buff *skb) 22 22 { 23 - const struct ipv6hdr *outer_iph = ipv6_hdr(skb); 24 23 struct ipv6hdr *inner_iph = ipipv6_hdr(skb); 25 24 26 - if (INET_ECN_is_ce(ipv6_get_dsfield(outer_iph))) 25 + if (INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos)) 27 26 IP6_ECN_set_ce(inner_iph); 28 27 } 29 28
+4 -3
net/ipv6/xfrm6_policy.c
··· 26 26 27 27 static struct xfrm_policy_afinfo xfrm6_policy_afinfo; 28 28 29 - static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, 29 + static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif, 30 30 const xfrm_address_t *saddr, 31 31 const xfrm_address_t *daddr) 32 32 { ··· 35 35 int err; 36 36 37 37 memset(&fl6, 0, sizeof(fl6)); 38 + fl6.flowi6_oif = oif; 38 39 memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr)); 39 40 if (saddr) 40 41 memcpy(&fl6.saddr, saddr, sizeof(fl6.saddr)); ··· 51 50 return dst; 52 51 } 53 52 54 - static int xfrm6_get_saddr(struct net *net, 53 + static int xfrm6_get_saddr(struct net *net, int oif, 55 54 xfrm_address_t *saddr, xfrm_address_t *daddr) 56 55 { 57 56 struct dst_entry *dst; 58 57 struct net_device *dev; 59 58 60 - dst = xfrm6_dst_lookup(net, 0, NULL, daddr); 59 + dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr); 61 60 if (IS_ERR(dst)) 62 61 return -EHOSTUNREACH; 63 62
+14 -10
net/xfrm/xfrm_policy.c
··· 115 115 rcu_read_unlock(); 116 116 } 117 117 118 - static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, 118 + static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, 119 + int tos, int oif, 119 120 const xfrm_address_t *saddr, 120 121 const xfrm_address_t *daddr, 121 122 int family) ··· 128 127 if (unlikely(afinfo == NULL)) 129 128 return ERR_PTR(-EAFNOSUPPORT); 130 129 131 - dst = afinfo->dst_lookup(net, tos, saddr, daddr); 130 + dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr); 132 131 133 132 xfrm_policy_put_afinfo(afinfo); 134 133 135 134 return dst; 136 135 } 137 136 138 - static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, int tos, 137 + static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, 138 + int tos, int oif, 139 139 xfrm_address_t *prev_saddr, 140 140 xfrm_address_t *prev_daddr, 141 141 int family) ··· 155 153 daddr = x->coaddr; 156 154 } 157 155 158 - dst = __xfrm_dst_lookup(net, tos, saddr, daddr, family); 156 + dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family); 159 157 160 158 if (!IS_ERR(dst)) { 161 159 if (prev_saddr != saddr) ··· 1375 1373 } 1376 1374 1377 1375 static int 1378 - xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote, 1379 - unsigned short family) 1376 + xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local, 1377 + xfrm_address_t *remote, unsigned short family) 1380 1378 { 1381 1379 int err; 1382 1380 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1383 1381 1384 1382 if (unlikely(afinfo == NULL)) 1385 1383 return -EINVAL; 1386 - err = afinfo->get_saddr(net, local, remote); 1384 + err = afinfo->get_saddr(net, oif, local, remote); 1387 1385 xfrm_policy_put_afinfo(afinfo); 1388 1386 return err; 1389 1387 } ··· 1412 1410 remote = &tmpl->id.daddr; 1413 1411 local = &tmpl->saddr; 1414 1412 if (xfrm_addr_any(local, tmpl->encap_family)) { 1415 - error = xfrm_get_saddr(net, &tmp, remote, tmpl->encap_family); 1413 + error = xfrm_get_saddr(net, fl->flowi_oif, 1414 + &tmp, remote, 1415 + tmpl->encap_family); 1416 1416 if (error) 1417 1417 goto fail; 1418 1418 local = &tmp; ··· 1694 1690 1695 1691 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) { 1696 1692 family = xfrm[i]->props.family; 1697 - dst = xfrm_dst_lookup(xfrm[i], tos, &saddr, &daddr, 1698 - family); 1693 + dst = xfrm_dst_lookup(xfrm[i], tos, fl->flowi_oif, 1694 + &saddr, &daddr, family); 1699 1695 err = PTR_ERR(dst); 1700 1696 if (IS_ERR(dst)) 1701 1697 goto put_states;
+2 -4
net/xfrm/xfrm_user.c
··· 925 925 return err; 926 926 927 927 if (attrs[XFRMA_ADDRESS_FILTER]) { 928 - filter = kmalloc(sizeof(*filter), GFP_KERNEL); 928 + filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]), 929 + sizeof(*filter), GFP_KERNEL); 929 930 if (filter == NULL) 930 931 return -ENOMEM; 931 - 932 - memcpy(filter, nla_data(attrs[XFRMA_ADDRESS_FILTER]), 933 - sizeof(*filter)); 934 932 } 935 933 936 934 if (attrs[XFRMA_PROTO])