summaryrefslogtreecommitdiff
path: root/net/key
AgeCommit message (Collapse)AuthorFilesLines
2009-10-12net: Generalize socket rx gap / receive queue overflow cmsgNeil Horman1-1/+1
Create a new socket level option to report number of queue overflows Recently I augmented the AF_PACKET protocol to report the number of frames lost on the socket receive queue between any two enqueued frames. This value was exported via a SOL_PACKET level cmsg. AFter I completed that work it was requested that this feature be generalized so that any datagram oriented socket could make use of this option. As such I've created this patch, It creates a new SOL_SOCKET level option called SO_RXQ_OVFL, which when enabled exports a SOL_SOCKET level cmsg that reports the nubmer of times the sk_receive_queue overflowed between any two given frames. It also augments the AF_PACKET protocol to take advantage of this new feature (as it previously did not touch sk->sk_drops, which this patch uses to record the overflow count). Tested successfully by me. Notes: 1) Unlike my previous patch, this patch simply records the sk_drops value, which is not a number of drops between packets, but rather a total number of drops. Deltas must be computed in user space. 2) While this patch currently works with datagram oriented protocols, it will also be accepted by non-datagram oriented protocols. I'm not sure if thats agreeable to everyone, but my argument in favor of doing so is that, for those protocols which aren't applicable to this option, sk_drops will always be zero, and reporting no drops on a receive queue that isn't used for those non-participating protocols seems reasonable to me. This also saves us having to code in a per-protocol opt in mechanism. 3) This applies cleanly to net-next assuming that commit 977750076d98c7ff6cbda51858bb5a5894a9d9ab (my af packet cmsg patch) is reverted Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-10-07net: mark net_proto_ops as constStephen Hemminger1-1/+1
All usages of structure net_proto_ops should be declared const. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-02net: file_operations should be constStephen Hemminger1-1/+1
All instances of file_operations should be const. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-09-02net: seq_operations should be constStephen Hemminger1-1/+1
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-06-18net: correct off-by-one write allocations reportsEric Dumazet1-2/+2
commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) changed initial sk_wmem_alloc value. We need to take into account this offset when reporting sk_wmem_alloc to user, in PROC_FS files or various ioctls (SIOCOUTQ/TIOCOUTQ) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-02-26af_key: remove some pointless conditionals before kfree_skb()Wei Yongjun1-4/+2
Remove some pointless conditionals before kfree_skb(). Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-25af_key: initialize xfrm encap_oaTimo Teras1-0/+1
Currently encap_oa is left uninitialized, so it contains garbage data which is visible to userland via Netlink. Initialize it by zeroing it out. Signed-off-by: Timo Teras <timo.teras@iki.fi> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns PF_KEY: per-netns /proc/pfkeyAlexey Dobriyan1-17/+17
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns PF_KEY: part 2Alexey Dobriyan1-45/+60
* interaction with userspace -- take netns from userspace socket. * in ->notify hook take netns either from SA or explicitly passed -- we don't know if SA/SPD flush is coming. * stub policy migration with init_net for now. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns PF_KEY: part 1Alexey Dobriyan1-15/+73
* netns boilerplate * keep per-netns socket list * keep per-netns number of sockets Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: pass netns with KM notificationsAlexey Dobriyan1-0/+2
SA and SPD flush are executed with NULL SA and SPD respectively, for these cases pass netns explicitly from userspace socket. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: policy walking in netnsAlexey Dobriyan1-2/+2
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: finding policy in netnsAlexey Dobriyan1-3/+3
Add netns parameter to xfrm_policy_bysel_ctx(), xfrm_policy_byidx(). Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: policy flushing in netnsAlexey Dobriyan1-1/+1
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: state walking in netnsAlexey Dobriyan1-1/+1
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: finding states in netnsAlexey Dobriyan1-3/+3
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: state lookup in netnsAlexey Dobriyan1-1/+1
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: state flush in netnsAlexey Dobriyan1-1/+1
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: add struct xfrm_policy::xp_netAlexey Dobriyan1-2/+2
Again, to avoid complications with passing netns when not necessary. Again, ->xp_net is set-once field, once set it never changes. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: per-netns km_waitqAlexey Dobriyan1-1/+1
Disallow spurious wakeups in __xfrm_lookup(). Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-25netns xfrm: add struct xfrm_state::xs_netAlexey Dobriyan1-1/+1
To avoid unnecessary complications with passing netns around. * set once, very early after allocating * once set, never changes For a while create every xfrm_state in init_net. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-11-06af_key: mark policy as dead before destroyingAlexey Dobriyan1-0/+1
xfrm_policy_destroy() will oops if not dead policy is passed to it. On error path in pfkey_compile_policy() exactly this happens. Oopsable for CAP_NET_ADMIN owners. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-10-31key: fix setkey(8) policy set breakageAlexey Dobriyan1-1/+0
Steps to reproduce: #/usr/sbin/setkey -f flush; spdflush; add 192.168.0.42 192.168.0.1 ah 24500 -A hmac-md5 "1234567890123456"; add 192.168.0.42 192.168.0.1 esp 24501 -E 3des-cbc "123456789012123456789012"; spdadd 192.168.0.42 192.168.0.1 any -P out ipsec esp/transport//require ah/transport//require; setkey: invalid keymsg length Policy dump will bail out with the same message after that. -recv(4, "\2\16\0\0\32\0\3\0\0\0\0\0\37\r\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\0*\0"..., 32768, 0) = 208 +recv(4, "\2\16\0\0\36\0\3\0\0\0\0\0H\t\0\0\3\0\5\0\377 \0\0\2\0\0\0\300\250\0*\0"..., 32768, 0) = 208 Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-10-10af_key: fix SADB_X_SPDDELETE responseTobias Brunner1-0/+1
When deleting an SPD entry using SADB_X_SPDDELETE, c.data.byid is not initialized to zero in pfkey_spddelete(). Thus, key_notify_policy() responds with a PF_KEY message of type SADB_X_SPDDELETE2 instead of SADB_X_SPDDELETE. Signed-off-by: Tobias Brunner <tobias.brunner@strongswan.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-10-05xfrm: MIGRATE enhancements (draft-ebalard-mext-pfkey-enhanced-migrate)Arnaud Ebalard1-17/+69
Provides implementation of the enhancements of XFRM/PF_KEY MIGRATE mechanism specified in draft-ebalard-mext-pfkey-enhanced-migrate-00. Defines associated PF_KEY SADB_X_EXT_KMADDRESS extension and XFRM/netlink XFRMA_KMADDRESS attribute. Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-10-01ipsec: Put dumpers on the dump listHerbert Xu1-5/+33
Herbert Xu came up with the idea and the original patch to make xfrm_state dump list contain also dumpers: As it is we go to extraordinary lengths to ensure that states don't go away while dumpers go to sleep. It's much easier if we just put the dumpers themselves on the list since they can't go away while they're going. I've also changed the order of addition on new states to prevent a never-ending dump. Timo Teräs improved the patch to apply cleanly to latest tree, modified iteration code to be more readable by using a common struct for entries in the list, implemented the same idea for xfrm_policy dumping and moved the af_key specific "last" entry caching to af_key. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-10-01af_key: Free dumping state on socket closeTimo Teras1-11/+19
Fix a xfrm_{state,policy}_walk leak if pfkey socket is closed while dumping is on-going. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-25net: convert BUG_TRAP to generic WARN_ONIlpo Järvinen1-2/+2
Removes legacy reinvent-the-wheel type thing. The generic machinery integrates much better to automated debugging aids such as kerneloops.org (and others), and is unambiguous due to better naming. Non-intuively BUG_TRAP() is actually equal to WARN_ON() rather than BUG_ON() though some might actually be promoted to BUG_ON() but I left that to future. I could make at least one BUILD_BUG_ON conversion. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-13Merge branch 'master' of ↵David S. Miller1-0/+3
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/smc911x.c
2008-06-12key: Use xfrm_addr_cmp() where appropriate.YOSHIFUJI Hideaki1-8/+1
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2008-06-12key: Share common code path to extract address from sockaddr{}.YOSHIFUJI Hideaki1-69/+38
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2008-06-12key: Share common code path to fill sockaddr{}.YOSHIFUJI Hideaki1-347/+111
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2008-06-12key: Introduce pfkey_sockaddr_len() for raw sockaddr{} length.YOSHIFUJI Hideaki1-31/+19
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
2008-06-10ipsec: pfkey should ignore events when no listenersJamal Hadi Salim1-0/+3
When pfkey has no km listeners, it still does a lot of work before finding out there aint nobody out there. If a tree falls in a forest and no one is around to hear it, does it make a sound? In this case it makes a lot of noise: With this short-circuit adding 10s of thousands of SAs using netlink improves performance by ~10%. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-21af_key: Fix selector family initialization.Kazunori MIYAZAWA1-1/+1
This propagates the xfrm_user fix made in commit bcf0dda8d2408fe1c1040cdec5a98e5fcad2ac72 ("[XFRM]: xfrm_user: fix selector family initialization") Based upon a bug report from, and tested by, Alan Swanson. Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-28Audit: collect sessionid in netlink messagesEric Paris1-5/+12
Previously I added sessionid output to all audit messages where it was available but we still didn't know the sessionid of the sender of netlink messages. This patch adds that information to netlink messages so we can audit who sent netlink messages. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2008-04-24af_key: Fix af_key.c compiler warningBrian Haley1-3/+2
net/key/af_key.c: In function ‘pfkey_spddelete’: net/key/af_key.c:2359: warning: ‘pol_ctx’ may be used uninitialized in this function When CONFIG_SECURITY_NETWORK_XFRM isn't set, security_xfrm_policy_alloc() is an inline that doesn't set pol_ctx, so this seemed like the easiest fix short of using *uninitialized_var(pol_ctx). Signed-off-by: Brian Haley <brian.haley@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-22[IPSEC]: Fix catch-22 with algorithm IDs above 31Herbert Xu1-1/+1
As it stands it's impossible to use any authentication algorithms with an ID above 31 portably. It just happens to work on x86 but fails miserably on ppc64. The reason is that we're using a bit mask to check the algorithm ID but the mask is only 32 bits wide. After looking at how this is used in the field, I have concluded that in the long term we should phase out state matching by IDs because this is made superfluous by the reqid feature. For current applications, the best solution IMHO is to allow all algorithms when the bit masks are all ~0. The following patch does exactly that. This bug was identified by IBM when testing on the ppc64 platform using the NULL authentication algorithm which has an ID of 251. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-04-12LSM: Make the Labeled IPsec hooks more stack friendlyPaul Moore1-12/+11
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to fix that problem by changing the LSM API to require only the relevant "security" pointers instead of the entire SPD entry; we do this for all of the security_xfrm_policy*() functions to keep things consistent. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-03-27Merge branch 'master' of ↵David S. Miller1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/net/usb/rndis_host.c drivers/net/wireless/b43/dma.c net/ipv6/ndisc.c
2008-03-24[IPSEC]: Fix inter address family IPsec tunnel handling.Kazunori MIYAZAWA1-1/+1
Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-03-03[AF_KEY]: Dump SA/SP entries non-atomicallyTimo Teras1-29/+91
Stop dumping of entries when af_key socket receive queue is getting full and continue it later when there is more room again. This fixes dumping of large databases. Currently the entries not fitting into the receive queue are just dropped (including the end-of-dump message) which can confuse applications. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-28[XFRM]: Speed up xfrm_policy and xfrm_state walkingTimo Teras1-4/+20
Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n). This is achieved adding the entries to one more list which is used solely for walking the entries. This also fixes some races where the dump can have duplicate or missing entries when the SPD/SADB is modified during an ongoing dump. Dumping SADB with 20000 entries using "time ip xfrm state" the sys time dropped from 1.012s to 0.080s. Signed-off-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-26[AF_KEY]: Fix oops by converting to proc_net_*().David S. Miller1-3/+2
To make sure the procfs visibility occurs after the ->proc_fs ops are setup, use proc_net_fops_create() and proc_net_remove(). This also fixes an OOPS after module unload in that the name string for remove was wrong, so it wouldn't actually be removed. That bug was introduced by commit 61145aa1a12401ac71bcc450a58c773dd6e2bfb9 ("[KEY]: Clean up proc files creation a bit.") Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-14[AF_KEY]: Fix bug in spdaddKazunori MIYAZAWA1-0/+1
This patch fix a BUG when adding spds which have same selector. Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-09[KEY]: Convert net/pfkey to use seq files.Pavel Emelyanov1-35/+57
The seq files API disposes the caller of the difficulty of checking file position, the length of data to produce and the size of provided buffer. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-09[KEY]: Clean up proc files creation a bit.Pavel Emelyanov1-8/+27
Mainly this removes ifdef-s from inside the ipsec_pfkey_init. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01[PATCH] switch audit_get_loginuid() to task_struct *Al Viro1-7/+7
all callers pass something->audit_context Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2008-01-28[XFRM] xfrm_policy_destroy: Rename and relative fixes.WANG Cong1-4/+2
Since __xfrm_policy_destroy is used to destory the resources allocated by xfrm_policy_alloc. So using the name __xfrm_policy_destroy is not correspond with xfrm_policy_alloc. Rename it to xfrm_policy_destroy. And along with some instances that call xfrm_policy_alloc but not using xfrm_policy_destroy to destroy the resource, fix them. Signed-off-by: WANG Cong <xiyou.wangcong@gmail.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-20[AF_KEY]: Fix skb leak on pfkey_send_migrate() errorPatrick McHardy1-7/+9
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>