* pull request (net-next): ipsec-next 2022-01-06
@ 2022-01-06 9:13 Steffen Klassert
2022-01-06 9:13 ` [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements Steffen Klassert
` (7 more replies)
0 siblings, 8 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
1) Fix some clang_analyzer warnings about never read variables.
From luo penghao.
2) Check for pols[0] only once in xfrm_expand_policies().
From Jean Sacren.
3) The SA curlft.use_time was updated only on SA cration time.
Update whenever the SA is used. From Antony Antony
4) Add support for SM3 secure hash.
From Xu Jia.
5) Add support for SM4 symmetric cipher algorithm.
From Xu Jia.
6) Add a rate limit for SA mapping change messages.
From Antony Antony.
Please pull or let me know if there are problems.
Thanks!
The following changes since commit bb8cecf8ba127abca8ccd102207a59c55fdae515:
Merge branch 'lan78xx-napi' (2021-11-18 12:11:51 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master
for you to fetch changes up to 4e484b3e969b52effd95c17f7a86f39208b2ccf4:
xfrm: rate limit SA mapping change message to user space (2021-12-23 09:32:51 +0100)
----------------------------------------------------------------
Antony Antony (2):
xfrm: update SA curlft.use_time
xfrm: rate limit SA mapping change message to user space
Jean Sacren (1):
net: xfrm: drop check of pols[0] for the second time
Xu Jia (2):
xfrm: Add support for SM3 secure hash
xfrm: Add support for SM4 symmetric cipher algorithm
luo penghao (2):
ipv6/esp6: Remove structure variables and alignment statements
xfrm: Remove duplicate assignment
include/net/xfrm.h | 5 +++++
include/uapi/linux/pfkeyv2.h | 2 ++
include/uapi/linux/xfrm.h | 1 +
net/ipv6/esp6.c | 3 +--
net/xfrm/xfrm_algo.c | 41 +++++++++++++++++++++++++++++++++++++++++
net/xfrm/xfrm_compat.c | 6 ++++--
net/xfrm/xfrm_input.c | 1 +
net/xfrm/xfrm_output.c | 1 +
net/xfrm/xfrm_policy.c | 3 +--
net/xfrm/xfrm_state.c | 23 ++++++++++++++++++++++-
net/xfrm/xfrm_user.c | 18 +++++++++++++++++-
11 files changed, 96 insertions(+), 8 deletions(-)
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 12:20 ` patchwork-bot+netdevbpf
2022-01-06 9:13 ` [PATCH 2/7] xfrm: Remove duplicate assignment Steffen Klassert
` (6 subsequent siblings)
7 siblings, 1 reply; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: luo penghao <luo.penghao@zte.com.cn>
The definition of this variable is just to find the length of the
structure after aligning the structure. The PTR alignment function
is to optimize the size of the structure. In fact, it doesn't seem
to be of much use, because both members of the structure are of
type u32.
So I think that the definition of the variable and the
corresponding alignment can be deleted, the value of extralen can
be directly passed in the size of the structure.
The clang_analyzer complains as follows:
net/ipv6/esp6.c:117:27 warning:
Value stored to 'extra' during its initialization is never read
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: luo penghao <luo.penghao@zte.com.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv6/esp6.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index ed2f061b8768..c35c211c9cb7 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -114,7 +114,6 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
static void esp_ssg_unref(struct xfrm_state *x, void *tmp)
{
- struct esp_output_extra *extra = esp_tmp_extra(tmp);
struct crypto_aead *aead = x->data;
int extralen = 0;
u8 *iv;
@@ -122,7 +121,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp)
struct scatterlist *sg;
if (x->props.flags & XFRM_STATE_ESN)
- extralen += sizeof(*extra);
+ extralen += sizeof(struct esp_output_extra);
iv = esp_tmp_iv(aead, tmp, extralen);
req = esp_tmp_req(aead, iv);
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/7] xfrm: Remove duplicate assignment
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
2022-01-06 9:13 ` [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 9:13 ` [PATCH 3/7] net: xfrm: drop check of pols[0] for the second time Steffen Klassert
` (5 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: luo penghao <luo.penghao@zte.com.cn>
The statement in the switch is repeated with the statement at the
beginning of the while loop, so this statement is meaningless.
The clang_analyzer complains as follows:
net/xfrm/xfrm_policy.c:3392:2 warning:
Value stored to 'exthdr' is never read
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: luo penghao <luo.penghao@zte.com.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 1a06585022ab..edc673e78114 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3392,7 +3392,6 @@ decode_session6(struct sk_buff *skb, struct flowi *fl, bool reverse)
case NEXTHDR_DEST:
offset += ipv6_optlen(exthdr);
nexthdr = exthdr->nexthdr;
- exthdr = (struct ipv6_opt_hdr *)(nh + offset);
break;
case IPPROTO_UDP:
case IPPROTO_UDPLITE:
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/7] net: xfrm: drop check of pols[0] for the second time
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
2022-01-06 9:13 ` [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements Steffen Klassert
2022-01-06 9:13 ` [PATCH 2/7] xfrm: Remove duplicate assignment Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 9:13 ` [PATCH 4/7] xfrm: update SA curlft.use_time Steffen Klassert
` (4 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Jean Sacren <sakiwit@gmail.com>
!pols[0] is checked earlier. If we don't return, pols[0] is always
true. We should drop the check of pols[0] for the second time and the
binary is also smaller.
Before:
text data bss dec hex filename
48395 957 240 49592 c1b8 net/xfrm/xfrm_policy.o
After:
text data bss dec hex filename
48379 957 240 49576 c1a8 net/xfrm/xfrm_policy.o
Signed-off-by: Jean Sacren <sakiwit@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index edc673e78114..9341298b2a70 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2680,7 +2680,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
*num_xfrms = pols[0]->xfrm_nr;
#ifdef CONFIG_XFRM_SUB_POLICY
- if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
+ if (pols[0]->action == XFRM_POLICY_ALLOW &&
pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
XFRM_POLICY_TYPE_MAIN,
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/7] xfrm: update SA curlft.use_time
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
` (2 preceding siblings ...)
2022-01-06 9:13 ` [PATCH 3/7] net: xfrm: drop check of pols[0] for the second time Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 9:13 ` [PATCH 5/7] xfrm: Add support for SM3 secure hash Steffen Klassert
` (3 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Antony Antony <antony.antony@secunet.com>
SA use_time was only updated once, for the first packet.
with this fix update the use_time for every packet.
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_input.c | 1 +
net/xfrm/xfrm_output.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 70a8c36f0ba6..144238a50f3d 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -669,6 +669,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
x->curlft.bytes += skb->len;
x->curlft.packets++;
+ x->curlft.use_time = ktime_get_real_seconds();
spin_unlock(&x->lock);
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 229544bc70c2..3585bfc302f9 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -533,6 +533,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
x->curlft.bytes += skb->len;
x->curlft.packets++;
+ x->curlft.use_time = ktime_get_real_seconds();
spin_unlock_bh(&x->lock);
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 5/7] xfrm: Add support for SM3 secure hash
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
` (3 preceding siblings ...)
2022-01-06 9:13 ` [PATCH 4/7] xfrm: update SA curlft.use_time Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 9:13 ` [PATCH 6/7] xfrm: Add support for SM4 symmetric cipher algorithm Steffen Klassert
` (2 subsequent siblings)
7 siblings, 0 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Xu Jia <xujia39@huawei.com>
This patch allows IPsec to use SM3 HMAC authentication algorithm.
Signed-off-by: Xu Jia <xujia39@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
include/uapi/linux/pfkeyv2.h | 1 +
net/xfrm/xfrm_algo.c | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/include/uapi/linux/pfkeyv2.h b/include/uapi/linux/pfkeyv2.h
index d65b11785260..798ba9ffd48c 100644
--- a/include/uapi/linux/pfkeyv2.h
+++ b/include/uapi/linux/pfkeyv2.h
@@ -309,6 +309,7 @@ struct sadb_x_filter {
#define SADB_X_AALG_SHA2_512HMAC 7
#define SADB_X_AALG_RIPEMD160HMAC 8
#define SADB_X_AALG_AES_XCBC_MAC 9
+#define SADB_X_AALG_SM3_256HMAC 10
#define SADB_X_AALG_NULL 251 /* kame */
#define SADB_AALG_MAX 251
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 4dae3ab8d030..00b5444a4d86 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -341,6 +341,26 @@ static struct xfrm_algo_desc aalg_list[] = {
.pfkey_supported = 0,
},
+{
+ .name = "hmac(sm3)",
+ .compat = "sm3",
+
+ .uinfo = {
+ .auth = {
+ .icv_truncbits = 256,
+ .icv_fullbits = 256,
+ }
+ },
+
+ .pfkey_supported = 1,
+
+ .desc = {
+ .sadb_alg_id = SADB_X_AALG_SM3_256HMAC,
+ .sadb_alg_ivlen = 0,
+ .sadb_alg_minbits = 256,
+ .sadb_alg_maxbits = 256
+ }
+},
};
static struct xfrm_algo_desc ealg_list[] = {
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 6/7] xfrm: Add support for SM4 symmetric cipher algorithm
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
` (4 preceding siblings ...)
2022-01-06 9:13 ` [PATCH 5/7] xfrm: Add support for SM3 secure hash Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 9:13 ` [PATCH 7/7] xfrm: rate limit SA mapping change message to user space Steffen Klassert
2022-01-06 12:20 ` pull request (net-next): ipsec-next 2022-01-06 patchwork-bot+netdevbpf
7 siblings, 0 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Xu Jia <xujia39@huawei.com>
This patch adds SM4 encryption algorithm entry to ealg_list.
Signed-off-by: Xu Jia <xujia39@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
include/uapi/linux/pfkeyv2.h | 1 +
net/xfrm/xfrm_algo.c | 21 +++++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/include/uapi/linux/pfkeyv2.h b/include/uapi/linux/pfkeyv2.h
index 798ba9ffd48c..8abae1f6749c 100644
--- a/include/uapi/linux/pfkeyv2.h
+++ b/include/uapi/linux/pfkeyv2.h
@@ -330,6 +330,7 @@ struct sadb_x_filter {
#define SADB_X_EALG_AES_GCM_ICV16 20
#define SADB_X_EALG_CAMELLIACBC 22
#define SADB_X_EALG_NULL_AES_GMAC 23
+#define SADB_X_EALG_SM4CBC 24
#define SADB_EALG_MAX 253 /* last EALG */
/* private allocations should use 249-255 (RFC2407) */
#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 00b5444a4d86..094734fbec96 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -572,6 +572,27 @@ static struct xfrm_algo_desc ealg_list[] = {
.sadb_alg_maxbits = 288
}
},
+{
+ .name = "cbc(sm4)",
+ .compat = "sm4",
+
+ .uinfo = {
+ .encr = {
+ .geniv = "echainiv",
+ .blockbits = 128,
+ .defkeybits = 128,
+ }
+ },
+
+ .pfkey_supported = 1,
+
+ .desc = {
+ .sadb_alg_id = SADB_X_EALG_SM4CBC,
+ .sadb_alg_ivlen = 16,
+ .sadb_alg_minbits = 128,
+ .sadb_alg_maxbits = 256
+ }
+},
};
static struct xfrm_algo_desc calg_list[] = {
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 7/7] xfrm: rate limit SA mapping change message to user space
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
` (5 preceding siblings ...)
2022-01-06 9:13 ` [PATCH 6/7] xfrm: Add support for SM4 symmetric cipher algorithm Steffen Klassert
@ 2022-01-06 9:13 ` Steffen Klassert
2022-01-06 12:20 ` pull request (net-next): ipsec-next 2022-01-06 patchwork-bot+netdevbpf
7 siblings, 0 replies; 10+ messages in thread
From: Steffen Klassert @ 2022-01-06 9:13 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Antony Antony <antony.antony@secunet.com>
Kernel generates mapping change message, XFRM_MSG_MAPPING,
when a source port chage is detected on a input state with UDP
encapsulation set. Kernel generates a message for each IPsec packet
with new source port. For a high speed flow per packet mapping change
message can be excessive, and can overload the user space listener.
Introduce rate limiting for XFRM_MSG_MAPPING message to the user space.
The rate limiting is configurable via netlink, when adding a new SA or
updating it. Use the new attribute XFRMA_MTIMER_THRESH in seconds.
v1->v2 change:
update xfrm_sa_len()
v2->v3 changes:
use u32 insted unsigned long to reduce size of struct xfrm_state
fix xfrm_ompat size Reported-by: kernel test robot <lkp@intel.com>
accept XFRM_MSG_MAPPING only when XFRMA_ENCAP is present
Co-developed-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
include/net/xfrm.h | 5 +++++
include/uapi/linux/xfrm.h | 1 +
net/xfrm/xfrm_compat.c | 6 ++++--
net/xfrm/xfrm_state.c | 23 ++++++++++++++++++++++-
net/xfrm/xfrm_user.c | 18 +++++++++++++++++-
5 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 2308210793a0..2589e4c0501b 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -200,6 +200,11 @@ struct xfrm_state {
struct xfrm_algo_aead *aead;
const char *geniv;
+ /* mapping change rate limiting */
+ __be16 new_mapping_sport;
+ u32 new_mapping; /* seconds */
+ u32 mapping_maxage; /* seconds for input SA */
+
/* Data for encapsulator */
struct xfrm_encap_tmpl *encap;
struct sock __rcu *encap_sk;
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index eda0426ec4c2..4e29d7851890 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -313,6 +313,7 @@ enum xfrm_attr_type_t {
XFRMA_SET_MARK, /* __u32 */
XFRMA_SET_MARK_MASK, /* __u32 */
XFRMA_IF_ID, /* __u32 */
+ XFRMA_MTIMER_THRESH, /* __u32 in seconds for input SA */
__XFRMA_MAX
#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK /* Compatibility */
diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
index 2bf269390163..a0f62fa02e06 100644
--- a/net/xfrm/xfrm_compat.c
+++ b/net/xfrm/xfrm_compat.c
@@ -127,6 +127,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = {
[XFRMA_SET_MARK] = { .type = NLA_U32 },
[XFRMA_SET_MARK_MASK] = { .type = NLA_U32 },
[XFRMA_IF_ID] = { .type = NLA_U32 },
+ [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },
};
static struct nlmsghdr *xfrm_nlmsg_put_compat(struct sk_buff *skb,
@@ -274,9 +275,10 @@ static int xfrm_xlate64_attr(struct sk_buff *dst, const struct nlattr *src)
case XFRMA_SET_MARK:
case XFRMA_SET_MARK_MASK:
case XFRMA_IF_ID:
+ case XFRMA_MTIMER_THRESH:
return xfrm_nla_cpy(dst, src, nla_len(src));
default:
- BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID);
+ BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH);
pr_warn_once("unsupported nla_type %d\n", src->nla_type);
return -EOPNOTSUPP;
}
@@ -431,7 +433,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
int err;
if (type > XFRMA_MAX) {
- BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID);
+ BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH);
NL_SET_ERR_MSG(extack, "Bad attribute");
return -EOPNOTSUPP;
}
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a2f4001221d1..78d51399a0f4 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1593,6 +1593,9 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
x->km.seq = orig->km.seq;
x->replay = orig->replay;
x->preplay = orig->preplay;
+ x->mapping_maxage = orig->mapping_maxage;
+ x->new_mapping = 0;
+ x->new_mapping_sport = 0;
return x;
@@ -2242,7 +2245,7 @@ int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
}
EXPORT_SYMBOL(km_query);
-int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
+static int __km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
{
int err = -EINVAL;
struct xfrm_mgr *km;
@@ -2257,6 +2260,24 @@ int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
rcu_read_unlock();
return err;
}
+
+int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
+{
+ int ret = 0;
+
+ if (x->mapping_maxage) {
+ if ((jiffies / HZ - x->new_mapping) > x->mapping_maxage ||
+ x->new_mapping_sport != sport) {
+ x->new_mapping_sport = sport;
+ x->new_mapping = jiffies / HZ;
+ ret = __km_new_mapping(x, ipaddr, sport);
+ }
+ } else {
+ ret = __km_new_mapping(x, ipaddr, sport);
+ }
+
+ return ret;
+}
EXPORT_SYMBOL(km_new_mapping);
void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 7c36cc1f3d79..130240680655 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -282,6 +282,10 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
err = 0;
+ if (attrs[XFRMA_MTIMER_THRESH])
+ if (!attrs[XFRMA_ENCAP])
+ err = -EINVAL;
+
out:
return err;
}
@@ -521,6 +525,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+ struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
if (re) {
struct xfrm_replay_state_esn *replay_esn;
@@ -552,6 +557,9 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
if (rt)
x->replay_maxdiff = nla_get_u32(rt);
+
+ if (mt)
+ x->mapping_maxage = nla_get_u32(mt);
}
static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m)
@@ -1024,8 +1032,13 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
if (ret)
goto out;
}
- if (x->security)
+ if (x->security) {
ret = copy_sec_ctx(x->security, skb);
+ if (ret)
+ goto out;
+ }
+ if (x->mapping_maxage)
+ ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage);
out:
return ret;
}
@@ -3069,6 +3082,9 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x)
/* Must count x->lastused as it may become non-zero behind our back. */
l += nla_total_size_64bit(sizeof(u64));
+ if (x->mapping_maxage)
+ l += nla_total_size(sizeof(x->mapping_maxage));
+
return l;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: pull request (net-next): ipsec-next 2022-01-06
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
` (6 preceding siblings ...)
2022-01-06 9:13 ` [PATCH 7/7] xfrm: rate limit SA mapping change message to user space Steffen Klassert
@ 2022-01-06 12:20 ` patchwork-bot+netdevbpf
7 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-01-06 12:20 UTC (permalink / raw)
To: Steffen Klassert; +Cc: davem, kuba, herbert, netdev
Hello:
This pull request was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:
On Thu, 6 Jan 2022 10:13:43 +0100 you wrote:
> 1) Fix some clang_analyzer warnings about never read variables.
> From luo penghao.
>
> 2) Check for pols[0] only once in xfrm_expand_policies().
> From Jean Sacren.
>
> 3) The SA curlft.use_time was updated only on SA cration time.
> Update whenever the SA is used. From Antony Antony
>
> [...]
Here is the summary with links:
- pull request (net-next): ipsec-next 2022-01-06
https://git.kernel.org/netdev/net/c/c4251db3b9d2
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements
2022-01-06 9:13 ` [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements Steffen Klassert
@ 2022-01-06 12:20 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-01-06 12:20 UTC (permalink / raw)
To: Steffen Klassert; +Cc: davem, kuba, herbert, netdev
Hello:
This series was applied to netdev/net-next.git (master)
by Steffen Klassert <steffen.klassert@secunet.com>:
On Thu, 6 Jan 2022 10:13:44 +0100 you wrote:
> From: luo penghao <luo.penghao@zte.com.cn>
>
> The definition of this variable is just to find the length of the
> structure after aligning the structure. The PTR alignment function
> is to optimize the size of the structure. In fact, it doesn't seem
> to be of much use, because both members of the structure are of
> type u32.
> So I think that the definition of the variable and the
> corresponding alignment can be deleted, the value of extralen can
> be directly passed in the size of the structure.
>
> [...]
Here is the summary with links:
- [1/7] ipv6/esp6: Remove structure variables and alignment statements
https://git.kernel.org/netdev/net-next/c/c6e7871894a3
- [2/7] xfrm: Remove duplicate assignment
https://git.kernel.org/netdev/net-next/c/2e1809208a4a
- [3/7] net: xfrm: drop check of pols[0] for the second time
https://git.kernel.org/netdev/net-next/c/ac1077e92825
- [4/7] xfrm: update SA curlft.use_time
https://git.kernel.org/netdev/net-next/c/af734a26a1a9
- [5/7] xfrm: Add support for SM3 secure hash
https://git.kernel.org/netdev/net-next/c/e6911affa416
- [6/7] xfrm: Add support for SM4 symmetric cipher algorithm
https://git.kernel.org/netdev/net-next/c/23b6a6df94c6
- [7/7] xfrm: rate limit SA mapping change message to user space
https://git.kernel.org/netdev/net-next/c/4e484b3e969b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2022-01-06 12:20 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-06 9:13 pull request (net-next): ipsec-next 2022-01-06 Steffen Klassert
2022-01-06 9:13 ` [PATCH 1/7] ipv6/esp6: Remove structure variables and alignment statements Steffen Klassert
2022-01-06 12:20 ` patchwork-bot+netdevbpf
2022-01-06 9:13 ` [PATCH 2/7] xfrm: Remove duplicate assignment Steffen Klassert
2022-01-06 9:13 ` [PATCH 3/7] net: xfrm: drop check of pols[0] for the second time Steffen Klassert
2022-01-06 9:13 ` [PATCH 4/7] xfrm: update SA curlft.use_time Steffen Klassert
2022-01-06 9:13 ` [PATCH 5/7] xfrm: Add support for SM3 secure hash Steffen Klassert
2022-01-06 9:13 ` [PATCH 6/7] xfrm: Add support for SM4 symmetric cipher algorithm Steffen Klassert
2022-01-06 9:13 ` [PATCH 7/7] xfrm: rate limit SA mapping change message to user space Steffen Klassert
2022-01-06 12:20 ` pull request (net-next): ipsec-next 2022-01-06 patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).