Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-4.16.y 2018-01-18T09:42:59Z 2018-01-18T09:42:59Z Yossef Efraim yossefe@mellanox.com 2018-01-14T09:39:10Z urn:sha1:50bd870a9e5cca9fcf5fb4c130c373643d7d9906 This patch adds ESN support to IPsec device offload. Adding new xfrm device operation to synchronize device ESN. Signed-off-by: Yossef Efraim <yossefe@mellanox.com> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2017-12-29T20:42:26Z David S. Miller davem@davemloft.net 2017-12-29T20:14:27Z urn:sha1:6bb8824732f69de0f233ae6b1a8158e149627b38 net/ipv6/ip6_gre.c is a case of parallel adds. include/trace/events/tcp.h is a little bit more tricky. The removal of in-trace-macro ifdefs in 'net' paralleled with moving show_tcp_state_name and friends over to include/trace/events/sock.h in 'net-next'. Signed-off-by: David S. Miller <davem@davemloft.net> 2017-12-21T07:17:48Z Shannon Nelson shannon.nelson@oracle.com 2017-12-19T23:35:47Z urn:sha1:7f05b467a735aba1476d9ae8e0ae9d9d8e60066c The current XFRM code assumes that we've implemented the xdo_dev_state_free() callback, even if it is meaningless to the driver. This patch adds a check for it before calling, as done in other APIs, to prevent a NULL function pointer kernel crash. Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2017-12-20T09:41:48Z Steffen Klassert steffen.klassert@secunet.com 2017-12-20T09:41:48Z urn:sha1:2271d5190ec60b06921c2e4e184fd1f4fad4e634 With support of async crypto operations in the GSO codepath we have everything in place to allow GSO for local sockets. This patch enables the GSO codepath. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2017-12-20T09:41:36Z Steffen Klassert steffen.klassert@secunet.com 2017-12-20T09:41:36Z urn:sha1:f53c723902d1ac5f0b0a11d7c9dcbff748dde74e This patch implements asynchronous crypto callbacks and a backlog handler that can be used when IPsec is done at layer 2 in the TX path. It also extends the skb validate functions so that we can update the driver transmit return codes based on async crypto operation or to indicate that we queued the packet in a backlog queue. Joint work with: Aviv Heller <avivh@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2017-12-20T09:41:31Z Steffen Klassert steffen.klassert@secunet.com 2017-12-20T09:41:31Z urn:sha1:3dca3f38cfb8efb8571040568cac7d0025fa5bb1 We change the ESP GSO handlers to only segment the packets. The ESP handling and encryption is defered to validate_xmit_xfrm() where this is done for non GRO packets too. This makes the code more robust and prepares for asynchronous crypto handling. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2017-12-19T07:23:21Z Herbert Xu herbert@gondor.apana.org.au 2017-12-15T05:40:44Z urn:sha1:acf568ee859f098279eadf551612f103afdacb4e This is an old bugbear of mine: https://www.mail-archive.com/netdev@vger.kernel.org/msg03894.html By crafting special packets, it is possible to cause recursion in our kernel when processing transport-mode packets at levels that are only limited by packet size. The easiest one is with DNAT, but an even worse one is where UDP encapsulation is used in which case you just have to insert an UDP encapsulation header in between each level of recursion. This patch avoids this problem by reinjecting tranport-mode packets through a tasklet. Fixes: b05e106698d9 ("[IPV4/6]: Netfilter IPsec input hooks") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2017-11-30T14:54:26Z David Miller davem@davemloft.net 2017-11-28T20:40:46Z urn:sha1:0f6c480f23f49b53644b383c5554e579498347f3 The first member of an IPSEC route bundle chain sets it's dst->path to the underlying ipv4/ipv6 route that carries the bundle. Stated another way, if one were to follow the xfrm_dst->child chain of the bundle, the final non-NULL pointer would be the path and point to either an ipv4 or an ipv6 route. This is largely used to make sure that PMTU events propagate down to the correct ipv4 or ipv6 route. When we don't have the top of an IPSEC bundle 'dst->path == dst'. Move it down into xfrm_dst and key off of dst->xfrm. Signed-off-by: David S. Miller <davem@davemloft.net> Reviewed-by: Eric Dumazet <edumazet@google.com> 2017-11-30T14:54:26Z David Miller davem@davemloft.net 2017-11-28T20:45:44Z urn:sha1:b6ca8bd5a9198c70c48297390723e4e56bd6e879 XFRM bundle child chains look like this: xdst1 --> xdst2 --> xdst3 --> path_dst All of xdstN are xfrm_dst objects and xdst->u.dst.xfrm is non-NULL. The final child pointer in the chain, here called 'path_dst', is some other kind of route such as an ipv4 or ipv6 one. The xfrm output path pops routes, one at a time, via the child pointer, until we hit one which has a dst->xfrm pointer which is NULL. We can easily preserve the above mechanisms with child sitting only in the xfrm_dst structure. All children in the chain before we break out of the xfrm_output() loop have dst->xfrm non-NULL and are therefore xfrm_dst objects. Since we break out of the loop when we find dst->xfrm NULL, we will not try to dereference 'dst' as if it were an xfrm_dst. Signed-off-by: David S. Miller <davem@davemloft.net> 2017-11-30T14:54:26Z David Miller davem@davemloft.net 2017-11-28T20:40:28Z urn:sha1:45b018beddb631fb9a0ecbc3ba103521b03c4c80 This will make a future change moving the dst->child pointer less invasive. Signed-off-by: David S. Miller <davem@davemloft.net> Reviewed-by: Eric Dumazet <edumazet@google.com>