Hi,
On Mon, Mar 15, 2021 at 16:29:59 +0100, Sabrina Dubroca wrote:
> 2021-03-15, 11:43:50 +0100, Steffen Klassert wrote:
> > On Wed, Mar 10, 2021 at 10:36:11AM +0100, Antony Antony wrote:
> > > When ESP offload is not supported by the device return an error,
> > > -
defined and the user is trying to create an SA with the offload.
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Antony Antony
---
include/net/xfrm.h | 2 +-
net/xfrm/xfrm_device.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
di
s with tabs for consistency
v3->v4
- use kernel lockdown instead of a /proc setting
v4->v5
- remove kconfig option
Reviewed-by: Stephan Mueller
Signed-off-by: Antony Antony
---
include/linux/security.h | 1 +
net/xfrm/xfrm_user.c | 74
securit
On Sat, Oct 31, 2020 at 11:49:11 +0100, Steffen Klassert wrote:
> On Fri, Oct 16, 2020 at 03:36:12PM +0200, Antony Antony wrote:
> > redact XFRM SA secret in the netlink response to xfrm_get_sa()
> > or dumpall sa.
> > Enable this at build time and set kernel lockdo
bs for consistency
v3->v4
- use kernel lockdown instead of a /proc setting
Reviewed-by: Stephan Mueller
Signed-off-by: Antony Antony
---
include/linux/security.h | 1 +
net/xfrm/Kconfig | 9 +
net/xfrm/xfrm_user.c | 76
security/s
: add ipsec offload add and remove SA")
Signed-off-by: Antony Antony
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 5 +
drivers/net/ethernet/intel/ixgbevf/ipsec.c | 5 +
2 files changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
b/drivers/ne
.0.0/0 dst 0.0.0.0/0
Signed-off-by: Antony Antony
---
v1 -> v2
- add man page and usage for mask
--
ip/xfrm_state.c| 23 ++-
man/man8/ip-xfrm.8 | 4 +++-
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index ddf78
.0.0/0 dst 0.0.0.0/0
Signed-off-by: Antony Antony
---
ip/xfrm_state.c | 21 +
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index ddf784ca..779ccf0e 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -328,7 +328,7 @@
" is wrong: MARK value is invalid
./ip/ip xfrm state add mark 0xZZ mask 0xab proto esp auth \
digest_null 0 enc cipher_null ''
Error: argument "0xZZ" is wrong: MARK value is invalid
Signed-off-by: Antony Antony
---
ip/xfrm_state.c | 13 +++--
1 file changed, 7 inserti
r: argument "0xZZ" is wrong: value after "output-mark" is invalid
vs
./ip/ip xfrm state add mark 0xZZ mask 0xab proto esp \
auth digest_null 0 enc cipher_null ''
Error: argument "0xZZ" is wrong: MARK value is invalid
Signed-off-by: Antony Antony
---
When cloning a state, only add_time was cloned. It missed values like
bytes and packets. Now clone all the members of the structure.
v1->v3:
- use memcpy to copy the entire structure
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint
address(es)")
Signed-off-by:
XFRMA_SEC_CTX was not cloned from the old to the new.
Migrate this attribute during XFRMA_MSG_MIGRATE
v1->v2:
- return -ENOMEM on error
v2->v3:
- fix return type to int
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint
address(es)")
Signed-off-by: Antony
XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
Migrate this attribute during XFRMA_MSG_MIGRATE
v1->v2:
- move curleft cloning to a separate patch
Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
Signed-off-by: Antony Antony
---
inclu
XFRMA_SET_MARK and XFRMA_SET_MARK_MASK was not cloned from the old
to the new. Migrate these two attributes during XFRMA_MSG_MIGRATE
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction
and masking.")
Signed-off-by: Antony Antony
---
net/xfrm/xfrm_state.c | 1
32 flag af-unspec
output-mark 0x3/0xff
aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
if_id 0x1
Signed-off-by: Antony Antony
---
ip/ipxfrm.c | 4
1 file changed, 4 insertions(+)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index cac8ba25..e4a72bd0 100644
--- a/ip/ipxfrm.c
Based on talks and indirect references, the ixgbe driver does not
support offloading IPsec tunnel mode. It only supports transport mode.
Now fail explicitly when trying to offload it.
Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA")
Signed-off-by: Antony Antony
---
Hi David,
On Mon, Aug 24, 2020 at 08:00:38 +0200, Antony Antony wrote:
> On Thu, Aug 20, 2020 at 15:42:22 -0700, David Miller wrote:
> > From: Antony Antony
> > Date: Thu, 20 Aug 2020 20:35:49 +0200
> >
> > > Redacting secret is a FIPS 140-2 requirement.
> &g
When cloning a state, only add_time was cloned. It missed values like
bytes and packets. Now clone all the members of the structure.
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint
address(es)")
Signed-off-by: Antony Antony
---
net/xfrm/xfrm_state.c | 2 +-
1 file
XFRMA_SEC_CTX was not cloned from the old to the new.
Migrate this attribute during XFRMA_MSG_MIGRATE
v1->v2:
- return -ENOMEM on error
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint
address(es)")
Signed-off-by: Antony Antony
---
net/xfrm/xfrm
XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
Migrate this attribute during XFRMA_MSG_MIGRATE
v1->v2:
- move curleft cloning to a separate patch
Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
Signed-off-by: Antony Antony
---
inclu
XFRMA_SET_MARK and XFRMA_SET_MARK_MASK was not cloned from the old
to the new. Migrate these two attributes during XFRMA_MSG_MIGRATE
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction
and masking.")
Signed-off-by: Antony Antony
---
net/xfrm/xfrm_state.c | 1
On Thu, Aug 20, 2020 at 15:42:22 -0700, David Miller wrote:
> From: Antony Antony
> Date: Thu, 20 Aug 2020 20:35:49 +0200
>
> > Redacting secret is a FIPS 140-2 requirement.
>
> Why not control this via the kernel lockdown mode rather than making
> an ad-hoc API for t
lls
v1->v3
- replace spaces with tabs for consistency
Signed-off-by: Antony Antony
---
Documentation/networking/xfrm_sysctl.rst | 7 +++
include/net/netns/xfrm.h | 1 +
net/xfrm/Kconfig | 10
net/xfrm/xfrm_sysctl.c | 20 +++
XFRMA_SEC_CTX was not cloned from the old to the new.
Migrate this attribute during XFRMA_MSG_MIGRATE
Signed-off-by: Antony Antony
---
net/xfrm/xfrm_state.c | 28
1 file changed, 28 insertions(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index
XFRMA_REPLAY_ESN_VAL was not cloned from the old to the new.
Migrate this attribute during XFRMA_MSG_MIGRATE
Signed-off-by: Antony Antony
---
include/net/xfrm.h| 16 ++--
net/xfrm/xfrm_state.c | 2 +-
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/include/net
XFRMA_SET_MARK and XFRMA_SET_MARK_MASK was not cloned from the old
to the new. Migrate these two attributes during XFRMA_MSG_MIGRATE
Signed-off-by: Antony Antony
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index
gcm(aes)) 0x 96
the aead secret is redacted.
/proc/sys/core/net/xfrm_redact_secret is a toggle.
Once enabled, either at compile or via proc, it can not be disabled.
Redacting secret is a FIPS 140-2 requirement.
---
Signed-off-by: Antony Antony
---
v1-
On Tue, Jul 28, 2020 at 21:09:10 +0200, Stephan Mueller wrote:
> Am Dienstag, 28. Juli 2020, 17:47:30 CEST schrieb Antony Antony:
>
> Hi Antony,
>
> > when enabled, 1, redact XFRM SA secret in the netlink response to
> > xfrm_get_sa() or dump all sa.
> >
> >
On Wed, Jul 29, 2020 at 02:22:52 +1000, Herbert Xu wrote:
> On Tue, Jul 28, 2020 at 05:47:30PM +0200, Antony Antony wrote:
> > when enabled, 1, redact XFRM SA secret in the netlink response to
> > xfrm_get_sa() or dump all sa.
> >
> > e.g
> > echo 1 > /proc/sy
gcm(aes)) 0x 96
the aead secret is redacted.
/proc/sys/core/net/xfrm_redact_secret is a toggle.
Once enabled, either at compile or via proc, it can not be disabled.
Redacting secret is a FIPS 140-2 requirement.
Cc: Stephan Mueller
Signed-off-by: Antony Ant
ned-off-by: Antony Antony
---
ip/link_xfrm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ip/link_xfrm.c b/ip/link_xfrm.c
index 79a902fd..7f66bad6 100644
--- a/ip/link_xfrm.c
+++ b/ip/link_xfrm.c
@@ -34,7 +34,9 @@ static int xfrm_parse_opt(struct link_util *lu, int argc,
c
ort for setting / displaying this attribute.
> >
> > Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
> > was provided in command line.
> >
> > Tested-by: Antony Antony
> > Signed-off-by: Eyal Birger
>
> This is already handled b
Tested-by: Antony Antony
On Fri, Apr 05, 2019 at 03:46:02PM -0400, Matt Ellison wrote:
> I recently submitted v3 of the patch, please take a look there.
great. I am testing v3 now.
One comment. It seems to accept a -ve value for if_id and quietly sets it to 0;
maybe throw an error for -ve val
Tested-by: Antony Antony
Question: is it easy to add "if_id" to "ip link show" output?
currently:
ip link show ipsec0
4: ipsec0@eth1: mtu 1500 qdisc noqueue state UNKNOWN mode
DEFAULT group default qlen 1000
link/none da:25:61:2e:0c:98 brd ff:ff:ff:ff:ff:ff
proposed:
Hi Lorenzo,
I agree vti is very limiting! I am glad to hear about xfrmi.
I saw two tunnels between gateways send traffic using VTI. So I am curious
what is different in your case. Or are you dealing with something else?
Here are a couple of outputs from libreswan testing
this is the verbose ou
copy geniv when cloning the xfrm state.
x->geniv was not copied to the new state and migration would fail.
xfrm_do_migrate
..
xfrm_state_clone()
..
..
esp_init_aead()
crypto_alloc_aead()
crypto_alloc_tfm()
crypto_find_alg() return EAGAIN and failed
Signed-off-by: Ant
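The MIGRATE clone fixes collected above (curlft bytes/packets, XFRMA_SEC_CTX, XFRMA_REPLAY_ESN_VAL, XFRMA_SET_MARK/XFRMA_SET_MARK_MASK, and geniv) all come down to one rule: the cloned state has to carry every member of the old one, and each kind of member needs its own copy strategy (plain scalars by assignment, a pointer to a constant string shared, owned variable-length buffers duplicated). The C program below is an added example written for this page, not kernel code and not one of the patches in this thread: it models an SA state in userspace with invented struct names (sa_state, replay_esn, sec_ctx) and invented values, puts a full clone next to the old add_time-only clone, and checks the result. The real kernel structures (struct xfrm_state, xfrm_replay_state_esn, xfrm_sec_ctx) have more members and different names.

```c
/* Userspace model of cloning an IPsec SA state for MIGRATE. Added example,
 * not kernel code: struct names, members and values are invented for this
 * page; the kernel's struct xfrm_state and xfrm_state_clone() differ. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct replay_esn {             /* models xfrm_replay_state_esn: header + bmp[bmp_len] */
	uint32_t bmp_len, oseq, seq, oseq_hi, seq_hi, replay_window;
	uint32_t bmp[];
};
struct sec_ctx {                /* models xfrm_sec_ctx: header + ctx_len bytes */
	uint8_t ctx_doi, ctx_alg; uint16_t ctx_len; uint32_t ctx_sid; char ctx_str[];
};
struct sa_state {
	struct { uint64_t add_time, use_time, bytes, packets; } curlft; /* xfrm_lifetime_cur */
	struct { uint32_t v, m; } smark;        /* XFRMA_SET_MARK / XFRMA_SET_MARK_MASK */
	const char *geniv;                      /* constant string owned by the crypto layer */
	struct replay_esn *replay_esn, *preplay_esn; /* variable length, owned by the state */
	struct sec_ctx *security;               /* variable length, owned by the state */
};

static size_t esn_size(const struct replay_esn *e) { return e ? sizeof *e + e->bmp_len * sizeof e->bmp[0] : 0; }
static size_t ctx_size(const struct sec_ctx *c) { return c ? sizeof *c + c->ctx_len : 0; }
static void *dup_mem(const void *p, size_t n) { void *q = malloc(n); if (q) memcpy(q, p, n); return q; }
/* Equal bytes in distinct storage, or both absent. */
static int buf_eq(const void *a, const void *b, size_t na, size_t nb)
{
	return (!a || !b) ? a == b : (a != b && na == nb && memcmp(a, b, na) == 0);
}
void sa_free(struct sa_state *x)
{
	if (x) { free(x->replay_esn); free(x->preplay_esn); free(x->security); free(x); }
}

/* Full clone: scalars by struct assignment, the constant pointer shared,
 * owned variable-length buffers duplicated. NULL on ENOMEM, nothing leaked. */
struct sa_state *sa_clone(const struct sa_state *o)
{
	struct sa_state *x = calloc(1, sizeof *x);
	if (!x) return NULL;
	x->curlft = o->curlft;      /* add_time, use_time, bytes and packets in one go */
	x->smark = o->smark;
	x->geniv = o->geniv;        /* without it esp_init_aead() cannot build the aead name */
	if (o->replay_esn && !(x->replay_esn = dup_mem(o->replay_esn, esn_size(o->replay_esn)))) goto err;
	if (o->preplay_esn && !(x->preplay_esn = dup_mem(o->preplay_esn, esn_size(o->preplay_esn)))) goto err;
	if (o->security && !(x->security = dup_mem(o->security, ctx_size(o->security)))) goto err;
	return x;
err:
	sa_free(x);
	return NULL;
}
/* Models what the fixes above replace: only add_time was carried over. */
struct sa_state *sa_clone_partial(const struct sa_state *o)
{
	struct sa_state *x = calloc(1, sizeof *x);
	if (x) x->curlft.add_time = o->curlft.add_time;
	return x;
}

/* 1 if every modelled member survived the clone, 0 otherwise. */
int sa_clone_complete(const struct sa_state *o, const struct sa_state *c)
{
	if (memcmp(&o->curlft, &c->curlft, sizeof o->curlft) || memcmp(&o->smark, &c->smark, sizeof o->smark))
		return 0;
	if ((o->geniv == NULL) != (c->geniv == NULL) || (o->geniv && strcmp(o->geniv, c->geniv) != 0))
		return 0;
	return buf_eq(o->replay_esn, c->replay_esn, esn_size(o->replay_esn), esn_size(c->replay_esn)) &&
	       buf_eq(o->preplay_esn, c->preplay_esn, esn_size(o->preplay_esn), esn_size(c->preplay_esn)) &&
	       buf_eq(o->security, c->security, ctx_size(o->security), ctx_size(c->security));
}

/* Constructed sample state; every value here is invented for the example. */
struct sa_state *sa_sample(void)
{
	static const char label[] = "system_u:object_r:ipsec_spd_t:s0";
	struct sa_state *x = calloc(1, sizeof *x);
	struct replay_esn *e = calloc(1, sizeof *e + 4 * sizeof(uint32_t));
	struct sec_ctx *s = calloc(1, sizeof *s + sizeof label);
	if (!x || !e || !s) { free(x); free(e); free(s); return NULL; }
	e->bmp_len = 4; e->seq = 0x7d2; e->replay_window = 128; e->bmp[0] = 0x80000001u;
	s->ctx_doi = 1; s->ctx_alg = 1; s->ctx_len = sizeof label; memcpy(s->ctx_str, label, sizeof label);
	x->curlft.add_time = 1597945549; x->curlft.bytes = 136; x->curlft.packets = 1;
	x->smark.v = 0x3; x->smark.m = 0xff;
	x->geniv = "seqiv";
	x->replay_esn = e; x->preplay_esn = dup_mem(e, esn_size(e)); x->security = s;
	return x;
}
/* 1 when the full clone checks out and owns its own buffers (0 also on ENOMEM). */
int demo_full_clone(void)
{
	struct sa_state *o = sa_sample(), *c = o ? sa_clone(o) : NULL;
	int ok = o && c && sa_clone_complete(o, c) && c->security != o->security;
	sa_free(c); sa_free(o);
	return ok;
}
/* 1 when the add_time-only clone is reported as incomplete. */
int demo_partial_clone_detected(void)
{
	struct sa_state *o = sa_sample(), *p = o ? sa_clone_partial(o) : NULL;
	int detected = o && p && !sa_clone_complete(o, p) && p->curlft.add_time == o->curlft.add_time;
	sa_free(p); sa_free(o);
	return detected;
}
```

The check in sa_clone_complete is what a regression test for this class of bug wants: it fails both when a member is missing and when an owned buffer is merely aliased, which is the difference between "migration succeeds" and "the old state's kfree leaves the new one pointing at freed memory".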
UPDATE_SA
message to migrate the IPsec SA. The change could be a change of UDP
encapsulation port, IP address, or both.
Reported-by: Paul Wouters
Signed-off-by: Antony Antony
Reviewed-by: Richard Guy Briggs
---
include/net/xfrm.h | 6 --
net/key/af_key.c | 2 +-
net/xfrm/xfrm_policy.c
Add XFRMA_ENCAP, UDP encapsulation port, to km_migrate announcement
to userland. Only add if XFRMA_ENCAP was in the user migrate request.
Signed-off-by: Antony Antony
Reviewed-by: Richard Guy Briggs
---
Changes in v2:
- fixed pfkey_send_migrate, warning reported by kbuild test robot
Add XFRMA_ENCAP, UDP encapsulation port, to km_migrate announcement
to userland. Only add if XFRMA_ENCAP was in the user migrate request.
Signed-off-by: Antony Antony
---
include/net/xfrm.h | 5 +++--
net/key/af_key.c | 3 ++-
net/xfrm/xfrm_policy.c | 2 +-
net/xfrm/xfrm_state.c | 5
address, port, or both could
change. With this patch xfrm_do_migrate will also support port change
if necessary.
Antony Antony (2):
xfrm: extend MIGRATE with UDP encapsulation port
xfrm: add UDP encapsulation port in migrate message
include/net/xfrm.h | 11 +++
net/key/af_key.c
UPDATE_SA
message to migrate the IPsec SA. The change could be a change of UDP
encapsulation port, IP address, or both.
Reported-by: Paul Wouters
Signed-off-by: Antony Antony
---
include/net/xfrm.h | 6 --
net/key/af_key.c | 2 +-
net/xfrm/xfrm_policy.c | 11 ---
net/xfrm
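To make the MIGRATE-with-encap-port request from the two patches above concrete, here is an added C example (not kernel, iproute2 or libreswan code) that encodes an XFRM_MSG_MIGRATE netlink message carrying XFRMA_MIGRATE plus an optional XFRMA_ENCAP, and decodes it back. The struct layouts and numeric constants are hand-copied from uapi/linux/xfrm.h and uapi/linux/netlink.h as I know them and are therefore an assumption; real code should include those headers, and the size check in the block exists to catch drift. The endpoints and port 4500 are the ones in the tcpdump output on this page; the zero selector, policy direction and sequence number are placeholders.

```c
/* Encoder/decoder for an XFRM_MSG_MIGRATE request carrying XFRMA_ENCAP.
 * Added example, not kernel, iproute2 or libreswan code. Assumption: the
 * struct layouts and constants are hand-copied from uapi/linux/xfrm.h and
 * uapi/linux/netlink.h; real code should include those headers instead. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define NLA_ALIGN(n)        (((n) + 3u) & ~3u)
#define NLM_F_REQUEST       0x01
#define XFRM_MSG_MIGRATE    0x21
#define XFRMA_ENCAP         4
#define XFRMA_MIGRATE       17
#define XFRM_MODE_TUNNEL    1
#define UDP_ENCAP_ESPINUDP  2           /* linux/udp.h: RFC 3948 ESP-in-UDP */

typedef union { uint32_t a4; uint32_t a6[4]; } xfrm_addr;                  /* xfrm_address_t */
struct nl_hdr  { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };  /* struct nlmsghdr */
struct nl_attr { uint16_t len, type; };                                     /* struct nlattr */
struct xfrm_sel {                                                           /* struct xfrm_selector */
	xfrm_addr daddr, saddr; uint16_t dport, dport_mask, sport, sport_mask, family;
	uint8_t prefixlen_d, prefixlen_s, proto; int ifindex; uint32_t user;
};
struct xfrm_pol_id { struct xfrm_sel sel; uint32_t index; uint8_t dir; };   /* xfrm_userpolicy_id */
struct xfrm_migrate {                                                       /* xfrm_user_migrate */
	xfrm_addr old_daddr, old_saddr, new_daddr, new_saddr;
	uint8_t proto, mode; uint16_t reserved; uint32_t reserved2; uint16_t family;
};
struct xfrm_encap { uint16_t encap_type, encap_sport, encap_dport; xfrm_addr encap_oa; }; /* xfrm_encap_tmpl, ports big-endian */
/* Compile-time guard: sizes must match the uapi structs (64, 76, 24 bytes). */
typedef char layout_check[(sizeof(struct xfrm_pol_id) == 64 && sizeof(struct xfrm_migrate) == 76 &&
                           sizeof(struct xfrm_encap) == 24) ? 1 : -1];

static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
	struct nl_attr a = { .len = (uint16_t)(sizeof a + dlen), .type = type };
	memcpy(buf + off, &a, sizeof a);
	memcpy(buf + off + sizeof a, data, dlen);
	return off + NLA_ALIGN(a.len);      /* buf is pre-zeroed, so the pad bytes are already 0 */
}

/* MIGRATE for an IPv4 tunnel-mode ESP SA from old_s->old_d to new_s->new_d.
 * With new_dport != 0 an XFRMA_ENCAP rides along so the kernel also moves the
 * UDP encapsulation ports. Returns the message length, 0 on bad input. */
size_t build_migrate(uint8_t *buf, size_t cap, const char *old_s, const char *old_d,
                     const char *new_s, const char *new_d, uint16_t new_sport, uint16_t new_dport)
{
	struct xfrm_pol_id pol = { .dir = 1 };   /* XFRM_POLICY_OUT; zero selector is a placeholder, a real request names the policy's */
	struct xfrm_migrate m = { .proto = IPPROTO_ESP, .mode = XFRM_MODE_TUNNEL, .family = AF_INET };
	size_t off = sizeof(struct nl_hdr);
	if (cap < 256) return 0;
	pol.sel.family = AF_INET;
	if (inet_pton(AF_INET, old_s, &m.old_saddr.a4) != 1 || inet_pton(AF_INET, old_d, &m.old_daddr.a4) != 1 ||
	    inet_pton(AF_INET, new_s, &m.new_saddr.a4) != 1 || inet_pton(AF_INET, new_d, &m.new_daddr.a4) != 1)
		return 0;
	memset(buf, 0, cap);
	memcpy(buf + off, &pol, sizeof pol);
	off = put_attr(buf, off + sizeof pol, XFRMA_MIGRATE, &m, sizeof m);
	if (new_dport) {
		struct xfrm_encap e = { .encap_type = UDP_ENCAP_ESPINUDP,
		                        .encap_sport = htons(new_sport), .encap_dport = htons(new_dport) };
		off = put_attr(buf, off, XFRMA_ENCAP, &e, sizeof e);
	}
	struct nl_hdr h = { .len = (uint32_t)off, .type = XFRM_MSG_MIGRATE, .flags = NLM_F_REQUEST, .seq = 1 };
	memcpy(buf, &h, sizeof h);
	return off;
}

/* Payload of the first attribute of `type` after the policy id, or NULL;
 * an attribute length that overruns the message is rejected rather than read. */
const void *find_attr(const uint8_t *buf, size_t len, uint16_t type, size_t *plen)
{
	size_t off = sizeof(struct nl_hdr) + NLA_ALIGN(sizeof(struct xfrm_pol_id));
	while (off + sizeof(struct nl_attr) <= len) {
		struct nl_attr a;
		memcpy(&a, buf + off, sizeof a);
		if (a.len < sizeof a || off + a.len > len) return NULL;
		if (a.type == type) { if (plen) *plen = a.len - sizeof a; return buf + off + sizeof a; }
		off += NLA_ALIGN(a.len);
	}
	return NULL;
}
/* UDP encap destination port (host order) a MIGRATE asks for; 0 when it carries no XFRMA_ENCAP. */
uint16_t migrate_encap_dport(const uint8_t *buf, size_t len)
{
	struct xfrm_encap e;
	size_t n;
	const void *p = find_attr(buf, len, XFRMA_ENCAP, &n);
	if (!p || n < sizeof e) return 0;
	memcpy(&e, p, sizeof e);
	return ntohs(e.encap_dport);
}

/* Endpoints and port 4500 are the ones in the tcpdump output on this page. */
static uint8_t g_msg[256];
size_t demo_len(int with_encap)       /* 188 bytes with XFRMA_ENCAP, 160 without */
{
	uint16_t port = with_encap ? 4500 : 0;
	return build_migrate(g_msg, sizeof g_msg, "10.0.0.53", "10.0.10.46", "10.0.0.53", "10.0.10.46", port, port);
}
uint16_t demo_dport(int with_encap) { return migrate_encap_dport(g_msg, demo_len(with_encap)); }
```

Sending the buffer needs a NETLINK_XFRM socket (socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM)) and CAP_NET_ADMIN in the SA's network namespace, and the selector and direction must name the policy whose SAs are being moved. A kernel without the two patches above parses the message but does not act on the XFRMA_ENCAP attribute, so after a port-only change the SA keeps its old encapsulation ports; checking ip xfrm state afterwards is the simplest way to tell which behaviour you have.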
i=0xca1c282d,seq=0x1),
length 136
IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2),
length 136
IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2),
length 136
Signed-off-by: Antony Antony
---
Changes in v2:
- include tcpdump output showi
i=0xca1c282d,seq=0x1),
length 136
IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2),
length 136
IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2),
length 136
The attached patch fixes it by copying replay and preplay.
regards,
-antony