Hi Florian,
I ran the Android unit tests on these patches, based off ipsec-next,
and am encountering some new errors. I'll take another look to try and
isolate which patches might be causing the failures.
Best Regards,
Benedict Wong
On Wed, Mar 27, 2019 at 6:30 PM Florian Westphal
I propose backporting commit e2612cd496e7 ("xfrm: Make set-mark default
behavior backward compatible") to 4.19 and 4.20 kernels to fix a backwards
compatibility bug introduced in 9b42c1f179a6 (“xfrm: Extend the
output_mark to support input direction and masking”).
The fix is small, relatively simp
Changes v1 -> v2:
Corrected stylistic nits:
- Line break locations in ipxfrm.c
- Usage and man pages updated to reflect deleteall and list parameters
are no longer optional, as they have been individualized.
Benedict Wong (1):
xfrm: add option to hide keys in state output
ip/ipxfr
exposing keys.
Signed-off-by: Benedict Wong
---
ip/ipxfrm.c| 49 +-
ip/xfrm.h | 5 +++--
ip/xfrm_monitor.c | 7 +--
ip/xfrm_state.c| 27 -
man/man8/ip-xfrm.8 | 15 +-
5 files changed, 71
Friendly ping for review. If there are no concerns, I think this would
be useful especially in the logging/bugreport use cases.
On Mon, Jan 7, 2019 at 3:10 PM Benedict Wong wrote:
>
> (Accidentally sent previously as direct reply. Re-sending as reply-all)
>
> > ... would not it b
> >
> > Tested with additions to Android's kernel unit test suite:
> > https://android-review.googlesource.com/c/kernel/tests/+/860150
> >
> > Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input
> > direction and masking") Signed-off-
tests/+/860150
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction
and masking")
Signed-off-by: Benedict Wong
---
net/xfrm/xfrm_policy.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
ind
cceptable as is.
Benedict Wong (1):
xfrm: Make set-mark default behavior backward compatible
net/xfrm/xfrm_policy.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
--
2.20.1.97.g81188d93c3-goog
sert
wrote:
>
> On Fri, Jan 11, 2019 at 12:14:11PM -0800, Benedict Wong wrote:
> > A behavior change introduced in 9b42c1f179a6 (“xfrm: Extend the
> > output_mark to support input direction and masking”) results in a
> > change in:
> >
> > 1. Default outbound
tests/+/860150
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction
and masking")
Signed-off-by: Benedict Wong
---
net/xfrm/xfrm_policy.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
ind
s 1 and 3 imply a configuration that output mark
was not designed to support. The only valid use case for this seems
to be the loopback case (as IP addresses would apply bidirectionally).
As such, we believe that this behavioral change is acceptable as is.
Benedict Wong (1):
xfrm: Make set-mark d
tests/+/860150
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction
and masking")
Signed-off-by: Benedict Wong
---
net/xfrm/xfrm_policy.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
ind
n, Jan 7, 2019 at 2:23 PM Florian Fainelli wrote:
>
> On 1/7/19 1:31 PM, Benedict Wong wrote:
> > ip xfrm state show currently dumps keys unconditionally. This limits its
> > use in logging, as security information can be leaked.
> >
> > This patch adds a nokeys option
exposing keys.
Signed-off-by: Benedict Wong
---
ip/ipxfrm.c| 45 +
ip/xfrm.h | 5 +++--
ip/xfrm_monitor.c | 7 +--
ip/xfrm_state.c| 27 ++-
man/man8/ip-xfrm.8 | 15 ++-
5 files changed, 69
Noted. Should I wait until xfrm is converted to JSON output formatting?
Or if there are no structural and stylistic issues, should I re-send
this as a patch?
On Fri, Jan 4, 2019 at 4:21 PM Stephen Hemminger
wrote:
>
> On Fri, 4 Jan 2019 15:19:10 -0800
> Benedict Wong wrote:
>
tests/+/860150
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction
and masking")
Signed-off-by: Benedict Wong
---
net/xfrm/xfrm_policy.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
ind
s 1 and 3 imply a configuration that output mark
was not designed to support. The only valid use case for this seems
to be the loopback case (as IP addresses would apply bidirectionally).
As such, we believe that this behavioral change is acceptable as is.
Benedict Wong (1):
xfrm: Make set-mark d
exposing keys.
Signed-off-by: Benedict Wong
---
ip/ipxfrm.c| 45 +
ip/xfrm.h | 5 +++--
ip/xfrm_monitor.c | 7 +--
ip/xfrm_state.c| 27 ++-
man/man8/ip-xfrm.8 | 15 ++-
5 files changed, 69
"[IPsec]: Strengthen policy checks")
Signed-off-by: Benedict Wong
---
drivers/net/loopback.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
index 30612497643c..a6bf54df94bd 100644
--- a/drivers/net/loopback.c
+++ b/drivers/net/loopba
the secpath, without
a matching inbound policy. Clearing the secpath ensures that all states
added to the secpath are exclusively from the inbound processing.
Tests: xfrm tunnel mode tests added for loopback:
https://android-review.googlesource.com/c/kernel/tests/+/777328
Signed-off-by: Benedict W
the Android Kernel Networking Tests,
with additional xfrmi_newlink tests here:
https://android-review.googlesource.com/c/kernel/tests/+/715755
Signed-off-by: Benedict Wong
---
net/xfrm/xfrm_interface.c | 32
1 file changed, 20 insertions(+), 12 deletions(-)
diff
Networking Tests:
https://android.googlesource.com/kernel/tests/+/master/net/test
Signed-off-by: Benedict Wong
---
include/net/dst.h | 14 ++
include/net/flow.h| 9
include/net/xfrm.h| 2 +-
net/xfrm/xfrm_interface.c | 4 +-
net/xfrm/xfrm_policy.c| 98
Networking Tests:
https://android.googlesource.com/kernel/tests/+/master/net/test
Signed-off-by: Benedict Wong
---
include/net/dst.h | 14 ++
include/net/flow.h| 7 ---
include/net/xfrm.h| 2 +-
net/xfrm/xfrm_interface.c | 4 +-
net/xfrm/xfrm_policy.c| 98
encapsulation
- Inbound decapsulation
- Rekey
- ICMP error path
- Netfilter rejections of outbound paths.
-- Benedict Wong
On Tue, Jun 12, 2018 at 12:56 AM Steffen Klassert
wrote:
>
> This patchset introduces new virtual xfrm interfaces.
> The design of virtual xfrm interfaces inter