Re: [PATCH net] ipv4: Update exception handling for multipath routes via same device

2020-10-07 Thread Tobias Brunner
Hi David, > @@ -2668,8 +2673,6 @@ struct rtable *ip_route_output_key_hash_rcu(struct net > *net, struct flowi4 *fl4, > fib_select_path(net, res, fl4, skb); > > dev_out = FIB_RES_DEV(*res); > - fl4->flowi4_oif = dev_out->ifindex; > - > > make_route: > rth = __mkroute_out
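Review bot: dropping `fl4->flowi4_oif = dev_out->ifindex;` right after `fib_select_path()` means `fl4->flowi4_oif` no longer tracks the device the multipath selection picked; `fl4` is the caller's flow key, so the `make_route:` path and `__mkroute_out()` call that follow, and any caller that inspects `flowi4_oif` after `ip_route_output_key_hash_rcu()` returns, now see the original (possibly unset) oif instead of `dev_out->ifindex`. If that is the intended fix for the exception lookup, the commit message should state it and the remaining readers of `flowi4_oif` in this function should be checked so none of them still assumes it was updated here.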

Re: [RFC PATCH ipsec] xfrm: don't pass too short packets to userspace with ESPINUDP encap

2020-07-27 Thread Tobias Brunner
>> Currently, any UDP-encapsulated packet of 8 bytes or less will be >> passed to userspace, whether it starts with the non-ESP prefix or >> not (except keepalives). This includes: >> - messages of 1, 2, 3 bytes >> - messages of 4 to 8 bytes not starting with 00 00 00 00 >> >> This patch changes
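The demux rule quoted above (RFC 3948 UDP encapsulation: a one-byte 0xFF NAT keepalive, a four-zero-byte non-ESP marker in front of IKE, otherwise ESP whose header is at least 8 bytes of SPI plus sequence number) is easy to get wrong at the short-packet boundary. The following is an added example, not code from the kernel or from the patch under discussion: it puts the behaviour the quoted text describes ("8 bytes or less goes to userspace unless it is a keepalive") next to a classifier that only hands packets carrying the non-ESP marker to userspace and drops the rest. The hardened variant is what the subject line implies, not the patch text, which is cut off here; `classify_before()`, `classify_after()` and the enum names are hypothetical, and the sample payloads in `main()` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of classifying one UDP payload received on an ESP-in-UDP port
 * (names are hypothetical, chosen for this example). */
enum espinudp_class {
    ESPINUDP_DROP,      /* too short or malformed: discard in the kernel */
    ESPINUDP_KEEPALIVE, /* 1-byte 0xFF NAT keepalive (RFC 3948 2.3) */
    ESPINUDP_IKE,       /* non-ESP marker present: hand to userspace (IKE) */
    ESPINUDP_ESP,       /* ESP: decapsulate in the kernel */
};

#define NON_ESP_MARKER_LEN 4   /* four zero bytes, RFC 3948 2.2 */
#define ESP_MIN_HDR_LEN    8   /* SPI (4) + sequence number (4), RFC 4303 */

static int is_keepalive(const uint8_t *p, size_t len)
{
    return len == 1 && p[0] == 0xff;
}

static int has_non_esp_marker(const uint8_t *p, size_t len)
{
    static const uint8_t zeros[NON_ESP_MARKER_LEN] = { 0 };
    /* SPI 0 is reserved, so four leading zero bytes cannot be ESP. */
    return len >= NON_ESP_MARKER_LEN && memcmp(p, zeros, NON_ESP_MARKER_LEN) == 0;
}

/* Behaviour described in the quoted mail: anything of 8 bytes or less that
 * is not a keepalive reaches userspace, marker or not. */
enum espinudp_class classify_before(const uint8_t *p, size_t len)
{
    if (len == 0)
        return ESPINUDP_DROP;
    if (is_keepalive(p, len))
        return ESPINUDP_KEEPALIVE;
    if (len <= ESP_MIN_HDR_LEN)
        return ESPINUDP_IKE;          /* 1..8 bytes, regardless of prefix */
    return has_non_esp_marker(p, len) ? ESPINUDP_IKE : ESPINUDP_ESP;
}

/* Hardened rule: only payloads that actually start with the non-ESP marker
 * are passed to userspace; short non-marker payloads are dropped instead of
 * being treated as IKE. */
enum espinudp_class classify_after(const uint8_t *p, size_t len)
{
    if (len == 0)
        return ESPINUDP_DROP;
    if (is_keepalive(p, len))
        return ESPINUDP_KEEPALIVE;
    if (has_non_esp_marker(p, len))
        return ESPINUDP_IKE;
    if (len >= ESP_MIN_HDR_LEN)
        return ESPINUDP_ESP;          /* at least SPI + seq present */
    return ESPINUDP_DROP;             /* 1..7 bytes without marker */
}

static const char *class_name(enum espinudp_class c)
{
    switch (c) {
    case ESPINUDP_DROP:      return "drop";
    case ESPINUDP_KEEPALIVE: return "keepalive";
    case ESPINUDP_IKE:       return "ike";
    case ESPINUDP_ESP:       return "esp";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample payloads, one per case in the quoted description. */
    struct { const char *desc; const uint8_t *p; size_t len; } samples[] = {
        { "1-byte keepalive",          (const uint8_t *)"\xff", 1 },
        { "3 bytes of junk",           (const uint8_t *)"\x01\x02\x03", 3 },
        { "6 bytes, no marker",        (const uint8_t *)"\x00\x00\x00\x01\x00\x00", 6 },
        { "6 bytes, marker",           (const uint8_t *)"\x00\x00\x00\x00\x01\x02", 6 },
        { "8 bytes, looks like ESP",   (const uint8_t *)"\x00\x00\x01\x00\x00\x00\x00\x01", 8 },
        { "12 bytes, marker + IKE",    (const uint8_t *)"\x00\x00\x00\x00\xaa\xbb\xcc\xdd\x01\x02\x03\x04", 12 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s before=%-9s after=%s\n", samples[i].desc,
               class_name(classify_before(samples[i].p, samples[i].len)),
               class_name(classify_after(samples[i].p, samples[i].len)));
    return 0;
}
```

The interesting rows are the 3-byte and the 6-byte no-marker payloads: the old rule forwards both to the IKE daemon, the new rule drops them, while a genuine 8-byte ESP header is now decapsulated instead of being misrouted to userspace.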

Re: [PATCH ipsec] xfrm: esp6: fix encapsulation header offset computation

2020-07-06 Thread Tobias Brunner
Pv6 encapsulation of ESP") > Fixes: 26333c37fc28 ("xfrm: add IPv6 support for espintcp") > Reported-by: Tobias Brunner > Signed-off-by: Sabrina Dubroca Thanks for the fix! Tested-by: Tobias Brunner Regards, Tobias

Re: [PATCH ipsec] xfrm: state: match with both mark and mask on user interfaces

2020-06-30 Thread Tobias Brunner
Hi Xin, > Similar to commit 4f47e8ab6ab79 ("xfrm: policy: match with both mark and > mask on user interfaces"), this patch is to match both mark and mask for > state on these user interfaces: > > xfrm_state_lookup_byaddr_user > xfrm_state_lookup_user > xfrm_state_update > xfrm_state_find

Re: [PATCH ipsec] xfrm: policy: match with both mark and mask on user interfaces

2020-06-15 Thread Tobias Brunner
y doing: > > mark.v == pol->mark.v && mark.m == pol->mark.m Looks good, thanks a lot for your work on this. All tests in our regression test suite complete successfully with this patch applied. Tested-by: Tobias Brunner > and leave the check: > > ((mark.v &

Re: [PATCHv2 ipsec] xfrm: fix a warning in xfrm_policy_insert_list

2020-06-11 Thread Tobias Brunner
Hi Xin, > For 'new/update/del', we should do an exact match with > "mark.v == pol->mark.v && mark.m == pol->mark.m", as these are MSGs to > manage the policies, every policy should be able to be matched. Agreed, using an exact match for mark/mask would probably make the most sense here. > But fo

Re: [PATCH net v3 3/3] esp, ah: modernize the crypto algorithm selections

2020-06-10 Thread Tobias Brunner
Hi Eric, > + Note that RFC 8221 considers AH itself to be "NOT RECOMMENDED". It is > + better to use ESP only, using an AEAD cipher such as AES-GCM. What's NOT RECOMMENDED according to the RFC is the combination of ESP+AH (i.e. use ESP only for confidentiality and AH for authenticati

Re: [PATCHv2 ipsec] xfrm: fix a warning in xfrm_policy_insert_list

2020-06-09 Thread Tobias Brunner
Hi Xin, >> I guess we could workaround this issue in strongSwan by installing >> policies that share the same mark and selector with the same priority, >> so only one instance is ever installed in the kernel. But the inability >> to address the exact policy when querying/deleting still looks like

Re: [PATCHv2 ipsec] xfrm: fix a warning in xfrm_policy_insert_list

2020-06-08 Thread Tobias Brunner
Hi Steffen, Xin, This change could be problematic. Actually, it's not really this one but the original one that causes the issue: > Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and > different priorities") However, because the code in xfrm_policy_mark_match() treated

[PATCH ipsec] xfrm: Fix inbound traffic via XFRM interfaces across network namespaces

2019-02-18 Thread Tobias Brunner
the XFRM interface was moved to). Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Tobias Brunner --- net/xfrm/xfrm_interface.c | 4 ++-- net/xfrm/xfrm_policy.c| 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/net/xfrm/xfrm_interfa

[PATCH net-next] ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT

2017-12-21 Thread Tobias Brunner
If SNAT modifies the source address the resulting packet might match an IPsec policy, reinject the packet if that's the case. The exact same thing is already done for IPv4. Signed-off-by: Tobias Brunner --- net/ipv6/ip6_output.c | 8 1 file changed, 8 insertions(+) diff --git

[PATCH net 2/2] esp6: Fix integrity verification when ESN are used

2016-11-29 Thread Tobias Brunner
When handling inbound packets, the two halves of the sequence number stored on the skb are already in network order. Fixes: 000ae7b2690e ("esp6: Switch to new AEAD interface") Signed-off-by: Tobias Brunner --- net/ipv6/esp6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) di

[PATCH net 1/2] esp4: Fix integrity verification when ESN are used

2016-11-29 Thread Tobias Brunner
When handling inbound packets, the two halves of the sequence number stored on the skb are already in network order. Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface") Signed-off-by: Tobias Brunner --- net/ipv4/esp4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) di

[PATCH v2 net] macsec: Fix header length if SCI is added if explicitly disabled

2016-10-24 Thread Tobias Brunner
) Signed-off-by: Tobias Brunner --- drivers/net/macsec.c | 26 ++ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 3ea47f28e143..d2e61e002926 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -397,6 +3

Re: [PATCH net] macsec: Fix header length if SCI is added if explicitly disabled

2016-10-24 Thread Tobias Brunner
> [snip] >> @@ -440,12 +448,12 @@ static void macsec_fill_sectag(struct >> macsec_eth_header *h, >> const struct macsec_secy *secy, u32 pn) >> { >> const struct macsec_tx_sc *tx_sc = &secy->tx_sc; >> +bool sci_present = send_sci(secy); > > You're already comp
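Review bot: the new `bool sci_present = send_sci(secy);` local at the top of macsec_fill_sectag() only fixes the bug in the subject if every later SCI decision in this function, the SC bit set in the TCI and the decision to write the SCI bytes after the tag, reads `sci_present` rather than calling send_sci() again or testing another condition; otherwise the header length and the TCI flag can still disagree. The same value should also be the one used by the caller that sizes the header, so the length reserved for the tag and the tag actually filled in are derived from a single computation.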

[PATCH net] macsec: Fix header length if SCI is added if explicitly disabled

2016-10-21 Thread Tobias Brunner
the packet, while the SC flag in the TCI field of the Security Tag was still set, resulting in invalid MACsec frames. Signed-off-by: Tobias Brunner --- drivers/net/macsec.c | 22 -- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/net/macsec.c b/drivers

[PATCH ipsec] xfrm: Ignore socket policies when rebuilding hash tables

2016-07-29 Thread Tobias Brunner
and sets thresholds seemingly before installing any socket policies. Fixes: 53c2e285f970 ("xfrm: Do not hash socket policies") Signed-off-by: Tobias Brunner --- net/xfrm/xfrm_policy.c | 4 1 file changed, 4 insertions(+) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_p