Open Source and information security mailing list archives
Message-ID: <20230929125848.5445-1-fw@strlen.de>
Date: Fri, 29 Sep 2023 14:58:39 +0200
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: steffen.klassert@...unet.com, herbert@...dor.apana.org.au,
 Florian Westphal <fw@...len.de>
Subject: [PATCH ipsec-next v2 0/3] xfrm: policy: replace session decode with flow dissector

Remove the ipv4+ipv6 session decode functions and use generic flow
dissector to populate the flowi for the policy lookup.

Changes since v1:
- Can't use skb_flow_dissect(), we might see skbs that have neither
  skb->sk nor skb->dev set. Flow dissector WARN()s in this case, it
  tries to check for a bpf program assigned in that net namespace.
  Add a preparation patch to pass down 'struct net' in
  xfrm_decode_session so it's available for use in patch 3.

Changes since RFC:
- Drop mobility header support. I don't think that anyone uses
  this. MOBIKE doesn't appear to need this either.
- Drop fl6->flowlabel assignment, original code leaves it as 0.

There is no reason for this change other than to remove code.

Florian Westphal (3):
  xfrm: pass struct net to xfrm_decode_session wrappers
  xfrm: move mark and oif flowi decode into common code
  xfrm: policy: replace session decode with flow dissector

 include/net/xfrm.h             |  10 +-
 net/ipv4/icmp.c                |   2 +-
 net/ipv4/ip_vti.c              |   4 +-
 net/ipv4/netfilter.c           |   2 +-
 net/ipv6/icmp.c                |   2 +-
 net/ipv6/ip6_vti.c             |   4 +-
 net/ipv6/netfilter.c           |   2 +-
 net/netfilter/nf_nat_proto.c   |   2 +-
 net/xfrm/xfrm_interface_core.c |   4 +-
 net/xfrm/xfrm_policy.c         | 287 +++++++++++++--------------------
 10 files changed, 128 insertions(+), 191 deletions(-)

-- 
2.41.0