Commit 179a6f5d authored by Jakub Kicinski's avatar Jakub Kicinski

Merge tag 'ipsec-next-2024-05-03' of...

Merge tag 'ipsec-next-2024-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2024-05-03

1) Remove Obsolete UDP_ENCAP_ESPINUDP_NON_IKE Support.
   This was defined by an early version of an IETF draft
   that did not make it to a standard.

2) Introduce direction attribute for xfrm states.
   xfrm states have a direction, a state can be used
   either for input or output packet processing.
   Add a direction to xfrm states to make it clear
   for what a xfrm state is used.

* tag 'ipsec-next-2024-05-03' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next:
  xfrm: Restrict SA direction attribute to specific netlink message types
  xfrm: Add dir validation to "in" data path lookup
  xfrm: Add dir validation to "out" data path lookup
  xfrm: Add Direction to the SA in or out
  udpencap: Remove Obsolete UDP_ENCAP_ESPINUDP_NON_IKE Support
====================

Link: https://lore.kernel.org/r/20240503082732.2835810-1-steffen.klassert@secunet.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 46a5d3ab dcf280ea
+6 −0
@@ -73,6 +73,9 @@ XfrmAcquireError:
XfrmFwdHdrError:
	Forward routing of a packet is not allowed

XfrmInStateDirError:
        State direction mismatch (lookup found an output state on the input path, expected input or no direction)

Outbound errors
~~~~~~~~~~~~~~~
XfrmOutError:
@@ -111,3 +114,6 @@ XfrmOutPolError:

XfrmOutStateInvalid:
	State is invalid, perhaps expired

XfrmOutStateDirError:
        State direction mismatch (lookup found an input state on the output path, expected output or no direction)
+1 −0
@@ -291,6 +291,7 @@ struct xfrm_state {
	/* Private data of this transformer, format is opaque,
	 * interpreted by xfrm_type methods. */
	void			*data;
	u8			dir;
};

static inline struct net *xs_net(struct xfrm_state *x)
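Review bot: The new `u8 dir;` at the end of struct xfrm_state carries no comment and sits directly under the "Private data of this transformer" comment, so it reads as if it were part of that opaque data. The documentation text in this commit speaks of input, output, or no direction, but nothing on the field says that zero means "not set" or that the other values presumably come from enum xfrm_sa_dir. I would separate it from `data` with a blank line and write `u8 dir; /* enum xfrm_sa_dir, 0 if no direction was set */`. The struct begins outside this hunk, so its other members were not checked.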
+2 −0
@@ -337,6 +337,8 @@ enum
	LINUX_MIB_XFRMFWDHDRERROR,		/* XfrmFwdHdrError*/
	LINUX_MIB_XFRMOUTSTATEINVALID,		/* XfrmOutStateInvalid */
	LINUX_MIB_XFRMACQUIREERROR,		/* XfrmAcquireError */
	LINUX_MIB_XFRMOUTSTATEDIRERROR,		/* XfrmOutStateDirError */
	LINUX_MIB_XFRMINSTATEDIRERROR,		/* XfrmInStateDirError */
	__LINUX_MIB_XFRMMAX
};

+1 −1
@@ -36,7 +36,7 @@ struct udphdr {
#define UDP_GRO		104	/* This socket can receive UDP GRO packets */

/* UDP encapsulation types */
#define UDP_ENCAP_ESPINUDP_NON_IKE	1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
#define UDP_ENCAP_ESPINUDP_NON_IKE	1 /* unused  draft-ietf-ipsec-nat-t-ike-00/01 */
#define UDP_ENCAP_ESPINUDP	2 /* draft-ietf-ipsec-udp-encaps-06 */
#define UDP_ENCAP_L2TPINUDP	3 /* rfc2661 */
#define UDP_ENCAP_GTP0		4 /* GSM TS 09.60 */
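Review bot: The new comment on `UDP_ENCAP_ESPINUDP_NON_IKE` says only "unused" (with a doubled space), which does not tell a userspace author why the constant is still defined or what to expect when a program still passes the value. Assuming the define is kept only so that existing programs keep compiling, `/* unused, kept for uapi compatibility (draft-ietf-ipsec-nat-t-ike-00/01) */` would say so. The code that handles this encapsulation type is not visible in this section, so whether the value is now rejected or silently ignored cannot be confirmed from here.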
+6 −0
@@ -141,6 +141,11 @@ enum {
	XFRM_POLICY_MAX	= 3
};

enum xfrm_sa_dir {
	XFRM_SA_DIR_IN	= 1,
	XFRM_SA_DIR_OUT = 2
};

enum {
	XFRM_SHARE_ANY,		/* No limitations */
	XFRM_SHARE_SESSION,	/* For this session only */
@@ -315,6 +320,7 @@ enum xfrm_attr_type_t {
	XFRMA_SET_MARK_MASK,	/* __u32 */
	XFRMA_IF_ID,		/* __u32 */
	XFRMA_MTIMER_THRESH,	/* __u32 in seconds for input SA */
	XFRMA_SA_DIR,		/* __u8 */
	__XFRMA_MAX

#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK	/* Compatibility */
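Review bot: The comment on `XFRMA_SA_DIR` gives only the width (`__u8`), and enum xfrm_sa_dir starts at 1 without saying what 0 or an absent attribute means, so this uapi header does not tell a userspace author which byte values are accepted. I would tie the two together with `XFRMA_SA_DIR, /* __u8, enum xfrm_sa_dir */` and a one-line comment above the enum stating that the attribute is optional and that an SA without it has no direction. The netlink policy that range-checks the attribute is not visible in this section; it is worth confirming that it rejects every value other than XFRM_SA_DIR_IN and XFRM_SA_DIR_OUT.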