From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@davemloft.net>
Cc: herbert@gondor.apana.org.au, kuznet@ms2.inr.ac.ru,
yoshfuji@linux-ipv6.org, netdev@oss.sgi.com
Subject: Netfilter+IPsec
Date: Thu, 24 Mar 2005 06:05:50 +0100 [thread overview]
Message-ID: <42424AAE.9080403@trash.net> (raw)
In-Reply-To: <4240EA78.5050402@trash.net>
[-- Attachment #1: Type: text/plain, Size: 1101 bytes --]
Patrick McHardy wrote:
> It would call netif_rx(). The packet should pass all hooks as usual,
> so everything works as expected. It is cleaner than my current
> approach, but has the same problems wrt. statistics and AF_PACKET/raw
> sockets. I'll post a patch (probably tomorrow, its late here) so we
> have something concrete to talk about.
Unfortunately I have to delay again. This patch (not entirely
reviewed myself yet) contains the parts necessary for hooking
output IPsec packets for netfilter. dst_output() in ipv4/ and
ipv6/ are replaced by ip_dst_output() and ip6_dst_output(), which
pass the packets through POST_ROUTING before IPsec. All replaced
calls should happen directly after NF_HOOK(LOCAL_OUT, ...). The
packet is then marked as transformed in xfrm{4,6}_output() and
passed through LOCAL_OUT in ip_output() again. This resembles
the behaviour of tunnel-devices, a packet is first visible
in plain on OUTPUT/FORWARD -> POST_ROUTING, then encapsulated
on OUTPUT -> POST_ROUTING again. This part doesn't have any
known problems, the input patch will follow tomorrow.
Regards
Patrick
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 13535 bytes --]
===== include/linux/ipv6.h 1.29 vs edited =====
--- 1.29/include/linux/ipv6.h 2005-03-16 00:27:17 +01:00
+++ edited/include/linux/ipv6.h 2005-03-24 04:41:37 +01:00
@@ -177,19 +177,20 @@
#include <linux/tcp.h>
#include <linux/udp.h>
-/*
- This structure contains results of exthdrs parsing
- as offsets from skb->nh.
- */
struct inet6_skb_parm {
+ /* results of exthdrs parsing as offsets from skb->nh. */
int iif;
__u16 ra;
__u16 hop;
__u16 dst0;
__u16 srcrt;
__u16 dst1;
+ /* flags */
+ __u16 flags;
};
+
+#define IP6SKB_XFRM_TRANSFORMED 0x1
#define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb))
===== include/linux/netfilter.h 1.18 vs edited =====
--- 1.18/include/linux/netfilter.h 2005-03-12 04:12:50 +01:00
+++ edited/include/linux/netfilter.h 2005-03-23 06:19:51 +01:00
@@ -139,9 +139,10 @@
/* This is gross, but inline doesn't cut it for avoiding the function
call in fast path: gcc doesn't inline (needs value tracking?). --RR */
#ifdef CONFIG_NETFILTER_DEBUG
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
({int __ret; \
-if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
+if (!(cond) || \
+ (__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
__ret = (okfn)(skb); \
__ret;})
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
@@ -150,9 +151,9 @@
__ret = (okfn)(skb); \
__ret;})
#else
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
({int __ret; \
-if (list_empty(&nf_hooks[pf][hook]) || \
+if (!(cond) || list_empty(&nf_hooks[pf][hook]) || \
(__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
__ret = (okfn)(skb); \
__ret;})
@@ -163,6 +164,8 @@
__ret = (okfn)(skb); \
__ret;})
#endif
+#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+ NF_HOOK_COND((pf), (hook), (skb), (indev), (outdev), (okfn), 1)
int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
struct net_device *indev, struct net_device *outdev,
@@ -192,6 +195,7 @@
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif /*CONFIG_NETFILTER*/
===== include/net/ip.h 1.38 vs edited =====
--- 1.38/include/net/ip.h 2005-01-27 07:03:17 +01:00
+++ edited/include/net/ip.h 2005-03-23 06:20:11 +01:00
@@ -30,6 +30,8 @@
#include <linux/netdevice.h>
#include <linux/inetdevice.h>
#include <linux/in_route.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
#include <net/route.h>
#include <net/arp.h>
#include <net/snmp.h>
@@ -45,6 +47,7 @@
#define IPSKB_TRANSLATED 2
#define IPSKB_FORWARDED 4
#define IPSKB_XFRM_TUNNEL_SIZE 8
+#define IPSKB_XFRM_TRANSFORMED 16
};
struct ipcm_cookie
@@ -210,6 +213,12 @@
iph->id = 0;
} else
__ip_select_ident(iph, dst, more);
+}
+
+static inline int ip_dst_output(struct sk_buff *skb)
+{
+ return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output, skb->dst->xfrm != NULL);
}
/*
===== include/net/ipv6.h 1.44 vs edited =====
--- 1.44/include/net/ipv6.h 2005-03-03 06:12:44 +01:00
+++ edited/include/net/ipv6.h 2005-03-23 06:14:52 +01:00
@@ -17,6 +17,8 @@
#include <linux/ipv6.h>
#include <linux/hardirq.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
#include <net/ndisc.h>
#include <net/flow.h>
#include <net/snmp.h>
@@ -335,6 +337,12 @@
{
return ((a->s6_addr32[0] | a->s6_addr32[1] |
a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
+}
+
+static inline int ip6_dst_output(struct sk_buff *skb)
+{
+ return NF_HOOK_COND(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output, skb->dst->xfrm != NULL);
}
/*
===== net/ipv4/igmp.c 1.61 vs edited =====
--- 1.61/net/ipv4/igmp.c 2004-12-28 06:30:43 +01:00
+++ edited/net/ipv4/igmp.c 2005-03-23 05:53:14 +01:00
@@ -343,7 +343,7 @@
pig->csum = ip_compute_csum((void *)skb->h.igmph, igmplen);
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, skb->dev,
- dst_output);
+ ip_dst_output);
}
static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel)
@@ -674,7 +674,7 @@
ih->csum=ip_compute_csum((void *)ih, sizeof(struct igmphdr));
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
}
static void igmp_gq_timer_expire(unsigned long data)
===== net/ipv4/ip_forward.c 1.11 vs edited =====
--- 1.11/net/ipv4/ip_forward.c 2004-07-08 00:17:28 +02:00
+++ edited/net/ipv4/ip_forward.c 2005-03-23 05:53:14 +01:00
@@ -51,7 +51,7 @@
if (unlikely(opt->optlen))
ip_forward_options(skb);
- return dst_output(skb);
+ return ip_dst_output(skb);
}
int ip_forward(struct sk_buff *skb)
===== net/ipv4/ip_output.c 1.80 vs edited =====
--- 1.80/net/ipv4/ip_output.c 2005-03-18 19:43:26 +01:00
+++ edited/net/ipv4/ip_output.c 2005-03-23 06:20:28 +01:00
@@ -166,7 +166,7 @@
/* Send it out. */
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
}
static inline int ip_finish_output2(struct sk_buff *skb)
@@ -284,7 +284,7 @@
return ip_finish_output(skb);
}
-int ip_output(struct sk_buff *skb)
+static inline int ip_output2(struct sk_buff *skb)
{
IP_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
@@ -294,6 +294,16 @@
return ip_finish_output(skb);
}
+int ip_output(struct sk_buff *skb)
+{
+ int transformed = IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED;
+
+ if (transformed)
+ nf_reset(skb);
+ return NF_HOOK_COND(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ip_output2, transformed);
+}
+
int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
{
struct sock *sk = skb->sk;
@@ -374,7 +384,7 @@
skb->priority = sk->sk_priority;
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
no_route:
IP_INC_STATS(IPSTATS_MIB_OUTNOROUTES);
@@ -1189,7 +1199,7 @@
/* Netfilter gets whole the not fragmented skb. */
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip_dst_output);
if (err) {
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
===== net/ipv4/ipmr.c 1.47 vs edited =====
--- 1.47/net/ipv4/ipmr.c 2005-03-18 19:36:11 +01:00
+++ edited/net/ipv4/ipmr.c 2005-03-23 05:53:13 +01:00
@@ -1119,7 +1119,7 @@
if (unlikely(opt->optlen))
ip_forward_options(skb);
- return dst_output(skb);
+ return ip_dst_output(skb);
}
/*
===== net/ipv4/raw.c 1.63 vs edited =====
--- 1.63/net/ipv4/raw.c 2005-03-16 00:20:37 +01:00
+++ edited/net/ipv4/raw.c 2005-03-23 05:53:13 +01:00
@@ -310,7 +310,7 @@
}
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
if (err)
===== net/ipv4/xfrm4_output.c 1.10 vs edited =====
--- 1.10/net/ipv4/xfrm4_output.c 2005-03-18 19:41:26 +01:00
+++ edited/net/ipv4/xfrm4_output.c 2005-03-23 05:53:13 +01:00
@@ -129,6 +129,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
err = NET_XMIT_BYPASS;
out_exit:
===== net/ipv4/ipvs/ip_vs_xmit.c 1.13 vs edited =====
--- 1.13/net/ipv4/ipvs/ip_vs_xmit.c 2005-03-18 19:38:59 +01:00
+++ edited/net/ipv4/ipvs/ip_vs_xmit.c 2005-03-24 05:05:57 +01:00
@@ -131,7 +131,7 @@
(skb)->nfcache |= NFC_IPVS_PROPERTY; \
(skb)->ip_summed = CHECKSUM_NONE; \
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \
- (rt)->u.dst.dev, dst_output); \
+ (rt)->u.dst.dev, ip_dst_output); \
} while (0)
===== net/ipv4/netfilter/ipt_REJECT.c 1.37 vs edited =====
--- 1.37/net/ipv4/netfilter/ipt_REJECT.c 2005-03-17 19:05:37 +01:00
+++ edited/net/ipv4/netfilter/ipt_REJECT.c 2005-03-23 06:05:51 +01:00
@@ -213,7 +213,7 @@
nf_ct_attach(nskb, oldskb);
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
- dst_output);
+ ip_dst_output);
return;
free_nskb:
===== net/ipv6/ip6_input.c 1.23 vs edited =====
--- 1.23/net/ipv6/ip6_input.c 2005-03-10 06:12:11 +01:00
+++ edited/net/ipv6/ip6_input.c 2005-03-24 05:06:19 +01:00
@@ -241,9 +241,9 @@
if (deliver) {
skb2 = skb_clone(skb, GFP_ATOMIC);
- dst_output(skb2);
+ ip6_dst_output(skb2);
} else {
- dst_output(skb);
+ ip6_dst_output(skb);
return 0;
}
}
===== net/ipv6/ip6_output.c 1.91 vs edited =====
--- 1.91/net/ipv6/ip6_output.c 2005-03-18 19:44:52 +01:00
+++ edited/net/ipv6/ip6_output.c 2005-03-24 04:52:01 +01:00
@@ -108,7 +108,7 @@
}
-static int ip6_output2(struct sk_buff *skb)
+static int ip6_output3(struct sk_buff *skb)
{
struct dst_entry *dst = skb->dst;
struct net_device *dev = dst->dev;
@@ -145,12 +145,22 @@
return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb,NULL, skb->dev,ip6_output_finish);
}
-int ip6_output(struct sk_buff *skb)
+static inline int ip6_output2(struct sk_buff *skb)
{
if (skb->len > dst_mtu(skb->dst) || dst_allfrag(skb->dst))
- return ip6_fragment(skb, ip6_output2);
+ return ip6_fragment(skb, ip6_output3);
else
- return ip6_output2(skb);
+ return ip6_output3(skb);
+}
+
+int ip6_output(struct sk_buff *skb)
+{
+ int transformed = IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED;
+
+ if (transformed)
+ nf_reset(skb);
+ return NF_HOOK_COND(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ip6_output2, transformed);
}
#ifdef CONFIG_NETFILTER
@@ -195,7 +205,7 @@
}
}
#endif /* CONFIG_NETFILTER */
- return dst_output(skb);
+ return ip6_dst_output(skb);
}
/*
@@ -342,7 +352,7 @@
static inline int ip6_forward_finish(struct sk_buff *skb)
{
- return dst_output(skb);
+ return ip6_dst_output(skb);
}
int ip6_forward(struct sk_buff *skb)
@@ -1146,7 +1156,7 @@
skb->dst = dst_clone(&rt->u.dst);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dst->dev, ip6_dst_output);
if (err) {
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
===== net/ipv6/ip6_tunnel.c 1.30 vs edited =====
--- 1.30/net/ipv6/ip6_tunnel.c 2005-03-15 19:19:23 +01:00
+++ edited/net/ipv6/ip6_tunnel.c 2005-03-23 06:08:09 +01:00
@@ -744,7 +744,7 @@
nf_reset(skb);
pkt_len = skb->len;
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip6_dst_output);
if (err == NET_XMIT_SUCCESS || err == NET_XMIT_CN) {
stats->tx_bytes += pkt_len;
===== net/ipv6/ndisc.c 1.124 vs edited =====
--- 1.124/net/ipv6/ndisc.c 2005-03-16 23:52:27 +01:00
+++ edited/net/ipv6/ndisc.c 2005-03-23 06:08:42 +01:00
@@ -501,7 +501,7 @@
skb->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTNEIGHBORADVERTISEMENTS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
@@ -586,7 +586,7 @@
skb->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTNEIGHBORSOLICITS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
@@ -660,7 +660,7 @@
skb->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTROUTERSOLICITS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
@@ -1446,7 +1446,7 @@
buff->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, buff, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, buff, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTREDIRECTS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
===== net/ipv6/raw.c 1.79 vs edited =====
--- 1.79/net/ipv6/raw.c 2005-03-03 06:12:38 +01:00
+++ edited/net/ipv6/raw.c 2005-03-23 06:08:54 +01:00
@@ -541,7 +541,7 @@
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip6_dst_output);
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
if (err)
===== net/ipv6/xfrm6_output.c 1.11 vs edited =====
--- 1.11/net/ipv6/xfrm6_output.c 2005-03-18 19:41:26 +01:00
+++ edited/net/ipv6/xfrm6_output.c 2005-03-24 04:46:59 +01:00
@@ -131,6 +131,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
err = NET_XMIT_BYPASS;
out_exit:
next prev parent reply other threads:[~2005-03-24 5:05 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-14 22:10 [1/4] [IPSEC] Merge xfrm[46]_bundle/stale_bundle Herbert Xu
2005-02-14 22:12 ` [2/4] [IPSEC] Add xfrm_state_mtu Herbert Xu
2005-02-14 22:14 ` [3/4] [IPSEC] Add route element to xfrm_dst Herbert Xu
2005-02-14 22:16 ` [4/4] [IPSEC] Store MTU at each xfrm_dst Herbert Xu
2005-02-15 15:53 ` James Morris
2005-02-15 20:31 ` Herbert Xu
2005-02-16 10:37 ` [5/*] [IPSEC] Use dst_mtu in xfrm[46]_output Herbert Xu
2005-02-16 11:08 ` [6/*] [IPSEC] Fix xfrm[46]_update_pmtu to update top dst Herbert Xu
2005-02-16 11:38 ` [7/*] [IPSEC] Get metrics for xfrm_dst from " Herbert Xu
2005-03-07 5:47 ` David S. Miller
2005-03-07 10:41 ` Herbert Xu
2005-03-07 5:35 ` [6/*] [IPSEC] Fix xfrm[46]_update_pmtu to update " David S. Miller
2005-03-07 10:39 ` Herbert Xu
2005-03-07 5:33 ` [5/*] [IPSEC] Use dst_mtu in xfrm[46]_output David S. Miller
2005-03-07 11:45 ` [10/*] [TCP] Get rid of dst_ptmu/ext2_header_len Herbert Xu
2005-03-07 17:33 ` David S. Miller
2005-03-07 5:32 ` [4/4] [IPSEC] Store MTU at each xfrm_dst David S. Miller
2005-03-07 10:35 ` [9/*] [IPSEC] Check dst validity harder in xfrm_bundle_ok Herbert Xu
2005-03-07 17:32 ` David S. Miller
2005-03-08 10:27 ` [11/*] [NET] Move dst_release out of dst->ops->check Herbert Xu
2005-03-08 12:50 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-11 2:17 ` David S. Miller
2005-03-14 10:26 ` [12/*] [IPSEC] Handle local_df in IPv4 Herbert Xu
2005-03-14 10:53 ` [13/*] [IPV4] Fix room calculation in icmp_send Herbert Xu
2005-03-14 11:10 ` [14/*] [IPV6] Reload skb->dst after xfrm6_route_forward Herbert Xu
2005-03-15 5:27 ` David S. Miller
2005-03-15 9:19 ` [15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data Herbert Xu
2005-03-15 9:58 ` [16/*] [INET] Take IPsec overhead into account in tunnels Herbert Xu
2005-03-15 10:05 ` [17/*] [NET] Replace dst_pmtu with dst_mtu Herbert Xu
2005-03-15 18:24 ` David S. Miller
2005-03-15 19:02 ` Patrick McHardy
2005-03-15 20:40 ` Replace send_unreach with icmp_send Herbert Xu
2005-03-15 20:48 ` Patrick McHardy
2005-03-16 10:51 ` [IPV4] Make ipt_REJECT use icmp_send again Herbert Xu
2005-03-16 19:00 ` Patrick McHardy
2005-03-16 22:44 ` David S. Miller
2005-03-17 10:51 ` [IPV4] Send TCP reset through dst_output in ipt_REJECT Herbert Xu
2005-03-17 18:06 ` David S. Miller
2005-03-15 20:31 ` [17/*] [NET] Replace dst_pmtu with dst_mtu Herbert Xu
2005-03-15 10:20 ` [16/*] [INET] Take IPsec overhead into account in tunnels Lennert Buytenhek
2005-03-15 10:27 ` Herbert Xu
2005-03-15 18:20 ` David S. Miller
2005-03-18 9:03 ` [21/*] [IPv4] Fix MTU check in ipmr_queue_xmit Herbert Xu
2005-03-18 9:11 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS Herbert Xu
2005-03-18 9:19 ` [23/*] [IPV4] Kill remaining unnecessary uses of dst_pmtu Herbert Xu
2005-03-18 10:07 ` [24/*] [IPSEC] Get ttl from child instead of path Herbert Xu
2005-03-18 10:11 ` [25/*] [NET] Kill unnecessary uses of dst_path_metric Herbert Xu
2005-03-18 11:06 ` [26/*] [NET] Kill dst_pmtu/dst_path_metric Herbert Xu
2005-03-18 11:28 ` [27/*] [NET] Make dst_allfrag use dst instead of dst->path Herbert Xu
2005-03-18 18:47 ` David S. Miller
2005-03-18 18:46 ` [26/*] [NET] Kill dst_pmtu/dst_path_metric David S. Miller
2005-03-18 18:44 ` [25/*] [NET] Kill unnecessary uses of dst_path_metric David S. Miller
2005-03-18 18:43 ` [24/*] [IPSEC] Get ttl from child instead of path David S. Miller
2005-03-18 18:41 ` [23/*] [IPV4] Kill remaining unnecessary uses of dst_pmtu David S. Miller
2005-03-18 18:40 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS David S. Miller
2005-03-20 15:46 ` Patrick McHardy
2005-03-20 16:32 ` Ludo Stellingwerff
2005-03-20 17:17 ` Lennert Buytenhek
2005-03-20 17:49 ` Patrick McHardy
2005-03-20 18:11 ` Ludo Stellingwerff
2005-03-20 18:22 ` Patrick McHardy
2005-03-20 18:43 ` jamal
2005-03-20 19:10 ` Patrick McHardy
2005-03-30 9:49 ` Extending xfrm_selector (Was: [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS) Herbert Xu
2005-03-23 3:49 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS David S. Miller
2005-03-23 4:03 ` Patrick McHardy
2005-03-24 5:05 ` Patrick McHardy [this message]
2005-03-24 5:43 ` Netfilter+IPsec David S. Miller
2005-03-25 2:53 ` Netfilter+IPsec Herbert Xu
2005-03-25 5:10 ` Netfilter+IPsec Patrick McHardy
2005-03-23 9:24 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS Herbert Xu
2005-03-18 18:39 ` [21/*] [IPv4] Fix MTU check in ipmr_queue_xmit David S. Miller
2005-03-15 18:18 ` [15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data David S. Miller
2005-03-16 11:31 ` Herbert Xu
2005-03-16 22:02 ` David S. Miller
2005-03-21 16:14 ` Mika Penttilä
2005-03-21 20:28 ` Herbert Xu
2005-03-21 21:29 ` Mika Penttilä
2005-03-21 22:04 ` Herbert Xu
2005-03-15 5:26 ` [13/*] [IPV4] Fix room calculation in icmp_send David S. Miller
2005-03-15 5:25 ` [12/*] [IPSEC] Handle local_df in IPv4 David S. Miller
2005-03-15 18:25 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-15 18:28 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-28 20:10 ` [4/4] [IPSEC] Store MTU at each xfrm_dst Patrick McHardy
2005-03-28 23:30 ` [IPSEC] Move xfrm_flush_bundles into xfrm_state GC Herbert Xu
2005-03-31 0:10 ` Patrick McHardy
2005-04-01 5:21 ` David S. Miller
2005-03-28 23:39 ` Checking SPI in xfrm_state_find Herbert Xu
2005-03-31 0:13 ` Patrick McHardy
2005-03-31 0:46 ` Herbert Xu
2005-04-01 5:23 ` David S. Miller
2005-04-02 0:49 ` [IPSEC]: Kill nested read lock by deleting xfrm_init_tempsel Herbert Xu
2005-04-02 1:20 ` David S. Miller
2005-04-02 2:09 ` Herbert Xu
2005-04-03 16:48 ` Patrick McHardy
2005-04-05 10:39 ` Herbert Xu
2005-04-05 20:01 ` Patrick McHardy
2005-04-06 2:21 ` Herbert Xu
2005-04-21 23:35 ` David S. Miller
2005-04-21 23:52 ` Herbert Xu
2005-04-21 23:53 ` Patrick McHardy
2005-04-22 3:13 ` David S. Miller
2005-04-03 17:00 ` Checking SPI in xfrm_state_find Patrick McHardy
2005-02-15 8:10 ` [3/4] [IPSEC] Add route element to xfrm_dst Mika Penttilä
2005-02-15 9:53 ` Herbert Xu
2005-02-15 10:22 ` Mika Penttilä
2005-03-07 5:28 ` David S. Miller
2005-03-07 10:02 ` Herbert Xu
2005-03-07 10:16 ` [IPSEC] Kill redundan dst_release check in xfrm_dst_destroy Herbert Xu
2005-03-07 17:35 ` David S. Miller
2005-03-14 11:52 ` [3/4] [IPSEC] Add route element to xfrm_dst Patrick McHardy
2005-03-14 20:32 ` Herbert Xu
2005-03-15 19:05 ` Patrick McHardy
2005-03-07 5:23 ` [2/4] [IPSEC] Add xfrm_state_mtu David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42424AAE.9080403@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@oss.sgi.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.