From: Sabrina Dubroca <sd@queasysnail.net>
To: Christian Hopps <chopps@chopps.org>
Cc: devel@linux-ipsec.org,
Steffen Klassert <steffen.klassert@secunet.com>,
netdev@vger.kernel.org, Christian Hopps <chopps@labn.net>
Subject: Re: [PATCH ipsec-next v5 05/17] xfrm: netlink: add config (netlink) options
Date: Thu, 18 Jul 2024 15:45:52 +0200 [thread overview]
Message-ID: <ZpkckAyjSjC--i6M@hog> (raw)
In-Reply-To: <20240714202246.1573817-6-chopps@chopps.org>
2024-07-14, 16:22:33 -0400, Christian Hopps wrote:
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index a552cfa623ea..d42805314a2a 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -297,6 +297,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
> NL_SET_ERR_MSG(extack, "TFC padding can only be used in tunnel mode");
> goto out;
> }
> + if ((attrs[XFRMA_IPTFS_DROP_TIME] ||
> + attrs[XFRMA_IPTFS_REORDER_WINDOW] ||
> + attrs[XFRMA_IPTFS_DONT_FRAG] ||
> + attrs[XFRMA_IPTFS_INIT_DELAY] ||
> + attrs[XFRMA_IPTFS_MAX_QSIZE] ||
> + attrs[XFRMA_IPTFS_PKT_SIZE]) &&
> + p->mode != XFRM_MODE_IPTFS) {
> + NL_SET_ERR_MSG(extack, "IP-TFS options can only be used in IP-TFS mode");
AFAICT this only excludes the IPTFS options from ESP with a non-IPTFS
mode, but not from AH, IPcomp, etc.
> + goto out;
> + }
> break;
>
> case IPPROTO_COMP:
> @@ -417,6 +427,18 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
> goto out;
> }
>
> + if (attrs[XFRMA_IPTFS_DROP_TIME]) {
> + NL_SET_ERR_MSG(extack, "Drop time should not be set for output SA");
Maybe add "IPTFS" to all those error messages, to help narrow down the
bogus attribute.
> + err = -EINVAL;
> + goto out;
> + }
> +
> + if (attrs[XFRMA_IPTFS_REORDER_WINDOW]) {
> + NL_SET_ERR_MSG(extack, "Reorder window should not be set for output SA");
> + err = -EINVAL;
> + goto out;
> + }
> +
> if (attrs[XFRMA_REPLAY_VAL]) {
> struct xfrm_replay_state *replay;
>
> @@ -454,6 +476,30 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
> }
>
> }
> +
> + if (attrs[XFRMA_IPTFS_DONT_FRAG]) {
> + NL_SET_ERR_MSG(extack, "Don't fragment should not be set for input SA");
> + err = -EINVAL;
> + goto out;
> + }
> +
> + if (attrs[XFRMA_IPTFS_INIT_DELAY]) {
> + NL_SET_ERR_MSG(extack, "Initial delay should not be set for input SA");
> + err = -EINVAL;
> + goto out;
> + }
> +
> + if (attrs[XFRMA_IPTFS_MAX_QSIZE]) {
> + NL_SET_ERR_MSG(extack, "Max queue size should not be set for input SA");
> + err = -EINVAL;
> + goto out;
> + }
> +
> + if (attrs[XFRMA_IPTFS_PKT_SIZE]) {
> + NL_SET_ERR_MSG(extack, "Packet size should not be set for input SA");
> + err = -EINVAL;
> + goto out;
> + }
> }
>
> out:
> @@ -3177,6 +3223,12 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
> [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },
> [XFRMA_SA_DIR] = NLA_POLICY_RANGE(NLA_U8, XFRM_SA_DIR_IN, XFRM_SA_DIR_OUT),
> [XFRMA_NAT_KEEPALIVE_INTERVAL] = { .type = NLA_U32 },
> + [XFRMA_IPTFS_DROP_TIME] = { .type = NLA_U32 },
> + [XFRMA_IPTFS_REORDER_WINDOW] = { .type = NLA_U16 },
The corresponding sysctl is a u32, should this be NLA_U32?
> + [XFRMA_IPTFS_DONT_FRAG] = { .type = NLA_FLAG },
> + [XFRMA_IPTFS_INIT_DELAY] = { .type = NLA_U32 },
> + [XFRMA_IPTFS_MAX_QSIZE] = { .type = NLA_U32 },
> + [XFRMA_IPTFS_PKT_SIZE] = { .type = NLA_U32 },
> };
> EXPORT_SYMBOL_GPL(xfrma_policy);
--
Sabrina
next prev parent reply other threads:[~2024-07-18 13:46 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-14 20:22 [PATCH ipsec-next v5 00/17] Add IP-TFS mode to xfrm Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 01/17] xfrm: config: add CONFIG_XFRM_IPTFS Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 02/17] include: uapi: add ip_tfs_*_hdr packet formats Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 03/17] include: uapi: add IPPROTO_AGGFRAG for AGGFRAG in ESP Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 04/17] xfrm: sysctl: allow configuration of global default values Christian Hopps
2024-07-18 13:13 ` Sabrina Dubroca
2024-07-18 13:15 ` Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 05/17] xfrm: netlink: add config (netlink) options Christian Hopps
2024-07-18 13:45 ` Sabrina Dubroca [this message]
2024-07-18 14:08 ` [devel-ipsec] " Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 06/17] xfrm: add mode_cbs module functionality Christian Hopps
2024-07-19 6:14 ` [devel-ipsec] " Florian Westphal
2024-07-20 0:06 ` Christian Hopps
2024-07-25 13:32 ` Sabrina Dubroca
2024-07-30 21:29 ` Christian Hopps
2024-07-31 17:10 ` Sabrina Dubroca
2024-07-31 18:32 ` Christian Hopps
2024-07-31 18:41 ` Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 07/17] xfrm: add generic iptfs defines and functionality Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 08/17] xfrm: iptfs: add new iptfs xfrm mode impl Christian Hopps
2024-07-15 12:39 ` Simon Horman
2024-07-18 5:56 ` [devel-ipsec] " Christian Hopps
2024-07-19 6:16 ` Florian Westphal
2024-07-20 0:30 ` Christian Hopps
2024-07-25 13:33 ` Sabrina Dubroca
2024-07-25 14:56 ` Christian Hopps
2024-07-31 16:29 ` Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 09/17] xfrm: iptfs: add user packet (tunnel ingress) handling Christian Hopps
2024-07-15 12:55 ` Simon Horman
2024-07-18 5:35 ` [devel-ipsec] " Christian Hopps
2024-07-18 6:32 ` Christian Hopps
2024-07-16 14:00 ` kernel test robot
2024-07-14 20:22 ` [PATCH ipsec-next v5 10/17] xfrm: iptfs: share page fragments of inner packets Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 11/17] xfrm: iptfs: add fragmenting of larger than MTU user packets Christian Hopps
2024-07-15 13:12 ` Simon Horman
2024-07-18 5:57 ` [devel-ipsec] " Christian Hopps
2024-07-18 6:56 ` Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 12/17] xfrm: iptfs: add basic receive packet (tunnel egress) handling Christian Hopps
2024-07-15 13:16 ` Simon Horman
2024-07-18 6:14 ` [devel-ipsec] " Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 13/17] xfrm: iptfs: handle received fragmented inner packets Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 14/17] xfrm: iptfs: add reusing received skb for the tunnel egress packet Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 15/17] xfrm: iptfs: add skb-fragment sharing code Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 16/17] xfrm: iptfs: handle reordering of received packets Christian Hopps
2024-07-14 20:22 ` [PATCH ipsec-next v5 17/17] xfrm: iptfs: add tracepoint functionality Christian Hopps
2024-07-15 11:53 ` kernel test robot
2024-07-17 5:21 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZpkckAyjSjC--i6M@hog \
--to=sd@queasysnail.net \
--cc=chopps@chopps.org \
--cc=chopps@labn.net \
--cc=devel@linux-ipsec.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.