From: David Miller <davem@davemloft.net>
To: steffen.klassert@secunet.com
Cc: herbert@gondor.apana.org.au, netdev@vger.kernel.org
Subject: Re: pull request (net): ipsec 2013-10-09
Date: Wed, 09 Oct 2013 13:44:01 -0400 (EDT)
Message-ID: <20131009.134401.2108436834464148316.davem@davemloft.net>
In-Reply-To: <1381316351-14418-1-git-send-email-steffen.klassert@secunet.com>

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 9 Oct 2013 12:59:04 +0200

> 1) We used the wrong netlink attribute to verify the
> length of the replay window on async events. Fix this by
> using the right netlink attribute.
>
> 2) Policy lookups can not match the output interface on forwarding.
> Add the needed information to the flow information.
>
> 3) We update the pmtu when we receive an ICMPV6_DEST_UNREACH message
> on IPsec with ipv6. This is wrong and leads to strange fragmented
> packets, only ICMPV6_PKT_TOOBIG messages should update the pmtu.
> Fix this by removing the ICMPV6_DEST_UNREACH check from the IPsec
> protocol error handlers.
>
> 4) The legacy IPsec anti replay mechanism supports anti replay
> windows up to 32 packets. If a user requests a bigger
> anti replay window, we use 32 packets but pretend that we use
> the requested window size. Fix from Fan Du.
>
> 5) If asynchronous events are enabled and replay_maxdiff is set to
> zero, we generate an async event for every received packet instead
> of checking whether a timeout occurred. Fix from Thomas Egerer.
>
> 6) Policies need a refcount when the state resolution timer is armed.
> Otherwise the timer can fire after the policy is deleted.
>
> 7) We might dereference a NULL pointer if the hold_queue is empty,
> add a check to avoid this.
>
> Please pull or let me know if there are problems.

Pulled, thanks a lot Steffen.

Thread overview: 9+ messages
2013-10-09 10:59 pull request (net): ipsec 2013-10-09 Steffen Klassert
2013-10-09 10:59 ` [PATCH 1/7] xfrm: Fix replay size checking on async events Steffen Klassert
2013-10-09 10:59 ` [PATCH 2/7] xfrm: Decode sessions with output interface Steffen Klassert
2013-10-09 10:59 ` [PATCH 3/7] ipsec: Don't update the pmtu on ICMPV6_DEST_UNREACH Steffen Klassert
2013-10-09 10:59 ` [PATCH 4/7] xfrm: Guard IPsec anti replay window against replay bitmap Steffen Klassert
2013-10-09 10:59 ` [PATCH 5/7] xfrm: Fix aevent generation for each received packet Steffen Klassert
2013-10-09 10:59 ` [PATCH 6/7] xfrm: Add refcount handling to queued policies Steffen Klassert
2013-10-09 10:59 ` [PATCH 7/7] xfrm: check for a vaild skb in xfrm_policy_queue_process Steffen Klassert
2013-10-09 17:44 ` David Miller [this message]
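
Item 4 of the quoted pull request, as an added example that is not part of the thread and not the kernel's xfrm code: a simplified model of a 32-bit replay bitmap in which a requested window of 64 is reported back while only 32 packets are enforced. All names are hypothetical, and rejecting an oversized request is an assumed guard policy for this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
enum { BITMAP_BITS = 32 };  /* width of the legacy-style replay bitmap */

struct replay_state {
    uint32_t top;     /* highest sequence number accepted so far */
    uint32_t bitmap;  /* bit i set => sequence (top - i) already seen */
    uint32_t window;  /* window size reported back to the user */
};

/* Unguarded setup: stores the request even when the bitmap cannot track it. */
void replay_init_unguarded(struct replay_state *s, uint32_t requested)
{
    s->top = 0; s->bitmap = 0; s->window = requested;
}

/* Guarded setup (assumed policy): refuse windows wider than the bitmap. */
int replay_init_guarded(struct replay_state *s, uint32_t requested)
{
    if (requested > BITMAP_BITS)
        return -1;
    replay_init_unguarded(s, requested);
    return 0;
}

/* Accept and record a fresh sequence number; reject replays and old packets. */
bool replay_accept(struct replay_state *s, uint32_t seq)
{
    /* The enforced window is capped at the bitmap width, whatever was stored. */
    uint32_t enforced = s->window < BITMAP_BITS ? s->window : BITMAP_BITS;
    if (seq > s->top) {                       /* window slides right */
        uint32_t shift = seq - s->top;
        s->bitmap = shift < BITMAP_BITS ? (s->bitmap << shift) | 1u : 1u;
        s->top = seq;
        return true;
    }
    uint32_t diff = s->top - seq;
    if (seq == 0 || diff >= enforced || (s->bitmap & (1u << diff)))
        return false;                         /* invalid, too old, or replay */
    s->bitmap |= 1u << diff;
    return true;
}

int main(void)
{
    struct replay_state s;
    replay_init_unguarded(&s, 64);            /* constructed sample input */
    replay_accept(&s, 100);
    printf("reported=%u seq60=%d\n", (unsigned)s.window, replay_accept(&s, 60));
}
```

With the unguarded setup, sequence 60 is dropped even though it lies inside the reported 64-packet window, so the reported value does not describe what is enforced.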