From: Patrick McHardy <kaber@trash.net>
To: "David S. Miller" <davem@davemloft.net>
Cc: herbert@gondor.apana.org.au, kuznet@ms2.inr.ac.ru,
yoshfuji@linux-ipv6.org, netdev@oss.sgi.com
Subject: Netfilter+IPsec
Date: Thu, 24 Mar 2005 06:05:50 +0100 [thread overview]
Message-ID: <42424AAE.9080403@trash.net> (raw)
In-Reply-To: <4240EA78.5050402@trash.net>
[-- Attachment #1: Type: text/plain, Size: 1101 bytes --]
Patrick McHardy wrote:
> It would call netif_rx(). The packet should pass all hooks as usual,
> so everything works as expected. It is cleaner than my current
> approach, but has the same problems wrt. statistics and AF_PACKET/raw
> sockets. I'll post a patch (probably tomorrow, its late here) so we
> have something concrete to talk about.
Unfortunately I have to delay again. This patch (not entirely
reviewed myself yet) contains the parts necessary for hooking
output IPsec packets for netfilter. dst_output() in ipv4/ and
ipv6/ are replaced by ip_dst_output() and ip6_dst_output(), which
pass the packets through POST_ROUTING before IPsec. All replaced
calls should happen directly after NF_HOOK(LOCAL_OUT, ...). The
packet is then marked as transformed in xfrm{4,6}_output() and
passed through LOCAL_OUT in ip_output() again. This resembles
the behaviour of tunnel-devices, a packet is first visible
in plain on OUTPUT/FORWARD -> POST_ROUTING, then encapsulated
on OUTPUT -> POST_ROUTING again. This part doesn't have any
known problems, the input patch will follow tomorrow.
Regards
Patrick
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 13535 bytes --]
===== include/linux/ipv6.h 1.29 vs edited =====
--- 1.29/include/linux/ipv6.h 2005-03-16 00:27:17 +01:00
+++ edited/include/linux/ipv6.h 2005-03-24 04:41:37 +01:00
@@ -177,19 +177,20 @@
#include <linux/tcp.h>
#include <linux/udp.h>
-/*
- This structure contains results of exthdrs parsing
- as offsets from skb->nh.
- */
struct inet6_skb_parm {
+ /* results of exthdrs parsing as offsets from skb->nh. */
int iif;
__u16 ra;
__u16 hop;
__u16 dst0;
__u16 srcrt;
__u16 dst1;
+ /* flags */
+ __u16 flags;
};
+
+#define IP6SKB_XFRM_TRANSFORMED 0x1
#define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb))
===== include/linux/netfilter.h 1.18 vs edited =====
--- 1.18/include/linux/netfilter.h 2005-03-12 04:12:50 +01:00
+++ edited/include/linux/netfilter.h 2005-03-23 06:19:51 +01:00
@@ -139,9 +139,10 @@
/* This is gross, but inline doesn't cut it for avoiding the function
call in fast path: gcc doesn't inline (needs value tracking?). --RR */
#ifdef CONFIG_NETFILTER_DEBUG
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
({int __ret; \
-if ((__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
+if (!(cond) || \
+ (__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
__ret = (okfn)(skb); \
__ret;})
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
@@ -150,9 +151,9 @@
__ret = (okfn)(skb); \
__ret;})
#else
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
({int __ret; \
-if (list_empty(&nf_hooks[pf][hook]) || \
+if (!(cond) || list_empty(&nf_hooks[pf][hook]) || \
(__ret=nf_hook_slow(pf, hook, &(skb), indev, outdev, okfn, INT_MIN)) == 1) \
__ret = (okfn)(skb); \
__ret;})
@@ -163,6 +164,8 @@
__ret = (okfn)(skb); \
__ret;})
#endif
+#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
+ NF_HOOK_COND((pf), (hook), (skb), (indev), (outdev), (okfn), 1)
int nf_hook_slow(int pf, unsigned int hook, struct sk_buff **pskb,
struct net_device *indev, struct net_device *outdev,
@@ -192,6 +195,7 @@
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif /*CONFIG_NETFILTER*/
===== include/net/ip.h 1.38 vs edited =====
--- 1.38/include/net/ip.h 2005-01-27 07:03:17 +01:00
+++ edited/include/net/ip.h 2005-03-23 06:20:11 +01:00
@@ -30,6 +30,8 @@
#include <linux/netdevice.h>
#include <linux/inetdevice.h>
#include <linux/in_route.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
#include <net/route.h>
#include <net/arp.h>
#include <net/snmp.h>
@@ -45,6 +47,7 @@
#define IPSKB_TRANSLATED 2
#define IPSKB_FORWARDED 4
#define IPSKB_XFRM_TUNNEL_SIZE 8
+#define IPSKB_XFRM_TRANSFORMED 16
};
struct ipcm_cookie
@@ -210,6 +213,12 @@
iph->id = 0;
} else
__ip_select_ident(iph, dst, more);
+}
+
+static inline int ip_dst_output(struct sk_buff *skb)
+{
+ return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output, skb->dst->xfrm != NULL);
}
/*
===== include/net/ipv6.h 1.44 vs edited =====
--- 1.44/include/net/ipv6.h 2005-03-03 06:12:44 +01:00
+++ edited/include/net/ipv6.h 2005-03-23 06:14:52 +01:00
@@ -17,6 +17,8 @@
#include <linux/ipv6.h>
#include <linux/hardirq.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
#include <net/ndisc.h>
#include <net/flow.h>
#include <net/snmp.h>
@@ -335,6 +337,12 @@
{
return ((a->s6_addr32[0] | a->s6_addr32[1] |
a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
+}
+
+static inline int ip6_dst_output(struct sk_buff *skb)
+{
+ return NF_HOOK_COND(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL,
+ skb->dst->dev, dst_output, skb->dst->xfrm != NULL);
}
/*
===== net/ipv4/igmp.c 1.61 vs edited =====
--- 1.61/net/ipv4/igmp.c 2004-12-28 06:30:43 +01:00
+++ edited/net/ipv4/igmp.c 2005-03-23 05:53:14 +01:00
@@ -343,7 +343,7 @@
pig->csum = ip_compute_csum((void *)skb->h.igmph, igmplen);
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, skb->dev,
- dst_output);
+ ip_dst_output);
}
static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel)
@@ -674,7 +674,7 @@
ih->csum=ip_compute_csum((void *)ih, sizeof(struct igmphdr));
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
}
static void igmp_gq_timer_expire(unsigned long data)
===== net/ipv4/ip_forward.c 1.11 vs edited =====
--- 1.11/net/ipv4/ip_forward.c 2004-07-08 00:17:28 +02:00
+++ edited/net/ipv4/ip_forward.c 2005-03-23 05:53:14 +01:00
@@ -51,7 +51,7 @@
if (unlikely(opt->optlen))
ip_forward_options(skb);
- return dst_output(skb);
+ return ip_dst_output(skb);
}
int ip_forward(struct sk_buff *skb)
===== net/ipv4/ip_output.c 1.80 vs edited =====
--- 1.80/net/ipv4/ip_output.c 2005-03-18 19:43:26 +01:00
+++ edited/net/ipv4/ip_output.c 2005-03-23 06:20:28 +01:00
@@ -166,7 +166,7 @@
/* Send it out. */
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
}
static inline int ip_finish_output2(struct sk_buff *skb)
@@ -284,7 +284,7 @@
return ip_finish_output(skb);
}
-int ip_output(struct sk_buff *skb)
+static inline int ip_output2(struct sk_buff *skb)
{
IP_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
@@ -294,6 +294,16 @@
return ip_finish_output(skb);
}
+int ip_output(struct sk_buff *skb)
+{
+ int transformed = IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED;
+
+ if (transformed)
+ nf_reset(skb);
+ return NF_HOOK_COND(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ip_output2, transformed);
+}
+
int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
{
struct sock *sk = skb->sk;
@@ -374,7 +384,7 @@
skb->priority = sk->sk_priority;
return NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
no_route:
IP_INC_STATS(IPSTATS_MIB_OUTNOROUTES);
@@ -1189,7 +1199,7 @@
/* Netfilter gets whole the not fragmented skb. */
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip_dst_output);
if (err) {
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
===== net/ipv4/ipmr.c 1.47 vs edited =====
--- 1.47/net/ipv4/ipmr.c 2005-03-18 19:36:11 +01:00
+++ edited/net/ipv4/ipmr.c 2005-03-23 05:53:13 +01:00
@@ -1119,7 +1119,7 @@
if (unlikely(opt->optlen))
ip_forward_options(skb);
- return dst_output(skb);
+ return ip_dst_output(skb);
}
/*
===== net/ipv4/raw.c 1.63 vs edited =====
--- 1.63/net/ipv4/raw.c 2005-03-16 00:20:37 +01:00
+++ edited/net/ipv4/raw.c 2005-03-23 05:53:13 +01:00
@@ -310,7 +310,7 @@
}
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip_dst_output);
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
if (err)
===== net/ipv4/xfrm4_output.c 1.10 vs edited =====
--- 1.10/net/ipv4/xfrm4_output.c 2005-03-18 19:41:26 +01:00
+++ edited/net/ipv4/xfrm4_output.c 2005-03-23 05:53:13 +01:00
@@ -129,6 +129,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
err = NET_XMIT_BYPASS;
out_exit:
===== net/ipv4/ipvs/ip_vs_xmit.c 1.13 vs edited =====
--- 1.13/net/ipv4/ipvs/ip_vs_xmit.c 2005-03-18 19:38:59 +01:00
+++ edited/net/ipv4/ipvs/ip_vs_xmit.c 2005-03-24 05:05:57 +01:00
@@ -131,7 +131,7 @@
(skb)->nfcache |= NFC_IPVS_PROPERTY; \
(skb)->ip_summed = CHECKSUM_NONE; \
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, (skb), NULL, \
- (rt)->u.dst.dev, dst_output); \
+ (rt)->u.dst.dev, ip_dst_output); \
} while (0)
===== net/ipv4/netfilter/ipt_REJECT.c 1.37 vs edited =====
--- 1.37/net/ipv4/netfilter/ipt_REJECT.c 2005-03-17 19:05:37 +01:00
+++ edited/net/ipv4/netfilter/ipt_REJECT.c 2005-03-23 06:05:51 +01:00
@@ -213,7 +213,7 @@
nf_ct_attach(nskb, oldskb);
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
- dst_output);
+ ip_dst_output);
return;
free_nskb:
===== net/ipv6/ip6_input.c 1.23 vs edited =====
--- 1.23/net/ipv6/ip6_input.c 2005-03-10 06:12:11 +01:00
+++ edited/net/ipv6/ip6_input.c 2005-03-24 05:06:19 +01:00
@@ -241,9 +241,9 @@
if (deliver) {
skb2 = skb_clone(skb, GFP_ATOMIC);
- dst_output(skb2);
+ ip6_dst_output(skb2);
} else {
- dst_output(skb);
+ ip6_dst_output(skb);
return 0;
}
}
===== net/ipv6/ip6_output.c 1.91 vs edited =====
--- 1.91/net/ipv6/ip6_output.c 2005-03-18 19:44:52 +01:00
+++ edited/net/ipv6/ip6_output.c 2005-03-24 04:52:01 +01:00
@@ -108,7 +108,7 @@
}
-static int ip6_output2(struct sk_buff *skb)
+static int ip6_output3(struct sk_buff *skb)
{
struct dst_entry *dst = skb->dst;
struct net_device *dev = dst->dev;
@@ -145,12 +145,22 @@
return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb,NULL, skb->dev,ip6_output_finish);
}
-int ip6_output(struct sk_buff *skb)
+static inline int ip6_output2(struct sk_buff *skb)
{
if (skb->len > dst_mtu(skb->dst) || dst_allfrag(skb->dst))
- return ip6_fragment(skb, ip6_output2);
+ return ip6_fragment(skb, ip6_output3);
else
- return ip6_output2(skb);
+ return ip6_output3(skb);
+}
+
+int ip6_output(struct sk_buff *skb)
+{
+ int transformed = IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED;
+
+ if (transformed)
+ nf_reset(skb);
+ return NF_HOOK_COND(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL,
+ skb->dst->dev, ip6_output2, transformed);
}
#ifdef CONFIG_NETFILTER
@@ -195,7 +205,7 @@
}
}
#endif /* CONFIG_NETFILTER */
- return dst_output(skb);
+ return ip6_dst_output(skb);
}
/*
@@ -342,7 +352,7 @@
static inline int ip6_forward_finish(struct sk_buff *skb)
{
- return dst_output(skb);
+ return ip6_dst_output(skb);
}
int ip6_forward(struct sk_buff *skb)
@@ -1146,7 +1156,7 @@
skb->dst = dst_clone(&rt->u.dst);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dst->dev, ip6_dst_output);
if (err) {
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
===== net/ipv6/ip6_tunnel.c 1.30 vs edited =====
--- 1.30/net/ipv6/ip6_tunnel.c 2005-03-15 19:19:23 +01:00
+++ edited/net/ipv6/ip6_tunnel.c 2005-03-23 06:08:09 +01:00
@@ -744,7 +744,7 @@
nf_reset(skb);
pkt_len = skb->len;
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL,
- skb->dst->dev, dst_output);
+ skb->dst->dev, ip6_dst_output);
if (err == NET_XMIT_SUCCESS || err == NET_XMIT_CN) {
stats->tx_bytes += pkt_len;
===== net/ipv6/ndisc.c 1.124 vs edited =====
--- 1.124/net/ipv6/ndisc.c 2005-03-16 23:52:27 +01:00
+++ edited/net/ipv6/ndisc.c 2005-03-23 06:08:42 +01:00
@@ -501,7 +501,7 @@
skb->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTNEIGHBORADVERTISEMENTS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
@@ -586,7 +586,7 @@
skb->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTNEIGHBORSOLICITS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
@@ -660,7 +660,7 @@
skb->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTROUTERSOLICITS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
@@ -1446,7 +1446,7 @@
buff->dst = dst;
idev = in6_dev_get(dst->dev);
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
- err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, buff, NULL, dst->dev, dst_output);
+ err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, buff, NULL, dst->dev, ip6_dst_output);
if (!err) {
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTREDIRECTS);
ICMP6_INC_STATS(idev, ICMP6_MIB_OUTMSGS);
===== net/ipv6/raw.c 1.79 vs edited =====
--- 1.79/net/ipv6/raw.c 2005-03-03 06:12:38 +01:00
+++ edited/net/ipv6/raw.c 2005-03-23 06:08:54 +01:00
@@ -541,7 +541,7 @@
IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
- dst_output);
+ ip6_dst_output);
if (err > 0)
err = inet->recverr ? net_xmit_errno(err) : 0;
if (err)
===== net/ipv6/xfrm6_output.c 1.11 vs edited =====
--- 1.11/net/ipv6/xfrm6_output.c 2005-03-18 19:41:26 +01:00
+++ edited/net/ipv6/xfrm6_output.c 2005-03-24 04:46:59 +01:00
@@ -131,6 +131,7 @@
err = -EHOSTUNREACH;
goto error_nolock;
}
+ IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
err = NET_XMIT_BYPASS;
out_exit:
next prev parent reply other threads:[~2005-03-24 5:05 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-14 22:10 [1/4] [IPSEC] Merge xfrm[46]_bundle/stale_bundle Herbert Xu
2005-02-14 22:12 ` [2/4] [IPSEC] Add xfrm_state_mtu Herbert Xu
2005-02-14 22:14 ` [3/4] [IPSEC] Add route element to xfrm_dst Herbert Xu
2005-02-14 22:16 ` [4/4] [IPSEC] Store MTU at each xfrm_dst Herbert Xu
2005-02-15 15:53 ` James Morris
2005-02-15 20:31 ` Herbert Xu
2005-02-16 10:37 ` [5/*] [IPSEC] Use dst_mtu in xfrm[46]_output Herbert Xu
2005-02-16 11:08 ` [6/*] [IPSEC] Fix xfrm[46]_update_pmtu to update top dst Herbert Xu
2005-02-16 11:38 ` [7/*] [IPSEC] Get metrics for xfrm_dst from " Herbert Xu
2005-03-07 5:47 ` David S. Miller
2005-03-07 10:41 ` Herbert Xu
2005-03-07 5:35 ` [6/*] [IPSEC] Fix xfrm[46]_update_pmtu to update " David S. Miller
2005-03-07 10:39 ` Herbert Xu
2005-03-07 5:33 ` [5/*] [IPSEC] Use dst_mtu in xfrm[46]_output David S. Miller
2005-03-07 11:45 ` [10/*] [TCP] Get rid of dst_ptmu/ext2_header_len Herbert Xu
2005-03-07 17:33 ` David S. Miller
2005-03-07 5:32 ` [4/4] [IPSEC] Store MTU at each xfrm_dst David S. Miller
2005-03-07 10:35 ` [9/*] [IPSEC] Check dst validity harder in xfrm_bundle_ok Herbert Xu
2005-03-07 17:32 ` David S. Miller
2005-03-08 10:27 ` [11/*] [NET] Move dst_release out of dst->ops->check Herbert Xu
2005-03-08 12:50 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-11 2:17 ` David S. Miller
2005-03-14 10:26 ` [12/*] [IPSEC] Handle local_df in IPv4 Herbert Xu
2005-03-14 10:53 ` [13/*] [IPV4] Fix room calculation in icmp_send Herbert Xu
2005-03-14 11:10 ` [14/*] [IPV6] Reload skb->dst after xfrm6_route_forward Herbert Xu
2005-03-15 5:27 ` David S. Miller
2005-03-15 9:19 ` [15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data Herbert Xu
2005-03-15 9:58 ` [16/*] [INET] Take IPsec overhead into account in tunnels Herbert Xu
2005-03-15 10:05 ` [17/*] [NET] Replace dst_pmtu with dst_mtu Herbert Xu
2005-03-15 18:24 ` David S. Miller
2005-03-15 19:02 ` Patrick McHardy
2005-03-15 20:40 ` Replace send_unreach with icmp_send Herbert Xu
2005-03-15 20:48 ` Patrick McHardy
2005-03-16 10:51 ` [IPV4] Make ipt_REJECT use icmp_send again Herbert Xu
2005-03-16 19:00 ` Patrick McHardy
2005-03-16 22:44 ` David S. Miller
2005-03-17 10:51 ` [IPV4] Send TCP reset through dst_output in ipt_REJECT Herbert Xu
2005-03-17 18:06 ` David S. Miller
2005-03-15 20:31 ` [17/*] [NET] Replace dst_pmtu with dst_mtu Herbert Xu
2005-03-15 10:20 ` [16/*] [INET] Take IPsec overhead into account in tunnels Lennert Buytenhek
2005-03-15 10:27 ` Herbert Xu
2005-03-15 18:20 ` David S. Miller
2005-03-18 9:03 ` [21/*] [IPv4] Fix MTU check in ipmr_queue_xmit Herbert Xu
2005-03-18 9:11 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS Herbert Xu
2005-03-18 9:19 ` [23/*] [IPV4] Kill remaining unnecessary uses of dst_pmtu Herbert Xu
2005-03-18 10:07 ` [24/*] [IPSEC] Get ttl from child instead of path Herbert Xu
2005-03-18 10:11 ` [25/*] [NET] Kill unnecessary uses of dst_path_metric Herbert Xu
2005-03-18 11:06 ` [26/*] [NET] Kill dst_pmtu/dst_path_metric Herbert Xu
2005-03-18 11:28 ` [27/*] [NET] Make dst_allfrag use dst instead of dst->path Herbert Xu
2005-03-18 18:47 ` David S. Miller
2005-03-18 18:46 ` [26/*] [NET] Kill dst_pmtu/dst_path_metric David S. Miller
2005-03-18 18:44 ` [25/*] [NET] Kill unnecessary uses of dst_path_metric David S. Miller
2005-03-18 18:43 ` [24/*] [IPSEC] Get ttl from child instead of path David S. Miller
2005-03-18 18:41 ` [23/*] [IPV4] Kill remaining unnecessary uses of dst_pmtu David S. Miller
2005-03-18 18:40 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS David S. Miller
2005-03-20 15:46 ` Patrick McHardy
2005-03-20 16:32 ` Ludo Stellingwerff
2005-03-20 17:17 ` Lennert Buytenhek
2005-03-20 17:49 ` Patrick McHardy
2005-03-20 18:11 ` Ludo Stellingwerff
2005-03-20 18:22 ` Patrick McHardy
2005-03-20 18:43 ` jamal
2005-03-20 19:10 ` Patrick McHardy
2005-03-30 9:49 ` Extending xfrm_selector (Was: [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS) Herbert Xu
2005-03-23 3:49 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS David S. Miller
2005-03-23 4:03 ` Patrick McHardy
2005-03-24 5:05 ` Patrick McHardy [this message]
2005-03-24 5:43 ` Netfilter+IPsec David S. Miller
2005-03-25 2:53 ` Netfilter+IPsec Herbert Xu
2005-03-25 5:10 ` Netfilter+IPsec Patrick McHardy
2005-03-23 9:24 ` [22/*] [NETFILTER] Use correct IPsec MTU in TCPMSS Herbert Xu
2005-03-18 18:39 ` [21/*] [IPv4] Fix MTU check in ipmr_queue_xmit David S. Miller
2005-03-15 18:18 ` [15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data David S. Miller
2005-03-16 11:31 ` Herbert Xu
2005-03-16 22:02 ` David S. Miller
2005-03-21 16:14 ` Mika Penttilä
2005-03-21 20:28 ` Herbert Xu
2005-03-21 21:29 ` Mika Penttilä
2005-03-21 22:04 ` Herbert Xu
2005-03-15 5:26 ` [13/*] [IPV4] Fix room calculation in icmp_send David S. Miller
2005-03-15 5:25 ` [12/*] [IPSEC] Handle local_df in IPv4 David S. Miller
2005-03-15 18:25 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-15 18:28 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-28 20:10 ` [4/4] [IPSEC] Store MTU at each xfrm_dst Patrick McHardy
2005-03-28 23:30 ` [IPSEC] Move xfrm_flush_bundles into xfrm_state GC Herbert Xu
2005-03-31 0:10 ` Patrick McHardy
2005-04-01 5:21 ` David S. Miller
2005-03-28 23:39 ` Checking SPI in xfrm_state_find Herbert Xu
2005-03-31 0:13 ` Patrick McHardy
2005-03-31 0:46 ` Herbert Xu
2005-04-01 5:23 ` David S. Miller
2005-04-02 0:49 ` [IPSEC]: Kill nested read lock by deleting xfrm_init_tempsel Herbert Xu
2005-04-02 1:20 ` David S. Miller
2005-04-02 2:09 ` Herbert Xu
2005-04-03 16:48 ` Patrick McHardy
2005-04-05 10:39 ` Herbert Xu
2005-04-05 20:01 ` Patrick McHardy
2005-04-06 2:21 ` Herbert Xu
2005-04-21 23:35 ` David S. Miller
2005-04-21 23:52 ` Herbert Xu
2005-04-21 23:53 ` Patrick McHardy
2005-04-22 3:13 ` David S. Miller
2005-04-03 17:00 ` Checking SPI in xfrm_state_find Patrick McHardy
2005-02-15 8:10 ` [3/4] [IPSEC] Add route element to xfrm_dst Mika Penttilä
2005-02-15 9:53 ` Herbert Xu
2005-02-15 10:22 ` Mika Penttilä
2005-03-07 5:28 ` David S. Miller
2005-03-07 10:02 ` Herbert Xu
2005-03-07 10:16 ` [IPSEC] Kill redundan dst_release check in xfrm_dst_destroy Herbert Xu
2005-03-07 17:35 ` David S. Miller
2005-03-14 11:52 ` [3/4] [IPSEC] Add route element to xfrm_dst Patrick McHardy
2005-03-14 20:32 ` Herbert Xu
2005-03-15 19:05 ` Patrick McHardy
2005-03-07 5:23 ` [2/4] [IPSEC] Add xfrm_state_mtu David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42424AAE.9080403@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@oss.sgi.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).