  02 Jan, 2020 (8 commits)
    • Merge branch 'tcp-Add-support-for-L3-domains-to-MD5-auth' · 7a8d8a46
      David S. Miller authored
      David Ahern says:
      
      ====================
      tcp: Add support for L3 domains to MD5 auth
      
      With VRF, the scope of network addresses is limited to the L3 domain
      the device is associated with. MD5 keys are based on addresses, so proper
      VRF support requires an L3 domain to be considered for the lookups.
      
      Leverage the new TCP_MD5SIG_EXT option to add support for a device index
      to MD5 keys. The __tcpm_pad entry in tcp_md5sig is renamed to tcpm_ifindex
      and a new flag, TCP_MD5SIG_FLAG_IFINDEX, in tcpm_flags determines if the
      entry is examined. This follows what was done for MD5 and prefixes with
      commits
         8917a777 ("tcp: md5: add TCP_MD5SIG_EXT socket option to set a key address prefix")
         6797318e ("tcp: md5: add an address prefix for key lookup")
      
      Handling both a device AND L3 domain is much more complicated for the
      response paths. This set focuses only on L3 support - requiring the
      device index to be an l3mdev (i.e., VRF). Support for slave devices can
      be added later if desired, much like the progression of support for
      sockets bound to a VRF and then bound to a device in a VRF. Kernel
      code is set up to explicitly call out that the current lookup is for an L3
      index, while the uapi just references a device index, allowing its
      meaning to include other devices in the future.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • fcnal-test: Add TCP MD5 tests for VRF · 5cad8bce
      David Ahern authored
      Add tests for new TCP MD5 API for L3 domains (VRF).
      
      A new namespace is added to create a duplicate configuration between
      the VRF and default VRF to verify overlapping config is handled properly.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • fcnal-test: Add TCP MD5 tests · f0bee1eb
      David Ahern authored
      Add tests for existing TCP MD5 APIs - both single address
      config and the new extended API for prefixes.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nettest: Add support for TCP_MD5 extensions · eb09cf03
      David Ahern authored
      Update nettest to implement TCP_MD5SIG_EXT for a prefix and a device.
      
      Add a new option, -m, to specify a prefix and length to use with MD5
      auth. The device option comes from the existing -d option. If either
      are set and MD5 auth is requested, TCP_MD5SIG_EXT is used instead of
      TCP_MD5SIG.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nettest: Return 1 on MD5 failure for server mode · 1bfb45d8
      David Ahern authored
      On failure to set the MD5 password, do_server should return 1 so that the
      program exits with 1 rather than 255. This is used for negative testing
      when adding MD5 with the device option.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Add device index to tcp_md5sig · 6b102db5
      David Ahern authored
      Add support for userspace to specify a device index to limit the scope
      of an entry via the TCP_MD5SIG_EXT setsockopt. The existing __tcpm_pad
      is renamed to tcpm_ifindex and the new field is only checked if the new
      TCP_MD5SIG_FLAG_IFINDEX is set in tcpm_flags. For now, the device index
      must point to an L3 master device (e.g., VRF). The API and error
      handling are set up to allow the constraint to be relaxed in the future
      to any device index.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
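Added example, not code from this series or from nettest: a userspace helper that builds the extended tcp_md5sig entry described in the cover letter and in "net: Add device index to tcp_md5sig", combining the earlier prefix extension with the new tcpm_ifindex scoping under TCP_MD5SIG_FLAG_IFINDEX. Constant values and the struct layout mirror the Linux uapi; the helper name, the local struct name and the host-key/unscoped conventions are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Linux uapi values (linux/tcp.h), spelled out for libc headers that predate them */
#define TCP_MD5SIG              14
#define TCP_MD5SIG_EXT          32
#define TCP_MD5SIG_FLAG_PREFIX  0x1
#define TCP_MD5SIG_FLAG_IFINDEX 0x2
#define TCP_MD5SIG_MAXKEYLEN    80

/* Local mirror of struct tcp_md5sig after this series (__tcpm_pad -> tcpm_ifindex) */
struct tcp_md5sig_ext {
    struct sockaddr_storage tcpm_addr;
    uint8_t  tcpm_flags, tcpm_prefixlen;
    uint16_t tcpm_keylen;
    int      tcpm_ifindex;
    uint8_t  tcpm_key[TCP_MD5SIG_MAXKEYLEN];
};

/* Fill *m for peer addr (prefixlen < 0: host key; ifindex 0: unscoped) and
 * return the optname for setsockopt(fd, IPPROTO_TCP, optname, m, sizeof *m):
 * TCP_MD5SIG when no extension is used, TCP_MD5SIG_EXT otherwise (the rule
 * nettest applies for -m/-d), or -1 on invalid input. */
int md5sig_build(struct tcp_md5sig_ext *m, const char *addr, int prefixlen,
                 int ifindex, const char *key)
{
    size_t klen = strlen(key);
    int af = strchr(addr, ':') ? AF_INET6 : AF_INET, maxlen = af == AF_INET6 ? 128 : 32;
    void *dst = af == AF_INET6 ? (void *)&((struct sockaddr_in6 *)&m->tcpm_addr)->sin6_addr
                               : (void *)&((struct sockaddr_in *)&m->tcpm_addr)->sin_addr;
    memset(m, 0, sizeof(*m));
    if (klen == 0 || klen > TCP_MD5SIG_MAXKEYLEN || ifindex < 0 ||
        prefixlen > maxlen || inet_pton(af, addr, dst) != 1)
        return -1;
    m->tcpm_addr.ss_family = af;
    if (prefixlen >= 0) {      /* prefix key, as introduced by 8917a777 / 6797318e */
        m->tcpm_prefixlen = (uint8_t)prefixlen;
        m->tcpm_flags |= TCP_MD5SIG_FLAG_PREFIX;
    }
    if (ifindex > 0) {         /* L3 scope: the kernel accepts only a VRF (l3mdev) index */
        m->tcpm_ifindex = ifindex;
        m->tcpm_flags |= TCP_MD5SIG_FLAG_IFINDEX;
    }
    m->tcpm_keylen = (uint16_t)klen;
    memcpy(m->tcpm_key, key, klen);
    return m->tcpm_flags ? TCP_MD5SIG_EXT : TCP_MD5SIG;
}
```

Pass the returned optname to setsockopt on the listener before accept or on the client before connect; per the commit, an ifindex that is not an L3 master device is rejected by the kernel.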
    • tcp: Add l3index to tcp_md5sig_key and md5 functions · dea53bb8
      David Ahern authored
      Add l3index to tcp_md5sig_key to represent the L3 domain of a key, and
      add l3index to tcp_md5_do_add and tcp_md5_do_del to fill in the key.
      
      With the key now based on an l3index, add the new parameter to the
      lookup functions and consider the l3index when looking for a match.
      
      The l3index comes from the skb when processing ingress packets leveraging
      the helpers created for socket lookups, tcp_v4_sdif and inet_iif (and the
      v6 variants). When the sdif index is set, it means the packet ingressed a
      device that is part of an L3 domain and inet_iif points to the VRF device.
      For egress, the L3 domain is determined from the socket binding and
      sk_bound_dev_if.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4/tcp: Pass dif and sdif to tcp_v4_inbound_md5_hash · 534322ca
      David Ahern authored
      The original ingress device index is saved to the cb space of the skb
      and the cb is moved during tcp processing. Since tcp_v4_inbound_md5_hash
      can be called before and after the cb move, pass dif and sdif to it so
      the caller can save both prior to the cb move. Both are used by a later
      patch.
      Signed-off-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>