[15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append

netdev

[15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data

To:	"David S. Miller" <davem@xxxxxxxxxxxxx>
Subject:	[15/*] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data
From:	Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date:	Tue, 15 Mar 2005 20:19:04 +1100
Cc:	Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>, Patrick McHardy <kaber@xxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to:	<20050314111002.GA29156@gondor.apana.org.au>
References:	<20050214221006.GA18415@gondor.apana.org.au> <20050214221200.GA18465@gondor.apana.org.au> <20050214221433.GB18465@gondor.apana.org.au> <20050214221607.GC18465@gondor.apana.org.au> <20050306213214.7d8a143d.davem@davemloft.net> <20050307103536.GB7137@gondor.apana.org.au> <20050308102741.GA23468@gondor.apana.org.au> <20050314102614.GA9610@gondor.apana.org.au> <20050314105313.GA21001@gondor.apana.org.au> <20050314111002.GA29156@gondor.apana.org.au>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mutt/1.5.6+20040907i

Hi Dave:

This patch fixes the IPsec overhead handling in ip_append_data and
ip6_append_data.  As it is they assume that the IPsec overhead is
constant.  This is not true as with ESP the IPsec overhead will vary
as the MTU varies.

The result is that they may produce packets that will exceed the MTU
when ESP is used.  Had it taken the trailer_len into account, it would
have produced packets less than the real MTU.

By switching to dst_mtu we get the optimal result.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

xfrm-15
Description: Text document

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [4/4] [IPSEC] Store MTU at each xfrm_dst, David S. Miller *[9/] [IPSEC] Check dst validity harder in xfrm_bundle_ok*, Herbert Xu* *Re: [9/] [IPSEC] Check dst validity harder in xfrm_bundle_ok*, David S. Miller* *[11/] [NET] Move dst_release out of dst->ops->check*, Herbert Xu* *Re: [11/] [NET] Move dst_release out of dst->ops->check*, YOSHIFUJI Hideaki / 吉藤英明* *Re: [11/] [NET] Move dst_release out of dst->ops->check*, David S. Miller* *[12/] [IPSEC] Handle local_df in IPv4*, Herbert Xu* *[13/] [IPV4] Fix room calculation in icmp_send*, Herbert Xu* *[14/] [IPV6] Reload skb->dst after xfrm6_route_forward*, Herbert Xu* *Re: [14/] [IPV6] Reload skb->dst after xfrm6_route_forward*, David S. Miller* *[15/] [INET] Fix IPsec calculation in ip_append_data/ip6_append_data*, Herbert Xu* <= *[16/] [INET] Take IPsec overhead into account in tunnels*, Herbert Xu* *[17/] [NET] Replace dst_pmtu with dst_mtu*, Herbert Xu* *Re: [17/] [NET] Replace dst_pmtu with dst_mtu*, David S. Miller* *Re: [17/] [NET] Replace dst_pmtu with dst_mtu*, Patrick McHardy* Replace send_unreach with icmp_send, Herbert Xu Re: Replace send_unreach with icmp_send, Patrick McHardy [IPV4] Make ipt_REJECT use icmp_send again, Herbert Xu Re: [IPV4] Make ipt_REJECT use icmp_send again, Patrick McHardy Re: [IPV4] Make ipt_REJECT use icmp_send again, David S. Miller [IPV4] Send TCP reset through dst_output in ipt_REJECT, Herbert Xu

Previous by Date:	Re: [Infrahip] Re: [PATCH] Host Identity Protocol, Miika Komu
Next by Date:	ipv6 unresolved symbol, Meelis Roos
Previous by Thread:	*Re: [14/] [IPV6] Reload skb->dst after xfrm6_route_forward*, David S. Miller*
Next by Thread:	*[16/] [INET] Take IPsec overhead into account in tunnels*, Herbert Xu*
Indexes:	[Date] [Thread] [Top] [All Lists]