path: root/net/xfrm/xfrm_state.c
author Steffen Klassert <steffen.klassert@secunet.com> 2011-03-08 01:09:09 +0100
committer David S. Miller <davem@davemloft.net> 2011-03-14 04:22:30 +0100
commit 97e15c3a8504ea39a209778d7dcdbdf440404a91
tree 1fb53589ef65caaadbf63a7cd9417f06f4f80a12 /net/xfrm/xfrm_state.c
parent xfrm: Move IPsec replay detection functions to a separate file
xfrm: Support anti-replay window size bigger than 32 packets
As it is, the anti-replay bitmap in struct xfrm_replay_state can only accommodate 32 packets, even though it is possible to configure anti-replay window sizes up to 255 packets from userspace. So we reject any packet with a sequence number within the configured window but outside the bitmap.

With this patch, we represent the anti-replay window as a bitmap of variable length that can be accessed via the new struct xfrm_replay_state_esn. Thus, we have no limit on the window size anymore.

To use the new anti-replay window implementation, new userspace tools are required. We leave the old implementation untouched to stay in sync with old userspace tools.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_state.c')
0 files changed, 0 insertions, 0 deletions
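
The limitation described in the commit message, as an added example that is not code from this commit or from the kernel: a simplified anti-replay check whose bitmap length is chosen at allocation time, so a 64-packet window can be run against a 32-bit bitmap and against one sized to the window. `struct replay_win`, `replay_new`, `slot` and `replay_accept` are hypothetical names, and plain 32-bit sequence numbers without wraparound are assumed.

```c
#include <stdint.h>
#include <stdlib.h>
/* Illustrative model; names and layout are assumptions, not kernel code. */
struct replay_win {
    uint32_t top;     /* highest sequence number accepted so far */
    uint32_t window;  /* configured anti-replay window, in packets */
    uint32_t nbits;   /* how many sequence numbers the bitmap tracks */
    uint32_t bmp[];   /* ring: bit (seq % nbits) set => seq was seen */
};

static struct replay_win *replay_new(uint32_t window, uint32_t bmp_words)
{
    struct replay_win *w = calloc(1, sizeof(*w) + bmp_words * sizeof(uint32_t));
    if (w) {
        w->window = window;
        w->nbits = bmp_words * 32;
    }
    return w;
}

static uint32_t *slot(struct replay_win *w, uint32_t seq, uint32_t *mask)
{
    *mask = UINT32_C(1) << (seq % w->nbits % 32);
    return &w->bmp[seq % w->nbits / 32];
}

/* Returns 1 and records seq if it is fresh, 0 if it must be dropped. */
static int replay_accept(struct replay_win *w, uint32_t seq)
{
    uint32_t mask, *word, diff;
    if (seq == 0 || w->nbits == 0)
        return 0;
    if (seq > w->top) {               /* window slides right */
        diff = seq - w->top < w->nbits ? seq - w->top : w->nbits;
        while (diff--) {              /* clear the ring slots being reused */
            word = slot(w, seq - diff, &mask);
            *word &= ~mask;
        }
        w->top = seq;
    } else {
        diff = w->top - seq;
        if (diff >= w->window || diff >= w->nbits)
            return 0; /* too old, or inside the window but past the bitmap */
    }
    word = slot(w, seq, &mask);
    if (*word & mask)
        return 0;                     /* already seen: replay */
    *word |= mask;
    return 1;
}
```

With `replay_new(64, 1)` a late packet 50 behind the newest one is dropped although the window is 64; with `replay_new(64, 2)` the same packet is accepted once and rejected on replay.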