Merge branch 'tcp-Add-support-for-L3-domains-to-MD5-auth'
David Ahern says: ==================== tcp: Add support for L3 domains to MD5 auth With VRF, the scope of network addresses is limited to the L3 domain the device is associated. MD5 keys are based on addresses, so proper VRF support requires an L3 domain to be considered for the lookups. Leverage the new TCP_MD5SIG_EXT option to add support for a device index to MD5 keys. The __tcpm_pad entry in tcp_md5sig is renamed to tcpm_ifindex and a new flag, TCP_MD5SIG_FLAG_IFINDEX, in tcpm_flags determines if the entry is examined. This follows what was done for MD5 and prefixes with commits 8917a777 ("tcp: md5: add TCP_MD5SIG_EXT socket option to set a key address prefix") 6797318e ("tcp: md5: add an address prefix for key lookup") Handling both a device AND L3 domain is much more complicated for the response paths. This set focuses only on L3 support - requiring the device index to be an l3mdev (ie, VRF). Support for slave devices can be added later if desired, much like the progression of support for sockets bound to a VRF and then bound to a device in a VRF. Kernel code is setup to explicitly call out that current lookup is for an L3 index, while the uapi just references a device index allowing its meaning to include other devices in the future. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Please register or sign in to comment