From: David S. Miller <davem@davemloft.net>
Date: Thu, 2 Jan 2020 23:51:22 +0000 (-0800)
Subject: Merge branch 'tcp-Add-support-for-L3-domains-to-MD5-auth'
X-Git-Tag: v5.6-rc1~151^2~178
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=7a8d8a464276cd4d7053a919ab448cdc79922eab;p=linux.git

Merge branch 'tcp-Add-support-for-L3-domains-to-MD5-auth'

David Ahern says:

====================
tcp: Add support for L3 domains to MD5 auth

With VRF, the scope of network addresses is limited to the L3 domain
the device is associated. MD5 keys are based on addresses, so proper
VRF support requires an L3 domain to be considered for the lookups.

Leverage the new TCP_MD5SIG_EXT option to add support for a device index
to MD5 keys. The __tcpm_pad entry in tcp_md5sig is renamed to tcpm_ifindex
and a new flag, TCP_MD5SIG_FLAG_IFINDEX, in tcpm_flags determines if the
entry is examined. This follows what was done for MD5 and prefixes with
commits
   8917a777be3b ("tcp: md5: add TCP_MD5SIG_EXT socket option to set a key address prefix")
   6797318e623d ("tcp: md5: add an address prefix for key lookup")

Handling both a device AND L3 domain is much more complicated for the
response paths. This set focuses only on L3 support - requiring the
device index to be an l3mdev (ie, VRF). Support for slave devices can
be added later if desired, much like the progression of support for
sockets bound to a VRF and then bound to a device in a VRF. Kernel
code is setup to explicitly call out that current lookup is for an L3
index, while the uapi just references a device index allowing its
meaning to include other devices in the future.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
---

7a8d8a464276cd4d7053a919ab448cdc79922eab