diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-12-12 13:44:16 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:57:22 -0500 |
commit | d5422efe680fc55010c6ddca2370ca9548a96355 (patch) | |
tree | f72fa5eb779c8ae7d49688a9caac9b69a1f3bd58 /include/net | |
parent | 815f4e57e9fc67456624ecde0515a901368c78d2 (diff) |
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch adds the functions
xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get
the reverse flow to perform such a lookup.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/xfrm.h | 63 |
1 files changed, 58 insertions, 5 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index fe881b6e2bd0..d6dae5ae7abe 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -239,7 +239,8 @@ struct xfrm_policy_afinfo { | |||
239 | int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); | 239 | int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); |
240 | struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); | 240 | struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); |
241 | void (*decode_session)(struct sk_buff *skb, | 241 | void (*decode_session)(struct sk_buff *skb, |
242 | struct flowi *fl); | 242 | struct flowi *fl, |
243 | int reverse); | ||
243 | int (*get_tos)(struct flowi *fl); | 244 | int (*get_tos)(struct flowi *fl); |
244 | int (*fill_dst)(struct xfrm_dst *xdst, | 245 | int (*fill_dst)(struct xfrm_dst *xdst, |
245 | struct net_device *dev); | 246 | struct net_device *dev); |
@@ -844,14 +845,23 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short | |||
844 | #ifdef CONFIG_XFRM | 845 | #ifdef CONFIG_XFRM |
845 | extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); | 846 | extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); |
846 | 847 | ||
847 | static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) | 848 | static inline int __xfrm_policy_check2(struct sock *sk, int dir, |
849 | struct sk_buff *skb, | ||
850 | unsigned int family, int reverse) | ||
848 | { | 851 | { |
852 | int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); | ||
853 | |||
849 | if (sk && sk->sk_policy[XFRM_POLICY_IN]) | 854 | if (sk && sk->sk_policy[XFRM_POLICY_IN]) |
850 | return __xfrm_policy_check(sk, dir, skb, family); | 855 | return __xfrm_policy_check(sk, ndir, skb, family); |
851 | 856 | ||
852 | return (!xfrm_policy_count[dir] && !skb->sp) || | 857 | return (!xfrm_policy_count[dir] && !skb->sp) || |
853 | (skb->dst->flags & DST_NOPOLICY) || | 858 | (skb->dst->flags & DST_NOPOLICY) || |
854 | __xfrm_policy_check(sk, dir, skb, family); | 859 | __xfrm_policy_check(sk, ndir, skb, family); |
860 | } | ||
861 | |||
862 | static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) | ||
863 | { | ||
864 | return __xfrm_policy_check2(sk, dir, skb, family, 0); | ||
855 | } | 865 | } |
856 | 866 | ||
857 | static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) | 867 | static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) |
@@ -864,7 +874,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s | |||
864 | return xfrm_policy_check(sk, dir, skb, AF_INET6); | 874 | return xfrm_policy_check(sk, dir, skb, AF_INET6); |
865 | } | 875 | } |
866 | 876 | ||
867 | extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); | 877 | static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, |
878 | struct sk_buff *skb) | ||
879 | { | ||
880 | return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); | ||
881 | } | ||
882 | |||
883 | static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, | ||
884 | struct sk_buff *skb) | ||
885 | { | ||
886 | return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); | ||
887 | } | ||
888 | |||
889 | extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, | ||
890 | unsigned int family, int reverse); | ||
891 | |||
892 | static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, | ||
893 | unsigned int family) | ||
894 | { | ||
895 | return __xfrm_decode_session(skb, fl, family, 0); | ||
896 | } | ||
897 | |||
898 | static inline int xfrm_decode_session_reverse(struct sk_buff *skb, | ||
899 | struct flowi *fl, | ||
900 | unsigned int family) | ||
901 | { | ||
902 | return __xfrm_decode_session(skb, fl, family, 1); | ||
903 | } | ||
904 | |||
868 | extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); | 905 | extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); |
869 | 906 | ||
870 | static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) | 907 | static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) |
@@ -925,6 +962,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk | |||
925 | { | 962 | { |
926 | return 1; | 963 | return 1; |
927 | } | 964 | } |
965 | static inline int xfrm_decode_session_reverse(struct sk_buff *skb, | ||
966 | struct flowi *fl, | ||
967 | unsigned int family) | ||
968 | { | ||
969 | return -ENOSYS; | ||
970 | } | ||
971 | static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, | ||
972 | struct sk_buff *skb) | ||
973 | { | ||
974 | return 1; | ||
975 | } | ||
976 | static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, | ||
977 | struct sk_buff *skb) | ||
978 | { | ||
979 | return 1; | ||
980 | } | ||
928 | #endif | 981 | #endif |
929 | 982 | ||
930 | static __inline__ | 983 | static __inline__ |