authorHerbert Xu <herbert@gondor.apana.org.au>2007-12-12 13:44:43 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:57:23 -0500
commit8b7817f3a959ed99d7443afc12f78a7e1fcc2063 (patch)
tree7e315dfbf5c77e67f6e7ad56f14eaddca621212b /include
parentd5422efe680fc55010c6ddca2370ca9548a96355 (diff)
[IPSEC]: Add ICMP host relookup support
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch implements this for ICMP traffic that originates from or terminates on localhost. This is activated on outbound with the new policy flag XFRM_POLICY_ICMP, and on inbound by the new state flag XFRM_STATE_ICMP. On inbound the policy check is now performed by the ICMP protocol so that it can repeat the policy check where necessary. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/xfrm.h3
-rw-r--r--include/net/dst.h1
2 files changed, 4 insertions, 0 deletions
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index c0e41e02234f..1131eabfaa2a 100644
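--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -329,6 +329,7 @@ struct xfrm_usersa_info {
 #define XFRM_STATE_DECAP_DSCP 2
 #define XFRM_STATE_NOPMTUDISC 4
 #define XFRM_STATE_WILDRECV 8
+#define XFRM_STATE_ICMP 16
 };
 
 struct xfrm_usersa_id {
@@ -363,6 +364,8 @@ struct xfrm_userpolicy_info {
 #define XFRM_POLICY_BLOCK 1
  __u8 flags;
 #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ /* Automatically expand selector to include matching ICMP payloads. */
+#define XFRM_POLICY_ICMP 2
  __u8 share;
 };
 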
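Review bot: `XFRM_STATE_ICMP` in the first hunk is added with no comment, while `XFRM_POLICY_ICMP` in the second hunk gets one, although both are userspace-settable flags that change which ICMP traffic an SA or policy will cover. Going by the commit description, I would add `/* Inbound: relookup ICMP errors against the reverse of their payload */` above the state flag, and extend the policy comment to say that it applies to outbound lookups. The embedded payload of an ICMP error is chosen by its sender, so the comments should tell administrators that setting either flag widens matching on the basis of that data. Both struct definitions start outside their hunks.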
diff --git a/include/net/dst.h b/include/net/dst.h
index aaa2dbb50179..31468c9aa877 100644
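--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -268,6 +268,7 @@ extern void dst_init(void);
 /* Flags for xfrm_lookup flags argument. */
 enum {
  XFRM_LOOKUP_WAIT = 1 << 0,
+ XFRM_LOOKUP_ICMP = 1 << 1,
 };
 
 struct flowi;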
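Review bot: `XFRM_LOOKUP_ICMP` is added to the enum with no comment saying what it asks xfrm_lookup to do, and the callers are not part of this include-only view. It has the same numeric value (2) as `XFRM_POLICY_ICMP` in include/linux/xfrm.h but belongs to a different flag word, so passing one where the other is expected would compile without a warning. A one-line comment such as `/* ICMP relookup; see XFRM_POLICY_ICMP for the policy-side flag */` would make the distinction explicit, with the wording to be confirmed against the xfrm_lookup implementation.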