aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorMasahide NAKAMURA <nakam@linux-ipv6.org>2007-04-30 03:33:35 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-04-30 03:58:09 -0400
commit157bfc25020f7eb731f94140e099307ade47299e (patch)
tree422821e5233daf0d8347ac361f09be9f49b43de4 /include
parent34588b4c046c34773e5a1a962da7b78b05c4d1bd (diff)
[XFRM]: Restrict upper layer information by bundle.
On MIPv6 usage, XFRM sub policy is enabled. When main (IPsec) and sub (MIPv6) policy selectors have the same address set but different upper layer information (i.e. protocol number and its ports or type/code), multiple bundle should be created. However, currently we have issue to use the same bundle created for the first time with all flows covered by the case. It is useful for the bundle to have the upper layer information to be restructured correctly if it does not match with the flow. 1. Bundle was created by two policies Selector from another policy is added to xfrm_dst. If the flow does not match the selector, it goes to slow path to restructure new bundle by single policy. 2. Bundle was created by one policy Flow cache is added to xfrm_dst as originated one. If the flow does not match the cache, it goes to slow path to try searching another policy. Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/net/flow.h6
-rw-r--r--include/net/xfrm.h10
2 files changed, 16 insertions, 0 deletions
diff --git a/include/net/flow.h b/include/net/flow.h
index ce4b10d8b412..f3cc1f812619 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -97,4 +97,10 @@ extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir,
97extern void flow_cache_flush(void); 97extern void flow_cache_flush(void);
98extern atomic_t flow_cache_genid; 98extern atomic_t flow_cache_genid;
99 99
100static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
101{
102 return (fl1->proto == fl2->proto &&
103 !memcmp(&fl1->uli_u, &fl2->uli_u, sizeof(fl1->uli_u)));
104}
105
100#endif 106#endif
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 9561bf817b02..66c2d3eec03c 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -603,6 +603,10 @@ struct xfrm_dst
603 struct rt6_info rt6; 603 struct rt6_info rt6;
604 } u; 604 } u;
605 struct dst_entry *route; 605 struct dst_entry *route;
606#ifdef CONFIG_XFRM_SUB_POLICY
607 struct flowi *origin;
608 struct xfrm_selector *partner;
609#endif
606 u32 genid; 610 u32 genid;
607 u32 route_mtu_cached; 611 u32 route_mtu_cached;
608 u32 child_mtu_cached; 612 u32 child_mtu_cached;
@@ -615,6 +619,12 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
615 dst_release(xdst->route); 619 dst_release(xdst->route);
616 if (likely(xdst->u.dst.xfrm)) 620 if (likely(xdst->u.dst.xfrm))
617 xfrm_state_put(xdst->u.dst.xfrm); 621 xfrm_state_put(xdst->u.dst.xfrm);
622#ifdef CONFIG_XFRM_SUB_POLICY
623 kfree(xdst->origin);
624 xdst->origin = NULL;
625 kfree(xdst->partner);
626 xdst->partner = NULL;
627#endif
618} 628}
619 629
620extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev); 630extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);