diff options
| author | David S. Miller <davem@davemloft.net> | 2014-09-22 16:41:41 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-09-22 16:41:41 -0400 |
| commit | 84de67b29882efaacd05861f41e749c5e8f0c3ed (patch) | |
| tree | e89c25f91ffab05ffdc680c5fef310b6a902a82c /include | |
| parent | 09f3756bb9a82835b0c2a9b50f36b47aa42f2c61 (diff) | |
| parent | b8c203b2d2fc961bafd53b41d5396bbcdec55998 (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2014-09-22
We generate a blackhole or queueing route if a packet
matches an IPsec policy but a state can't be resolved.
Here we assume that dst_output() is called to kill
these packets. Unfortunately this assumption is not
true in all cases, so it is possible that these packets
leave the system without the necessary transformations.
This pull request contains two patches to fix this issue:
1) Fix for blackhole routed packets.
2) Fix for queue routed packets.
Both patches are serious stable candidates.
Please pull or let me know if there are problems.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/dst.h | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/include/net/dst.h b/include/net/dst.h index 71c60f42be48..a8ae4e760778 100644 --- a/include/net/dst.h +++ b/include/net/dst.h | |||
| @@ -480,6 +480,7 @@ void dst_init(void); | |||
| 480 | /* Flags for xfrm_lookup flags argument. */ | 480 | /* Flags for xfrm_lookup flags argument. */ |
| 481 | enum { | 481 | enum { |
| 482 | XFRM_LOOKUP_ICMP = 1 << 0, | 482 | XFRM_LOOKUP_ICMP = 1 << 0, |
| 483 | XFRM_LOOKUP_QUEUE = 1 << 1, | ||
| 483 | }; | 484 | }; |
| 484 | 485 | ||
| 485 | struct flowi; | 486 | struct flowi; |
| @@ -490,7 +491,16 @@ static inline struct dst_entry *xfrm_lookup(struct net *net, | |||
| 490 | int flags) | 491 | int flags) |
| 491 | { | 492 | { |
| 492 | return dst_orig; | 493 | return dst_orig; |
| 493 | } | 494 | } |
| 495 | |||
| 496 | static inline struct dst_entry *xfrm_lookup_route(struct net *net, | ||
| 497 | struct dst_entry *dst_orig, | ||
| 498 | const struct flowi *fl, | ||
| 499 | struct sock *sk, | ||
| 500 | int flags) | ||
| 501 | { | ||
| 502 | return dst_orig; | ||
| 503 | } | ||
| 494 | 504 | ||
| 495 | static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) | 505 | static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) |
| 496 | { | 506 | { |
| @@ -502,6 +512,10 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, | |||
| 502 | const struct flowi *fl, struct sock *sk, | 512 | const struct flowi *fl, struct sock *sk, |
| 503 | int flags); | 513 | int flags); |
| 504 | 514 | ||
| 515 | struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig, | ||
| 516 | const struct flowi *fl, struct sock *sk, | ||
| 517 | int flags); | ||
| 518 | |||
| 505 | /* skb attached with this dst needs transformation if dst->xfrm is valid */ | 519 | /* skb attached with this dst needs transformation if dst->xfrm is valid */ |
| 506 | static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) | 520 | static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) |
| 507 | { | 521 | { |