author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-08-05 02:12:42 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:27 -0400 |
commit | beb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch) | |
tree | 19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /net/dccp | |
parent | 4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff) |
[MLSXFRM]: Add flow labeling
This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.
The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.
ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dccp')
-rw-r--r-- | net/dccp/ipv4.c | 1 | ||||
-rw-r--r-- | net/dccp/ipv6.c | 6 |
2 files changed, 7 insertions, 0 deletions
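--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -678,6 +678,7 @@ static struct dst_entry* dccp_v4_route_skb(struct sock *sk,
 }
 };
 
+security_skb_classify_flow(skb, &fl);
 if (ip_route_output_flow(&rt, &fl, sk, 0)) {
 IP_INC_STATS_BH(IPSTATS_MIB_OUTNOROUTES);
 return NULL;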
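Review bot: dccp_v4_route_skb receives both `sk` and `skb`, yet the added `security_skb_classify_flow(skb, &fl);` takes the label from `skb` without saying why; presumably `sk` here is not the socket the packet belongs to, and a one-line comment would record that, e.g. `/* label the flow from the packet; sk is not the flow's owner here */`. The call is used as a plain statement, so if the hook cannot derive a label the route lookup appears to proceed with whatever label `fl` was initialised with. It is worth confirming that this default cannot match an IPSec policy or SA at a label the packet should not use. The function begins and ends outside the hunk, so the initialisation of `fl` is only partly visible.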
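--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -201,6 +201,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
 fl.oif = sk->sk_bound_dev_if;
 fl.fl_ip_dport = usin->sin6_port;
 fl.fl_ip_sport = inet->sport;
+security_sk_classify_flow(sk, &fl);
 
 if (np->opt != NULL && np->opt->srcrt != NULL) {
 const struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
@@ -322,6 +323,7 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 fl.oif = sk->sk_bound_dev_if;
 fl.fl_ip_dport = inet->dport;
 fl.fl_ip_sport = inet->sport;
+security_sk_classify_flow(sk, &fl);
 
 err = ip6_dst_lookup(sk, &dst, &fl);
 if (err) {
@@ -422,6 +424,7 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
 fl.oif = ireq6->iif;
 fl.fl_ip_dport = inet_rsk(req)->rmt_port;
 fl.fl_ip_sport = inet_sk(sk)->sport;
+security_sk_classify_flow(sk, &fl);
 
 if (dst == NULL) {
 opt = np->opt;
@@ -566,6 +569,7 @@ static void dccp_v6_ctl_send_reset(struct sk_buff *rxskb)
 fl.oif = inet6_iif(rxskb);
 fl.fl_ip_dport = dh->dccph_dport;
 fl.fl_ip_sport = dh->dccph_sport;
+security_skb_classify_flow(rxskb, &fl);
 
 /* sk = NULL, but it is safe for now. RST socket required. */
 if (!ip6_dst_lookup(NULL, &skb->dst, &fl)) {
@@ -622,6 +626,7 @@ static void dccp_v6_reqsk_send_ack(struct sk_buff *rxskb,
 fl.oif = inet6_iif(rxskb);
 fl.fl_ip_dport = dh->dccph_dport;
 fl.fl_ip_sport = dh->dccph_sport;
+security_skb_classify_flow(rxskb, &fl);
 
 if (!ip6_dst_lookup(NULL, &skb->dst, &fl)) {
 if (xfrm_lookup(&skb->dst, &fl, NULL, 0) >= 0) {
@@ -842,6 +847,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
 fl.oif = sk->sk_bound_dev_if;
 fl.fl_ip_dport = inet_rsk(req)->rmt_port;
 fl.fl_ip_sport = inet_sk(sk)->sport;
+security_sk_classify_flow(sk, &fl);
 
 if (ip6_dst_lookup(sk, &dst, &fl))
 goto out;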
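Review bot: In dccp_v6_send_response and dccp_v6_request_recv_sock the flow is labeled from the listening socket with `security_sk_classify_flow(sk, &fl);`, although the remote port in `fl` comes from `req`. If the listener can accept requests arriving at more than one label, the Response and the child's route lookup would select IPSec policy and SAs at the listener's label rather than at the label of the request that triggered them. The reset and ack paths (dccp_v6_ctl_send_reset, dccp_v6_reqsk_send_ack) label from `rxskb` instead, so the choice of source differs between reply paths. If listener-based labeling is intended for now, a comment at both call sites should say so, e.g. `/* labeled from the listener; the request carries no label of its own yet */`. Both functions begin and end outside the hunks shown, so whether `req` already carries a label cannot be confirmed from this page.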