diff options
| author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-08-05 02:12:42 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:27 -0400 |
| commit | beb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch) | |
| tree | 19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /net/ipv4 | |
| parent | 4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff) | |
[MLSXFRM]: Add flow labeling
This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.
The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.
ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnet
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/af_inet.c | 1 | ||||
| -rw-r--r-- | net/ipv4/icmp.c | 2 | ||||
| -rw-r--r-- | net/ipv4/inet_connection_sock.c | 1 | ||||
| -rw-r--r-- | net/ipv4/ip_output.c | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ipt_REJECT.c | 1 | ||||
| -rw-r--r-- | net/ipv4/raw.c | 1 | ||||
| -rw-r--r-- | net/ipv4/syncookies.c | 1 | ||||
| -rw-r--r-- | net/ipv4/udp.c | 1 |
8 files changed, 10 insertions, 0 deletions
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index c84a32070f8d..fc40da3b6d39 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c | |||
| @@ -1074,6 +1074,7 @@ int inet_sk_rebuild_header(struct sock *sk) | |||
| 1074 | }, | 1074 | }, |
| 1075 | }; | 1075 | }; |
| 1076 | 1076 | ||
| 1077 | security_sk_classify_flow(sk, &fl); | ||
| 1077 | err = ip_route_output_flow(&rt, &fl, sk, 0); | 1078 | err = ip_route_output_flow(&rt, &fl, sk, 0); |
| 1078 | } | 1079 | } |
| 1079 | if (!err) | 1080 | if (!err) |
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 4c86ac3d882d..6ad797c14163 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c | |||
| @@ -406,6 +406,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) | |||
| 406 | .saddr = rt->rt_spec_dst, | 406 | .saddr = rt->rt_spec_dst, |
| 407 | .tos = RT_TOS(skb->nh.iph->tos) } }, | 407 | .tos = RT_TOS(skb->nh.iph->tos) } }, |
| 408 | .proto = IPPROTO_ICMP }; | 408 | .proto = IPPROTO_ICMP }; |
| 409 | security_skb_classify_flow(skb, &fl); | ||
| 409 | if (ip_route_output_key(&rt, &fl)) | 410 | if (ip_route_output_key(&rt, &fl)) |
| 410 | goto out_unlock; | 411 | goto out_unlock; |
| 411 | } | 412 | } |
| @@ -560,6 +561,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, u32 info) | |||
| 560 | } | 561 | } |
| 561 | } | 562 | } |
| 562 | }; | 563 | }; |
| 564 | security_skb_classify_flow(skb_in, &fl); | ||
| 563 | if (ip_route_output_key(&rt, &fl)) | 565 | if (ip_route_output_key(&rt, &fl)) |
| 564 | goto out_unlock; | 566 | goto out_unlock; |
| 565 | } | 567 | } |
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index e50a1bfd7ccc..772b4eac78bc 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c | |||
| @@ -327,6 +327,7 @@ struct dst_entry* inet_csk_route_req(struct sock *sk, | |||
| 327 | { .sport = inet_sk(sk)->sport, | 327 | { .sport = inet_sk(sk)->sport, |
| 328 | .dport = ireq->rmt_port } } }; | 328 | .dport = ireq->rmt_port } } }; |
| 329 | 329 | ||
| 330 | security_sk_classify_flow(sk, &fl); | ||
| 330 | if (ip_route_output_flow(&rt, &fl, sk, 0)) { | 331 | if (ip_route_output_flow(&rt, &fl, sk, 0)) { |
| 331 | IP_INC_STATS_BH(IPSTATS_MIB_OUTNOROUTES); | 332 | IP_INC_STATS_BH(IPSTATS_MIB_OUTNOROUTES); |
| 332 | return NULL; | 333 | return NULL; |
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index a2ede167e045..308bdeac3455 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c | |||
| @@ -328,6 +328,7 @@ int ip_queue_xmit(struct sk_buff *skb, int ipfragok) | |||
| 328 | * keep trying until route appears or the connection times | 328 | * keep trying until route appears or the connection times |
| 329 | * itself out. | 329 | * itself out. |
| 330 | */ | 330 | */ |
| 331 | security_sk_classify_flow(sk, &fl); | ||
| 331 | if (ip_route_output_flow(&rt, &fl, sk, 0)) | 332 | if (ip_route_output_flow(&rt, &fl, sk, 0)) |
| 332 | goto no_route; | 333 | goto no_route; |
| 333 | } | 334 | } |
| @@ -1366,6 +1367,7 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar | |||
| 1366 | { .sport = skb->h.th->dest, | 1367 | { .sport = skb->h.th->dest, |
| 1367 | .dport = skb->h.th->source } }, | 1368 | .dport = skb->h.th->source } }, |
| 1368 | .proto = sk->sk_protocol }; | 1369 | .proto = sk->sk_protocol }; |
| 1370 | security_skb_classify_flow(skb, &fl); | ||
| 1369 | if (ip_route_output_key(&rt, &fl)) | 1371 | if (ip_route_output_key(&rt, &fl)) |
| 1370 | return; | 1372 | return; |
| 1371 | } | 1373 | } |
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 269bc2067cb8..7f905bf2bde5 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c | |||
| @@ -90,6 +90,7 @@ static inline struct rtable *route_reverse(struct sk_buff *skb, | |||
| 90 | fl.proto = IPPROTO_TCP; | 90 | fl.proto = IPPROTO_TCP; |
| 91 | fl.fl_ip_sport = tcph->dest; | 91 | fl.fl_ip_sport = tcph->dest; |
| 92 | fl.fl_ip_dport = tcph->source; | 92 | fl.fl_ip_dport = tcph->source; |
| 93 | security_skb_classify_flow(skb, &fl); | ||
| 93 | 94 | ||
| 94 | xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0); | 95 | xfrm_lookup((struct dst_entry **)&rt, &fl, NULL, 0); |
| 95 | 96 | ||
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 62b2762a2420..fe44cb50a1c5 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c | |||
| @@ -484,6 +484,7 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, | |||
| 484 | if (!inet->hdrincl) | 484 | if (!inet->hdrincl) |
| 485 | raw_probe_proto_opt(&fl, msg); | 485 | raw_probe_proto_opt(&fl, msg); |
| 486 | 486 | ||
| 487 | security_sk_classify_flow(sk, &fl); | ||
| 487 | err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT)); | 488 | err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT)); |
| 488 | } | 489 | } |
| 489 | if (err) | 490 | if (err) |
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index e20be3331f67..307dc3c0d635 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c | |||
| @@ -259,6 +259,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, | |||
| 259 | .uli_u = { .ports = | 259 | .uli_u = { .ports = |
| 260 | { .sport = skb->h.th->dest, | 260 | { .sport = skb->h.th->dest, |
| 261 | .dport = skb->h.th->source } } }; | 261 | .dport = skb->h.th->source } } }; |
| 262 | security_sk_classify_flow(sk, &fl); | ||
| 262 | if (ip_route_output_key(&rt, &fl)) { | 263 | if (ip_route_output_key(&rt, &fl)) { |
| 263 | reqsk_free(req); | 264 | reqsk_free(req); |
| 264 | goto out; | 265 | goto out; |
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index f136cec96d95..a4d005eccc7f 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c | |||
| @@ -603,6 +603,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, | |||
| 603 | .uli_u = { .ports = | 603 | .uli_u = { .ports = |
| 604 | { .sport = inet->sport, | 604 | { .sport = inet->sport, |
| 605 | .dport = dport } } }; | 605 | .dport = dport } } }; |
| 606 | security_sk_classify_flow(sk, &fl); | ||
| 606 | err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT)); | 607 | err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT)); |
| 607 | if (err) | 608 | if (err) |
| 608 | goto out; | 609 | goto out; |