author | Patrick McHardy <kaber@trash.net> | 2006-01-07 02:03:34 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-01-07 15:57:31 -0500 |
commit | b05e106698d9966de524e78d9da1bf6407fe0c32 (patch) | |
tree | 8a7c253b7249451941674805cccdaaba299dff6f /net/ipv6 | |
parent | 951dbc8ac714b04c36296b8b5c36c8e036ce433f (diff) |
[IPV4/6]: Netfilter IPsec input hooks
When the innermost transform uses transport mode the decapsulated packet
is not visible to netfilter. Pass the packet through the PRE_ROUTING and
LOCAL_IN hooks again before handing it to upper layer protocols to make
netfilter visibility symmetrical to the output path.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/ip6_input.c | 2 | ||||
-rw-r--r-- | net/ipv6/xfrm6_input.c | 13 |
2 files changed, 14 insertions, 1 deletions
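--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -48,7 +48,7 @@
 
 
 
-static inline int ip6_rcv_finish( struct sk_buff *skb)
+inline int ip6_rcv_finish( struct sk_buff *skb)
 {
 	if (skb->dst == NULL)
 		ip6_route_input(skb);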
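Review bot: Dropping `static` on line 51 gives ip6_rcv_finish external linkage for the cross-file caller in xfrm6_input.c, but keeping `inline` on a definition that is called out-of-line from another translation unit is misleading, and that caller also needs a prototype in a shared header, which does not appear in this diffstat (limited to net/ipv6). Prefer `int ip6_rcv_finish(struct sk_buff *skb)` here with a matching declaration in the header that xfrm6_input.c includes; confirm that declaration exists in the full commit. The body of ip6_rcv_finish continues past the hunk.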
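--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -11,6 +11,8 @@
 
 #include <linux/module.h>
 #include <linux/string.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
 #include <net/dsfield.h>
 #include <net/inet_ecn.h>
 #include <net/ip.h>
@@ -121,6 +123,8 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi)
 	skb->sp->len += xfrm_nr;
 	skb->ip_summed = CHECKSUM_NONE;
 
+	nf_reset(skb);
+
 	if (decaps) {
 		if (!(skb->dev->flags&IFF_LOOPBACK)) {
 			dst_release(skb->dst);
@@ -129,7 +133,16 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi)
 		netif_rx(skb);
 		return -1;
 	} else {
+#ifdef CONFIG_NETFILTER
+		skb->nh.ipv6h->payload_len = htons(skb->len);
+		__skb_push(skb, skb->data - skb->nh.raw);
+
+		NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
+			ip6_rcv_finish);
+		return -1;
+#else
 		return 1;
+#endif
 	}
 
 drop_unlock: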
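Review bot: The payload_len written at new line 137 is taken before the `__skb_push(skb, skb->data - skb->nh.raw)` on the next line, so it counts only the bytes from skb->data onward; that is the correct IPv6 payload length only when exactly the 40-byte fixed header sits between nh.raw and data, and any extension header kept in front of the decapsulated payload would be left out of the length that netfilter and ip6_rcv_finish then see. Safer to push first and derive the length from the pushed packet: `__skb_push(skb, skb->data - skb->nh.raw);` followed by `skb->nh.ipv6h->payload_len = htons(skb->len - sizeof(struct ipv6hdr));`. The nf_reset() added before the branch is what makes the re-injected packet get a fresh conntrack lookup instead of inheriting the outer packet's state, so a one-line comment would help there: `/* re-injected through PRE_ROUTING/LOCAL_IN below: drop the outer packet's conntrack state */`. I cannot tell from this hunk whether the esp6/ah6 input handlers always leave data exactly one fixed header past nh.raw, so confirm the length against them. xfrm6_rcv_spi starts before the first hunk and continues past the `drop_unlock:` label.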