diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-10-18 00:31:50 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-10-18 00:31:50 -0400 |
commit | 1bfcb10f670f5ff5e1d9f53e59680573524cb142 (patch) | |
tree | 003b271a2c1e089ae6506d869b7a8c8f04dbde0a /net/ipv6 | |
parent | aa5d62cc8777f733f8b59b5586c0a1989813189e (diff) |
[IPSEC]: Add missing BEET checks
Currently BEET mode does not reinject the packet back into the stack
like tunnel mode does. Since BEET should behave just like tunnel mode
this is incorrect.
This patch fixes this by introducing a flags field to xfrm_mode that
tells the IPsec code whether it should terminate and reinject the packet
back into the stack.
It then sets the flag for BEET and tunnel mode.
I've also added a number of missing BEET checks elsewhere where we check
whether a given mode is a tunnel or not.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/xfrm6_input.c | 2 | ||||
-rw-r--r-- | net/ipv6/xfrm6_mode_beet.c | 1 | ||||
-rw-r--r-- | net/ipv6/xfrm6_mode_tunnel.c | 1 | ||||
-rw-r--r-- | net/ipv6/xfrm6_output.c | 2 | ||||
-rw-r--r-- | net/ipv6/xfrm6_policy.c | 3 | ||||
-rw-r--r-- | net/ipv6/xfrm6_state.c | 6 |
6 files changed, 9 insertions, 6 deletions
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index b1201c33eb12..c6ee1a3ba19a 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c | |||
@@ -71,7 +71,7 @@ int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi) | |||
71 | if (x->mode->input(x, skb)) | 71 | if (x->mode->input(x, skb)) |
72 | goto drop; | 72 | goto drop; |
73 | 73 | ||
74 | if (x->props.mode == XFRM_MODE_TUNNEL) { /* XXX */ | 74 | if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) { |
75 | decaps = 1; | 75 | decaps = 1; |
76 | break; | 76 | break; |
77 | } | 77 | } |
diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c index 13bb1e856764..2bfb4f05c14c 100644 --- a/net/ipv6/xfrm6_mode_beet.c +++ b/net/ipv6/xfrm6_mode_beet.c | |||
@@ -79,6 +79,7 @@ static struct xfrm_mode xfrm6_beet_mode = { | |||
79 | .output = xfrm6_beet_output, | 79 | .output = xfrm6_beet_output, |
80 | .owner = THIS_MODULE, | 80 | .owner = THIS_MODULE, |
81 | .encap = XFRM_MODE_BEET, | 81 | .encap = XFRM_MODE_BEET, |
82 | .flags = XFRM_MODE_FLAG_TUNNEL, | ||
82 | }; | 83 | }; |
83 | 84 | ||
84 | static int __init xfrm6_beet_init(void) | 85 | static int __init xfrm6_beet_init(void) |
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c index ea2283879112..fd84e2217274 100644 --- a/net/ipv6/xfrm6_mode_tunnel.c +++ b/net/ipv6/xfrm6_mode_tunnel.c | |||
@@ -118,6 +118,7 @@ static struct xfrm_mode xfrm6_tunnel_mode = { | |||
118 | .output = xfrm6_tunnel_output, | 118 | .output = xfrm6_tunnel_output, |
119 | .owner = THIS_MODULE, | 119 | .owner = THIS_MODULE, |
120 | .encap = XFRM_MODE_TUNNEL, | 120 | .encap = XFRM_MODE_TUNNEL, |
121 | .flags = XFRM_MODE_FLAG_TUNNEL, | ||
121 | }; | 122 | }; |
122 | 123 | ||
123 | static int __init xfrm6_tunnel_init(void) | 124 | static int __init xfrm6_tunnel_init(void) |
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index a5a32c17249d..c9f42d1c2dff 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c | |||
@@ -50,7 +50,7 @@ static inline int xfrm6_output_one(struct sk_buff *skb) | |||
50 | struct ipv6hdr *iph; | 50 | struct ipv6hdr *iph; |
51 | int err; | 51 | int err; |
52 | 52 | ||
53 | if (x->props.mode == XFRM_MODE_TUNNEL) { | 53 | if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) { |
54 | err = xfrm6_tunnel_check_size(skb); | 54 | err = xfrm6_tunnel_check_size(skb); |
55 | if (err) | 55 | if (err) |
56 | goto error_nolock; | 56 | goto error_nolock; |
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 15aa4c58c315..dc4bdcb55cbe 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c | |||
@@ -178,8 +178,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int | |||
178 | __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]); | 178 | __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]); |
179 | trailer_len += xfrm[i]->props.trailer_len; | 179 | trailer_len += xfrm[i]->props.trailer_len; |
180 | 180 | ||
181 | if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL || | 181 | if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) { |
182 | xfrm[i]->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) { | ||
183 | unsigned short encap_family = xfrm[i]->props.family; | 182 | unsigned short encap_family = xfrm[i]->props.family; |
184 | switch(encap_family) { | 183 | switch(encap_family) { |
185 | case AF_INET: | 184 | case AF_INET: |
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c index cdadb4847469..e644c80515fc 100644 --- a/net/ipv6/xfrm6_state.c +++ b/net/ipv6/xfrm6_state.c | |||
@@ -93,7 +93,8 @@ __xfrm6_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n) | |||
93 | /* Rule 4: select IPsec tunnel */ | 93 | /* Rule 4: select IPsec tunnel */ |
94 | for (i = 0; i < n; i++) { | 94 | for (i = 0; i < n; i++) { |
95 | if (src[i] && | 95 | if (src[i] && |
96 | src[i]->props.mode == XFRM_MODE_TUNNEL) { | 96 | (src[i]->props.mode == XFRM_MODE_TUNNEL || |
97 | src[i]->props.mode == XFRM_MODE_BEET)) { | ||
97 | dst[j++] = src[i]; | 98 | dst[j++] = src[i]; |
98 | src[i] = NULL; | 99 | src[i] = NULL; |
99 | } | 100 | } |
@@ -146,7 +147,8 @@ __xfrm6_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n) | |||
146 | /* Rule 3: select IPsec tunnel */ | 147 | /* Rule 3: select IPsec tunnel */ |
147 | for (i = 0; i < n; i++) { | 148 | for (i = 0; i < n; i++) { |
148 | if (src[i] && | 149 | if (src[i] && |
149 | src[i]->mode == XFRM_MODE_TUNNEL) { | 150 | (src[i]->mode == XFRM_MODE_TUNNEL || |
151 | src[i]->mode == XFRM_MODE_BEET)) { | ||
150 | dst[j++] = src[i]; | 152 | dst[j++] = src[i]; |
151 | src[i] = NULL; | 153 | src[i] = NULL; |
152 | } | 154 | } |