[MLSXFRM]: Add flow labeling

This labels the flows that could utilize IPSec xfrms at the points the flows are defined so that IPSec policy and SAs at the right label can be used. The following protos are currently not handled, but they should continue to be able to use single-labeled IPSec like they currently do. ipmr ip_gre ipip igmp sit sctp ip6_tunnel (IPv6 over IPv6 tunnel device) decnet Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Venkat Yekkirala <vyekkirala@TrustedCS.com> 2006-08-05 02:12:42 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 17:53:27 -0400
commit: beb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch)
tree: 19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /net/ipv6
parent: 4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff)
9 files changed, 18 insertions, 0 deletions
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index ac85e9c532c2..82a1b1a328db 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -637,6 +637,7 @@ int inet6_sk_rebuild_header(struct sock *sk)
                fl.oif = sk->sk_bound_dev_if;
                fl.fl_ip_dport = inet->dport;
                fl.fl_ip_sport = inet->sport;
+                security_sk_classify_flow(sk, &fl);
                if (np->opt && np->opt->srcrt) {
                        struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 3b55b4c8e2d1..c73508e090a6 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -156,6 +156,8 @@ ipv4_connected:
        if (!fl.oif && (addr_type&IPV6_ADDR_MULTICAST))
                fl.oif = np->mcast_oif;
+        security_sk_classify_flow(sk, &fl);
        if (flowlabel) {
                if (flowlabel->opt && flowlabel->opt->srcrt) {
                        struct rt0_hdr *rt0 = (struct rt0_hdr *) flowlabel->opt->srcrt;
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 356a8a7ef22a..dbfce089e916 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -358,6 +358,7 @@ void icmpv6_send(struct sk_buff *skb, int type, int code, __u32 info,
        fl.oif = iif;
        fl.fl_icmp_type = type;
        fl.fl_icmp_code = code;
+        security_skb_classify_flow(skb, &fl);
        if (icmpv6_xmit_lock())
                return;
@@ -472,6 +473,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
                ipv6_addr_copy(&fl.fl6_src, saddr);
        fl.oif = skb->dev->ifindex;
        fl.fl_icmp_type = ICMPV6_ECHO_REPLY;
+        security_skb_classify_flow(skb, &fl);
        if (icmpv6_xmit_lock())
                return;
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index bf491077b822..7a51a258615d 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -157,6 +157,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok)
        fl.oif = sk->sk_bound_dev_if;
        fl.fl_ip_sport = inet->sport;
        fl.fl_ip_dport = inet->dport;
+        security_sk_classify_flow(sk, &fl);
        if (np->opt && np->opt->srcrt) {
                struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index b50055b9278d..67cfc3813c32 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -419,6 +419,7 @@ static inline void ndisc_flow_init(struct flowi *fl, u8 type,
        fl->proto               = IPPROTO_ICMPV6;
        fl->fl_icmp_type        = type;
        fl->fl_icmp_code        = 0;
+        security_sk_classify_flow(ndisc_socket->sk, fl);
 }
 static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 8629ba195d2d..c4eba1aeb323 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -96,6 +96,7 @@ static void send_reset(struct sk_buff *oldskb)
        ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr);
        fl.fl_ip_sport = otcph.dest;
        fl.fl_ip_dport = otcph.source;
+        security_skb_classify_flow(oldskb, &fl);
        dst = ip6_route_output(NULL, &fl);
        if (dst == NULL)
                return;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 15b862d8acab..d5040e172292 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -759,6 +759,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
        if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst))
                fl.oif = np->mcast_oif;
+        security_sk_classify_flow(sk, &fl);
        err = ip6_dst_lookup(sk, &dst, &fl);
        if (err)
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 802a1a6b1037..46922e57e311 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -251,6 +251,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
                final_p = &final;
        }
+        security_sk_classify_flow(sk, &fl);
        err = ip6_dst_lookup(sk, &dst, &fl);
        if (err)
                goto failure;
@@ -374,6 +376,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                        fl.oif = sk->sk_bound_dev_if;
                        fl.fl_ip_dport = inet->dport;
                        fl.fl_ip_sport = inet->sport;
+                        security_skb_classify_flow(skb, &fl);
                        if ((err = ip6_dst_lookup(sk, &dst, &fl))) {
                                sk->sk_err_soft = -err;
@@ -467,6 +470,7 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
        fl.oif = treq->iif;
        fl.fl_ip_dport = inet_rsk(req)->rmt_port;
        fl.fl_ip_sport = inet_sk(sk)->sport;
+        security_sk_classify_flow(sk, &fl);
        if (dst == NULL) {
                opt = np->opt;
@@ -625,6 +629,7 @@ static void tcp_v6_send_reset(struct sk_buff *skb)
        fl.oif = inet6_iif(skb);
        fl.fl_ip_dport = t1->dest;
        fl.fl_ip_sport = t1->source;
+        security_skb_classify_flow(skb, &fl);
        /* sk = NULL, but it is safe for now. RST socket required. */
        if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
@@ -691,6 +696,7 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32
        fl.oif = inet6_iif(skb);
        fl.fl_ip_dport = t1->dest;
        fl.fl_ip_sport = t1->source;
+        security_skb_classify_flow(skb, &fl);
        if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
                if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
@@ -923,6 +929,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                fl.oif = sk->sk_bound_dev_if;
                fl.fl_ip_dport = inet_rsk(req)->rmt_port;
                fl.fl_ip_sport = inet_sk(sk)->sport;
+                security_sk_classify_flow(sk, &fl);
                if (ip6_dst_lookup(sk, &dst, &fl))
                        goto out;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 3d54f246411e..82c7c9cde2a8 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -782,6 +782,8 @@ do_udp_sendmsg:
                connected = 0;
        }
+        security_sk_classify_flow(sk, fl);
        err = ip6_sk_dst_lookup(sk, &dst, fl);
        if (err)
                goto out;
author	Venkat Yekkirala <vyekkirala@TrustedCS.com>	2006-08-05 02:12:42 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 17:53:27 -0400
commit	beb8d13bed80f8388f1a9a107d07ddd342e627e8 (patch)
tree	19d5763b9b3b8ff3969997565e5ec0edd6e4bd33 /net/ipv6
parent	4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (diff)