author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-12-12 13:44:16 -0500 |
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:57:22 -0500 |
commit | d5422efe680fc55010c6ddca2370ca9548a96355 (patch) | |
tree | f72fa5eb779c8ae7d49688a9caac9b69a1f3bd58 /net/xfrm | |
parent | 815f4e57e9fc67456624ecde0515a901368c78d2 (diff) |
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch adds the functions
xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get
the reverse flow to perform such a lookup.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r-- | net/xfrm/xfrm_policy.c | 17 |
1 files changed, 11 insertions, 6 deletions
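--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1732,8 +1732,8 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
 return start;
 }
 
-int
-xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
+int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
+unsigned int family, int reverse)
 {
 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
 int err;
@@ -1741,12 +1741,12 @@ xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family
 if (unlikely(afinfo == NULL))
 return -EAFNOSUPPORT;
 
-afinfo->decode_session(skb, fl);
+afinfo->decode_session(skb, fl, reverse);
 err = security_xfrm_decode_session(skb, &fl->secid);
 xfrm_policy_put_afinfo(afinfo);
 return err;
 }
-EXPORT_SYMBOL(xfrm_decode_session);
+EXPORT_SYMBOL(__xfrm_decode_session);
 
 static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
 {
@@ -1768,11 +1768,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 int npols = 0;
 int xfrm_nr;
 int pi;
+int reverse;
 struct flowi fl;
-u8 fl_dir = policy_to_flow_dir(dir);
+u8 fl_dir;
 int xerr_idx = -1;
 
-if (xfrm_decode_session(skb, &fl, family) < 0)
+reverse = dir & ~XFRM_POLICY_MASK;
+dir &= XFRM_POLICY_MASK;
+fl_dir = policy_to_flow_dir(dir);
+
+if (__xfrm_decode_session(skb, &fl, family, reverse) < 0)
 return 0;
 nf_nat_decode_session(skb, &fl, family);
 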
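Review bot: The reverse-lookup request is carried in `dir` as the bits above XFRM_POLICY_MASK (`reverse = dir & ~XFRM_POLICY_MASK;` at the top of the third hunk), but nothing in __xfrm_policy_check's body documents that contract, so any caller passing an out-of-range direction value is silently turned into a reverse-flow lookup rather than rejected. Add a comment at the extraction point, e.g. `/* Bits of dir outside XFRM_POLICY_MASK request a reverse-flow (RFC 4301 ICMP) lookup; strip them before dir is used as a policy index. */`, and describe the flag in the function's kerneldoc. The decode_session afinfo callback now takes a third `reverse` argument (second hunk), so every per-family implementation must be updated in the same series; the diffstat is limited to net/xfrm, so that cannot be confirmed from this page. __xfrm_policy_check's body starts before the hunk and continues past it.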