authorHerbert Xu <herbert@gondor.apana.org.au>2007-12-12 13:44:16 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:57:22 -0500
commitd5422efe680fc55010c6ddca2370ca9548a96355 (patch)
treef72fa5eb779c8ae7d49688a9caac9b69a1f3bd58 /net/xfrm
parent815f4e57e9fc67456624ecde0515a901368c78d2 (diff)
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch adds the functions xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get the reverse flow to perform such a lookup. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
-rw-r--r--net/xfrm/xfrm_policy.c17
1 files changed, 11 insertions, 6 deletions
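--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1732,8 +1732,8 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
 return start;
 }
 
-int
-xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
+int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
+unsigned int family, int reverse)
 {
 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
 int err;
@@ -1741,12 +1741,12 @@ xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family
 if (unlikely(afinfo == NULL))
 return -EAFNOSUPPORT;
 
-afinfo->decode_session(skb, fl);
+afinfo->decode_session(skb, fl, reverse);
 err = security_xfrm_decode_session(skb, &fl->secid);
 xfrm_policy_put_afinfo(afinfo);
 return err;
 }
-EXPORT_SYMBOL(xfrm_decode_session);
+EXPORT_SYMBOL(__xfrm_decode_session);
 
 static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
 {
@@ -1768,11 +1768,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 int npols = 0;
 int xfrm_nr;
 int pi;
+int reverse;
 struct flowi fl;
-u8 fl_dir = policy_to_flow_dir(dir);
+u8 fl_dir;
 int xerr_idx = -1;
 
-if (xfrm_decode_session(skb, &fl, family) < 0)
+reverse = dir & ~XFRM_POLICY_MASK;
+dir &= XFRM_POLICY_MASK;
+fl_dir = policy_to_flow_dir(dir);
+
+if (__xfrm_decode_session(skb, &fl, family, reverse) < 0)
 return 0;
 nf_nat_decode_session(skb, &fl, family);
 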
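Review bot: In `__xfrm_policy_check`, `reverse = dir & ~XFRM_POLICY_MASK;` treats every bit outside the mask as a request for the reversed flow, so a stray high bit in a caller's `dir` would silently change which flow the inbound policy check is run against. Nothing at this site says that `dir` now carries a flag as well as a direction; a comment above the two masking lines, such as `/* bits above XFRM_POLICY_MASK ask for the reverse (ICMP payload) flow; strip them before using dir */`, would make the contract visible. Testing only the one intended flag bit, rather than the complement of the mask, would also keep an unexpected value from selecting the reverse decode. The body of `__xfrm_policy_check` starts and ends outside the hunk, so how callers build `dir` cannot be confirmed from here.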