-rw-r--r--include/net/xfrm.h17
-rw-r--r--net/ipv4/xfrm4_input.c10
-rw-r--r--net/ipv6/xfrm6_input.c9
-rw-r--r--net/netfilter/xt_policy.c2
-rw-r--r--net/xfrm/xfrm_input.c4
-rw-r--r--net/xfrm/xfrm_policy.c10
6 files changed, 19 insertions, 33 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index c7612f4443ed..0d5529c382e8 100644
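--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -242,7 +242,6 @@ extern int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
 
 extern void xfrm_state_delete_tunnel(struct xfrm_state *x);
 
-struct xfrm_decap_state;
 struct xfrm_type
 {
  char *description;
@@ -606,25 +605,11 @@ static inline void xfrm_dst_destroy(struct xfrm_dst *xdst)
 
 extern void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev);
 
-/* Decapsulation state, used by the input to store data during
- * decapsulation procedure, to be used later (during the policy
- * check
- */
-struct xfrm_decap_state {
- char decap_data[20];
- __u16 decap_type;
-};
-
-struct sec_decap_state {
- struct xfrm_state *xvec;
- struct xfrm_decap_state decap;
-};
-
 struct sec_path
 {
  atomic_t refcnt;
  int len;
- struct sec_decap_state x[XFRM_MAX_DEPTH];
+ struct xfrm_state *xvec[XFRM_MAX_DEPTH];
 };
 
 static inline struct sec_path *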
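Review bot: `struct sec_path` in the second hunk is left without any comment, and the one comment that explained the per-entry layout is deleted along with `struct xfrm_decap_state`. Judging from the other files in this commit, each of the first `len` slots holds a reference that `secpath_dup()` takes with `xfrm_state_hold()` and `__secpath_destroy()` drops with `xfrm_state_put()`, and the policy code dereferences those slots without a NULL check. I would record that invariant on the member, e.g. `/* xvec[0..len-1]: non-NULL, each holds an xfrm_state reference */`, so later users of the array do not have to rediscover it.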
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index 04ceb6e13b9d..e1b8f4b90d80 100644
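--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -68,7 +68,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
 {
  int err;
  u32 spi, seq;
- struct sec_decap_state xfrm_vec[XFRM_MAX_DEPTH];
+ struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
  struct xfrm_state *x;
  int xfrm_nr = 0;
  int decaps = 0;
@@ -99,7 +99,6 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
  if (xfrm_state_check_expire(x))
  goto drop_unlock;
 
- xfrm_vec[xfrm_nr].decap.decap_type = encap_type;
  if (x->type->input(x, skb))
  goto drop_unlock;
 
@@ -114,7 +113,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
 
  spin_unlock(&x->lock);
 
- xfrm_vec[xfrm_nr++].xvec = x;
+ xfrm_vec[xfrm_nr++] = x;
 
  iph = skb->nh.iph;
 
@@ -156,7 +155,8 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
  if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
  goto drop;
 
- memcpy(skb->sp->x+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(struct sec_decap_state));
+ memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
+ xfrm_nr * sizeof(xfrm_vec[0]));
  skb->sp->len += xfrm_nr;
 
  nf_reset(skb);
@@ -187,7 +187,7 @@ drop_unlock:
  xfrm_state_put(x);
 drop:
  while (--xfrm_nr >= 0)
- xfrm_state_put(xfrm_vec[xfrm_nr].xvec);
+ xfrm_state_put(xfrm_vec[xfrm_nr]);
 
  kfree_skb(skb);
  return 0;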
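Review bot: The reworked memcpy sizes the copy from the source array, `sizeof(xfrm_vec[0])`, while the check just above it (`xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH`) bounds the destination `skb->sp->xvec` in element counts. Both arrays have the same element type after this commit, but nothing ties them together. Sizing by the destination, `xfrm_nr * sizeof(skb->sp->xvec[0])`, keeps the write inside `struct sec_path` if the two types ever drift apart again. The same applies to the identical memcpy in `xfrm6_rcv_spi` in net/ipv6/xfrm6_input.c. The store `xfrm_vec[xfrm_nr++] = x;` also depends on a depth check on `xfrm_nr` that is not visible in these hunks; the function body starts and ends outside them.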
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index ec7a96e9fa64..00cfdee18dca 100644
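--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -32,7 +32,7 @@ int xfrm6_rcv_spi(struct sk_buff *skb, u32 spi)
 {
  int err;
  u32 seq;
- struct sec_decap_state xfrm_vec[XFRM_MAX_DEPTH];
+ struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
  struct xfrm_state *x;
  int xfrm_nr = 0;
  int decaps = 0;
@@ -79,7 +79,7 @@ int xfrm6_rcv_spi(struct sk_buff *skb, u32 spi)
 
  spin_unlock(&x->lock);
 
- xfrm_vec[xfrm_nr++].xvec = x;
+ xfrm_vec[xfrm_nr++] = x;
 
  if (x->props.mode) { /* XXX */
  if (nexthdr != IPPROTO_IPV6)
@@ -118,7 +118,8 @@ int xfrm6_rcv_spi(struct sk_buff *skb, u32 spi)
  if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
  goto drop;
 
- memcpy(skb->sp->x+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(struct sec_decap_state));
+ memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
+ xfrm_nr * sizeof(xfrm_vec[0]));
  skb->sp->len += xfrm_nr;
  skb->ip_summed = CHECKSUM_NONE;
 
@@ -149,7 +150,7 @@ drop_unlock:
  xfrm_state_put(x);
 drop:
  while (--xfrm_nr >= 0)
- xfrm_state_put(xfrm_vec[xfrm_nr].xvec);
+ xfrm_state_put(xfrm_vec[xfrm_nr]);
  kfree_skb(skb);
  return -1;
 }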
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 1099cb005fcc..a3aa62fbda6f 100644
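--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -71,7 +71,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
  return 0;
  e = &info->pol[pos];
 
- if (match_xfrm_state(sp->x[i].xvec, e, family)) {
+ if (match_xfrm_state(sp->xvec[i], e, family)) {
  if (!strict)
  return 1;
  } else if (strict)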
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 2407a7072327..b54971059f16 100644
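--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -18,7 +18,7 @@ void __secpath_destroy(struct sec_path *sp)
 {
  int i;
  for (i = 0; i < sp->len; i++)
- xfrm_state_put(sp->x[i].xvec);
+ xfrm_state_put(sp->xvec[i]);
  kmem_cache_free(secpath_cachep, sp);
 }
 EXPORT_SYMBOL(__secpath_destroy);
@@ -37,7 +37,7 @@ struct sec_path *secpath_dup(struct sec_path *src)
 
  memcpy(sp, src, sizeof(*sp));
  for (i = 0; i < sp->len; i++)
- xfrm_state_hold(sp->x[i].xvec);
+ xfrm_state_hold(sp->xvec[i]);
  }
  atomic_set(&sp->refcnt, 1);
  return sp;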
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f5eae9febd26..c3725fe2a8fb 100644
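--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -943,9 +943,9 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
  } else
  start = -1;
  for (; idx < sp->len; idx++) {
- if (xfrm_state_ok(tmpl, sp->x[idx].xvec, family))
+ if (xfrm_state_ok(tmpl, sp->xvec[idx], family))
  return ++idx;
- if (sp->x[idx].xvec->props.mode)
+ if (sp->xvec[idx]->props.mode)
  break;
  }
  return start;
@@ -968,7 +968,7 @@ EXPORT_SYMBOL(xfrm_decode_session);
 static inline int secpath_has_tunnel(struct sec_path *sp, int k)
 {
  for (; k < sp->len; k++) {
- if (sp->x[k].xvec->props.mode)
+ if (sp->xvec[k]->props.mode)
  return 1;
  }
 
@@ -994,8 +994,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
  int i;
 
  for (i=skb->sp->len-1; i>=0; i--) {
- struct sec_decap_state *xvec = &(skb->sp->x[i]);
- if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family))
+ struct xfrm_state *x = skb->sp->xvec[i];
+ if (!xfrm_selector_match(&x->sel, &fl, family))
  return 0;
  }
  }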