diff options
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/af_inet6.c | 1 | ||||
| -rw-r--r-- | net/ipv6/datagram.c | 2 | ||||
| -rw-r--r-- | net/ipv6/icmp.c | 2 | ||||
| -rw-r--r-- | net/ipv6/inet6_connection_sock.c | 1 | ||||
| -rw-r--r-- | net/ipv6/ndisc.c | 1 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6t_REJECT.c | 1 | ||||
| -rw-r--r-- | net/ipv6/raw.c | 1 | ||||
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 7 | ||||
| -rw-r--r-- | net/ipv6/udp.c | 2 |
9 files changed, 18 insertions, 0 deletions
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ac85e9c532c2..82a1b1a328db 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c | |||
| @@ -637,6 +637,7 @@ int inet6_sk_rebuild_header(struct sock *sk) | |||
| 637 | fl.oif = sk->sk_bound_dev_if; | 637 | fl.oif = sk->sk_bound_dev_if; |
| 638 | fl.fl_ip_dport = inet->dport; | 638 | fl.fl_ip_dport = inet->dport; |
| 639 | fl.fl_ip_sport = inet->sport; | 639 | fl.fl_ip_sport = inet->sport; |
| 640 | security_sk_classify_flow(sk, &fl); | ||
| 640 | 641 | ||
| 641 | if (np->opt && np->opt->srcrt) { | 642 | if (np->opt && np->opt->srcrt) { |
| 642 | struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt; | 643 | struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt; |
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index 3b55b4c8e2d1..c73508e090a6 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c | |||
| @@ -156,6 +156,8 @@ ipv4_connected: | |||
| 156 | if (!fl.oif && (addr_type&IPV6_ADDR_MULTICAST)) | 156 | if (!fl.oif && (addr_type&IPV6_ADDR_MULTICAST)) |
| 157 | fl.oif = np->mcast_oif; | 157 | fl.oif = np->mcast_oif; |
| 158 | 158 | ||
| 159 | security_sk_classify_flow(sk, &fl); | ||
| 160 | |||
| 159 | if (flowlabel) { | 161 | if (flowlabel) { |
| 160 | if (flowlabel->opt && flowlabel->opt->srcrt) { | 162 | if (flowlabel->opt && flowlabel->opt->srcrt) { |
| 161 | struct rt0_hdr *rt0 = (struct rt0_hdr *) flowlabel->opt->srcrt; | 163 | struct rt0_hdr *rt0 = (struct rt0_hdr *) flowlabel->opt->srcrt; |
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 356a8a7ef22a..dbfce089e916 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c | |||
| @@ -358,6 +358,7 @@ void icmpv6_send(struct sk_buff *skb, int type, int code, __u32 info, | |||
| 358 | fl.oif = iif; | 358 | fl.oif = iif; |
| 359 | fl.fl_icmp_type = type; | 359 | fl.fl_icmp_type = type; |
| 360 | fl.fl_icmp_code = code; | 360 | fl.fl_icmp_code = code; |
| 361 | security_skb_classify_flow(skb, &fl); | ||
| 361 | 362 | ||
| 362 | if (icmpv6_xmit_lock()) | 363 | if (icmpv6_xmit_lock()) |
| 363 | return; | 364 | return; |
| @@ -472,6 +473,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb) | |||
| 472 | ipv6_addr_copy(&fl.fl6_src, saddr); | 473 | ipv6_addr_copy(&fl.fl6_src, saddr); |
| 473 | fl.oif = skb->dev->ifindex; | 474 | fl.oif = skb->dev->ifindex; |
| 474 | fl.fl_icmp_type = ICMPV6_ECHO_REPLY; | 475 | fl.fl_icmp_type = ICMPV6_ECHO_REPLY; |
| 476 | security_skb_classify_flow(skb, &fl); | ||
| 475 | 477 | ||
| 476 | if (icmpv6_xmit_lock()) | 478 | if (icmpv6_xmit_lock()) |
| 477 | return; | 479 | return; |
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c index bf491077b822..7a51a258615d 100644 --- a/net/ipv6/inet6_connection_sock.c +++ b/net/ipv6/inet6_connection_sock.c | |||
| @@ -157,6 +157,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok) | |||
| 157 | fl.oif = sk->sk_bound_dev_if; | 157 | fl.oif = sk->sk_bound_dev_if; |
| 158 | fl.fl_ip_sport = inet->sport; | 158 | fl.fl_ip_sport = inet->sport; |
| 159 | fl.fl_ip_dport = inet->dport; | 159 | fl.fl_ip_dport = inet->dport; |
| 160 | security_sk_classify_flow(sk, &fl); | ||
| 160 | 161 | ||
| 161 | if (np->opt && np->opt->srcrt) { | 162 | if (np->opt && np->opt->srcrt) { |
| 162 | struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt; | 163 | struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt; |
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index b50055b9278d..67cfc3813c32 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c | |||
| @@ -419,6 +419,7 @@ static inline void ndisc_flow_init(struct flowi *fl, u8 type, | |||
| 419 | fl->proto = IPPROTO_ICMPV6; | 419 | fl->proto = IPPROTO_ICMPV6; |
| 420 | fl->fl_icmp_type = type; | 420 | fl->fl_icmp_type = type; |
| 421 | fl->fl_icmp_code = 0; | 421 | fl->fl_icmp_code = 0; |
| 422 | security_sk_classify_flow(ndisc_socket->sk, fl); | ||
| 422 | } | 423 | } |
| 423 | 424 | ||
| 424 | static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh, | 425 | static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh, |
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 8629ba195d2d..c4eba1aeb323 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c | |||
| @@ -96,6 +96,7 @@ static void send_reset(struct sk_buff *oldskb) | |||
| 96 | ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr); | 96 | ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr); |
| 97 | fl.fl_ip_sport = otcph.dest; | 97 | fl.fl_ip_sport = otcph.dest; |
| 98 | fl.fl_ip_dport = otcph.source; | 98 | fl.fl_ip_dport = otcph.source; |
| 99 | security_skb_classify_flow(oldskb, &fl); | ||
| 99 | dst = ip6_route_output(NULL, &fl); | 100 | dst = ip6_route_output(NULL, &fl); |
| 100 | if (dst == NULL) | 101 | if (dst == NULL) |
| 101 | return; | 102 | return; |
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 15b862d8acab..d5040e172292 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c | |||
| @@ -759,6 +759,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, | |||
| 759 | 759 | ||
| 760 | if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst)) | 760 | if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst)) |
| 761 | fl.oif = np->mcast_oif; | 761 | fl.oif = np->mcast_oif; |
| 762 | security_sk_classify_flow(sk, &fl); | ||
| 762 | 763 | ||
| 763 | err = ip6_dst_lookup(sk, &dst, &fl); | 764 | err = ip6_dst_lookup(sk, &dst, &fl); |
| 764 | if (err) | 765 | if (err) |
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 802a1a6b1037..46922e57e311 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c | |||
| @@ -251,6 +251,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, | |||
| 251 | final_p = &final; | 251 | final_p = &final; |
| 252 | } | 252 | } |
| 253 | 253 | ||
| 254 | security_sk_classify_flow(sk, &fl); | ||
| 255 | |||
| 254 | err = ip6_dst_lookup(sk, &dst, &fl); | 256 | err = ip6_dst_lookup(sk, &dst, &fl); |
| 255 | if (err) | 257 | if (err) |
| 256 | goto failure; | 258 | goto failure; |
| @@ -374,6 +376,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, | |||
| 374 | fl.oif = sk->sk_bound_dev_if; | 376 | fl.oif = sk->sk_bound_dev_if; |
| 375 | fl.fl_ip_dport = inet->dport; | 377 | fl.fl_ip_dport = inet->dport; |
| 376 | fl.fl_ip_sport = inet->sport; | 378 | fl.fl_ip_sport = inet->sport; |
| 379 | security_skb_classify_flow(skb, &fl); | ||
| 377 | 380 | ||
| 378 | if ((err = ip6_dst_lookup(sk, &dst, &fl))) { | 381 | if ((err = ip6_dst_lookup(sk, &dst, &fl))) { |
| 379 | sk->sk_err_soft = -err; | 382 | sk->sk_err_soft = -err; |
| @@ -467,6 +470,7 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req, | |||
| 467 | fl.oif = treq->iif; | 470 | fl.oif = treq->iif; |
| 468 | fl.fl_ip_dport = inet_rsk(req)->rmt_port; | 471 | fl.fl_ip_dport = inet_rsk(req)->rmt_port; |
| 469 | fl.fl_ip_sport = inet_sk(sk)->sport; | 472 | fl.fl_ip_sport = inet_sk(sk)->sport; |
| 473 | security_sk_classify_flow(sk, &fl); | ||
| 470 | 474 | ||
| 471 | if (dst == NULL) { | 475 | if (dst == NULL) { |
| 472 | opt = np->opt; | 476 | opt = np->opt; |
| @@ -625,6 +629,7 @@ static void tcp_v6_send_reset(struct sk_buff *skb) | |||
| 625 | fl.oif = inet6_iif(skb); | 629 | fl.oif = inet6_iif(skb); |
| 626 | fl.fl_ip_dport = t1->dest; | 630 | fl.fl_ip_dport = t1->dest; |
| 627 | fl.fl_ip_sport = t1->source; | 631 | fl.fl_ip_sport = t1->source; |
| 632 | security_skb_classify_flow(skb, &fl); | ||
| 628 | 633 | ||
| 629 | /* sk = NULL, but it is safe for now. RST socket required. */ | 634 | /* sk = NULL, but it is safe for now. RST socket required. */ |
| 630 | if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) { | 635 | if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) { |
| @@ -691,6 +696,7 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 | |||
| 691 | fl.oif = inet6_iif(skb); | 696 | fl.oif = inet6_iif(skb); |
| 692 | fl.fl_ip_dport = t1->dest; | 697 | fl.fl_ip_dport = t1->dest; |
| 693 | fl.fl_ip_sport = t1->source; | 698 | fl.fl_ip_sport = t1->source; |
| 699 | security_skb_classify_flow(skb, &fl); | ||
| 694 | 700 | ||
| 695 | if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) { | 701 | if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) { |
| 696 | if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) { | 702 | if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) { |
| @@ -923,6 +929,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, | |||
| 923 | fl.oif = sk->sk_bound_dev_if; | 929 | fl.oif = sk->sk_bound_dev_if; |
| 924 | fl.fl_ip_dport = inet_rsk(req)->rmt_port; | 930 | fl.fl_ip_dport = inet_rsk(req)->rmt_port; |
| 925 | fl.fl_ip_sport = inet_sk(sk)->sport; | 931 | fl.fl_ip_sport = inet_sk(sk)->sport; |
| 932 | security_sk_classify_flow(sk, &fl); | ||
| 926 | 933 | ||
| 927 | if (ip6_dst_lookup(sk, &dst, &fl)) | 934 | if (ip6_dst_lookup(sk, &dst, &fl)) |
| 928 | goto out; | 935 | goto out; |
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 3d54f246411e..82c7c9cde2a8 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c | |||
| @@ -782,6 +782,8 @@ do_udp_sendmsg: | |||
| 782 | connected = 0; | 782 | connected = 0; |
| 783 | } | 783 | } |
| 784 | 784 | ||
| 785 | security_sk_classify_flow(sk, fl); | ||
| 786 | |||
| 785 | err = ip6_sk_dst_lookup(sk, &dst, fl); | 787 | err = ip6_sk_dst_lookup(sk, &dst, fl); |
| 786 | if (err) | 788 | if (err) |
| 787 | goto out; | 789 | goto out; |