From d5422efe680fc55010c6ddca2370ca9548a96355 Mon Sep 17 00:00:00 2001
From: Herbert Xu
Date: Wed, 12 Dec 2007 10:44:16 -0800
Subject: [IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch adds the functions xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get the reverse flow to perform such a lookup.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/linux/xfrm.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'include/linux/xfrm.h')
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index b58adc52448d..c0e41e02234f 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -114,6 +114,7 @@ enum
 XFRM_POLICY_IN = 0,
 XFRM_POLICY_OUT = 1,
 XFRM_POLICY_FWD = 2,
+ XFRM_POLICY_MASK = 3,
 XFRM_POLICY_MAX = 3
 };
--
cgit v1.2.2
From 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 Mon Sep 17 00:00:00 2001
From: Herbert Xu
Date: Wed, 12 Dec 2007 10:44:43 -0800
Subject: [IPSEC]: Add ICMP host relookup support
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch implements this for ICMP traffic that originates from or terminates on localhost. This is activated on outbound with the new policy flag XFRM_POLICY_ICMP, and on inbound by the new state flag XFRM_STATE_ICMP. On inbound the policy check is now performed by the ICMP protocol so that it can repeat the policy check where necessary.
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
---
 include/linux/xfrm.h | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'include/linux/xfrm.h')
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index c0e41e02234f..1131eabfaa2a 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
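Review bot: In the `@@ -114,6 +114,7 @@` hunk, `XFRM_POLICY_MASK = 3` is added right above `XFRM_POLICY_MAX = 3` with the same value and nothing to say that one is a bit mask and the other an upper bound. The two agree only while the direction values fit in two bits; a later direction that raises MAX to 4 would need the mask to become 7, and a reader could easily bump both to 4. The users of the mask are not in this hunk, so its exact role is inferred from the name and the commit message; a comment such as `/* bit mask covering the direction values above; not a count */` on the new line would make the intent explicit. The enum's opening brace is outside the hunk.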
@@ -329,6 +329,7 @@ struct xfrm_usersa_info {
 #define XFRM_STATE_DECAP_DSCP 2
 #define XFRM_STATE_NOPMTUDISC 4
 #define XFRM_STATE_WILDRECV 8
+#define XFRM_STATE_ICMP 16
 };
 struct xfrm_usersa_id {
@@ -363,6 +364,8 @@ struct xfrm_userpolicy_info {
 #define XFRM_POLICY_BLOCK 1
 __u8 flags;
 #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
+ /* Automatically expand selector to include matching ICMP payloads. */
+#define XFRM_POLICY_ICMP 2
 __u8 share;
 };
--
cgit v1.2.2
From ba749ae98d5aa9d2ce9a7facde0deed454f92230 Mon Sep 17 00:00:00 2001
From: Eric Dumazet
Date: Sat, 12 Jan 2008 21:30:23 -0800
Subject: [XFRM]: alg_key_len should be unsigned to avoid integer divides
alg_key_len is currently defined as 'signed int'. This unfortunatly leads to integer divides in several paths. Converting it to unsigned is safe and saves 208 bytes of text on i386.
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
---
 include/linux/xfrm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include/linux/xfrm.h')
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 1131eabfaa2a..f8507eed0b79 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -92,7 +92,7 @@ struct xfrm_replay_state
 struct xfrm_algo {
 char alg_name[64];
- int alg_key_len; /* in bits */
+ unsigned int alg_key_len; /* in bits */
 char alg_key[0];
 };
--
cgit v1.2.2
From 3f4afb6443aaa1d69b2d8f0461c8191e40d54c3c Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Sat, 12 Jan 2008 21:31:29 -0800
Subject: [XFRM]: Fix struct xfrm_algo code formatting.
Realign struct members.
Signed-off-by: David S. Miller
---
 include/linux/xfrm.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'include/linux/xfrm.h')
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index f8507eed0b79..9b5b00c4ef9d 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
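Review bot: `XFRM_STATE_ICMP 16` in the `@@ -329,6 +329,7 @@` hunk is added with no comment, while `XFRM_POLICY_ICMP` in the following `@@ -363,6 +364,8 @@` hunk gets one. According to the commit message this state flag is what activates the inbound relookup, so it changes which inbound ICMP traffic can pass the policy check for an SA and should be documented where administrators and key managers will read it. Something like `/* Enable RFC 4301 reverse-payload policy relookup for inbound ICMP */` would do, with the wording checked against the implementation, which is not in this hunk. The body of struct xfrm_usersa_info starts outside the hunk.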
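Review bot: Making `alg_key_len` unsigned in the `@@ -92,7 +92,7 @@` hunk changes how out-of-range lengths behave, and the field comment still says only `/* in bits */`. A value that previously read as negative now reads as a very large bit count, and a bits-to-bytes rounding such as `(alg_key_len + 7) / 8` wraps to a small number for values within 7 of UINT_MAX, so a size check built on the rounded value could pass for a bogus length. The code that consumes this field is outside the hunk, so this is something to confirm in the callers rather than a defect visible here. If the field is filled from user-supplied messages, I would extend the comment to `/* in bits; bound-check before converting to bytes */`.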
@@ -91,9 +91,9 @@ struct xfrm_replay_state
 };
 struct xfrm_algo {
- char alg_name[64];
+ char alg_name[64];
 unsigned int alg_key_len; /* in bits */
- char alg_key[0];
+ char alg_key[0];
 };
 struct xfrm_stats {
--
cgit v1.2.2