diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-12-12 10:44:16 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 14:57:22 -0800 |
commit | d5422efe680fc55010c6ddca2370ca9548a96355 (patch) | |
tree | f72fa5eb779c8ae7d49688a9caac9b69a1f3bd58 /include | |
parent | 815f4e57e9fc67456624ecde0515a901368c78d2 (diff) |
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch adds the functions
xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get
the reverse flow to perform such a lookup.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/xfrm.h | 1 | ||||
-rw-r--r-- | include/net/xfrm.h | 63 |
2 files changed, 59 insertions, 5 deletions
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index b58adc52448..c0e41e02234 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h @@ -114,6 +114,7 @@ enum XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2, + XFRM_POLICY_MASK = 3, XFRM_POLICY_MAX = 3 }; diff --git a/include/net/xfrm.h b/include/net/xfrm.h index fe881b6e2bd..d6dae5ae7ab 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -239,7 +239,8 @@ struct xfrm_policy_afinfo { int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); void (*decode_session)(struct sk_buff *skb, - struct flowi *fl); + struct flowi *fl, + int reverse); int (*get_tos)(struct flowi *fl); int (*fill_dst)(struct xfrm_dst *xdst, struct net_device *dev); @@ -844,14 +845,23 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short #ifdef CONFIG_XFRM extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); -static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) +static inline int __xfrm_policy_check2(struct sock *sk, int dir, + struct sk_buff *skb, + unsigned int family, int reverse) { + int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); + if (sk && sk->sk_policy[XFRM_POLICY_IN]) - return __xfrm_policy_check(sk, dir, skb, family); + return __xfrm_policy_check(sk, ndir, skb, family); return (!xfrm_policy_count[dir] && !skb->sp) || (skb->dst->flags & DST_NOPOLICY) || - __xfrm_policy_check(sk, dir, skb, family); + __xfrm_policy_check(sk, ndir, skb, family); +} + +static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) +{ + return __xfrm_policy_check2(sk, dir, skb, family, 0); } static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) @@ -864,7 +874,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s return xfrm_policy_check(sk, dir, skb, AF_INET6); } -extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); +static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); +} + +static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); +} + +extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, + unsigned int family, int reverse); + +static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, + unsigned int family) +{ + return __xfrm_decode_session(skb, fl, family, 0); +} + +static inline int xfrm_decode_session_reverse(struct sk_buff *skb, + struct flowi *fl, + unsigned int family) +{ + return __xfrm_decode_session(skb, fl, family, 1); +} + extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) @@ -925,6 +962,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk { return 1; } +static inline int xfrm_decode_session_reverse(struct sk_buff *skb, + struct flowi *fl, + unsigned int family) +{ + return -ENOSYS; +} +static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return 1; +} +static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, + struct sk_buff *skb) +{ + return 1; +} #endif static __inline__ |