microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

[IPSEC]: Add missing BEET checks 

Currently BEET mode does not reinject the packet back into the stack
like tunnel mode does.  Since BEET should behave just like tunnel mode
this is incorrect.

This patch fixes this by introducing a flags field to xfrm_mode that
tells the IPsec code whether it should terminate and reinject the packet
back into the stack.

It then sets the flag for BEET and tunnel mode.

I've also added a number of missing BEET checks elsewhere where we check
whether a given mode is a tunnel or not.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Herbert Xu 2007-10-17 21:31:50 -07:00 коммит произвёл David S. Miller
Родитель aa5d62cc87
Коммит 1bfcb10f67
14 изменённых файлов: 25 добавлений и 12 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

6
include/net/xfrm.h
Просмотреть файл

@ -314,6 +314,12 @@ struct xfrm_mode {
struct module *owner; struct module *owner;
unsigned int encap; unsigned int encap;
int flags;
};
/* Flags for xfrm_mode. */
enum {
XFRM_MODE_FLAG_TUNNEL = 1,
}; };
extern int xfrm_register_mode(struct xfrm_mode *mode, int family); extern int xfrm_register_mode(struct xfrm_mode *mode, int family);

2
net/ipv4/xfrm4_input.c
Просмотреть файл

@ -94,7 +94,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
if (x->mode->input(x, skb)) if (x->mode->input(x, skb))
goto drop; goto drop;
if (x->props.mode == XFRM_MODE_TUNNEL) { if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
decaps = 1; decaps = 1;
break; break;
} }

1
net/ipv4/xfrm4_mode_beet.c
Просмотреть файл

@ -114,6 +114,7 @@ static struct xfrm_mode xfrm4_beet_mode = {
.output = xfrm4_beet_output, .output = xfrm4_beet_output,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.encap = XFRM_MODE_BEET, .encap = XFRM_MODE_BEET,
.flags = XFRM_MODE_FLAG_TUNNEL,
}; };
static int __init xfrm4_beet_init(void) static int __init xfrm4_beet_init(void)

1
net/ipv4/xfrm4_mode_tunnel.c
Просмотреть файл

@ -139,6 +139,7 @@ static struct xfrm_mode xfrm4_tunnel_mode = {
.output = xfrm4_tunnel_output, .output = xfrm4_tunnel_output,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.encap = XFRM_MODE_TUNNEL, .encap = XFRM_MODE_TUNNEL,
.flags = XFRM_MODE_FLAG_TUNNEL,
}; };
static int __init xfrm4_tunnel_init(void) static int __init xfrm4_tunnel_init(void)

2
net/ipv4/xfrm4_output.c
Просмотреть файл

@ -47,7 +47,7 @@ static inline int xfrm4_output_one(struct sk_buff *skb)
struct iphdr *iph; struct iphdr *iph;
int err; int err;
if (x->props.mode == XFRM_MODE_TUNNEL) { if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
err = xfrm4_tunnel_check_size(skb); err = xfrm4_tunnel_check_size(skb);
if (err) if (err)
goto error_nolock; goto error_nolock;

2
net/ipv4/xfrm4_policy.c
Просмотреть файл

@ -117,7 +117,7 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
header_len += xfrm[i]->props.header_len; header_len += xfrm[i]->props.header_len;
trailer_len += xfrm[i]->props.trailer_len; trailer_len += xfrm[i]->props.trailer_len;
if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL) { if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
unsigned short encap_family = xfrm[i]->props.family; unsigned short encap_family = xfrm[i]->props.family;
switch (encap_family) { switch (encap_family) {
case AF_INET: case AF_INET:

2
net/ipv6/xfrm6_input.c
Просмотреть файл

@ -71,7 +71,7 @@ int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
if (x->mode->input(x, skb)) if (x->mode->input(x, skb))
goto drop; goto drop;
if (x->props.mode == XFRM_MODE_TUNNEL) { /* XXX */ if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
decaps = 1; decaps = 1;
break; break;
} }

1
net/ipv6/xfrm6_mode_beet.c
Просмотреть файл

@ -79,6 +79,7 @@ static struct xfrm_mode xfrm6_beet_mode = {
.output = xfrm6_beet_output, .output = xfrm6_beet_output,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.encap = XFRM_MODE_BEET, .encap = XFRM_MODE_BEET,
.flags = XFRM_MODE_FLAG_TUNNEL,
}; };
static int __init xfrm6_beet_init(void) static int __init xfrm6_beet_init(void)

1
net/ipv6/xfrm6_mode_tunnel.c
Просмотреть файл

@ -118,6 +118,7 @@ static struct xfrm_mode xfrm6_tunnel_mode = {
.output = xfrm6_tunnel_output, .output = xfrm6_tunnel_output,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.encap = XFRM_MODE_TUNNEL, .encap = XFRM_MODE_TUNNEL,
.flags = XFRM_MODE_FLAG_TUNNEL,
}; };
static int __init xfrm6_tunnel_init(void) static int __init xfrm6_tunnel_init(void)

2
net/ipv6/xfrm6_output.c
Просмотреть файл

@ -50,7 +50,7 @@ static inline int xfrm6_output_one(struct sk_buff *skb)
struct ipv6hdr *iph; struct ipv6hdr *iph;
int err; int err;
if (x->props.mode == XFRM_MODE_TUNNEL) { if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
err = xfrm6_tunnel_check_size(skb); err = xfrm6_tunnel_check_size(skb);
if (err) if (err)
goto error_nolock; goto error_nolock;

3
net/ipv6/xfrm6_policy.c
Просмотреть файл

@ -178,8 +178,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
__xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]); __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]);
trailer_len += xfrm[i]->props.trailer_len; trailer_len += xfrm[i]->props.trailer_len;
if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL || if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
xfrm[i]->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) {
unsigned short encap_family = xfrm[i]->props.family; unsigned short encap_family = xfrm[i]->props.family;
switch(encap_family) { switch(encap_family) {
case AF_INET: case AF_INET:

6
net/ipv6/xfrm6_state.c
Просмотреть файл

@ -93,7 +93,8 @@ __xfrm6_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n)
/* Rule 4: select IPsec tunnel */ /* Rule 4: select IPsec tunnel */
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
if (src[i] && if (src[i] &&
src[i]->props.mode == XFRM_MODE_TUNNEL) { (src[i]->props.mode == XFRM_MODE_TUNNEL ||
src[i]->props.mode == XFRM_MODE_BEET)) {
dst[j++] = src[i]; dst[j++] = src[i];
src[i] = NULL; src[i] = NULL;
} }
@ -146,7 +147,8 @@ __xfrm6_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n)
/* Rule 3: select IPsec tunnel */ /* Rule 3: select IPsec tunnel */
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
if (src[i] && if (src[i] &&
src[i]->mode == XFRM_MODE_TUNNEL) { (src[i]->mode == XFRM_MODE_TUNNEL ||
src[i]->mode == XFRM_MODE_BEET)) {
dst[j++] = src[i]; dst[j++] = src[i];
src[i] = NULL; src[i] = NULL;
} }

2
net/xfrm/xfrm_output.c
Просмотреть файл

@ -82,7 +82,7 @@ int xfrm_output(struct sk_buff *skb)
} }
dst = skb->dst; dst = skb->dst;
x = dst->xfrm; x = dst->xfrm;
} while (x && (x->props.mode != XFRM_MODE_TUNNEL)); } while (x && !(x->mode->flags & XFRM_MODE_FLAG_TUNNEL));
err = 0; err = 0;

6
net/xfrm/xfrm_policy.c
Просмотреть файл

@ -1940,7 +1940,8 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
if (xdst->genid != dst->xfrm->genid) if (xdst->genid != dst->xfrm->genid)
return 0; return 0;
if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL && if (strict && fl &&
!(dst->xfrm->mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
!xfrm_state_addr_flow_check(dst->xfrm, fl, family)) !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
return 0; return 0;
@ -2291,7 +2292,8 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i])) if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
continue; continue;
n++; n++;
if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL) if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
continue; continue;
/* update endpoints */ /* update endpoints */
memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr, memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,