[IPSEC]: Add ICMP host relookup support
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch implements this for ICMP traffic that originates from or terminates on localhost. This is activated on outbound with the new policy flag XFRM_POLICY_ICMP, and on inbound by the new state flag XFRM_STATE_ICMP. On inbound the policy check is now performed by the ICMP protocol so that it can repeat the policy check where necessary. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:

committed by
David S. Miller

parent
d5422efe68
commit
8b7817f3a9
@@ -1469,11 +1469,13 @@ restart:
|
||||
goto dropdst;
|
||||
}
|
||||
|
||||
err = -ENOENT;
|
||||
|
||||
if (!policy) {
|
||||
/* To accelerate a bit... */
|
||||
if ((dst_orig->flags & DST_NOXFRM) ||
|
||||
!xfrm_policy_count[XFRM_POLICY_OUT])
|
||||
return 0;
|
||||
goto nopol;
|
||||
|
||||
policy = flow_cache_lookup(fl, dst_orig->ops->family,
|
||||
dir, xfrm_policy_lookup);
|
||||
@@ -1483,14 +1485,18 @@ restart:
|
||||
}
|
||||
|
||||
if (!policy)
|
||||
return 0;
|
||||
goto nopol;
|
||||
|
||||
family = dst_orig->ops->family;
|
||||
policy->curlft.use_time = get_seconds();
|
||||
pols[0] = policy;
|
||||
npols ++;
|
||||
xfrm_nr += pols[0]->xfrm_nr;
|
||||
|
||||
if ((flags & XFRM_LOOKUP_ICMP) && !(policy->flags & XFRM_POLICY_ICMP))
|
||||
goto error;
|
||||
|
||||
policy->curlft.use_time = get_seconds();
|
||||
|
||||
switch (policy->action) {
|
||||
default:
|
||||
case XFRM_POLICY_BLOCK:
|
||||
@@ -1649,6 +1655,11 @@ dropdst:
|
||||
dst_release(dst_orig);
|
||||
*dst_p = NULL;
|
||||
return err;
|
||||
|
||||
nopol:
|
||||
if (flags & XFRM_LOOKUP_ICMP)
|
||||
goto dropdst;
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL(__xfrm_lookup);
|
||||
|
||||
|
Reference in New Issue
Block a user