[NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder
ip_route_me_harder doesn't use the port numbers of the xfrm lookup and uses ip_route_input for non-local addresses which doesn't do a xfrm lookup, ip6_route_me_harder doesn't do a xfrm lookup at all.

Use xfrm_decode_session and do the lookup manually, make sure both only do the lookup if the packet hasn't been transformed already.

Making sure the lookup only happens once needs a new field in the IP6CB, which exceeds the size of skb->cb. The size of skb->cb is increased to 48b. Apparently the IPv6 mobile extensions need some more room anyway.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Changed files:
- include/linux/ipv6.h: 3 additions, 0 deletions
- include/linux/skbuff.h: 1 addition, 1 deletion
- include/net/ip.h: 2 additions, 1 deletion
- include/net/xfrm.h: 1 addition, 1 deletion
- net/ipv4/ip_gre.c: 1 addition, 1 deletion
- net/ipv4/ipip.c: 1 addition, 1 deletion
- net/ipv4/netfilter.c: 10 additions, 2 deletions
- net/ipv4/xfrm4_output.c: 1 addition, 0 deletions
- net/ipv6/netfilter.c: 8 additions, 1 deletion
- net/ipv6/xfrm6_output.c: 1 addition, 0 deletions
- net/xfrm/xfrm_policy.c: 5 additions, 4 deletions