0001-Netfilter-hooks-before-XFRM-input-and-output-process.patch
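--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -47,6 +47,8 @@
 NF_INET_FORWARD,
 NF_INET_LOCAL_OUT,
 NF_INET_POST_ROUTING,
+NF_INET_XFRM_IN,
+NF_INET_XFRM_OUT,
 NF_INET_NUMHOOKS
 };
 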
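Review bot: Adding NF_INET_XFRM_IN and NF_INET_XFRM_OUT ahead of NF_INET_NUMHOOKS raises NF_INET_NUMHOOKS from 5 to 7, and the matching NF_IP_NUMHOOKS / NF_IP6_NUMHOOKS bumps in netfilter_ipv4.h and netfilter_ipv6.h sit in the `#ifndef __KERNEL__` region (the context shows the closing `#endif /* ! __KERNEL__ */`), so they are userspace-visible constants. If I remember correctly the iptables/ip6tables setsockopt structures (the hook_entry/underflow arrays) are sized by NF_INET_NUMHOOKS, in which case an existing userspace built with NUMHOOKS == 5 would exchange differently sized structures with this kernel; that compatibility question should be confirmed and stated in the commit description, since nothing here addresses it. A comment on the new enumerators would help the next reader, e.g. `/* XFRM transformation points; note these widen NF_INET_NUMHOOKS and every table indexed by it */`. The table-specific valid_hooks masks and the nf_hooks[][NF_INET_NUMHOOKS] initialisation are not in this patch, so whether they cope with the two extra slots cannot be judged from the visible hunks.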
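--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -48,7 +48,11 @@
 #define NF_IP_LOCAL_OUT 3
 /* Packets about to hit the wire. */
 #define NF_IP_POST_ROUTING 4
-#define NF_IP_NUMHOOKS 5
+/* Packets going into XFRM input transformation. */
+#define NF_IP_XFRM_IN 5
+/* Packets going into XFRM output transformation. */
+#define NF_IP_XFRM_OUT 6
+#define NF_IP_NUMHOOKS 7
 #endif /* ! __KERNEL__ */
 
 enum nf_ip_hook_priorities {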
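--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -52,7 +52,11 @@
 #define NF_IP6_LOCAL_OUT 3
 /* Packets about to hit the wire. */
 #define NF_IP6_POST_ROUTING 4
-#define NF_IP6_NUMHOOKS 5
+/* Packets going into XFRM input transformation. */
+#define NF_IP6_XFRM_IN 5
+/* Packets going into XFRM output transformation. */
+#define NF_IP6_XFRM_OUT 6
+#define NF_IP6_NUMHOOKS 7
 #endif /* ! __KERNEL__ */
 
 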
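--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -9,6 +9,7 @@
 
 #include <linux/slab.h>
 #include <linux/module.h>
+#include <linux/netfilter.h>
 #include <linux/netdevice.h>
 #include <net/dst.h>
 #include <net/ip.h>
@@ -102,6 +103,14 @@
 }
 EXPORT_SYMBOL(xfrm_prepare_input);
 
+static int xfrm_type_input(struct sk_buff *skb)
+{
+struct xfrm_state *x;
+
+x = skb->sp->xvec[skb->sp->len - 1];
+return x->type->input(x, skb);
+}
+
 int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 {
 struct net *net = dev_net(skb->dev);
@@ -186,9 +195,10 @@
 
 XFRM_SKB_CB(skb)->seq.input = seq;
 
-nexthdr = x->type->input(x, skb);
+nexthdr = NF_HOOK(family, NF_INET_XFRM_IN, skb,
+skb->dev, NULL, xfrm_type_input);
 
-if (nexthdr == -EINPROGRESS)
+if (nexthdr == -EINPROGRESS || nexthdr == -EPERM)
 return 0;
 
 resume: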
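Review bot: The new `if (nexthdr == -EINPROGRESS || nexthdr == -EPERM) return 0;` treats -EPERM as "a NF_INET_XFRM_IN hook dropped the packet and NF_HOOK already freed it", but the same value returned by `x->type->input()` through xfrm_type_input is indistinguishable here, so a transform-level -EPERM (should any type handler ever produce one) would return without freeing the skb and without the LINUX_MIB_XFRMINSTATEPROTOERROR accounting on the error path after `resume:`. If type handlers are known never to return -EPERM, record that assumption next to the check, e.g. `/* -EPERM only comes from a hook drop; NF_HOOK has already freed skb */`; otherwise separate the hook verdict from the transform result. xfrm_type_input also deserves a one-line comment stating that it is the NF_HOOK okfn and relies on xfrm_input having pushed the current state onto skb->sp before the hook runs, since that ordering is not visible from the helper itself. The identical `err == -EPERM` conflation appears in xfrm_output_one in net/xfrm/xfrm_output.c. The body of xfrm_input continues outside this hunk.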
| b/net/xfrm/xfrm_output.c | ||
| 37 | 37 |
return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC); |
| 38 | 38 |
} |
| 39 | 39 | |
| 40 |
static int xfrm_type_output(struct sk_buff *skb) |
|
| 41 |
{
|
|
| 42 |
struct xfrm_state *x = skb_dst(skb)->xfrm; |
|
| 43 | ||
| 44 |
return x->type->output(x, skb); |
|
| 45 |
} |
|
| 46 | ||
| 40 | 47 |
static int xfrm_output_one(struct sk_buff *skb, int err) |
| 41 | 48 |
{
|
| 42 | 49 |
struct dst_entry *dst = skb_dst(skb); |
| ... | ... | |
| 84 | 91 | |
| 85 | 92 |
spin_unlock_bh(&x->lock); |
| 86 | 93 | |
| 87 |
err = x->type->output(x, skb); |
|
| 88 |
if (err == -EINPROGRESS) |
|
| 94 |
err = NF_HOOK(dst->ops->family, NF_INET_XFRM_OUT, skb, |
|
| 95 |
NULL, dst->dev, xfrm_type_output); |
|
| 96 |
if (err == -EINPROGRESS || err == -EPERM) |
|
| 89 | 97 |
goto out_exit; |
| 90 | 98 | |
| 91 | 99 |
resume: |
| 92 |
- |
|