1
linux/net/ipv4
Saurabh Mohan b2942004fb ipv4/ip_vti.c: VTI fix post-decryption forwarding
With the latest kernel there are two things that must be done post decryption
 so that the packet are forwarded.
 1. Remove the mark from the packet. This will cause the packet to not match
 the ipsec-policy again. However doing this causes the post-decryption check to
 fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
 2. Remove the sp association in the skbuff so that no policy check is done on
 the packet for VTI tunnels.

Due to #2 above we must now do a security-policy check in the vti rcv path
prior to resetting the mark in the skbuff.

Signed-off-by: Saurabh Mohan <saurabh.mohan@vyatta.com>
Reported-by: Ruben Herold <ruben@puettmann.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-14 21:40:21 -05:00
..
netfilter netfilter: nf_nat: don't check for port change on ICMP tuples 2012-10-28 22:43:34 +01:00
af_inet.c ipv4: Don't add TCP-code in inet_sock_destruct 2012-09-20 17:12:27 -04:00
ah4.c ipv4: Add redirect support to all protocol icmp error handlers. 2012-07-11 21:27:49 -07:00
arp.c ipv4/route: arg delay is useless in rt_cache_flush() 2012-09-18 15:44:34 -04:00
cipso_ipv4.c cipso: don't follow a NULL pointer when setsockopt() is called 2012-07-18 09:01:12 -07:00
datagram.c
devinet.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-09-28 14:40:49 -04:00
esp4.c ipv4: Add redirect support to all protocol icmp error handlers. 2012-07-11 21:27:49 -07:00
fib_frontend.c ipv4: fix sending of redirects 2012-10-08 17:42:35 -04:00
fib_lookup.h
fib_rules.c sections: fix section conflicts in net 2012-10-06 03:04:45 +09:00
fib_semantics.c ipv4: make sure nh_pcpu_rth_output is always allocated 2012-10-08 17:42:35 -04:00
fib_trie.c ipv4/route: arg delay is useless in rt_cache_flush() 2012-09-18 15:44:34 -04:00
gre.c
icmp.c ipv4: Prepare for change of rt->rt_iif encoding. 2012-07-23 16:36:26 -07:00
igmp.c igmp: export symbol ip_mc_leave_group 2012-10-01 18:39:44 -04:00
inet_connection_sock.c ipv4: introduce rt_uses_gateway 2012-10-08 17:42:36 -04:00
inet_diag.c net: inet_diag -- Return error code if protocol handler is missed 2012-11-04 01:56:49 -04:00
inet_fragment.c ipv6: unify fragment thresh handling code 2012-09-19 17:23:28 -04:00
inet_hashtables.c
inet_lro.c
inet_timewait_sock.c net: ipv4 and ipv6: Convert printk(KERN_DEBUG to pr_debug 2012-05-16 01:01:03 -04:00
inetpeer.c Merge branch 'for-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2012-10-02 09:54:49 -07:00
ip_forward.c ipv4: introduce rt_uses_gateway 2012-10-08 17:42:36 -04:00
ip_fragment.c ipv6: unify fragment thresh handling code 2012-09-19 17:23:28 -04:00
ip_gre.c gre: fix sparse warning 2012-10-01 17:35:31 -04:00
ip_input.c net: TCP early demux cleanup 2012-07-30 14:53:21 -07:00
ip_options.c ipv4: optimize fib_compute_spec_dst call in ip_options_echo 2012-07-19 08:30:49 -07:00
ip_output.c ipv4: introduce rt_uses_gateway 2012-10-08 17:42:36 -04:00
ip_sockglue.c ipv4: avoid undefined behavior in do_ip_setsockopt() 2012-11-11 17:53:13 -05:00
ip_vti.c ipv4/ip_vti.c: VTI fix post-decryption forwarding 2012-11-14 21:40:21 -05:00
ipcomp.c ipv4: Add redirect support to all protocol icmp error handlers. 2012-07-11 21:27:49 -07:00
ipconfig.c ipconfig: fix trivial build error 2012-09-25 13:22:30 -04:00
ipip.c tunnel: drop packet if ECN present with not-ECT 2012-09-27 18:12:37 -04:00
ipmr.c sections: fix section conflicts in net 2012-10-06 03:04:45 +09:00
Kconfig net/ipv4: VTI support new module for ip_vti. 2012-07-18 09:36:12 -07:00
Makefile memcg: rename config variables 2012-07-31 18:42:43 -07:00
netfilter.c netfilter: properly annotate ipv4_netfilter_{init,fini}() 2012-09-03 13:56:04 +02:00
ping.c userns: Use kgids for sysctl_ping_group_range 2012-08-14 21:49:10 -07:00
proc.c tcp: TCP Fast Open Server - header & support functions 2012-08-31 20:02:18 -04:00
protocol.c inet: Sanitize inet{,6} protocol demux. 2012-06-19 18:56:21 -07:00
raw.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-10-02 11:11:09 -07:00
route.c ipv4: Fix flushing of cached routing informations 2012-10-18 15:34:30 -04:00
syncookies.c tcp: TCP Fast Open Server - support TFO listeners 2012-08-31 20:02:19 -04:00
sysctl_net_ipv4.c tcp: sysctl interface leaks 16 bytes of kernel memory 2012-10-11 15:12:33 -04:00
tcp_bic.c
tcp_cong.c tcp: Apply device TSO segment limit earlier 2012-08-02 00:19:17 -07:00
tcp_cubic.c
tcp_diag.c
tcp_fastopen.c tcp: TCP Fast Open Server - header & support functions 2012-08-31 20:02:18 -04:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c tcp: bool conversions 2012-05-17 14:59:59 -04:00
tcp_illinois.c net: fix divide by zero in tcp algorithm illinois 2012-11-01 11:55:59 -04:00
tcp_input.c tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() 2012-11-13 14:35:17 -05:00
tcp_ipv4.c tcp: add SYN/data info to TCP_INFO 2012-10-22 15:16:06 -04:00
tcp_lp.c
tcp_memcontrol.c memcg: decrement static keys at real destroy time 2012-05-29 16:22:28 -07:00
tcp_metrics.c tcp: Fix double sizeof in new tcp_metrics code 2012-11-01 11:59:08 -04:00
tcp_minisocks.c tcp: add SYN/data info to TCP_INFO 2012-10-22 15:16:06 -04:00
tcp_output.c tcp: use PRR to reduce cwin in CWR state 2012-09-03 14:34:02 -04:00
tcp_probe.c
tcp_scalable.c
tcp_timer.c tcp: Reject invalid ack_seq to Fast Open sockets 2012-10-23 02:42:56 -04:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c tcp: add SYN/data info to TCP_INFO 2012-10-22 15:16:06 -04:00
tunnel4.c
udp_diag.c netlink: Rename pid to portid to avoid confusion 2012-09-10 15:30:41 -04:00
udp_impl.h
udp.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-10-02 11:11:09 -07:00
udplite.c
xfrm4_input.c ipv4: Fix input route performance regression. 2012-07-26 15:50:39 -07:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c net/ipv4: VTI support rx-path hook in xfrm4_mode_tunnel. 2012-07-18 09:36:12 -07:00
xfrm4_output.c
xfrm4_policy.c ipv4: introduce rt_uses_gateway 2012-10-08 17:42:36 -04:00
xfrm4_state.c
xfrm4_tunnel.c