git.baikalelectronics.ru Git - kernel.git/commit

author	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 9 May 2011 19:36:38 +0000 (19:36 +0000)
committer	David S. Miller <davem@davemloft.net>
	Tue, 10 May 2011 22:03:34 +0000 (15:03 -0700)
commit	8beba04d4cbde648f00b0a199a8d2ebd849b205b
tree	af7ecb23077cf5b4ae1290f7d1ab5e901e7adb82	tree \| snapshot
parent	b8847f747c8c8e67afb9eed40bba710e478a8302	commit \| diff

xfrm: Assign the inner mode output function to the dst entry

As it is, we assign the outer modes output function to the dst entry
when we create the xfrm bundle. This leads to two problems on interfamily
scenarios. We might insert ipv4 packets into ip6_fragment when called
from xfrm6_output. The system crashes if we try to fragment an ipv4
packet with ip6_fragment. This issue was introduced with git commit
68a232de (ipv6: Fragment locally generated tunnel-mode IPSec6 packets
as needed). The second issue is, that we might insert ipv4 packets in
netfilter6 and vice versa on interfamily scenarios.

With this patch we assign the inner mode output function to the dst entry
when we create the xfrm bundle. So xfrm4_output/xfrm6_output from the inner
mode is used and the right fragmentation and netfilter functions are called.
We switch then to outer mode with the output_finish functions.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/xfrm.h		diff \| blob \| history
net/ipv4/xfrm4_output.c		diff \| blob \| history
net/ipv4/xfrm4_state.c		diff \| blob \| history
net/ipv6/xfrm6_output.c		diff \| blob \| history
net/ipv6/xfrm6_state.c		diff \| blob \| history
net/xfrm/xfrm_policy.c		diff \| blob \| history