Hi: I'm revisiting the idea of more stringent policy checks. In doing so I discovered that we check the policy twice for xfrm4_tunnel packets. This patch fixes that by moving the policy check into ipip.c. Cheers, -- Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ ) Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Index: kernel-source-2.5/net/ipv4/ipip.c
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/ipip.c,v
retrieving revision 1.1.1.9
retrieving revision 1.2
diff -u -r1.1.1.9 -r1.2
--- kernel-source-2.5/net/ipv4/ipip.c 23 Aug 2003 00:03:18 -0000 1.1.1.9
+++ kernel-source-2.5/net/ipv4/ipip.c 28 Sep 2003 01:39:20 -0000 1.2
@@ -483,6 +483,11 @@
 read_lock(&ipip_lock);
 if ((tunnel = ipip_tunnel_lookup(iph->saddr, iph->daddr)) != NULL) {
+ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+ kfree_skb(skb);
+ return 0;
+ }
+
 tunnel->stat.rx_packets++;
 tunnel->stat.rx_bytes += skb->len;
 skb->dev = tunnel->dev;
Index: kernel-source-2.5/net/ipv4/xfrm4_tunnel.c
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/xfrm4_tunnel.c,v
retrieving revision 1.1.1.4
retrieving revision 1.3
diff -u -r1.1.1.4 -r1.3
--- kernel-source-2.5/net/ipv4/xfrm4_tunnel.c 22 Aug 2003 23:52:14 -0000 1.1.1.4
+++ kernel-source-2.5/net/ipv4/xfrm4_tunnel.c 28 Sep 2003 01:39:20 -0000 1.3
@@ -169,6 +169,7 @@
 static struct inet_protocol ipip_protocol = {
 .handler = ipip_rcv,
 .err_handler = ipip_err,
+ .no_policy = 1,
 };
 static int __init ipip_init(void)
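Review bot: The new early return in the ipip.c hunk leaves ipip_lock held: `read_lock(&ipip_lock)` is taken on the context line just above the added block, and the added `return 0;` after `kfree_skb(skb)` never releases it, so the read side stays acquired for good and any writer elsewhere in the file that takes `write_lock(&ipip_lock)` would then block indefinitely. The drop path should release the lock first, i.e. `read_unlock(&ipip_lock);` immediately before `kfree_skb(skb);`. Because the companion xfrm4_tunnel.c hunk sets `.no_policy = 1`, this check is now the only inbound policy enforcement for tunnelled packets, so a rejected packet is a routine path rather than a rare one and the leak would be hit under normal operation. The enclosing function ipip_rcv both starts and ends outside the hunk.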
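Review bot: `.no_policy = 1` moves the inbound xfrm policy check out of the generic protocol-receive path, but nothing at the ipip_protocol definition records where the check now lives; a reader of xfrm4_tunnel.c alone would take it for an unconditional bypass. A one-line comment on the added field, `/* XFRM_POLICY_IN check is done in ipip_rcv() once the tunnel is looked up */`, would tie the two hunks together. Whether the non-tunnel fallback path of ipip_rcv still sees a policy check is not visible in this patch and is worth confirming before relying on the flag.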