From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
David Miller <davem@davemloft.net>,
bunk@stusta.de, Patrick McHardy <kaber@trash.net>
Subject: [patch 19/32] XFRM: Use output device disable_xfrm for forwarded packets
Date: Fri, 08 Dec 2006 15:58:10 -0800 [thread overview]
Message-ID: <20061209000114.308422000@sous-sol.org> (raw)
In-Reply-To: 20061208235751.890503000@sous-sol.org
[-- Attachment #1: xfrm-use-output-device-disable_xfrm-for-forwarded-packets.patch --]
[-- Type: text/plain, Size: 1310 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Patrick McHardy <kaber@trash.net>
Currently the behaviour of disable_xfrm is inconsistent between
locally generated and forwarded packets. For locally generated
packets disable_xfrm disables the policy lookup if it is set on
the output device, for forwarded traffic however it looks at the
input device. This makes it impossible to disable xfrm on all
devices but a dummy device and use normal routing to direct
traffic to that device.
Always use the output device when checking disable_xfrm.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
commit 9be2b4e36fb04bbc968693ef95a75acc17cf2931
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Dec 4 19:59:00 2006 -0800
net/ipv4/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.19.orig/net/ipv4/route.c
+++ linux-2.6.19/net/ipv4/route.c
@@ -1784,7 +1784,7 @@ static inline int __mkroute_input(struct
#endif
if (in_dev->cnf.no_policy)
rth->u.dst.flags |= DST_NOPOLICY;
- if (in_dev->cnf.no_xfrm)
+ if (out_dev->cnf.no_xfrm)
rth->u.dst.flags |= DST_NOXFRM;
rth->fl.fl4_dst = daddr;
rth->rt_dst = daddr;
--
next prev parent reply other threads:[~2006-12-09 0:02 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-08 23:57 [patch 00/32] -stable review Chris Wright
2006-12-08 23:57 ` [patch 01/32] IPV6 NDISC: Calculate packet length correctly for allocation Chris Wright
2006-12-08 23:57 ` [patch 02/32] softmac: remove netif_tx_disable when scanning Chris Wright
2006-12-08 23:57 ` [patch 03/32] EBTABLES: Fix wraparounds in ebt_entries verification Chris Wright
2006-12-08 23:57 ` [patch 04/32] EBTABLES: Verify that ebt_entries have zero ->distinguisher Chris Wright
2006-12-08 23:57 ` [patch 05/32] EBTABLES: Deal with the worst-case behaviour in loop checks Chris Wright
2006-12-08 23:57 ` [patch 06/32] EBTABLES: Prevent wraparounds in checks for entry components sizes Chris Wright
2006-12-08 23:57 ` [patch 07/32] NET_SCHED: policer: restore compatibility with old iproute binaries Chris Wright
2006-12-08 23:57 ` [patch 08/32] cryptoloop: Select CRYPTO_CBC Chris Wright
2006-12-09 6:32 ` Rene Herman
2006-12-09 22:50 ` Herbert Xu
2006-12-08 23:58 ` [patch 09/32] Revert "ACPI: SCI interrupt source override" Chris Wright
2006-12-08 23:58 ` [patch 10/32] PKT_SCHED act_gact: division by zero Chris Wright
2006-12-08 23:58 ` [patch 11/32] SUNHME: Fix for sunhme failures on x86 Chris Wright
2006-12-08 23:58 ` [patch 12/32] NETFILTER: Fix {ip, ip6, arp}_tables hook validation Chris Wright
2006-12-08 23:58 ` [patch 13/32] NETFILTER: Fix iptables compat " Chris Wright
2006-12-08 23:58 ` [patch 14/32] NETFILTER: bridge netfilter: deal with martians correctly Chris Wright
2006-12-08 23:58 ` [patch 15/32] softmac: fix unbalanced mutex_lock/unlock in ieee80211softmac_wx_set_mlme Chris Wright
2006-12-08 23:58 ` [patch 16/32] IB/ucm: Fix deadlock in cleanup Chris Wright
2006-12-08 23:58 ` [patch 17/32] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304) Chris Wright
2006-12-08 23:58 ` [patch 18/32] TOKENRING: Remote memory corruptor in ibmtr.c Chris Wright
2006-12-08 23:58 ` Chris Wright [this message]
2006-12-08 23:58 ` [patch 20/32] USB: Fix oops in PhidgetServo Chris Wright
2006-12-08 23:58 ` [patch 21/32] IPSEC: Fix inetpeer leak in ipv4 xfrm dst entries Chris Wright
2006-12-08 23:58 ` [patch 22/32] IrDA: Incorrect TTP header reservation Chris Wright
2006-12-08 23:58 ` [patch 23/32] NETLINK: Restore API compatibility of address and neighbour bits Chris Wright
2006-12-08 23:58 ` [patch 24/32] add bottom_half.h Chris Wright
2006-12-09 13:50 ` Thomas Backlund
2006-12-08 23:58 ` [patch 25/32] drm-sis linkage fix Chris Wright
2006-12-08 23:58 ` [patch 26/32] compat: skip data conversion in compat_sys_mount when data_page is NULL Chris Wright
2006-12-08 23:58 ` [patch 27/32] PM: Fix swsusp debug mode testproc Chris Wright
2006-12-08 23:58 ` [patch 28/32] autofs: fix error code path in autofs_fill_sb() Chris Wright
2006-12-09 3:48 ` Ian Kent
2006-12-09 18:58 ` Chris Wright
2006-12-08 23:58 ` [patch 29/32] softirq: remove BUG_ONs which can incorrectly trigger Chris Wright
2006-12-08 23:58 ` [patch 30/32] m32r: make userspace headers platform-independent Chris Wright
2006-12-08 23:58 ` [patch 31/32] x86_64: fix boot hang due to nmi watchdog init code Chris Wright
2006-12-11 18:33 ` [stable] " Chris Wright
2006-12-08 23:58 ` [patch 32/32] forcedeth: Disable INTx when enabling MSI in forcedeth Chris Wright
2006-12-09 0:38 ` [stable] [patch 00/32] -stable review Chris Wright
2006-12-09 1:36 ` [patch 33/32] NETLINK: Put {IFA,IFLA}_{RTA,PAYLOAD} macros back for userspace Chris Wright
2006-12-09 11:26 ` [patch 00/32] -stable review Stefan Lippers-Hollmann
2006-12-09 21:42 ` Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061209000114.308422000@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bunk@stusta.de \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=jmforbes@linuxtx.org \
--cc=kaber@trash.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox