From: Patrick McHardy <kaber@trash.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "YOSHIFUJI Hideaki / ?$B5HF#1QL@" <yoshfuji@linux-ipv6.org>,
davem@davemloft.net, netdev@oss.sgi.com
Subject: Re: [XFRM]: Fix ICMP tempsel
Date: Sun, 20 Feb 2005 09:35:14 +0100 [thread overview]
Message-ID: <42184BC2.1030907@trash.net> (raw)
In-Reply-To: <20050220073719.GA13008@gondor.apana.org.au>
[-- Attachment #1: Type: text/plain, Size: 508 bytes --]
Herbert Xu wrote:
> So here we can do something like this. Please note that this patch
> needs to be used with Patrick's earlier work. Patrick, if you're
> OK with it please merge it in with your patch.
Attached. Now I understand what Yoshifuji meant with byteorder :)
>
> By all means give xfrm_selector_fixup a better name :)
I'm not very talented with choosing good names myself, so I kept it.
On second thought .. isn't there a risk of confusing userspace by
changing the masks ?
Regards
Patrick
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 7790 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/02/20 09:29:12+01:00 kaber@coreworks.de
# [XFRM]: Fix ICMP tempsel
#
# The selector ports are initialized to fl_ip_sport/fl_ip_dport instead
# of xfrm_flowi_sport(fl)/xfrm_flowi_dport(fl). This is wrong for ICMP,
# type and code should be stored in sport and dport, in struct flowi both
# are contained in fl_ip_sport.
#
# This patch adjusts struct flowi to store ICMP type/code in sport/dport,
# kills xfrm_flowi_{sport,dport} and converts the selector values only once
# when they enter the kernel.
#
# Mostly done by Herbert Xu <herbert@gondor.apana.org.au>
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/xfrm/xfrm_user.c
# 2005/02/20 09:29:04+01:00 kaber@coreworks.de +7 -1
# [XFRM]: Fix ICMP tempsel
#
# The selector ports are initialized to fl_ip_sport/fl_ip_dport instead
# of xfrm_flowi_sport(fl)/xfrm_flowi_dport(fl). This is wrong for ICMP,
# type and code should be stored in sport and dport, in struct flowi both
# are contained in fl_ip_sport.
#
# This patch adjusts struct flowi to store ICMP type/code in sport/dport,
# kills xfrm_flowi_{sport,dport} and converts the selector values only once
# when they enter the kernel.
#
# Mostly done by Herbert Xu <herbert@gondor.apana.org.au>
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/key/af_key.c
# 2005/02/20 09:29:04+01:00 kaber@coreworks.de +3 -0
# [XFRM]: Fix ICMP tempsel
#
# The selector ports are initialized to fl_ip_sport/fl_ip_dport instead
# of xfrm_flowi_sport(fl)/xfrm_flowi_dport(fl). This is wrong for ICMP,
# type and code should be stored in sport and dport, in struct flowi both
# are contained in fl_ip_sport.
#
# This patch adjusts struct flowi to store ICMP type/code in sport/dport,
# kills xfrm_flowi_{sport,dport} and converts the selector values only once
# when they enter the kernel.
#
# Mostly done by Herbert Xu <herbert@gondor.apana.org.au>
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# include/net/xfrm.h
# 2005/02/20 09:29:04+01:00 kaber@coreworks.de +15 -44
# [XFRM]: Fix ICMP tempsel
#
# The selector ports are initialized to fl_ip_sport/fl_ip_dport instead
# of xfrm_flowi_sport(fl)/xfrm_flowi_dport(fl). This is wrong for ICMP,
# type and code should be stored in sport and dport, in struct flowi both
# are contained in fl_ip_sport.
#
# This patch adjusts struct flowi to store ICMP type/code in sport/dport,
# kills xfrm_flowi_{sport,dport} and converts the selector values only once
# when they enter the kernel.
#
# Mostly done by Herbert Xu <herbert@gondor.apana.org.au>
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# include/net/flow.h
# 2005/02/20 09:29:04+01:00 kaber@coreworks.de +2 -0
# [XFRM]: Fix ICMP tempsel
#
# The selector ports are initialized to fl_ip_sport/fl_ip_dport instead
# of xfrm_flowi_sport(fl)/xfrm_flowi_dport(fl). This is wrong for ICMP,
# type and code should be stored in sport and dport, in struct flowi both
# are contained in fl_ip_sport.
#
# This patch adjusts struct flowi to store ICMP type/code in sport/dport,
# kills xfrm_flowi_{sport,dport} and converts the selector values only once
# when they enter the kernel.
#
# Mostly done by Herbert Xu <herbert@gondor.apana.org.au>
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/include/net/flow.h b/include/net/flow.h
--- a/include/net/flow.h 2005-02-20 09:30:04 +01:00
+++ b/include/net/flow.h 2005-02-20 09:30:04 +01:00
@@ -58,7 +58,9 @@
} ports;
struct {
+ __u8 pad1;
__u8 type;
+ __u8 pad2;
__u8 code;
} icmpt;
diff -Nru a/include/net/xfrm.h b/include/net/xfrm.h
--- a/include/net/xfrm.h 2005-02-20 09:30:04 +01:00
+++ b/include/net/xfrm.h 2005-02-20 09:30:04 +01:00
@@ -417,53 +417,13 @@
return 1;
}
-static __inline__
-u16 xfrm_flowi_sport(struct flowi *fl)
-{
- u16 port;
- switch(fl->proto) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_SCTP:
- port = fl->fl_ip_sport;
- break;
- case IPPROTO_ICMP:
- case IPPROTO_ICMPV6:
- port = htons(fl->fl_icmp_type);
- break;
- default:
- port = 0; /*XXX*/
- }
- return port;
-}
-
-static __inline__
-u16 xfrm_flowi_dport(struct flowi *fl)
-{
- u16 port;
- switch(fl->proto) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_SCTP:
- port = fl->fl_ip_dport;
- break;
- case IPPROTO_ICMP:
- case IPPROTO_ICMPV6:
- port = htons(fl->fl_icmp_code);
- break;
- default:
- port = 0; /*XXX*/
- }
- return port;
-}
-
static inline int
__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
{
return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
- !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
- !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+ !((fl->fl_ip_dport ^ sel->dport) & sel->dport_mask) &&
+ !((fl->fl_ip_sport ^ sel->sport) & sel->sport_mask) &&
(fl->proto == sel->proto || !sel->proto) &&
(fl->oif == sel->ifindex || !sel->ifindex);
}
@@ -473,8 +433,8 @@
{
return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
- !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
- !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+ !((fl->fl_ip_dport ^ sel->dport) & sel->dport_mask) &&
+ !((fl->fl_ip_sport ^ sel->sport) & sel->sport_mask) &&
(fl->proto == sel->proto || !sel->proto) &&
(fl->oif == sel->ifindex || !sel->ifindex);
}
@@ -490,6 +450,17 @@
return __xfrm6_selector_match(sel, fl);
}
return 0;
+}
+
+static inline void xfrm_selector_fixup(struct xfrm_selector *sel)
+{
+ switch (sel->proto) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ sel->sport_mask &= htons(0xff);
+ sel->dport_mask &= htons(0xff);
+ break;
+ }
}
/* A struct encoding bundle of transformations to apply to some set of flow.
diff -Nru a/net/key/af_key.c b/net/key/af_key.c
--- a/net/key/af_key.c 2005-02-20 09:30:04 +01:00
+++ b/net/key/af_key.c 2005-02-20 09:30:04 +01:00
@@ -1909,6 +1909,8 @@
if (xp->selector.dport)
xp->selector.dport_mask = ~0;
+ xfrm_selector_fixup(&xp->selector);
+
xp->lft.soft_byte_limit = XFRM_INF;
xp->lft.hard_byte_limit = XFRM_INF;
xp->lft.soft_packet_limit = XFRM_INF;
@@ -1999,6 +2001,7 @@
if (sel.dport)
sel.dport_mask = ~0;
+ xfrm_selector_fixup(&sel);
xp = xfrm_policy_bysel(pol->sadb_x_policy_dir-1, &sel, 1);
if (xp == NULL)
return -ENOENT;
diff -Nru a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
--- a/net/xfrm/xfrm_user.c 2005-02-20 09:30:04 +01:00
+++ b/net/xfrm/xfrm_user.c 2005-02-20 09:30:04 +01:00
@@ -204,6 +204,7 @@
{
memcpy(&x->id, &p->id, sizeof(x->id));
memcpy(&x->sel, &p->sel, sizeof(x->sel));
+ xfrm_selector_fixup(&x->sel);
memcpy(&x->lft, &p->lft, sizeof(x->lft));
x->props.mode = p->mode;
x->props.replay_window = p->replay_window;
@@ -626,6 +627,7 @@
xp->priority = p->priority;
xp->index = p->index;
memcpy(&xp->selector, &p->sel, sizeof(xp->selector));
+ xfrm_selector_fixup(&xp->selector);
memcpy(&xp->lft, &p->lft, sizeof(xp->lft));
xp->action = p->action;
xp->flags = p->flags;
@@ -808,6 +810,7 @@
struct xfrm_userpolicy_id *p;
int err;
int delete;
+ struct xfrm_selector sel;
p = NLMSG_DATA(nlh);
delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY;
@@ -818,8 +821,11 @@
if (p->index)
xp = xfrm_policy_byid(p->dir, p->index, delete);
- else
+ else {
+ memcpy(&sel, &p->sel, sizeof(sel));
+ xfrm_selector_fixup(&sel);
xp = xfrm_policy_bysel(p->dir, &p->sel, delete);
+ }
if (xp == NULL)
return -ENOENT;
next prev parent reply other threads:[~2005-02-20 8:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-02-19 11:43 [XFRM]: Fix ICMP tempsel Patrick McHardy
2005-02-19 12:23 ` YOSHIFUJI Hideaki / 吉藤英明
2005-02-19 18:43 ` Herbert Xu
2005-02-19 18:55 ` Patrick McHardy
2005-02-20 5:30 ` Patrick McHardy
2005-02-20 6:55 ` YOSHIFUJI Hideaki / 吉藤英明
2005-02-20 7:13 ` Patrick McHardy
2005-02-20 7:37 ` Herbert Xu
2005-02-20 8:35 ` Patrick McHardy [this message]
2005-02-20 8:58 ` YOSHIFUJI Hideaki
2005-02-20 11:12 ` Herbert Xu
2005-02-20 11:20 ` Patrick McHardy
2005-02-20 12:00 ` YOSHIFUJI Hideaki / 吉藤英明
2005-03-10 4:49 ` David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42184BC2.1030907@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@oss.sgi.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).