linux-sg2042/net/ipv6
Masahide NAKAMURA e53820de0f [XFRM] IPV6: Restrict bundle reusing
For outbound transformation, bundle is checked whether it is
suitable for current flow to be reused or not. In such IPv6 case
as below, transformation may apply incorrect bundle for the flow instead
of creating another bundle:

- The policy selector has destination prefix length < 128
  (Two or more addresses can be matched it)
- Its bundle holds dst entry of default route whose prefix length < 128
  (Previous traffic was used such route as next hop)
- The policy and the bundle were used a transport mode state and
  this time flow address is not matched the bundled state.

This issue is found by Mobile IPv6 usage to protect mobility signaling
by IPsec, but it is not a Mobile IPv6 specific.
This patch adds strict check to xfrm_bundle_ok() for each
state mode and address when prefix length is less than 128.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-22 15:06:44 -07:00
..
netfilter [NETFILTER]: ip6_tables: consolidate dst and hbh matches 2006-09-22 14:55:37 -07:00
Kconfig [XFRM] STATE: Introduce route optimization mode. 2006-09-22 15:06:37 -07:00
Makefile [XFRM] STATE: Introduce route optimization mode. 2006-09-22 15:06:37 -07:00
addrconf.c [IPv6] route: FIB6 configuration using struct fib6_config 2006-09-22 14:55:12 -07:00
af_inet6.c [IPV6]: Cache source address as well in ipv6_pinfo{}. 2006-09-22 14:55:45 -07:00
ah6.c [XFRM] STATE: Add a hook to find offset to be inserted header in outbound. 2006-09-22 15:06:36 -07:00
anycast.c [IPV6]: Fixup ip6_del_rt() call for new args. 2006-09-22 14:55:15 -07:00
datagram.c [IPV6]: Cache source address as well in ipv6_pinfo{}. 2006-09-22 14:55:45 -07:00
esp6.c [XFRM] STATE: Add a hook to find offset to be inserted header in outbound. 2006-09-22 15:06:36 -07:00
exthdrs.c [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
exthdrs_core.c [SELINUX]: Fix ipv6_skip_exthdr() invocation causing OOPS. 2005-04-24 20:16:19 -07:00
fib6_rules.c [IPV6] ROUTE: Unify RT6_F_xxx and RT6_SELECT_F_xxx flags 2006-09-22 14:55:56 -07:00
icmp.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
inet6_connection_sock.c [IPV6]: Cache source address as well in ipv6_pinfo{}. 2006-09-22 14:55:45 -07:00
inet6_hashtables.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
ip6_fib.c [IPV6] ROUTE: Add credits about subtree fixes. 2006-09-22 14:55:55 -07:00
ip6_flowlabel.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
ip6_input.c [IPV6]: Clean skb cb on IPv6 input. 2006-07-24 23:44:44 -07:00
ip6_output.c [XFRM] STATE: Support non-fragment outbound transformation headers. 2006-09-22 15:06:41 -07:00
ip6_tunnel.c [NET]: Conversions from kmalloc+memset to k(z|c)alloc. 2006-07-21 14:51:30 -07:00
ipcomp6.c [XFRM] STATE: Add a hook to find offset to be inserted header in outbound. 2006-09-22 15:06:36 -07:00
ipv6_sockglue.c [IPV6]: Accept -1 for IPV6_TCLASS 2006-09-17 23:21:08 -07:00
ipv6_syms.c [XFRM] STATE: Common receive function for route optimization extension headers. 2006-09-22 15:06:39 -07:00
mcast.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
ndisc.c [IPV6] NDISC: Initialize fl with outbound interface to lookup rules properly. 2006-09-22 14:55:43 -07:00
netfilter.c [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
proc.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
protocol.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
raw.c [NET]: Replace CHECKSUM_HW by CHECKSUM_PARTIAL/CHECKSUM_COMPLETE 2006-09-22 14:53:53 -07:00
reassembly.c [NET/IPV4/IPV6]: Change some sysctl variables to __read_mostly 2006-09-22 14:55:03 -07:00
route.c [IPV6] ROUTE: Unify RT6_F_xxx and RT6_SELECT_F_xxx flags 2006-09-22 14:55:56 -07:00
sit.c [IPV4]: Get rid of redundant IPCB->opts initialisation 2006-07-21 14:29:53 -07:00
sysctl_net_ipv6.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
tcp_ipv6.c [IPV6]: Cache source address as well in ipv6_pinfo{}. 2006-09-22 14:55:45 -07:00
tunnel6.c [INET]: Move no-tunnel ICMP error to tunnel4/tunnel6 2006-04-09 22:25:25 -07:00
udp.c [IPV6]: Cache source address as well in ipv6_pinfo{}. 2006-09-22 14:55:45 -07:00
xfrm6_input.c [XFRM] STATE: Common receive function for route optimization extension headers. 2006-09-22 15:06:39 -07:00
xfrm6_mode_ro.c [XFRM] STATE: Introduce route optimization mode. 2006-09-22 15:06:37 -07:00
xfrm6_mode_transport.c [XFRM] STATE: Add a hook to find offset to be inserted header in outbound. 2006-09-22 15:06:36 -07:00
xfrm6_mode_tunnel.c [IPSEC] xfrm: Abstract out encapsulation modes 2006-06-17 21:28:39 -07:00
xfrm6_output.c [XFRM] IPV6: Update outbound state timestamp for each sending. 2006-09-22 15:06:43 -07:00
xfrm6_policy.c [XFRM] IPV6: Restrict bundle reusing 2006-09-22 15:06:44 -07:00
xfrm6_state.c [XFRM] STATE: Search by address using source address list. 2006-09-22 15:06:35 -07:00
xfrm6_tunnel.c [XFRM]: Add XFRM_MODE_xxx for future use. 2006-09-22 15:05:15 -07:00