summaryrefslogtreecommitdiff
path: root/net/ipv6/xfrm6_input.c
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2006-01-06 23:03:34 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>2006-01-07 12:57:31 -0800
commitb05e106698d9966de524e78d9da1bf6407fe0c32 (patch)
tree8a7c253b7249451941674805cccdaaba299dff6f /net/ipv6/xfrm6_input.c
parent951dbc8ac714b04c36296b8b5c36c8e036ce433f (diff)
downloadlwn-b05e106698d9966de524e78d9da1bf6407fe0c32.tar.gz
lwn-b05e106698d9966de524e78d9da1bf6407fe0c32.zip
[IPV4/6]: Netfilter IPsec input hooks
When the innermost transform uses transport mode the decapsulated packet is not visible to netfilter. Pass the packet through the PRE_ROUTING and LOCAL_IN hooks again before handing it to upper layer protocols to make netfilter-visibility symetrical to the output path. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/xfrm6_input.c')
-rw-r--r--net/ipv6/xfrm6_input.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 1079e47f3933..1ca2da68ef69 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -11,6 +11,8 @@
#include <linux/module.h>
#include <linux/string.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
#include <net/dsfield.h>
#include <net/inet_ecn.h>
#include <net/ip.h>
@@ -121,6 +123,8 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi)
skb->sp->len += xfrm_nr;
skb->ip_summed = CHECKSUM_NONE;
+ nf_reset(skb);
+
if (decaps) {
if (!(skb->dev->flags&IFF_LOOPBACK)) {
dst_release(skb->dst);
@@ -129,7 +133,16 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi)
netif_rx(skb);
return -1;
} else {
+#ifdef CONFIG_NETFILTER
+ skb->nh.ipv6h->payload_len = htons(skb->len);
+ __skb_push(skb, skb->data - skb->nh.raw);
+
+ NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
+ ip6_rcv_finish);
+ return -1;
+#else
return 1;
+#endif
}
drop_unlock: