mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
xfrm: Allow inserting policies with matching mark and different priorities
We currently can not insert policies with mark and mask such that some flows would be matched from both policies. We make this possible when the priority of these policies are different. If both policies match a flow, the one with the higher priority is used. Reported-by: Emmanuel Thierry <emmanuel.thierry@telecom-bretagne.eu> Reported-by: Romain Kuntz <r.kuntz@ipflavors.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Change-Id: Ib9d456b956784fbee982ed9191f22f9ed097cd47
This commit is contained in:
parent
bdcd386baf
commit
b0d18ee580
1 changed files with 16 additions and 2 deletions
|
@ -589,6 +589,21 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
|
||||||
spin_unlock_bh(&pq->hold_queue.lock);
|
spin_unlock_bh(&pq->hold_queue.lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
|
||||||
|
struct xfrm_policy *pol)
|
||||||
|
{
|
||||||
|
u32 mark = policy->mark.v & policy->mark.m;
|
||||||
|
|
||||||
|
if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
if ((mark & pol->mark.m) == pol->mark.v &&
|
||||||
|
policy->priority == pol->priority)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
||||||
{
|
{
|
||||||
struct net *net = xp_net(policy);
|
struct net *net = xp_net(policy);
|
||||||
|
@ -596,7 +611,6 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
||||||
struct xfrm_policy *delpol;
|
struct xfrm_policy *delpol;
|
||||||
struct hlist_head *chain;
|
struct hlist_head *chain;
|
||||||
struct hlist_node *entry, *newpos;
|
struct hlist_node *entry, *newpos;
|
||||||
u32 mark = policy->mark.v & policy->mark.m;
|
|
||||||
|
|
||||||
write_lock_bh(&xfrm_policy_lock);
|
write_lock_bh(&xfrm_policy_lock);
|
||||||
chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
|
chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
|
||||||
|
@ -605,7 +619,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
|
||||||
hlist_for_each_entry(pol, entry, chain, bydst) {
|
hlist_for_each_entry(pol, entry, chain, bydst) {
|
||||||
if (pol->type == policy->type &&
|
if (pol->type == policy->type &&
|
||||||
!selector_cmp(&pol->selector, &policy->selector) &&
|
!selector_cmp(&pol->selector, &policy->selector) &&
|
||||||
(mark & pol->mark.m) == pol->mark.v &&
|
xfrm_policy_mark_match(policy, pol) &&
|
||||||
xfrm_sec_ctx_match(pol->security, policy->security) &&
|
xfrm_sec_ctx_match(pol->security, policy->security) &&
|
||||||
!WARN_ON(delpol)) {
|
!WARN_ON(delpol)) {
|
||||||
if (excl) {
|
if (excl) {
|
||||||
|
|
Loading…
Reference in a new issue