linux/net/ipv4
Patrick McHardy ee68cea2c2 [NETFILTER]: Fix xfrm lookup after SNAT
To find out if a packet needs to be handled by IPsec after SNAT, packets
are currently rerouted in POST_ROUTING and a new xfrm lookup is done. This
breaks SNAT of non-unicast packets to non-local addresses because the
packet is routed as an incoming packet and no neighbour entry is bound to the
dst_entry. In general, it seems to be a bad idea to replace the dst_entry
after the packet was already sent to the output routine because its state
might not match what's expected.

This patch changes the xfrm lookup in POST_ROUTING to re-use the original
dst_entry without routing the packet again. This means no policy routing
can be used for transport mode transforms (which keep the original route)
when packets are SNATed to match the policy, but it looks like the best
we can do for now.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-02-15 01:34:23 -08:00
ipvs [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
netfilter [NETFILTER]: Fix xfrm lookup after SNAT 2006-02-15 01:34:23 -08:00
af_inet.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ah4.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
arp.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
datagram.c [NET]: Fix sparse warnings 2005-08-29 16:01:32 -07:00
devinet.c [NETLINK]: illegal use of pid in rtnetlink 2006-02-09 16:43:41 -08:00
esp4.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_frontend.c x86: Work around compiler code generation bug with -Os 2006-01-14 22:08:28 -08:00
fib_hash.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_lookup.h [IPV4]: Prepare FIB core for RCU. 2005-08-29 16:08:31 -07:00
fib_rules.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_semantics.c [NETLINK]: illegal use of pid in rtnetlink 2006-02-09 16:43:41 -08:00
fib_trie.c [IPV4] fib_trie: build fix 2006-01-03 14:38:34 -08:00
icmp.c [IPV4] ICMP: Invert default for invalid icmp msgs sysctl 2006-02-13 15:36:21 -08:00
igmp.c [PATCH] ipv4 NULL noise removal 2006-02-07 20:57:37 -05:00
inet_connection_sock.c [ICSK]: Move v4_addr2sockaddr from TCP to icsk 2006-01-03 13:10:39 -08:00
inet_diag.c [INET_DIAG]: Introduce sk_diag_fill 2006-01-09 14:56:56 -08:00
inet_hashtables.c [INET]: Generalise tcp_v4_hash_connect 2006-01-03 13:10:55 -08:00
inet_timewait_sock.c [TWSK]: Introduce struct timewait_sock_ops 2006-01-03 13:10:54 -08:00
inetpeer.c [NET]: Change some "if (x) BUG();" to "BUG_ON(x);" 2006-01-09 14:16:18 -08:00
ip_forward.c [IPV4]: Remove some dead code from ip_forward() 2005-08-29 16:03:06 -07:00
ip_fragment.c [NET]: Endian-annotate struct iphdr 2006-01-06 13:24:29 -08:00
ip_gre.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ip_input.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
ip_options.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ip_output.c [IPV4]: ip_output.c needs xfrm.h 2006-01-09 14:16:28 -08:00
ip_sockglue.c [NET]: Remove more unneeded typecasts on *malloc() 2006-01-11 16:32:14 -08:00
ipcomp.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
ipconfig.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
ipip.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ipmr.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
Kconfig [TCP] BIC: CUBIC window growth (2.0) 2006-01-03 13:10:28 -08:00
Makefile [NETFILTER]: net/ipv[46]/netfilter.c cleanups 2006-01-10 12:54:29 -08:00
multipath_drr.c [IPV4]: possible cleanups 2005-08-29 15:33:20 -07:00
multipath_random.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_rr.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_wrandom.c [IPV4] multipath_wrandom: Fix softirq-unsafe spin lock usage 2006-02-02 16:59:16 -08:00
multipath.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
netfilter.c [NETFILTER]: Fix xfrm lookup after SNAT 2006-02-15 01:34:23 -08:00
proc.c [PATCH] percpu data: only iterate over possible CPUs 2006-02-05 11:06:51 -08:00
protocol.c [TCP]: Move the tcp sock states to net/tcp_states.h 2005-08-29 15:41:54 -07:00
raw.c [PATCH] EDAC: atomic scrub operations 2006-01-18 19:20:30 -08:00
route.c [IPV4]: RT_CACHE_STAT_INC() warning fix 2006-01-17 22:46:49 -08:00
syncookies.c [ICSK]: Rename struct tcp_func to struct inet_connection_sock_af_ops 2006-01-03 13:10:38 -08:00
sysctl_net_ipv4.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
tcp_bic.c [TCP] BIC: spelling and whitespace 2006-01-03 13:10:27 -08:00
tcp_cong.c [TCP]: less inline's 2006-01-03 16:03:49 -08:00
tcp_cubic.c [TCP] cubic: use Newton-Raphson 2006-01-03 13:11:09 -08:00
tcp_diag.c [INET_DIAG]: Move the tcp_diag interface to the proper place 2005-08-29 15:57:54 -07:00
tcp_highspeed.c [TCP]: TCP highspeed build error 2005-11-17 14:11:18 -08:00
tcp_htcp.c [TCP] H-TCP: Fix accounting 2006-01-30 20:54:39 -08:00
tcp_hybla.c [TCP]: fix congestion window update when using TSO deferal 2005-11-10 16:53:30 -08:00
tcp_input.c [TCP]: rcvbuf lock when tcp_moderate_rcvbuf enabled 2006-02-09 17:06:57 -08:00
tcp_ipv4.c [NET]: Do not export inet_bind_bucket_create twice. 2006-01-31 17:47:02 -08:00
tcp_minisocks.c [IPV6]: Introduce inet6_timewait_sock 2006-01-03 13:10:47 -08:00
tcp_output.c [TCP]: less inline's 2006-01-03 16:03:49 -08:00
tcp_scalable.c [TCP]: add tcp_slow_start helper 2005-11-10 17:07:24 -08:00
tcp_timer.c [TCP]: spelling fixes 2005-11-10 17:13:47 -08:00
tcp_vegas.c [TCP] tcp_vegas: Fix slow start 2006-01-04 13:59:32 -08:00
tcp_westwood.c [INET_DIAG]: Rename tcp_diag.[ch] to inet_diag.[ch] 2005-08-29 15:57:48 -07:00
tcp.c [IP_SOCKGLUE]: Remove most of the tcp specific calls 2006-01-03 13:10:58 -08:00
udp.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
xfrm4_input.c [IPV4/6]: Netfilter IPsec input hooks 2006-01-07 12:57:31 -08:00
xfrm4_output.c [NETFILTER]: Redo policy lookups after NAT when neccessary 2006-01-07 12:57:35 -08:00
xfrm4_policy.c [PATCH] remove bogus asm/bug.h includes. 2006-02-07 20:56:35 -05:00
xfrm4_state.c [XFRM]: IPsec tunnel wildcard address support 2006-01-13 14:34:36 -08:00
xfrm4_tunnel.c [NET]: Make ipip/ip6_tunnel independant of XFRM 2005-07-19 14:03:34 -07:00