diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-12-12 10:44:43 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 14:57:23 -0800 |
commit | 8b7817f3a959ed99d7443afc12f78a7e1fcc2063 (patch) | |
tree | 7e315dfbf5c77e67f6e7ad56f14eaddca621212b /include/linux/xfrm.h | |
parent | d5422efe680fc55010c6ddca2370ca9548a96355 (diff) | |
download | op-kernel-dev-8b7817f3a959ed99d7443afc12f78a7e1fcc2063.zip op-kernel-dev-8b7817f3a959ed99d7443afc12f78a7e1fcc2063.tar.gz |
[IPSEC]: Add ICMP host relookup support
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch implements this
for ICMP traffic that originates from or terminates on localhost.
This is activated on outbound with the new policy flag XFRM_POLICY_ICMP,
and on inbound by the new state flag XFRM_STATE_ICMP.
On inbound the policy check is now performed by the ICMP protocol so
that it can repeat the policy check where necessary.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/xfrm.h')
-rw-r--r-- | include/linux/xfrm.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index c0e41e0..1131eab 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h @@ -329,6 +329,7 @@ struct xfrm_usersa_info { #define XFRM_STATE_DECAP_DSCP 2 #define XFRM_STATE_NOPMTUDISC 4 #define XFRM_STATE_WILDRECV 8 +#define XFRM_STATE_ICMP 16 }; struct xfrm_usersa_id { @@ -363,6 +364,8 @@ struct xfrm_userpolicy_info { #define XFRM_POLICY_BLOCK 1 __u8 flags; #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */ + /* Automatically expand selector to include matching ICMP payloads. */ +#define XFRM_POLICY_ICMP 2 __u8 share; }; |