    [XFRM]: Restrict upper layer information by bundle. · 157bfc25
    Masahide NAKAMURA committed
    On MIPv6 usage, XFRM sub policy is enabled.
    When main (IPsec) and sub (MIPv6) policy selectors have the same
    address set but different upper layer information (i.e. protocol
    number and its ports or type/code), multiple bundles should be created.
    However, currently we have an issue to use the same bundle created for
    the first time with all flows covered by the case.
    
    It is useful for the bundle to have the upper layer information
    to be restructured correctly if it does not match with the flow.
    
    1. Bundle was created by two policies
    Selector from another policy is added to xfrm_dst.
    If the flow does not match the selector, it goes to slow path to
    restructure new bundle by single policy.
    
    2. Bundle was created by one policy
    Flow cache is added to xfrm_dst as originated one. If the flow does
    not match the cache, it goes to slow path to try searching another
    policy.
    Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
xfrm_policy.c 59.2 KB