提交 acba48e1 编写于 作者: D David S. Miller

[XFRM]: Respect priority in policy lookups.

Even if we find an exact match in the hash table,
we must inspect the inexact list to look for a match
with a better priority.

Noticed by Masahide NAKAMURA <nakam@linux-ipv6.org>.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 65e3d726
...@@ -908,6 +908,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl, ...@@ -908,6 +908,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl,
xfrm_address_t *daddr, *saddr; xfrm_address_t *daddr, *saddr;
struct hlist_node *entry; struct hlist_node *entry;
struct hlist_head *chain; struct hlist_head *chain;
u32 priority = ~0U;
daddr = xfrm_flowi_daddr(fl, family); daddr = xfrm_flowi_daddr(fl, family);
saddr = xfrm_flowi_saddr(fl, family); saddr = xfrm_flowi_saddr(fl, family);
...@@ -919,21 +920,21 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl, ...@@ -919,21 +920,21 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(u8 type, struct flowi *fl,
ret = NULL; ret = NULL;
hlist_for_each_entry(pol, entry, chain, bydst) { hlist_for_each_entry(pol, entry, chain, bydst) {
if (xfrm_policy_match(pol, fl, type, family, dir)) { if (xfrm_policy_match(pol, fl, type, family, dir)) {
xfrm_pol_hold(pol);
ret = pol; ret = pol;
priority = ret->priority;
break; break;
} }
} }
if (!ret) { chain = &xfrm_policy_inexact[dir];
chain = &xfrm_policy_inexact[dir]; hlist_for_each_entry(pol, entry, chain, bydst) {
hlist_for_each_entry(pol, entry, chain, bydst) { if (xfrm_policy_match(pol, fl, type, family, dir) &&
if (xfrm_policy_match(pol, fl, type, family, dir)) { pol->priority < priority) {
xfrm_pol_hold(pol); ret = pol;
ret = pol; break;
break;
}
} }
} }
if (ret)
xfrm_pol_hold(ret);
read_unlock_bh(&xfrm_policy_lock); read_unlock_bh(&xfrm_policy_lock);
return ret; return ret;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册