author: David S. Miller <davem@sunset.davemloft.net> 2006-08-14 01:55:53 (GMT)
committer: David S. Miller <davem@sunset.davemloft.net> 2006-08-14 01:55:53 (GMT)
commit: d49c73c729e2ef644558a1f441c044bfacdc9744
tree: db35cd20d57fe5d9a7fcac5f40539902b6abbdf9 /net/ipv6/netfilter
parent: 1c7628bd7a458faf7c96ef521f6d3a5ea9b106b8
download: linux-fsl-qoriq-d49c73c729e2ef644558a1f441c044bfacdc9744.tar.xz

[IPSEC]: Validate properly in xfrm_dst_check()

If dst->obsolete is -1, this is a signal from the bundle creator that we want the XFRM dst and the dsts that it references to be validated on every use.

I misunderstood this intention when I changed xfrm_dst_check() to always return NULL.

Now, when we purge a dst entry by running dst_free() on it, this will set the dst->obsolete to a positive integer, and we want to return NULL in that case so that the socket does a relookup for the route.

Thus, if dst->obsolete<0, let stale_bundle() validate the state, else always return NULL.

In general, we need to do things more intelligently here because we flush too much state during rule changes. Herbert Xu has some ideas wherein the key manager gives us some help in this area. We can also use smarter state management algorithms inside of the kernel as well.

Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net/ipv6/netfilter')
0 files changed, 0 insertions, 0 deletions