From patchwork Tue May 19 21:03:40 2009
X-Patchwork-Submitter: Sascha Hlusiak
X-Patchwork-Id: 27422
X-Patchwork-Delegate: davem@davemloft.net
From: Sascha Hlusiak
To: netdev@vger.kernel.org
Cc: Sascha Hlusiak
Subject: [PATCH 2/5] sit: strictly restrict incoming traffic to tunnel link device
Date: Tue, 19 May 2009 23:03:40 +0200
Message-Id: <1242767023-9501-2-git-send-email-contact@saschahlusiak.de>
X-Mailer: git-send-email 1.6.3
In-Reply-To: <1242767023-9501-1-git-send-email-contact@saschahlusiak.de>
References: <1242767023-9501-1-git-send-email-contact@saschahlusiak.de>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Check link device when looking up a tunnel. When a tunnel is linked to an interface, traffic from a different interface must not reach the tunnel. This also allows creating multiple tunnels with the same endpoints, if the link device differs.

Signed-off-by: Sascha Hlusiak
---
 net/ipv6/sit.c |   30 +++++++++++++++++++++---------
 1 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index e625041..dfedd56 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -80,7 +80,7 @@ struct sit_net { static DEFINE_RWLOCK(ipip6_lock); static struct ip_tunnel * ipip6_tunnel_lookup(struct net *net, - __be32 remote, __be32 local) + struct net_device *dev, __be32 remote, __be32 local) { unsigned h0 = HASH(remote); unsigned h1 = HASH(local); 
@@ -89,18 +89,25 @@ static struct ip_tunnel * ipip6_tunnel_lookup(struct net *net, for (t = sitn->tunnels_r_l[h0^h1]; t; t = t->next) { if (local == t->parms.iph.saddr && - remote == t->parms.iph.daddr && (t->dev->flags&IFF_UP)) + remote == t->parms.iph.daddr && + (!dev || !t->parms.link || dev->iflink == t->parms.link) && + (t->dev->flags & IFF_UP)) return t; } for (t = sitn->tunnels_r[h0]; t; t = t->next) { - if (remote == t->parms.iph.daddr && (t->dev->flags&IFF_UP)) + if (remote == t->parms.iph.daddr && + (!dev || !t->parms.link || dev->iflink == t->parms.link) && + (t->dev->flags & IFF_UP)) return t; } for (t = sitn->tunnels_l[h1]; t; t = t->next) { - if (local == t->parms.iph.saddr && (t->dev->flags&IFF_UP)) + if (local == t->parms.iph.saddr && + (!dev || !t->parms.link || dev->iflink == t->parms.link) && + (t->dev->flags & IFF_UP)) return t; } - if ((t = sitn->tunnels_wc[0]) != NULL && (t->dev->flags&IFF_UP)) + t = sitn->tunnels_wc[0]; + if ((t != NULL) && (t->dev->flags & IFF_UP)) return t; return NULL; } @@ -166,7 +173,8 @@ static struct ip_tunnel * ipip6_tunnel_locate(struct net *net, for (tp = __ipip6_bucket(sitn, parms); (t = *tp) != NULL; tp = &t->next) { if (local == t->parms.iph.saddr && - remote == t->parms.iph.daddr) { + remote == t->parms.iph.daddr && + parms->link == t->parms.link) { if (create) return NULL; else @@ -451,7 +459,10 @@ static int ipip6_err(struct sk_buff *skb, u32 info) err = -ENOENT; read_lock(&ipip6_lock); - t = ipip6_tunnel_lookup(dev_net(skb->dev), iph->daddr, iph->saddr); + t = ipip6_tunnel_lookup(dev_net(skb->dev), + skb->dev, + iph->daddr, + iph->saddr); if (t == NULL || t->parms.iph.daddr == 0) goto out; 
@@ -486,8 +497,9 @@ static int ipip6_rcv(struct sk_buff *skb) iph = ip_hdr(skb); read_lock(&ipip6_lock); - if ((tunnel = ipip6_tunnel_lookup(dev_net(skb->dev), - iph->saddr, iph->daddr)) != NULL) { + tunnel = ipip6_tunnel_lookup(dev_net(skb->dev), skb->dev, + iph->saddr, iph->daddr); + if (tunnel != NULL) { secpath_reset(skb); skb->mac_header = skb->network_header; skb_reset_network_header(skb);
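Review bot: the new `dev` argument to ipip6_tunnel_lookup() in the hunk at line 80 may be NULL (the lookup body treats `!dev` as "match any link"), but nothing at the declaration says so. A one-line comment above the function stating that a NULL dev disables the link check, and that otherwise the check is made against the receiving device, would save the next caller from having to read the loops to find out.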
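Review bot: in the hunk at line 89 the link test compares `dev->iflink == t->parms.link`, but parms.link is an ifindex supplied by the user at tunnel creation, and for a stacked device such as a VLAN interface `iflink` holds the index of the lower device rather than the device itself. A tunnel bound to the VLAN device would then never match packets arriving on it, while a tunnel bound to the physical device would accept packets from every VLAN on top of it, which is looser than "strictly restrict" in the subject suggests; `dev->ifindex` looks like the intended comparison, or the choice of iflink should be explained in the commit message. The same three-term condition is also repeated verbatim in all three loops; a small static inline helper (a hypothetical `sit_link_matches(t, dev)`) would keep the copies from drifting apart.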
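Review bot: in the hunk at line 166 ipip6_tunnel_locate() now treats tunnels with identical endpoints but different parms.link as distinct, so a link-0 tunnel and a tunnel bound to a specific device can coexist for the same local/remote pair. Because the lookup accepts a link-0 tunnel for any device (`!t->parms.link`), which of the two receives a packet then depends only on its position in the hash chain, i.e. on creation order. Either the lookup should prefer an exact link match over a link-0 match, or creating a link-0 tunnel next to a link-bound one with the same endpoints should be rejected here; whichever is chosen belongs in the commit message.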
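Review bot: in the hunk at line 451 ipip6_err() now passes skb->dev to the lookup, but in the error path skb->dev is the device the ICMP error arrived on, not the device the tunnel is bound to. With asymmetric routing the error can come back over a different interface, and a tunnel with a non-zero link will then be missed, silently dropping PMTU and unreachable information for exactly the tunnels this series makes link-bound. If that is acceptable it deserves a sentence in the commit message; otherwise pass NULL here and confine the link restriction to ipip6_rcv().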
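Review bot: with the hunk at line 486 a packet arriving on the wrong device no longer matches its linked tunnel, but the lookup still falls through to `sitn->tunnels_wc[0]`, which carries no link check, so on a host where the fallback sit0 device is up the packet is decapsulated by sit0 instead of being rejected. The restriction is therefore strict only when sit0 is down or absent; either say so in the commit message or give the wildcard branch the same `!dev || !t->parms.link || ...` test as the other three loops.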