@@ -282,10 +282,10 @@ struct xfrm_policy_afinfo {
struct dst_ops *dst_ops;
void (*garbage_collect)(struct net *net);
struct dst_entry *(*dst_lookup)(struct net *net,
- int tos, int oif,
+ const struct flowi *fl,
const xfrm_address_t *saddr,
const xfrm_address_t *daddr);
- int (*get_saddr)(struct net *net, int oif,
+ int (*get_saddr)(struct net *net, const struct flowi *fl,
xfrm_address_t *saddr,
xfrm_address_t *daddr);
void (*decode_session)(struct sk_buff *skb,
@@ -18,9 +18,10 @@
#include <net/l3mdev.h>
static struct xfrm_policy_afinfo xfrm4_policy_afinfo;
+static int xfrm4_get_tos(const struct flowi *fl);
static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct
flowi4 *fl4,
- int tos, int oif,
+ const struct flowi *fl,
const xfrm_address_t *saddr,
const xfrm_address_t *daddr)
{
@@ -28,8 +29,9 @@ static struct dst_entry *__xfrm4_dst_lookup(struct
net *net, struct flowi4 *fl4,
memset(fl4, 0, sizeof(*fl4));
fl4->daddr = daddr->a4;
- fl4->flowi4_tos = tos;
- fl4->flowi4_oif = oif;
+ fl4->flowi4_tos = xfrm4_get_tos(fl);
+ fl4->flowi4_oif = fl->flowi_oif;
+ fl4->flowi4_mark = fl->u.ip4.flowi4_mark;
if (saddr)
fl4->saddr = saddr->a4;
@@ -42,22 +44,22 @@ static struct dst_entry *__xfrm4_dst_lookup(struct
net *net, struct flowi4 *fl4,
return ERR_CAST(rt);
}
-static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos, int oif,
+static struct dst_entry *xfrm4_dst_lookup(struct net *net, const
struct flowi *fl,
const xfrm_address_t *saddr,
const xfrm_address_t *daddr)
{
struct flowi4 fl4;
- return __xfrm4_dst_lookup(net, &fl4, tos, oif, saddr, daddr);
+ return __xfrm4_dst_lookup(net, &fl4, fl, saddr, daddr);
}
-static int xfrm4_get_saddr(struct net *net, int oif,
+static int xfrm4_get_saddr(struct net *net, const struct flowi *fl,
xfrm_address_t *saddr, xfrm_address_t *daddr)
{
struct dst_entry *dst;
struct flowi4 fl4;
- dst = __xfrm4_dst_lookup(net, &fl4, 0, oif, NULL, daddr);
+ dst = __xfrm4_dst_lookup(net, &fl4, fl, NULL, daddr);
if (IS_ERR(dst))
return -EHOSTUNREACH;
@@ -27,7 +27,7 @@
static struct xfrm_policy_afinfo xfrm6_policy_afinfo;
-static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif,
+static struct dst_entry *xfrm6_dst_lookup(struct net *net, const
struct flowi *fl,
const xfrm_address_t *saddr,
const xfrm_address_t *daddr)
{
@@ -36,7 +36,7 @@ static struct dst_entry *xfrm6_dst_lookup(struct net
*net, int tos, int oif,
int err;
memset(&fl6, 0, sizeof(fl6));
- fl6.flowi6_oif = oif;
+ fl6.flowi6_oif = fl->flowi_oif;
fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr));
if (saddr)
@@ -53,13 +53,13 @@ static struct dst_entry *xfrm6_dst_lookup(struct
net *net, int tos, int oif,
return dst;
}
-static int xfrm6_get_saddr(struct net *net, int oif,
+static int xfrm6_get_saddr(struct net *net, const struct flowi *fl,
xfrm_address_t *saddr, xfrm_address_t *daddr)
{
struct dst_entry *dst;
struct net_device *dev;
- dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr);
+ dst = xfrm6_dst_lookup(net, fl, NULL, daddr);
if (IS_ERR(dst))
return -EHOSTUNREACH;
@@ -116,7 +116,7 @@ static void xfrm_policy_put_afinfo(struct
xfrm_policy_afinfo *afinfo)
}
static inline struct dst_entry *__xfrm_dst_lookup(struct net *net,
- int tos, int oif,
+ const struct flowi *fl,
const xfrm_address_t *saddr,
const xfrm_address_t *daddr,
If route table includes routing based on fwmark, xfrm will not take it into account when routing ipsec traffic. We address this issue by adding fwmark information before calling route lookup. Also simplify lookup by passing the entire flow struct rather than tos, oif, and fwmark as individual params. --- include/net/xfrm.h | 4 ++-- net/ipv4/xfrm4_policy.c | 16 +++++++++------- net/ipv6/xfrm6_policy.c | 8 ++++---- net/xfrm/xfrm_policy.c | 16 ++++++++-------- 4 files changed, 23 insertions(+), 21 deletions(-) int family) @@ -128,7 +128,7 @@ static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, if (unlikely(afinfo == NULL)) return ERR_PTR(-EAFNOSUPPORT); - dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr); + dst = afinfo->dst_lookup(net, fl, saddr, daddr); xfrm_policy_put_afinfo(afinfo); @@ -136,7 +136,7 @@ static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, } static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, - int tos, int oif, + const struct flowi *fl, xfrm_address_t *prev_saddr, xfrm_address_t *prev_daddr, int family) @@ -155,7 +155,7 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, daddr = x->coaddr; } - dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family); + dst = __xfrm_dst_lookup(net, fl, saddr, daddr, family); if (!IS_ERR(dst)) { if (prev_saddr != saddr) @@ -1395,7 +1395,7 @@ int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) } static int -xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local, +xfrm_get_saddr(struct net *net, const struct flowi *fl, xfrm_address_t *local, xfrm_address_t *remote, unsigned short family) { int err; @@ -1403,7 +1403,7 @@ xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local, if (unlikely(afinfo == NULL)) return -EINVAL; - err = afinfo->get_saddr(net, oif, local, remote); + err = afinfo->get_saddr(net, fl, local, remote); xfrm_policy_put_afinfo(afinfo); return err; } @@ -1432,7 +1432,7 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, remote = &tmpl->id.daddr; local = &tmpl->saddr; if (xfrm_addr_any(local, tmpl->encap_family)) { - error = xfrm_get_saddr(net, fl->flowi_oif, + error = xfrm_get_saddr(net, fl, &tmp, remote, tmpl->encap_family); if (error) @@ -1712,7 +1712,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) { family = xfrm[i]->props.family; - dst = xfrm_dst_lookup(xfrm[i], tos, fl->flowi_oif, + dst = xfrm_dst_lookup(xfrm[i], fl, &saddr, &daddr, family); err = PTR_ERR(dst); if (IS_ERR(dst))