diff options
author | Steffen Klassert <steffen.klassert@secunet.com> | 2014-03-14 07:28:08 +0100 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2014-03-14 07:28:08 +0100 |
commit | fa9ad96d4905c3e2013bcce18c104108275c4c08 (patch) | |
tree | b78fbf428db9ae9e175c23e35f37d752b05f77ea /include/net | |
parent | 7cf9fdb5c771c61771e4e39efe18e2dbc8c8bfa4 (diff) | |
download | blackbird-op-linux-fa9ad96d4905c3e2013bcce18c104108275c4c08.tar.gz blackbird-op-linux-fa9ad96d4905c3e2013bcce18c104108275c4c08.zip |
vti6: Update the ipv6 side to use its own receive hook.
With this patch, vti6 uses the IPsec protocol multiplexer to
register its own receive side hooks for ESP, AH and IPCOMP.
Vti6 now does the following on receive side:
1. Do an input policy check for the IPsec packet we received.
This is required because this packet could be already
prosecces by IPsec, so an inbuond policy check is needed.
2. Mark the packet with the i_key. The policy and the state
must match this key now. Policy and state belong to the vti
namespace and policy enforcement is done at the further layers.
3. Call the generic xfrm layer to do decryption and decapsulation.
4. Wait for a callback from the xfrm layer to properly clean the
skb to not leak informations on namespace transitions and
update the device statistics.
On transmit side:
1. Mark the packet with the o_key. The policy and the state
must match this key now.
2. Do a xfrm_lookup on the original packet with the mark applied.
3. Check if we got an IPsec route.
4. Clean the skb to not leak informations on namespace
transitions.
5. Attach the dst_enty we got from the xfrm_lookup to the skb.
6. Call dst_output to do the IPsec processing.
7. Do the device statistics.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include/net')
0 files changed, 0 insertions, 0 deletions