linux/net/ipv6
Steffen Klassert f92ee61982 xfrm: Generate blackhole routes only from route lookup functions
Currently we generate a blackhole route whenever we have
matching policies but can not resolve the states. Here we assume
that dst_output() is called to kill the blackholed packets.
Unfortunately this assumption is not true in all cases, so
it is possible that these packets leave the system unwanted.

We fix this by generating blackhole routes only from the
route lookup functions, here we can guarantee a call to
dst_output() afterwards.

Fixes: 2774c131b1 ("xfrm: Handle blackhole route creation via afinfo.")
Reported-by: Konstantinos Kolelis <k.kolelis@sirrix.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2014-09-16 10:08:40 +02:00
..
netfilter netfilter: fix missing dependencies in NETFILTER_XT_TARGET_LOG 2014-09-02 13:59:54 -07:00
addrconf_core.c net: clean up snmp stats code 2014-05-07 16:06:05 -04:00
addrconf.c ipv6: clean up anycast when an interface is destroyed 2014-09-12 17:33:06 -04:00
addrlabel.c list: fix order of arguments for hlist_add_after(_rcu) 2014-08-06 18:01:24 -07:00
af_inet6.c ipv6: Implement automatic flow label generation on transmit 2014-07-07 21:14:21 -07:00
ah6.c ah6: Use the IPsec protocol multiplexer API 2014-03-14 07:28:07 +01:00
anycast.c ipv6: clean up anycast when an interface is destroyed 2014-09-12 17:33:06 -04:00
datagram.c net: Save TX flow hash in sock and set in skbuf on xmit 2014-07-07 21:14:21 -07:00
esp6.c esp6: Use the IPsec protocol multiplexer API 2014-03-14 07:28:07 +01:00
exthdrs_core.c ipv6: ipv6_find_hdr restore prev functionality 2014-02-27 18:27:26 -05:00
exthdrs_offload.c ipv6: Fix exthdrs offload registration. 2014-03-06 16:35:55 -05:00
exthdrs.c
fib6_rules.c ipv6: move IPV6_TCLASS_SHIFT into ipv6.h and define a helper 2014-01-15 15:53:18 -08:00
icmp.c net: fix the counter ICMP_MIB_INERRORS/ICMP6_MIB_INERRORS 2014-07-31 22:04:18 -07:00
inet6_connection_sock.c net: support marking accepting TCP sockets 2014-05-13 18:35:09 -04:00
inet6_hashtables.c
ip6_checksum.c udp: Generic functions to set checksum 2014-06-04 22:46:38 -07:00
ip6_fib.c net: ipv6: fib: don't sleep inside atomic lock 2014-08-22 10:54:49 -07:00
ip6_flowlabel.c net: ipv6: Introduce ip6_sk_dst_hoplimit. 2014-04-30 13:31:26 -04:00
ip6_gre.c net: set name_assign_type in alloc_netdev() 2014-07-15 16:12:48 -07:00
ip6_icmp.c
ip6_input.c net: Fix memory leak if TPROXY used with TCP early demux 2014-01-27 16:22:11 -08:00
ip6_offload.c gre: Call gso_make_checksum 2014-06-04 22:46:38 -07:00
ip6_offload.h
ip6_output.c xfrm: Generate blackhole routes only from route lookup functions 2014-09-16 10:08:40 +02:00
ip6_tunnel.c net: set name_assign_type in alloc_netdev() 2014-07-15 16:12:48 -07:00
ip6_vti.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2014-07-30 20:05:54 -07:00
ip6mr.c net: set name_assign_type in alloc_netdev() 2014-07-15 16:12:48 -07:00
ipcomp6.c ipcomp6: Use the IPsec protocol multiplexer API 2014-03-14 07:28:07 +01:00
ipv6_sockglue.c ipv6: remove unnecessary break after return 2014-07-15 16:27:01 -07:00
Kconfig ip6_vti: Fix build when NET_IP_TUNNEL is not set. 2014-02-20 14:29:49 +01:00
Makefile xfrm6: Add IPsec protocol multiplexer 2014-03-14 07:28:07 +01:00
mcast.c ipv6: fix rtnl locking in setsockopt for anycast and multicast 2014-09-05 11:52:28 -07:00
mip6.c
ndisc.c neigh: remove exceptional & on function name 2014-07-24 23:23:31 -07:00
netfilter.c netfilter: Fix potential use after free in ip6_route_me_harder() 2014-05-09 02:36:39 +02:00
output_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-06-11 16:02:55 -07:00
ping.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
proc.c inet: frag: don't account number of fragment queues 2014-07-27 22:34:36 -07:00
protocol.c
raw.c net: use inet6_iif instead of IP6CB()->iif 2014-07-31 22:37:06 -07:00
reassembly.c inet: frags: use kmem_cache for inet_frag_queue 2014-08-02 15:31:31 -07:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-05-24 00:32:30 -04:00
sit.c sit: Fix ipip6_tunnel_lookup device matching criteria 2014-08-14 14:38:54 -07:00
syncookies.c net: remove inet6_reqsk_alloc 2014-06-27 15:53:35 -07:00
sysctl_net_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-08-05 18:46:26 -07:00
tcp_ipv6.c tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() 2014-08-14 14:38:54 -07:00
tcpv6_offload.c net-gre-gro: Fix a bug that breaks the forwarding path 2014-07-16 14:45:26 -07:00
tunnel6.c
udp_impl.h
udp_offload.c gre: Call gso_make_checksum 2014-06-04 22:46:38 -07:00
udp.c net: use inet6_iif instead of IP6CB()->iif 2014-07-31 22:37:06 -07:00
udplite.c net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm6: Remove xfrm_tunnel_notifier 2014-03-14 07:28:08 +01:00
xfrm6_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-05-24 00:32:30 -04:00
xfrm6_policy.c xfrm6: Add IPsec protocol multiplexer 2014-03-14 07:28:07 +01:00
xfrm6_protocol.c xfrm6: Properly handle unsupported protocols 2014-05-06 07:08:38 +02:00
xfrm6_state.c
xfrm6_tunnel.c