In ip6ip6_tnl_xmit(), we do not xfrm_lookup() when the dst has been stored in cache.

If the cache is filled before a security policy such as ipsec transport mode on end points is added, and no routing changes happen, how to invalidate the cache to trigger a new xfrm_lookup()?

I would check flow_cache_genid when testing the cache, like this patch. But I wonder if we can get rid of the new field in ip6_tnl and retrieve the genid directly from the cached dst entry, if ever this patch is really needed :-)

Comments are welcome.
Jean-Mickael
--
[IPV6] ip6ip6_tnl_dst_check() : invalidate dst cache whenever xfrm policies change
Signed-off-by: [EMAIL PROTECTED]
diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h
index 29c9da7..5bc6e98 100644
--- a/include/net/ip6_tunnel.h
+++ b/include/net/ip6_tunnel.h
@@ -27,6 +27,7 @@ struct ip6_tnl {
struct flowi fl; /* flowi template for xmit */
struct dst_entry *dst_cache; /* cached dst */
u32 dst_cookie;
+ u32 fl_genid;
};
/* Tunnel encapsulation limit destination sub-option */
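Review bot: the new `u32 fl_genid;` member is the only field in this struct without a trailing comment, while its neighbours document themselves (`/* flowi template for xmit */`, `/* cached dst */`). Suggest `u32 fl_genid; /* flow_cache_genid sampled when dst_cache was stored */` so a reader of ip6_tunnel.h can tell that this value is compared against the global xfrm policy generation counter, not a per-tunnel one, and why it must be refreshed together with dst_cache and dst_cookie.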
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 4859753..ded9c52 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -92,8 +92,9 @@ static inline struct dst_entry *ip6_tnl_
{
struct dst_entry *dst = t->dst_cache;
- if (dst && dst->obsolete &&
- dst->ops->check(dst, t->dst_cookie) == NULL) {
+ if ((dst && dst->obsolete &&
+ dst->ops->check(dst, t->dst_cookie) == NULL) ||
+ t->fl_genid != atomic_read(&flow_cache_genid)) {
t->dst_cache = NULL;
dst_release(dst);
return NULL;
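Review bot: the added `t->fl_genid != atomic_read(&flow_cache_genid)` test sits outside the `dst &&` guard, so when there is no cached entry and the genid happens to differ the function still takes the invalidation branch, writes `t->dst_cache = NULL` and calls `dst_release(dst)` with a NULL pointer. dst_release tolerates NULL, so this is redundant work rather than a crash, but the intent reads more clearly if the whole condition is `dst && ((dst->obsolete && dst->ops->check(dst, t->dst_cookie) == NULL) || t->fl_genid != atomic_read(&flow_cache_genid))`. The genid comparison itself is the right lever here: a route-only `dst->ops->check()` can never notice that an xfrm policy was installed after the dst was cached, which is exactly the window in which tunnel traffic would keep bypassing the new policy until a routing change happened to evict the entry.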
@@ -114,6 +115,7 @@ static inline void ip6_tnl_dst_store(str
t->dst_cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
dst_release(t->dst_cache);
t->dst_cache = dst;
+ t->fl_genid = atomic_read(&flow_cache_genid);
}
/**
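Review bot: `t->fl_genid` is sampled here, at store time, rather than at the moment the caller resolved `dst`. A policy change that lands between the caller's lookup and this `atomic_read()` is therefore recorded as already accounted for, and the dst that predates it will pass the genid check in ip6_tnl_dst_check() until the next policy change. If the caller read flow_cache_genid before doing its lookup and passed that value in, the comparison would be exact; alternatively the limitation should be noted in a comment next to this assignment so the small window is a known one.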