From e821464cbc24ece210fc446deac090f8e4aeb220 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 30 Jun 2003 22:28:59 +1000 Subject: [IPSEC] split xfrm_state_replace + fixes Split xfrm_state_replace into xfrm_state_add and xfrm_state_replace. Fixes: 1. Only update lifetime and encap options if the state is valid. 2. Disallow updates to states that do not exist. 3. Bail if afinfo cannot be found. This brings SADB_UPDATE in line with what is required by RFC2367. It is also needed by SFS NAT-T support as it needs to update valid states when the encap ports move. I've tweaked the logic slightly so that SADB_UPDATE will fail on a larval state that hasn't undergone SADB_GETSPI. This is what RFC2367 calls for and it simplifies the code in that we don't have to call find_acq for SADB_UPDATE. This doesn't affect any of the three KMs as they either don't use SADB_UPDATE or call SADB_GETSPI before doing an update. --- include/net/xfrm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 46a7c3be09e8..515f88909601 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -767,7 +767,8 @@ extern struct xfrm_state *xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t unsigned short family); extern int xfrm_state_check_expire(struct xfrm_state *x); extern void xfrm_state_insert(struct xfrm_state *x); -extern int xfrm_state_replace(struct xfrm_state *x, int excl); +extern int xfrm_state_add(struct xfrm_state *x); +extern int xfrm_state_update(struct xfrm_state *x); extern int xfrm_state_check_space(struct xfrm_state *x, struct sk_buff *skb); extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); -- cgit v1.2.3
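Review bot: The two new prototypes in include/net/xfrm.h, xfrm_state_add(struct xfrm_state *x) and xfrm_state_update(struct xfrm_state *x), have no comment stating their contract, and the name in the header does not match the commit message, which says the split produces xfrm_state_add and xfrm_state_replace. The message describes behaviour callers need to rely on (update is refused for a state that does not exist, lifetime and encap options are only changed on a valid state, and the call bails when afinfo cannot be found), so a short comment above the declarations saying which error each case returns would let PF_KEY and other callers tell them apart; the message should also name xfrm_state_update. Because the old xfrm_state_replace(x, excl) prototype is removed and this view is limited to 'include', please confirm that every existing caller is converted in the same commit, with former excl callers mapped to add and SADB_UPDATE paths mapped to update, so that no path keeps the old replace-if-present behaviour by accident.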