Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/
[platform/kernel/linux-rpi.git] / net / xfrm / xfrm_policy.c
index 7f881f5..37d17a7 100644 (file)
@@ -3157,6 +3157,11 @@ ok:
        return dst;
 
 nopol:
+       if (!(dst_orig->dev->flags & IFF_LOOPBACK) &&
+           !xfrm_default_allow(net, dir)) {
+               err = -EPERM;
+               goto error;
+       }
        if (!(flags & XFRM_LOOKUP_ICMP)) {
                dst = dst_orig;
                goto ok;
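Review bot: The added test under `nopol:` dereferences `dst_orig->dev` unconditionally, so a dst that carries no device (a metadata dst, for example) would turn this into a NULL dereference on the output path. I would guard it with `if ((!dst_orig->dev || !(dst_orig->dev->flags & IFF_LOOPBACK)) &&`; whether such a dst can reach this label is not visible from the hunk, so please confirm against the callers. The drop is also silent: unlike the inbound checks in this commit, no counter is bumped before `goto error`, so consider adding `XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOPOLS);` so that a default-block drop shows up in the xfrm statistics. The enclosing function starts and ends outside the hunk.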
@@ -3545,6 +3550,11 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        }
 
        if (!pol) {
+               if (!xfrm_default_allow(net, dir)) {
+                       XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
+                       return 0;
+               }
+
                if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) {
                        xfrm_secpath_reject(xerr_idx, skb, &fl);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
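Review bot: The new early return in the `!pol` branch sits ahead of the `secpath_has_nontransport()` test, so with the default set to block a packet that arrives with a non-transport secpath is dropped without the `xfrm_secpath_reject()` call that the existing path makes. If skipping that call is intended, a short comment would make it explicit, e.g. `/* default block: drop before inspecting the secpath, no reject callback */`; otherwise the check could move below the secpath block. The check also relies on `dir` already being reduced to a plain policy direction at this point, which presumably happens earlier in `__xfrm_policy_check()` but is outside the hunk.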
@@ -3599,6 +3609,12 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
                                tpp[ti++] = &pols[pi]->xfrm_vec[i];
                }
                xfrm_nr = ti;
+
+               if (!xfrm_default_allow(net, dir) && !xfrm_nr) {
+                       XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
+                       goto reject;
+               }
+
                if (npols > 1) {
                        xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
                        tpp = stp;
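Review bot: The `!xfrm_nr` test appears to run after a policy has already matched, so with the default set to block a matching policy that has no templates (a plain bypass/allow rule) is rejected as well, which would make it impossible to whitelist cleartext traffic under default-block. If the intent is only to block traffic with no matching policy, the `!pol` check added earlier in this function already covers that and this test can be dropped. If it is intended, document it, e.g. `/* default block: a matched policy without templates does not permit the packet */`, and count it under a policy counter rather than `LINUX_MIB_XFRMINNOSTATES`, since no state lookup has failed here. The surrounding branch begins outside the hunk, so the claim about a matched policy should be confirmed there.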