• Paul Moore's avatar
    cipso: handle CIPSO options correctly when NetLabel is disabled · 20e2a864
    Paul Moore authored
    When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system
    receives a CIPSO tagged packet it is dropped (cipso_v4_validate()
    returns non-zero).  In most cases this is the correct and desired
    behavior, however, in the case where we are simply forwarding the
    traffic, e.g. acting as a network bridge, this becomes a problem.
    
    This patch fixes the forwarding problem by providing the basic CIPSO
    validation code directly in ip_options_compile() without the need for
    the NetLabel or CIPSO code.  The new validation code can not perform
    any of the CIPSO option label/value verification that
    cipso_v4_validate() does, but it can verify the basic CIPSO option
    format.
    
    The behavior when NetLabel is enabled is unchanged.
    Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    20e2a864
cipso_ipv4.h 7.9 KB