| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame^] | 1 | /* |
| 2 | * xfrm4_input.c |
| 3 | * |
| 4 | * Changes: |
| 5 | * YOSHIFUJI Hideaki @USAGI |
| 6 | * Split up af-specific portion |
| 7 | * Derek Atkins <derek@ihtfp.com> |
| 8 | * Add Encapsulation support |
| 9 | * |
| 10 | */ |
| 11 | |
| 12 | #include <linux/module.h> |
| 13 | #include <linux/string.h> |
| 14 | #include <net/inet_ecn.h> |
| 15 | #include <net/ip.h> |
| 16 | #include <net/xfrm.h> |
| 17 | |
| 18 | int xfrm4_rcv(struct sk_buff *skb) |
| 19 | { |
| 20 | return xfrm4_rcv_encap(skb, 0); |
| 21 | } |
| 22 | |
| 23 | EXPORT_SYMBOL(xfrm4_rcv); |
| 24 | |
| 25 | static inline void ipip_ecn_decapsulate(struct sk_buff *skb) |
| 26 | { |
| 27 | struct iphdr *outer_iph = skb->nh.iph; |
| 28 | struct iphdr *inner_iph = skb->h.ipiph; |
| 29 | |
| 30 | if (INET_ECN_is_ce(outer_iph->tos)) |
| 31 | IP_ECN_set_ce(inner_iph); |
| 32 | } |
| 33 | |
| 34 | static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq) |
| 35 | { |
| 36 | switch (nexthdr) { |
| 37 | case IPPROTO_IPIP: |
| 38 | if (!pskb_may_pull(skb, sizeof(struct iphdr))) |
| 39 | return -EINVAL; |
| 40 | *spi = skb->nh.iph->saddr; |
| 41 | *seq = 0; |
| 42 | return 0; |
| 43 | } |
| 44 | |
| 45 | return xfrm_parse_spi(skb, nexthdr, spi, seq); |
| 46 | } |
| 47 | |
| 48 | int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type) |
| 49 | { |
| 50 | int err; |
| 51 | u32 spi, seq; |
| 52 | struct sec_decap_state xfrm_vec[XFRM_MAX_DEPTH]; |
| 53 | struct xfrm_state *x; |
| 54 | int xfrm_nr = 0; |
| 55 | int decaps = 0; |
| 56 | |
| 57 | if ((err = xfrm4_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) != 0) |
| 58 | goto drop; |
| 59 | |
| 60 | do { |
| 61 | struct iphdr *iph = skb->nh.iph; |
| 62 | |
| 63 | if (xfrm_nr == XFRM_MAX_DEPTH) |
| 64 | goto drop; |
| 65 | |
| 66 | x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, iph->protocol, AF_INET); |
| 67 | if (x == NULL) |
| 68 | goto drop; |
| 69 | |
| 70 | spin_lock(&x->lock); |
| 71 | if (unlikely(x->km.state != XFRM_STATE_VALID)) |
| 72 | goto drop_unlock; |
| 73 | |
| 74 | if (x->props.replay_window && xfrm_replay_check(x, seq)) |
| 75 | goto drop_unlock; |
| 76 | |
| 77 | if (xfrm_state_check_expire(x)) |
| 78 | goto drop_unlock; |
| 79 | |
| 80 | xfrm_vec[xfrm_nr].decap.decap_type = encap_type; |
| 81 | if (x->type->input(x, &(xfrm_vec[xfrm_nr].decap), skb)) |
| 82 | goto drop_unlock; |
| 83 | |
| 84 | /* only the first xfrm gets the encap type */ |
| 85 | encap_type = 0; |
| 86 | |
| 87 | if (x->props.replay_window) |
| 88 | xfrm_replay_advance(x, seq); |
| 89 | |
| 90 | x->curlft.bytes += skb->len; |
| 91 | x->curlft.packets++; |
| 92 | |
| 93 | spin_unlock(&x->lock); |
| 94 | |
| 95 | xfrm_vec[xfrm_nr++].xvec = x; |
| 96 | |
| 97 | iph = skb->nh.iph; |
| 98 | |
| 99 | if (x->props.mode) { |
| 100 | if (iph->protocol != IPPROTO_IPIP) |
| 101 | goto drop; |
| 102 | if (!pskb_may_pull(skb, sizeof(struct iphdr))) |
| 103 | goto drop; |
| 104 | if (skb_cloned(skb) && |
| 105 | pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) |
| 106 | goto drop; |
| 107 | if (x->props.flags & XFRM_STATE_DECAP_DSCP) |
| 108 | ipv4_copy_dscp(iph, skb->h.ipiph); |
| 109 | if (!(x->props.flags & XFRM_STATE_NOECN)) |
| 110 | ipip_ecn_decapsulate(skb); |
| 111 | skb->mac.raw = memmove(skb->data - skb->mac_len, |
| 112 | skb->mac.raw, skb->mac_len); |
| 113 | skb->nh.raw = skb->data; |
| 114 | memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); |
| 115 | decaps = 1; |
| 116 | break; |
| 117 | } |
| 118 | |
| 119 | if ((err = xfrm_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) < 0) |
| 120 | goto drop; |
| 121 | } while (!err); |
| 122 | |
| 123 | /* Allocate new secpath or COW existing one. */ |
| 124 | |
| 125 | if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { |
| 126 | struct sec_path *sp; |
| 127 | sp = secpath_dup(skb->sp); |
| 128 | if (!sp) |
| 129 | goto drop; |
| 130 | if (skb->sp) |
| 131 | secpath_put(skb->sp); |
| 132 | skb->sp = sp; |
| 133 | } |
| 134 | if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH) |
| 135 | goto drop; |
| 136 | |
| 137 | memcpy(skb->sp->x+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(struct sec_decap_state)); |
| 138 | skb->sp->len += xfrm_nr; |
| 139 | |
| 140 | if (decaps) { |
| 141 | if (!(skb->dev->flags&IFF_LOOPBACK)) { |
| 142 | dst_release(skb->dst); |
| 143 | skb->dst = NULL; |
| 144 | } |
| 145 | netif_rx(skb); |
| 146 | return 0; |
| 147 | } else { |
| 148 | return -skb->nh.iph->protocol; |
| 149 | } |
| 150 | |
| 151 | drop_unlock: |
| 152 | spin_unlock(&x->lock); |
| 153 | xfrm_state_put(x); |
| 154 | drop: |
| 155 | while (--xfrm_nr >= 0) |
| 156 | xfrm_state_put(xfrm_vec[xfrm_nr].xvec); |
| 157 | |
| 158 | kfree_skb(skb); |
| 159 | return 0; |
| 160 | } |