1 /*
2 * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs.
5 *
6 * OCF/receive state machine written by
7 * David McCullough <dmccullough@cyberguard.com>
8 * Copyright (C) 2004-2005 Intel Corporation. All Rights Reserved.
9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the
12 * Free Software Foundation; either version 2 of the License, or (at your
13 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
17 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * for more details.
19 */
20
21 #define __NO_VERSION__
22 #include <linux/module.h>
23 #ifndef AUTOCONF_INCLUDED
24 #include <linux/config.h>
25 #endif /* for CONFIG_IP_FORWARD */
26 #include <linux/version.h>
27 #include <linux/kernel.h> /* printk() */
28
29 #include "openswan/ipsec_param.h"
30
31 #ifdef MALLOC_SLAB
32 # include <linux/slab.h> /* kmalloc() */
33 #else /* MALLOC_SLAB */
34 # include <linux/malloc.h> /* kmalloc() */
35 #endif /* MALLOC_SLAB */
36 #include <linux/errno.h> /* error codes */
37 #include <linux/types.h> /* size_t */
38 #include <linux/file.h>
39 #include <linux/interrupt.h> /* mark_bh */
40
41 #include <net/tcp.h>
42 #include <net/udp.h>
43 #include <linux/skbuff.h>
44
45 #include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
46 #include <linux/etherdevice.h> /* eth_type_trans */
47 #include <linux/ip.h> /* struct iphdr */
48 #include <net/arp.h>
49 #include <linux/skbuff.h>
50
51 #include <openswan.h>
52
53 # include <linux/in6.h>
54 # define IS_MYADDR RTN_LOCAL
55 # include <net/dst.h>
56 # define PHYSDEV_TYPE
57
58 #ifndef NETDEV_TX_BUSY
59 # ifdef NETDEV_XMIT_CN
60 # define NETDEV_TX_BUSY NETDEV_XMIT_CN
61 # else
62 # define NETDEV_TX_BUSY 1
63 # endif
64 #endif
65
66 #include <net/icmp.h> /* icmp_send() */
67 #include <net/ip.h>
68 #include <net/arp.h>
69 #ifdef NETDEV_23
70 # include <linux/netfilter_ipv4.h>
71 #endif /* NETDEV_23 */
72
73 #include <linux/if_arp.h>
74 #include <net/arp.h>
75
76 #include "openswan/ipsec_kversion.h"
77 #include "openswan/radij.h"
78 #include "openswan/ipsec_life.h"
79 #include "openswan/ipsec_xform.h"
80 #include "openswan/ipsec_eroute.h"
81 #include "openswan/ipsec_encap.h"
82 #include "openswan/ipsec_radij.h"
83 #include "openswan/ipsec_sa.h"
84 #include "openswan/ipsec_tunnel.h"
85 #include "openswan/ipsec_xmit.h"
86 #include "openswan/ipsec_rcv.h"
87 #include "openswan/ipsec_ipe4.h"
88 #include "openswan/ipsec_ah.h"
89 #include "openswan/ipsec_esp.h"
90 #include "openswan/ipsec_kern24.h"
91
92 #include <openswan/pfkeyv2.h>
93 #include <openswan/pfkey.h>
94
95 #include "openswan/ipsec_proto.h"
96 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
97 #include <linux/udp.h>
98 #endif
99
/* Block of zero words; nothing in the visible part of this file reads it. */
static __u32 zeroes[64];

/* forward references */
DEBUG_NO_STATIC int ipsec_tunnel_attach(struct net_device *dev, struct net_device *physdev);
DEBUG_NO_STATIC int ipsec_tunnel_detach(struct net_device *dev);
/* net_device_ops table for the ipsecN virtual devices; defined elsewhere. */
extern const struct net_device_ops klips_device_ops;

#ifdef CONFIG_KLIPS_DEBUG
/* Bitmask of DB_TN_* flags selecting which KLIPS_PRINT traces in this file fire. */
int debug_tunnel = 0;
#endif /* CONFIG_KLIPS_DEBUG */
110
/*
 * ndo_open for an ipsecN device.  Succeeds only once the virtual device
 * has been attached to a physical device (prv->dev set), in which case
 * the module use count is bumped; otherwise -ENODEV.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_open(struct net_device *dev)
{
	struct ipsecpriv *prv = netdev_priv(dev);
	const char *physname = prv->dev ? prv->dev->name : "NONE";

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_open: "
		    "dev = %s, prv->dev = %s\n",
		    dev->name, physname);

	/* Can't open until attached. */
	if (!prv->dev)
		return -ENODEV;

	KLIPS_INC_USE;
	return 0;
}
131
/* ndo_stop counterpart of ipsec_tunnel_open(): only drops the module use count. */
DEBUG_NO_STATIC int
ipsec_tunnel_close(struct net_device *dev)
{
	(void)dev;	/* nothing device-specific to tear down here */
	KLIPS_DEC_USE;
	return 0;
}
138
/*
 * Hand a fully built packet to the IP output path: dst_output() on 2.6
 * kernels, ip_send() on older ones.  Returns whatever that call returns.
 */
static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
{
#ifdef NETDEV_25 /* 2.6 kernels */
	int rc = dst_output(skb);
#else
	int rc = ip_send(skb);
#endif
	return rc;
}
148
149 #ifdef HAVE_NETDEV_HEADER_OPS
150
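/*
 * header_ops->create for an ipsecN device.  The virtual device has no link
 * layer of its own, so the call is "revectored": skb->dev is temporarily
 * swapped to the attached physical device and that device's create()
 * builds the link-layer header.
 *
 * Returns what the physical device's create() returns, -ENODATA for a
 * NULL skb, or -ENODEV when there is no device, no private area, no
 * attached physical device, or the physical device has no create() op
 * (the last two also count as tx_dropped on this device).
 */
int klips_header(struct sk_buff *skb, struct net_device *dev,
		 unsigned short type,
		 const void *daddr, const void *saddr, unsigned len)
{
	struct ipsecpriv *prv;
	struct net_device *physdev;
	struct net_device *tmp;
	const struct header_ops *ops;
	int ret;
	struct net_device_stats *stats; /* This device's statistics */

	if(skb == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no skb...\n");
		return -ENODATA;
	}

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no device...\n");
		return -ENODEV;
	}

	/* Only reach into the private area once dev is known to be non-NULL. */
	prv = netdev_priv(dev);

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_hard_header: "
		    "skb->dev=%s dev=%s.\n",
		    skb->dev ? skb->dev->name : "NULL",
		    dev->name);

	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no private space associated with dev=%s\n",
			    dev->name ? dev->name : "NULL");
		return -ENODEV;
	}

	stats = (struct net_device_stats *) &(prv->mystats);
	physdev = prv->dev;

	if(physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no physical device associated with dev=%s\n",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	ops = physdev->header_ops;
	if(ops == NULL || ops->create == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "cannot revector dev=%s op=%p func=%p",
			    dev->name ? dev->name : "NULL",
			    ops, ops ? ops->create : 0);
		stats->tx_dropped++;
		return -ENODEV;
	}

	/* check if we have to send a IPv6 packet. It might be a Router
	   Solicitation, where the building of the packet happens in
	   reverse order:
	   1. ll hdr,
	   2. IPv6 hdr,
	   3. ICMPv6 hdr
	   -> skb->nh.raw is still uninitialized when this function is
	   called!! If this is no IPv6 packet, we can print debugging
	   messages, otherwise we skip all debugging messages and just
	   build the ll header */
	if(type != ETH_P_IPV6) {
		/* physdev was verified above, so the former "physical device
		 * has been detached" branch at this point could never fire
		 * and has been removed. */
		const unsigned char *da = physdev->dev_addr;

		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
			    saddr,
			    daddr,
			    len,
			    type,
			    dev->name,
			    physdev->name,
			    da[0], da[1], da[2], da[3], da[4], da[5]);
		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
				"ip=%08x->%08x\n",
				(__u32)ntohl(ip_hdr(skb)->saddr),
				(__u32)ntohl(ip_hdr(skb)->daddr) );
	} else {
		KLIPS_PRINT(debug_tunnel,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
	}

	/* Revector: let the physical device build the header, then restore skb->dev. */
	tmp = skb->dev;
	skb->dev = physdev;
	ret = ops->create(skb, physdev, type,
			  (void *)daddr, (void *)saddr, len);
	skb->dev = tmp;
	return ret;
}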
268
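/*
 * header_ops->parse for an ipsecN device: revectored to the attached
 * physical device's parse() so the hardware source address can be
 * extracted from skb.  skb->dev is not swapped for this call (the old
 * #if 0'd swap has been dropped).
 *
 * Returns the physical device's parse() result, or -ENODEV (and
 * tx_dropped++, as the sibling revectored ops do) when no physical device
 * is attached or it has no parse() op.  A NULL skb->dev is not guarded
 * here; callers are expected to pass an skb owned by an ipsecN device.
 */
int klips_header_parse(const struct sk_buff *skb, unsigned char *haddr)
{
	struct ipsecpriv *prv = netdev_priv(skb->dev);
	struct net_device_stats *stats; /* This device's statistics */
	struct net_device *physdev;
	const struct header_ops *ops;

	stats = (struct net_device_stats *) &(prv->mystats);
	physdev = prv->dev;
	if(physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:klips_header_parse: "
			    "no physical device associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	ops = physdev->header_ops;
	if(ops == NULL || ops->parse == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:klips_header_parse: "
			    "cannot revector dev=%s op=%p func=%p",
			    skb->dev->name ? skb->dev->name : "NULL",
			    ops, ops ? ops->parse : 0);
		stats->tx_dropped++;
		return -ENODEV;
	}

	return ops->parse(skb, haddr);
}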
311
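/*
 * header_ops->rebuild for an ipsecN device, revectored to the attached
 * physical device's rebuild() with skb->dev temporarily swapped.
 *
 * The private area is only looked up after skb->dev has been checked:
 * the original derived prv from a possibly-NULL skb->dev first, which
 * made the prv == NULL test meaningless for that case.
 *
 * Returns the physical device's rebuild() result, or -ENODEV when there
 * is no device, no private area, no attached physical device, or no
 * rebuild() op (the last two also count as tx_dropped).
 */
DEBUG_NO_STATIC int
klips_rebuild_header(struct sk_buff *skb)
{
	struct ipsecpriv *prv;
	struct net_device *physdev;
	struct net_device *tmp;
	const struct header_ops *ops;
	int ret;
	struct net_device_stats *stats; /* This device's statistics */

	if(skb->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no device...");
		return -ENODEV;
	}

	prv = netdev_priv(skb->dev);

	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no private space associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		return -ENODEV;
	}

	stats = (struct net_device_stats *) &(prv->mystats);
	physdev = prv->dev;

	if(physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no physical device associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	ops = physdev->header_ops;
	if(ops == NULL || ops->rebuild == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "cannot revector dev=%s op=%p func=%p",
			    skb->dev->name ? skb->dev->name : "NULL",
			    ops, ops ? ops->rebuild : 0);
		stats->tx_dropped++;
		return -ENODEV;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored rebuild_header dev=%s->%s ",
		    skb->dev->name, physdev->name);
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "ip=%08x->%08x\n",
		    (__u32)ntohl(ip_hdr(skb)->saddr),
		    (__u32)ntohl(ip_hdr(skb)->daddr) );

	/* Revector with skb->dev pointing at the physical device, then restore it. */
	tmp = skb->dev;
	skb->dev = physdev;
	ret = ops->rebuild(skb);
	skb->dev = tmp;
	return ret;
}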
373
/*
 * header_ops->cache for an ipsecN device: forwards the hh_cache fill to
 * the attached physical device's cache() op.
 *
 * Returns that op's result, or -1 (and tx_dropped++) when no physical
 * device is attached or it provides no cache() op.
 */
int klips_header_cache(const struct neighbour *neigh, struct hh_cache *hh)
{
	const struct net_device *dev = neigh->dev;
	struct ipsecpriv *prv = netdev_priv(dev);
	struct net_device_stats *stats = (struct net_device_stats *) &(prv->mystats);
	struct net_device *physdev = prv->dev;
	const struct header_ops *ops;

	if (physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:klips_header_cache: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return -1;
	}

	ops = physdev->header_ops;
	if (ops == NULL || ops->cache == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:klips_header_cache: "
			    "cannot revector dev=%s op=%p func=%p",
			    dev->name ? dev->name : "NULL",
			    ops, ops ? ops->cache : 0);
		stats->tx_dropped++;
		return -1;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored cache_update\n");
	return ops->cache(neigh, hh);
}
407
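/*
 * header_ops->cache_update for an ipsecN device: forwards the update to
 * the attached physical device's cache_update() op, passing the physical
 * device as the dev argument.
 *
 * The private area is only looked up after dev has been checked; the
 * original derived prv from a possibly-NULL dev first.  Silently returns
 * when there is no device, no private area, no attached physical device,
 * or no cache_update() op (the last two also count as tx_dropped).
 */
DEBUG_NO_STATIC void
klips_header_cache_update(struct hh_cache *hh,
			  const struct net_device *dev,
			  const unsigned char * haddr)
{
	struct ipsecpriv *prv;
	struct net_device *physdev;
	const struct header_ops *ops;
	struct net_device_stats *stats; /* This device's statistics */

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no device...");
		return;
	}

	prv = netdev_priv(dev);

	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return;
	}

	stats = (struct net_device_stats *) &(prv->mystats);
	physdev = prv->dev;

	if(physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return;
	}

	ops = physdev->header_ops;
	if(ops == NULL || ops->cache_update == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "cannot revector dev=%s op=%p func=%p",
			    dev->name ? dev->name : "NULL",
			    ops, ops ? ops->cache_update : 0);
		stats->tx_dropped++;
		return;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored cache_update\n");
	ops->cache_update(hh, physdev, haddr);
}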
461
462
/*
 * header_ops installed on the ipsecN virtual devices.  Every entry is a
 * thin "revector" that forwards to the corresponding op of the physical
 * device the ipsecN device is attached to (prv->dev).
 */
const struct header_ops klips_header_ops ____cacheline_aligned = {
	.create = klips_header,
	.parse = klips_header_parse,
	.rebuild = klips_rebuild_header,
	.cache = klips_header_cache,
	.cache_update = klips_header_cache_update,
};
470
471 #endif /* HAVE_NETDEV_HEADER_OPS */
472
/*
 * Work out how many link-layer bytes precede the IP header of the packet
 * being transmitted and record that in ixs->hard_header_len.
 *
 * The length is measured from skb->data to ixs->iph rather than taken
 * from physdev->hard_header_len, which is unreliable.  A measured length
 * of zero means no hard header is present; that is flagged in
 * ixs->hard_header_stripped and the device's value is used instead,
 * because ATM, GRE and some other interfaces need it (thanks to Willy
 * Tarreau <willy@w.ods.org>).
 *
 * Returns IPSEC_XMIT_BADHHLEN (and tx_dropped++) if the measured length
 * is negative, else IPSEC_XMIT_OK.  With DB_TN_XMIT debugging on, the
 * hard header bytes are hex-dumped to the log.
 */
enum ipsec_xmit_value
ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs)
{
	struct sk_buff *skb = ixs->skb;

	/* ixs->physdev->hard_header_len is unreliable and should not be used */
	ixs->hard_header_len = (unsigned char *)(ixs->iph) - skb->data;

	if (ixs->hard_header_len < 0) {
		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
			    "klips_error:ipsec_xmit_strip_hard_header: "
			    "Negative hard_header_len (%d)?!\n", ixs->hard_header_len);
		ixs->stats->tx_dropped++;
		return IPSEC_XMIT_BADHHLEN;
	}

	/* No hard header present: fall back to the device's notion of it. */
	if (ixs->hard_header_len == 0) {
		ixs->hard_header_stripped = 1;
		ixs->hard_header_len = ixs->physdev->hard_header_len;
	}

	if (debug_tunnel & DB_TN_XMIT) {
		int i;

		printk(KERN_INFO "klips_debug:ipsec_xmit_strip_hard_header: "
		       ">>> skb->len=%ld hard_header_len:%d",
		       (unsigned long int)skb->len, ixs->hard_header_len);
		/* First byte is preceded by a space, the rest by ':'. */
		for (i = 0; i < ixs->hard_header_len; i++)
			printk("%c%02x", i ? ':' : ' ', skb->data[i]);
		printk(" \n");
	}

	KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);

	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
		    "klips_debug:ipsec_xmit_strip_hard_header: "
		    "Original head,tailroom: %d,%d\n",
		    skb_headroom(skb), skb_tailroom(skb));

	return IPSEC_XMIT_OK;
}
521
/*
 * Policy lookup for an outbound packet.
 *
 * Fills ixs->matcher from the IP header (ports via ipsec_extract_ports())
 * and looks the packet up in the eroute table under eroute_lock.  For UDP
 * and TCP, ixs->sport/dport are taken from the owning socket when the skb
 * has one, otherwise from the transport header (only read for an
 * unfragmented packet long enough to hold it).  For other protocols the
 * two fields are left untouched.
 *
 * The result is left in ixs->outgoing_said.  It defaults to %drop and is
 * then overridden by:
 *   - %pass     for locally-sourced UDP with source port 500 or 4500
 *               (treated as our own IKE traffic), provided the eroute is
 *               absent or its destination is the packet's or INADDR_ANY;
 *   - %passtrap (KLIPS_EXCEPT_DNS53 only) for local TCP/UDP to port 53
 *               when there is no eroute or it is a %trap/%hold;
 *   - the eroute's SA otherwise.  A %hold eroute steals the skb
 *     (IPSEC_XMIT_STOLEN, ixs->skb set to NULL); a %trap/%trapsubnet
 *     eroute additionally copies the eroute's identities into ixs->ips
 *     using GFP_ATOMIC allocations.
 *
 * Returns IPSEC_XMIT_OK, IPSEC_XMIT_STOLEN or IPSEC_XMIT_ERRMEMALLOC.
 * eroute_lock is released on every return path.
 *
 * NOTE(review): the IKE bypass keys on ip_chk_addr(saddr) == IS_MYADDR
 * and the *source* port only, so any locally-originated UDP datagram
 * sent from port 500/4500 is passed in the clear regardless of the
 * eroute; keep that in mind when reasoning about policy coverage.
 */
enum ipsec_xmit_value
ipsec_tunnel_SAlookup(struct ipsec_xmit_state *ixs)
{
	unsigned int bypass;

	bypass = FALSE;

	/*
	 * First things first -- look us up in the erouting tables.
	 */
	ixs->matcher.sen_len = sizeof (struct sockaddr_encap);
	ixs->matcher.sen_family = AF_ENCAP;
	ixs->matcher.sen_type = SENT_IP4;
	ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
	ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
	ixs->matcher.sen_proto = ixs->iph->protocol;
	ipsec_extract_ports(ixs->iph, &ixs->matcher);

	/*
	 * The spinlock is to prevent any other process from accessing or deleting
	 * the eroute while we are using and updating it.
	 */
	spin_lock_bh(&eroute_lock);

	ixs->eroute = ipsec_findroute(&ixs->matcher);

	if(ixs->iph->protocol == IPPROTO_UDP) {
		struct udphdr *t = NULL;

		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
			    "klips_debug:udp port check: "
			    "fragoff: %d len: %d>%ld \n",
			    ntohs(ixs->iph->frag_off) & IP_OFFSET,
			    (ixs->skb->len - ixs->hard_header_len),
			    (unsigned long int) ((ixs->iph->ihl << 2) + sizeof(struct udphdr)));

		/* Only the first fragment, and only if the UDP header fits. */
		if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
		   ((ixs->skb->len - ixs->hard_header_len) >=
		    ((ixs->iph->ihl << 2) + sizeof(struct udphdr))))
		{
			t =((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
				    "klips_debug:udp port in packet: "
				    "port %d -> %d\n",
				    ntohs(t->source), ntohs(t->dest));
		}

		ixs->sport=0; ixs->dport=0;

		/* Prefer the owning socket's ports; the header is the fallback. */
		if(ixs->skb->sk) {
#ifdef NET_26
#ifdef HAVE_INET_SK_SPORT
			ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport);
			ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport);
#else
			struct udp_sock *us;

			us = (struct udp_sock *)ixs->skb->sk;

			ixs->sport = ntohs(us->inet.sport);
			ixs->dport = ntohs(us->inet.dport);
#endif
#else
			ixs->sport = ntohs(ixs->skb->sk->sport);
			ixs->dport = ntohs(ixs->skb->sk->dport);
#endif

		}

		if(t != NULL) {
			if(ixs->sport == 0) {
				ixs->sport = ntohs(t->source);
			}
			if(ixs->dport == 0) {
				ixs->dport = ntohs(t->dest);
			}
		}
	}

	/*
	 * practically identical to above, but let's be careful about
	 * tcp vs udp headers
	 */
	if(ixs->iph->protocol == IPPROTO_TCP) {
		struct tcphdr *t = NULL;

		if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
		   ((ixs->skb->len - ixs->hard_header_len) >=
		    ((ixs->iph->ihl << 2) + sizeof(struct tcphdr)))) {
			t =((struct tcphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
		}

		ixs->sport=0; ixs->dport=0;

		if(ixs->skb->sk) {
#ifdef NET_26
#ifdef HAVE_INET_SK_SPORT
			ixs->sport = ntohs(inet_sk(ixs->skb->sk)->sport);
			ixs->dport = ntohs(inet_sk(ixs->skb->sk)->dport);
#else
			struct tcp_tw_bucket *tw;
			tw = (struct tcp_tw_bucket *)ixs->skb->sk;
			ixs->sport = ntohs(tw->tw_sport);
			ixs->dport = ntohs(tw->tw_dport);
#endif
#else
			ixs->sport = ntohs(ixs->skb->sk->sport);
			ixs->dport = ntohs(ixs->skb->sk->dport);
#endif
		}

		if(t != NULL) {
			if(ixs->sport == 0) {
				ixs->sport = ntohs(t->source);
			}
			if(ixs->dport == 0) {
				ixs->dport = ntohs(t->dest);
			}
		}
	}

	/* default to a %drop eroute */
	ixs->outgoing_said.proto = IPPROTO_INT;
	ixs->outgoing_said.spi = htonl(SPI_DROP);
	ixs->outgoing_said.dst.u.v4.sin_addr.s_addr = INADDR_ANY;
	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
		    "klips_debug:ipsec_xmit_SAlookup: "
		    "checking for local udp/500 IKE packet "
		    "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
		    ntohl((unsigned int)ixs->iph->saddr),
		    ixs->eroute,
		    ntohl((unsigned int)ixs->iph->daddr),
		    ixs->eroute ? ntohl((unsigned int)ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr) : 0,
		    ixs->iph->protocol,
		    ixs->sport,
		    ixs->dport);

	/*
	 * cheat for now...are we udp/500? If so, let it through
	 * without interference since it is most likely an IKE packet.
	 */

	if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
	    && (ixs->eroute==NULL
		|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
		|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
	    && (ixs->iph->protocol == IPPROTO_UDP &&
		(ixs->sport == 500 || ixs->sport == 4500))) {
		/* Whatever the eroute, this is an IKE message
		 * from us (i.e. not being forwarded).
		 * Furthermore, if there is a tunnel eroute,
		 * the destination is the peer for this eroute.
		 * So %pass the packet: modify the default %drop.
		 */

		ixs->outgoing_said.spi = htonl(SPI_PASS);
		/* Without a socket the ports came from the header, so later
		 * fragments (which carry none) will not match this bypass. */
		if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
				    "klips_debug:ipsec_xmit_SAlookup: "
				    "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
		}
		bypass = TRUE;
	}

#ifdef KLIPS_EXCEPT_DNS53
	/*
	 *
	 * if we are udp/53 or tcp/53, also let it through a %trap or %hold,
	 * since it is DNS, but *also* follow the %trap.
	 *
	 * we do not do this for tunnels, only %trap's and %hold's.
	 *
	 */

	if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
	    && (ixs->eroute==NULL
		|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
		|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
	    && ((ixs->iph->protocol == IPPROTO_UDP
		 || ixs->iph->protocol == IPPROTO_TCP)
		&& ixs->dport == 53)) {

		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
			    "klips_debug:ipsec_xmit_SAlookup: "
			    "possible DNS packet\n");

		if(ixs->eroute)
		{
			/* Only shunt eroutes qualify; a real tunnel keeps its SA. */
			if(ixs->eroute->er_said.spi == htonl(SPI_TRAP)
			   || ixs->eroute->er_said.spi == htonl(SPI_HOLD))
			{
				ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
				bypass = TRUE;
			}
		}
		else
		{
			ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
			bypass = TRUE;
		}

		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
			    "klips_debug:ipsec_xmit_SAlookup: "
			    "bypass = %d\n", bypass);

		if(bypass
		   && !(ixs->skb->sk)
		   && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0))
		{
			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
				    "klips_debug:ipsec_xmit_SAlookup: "
				    "local port 53 (probably DNS) passthrough:"
				    "base fragment, rest of fragments will "
				    "probably get filtered.\n");
		}
	}
#endif

	if (bypass==FALSE && ixs->eroute) {
		/* Eroute bookkeeping, still under eroute_lock. */
		ixs->eroute->er_count++;
		ixs->eroute->er_lasttime = jiffies/HZ;
		if(ixs->eroute->er_said.proto==IPPROTO_INT
		   && ixs->eroute->er_said.spi==htonl(SPI_HOLD))
		{
			KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
				    "klips_debug:ipsec_xmit_SAlookup: "
				    "shunt SA of HOLD: skb stored in HOLD.\n");
			/* A %hold keeps one packet; a previously held one is
			 * dropped to make room for this skb, which is stolen. */
			if(ixs->eroute->er_last != NULL) {
				ipsec_kfree_skb(ixs->eroute->er_last);
				ixs->stats->tx_dropped++;
			}
			ixs->eroute->er_last = ixs->skb;
			ixs->skb = NULL;
			spin_unlock_bh(&eroute_lock);
			return IPSEC_XMIT_STOLEN;
		}
		ixs->outgoing_said = ixs->eroute->er_said;
		ixs->eroute_pid = ixs->eroute->er_pid;

		/* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
		if(ixs->outgoing_said.proto==IPPROTO_INT
		   && (ixs->outgoing_said.spi==htonl(SPI_TRAP)
		       || (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) {
			int len;

			ixs->ips.ips_ident_s.type = ixs->eroute->er_ident_s.type;
			ixs->ips.ips_ident_s.id = ixs->eroute->er_ident_s.id;
			ixs->ips.ips_ident_s.len = ixs->eroute->er_ident_s.len;
			if (ixs->ips.ips_ident_s.len)
			{
				/* ident len is in IPSEC_PFKEYv2_ALIGN units and covers the
				 * sadb_ident header, which is not part of the payload.
				 * NOTE(review): nothing here rejects a len so small that
				 * this goes negative -- presumably validated when the
				 * eroute was installed; confirm. */
				len = ixs->ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
				/* The "shunt SA of HOLD" wording below looks copy-pasted
				 * from the %hold branch; the message is about ident_s. */
				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
					    "klips_debug:ipsec_xmit_SAlookup: "
					    "allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n",
					    len);
				if ((ixs->ips.ips_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
					printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
					       "Failed, tried to allocate %d bytes for source ident.\n",
					       len);
					ixs->stats->tx_dropped++;
					spin_unlock_bh(&eroute_lock);
					return IPSEC_XMIT_ERRMEMALLOC;
				}
				memcpy(ixs->ips.ips_ident_s.data, ixs->eroute->er_ident_s.data, len);
			}
			ixs->ips.ips_ident_d.type = ixs->eroute->er_ident_d.type;
			ixs->ips.ips_ident_d.id = ixs->eroute->er_ident_d.id;
			ixs->ips.ips_ident_d.len = ixs->eroute->er_ident_d.len;
			if (ixs->ips.ips_ident_d.len)
			{
				len = ixs->ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
				KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
					    "klips_debug:ipsec_xmit_SAlookup: "
					    "allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n",
					    len);
				/* On failure the ident_s buffer allocated above is left in
				 * ixs->ips; presumably released by ipsec_xmit_cleanup() --
				 * confirm. */
				if ((ixs->ips.ips_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
					printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
					       "Failed, tried to allocate %d bytes for dest ident.\n",
					       len);
					ixs->stats->tx_dropped++;
					spin_unlock_bh(&eroute_lock);
					return IPSEC_XMIT_ERRMEMALLOC;
				}
				memcpy(ixs->ips.ips_ident_d.data, ixs->eroute->er_ident_d.data, len);
			}
		}
	}

	spin_unlock_bh(&eroute_lock);
	return IPSEC_XMIT_OK;
}
813
814
/*
 * Put the link-layer header saved earlier in ixs->saved_header back in
 * front of the (now transformed) packet.
 *
 * Nothing is done when no header was saved.  Otherwise ixs->hard_header_len
 * bytes are pushed onto the skb and filled from saved_header.  If the skb
 * lacks that much headroom a warning is logged, tx_errors is bumped and
 * IPSEC_XMIT_PUSHPULLERR is returned; success yields IPSEC_XMIT_OK.
 */
enum ipsec_xmit_value
ipsec_tunnel_restore_hard_header(struct ipsec_xmit_state *ixs)
{
	struct sk_buff *skb = ixs->skb;
	const int hhlen = ixs->hard_header_len;

	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
		    "klips_debug:ipsec_xmit_restore_hard_header: "
		    "After recursive xforms -- head,tailroom: %d,%d\n",
		    skb_headroom(skb),
		    skb_tailroom(skb));

	if (ixs->saved_header) {
		int i;

		if (skb_headroom(skb) < hhlen) {
			printk(KERN_WARNING
			       "klips_error:ipsec_xmit_restore_hard_header: "
			       "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
			       hhlen,
			       skb_headroom(skb));
			ixs->stats->tx_errors++;
			return IPSEC_XMIT_PUSHPULLERR;
		}

		skb_push(skb, hhlen);
		/* Byte-wise copy back of the saved header. */
		for (i = 0; i < hhlen; i++)
			skb->data[i] = ixs->saved_header[i];
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
		    "klips_debug:ipsec_xmit_restore_hard_header: "
		    "With hard_header, final head,tailroom: %d,%d\n",
		    skb_headroom(skb),
		    skb_tailroom(skb));

	return IPSEC_XMIT_OK;
}
852
853
/*
 * Completion callback installed by ipsec_tunnel_start_xmit(): the encap
 * state machine (ipsec_xsm) calls this once its bundle of transforms has
 * finished, so that transmission can continue from here.
 *
 * stat is the state machine's result.  IPSEC_XMIT_PASS sends the packet
 * as-is; any other failure just cleans up; IPSEC_XMIT_OK goes on to look
 * up the eroute for the (now outer) header.  If that yields an eroute
 * whose non-zero destination differs from ixs->orgedst, the packet needs
 * another round of encapsulation and ipsec_xsm() is re-entered -- in that
 * case the xmit state is not released here (the nested run presumably
 * completes through this callback again).  Otherwise NAT-T encapsulation
 * (when built in) and the link-layer header are applied, the packet is
 * sent, and the xmit state is freed.
 */

void
ipsec_tunnel_xsm_complete(
	struct ipsec_xmit_state *ixs,
	enum ipsec_xmit_value stat)
{
	if(stat != IPSEC_XMIT_OK) {
		if(stat == IPSEC_XMIT_PASS) {
			goto bypass;
		}

		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
			    "klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: %d\n",
			    stat);
		goto cleanup;
	}

	/* Re-match on the header the transforms just produced. */
	ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
	ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
	ixs->matcher.sen_proto = ixs->iph->protocol;
	ipsec_extract_ports(ixs->iph, &ixs->matcher);

	spin_lock_bh(&eroute_lock);
	ixs->eroute = ipsec_findroute(&ixs->matcher);
	if(ixs->eroute) {
		/* Copy out what is needed while the eroute is still locked. */
		ixs->outgoing_said = ixs->eroute->er_said;
		ixs->eroute_pid = ixs->eroute->er_pid;
		ixs->eroute->er_count++;
		ixs->eroute->er_lasttime = jiffies/HZ;
	}
	spin_unlock_bh(&eroute_lock);

	KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
		    /* ((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc)) */
		    (ixs->orgedst != ixs->outgoing_said.dst.u.v4.sin_addr.s_addr) &&
		    ixs->outgoing_said.dst.u.v4.sin_addr.s_addr &&
		    ixs->eroute,
		    "klips_debug:ipsec_tunnel_start_xmit: "
		    "We are recursing here.\n");

	/* Nested tunnel: the new outer destination has its own eroute. */
	if (/*((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc))*/
	    (ixs->orgedst != ixs->outgoing_said.dst.u.v4.sin_addr.s_addr) &&
	    ixs->outgoing_said.dst.u.v4.sin_addr.s_addr &&
	    ixs->eroute) {
		ipsec_xsm(ixs);
		return;
	}

#ifdef NAT_TRAVERSAL
	stat = ipsec_nat_encap(ixs);
	if(stat != IPSEC_XMIT_OK) {
		goto cleanup;
	}
#endif

	stat = ipsec_tunnel_restore_hard_header(ixs);
	if(stat != IPSEC_XMIT_OK) {
		goto cleanup;
	}

bypass:
	/* The send result is not inspected: the state is torn down either way. */
	stat = ipsec_tunnel_send(ixs);

cleanup:
	ipsec_xmit_cleanup(ixs);
	ipsec_xmit_state_delete(ixs);
}
924
925
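/*
 * ndo_start_xmit for an ipsecN device.  Assumes it is being called from
 * dev_queue_xmit() and that skb has been filled in properly by it.
 *
 * Allocates an ipsec_xmit_state, runs the device and skb sanity checks,
 * strips the link-layer header, looks up the outbound policy and then
 * hands the state to ipsec_xsm(); ipsec_tunnel_xsm_complete() finishes
 * the job and frees the state.  On any failure before that point the
 * state is released here (ipsec_xmit_cleanup() presumably also drops the
 * skb) and 0 is returned, i.e. the skb counts as consumed.  Only when no
 * state can be allocated is the queue stopped and NETDEV_TX_BUSY
 * returned so the caller keeps the skb.
 *
 * The dead initial store of IPSEC_XMIT_ERRMEMALLOC into stat (never read
 * before being overwritten) has been removed.
 */
int
ipsec_tunnel_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
	struct ipsec_xmit_state *ixs;
	enum ipsec_xmit_value stat;

	KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
		    "\n\nipsec_tunnel_start_xmit: STARTING");

	ixs = ipsec_xmit_state_new();
	if (!ixs) {
		/* NOTE(review): nothing visible here restarts the queue later;
		 * the wakeup presumably lives with the state allocator -- confirm. */
		netif_stop_queue(dev);
		return NETDEV_TX_BUSY;
	}

	ixs->dev = dev;
	ixs->skb = skb;

	stat = ipsec_xmit_sanity_check_dev(ixs);
	if (stat != IPSEC_XMIT_OK) {
		goto cleanup;
	}

	stat = ipsec_xmit_sanity_check_skb(ixs);
	if (stat != IPSEC_XMIT_OK) {
		goto cleanup;
	}

	stat = ipsec_tunnel_strip_hard_header(ixs);
	if (stat != IPSEC_XMIT_OK) {
		goto cleanup;
	}

	/* May also return IPSEC_XMIT_STOLEN (skb parked on a %hold eroute). */
	stat = ipsec_tunnel_SAlookup(ixs);
	if (stat != IPSEC_XMIT_OK) {
		KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
			    "klips_debug:ipsec_tunnel_start_xmit: SAlookup failed: %d\n",
			    stat);
		goto cleanup;
	}

	/* Source address of the packet before any encapsulation. */
	ixs->innersrc = ixs->iph->saddr;

	ixs->xsm_complete = ipsec_tunnel_xsm_complete;

	ipsec_xsm(ixs);
	return 0;

cleanup:
	ipsec_xmit_cleanup(ixs);
	ipsec_xmit_state_delete(ixs);
	return 0;
}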
984
/* ndo_get_stats: the counters live in the device's private area. */
DEBUG_NO_STATIC struct net_device_stats *
ipsec_tunnel_get_stats(struct net_device *dev)
{
	struct ipsecpriv *prv = netdev_priv(dev);

	return &prv->mystats;
}
990
991 /*
992 * Revectored calls.
993 * For each of these calls, a field exists in our private structure.
994 */
995
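/*
 * Legacy hard_header entry for an ipsecN device: builds the link-layer
 * header by revectoring to the physical device's create()/hard_header
 * routine saved in the private area, with skb->dev swapped to the
 * physical device for the duration of the call.
 *
 * Two fixes relative to the original: the private area is only derived
 * after dev has been checked for NULL, and the saved function pointer is
 * validated for every packet type -- previously the check sat inside the
 * non-IPv6 branch while the call itself was unconditional, so an IPv6
 * packet on a detached device would have called through NULL.  Under
 * HAVE_NETDEV_HEADER_OPS the saved header_ops pointer itself is also
 * checked before it is dereferenced.
 *
 * Returns the revectored routine's result, -ENODATA for a NULL skb, or
 * -ENODEV when there is no device, no private area, no attached physical
 * device, or no header-building routine (the last two also count as
 * tx_dropped).
 */
DEBUG_NO_STATIC int
ipsec_tunnel_hard_header(struct sk_buff *skb, struct net_device *dev,
			 unsigned short type, const void *daddr, const void *saddr, unsigned len)
{
	struct ipsecpriv *prv;
	struct net_device *tmp;
	int ret;
	int have_create;
	struct net_device_stats *stats; /* This device's statistics */

	if(skb == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no skb...\n");
		return -ENODATA;
	}

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no device...\n");
		return -ENODEV;
	}

	prv = netdev_priv(dev);

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_hard_header: "
		    "skb->dev=%s dev=%s.\n",
		    skb->dev ? skb->dev->name : "NULL",
		    dev->name);

	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no private space associated with dev=%s\n",
			    dev->name ? dev->name : "NULL");
		return -ENODEV;
	}

	stats = (struct net_device_stats *) &(prv->mystats);

	if(prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no physical device associated with dev=%s\n",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	/* The revectored call below is made for every packet type, so the
	 * saved function pointer must be validated before branching on type. */
#ifdef HAVE_NETDEV_HEADER_OPS
	have_create = prv->header_ops != NULL && prv->header_ops->create != NULL;
#else
	have_create = prv->hard_header != NULL;
#endif
	if(!have_create) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
			    saddr,
			    daddr,
			    len,
			    type,
			    dev->name);
		if(type != ETH_P_IPV6) {
			/* The network header is not valid yet for IPv6 (see the
			 * note below), so only decode it for other packets. */
#ifdef NET_21
			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
					"ip=%08x->%08x\n",
					(__u32)ntohl(ip_hdr(skb)->saddr),
					(__u32)ntohl(ip_hdr(skb)->daddr) );
#else /* NET_21 */
			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
					"ip=%08x->%08x\n",
					(__u32)ntohl(skb->ip_hdr->saddr),
					(__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */
		} else {
			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC, "\n");
		}
		stats->tx_dropped++;
		return -ENODEV;
	}

	/* check if we have to send a IPv6 packet. It might be a Router
	   Solicitation, where the building of the packet happens in
	   reverse order:
	   1. ll hdr,
	   2. IPv6 hdr,
	   3. ICMPv6 hdr
	   -> skb->nh.raw is still uninitialized when this function is
	   called!! If this is no IPv6 packet, we can print debugging
	   messages, otherwise we skip all debugging messages and just
	   build the ll header */
	if(type != ETH_P_IPV6) {
		/* execute this only, if we don't have to build the
		   header for a IPv6 packet */
		const unsigned char *da = prv->dev->dev_addr;

		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
			    saddr,
			    daddr,
			    len,
			    type,
			    dev->name,
			    prv->dev->name,
			    da[0], da[1], da[2], da[3], da[4], da[5]);
#ifdef NET_21
		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
				"ip=%08x->%08x\n",
				(__u32)ntohl(ip_hdr(skb)->saddr),
				(__u32)ntohl(ip_hdr(skb)->daddr) );
#else /* NET_21 */
		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
				"ip=%08x->%08x\n",
				(__u32)ntohl(skb->ip_hdr->saddr),
				(__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */
	} else {
		KLIPS_PRINT(debug_tunnel,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
	}

	/* Revector with skb->dev pointing at the physical device, then restore it. */
	tmp = skb->dev;
	skb->dev = prv->dev;
#ifdef HAVE_NETDEV_HEADER_OPS
	ret = prv->header_ops->create(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
#else
	ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
#endif
	skb->dev = tmp;
	return ret;
}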
1123
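/*
 * Revector rebuild_header to the attached physical device.
 *
 * skb->dev is the virtual ipsec device; its private data names the physical
 * device (prv->dev) whose rebuild hook is invoked with skb->dev temporarily
 * swapped to the physical device and restored afterwards.
 *
 * Returns the physical device's result, or -ENODEV when the skb carries no
 * device, the device has no private data, or no physical device (or its
 * rebuild hook) is attached.  The last two cases count as tx_dropped.
 */
DEBUG_NO_STATIC int
#ifdef NET_21
ipsec_tunnel_rebuild_header(struct sk_buff *skb)
#else /* NET_21 */
ipsec_tunnel_rebuild_header(void *buff, struct net_device *dev,
			    unsigned long raddr, struct sk_buff *skb)
#endif /* NET_21 */
{
	struct ipsecpriv *prv;
	struct net_device *tmp;
	int ret;
	struct net_device_stats *stats; /* This device's statistics */

	/* check skb->dev before deriving anything from it */
	if (skb->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no device...");
		return -ENODEV;
	}
	prv = netdev_priv(skb->dev);

	if (prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no private space associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		return -ENODEV;
	}

	stats = (struct net_device_stats *) &(prv->mystats);

	if (prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no physical device associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	/*
	 * ipsec_tunnel_detach() clears both prv->dev and the header hooks
	 * (prv->header_ops becomes NULL); treat a missing ops table like a
	 * missing hook instead of dereferencing it.
	 */
#ifdef HAVE_NETDEV_HEADER_OPS
	if (prv->header_ops == NULL || prv->header_ops->rebuild == NULL)
#else
	if (prv->rebuild_header == NULL)
#endif
	{
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "physical device has been detached, packet dropped skb->dev=%s->NULL ",
			    skb->dev->name);
#ifdef NET_21
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "ip=%08x->%08x\n",
			    (__u32)ntohl(ip_hdr(skb)->saddr),
			    (__u32)ntohl(ip_hdr(skb)->daddr) );
#else /* NET_21 */
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "ip=%08x->%08x\n",
			    (__u32)ntohl(skb->ip_hdr->saddr),
			    (__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */
		stats->tx_dropped++;
		return -ENODEV;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored rebuild_header dev=%s->%s ",
		    skb->dev->name, prv->dev->name);
#ifdef NET_21
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "ip=%08x->%08x\n",
		    (__u32)ntohl(ip_hdr(skb)->saddr),
		    (__u32)ntohl(ip_hdr(skb)->daddr) );
#else /* NET_21 */
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "ip=%08x->%08x\n",
		    (__u32)ntohl(skb->ip_hdr->saddr),
		    (__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */

	/* the physical hook must see its own device in skb->dev */
	tmp = skb->dev;
	skb->dev = prv->dev;
#ifdef HAVE_NETDEV_HEADER_OPS
	ret = prv->header_ops->rebuild(skb);
#else
#ifdef NET_21
	ret = prv->rebuild_header(skb);
#else /* NET_21 */
	ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
#endif /* NET_21 */
#endif
	skb->dev = tmp;
	return ret;
}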
1218
1219 #ifdef HAVE_SET_MAC_ADDR
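/*
 * Revector set_mac_address to the attached physical device.
 *
 * Returns the physical device's result, or -ENODEV when dev is NULL, has no
 * private data, has no physical device attached, or the physical device's
 * set_mac_address hook has been cleared (ipsec_tunnel_detach() does so).
 */
DEBUG_NO_STATIC int
ipsec_tunnel_set_mac_address(struct net_device *dev, void *addr)
{
	struct ipsecpriv *prv;
	struct net_device_stats *stats; /* This device's statistics */

	/* check dev before deriving anything from it */
	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "no device...");
		return -ENODEV;
	}
	prv = netdev_priv(dev);

	if (prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return -ENODEV;
	}

	stats = (struct net_device_stats *) &(prv->mystats);

	if (prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	/*
	 * The hook is cleared together with prv->dev on detach; test it
	 * explicitly so the indirect call below never goes through NULL.
	 */
	if (prv->set_mac_address == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
			    dev->name);
		return -ENODEV;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_set_mac_address: "
		    "Revectored dev=%s->%s addr=0p%p\n",
		    dev->name, prv->dev->name, addr);
	return prv->set_mac_address(prv->dev, addr);
}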
1268 #endif /* HAVE_SET_MAC_ADDR */
1269
1270 #ifndef NET_21
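/*
 * Revector header_cache_bind (pre-NET_21 kernels) to the attached physical
 * device.  Silently returns when dev is NULL or has no private data; counts
 * tx_dropped when no physical device or no bind hook is attached.
 */
DEBUG_NO_STATIC void
ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct net_device *dev,
			unsigned short htype, __u32 daddr)
{
	struct ipsecpriv *prv;
	struct net_device_stats *stats; /* This device's statistics */

	/* check dev before deriving anything from it */
	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "no device...");
		return;
	}
	prv = (struct ipsecpriv *) netdev_priv(dev);

	if (prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return;
	}

	stats = (struct net_device_stats *) &(prv->mystats);

	if (prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return;
	}

	/* the hook is cleared on detach together with prv->dev */
	if (prv->header_cache_bind == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
			    dev->name);
		stats->tx_dropped++;
		return;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_cache_bind: "
		    "Revectored \n");
	prv->header_cache_bind(hhp, prv->dev, htype, daddr);
}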
1320 #endif /* !NET_21 */
1321
1322
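/*
 * Revector header cache_update to the attached physical device.
 *
 * Silently returns when dev is NULL, has no private data, or the physical
 * device's hook (or, with header_ops, its whole ops table) is gone; a
 * missing physical device counts as tx_dropped.
 */
DEBUG_NO_STATIC void
ipsec_tunnel_cache_update(struct hh_cache *hh, const struct net_device *dev,
			  const unsigned char * haddr)
{
	struct ipsecpriv *prv;
	struct net_device_stats *stats; /* This device's statistics */

	/* check dev before deriving anything from it */
	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no device...");
		return;
	}
	prv = netdev_priv(dev);

	if (prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return;
	}

	stats = (struct net_device_stats *) &(prv->mystats);

	if (prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return;
	}

	/*
	 * ipsec_tunnel_detach() sets prv->header_ops to NULL; test the table
	 * before looking into it.
	 */
#ifdef HAVE_NETDEV_HEADER_OPS
	if (prv->header_ops == NULL || prv->header_ops->cache_update == NULL)
#else
	if (prv->header_cache_update == NULL)
#endif
	{
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
			    dev->name);
		return;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored cache_update\n");
#ifdef HAVE_NETDEV_HEADER_OPS
	prv->header_ops->cache_update(hh, prv->dev, haddr);
#else
	prv->header_cache_update(hh, prv->dev, haddr);
#endif
}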
1380
#ifdef HAVE_NETDEV_HEADER_OPS
/*
 * Link-layer header hooks of the virtual ipsec device.  Each entry only
 * revectors to the attached physical device's corresponding hook.
 */
const struct header_ops ipsec_tunnel_header_ops = {
	.cache_update	= ipsec_tunnel_cache_update,
	.rebuild	= ipsec_tunnel_rebuild_header,
	.create		= ipsec_tunnel_hard_header,
};
#endif
1388
1389 #ifdef NET_21
/*
 * Per-neighbour setup hook.  A neighbour still in NUD_NONE is switched to
 * arp_broken_ops and takes its output routine from that table; any other
 * state is left alone.  Always returns 0.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_neigh_setup(struct neighbour *n)
{
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_neigh_setup:\n");

	if (n->nud_state != NUD_NONE)
		return 0;

	n->ops = &arp_broken_ops;
	n->output = n->ops->output;
	return 0;
}
1402
/*
 * Per-device neighbour-parameter setup hook.  For the AF_INET table it
 * installs ipsec_tunnel_neigh_setup and disables unicast and multicast
 * probing; other families are left untouched.  Always returns 0.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_neigh_setup_dev(struct net_device *dev, struct neigh_parms *p)
{
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_neigh_setup_dev: "
		    "setting up %s\n",
		    dev ? dev->name : "NULL");

	if (p->tbl->family != AF_INET)
		return 0;

	p->neigh_setup = ipsec_tunnel_neigh_setup;
	p->ucast_probes = 0;
	p->mcast_probes = 0;
	return 0;
}
1418 #endif /* NET_21 */
1419
1420 /*
1421 * We call the detach routine to detach the ipsec tunnel from another device.
1422 */
1423
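/*
 * Detach the virtual ipsec device dev from its physical device.
 *
 * Drops the reference held on prv->dev, clears every revectored hook kept
 * in the private data, and resets the virtual device's link-layer
 * attributes (hard_header_len, dev_addr, addr_len and, with PHYSDEV_TYPE,
 * type).  With DETACH_AND_DOWN the device's own hooks and mtu are cleared
 * as well.
 *
 * Returns 0 on success, -ENODEV when dev is NULL, -ENODATA when dev has no
 * private data.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_detach(struct net_device *dev)
{
	struct ipsecpriv *prv;

	/* check dev before deriving anything from it */
	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_detach: "
			    "no device...");
		return -ENODEV;
	}
	prv = netdev_priv(dev);

	if (prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_detach: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return -ENODATA;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_detach: "
		    "physical device %s being detached from virtual device %s\n",
		    prv->dev ? prv->dev->name : "NULL",
		    dev->name);

	/*
	 * Callers only detach attached devices, but guard anyway so that a
	 * repeated detach does not hand a NULL device to ipsec_dev_put().
	 */
	if (prv->dev != NULL) {
		ipsec_dev_put(prv->dev);
		prv->dev = NULL;
	}
	prv->hard_start_xmit = NULL;
	prv->get_stats = NULL;

#ifdef HAVE_NETDEV_HEADER_OPS
	prv->header_ops = NULL;
#else
	prv->hard_header = NULL;
	prv->rebuild_header = NULL;
	prv->header_cache_update = NULL;
#ifndef NET_21
	prv->header_cache_bind = NULL;
#else
	/* prv->neigh_setup = NULL; */
#endif
#endif
	prv->set_mac_address = NULL;
	dev->hard_header_len = 0;

#ifdef DETACH_AND_DOWN
#ifdef HAVE_NETDEV_HEADER_OPS
	dev->header_ops = NULL;
#else
	dev->hard_header = NULL;
	dev->rebuild_header = NULL;
	dev->header_cache_update = NULL;
#ifndef NET_21
	dev->header_cache_bind = NULL;
#else
	dev->neigh_setup = NULL;
#endif
#endif
#ifdef HAVE_SET_MAC_ADDR
	dev->set_mac_address = NULL;
#endif
	dev->mtu = 0;
#endif /* DETACH_AND_DOWN */

	prv->mtu = 0;
	/* forget the physical device's hardware address */
	memset(dev->dev_addr, 0, MAX_ADDR_LEN);
	dev->addr_len = 0;
#ifdef PHYSDEV_TYPE
	dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */
#endif /* PHYSDEV_TYPE */

	return 0;
}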
1501
1502 /*
1503 * We call the clear routine to detach all ipsec tunnels from other devices.
1504 */
/*
 * Detach every ipsec device that currently has a physical device attached.
 * Stops at the first ipsec_tunnel_detach() failure and returns its error;
 * returns 0 otherwise.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_clear(void)
{
	int i;

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_clear: .\n");

	for (i = 0; i < IPSEC_NUM_IF; i++) {
		struct net_device *ipsecdev = ipsecdevices[i];
		struct net_device *prvdev;
		struct ipsecpriv *prv;
		int ret;

		if (ipsecdev == NULL)
			continue;
		prv = (struct ipsecpriv *)netdev_priv(ipsecdev);
		if (prv == NULL)
			continue;
		prvdev = (struct net_device *)(prv->dev);
		if (prvdev == NULL)
			continue;

		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_clear: "
			    "physical device for device %s is %s\n",
			    ipsecdev->name, prvdev->name);
		ret = ipsec_tunnel_detach(ipsecdev);
		if (ret) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_clear: "
				    "error %d detatching device %s from device %s.\n",
				    ret, ipsecdev->name, prvdev->name);
			return ret;
		}
	}
	return 0;
}
1539
1540 /*
1541 * Used mostly by KLIPS to set up the interface, but also with NETKEY when using the
1542 * 2.6.23+ UDP XFRM code to mark sockets UDP_ENCAP_ESPINUDP_NON_IKE
1543 */
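/*
 * Private ioctl handler of the virtual ipsec device.
 *
 * The request payload is overlaid on ifr->ifr_ifru.ifru_newname, so every
 * value read from it is untrusted user data:
 *  - IPSEC_SET_DEV: attach dev to the physical device named in cf->cf_name.
 *    The name is copied into a bounded, NUL-terminated local buffer before
 *    any string function sees it; with CONFIG_IP_ALIAS a ":alias" suffix
 *    is stripped.
 *  - IPSEC_DEL_DEV: detach dev from its physical device.
 *  - IPSEC_CLR_DEV: detach every ipsec device.
 *  - IPSEC_UDP_ENCAP_CONVERT (HAVE_UDP_ENCAP_CONVERT): two unsigned ints,
 *    a socket fd and an encapsulation type; the socket must be UDP and the
 *    type one of the two ESP-in-UDP encapsulations.
 *
 * Returns 0 or a negative errno; unknown commands give -EOPNOTSUPP.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
{
	/* overlay our struct ipsectunnel onto ifr.ifr_ifru union (hope it fits!) */
	struct ipsectunnelconf *cf = (struct ipsectunnelconf *)ifr->ifr_ifru.ifru_newname;
	struct ipsecpriv *prv;
	struct net_device *them; /* physical device */
	char realphysname[IFNAMSIZ];
#ifdef CONFIG_IP_ALIAS
	char *colon;
#endif /* CONFIG_IP_ALIAS */

	/* check dev before deriving anything from it */
	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "device not supplied.\n");
		return -ENODEV;
	}
	prv = netdev_priv(dev);

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_ioctl: "
		    "tncfg service call #%d for dev=%s\n",
		    cmd,
		    dev->name ? dev->name : "NULL");
	switch (cmd) {
#if defined(KLIPS)
	/* attach a virtual ipsec? device to a physical device */
	case IPSEC_SET_DEV:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "calling ipsec_tunnel_attatch...\n");
		/*
		 * cf->cf_name comes from user space and need not be
		 * NUL-terminated: bound the copy and terminate it ourselves.
		 * (The IFNAMSIZ copy length assumes cf_name spans that much of
		 * the ifreq payload — confirm against struct ipsectunnelconf.)
		 */
		strncpy(realphysname, cf->cf_name, IFNAMSIZ);
		realphysname[IFNAMSIZ - 1] = 0;
#ifdef CONFIG_IP_ALIAS
		/* If this is an IP alias interface, get its real physical name */
		colon = strchr(realphysname, ':');
		if (colon)
			*colon = 0;
#endif /* CONFIG_IP_ALIAS */
		them = ipsec_dev_get(realphysname);

		if (them == NULL) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_ioctl: "
				    "physical device %s requested is null\n",
				    realphysname);
			return -ENXIO;
		}

		if (prv && prv->dev) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_ioctl: "
				    "virtual device is already connected to %s.\n",
				    prv->dev->name ? prv->dev->name : "NULL");
			/* drop the reference ipsec_dev_get() took */
			ipsec_dev_put(them);
			return -EBUSY;
		}
		return ipsec_tunnel_attach(dev, them);

	case IPSEC_DEL_DEV:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "calling ipsec_tunnel_detatch.\n");
		/* prv may be NULL, exactly as IPSEC_SET_DEV already allows */
		if (prv == NULL || prv->dev == NULL) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_ioctl: "
				    "physical device not connected.\n");
			return -ENODEV;
		}
		return ipsec_tunnel_detach(dev);

	case IPSEC_CLR_DEV:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "calling ipsec_tunnel_clear.\n");
		return ipsec_tunnel_clear();
#endif /* KLIPS */

#ifdef HAVE_UDP_ENCAP_CONVERT
	/*
	 * we get two int args in ifr_data, the socket fd (0)
	 * and the type of encapsulation needed (1).
	 */
	case IPSEC_UDP_ENCAP_CONVERT:
	{
		/* overlay our struct ipsectunnel onto ifr.ifr_ifru union (hope it fits!) */
		unsigned int *ifp = (unsigned int *)ifr->ifr_ifru.ifru_newname;
		struct socket *sock;
		int err = 0;

		/* translate # to socket structure; sockfd_lookup() sets err on failure */
		sock = sockfd_lookup(ifp[0], &err);
		if (!sock)
			return err;

		/*
		 * udp_sk() is only meaningful for a UDP socket; refuse any
		 * other protocol rather than writing into its sock.
		 */
		if (sock->sk == NULL || sock->sk->sk_protocol != IPPROTO_UDP) {
			err = -EINVAL;
			goto encap_out;
		}
		/* only the two ESP-in-UDP encapsulation types are understood */
		if (ifp[1] != UDP_ENCAP_ESPINUDP_NON_IKE &&
		    ifp[1] != UDP_ENCAP_ESPINUDP) {
			err = -EINVAL;
			goto encap_out;
		}

		udp_sk(sock->sk)->encap_type = ifp[1];
		udp_sk(sock->sk)->encap_rcv = klips26_udp_encap_rcv;

		KLIPS_PRINT(debug_tunnel
			    , "UDP socket: %u set to %s (0x%x) encap mode\n"
			    , ifp[0]
			    , ifp[1] == UDP_ENCAP_ESPINUDP_NON_IKE ?
			    "UDP_ENCAP_ESPINUDP_NON_IKE" : "UDP_ENCAP_ESPINUDP_NON_ESP"
			    , ifp[1]
			    );

		err = 0;

encap_out:
		/* sockfd_lookup() took a reference on the socket's file */
		sockfd_put(sock);
		return err;
	}
#endif /* HAVE_UDP_ENCAP_CONVERT */

	default:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "unknown command %d.\n",
			    cmd);
		return -EOPNOTSUPP;
	}
}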
1681
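/*
 * Look up the ipsec device for instance number inst.
 *
 * Returns the pointer stored in ipsecdevices[inst] (which may itself be
 * NULL), or NULL when inst is outside [0, IPSEC_NUM_IF).  No reference is
 * taken; ipsec_tunnel_get_device() is the variant that holds the device.
 */
struct net_device *ipsec_get_device(int inst)
{
	/* a negative inst would index before the start of the table */
	if (inst < 0 || inst >= IPSEC_NUM_IF)
		return NULL;

	return ipsecdevices[inst];
}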
1694
/*
 * Detach the first ipsec device whose physical device is dev.  Helper for
 * ipsec_device_event(); ipsec devices without private data are reported
 * and skipped.
 */
static void
ipsec_device_event_detach_physical(struct net_device *dev)
{
	int i;

	for (i = 0; i < IPSEC_NUM_IF; i++) {
		struct net_device *ipsec_dev = ipsecdevices[i];
		struct ipsecpriv *priv;

		if (ipsec_dev == NULL)
			continue;

		priv = (struct ipsecpriv *)netdev_priv(ipsec_dev);
		if (priv == NULL) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_device_event: "
				    "device '%s' has no private data space!\n",
				    ipsec_dev->name);
			continue;
		}
		if (((struct net_device *)(priv->dev)) != dev)
			continue;

		/* dev_close(ipsec_dev); */
		/* return */ ipsec_tunnel_detach(ipsec_dev);
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "device '%s' has been detached.\n",
			    ipsec_dev->name);
		break;
	}
}

/*
 * Netdevice notifier: on NETDEV_DOWN (and, with NET_21, NETDEV_UNREGISTER)
 * of a physical device, detach the ipsec device bound to it.  Every other
 * event is only logged.  Loopback devices are ignored.  Always returns
 * NOTIFY_DONE.
 */
int
ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
{
	struct net_device *dev = ptr;

	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "dev=NULL for event type %ld.\n",
			    event);
		return NOTIFY_DONE;
	}

	/* check for loopback devices */
	if (dev->flags & IFF_LOOPBACK)
		return NOTIFY_DONE;

	switch (event) {
	case NETDEV_DOWN:
		/* look very carefully at the scope of these compiler
		   directives before changing anything... -- RGB */
#ifdef NET_21
	case NETDEV_UNREGISTER:
		switch (event) {
		case NETDEV_DOWN:
#endif /* NET_21 */
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_device_event: "
				    "NETDEV_DOWN dev=%s flags=%x\n",
				    dev->name,
				    dev->flags);
			if (strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
				printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
				       dev->name);
			}
#ifdef NET_21
			break;
		case NETDEV_UNREGISTER:
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_device_event: "
				    "NETDEV_UNREGISTER dev=%s flags=%x\n",
				    dev->name,
				    dev->flags);
			break;
		}
#endif /* NET_21 */

		/* find the attached physical device and detach it. */
		ipsec_device_event_detach_physical(dev);
		break;
	case NETDEV_UP:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_UP dev=%s\n",
			    dev->name);
		break;
#ifdef NET_21
	case NETDEV_REBOOT:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_REBOOT dev=%s\n",
			    dev->name);
		break;
	case NETDEV_CHANGE:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_CHANGE dev=%s flags=%x\n",
			    dev->name,
			    dev->flags);
		break;
	case NETDEV_REGISTER:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_REGISTER dev=%s\n",
			    dev->name);
		break;
	case NETDEV_CHANGEMTU:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
			    dev->name,
			    dev->mtu);
		break;
	case NETDEV_CHANGEADDR:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_CHANGEADDR dev=%s\n",
			    dev->name);
		break;
	case NETDEV_GOING_DOWN:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_GOING_DOWN dev=%s\n",
			    dev->name);
		break;
	case NETDEV_CHANGENAME:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "NETDEV_CHANGENAME dev=%s\n",
			    dev->name);
		break;
#endif /* NET_21 */
	default:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_device_event: "
			    "event type %ld unrecognised for dev=%s\n",
			    event,
			    dev->name);
		break;
	}
	return NOTIFY_DONE;
}
1834
1835 /*
1836 * Called when an ipsec tunnel device is initialized.
1837 * The ipsec tunnel device structure is passed to us.
1838 */
1839
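/*
 * Called when an ipsec tunnel device is initialized; dev is the virtual
 * device.  Zeroes its private area, installs the KLIPS hooks (through
 * klips_device_ops or the legacy per-device function pointers) and sets
 * the link-layer defaults: no hard header, mtu 0, ARPHRD_VOID, IFF_NOARP,
 * all-ones broadcast address.
 *
 * Returns 0, or -ENOMEM when the private area has to be allocated here
 * (no HAVE_NETDEV_PRIV) and kmalloc() fails.
 */
int
ipsec_tunnel_init(struct net_device *dev)
{
	KLIPS_PRINT(debug_tunnel,
		    "klips_debug:ipsec_tunnel_init: "
		    "allocating %lu bytes initialising device: %s\n",
		    (unsigned long) sizeof(struct ipsecpriv),
		    dev->name ? dev->name : "NULL");

#ifdef alloc_netdev
	dev->destructor = free_netdev;
#endif

#ifndef HAVE_NETDEV_PRIV
	{
		struct ipsecpriv *priv_dev;
		priv_dev = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
		/* this function returns int: report the failure to the caller */
		if (priv_dev == NULL)
			return -ENOMEM;
		/* store the buffer that was just allocated */
		dev->priv = priv_dev;
	}
#endif
	memset((caddr_t)netdev_priv(dev), 0, sizeof(struct ipsecpriv));

	memset((caddr_t)zeroes, 0, sizeof(zeroes));

#ifdef HAVE_NETDEV_HEADER_OPS
	dev->header_ops = NULL;
#else
	dev->hard_header = NULL;
	dev->rebuild_header = NULL;
#ifndef NET_21
	dev->header_cache_bind = NULL;
#endif /* !NET_21 */
	dev->header_cache_update = NULL;
#endif
#ifdef HAVE_NET_DEVICE_OPS
	dev->netdev_ops = &klips_device_ops;
#else
	dev->open = ipsec_tunnel_open;
	dev->stop = ipsec_tunnel_close;
	dev->hard_start_xmit = ipsec_tunnel_start_xmit;
	dev->get_stats = ipsec_tunnel_get_stats;
#ifdef HAVE_SET_MAC_ADDR
	dev->set_mac_address = NULL;
#endif
	dev->do_ioctl = ipsec_tunnel_ioctl;
	dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
#endif

#ifdef NET_21
	/* prv->neigh_setup = NULL; */
#endif /* NET_21 */
	dev->hard_header_len = 0;
	dev->mtu = 0;
	dev->addr_len = 0;
	dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
	dev->tx_queue_len = 10; /* Small queue */
#ifdef IFF_XMIT_DST_RELEASE
	dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
#endif
	memset((caddr_t)(dev->broadcast), 0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */

	/* New-style flags. */
	dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;

	/* We're done. Have I forgotten anything? */
	return 0;
}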
1913
1914 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1915 /* Module specific interface (but it links with the rest of IPSEC) */
1916 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1917
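/*
 * Device init hook (legacy dev->init and ndo_init): initialise the virtual
 * device.  Returns ipsec_tunnel_init()'s result so that a failure there
 * reaches the registration code instead of being discarded.
 */
int
ipsec_tunnel_probe(struct net_device *dev)
{
	return ipsec_tunnel_init(dev);
}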
1924
1925 #ifdef alloc_netdev
/* alloc_netdev() setup callback; all initialisation happens later in
 * ipsec_tunnel_init(), so there is nothing to do here. */
static void ipsec_tunnel_netdev_setup(struct net_device *dev)
{
	(void)dev;
}
1929 #endif
1930
/* Table of created virtual ipsec devices, indexed by instance number; NULL
 * entries are free slots.  Filled by ipsec_tunnel_createnum(). */
struct net_device *ipsecdevices[IPSEC_NUM_IFMAX];
/* Highest index ever populated in ipsecdevices; -1 while none has been. */
int ipsecdevices_max=-1;
1933
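/*
 * Create and register the virtual device named by IPSEC_DEV_FORMAT for
 * instance ifnum.
 *
 * Returns 0 on success; -ENOENT when ifnum is outside [0, IPSEC_NUM_IFMAX),
 * -EEXIST when that slot is already populated, -ENOMEM when allocation
 * fails, -EIO when register_netdev() fails.  On success ipsecdevices[ifnum]
 * holds the device with one reference taken by dev_hold(); on failure the
 * slot stays NULL and the allocation is released.
 */
int
ipsec_tunnel_createnum(int ifnum)
{
	char name[IFNAMSIZ];
	struct net_device *dev_ipsec;
	int vifentry;

	/* ipsecdevices has IPSEC_NUM_IFMAX entries, so IPSEC_NUM_IFMAX itself
	 * (and any negative value) is out of range */
	if (ifnum < 0 || ifnum >= IPSEC_NUM_IFMAX) {
		return -ENOENT;
	}

	if (ipsecdevices[ifnum] != NULL) {
		return -EEXIST;
	}

	/* no identical device */
	if (ifnum > ipsecdevices_max) {
		ipsecdevices_max = ifnum;
	}
	vifentry = ifnum;

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_init_devices: "
		    "creating and registering IPSEC_NUM_IF=%u device\n",
		    ifnum);

	/* bounded formatting into the IFNAMSIZ-byte name buffer */
	snprintf(name, sizeof(name), IPSEC_DEV_FORMAT, ifnum);
#ifdef alloc_netdev
	dev_ipsec = alloc_netdev(sizeof(struct ipsecpriv), name, ipsec_tunnel_netdev_setup);
#else
	dev_ipsec = (struct net_device *)kmalloc(sizeof(struct net_device), GFP_KERNEL);
#endif
	if (dev_ipsec == NULL) {
		printk(KERN_ERR "klips_debug:ipsec_tunnel_init_devices: "
		       "failed to allocate memory for device %s, quitting device init.\n",
		       name);
		return -ENOMEM;
	}
#ifndef alloc_netdev
	memset((caddr_t)dev_ipsec, 0, sizeof(struct net_device));
#ifdef NETDEV_23
	strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name));
#else /* NETDEV_23 */
	dev_ipsec->name = (char *)kmalloc(IFNAMSIZ, GFP_KERNEL);
	if (dev_ipsec->name == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_init_devices: "
			    "failed to allocate memory for device %s name, quitting device init.\n",
			    name);
		/* do not leak the device struct allocated above */
		kfree(dev_ipsec);
		return -ENOMEM;
	}
	memset((caddr_t)dev_ipsec->name, 0, IFNAMSIZ);
	strncpy(dev_ipsec->name, name, IFNAMSIZ);
#endif /* NETDEV_23 */
#ifdef PAUL_FIXME
	dev_ipsec->next = NULL;
#endif
#endif /* alloc_netdev */
#ifndef USE_NETDEV_OPS
	dev_ipsec->init = &ipsec_tunnel_probe;
#else
	dev_ipsec->netdev_ops = &klips_device_ops;
#endif
	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_init_devices: "
		    "registering device %s\n",
		    dev_ipsec->name);

	/* reference and hold the device reference */
	dev_hold(dev_ipsec);
	ipsecdevices[vifentry] = dev_ipsec;

	if (register_netdev(dev_ipsec) != 0) {
		KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_init_devices: "
			    "registering device %s failed, quitting device init.\n",
			    dev_ipsec->name);
		/*
		 * Undo the table entry and the hold above and free the
		 * never-registered device; leaving it in ipsecdevices would
		 * make the cleanup paths unregister a device that was never
		 * registered.
		 */
		ipsecdevices[vifentry] = NULL;
		ipsec_dev_put(dev_ipsec);
#ifdef alloc_netdev
		free_netdev(dev_ipsec);
#else
#ifndef NETDEV_23
		kfree(dev_ipsec->name);
#endif /* !NETDEV_23 */
		kfree(dev_ipsec);
#endif /* alloc_netdev */
		return -EIO;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_init_devices: "
		    "registering device %s succeeded, continuing...\n",
		    dev_ipsec->name);
	return 0;
}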
2020
2021
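/*
 * Create and register all IPSEC_NUM_IF virtual devices, in order.
 *
 * Stops at the first ipsec_tunnel_createnum() failure and returns its
 * error so the caller can tell a partial setup from a complete one;
 * returns 0 when every device was created.
 */
int
ipsec_tunnel_init_devices(void)
{
	int i;
	int error = 0;

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_init_devices: "
		    "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
		    IPSEC_NUM_IF,
		    (unsigned long) (sizeof(struct net_device) + IFNAMSIZ),
		    IFNAMSIZ);

	for (i = 0; i < IPSEC_NUM_IF; i++) {
		error = ipsec_tunnel_createnum(i);
		if (error)
			break;
	}
	/* report the first failure instead of an indistinguishable success */
	return error;
}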
2042
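/*
 * Unregister and release the virtual device in slot vifnum.
 *
 * Returns 0 on success, -ENOENT when vifnum is outside [0, IPSEC_NUM_IFMAX)
 * or the slot is empty.  The slot is cleared and the dev_hold() reference
 * from ipsec_tunnel_createnum() dropped before unregister_netdev(), which
 * waits for the reference count to reach zero.
 */
int
ipsec_tunnel_deletenum(int vifnum)
{
	struct net_device *dev_ipsec;
	char name[IFNAMSIZ];

	/* ipsecdevices has IPSEC_NUM_IFMAX entries; negative indexes are invalid too */
	if (vifnum < 0 || vifnum >= IPSEC_NUM_IFMAX) {
		return -ENOENT;
	}

	dev_ipsec = ipsecdevices[vifnum];
	if (dev_ipsec == NULL) {
		return -ENOENT;
	}

	/*
	 * With alloc_netdev the device's destructor (free_netdev, installed
	 * by ipsec_tunnel_init) runs once the last reference is gone, which
	 * can happen inside unregister_netdev(); keep a copy of the name for
	 * the message printed afterwards instead of reading the device.
	 */
	snprintf(name, sizeof(name), "%s", dev_ipsec->name);

	/* release reference */
	ipsecdevices[vifnum] = NULL;
	ipsec_dev_put(dev_ipsec);

	KLIPS_PRINT(debug_tunnel, "Unregistering %s (refcnt=%d)\n",
		    name,
		    atomic_read(&dev_ipsec->refcnt));
	unregister_netdev(dev_ipsec);
	KLIPS_PRINT(debug_tunnel, "Unregisted %s\n", name);
#ifndef NETDEV_23
	kfree(dev_ipsec->name);
	dev_ipsec->name = NULL;
#endif /* !NETDEV_23 */
#ifndef alloc_netdev
	kfree(dev_ipsec->priv);
	dev_ipsec->priv = NULL;
	/* the device itself came from kmalloc() in ipsec_tunnel_createnum() */
	kfree(dev_ipsec);
#endif /* alloc_netdev */

	return 0;
}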
2077
2078
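/*
 * Look up the virtual ipsec device in slot vifnum and take a reference.
 *
 * Returns the device with dev_hold() applied (the caller releases it), or
 * NULL when the slot is empty or vifnum is out of range.  The valid range
 * is [0, ipsecdevices_max] — ipsecdevices_max is the highest slot populated
 * so far, so it is inclusive — and never beyond the table size.
 */
struct net_device *
ipsec_tunnel_get_device(int vifnum)
{
	struct net_device *nd;

	if (vifnum < 0 || vifnum > ipsecdevices_max || vifnum >= IPSEC_NUM_IFMAX)
		return NULL;

	nd = ipsecdevices[vifnum];
	if (nd)
		dev_hold(nd);
	return nd;
}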
2093
2094 /* void */
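/*
 * Unregister and release every virtual ipsec device.
 *
 * Each slot goes through ipsec_tunnel_deletenum(), so the per-device
 * teardown lives in one place; an empty slot (-ENOENT) is not an error
 * here.  Returns the last other error seen, or 0.
 */
int
ipsec_tunnel_cleanup_devices(void)
{
	int error = 0;
	int i;

	for (i = 0; i < IPSEC_NUM_IF; i++) {
		int ret = ipsec_tunnel_deletenum(i);

		if (ret != 0 && ret != -ENOENT)
			error = ret;
	}
	return error;
}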
2128
2129 // ------------------------------------------------------------------------
2130 // this handles creating and managing state for xmit path
2131
/* Serialises updates of ixs_cache_allocated_count in the xmit-state
 * allocator below (taken with spin_lock_bh). */
static spinlock_t ixs_cache_lock = SPIN_LOCK_UNLOCKED;
/* kmem cache for struct ipsec_xmit_state; NULL until
 * ipsec_xmit_state_cache_init() has run. */
#ifdef HAVE_KMEM_CACHE_MACRO
static struct kmem_cache *ixs_cache_allocator = NULL;
#else
static kmem_cache_t *ixs_cache_allocator = NULL;
#endif
/* Number of xmit-state objects currently handed out. */
static unsigned ixs_cache_allocated_count = 0;

#if !defined(MODULE_PARM) && defined(module_param)
/*
 * As of 2.6.17 MODULE_PARM no longer exists, use module_param instead.
 */
#define MODULE_PARM(a,b) module_param(a,int,0644)
#endif

/* Upper bound on outstanding xmit states; tunable as a module parameter. */
int ipsec_ixs_cache_allocated_count_max = 1000;
MODULE_PARM(ipsec_ixs_cache_allocated_count_max, "i");
MODULE_PARM_DESC(ipsec_ixs_cache_allocated_count_max,
		 "Maximum outstanding transmit packets");
2151
/*
 * Create the kmem cache backing ipsec_xmit_state_new().
 * Returns 0 on success, -EBUSY if the cache already exists, -ENOMEM if
 * kmem_cache_create() fails.
 */
int
ipsec_xmit_state_cache_init (void)
{
	if (ixs_cache_allocator != NULL)
		return -EBUSY;

	spin_lock_init(&ixs_cache_lock);
#ifdef HAVE_KMEM_CACHE_MACRO
	/* ixs_cache_allocator = KMEM_CACHE(ipsec_ixs,0); */
	ixs_cache_allocator = kmem_cache_create("ipsec_ixs",
						sizeof(struct ipsec_xmit_state),
						0, 0, NULL);
#else
	ixs_cache_allocator = kmem_cache_create("ipsec_ixs",
						sizeof(struct ipsec_xmit_state),
						0, 0, NULL, NULL);
#endif
	return (ixs_cache_allocator != NULL) ? 0 : -ENOMEM;
}
2174
/*
 * Destroy the xmit-state kmem cache and reset the outstanding count.
 * Warns (but proceeds) when objects are still outstanding.
 */
void
ipsec_xmit_state_cache_cleanup (void)
{
	if (unlikely(ixs_cache_allocated_count != 0))
		printk("ipsec: deleting ipsec_ixs kmem_cache while in use\n");

	if (ixs_cache_allocator != NULL) {
		kmem_cache_destroy(ixs_cache_allocator);
		ixs_cache_allocator = NULL;
	}
	ixs_cache_allocated_count = 0;
}
2187
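/*
 * Allocate a zeroed struct ipsec_xmit_state from the kmem cache.
 *
 * Returns NULL when the cache has not been created, when the number of
 * outstanding objects has reached ipsec_ixs_cache_allocated_count_max, or
 * when kmem_cache_alloc() fails.  The outstanding count is maintained under
 * ixs_cache_lock and decremented again by ipsec_xmit_state_delete().
 */
struct ipsec_xmit_state *
ipsec_xmit_state_new (void)
{
	struct ipsec_xmit_state *ixs;
	unsigned outstanding;

	/* the cache is created by ipsec_xmit_state_cache_init() */
	if (ixs_cache_allocator == NULL)
		return NULL;

	spin_lock_bh(&ixs_cache_lock);

	/* NOTE: the unsigned/int comparison means a negative max disables the
	 * limit rather than refusing every allocation */
	if (ixs_cache_allocated_count >= ipsec_ixs_cache_allocated_count_max) {
		outstanding = ixs_cache_allocated_count;
		spin_unlock_bh(&ixs_cache_lock);
		KLIPS_PRINT(debug_tunnel,
			    "klips_debug:ipsec_xmit_state_new: "
			    "exceeded maximum outstanding TX packet cnt %u\n",
			    outstanding);
		return NULL;
	}

	ixs = kmem_cache_alloc(ixs_cache_allocator, GFP_ATOMIC);
	if (likely(ixs != NULL))
		ixs_cache_allocated_count++;

	spin_unlock_bh(&ixs_cache_lock);

	if (unlikely(ixs == NULL))
		return NULL;

	/* initialize the object: clearing everything also NULLs every pointer */
	memset((caddr_t)ixs, 0, sizeof(*ixs));
	return ixs;
}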
2246
/*
 * Release a transmit state object obtained from ipsec_xmit_state_new().
 *
 * NULL is accepted and ignored.  If the object refers to a device whose
 * TX queue is stopped, the queue is woken before the object is returned
 * to the cache.  The counter decrement and the free happen under
 * ixs_cache_lock so they stay consistent with the accounting in _new().
 */
void
ipsec_xmit_state_delete (struct ipsec_xmit_state *ixs)
{
	if (unlikely (! ixs))
		return;

	/* Done outside the cache lock; only needs ixs->dev. */
	if (ixs->dev && netif_queue_stopped(ixs->dev))
		netif_wake_queue(ixs->dev);

	spin_lock_bh (&ixs_cache_lock);

	/* No double-free guard here: freeing twice would also skew the count. */
	ixs_cache_allocated_count--;
	kmem_cache_free (ixs_cache_allocator, ixs);

	spin_unlock_bh (&ixs_cache_lock);
}
2263
#ifdef HAVE_NET_DEVICE_OPS
/*
 * net_device_ops table installed on the ipsec virtual device by
 * ipsec_tunnel_attach() on kernels that have struct net_device_ops.
 * Older kernels assign the individual function pointers instead.
 */
const struct net_device_ops klips_device_ops = {
	/* Add our tunnel functions to the device */
	.ndo_init = ipsec_tunnel_probe,
	.ndo_open = ipsec_tunnel_open,
	.ndo_stop = ipsec_tunnel_close,
	.ndo_start_xmit = ipsec_tunnel_start_xmit,
	.ndo_get_stats = ipsec_tunnel_get_stats,
	.ndo_neigh_setup = ipsec_tunnel_neigh_setup_dev,
	.ndo_do_ioctl = ipsec_tunnel_ioctl,

#ifdef HAVE_SET_MAC_ADDR
	.ndo_set_mac_address = ipsec_tunnel_set_mac_address,
#endif
};
#endif
2280
2281 /*
2282 * We call the attach routine to attach another device.
2283 */
2284
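/*
 * Bind the ipsec virtual device @dev to the physical device @physdev.
 *
 * Installs the KLIPS header/netdev ops on @dev, records @physdev and its
 * transmit/stats entry points in the private area, and copies hard-header
 * length, type, address length and hardware address from @physdev.  The
 * virtual device's own MTU is fixed at 16260; the physical MTU is kept in
 * prv->mtu.
 *
 * Returns 0 on success; -ENODEV if @dev or @physdev is NULL (or, on
 * HAVE_NET_DEVICE_OPS kernels, if @physdev has no netdev_ops); -ENODATA if
 * @dev has no private area.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_attach(struct net_device *dev, struct net_device *physdev)
{
	struct ipsecpriv *prv;

	/*
	 * Check dev before calling netdev_priv(): it derives the pointer from
	 * dev by offset, so on a NULL dev it is UB and would never be NULL
	 * itself, making the prv check below ineffective.
	 */
	if (dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "no device...\n");
		return -ENODEV;
	}

	prv = netdev_priv(dev);
	if (prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "no private space associated with dev=%s\n",
			    dev->name);
		return -ENODATA;
	}

	/* physdev is dereferenced unconditionally below. */
	if (physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "no physical device for dev=%s\n",
			    dev->name);
		return -ENODEV;
	}
#ifdef HAVE_NET_DEVICE_OPS
	if (physdev->netdev_ops == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "physical device %s has no netdev_ops\n",
			    physdev->name);
		return -ENODEV;
	}
#endif

#ifdef HAVE_NETDEV_HEADER_OPS
	dev->header_ops = &klips_header_ops;
#endif
#ifdef HAVE_NET_DEVICE_OPS
	dev->netdev_ops = &klips_device_ops;
#else
# ifdef HAVE_SET_MAC_ADDR
	dev->set_mac_address = ipsec_tunnel_set_mac_address;
# endif
#endif /* HAVE_NET_DEVICE_OPS */
	prv->dev = physdev;

	/* Where transmit and stats requests are forwarded to. */
#ifdef HAVE_NET_DEVICE_OPS
	prv->hard_start_xmit = physdev->netdev_ops->ndo_start_xmit;
	prv->get_stats = physdev->netdev_ops->ndo_get_stats;
#else
	prv->hard_start_xmit = physdev->hard_start_xmit;
	prv->get_stats = physdev->get_stats;
#endif
	dev->hard_header_len = physdev->hard_header_len;

	/* prv->neigh_setup = physdev->neigh_setup; */
	dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
	prv->mtu = physdev->mtu;

#ifdef PHYSDEV_TYPE
	dev->type = physdev->type; /* ARPHRD_TUNNEL; */
#endif /* PHYSDEV_TYPE */

	/*
	 * Mirror the hardware address.  addr_len comes from the kernel's own
	 * device and is assumed (as the original byte loop did) to fit the
	 * dev_addr storage on both sides.
	 */
	dev->addr_len = physdev->addr_len;
	memcpy(dev->dev_addr, physdev->dev_addr, dev->addr_len);

#ifdef CONFIG_KLIPS_DEBUG
	if (debug_tunnel & DB_TN_INIT) {
		int i;

		/* %02x for every octet so the first one is not space-padded. */
		printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
		       "physical device %s being attached has HW address: %02x",
		       physdev->name, physdev->dev_addr[0]);
		for (i = 1; i < physdev->addr_len; i++)
			printk(":%02x", physdev->dev_addr[i]);
		printk("\n");
	}
#endif /* CONFIG_KLIPS_DEBUG */

	return 0;
}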
2353
2354
2355 /*
2356 * Local Variables:
2357 * c-style: linux
2358 * End:
2359 */
