diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-10-08 20:16:30 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:54:53 -0400 |
commit | 406ef77c893ebd882209be4e393d64b01fe72054 (patch) | |
tree | 815d753889769b355fba7e648abef7ad1422559e | |
parent | bc31d3b2c7d7f2a03721a05cb3c9a3ce8b1e2e5a (diff) |
[IPSEC]: Move common output code to xfrm_output
Most of the code in xfrm4_output_one and xfrm6_output_one are identical so
this patch moves them into a common xfrm_output function which will live
in net/xfrm.
In fact this would seem to fix a bug as on IPv4 we never reset the network
header after a transform which may upset netfilter later on.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/xfrm.h | 1 | ||||
-rw-r--r-- | net/ipv4/xfrm4_output.c | 40 | ||||
-rw-r--r-- | net/ipv6/xfrm6_output.c | 45 | ||||
-rw-r--r-- | net/xfrm/Makefile | 2 | ||||
-rw-r--r-- | net/xfrm/xfrm_output.c | 73 |
5 files changed, 84 insertions, 77 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 760d2432be6..f5147ddb818 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -1016,6 +1016,7 @@ extern void xfrm_replay_notify(struct xfrm_state *x, int event); | |||
1016 | extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); | 1016 | extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); |
1017 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); | 1017 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); |
1018 | extern int xfrm_init_state(struct xfrm_state *x); | 1018 | extern int xfrm_init_state(struct xfrm_state *x); |
1019 | extern int xfrm_output(struct sk_buff *skb); | ||
1019 | extern int xfrm4_rcv(struct sk_buff *skb); | 1020 | extern int xfrm4_rcv(struct sk_buff *skb); |
1020 | extern int xfrm4_output(struct sk_buff *skb); | 1021 | extern int xfrm4_output(struct sk_buff *skb); |
1021 | extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); | 1022 | extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); |
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index 44ef208a75c..04805c7d79c 100644 --- a/net/ipv4/xfrm4_output.c +++ b/net/ipv4/xfrm4_output.c | |||
@@ -12,7 +12,6 @@ | |||
12 | #include <linux/if_ether.h> | 12 | #include <linux/if_ether.h> |
13 | #include <linux/kernel.h> | 13 | #include <linux/kernel.h> |
14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
15 | #include <linux/spinlock.h> | ||
16 | #include <linux/netfilter_ipv4.h> | 15 | #include <linux/netfilter_ipv4.h> |
17 | #include <net/ip.h> | 16 | #include <net/ip.h> |
18 | #include <net/xfrm.h> | 17 | #include <net/xfrm.h> |
@@ -41,58 +40,27 @@ out: | |||
41 | return ret; | 40 | return ret; |
42 | } | 41 | } |
43 | 42 | ||
44 | static int xfrm4_output_one(struct sk_buff *skb) | 43 | static inline int xfrm4_output_one(struct sk_buff *skb) |
45 | { | 44 | { |
46 | struct dst_entry *dst = skb->dst; | 45 | struct dst_entry *dst = skb->dst; |
47 | struct xfrm_state *x = dst->xfrm; | 46 | struct xfrm_state *x = dst->xfrm; |
48 | int err; | 47 | int err; |
49 | 48 | ||
50 | if (skb->ip_summed == CHECKSUM_PARTIAL) { | ||
51 | err = skb_checksum_help(skb); | ||
52 | if (err) | ||
53 | goto error_nolock; | ||
54 | } | ||
55 | |||
56 | if (x->props.mode == XFRM_MODE_TUNNEL) { | 49 | if (x->props.mode == XFRM_MODE_TUNNEL) { |
57 | err = xfrm4_tunnel_check_size(skb); | 50 | err = xfrm4_tunnel_check_size(skb); |
58 | if (err) | 51 | if (err) |
59 | goto error_nolock; | 52 | goto error_nolock; |
60 | } | 53 | } |
61 | 54 | ||
62 | do { | 55 | err = xfrm_output(skb); |
63 | spin_lock_bh(&x->lock); | 56 | if (err) |
64 | err = xfrm_state_check(x, skb); | 57 | goto error_nolock; |
65 | if (err) | ||
66 | goto error; | ||
67 | |||
68 | err = x->mode->output(x, skb); | ||
69 | if (err) | ||
70 | goto error; | ||
71 | |||
72 | err = x->type->output(x, skb); | ||
73 | if (err) | ||
74 | goto error; | ||
75 | |||
76 | x->curlft.bytes += skb->len; | ||
77 | x->curlft.packets++; | ||
78 | |||
79 | spin_unlock_bh(&x->lock); | ||
80 | |||
81 | if (!(skb->dst = dst_pop(dst))) { | ||
82 | err = -EHOSTUNREACH; | ||
83 | goto error_nolock; | ||
84 | } | ||
85 | dst = skb->dst; | ||
86 | x = dst->xfrm; | ||
87 | } while (x && (x->props.mode != XFRM_MODE_TUNNEL)); | ||
88 | 58 | ||
89 | IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; | 59 | IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; |
90 | err = 0; | 60 | err = 0; |
91 | 61 | ||
92 | out_exit: | 62 | out_exit: |
93 | return err; | 63 | return err; |
94 | error: | ||
95 | spin_unlock_bh(&x->lock); | ||
96 | error_nolock: | 64 | error_nolock: |
97 | kfree_skb(skb); | 65 | kfree_skb(skb); |
98 | goto out_exit; | 66 | goto out_exit; |
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index 56364a5f676..f21596f8998 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c | |||
@@ -9,9 +9,9 @@ | |||
9 | * 2 of the License, or (at your option) any later version. | 9 | * 2 of the License, or (at your option) any later version. |
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include <linux/if_ether.h> | ||
12 | #include <linux/compiler.h> | 13 | #include <linux/compiler.h> |
13 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
14 | #include <linux/spinlock.h> | ||
15 | #include <linux/icmpv6.h> | 15 | #include <linux/icmpv6.h> |
16 | #include <linux/netfilter_ipv6.h> | 16 | #include <linux/netfilter_ipv6.h> |
17 | #include <net/ipv6.h> | 17 | #include <net/ipv6.h> |
@@ -43,62 +43,27 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb) | |||
43 | return ret; | 43 | return ret; |
44 | } | 44 | } |
45 | 45 | ||
46 | static int xfrm6_output_one(struct sk_buff *skb) | 46 | static inline int xfrm6_output_one(struct sk_buff *skb) |
47 | { | 47 | { |
48 | struct dst_entry *dst = skb->dst; | 48 | struct dst_entry *dst = skb->dst; |
49 | struct xfrm_state *x = dst->xfrm; | 49 | struct xfrm_state *x = dst->xfrm; |
50 | int err; | 50 | int err; |
51 | 51 | ||
52 | if (skb->ip_summed == CHECKSUM_PARTIAL) { | ||
53 | err = skb_checksum_help(skb); | ||
54 | if (err) | ||
55 | goto error_nolock; | ||
56 | } | ||
57 | |||
58 | if (x->props.mode == XFRM_MODE_TUNNEL) { | 52 | if (x->props.mode == XFRM_MODE_TUNNEL) { |
59 | err = xfrm6_tunnel_check_size(skb); | 53 | err = xfrm6_tunnel_check_size(skb); |
60 | if (err) | 54 | if (err) |
61 | goto error_nolock; | 55 | goto error_nolock; |
62 | } | 56 | } |
63 | 57 | ||
64 | do { | 58 | err = xfrm_output(skb); |
65 | spin_lock_bh(&x->lock); | 59 | if (err) |
66 | err = xfrm_state_check(x, skb); | 60 | goto error_nolock; |
67 | if (err) | ||
68 | goto error; | ||
69 | |||
70 | err = x->mode->output(x, skb); | ||
71 | if (err) | ||
72 | goto error; | ||
73 | |||
74 | err = x->type->output(x, skb); | ||
75 | if (err) | ||
76 | goto error; | ||
77 | |||
78 | x->curlft.bytes += skb->len; | ||
79 | x->curlft.packets++; | ||
80 | if (x->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) | ||
81 | x->lastused = get_seconds(); | ||
82 | |||
83 | spin_unlock_bh(&x->lock); | ||
84 | |||
85 | skb_reset_network_header(skb); | ||
86 | |||
87 | if (!(skb->dst = dst_pop(dst))) { | ||
88 | err = -EHOSTUNREACH; | ||
89 | goto error_nolock; | ||
90 | } | ||
91 | dst = skb->dst; | ||
92 | x = dst->xfrm; | ||
93 | } while (x && (x->props.mode != XFRM_MODE_TUNNEL)); | ||
94 | 61 | ||
95 | IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; | 62 | IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; |
96 | err = 0; | 63 | err = 0; |
97 | 64 | ||
98 | out_exit: | 65 | out_exit: |
99 | return err; | 66 | return err; |
100 | error: | ||
101 | spin_unlock_bh(&x->lock); | ||
102 | error_nolock: | 67 | error_nolock: |
103 | kfree_skb(skb); | 68 | kfree_skb(skb); |
104 | goto out_exit; | 69 | goto out_exit; |
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile index de3c1a625a4..45744a3d3a5 100644 --- a/net/xfrm/Makefile +++ b/net/xfrm/Makefile | |||
@@ -3,6 +3,6 @@ | |||
3 | # | 3 | # |
4 | 4 | ||
5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ | 5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ |
6 | xfrm_input.o xfrm_algo.o | 6 | xfrm_input.o xfrm_output.o xfrm_algo.o |
7 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o | 7 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o |
8 | 8 | ||
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c new file mode 100644 index 00000000000..75f289b488a --- /dev/null +++ b/net/xfrm/xfrm_output.c | |||
@@ -0,0 +1,73 @@ | |||
1 | /* | ||
2 | * xfrm_output.c - Common IPsec encapsulation code. | ||
3 | * | ||
4 | * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au> | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or | ||
7 | * modify it under the terms of the GNU General Public License | ||
8 | * as published by the Free Software Foundation; either version | ||
9 | * 2 of the License, or (at your option) any later version. | ||
10 | */ | ||
11 | |||
12 | #include <linux/errno.h> | ||
13 | #include <linux/module.h> | ||
14 | #include <linux/netdevice.h> | ||
15 | #include <linux/skbuff.h> | ||
16 | #include <linux/spinlock.h> | ||
17 | #include <linux/time.h> | ||
18 | #include <net/dst.h> | ||
19 | #include <net/xfrm.h> | ||
20 | |||
21 | int xfrm_output(struct sk_buff *skb) | ||
22 | { | ||
23 | struct dst_entry *dst = skb->dst; | ||
24 | struct xfrm_state *x = dst->xfrm; | ||
25 | int err; | ||
26 | |||
27 | if (skb->ip_summed == CHECKSUM_PARTIAL) { | ||
28 | err = skb_checksum_help(skb); | ||
29 | if (err) | ||
30 | goto error_nolock; | ||
31 | } | ||
32 | |||
33 | do { | ||
34 | spin_lock_bh(&x->lock); | ||
35 | err = xfrm_state_check(x, skb); | ||
36 | if (err) | ||
37 | goto error; | ||
38 | |||
39 | err = x->mode->output(x, skb); | ||
40 | if (err) | ||
41 | goto error; | ||
42 | |||
43 | err = x->type->output(x, skb); | ||
44 | if (err) | ||
45 | goto error; | ||
46 | |||
47 | x->curlft.bytes += skb->len; | ||
48 | x->curlft.packets++; | ||
49 | |||
50 | if (x->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) | ||
51 | x->lastused = get_seconds(); | ||
52 | |||
53 | spin_unlock_bh(&x->lock); | ||
54 | |||
55 | skb_reset_network_header(skb); | ||
56 | |||
57 | if (!(skb->dst = dst_pop(dst))) { | ||
58 | err = -EHOSTUNREACH; | ||
59 | goto error_nolock; | ||
60 | } | ||
61 | dst = skb->dst; | ||
62 | x = dst->xfrm; | ||
63 | } while (x && (x->props.mode != XFRM_MODE_TUNNEL)); | ||
64 | |||
65 | err = 0; | ||
66 | |||
67 | error_nolock: | ||
68 | return err; | ||
69 | error: | ||
70 | spin_unlock_bh(&x->lock); | ||
71 | goto error_nolock; | ||
72 | } | ||
73 | EXPORT_SYMBOL_GPL(xfrm_output); | ||