aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2007-12-12 13:44:16 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:57:22 -0500
commitd5422efe680fc55010c6ddca2370ca9548a96355 (patch)
treef72fa5eb779c8ae7d49688a9caac9b69a1f3bd58
parent815f4e57e9fc67456624ecde0515a901368c78d2 (diff)
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch adds the functions xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get the reverse flow to perform such a lookup. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/xfrm.h1
-rw-r--r--include/net/xfrm.h63
-rw-r--r--net/ipv4/xfrm4_policy.c10
-rw-r--r--net/ipv6/xfrm6_policy.c10
-rw-r--r--net/xfrm/xfrm_policy.c17
5 files changed, 80 insertions, 21 deletions
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index b58adc52448d..c0e41e02234f 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -114,6 +114,7 @@ enum
114 XFRM_POLICY_IN = 0, 114 XFRM_POLICY_IN = 0,
115 XFRM_POLICY_OUT = 1, 115 XFRM_POLICY_OUT = 1,
116 XFRM_POLICY_FWD = 2, 116 XFRM_POLICY_FWD = 2,
117 XFRM_POLICY_MASK = 3,
117 XFRM_POLICY_MAX = 3 118 XFRM_POLICY_MAX = 3
118}; 119};
119 120
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index fe881b6e2bd0..d6dae5ae7abe 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -239,7 +239,8 @@ struct xfrm_policy_afinfo {
239 int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); 239 int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
240 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); 240 struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
241 void (*decode_session)(struct sk_buff *skb, 241 void (*decode_session)(struct sk_buff *skb,
242 struct flowi *fl); 242 struct flowi *fl,
243 int reverse);
243 int (*get_tos)(struct flowi *fl); 244 int (*get_tos)(struct flowi *fl);
244 int (*fill_dst)(struct xfrm_dst *xdst, 245 int (*fill_dst)(struct xfrm_dst *xdst,
245 struct net_device *dev); 246 struct net_device *dev);
@@ -844,14 +845,23 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short
844#ifdef CONFIG_XFRM 845#ifdef CONFIG_XFRM
845extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); 846extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
846 847
847static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) 848static inline int __xfrm_policy_check2(struct sock *sk, int dir,
849 struct sk_buff *skb,
850 unsigned int family, int reverse)
848{ 851{
852 int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
853
849 if (sk && sk->sk_policy[XFRM_POLICY_IN]) 854 if (sk && sk->sk_policy[XFRM_POLICY_IN])
850 return __xfrm_policy_check(sk, dir, skb, family); 855 return __xfrm_policy_check(sk, ndir, skb, family);
851 856
852 return (!xfrm_policy_count[dir] && !skb->sp) || 857 return (!xfrm_policy_count[dir] && !skb->sp) ||
853 (skb->dst->flags & DST_NOPOLICY) || 858 (skb->dst->flags & DST_NOPOLICY) ||
854 __xfrm_policy_check(sk, dir, skb, family); 859 __xfrm_policy_check(sk, ndir, skb, family);
860}
861
862static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
863{
864 return __xfrm_policy_check2(sk, dir, skb, family, 0);
855} 865}
856 866
857static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) 867static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
@@ -864,7 +874,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s
864 return xfrm_policy_check(sk, dir, skb, AF_INET6); 874 return xfrm_policy_check(sk, dir, skb, AF_INET6);
865} 875}
866 876
867extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); 877static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
878 struct sk_buff *skb)
879{
880 return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
881}
882
883static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
884 struct sk_buff *skb)
885{
886 return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
887}
888
889extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
890 unsigned int family, int reverse);
891
892static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
893 unsigned int family)
894{
895 return __xfrm_decode_session(skb, fl, family, 0);
896}
897
898static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
899 struct flowi *fl,
900 unsigned int family)
901{
902 return __xfrm_decode_session(skb, fl, family, 1);
903}
904
868extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); 905extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
869 906
870static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) 907static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
@@ -925,6 +962,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk
925{ 962{
926 return 1; 963 return 1;
927} 964}
965static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
966 struct flowi *fl,
967 unsigned int family)
968{
969 return -ENOSYS;
970}
971static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
972 struct sk_buff *skb)
973{
974 return 1;
975}
976static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
977 struct sk_buff *skb)
978{
979 return 1;
980}
928#endif 981#endif
929 982
930static __inline__ 983static __inline__
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 10b72d185bb9..5ccae3a463c2 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -115,7 +115,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
115} 115}
116 116
117static void 117static void
118_decode_session4(struct sk_buff *skb, struct flowi *fl) 118_decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
119{ 119{
120 struct iphdr *iph = ip_hdr(skb); 120 struct iphdr *iph = ip_hdr(skb);
121 u8 *xprth = skb_network_header(skb) + iph->ihl * 4; 121 u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
@@ -131,8 +131,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl)
131 if (pskb_may_pull(skb, xprth + 4 - skb->data)) { 131 if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
132 __be16 *ports = (__be16 *)xprth; 132 __be16 *ports = (__be16 *)xprth;
133 133
134 fl->fl_ip_sport = ports[0]; 134 fl->fl_ip_sport = ports[!!reverse];
135 fl->fl_ip_dport = ports[1]; 135 fl->fl_ip_dport = ports[!reverse];
136 } 136 }
137 break; 137 break;
138 138
@@ -174,8 +174,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl)
174 } 174 }
175 } 175 }
176 fl->proto = iph->protocol; 176 fl->proto = iph->protocol;
177 fl->fl4_dst = iph->daddr; 177 fl->fl4_dst = reverse ? iph->saddr : iph->daddr;
178 fl->fl4_src = iph->saddr; 178 fl->fl4_src = reverse ? iph->daddr : iph->saddr;
179 fl->fl4_tos = iph->tos; 179 fl->fl4_tos = iph->tos;
180} 180}
181 181
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 181cf91538f1..d26b7dc3f33b 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -123,7 +123,7 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
123} 123}
124 124
125static inline void 125static inline void
126_decode_session6(struct sk_buff *skb, struct flowi *fl) 126_decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
127{ 127{
128 u16 offset = skb_network_header_len(skb); 128 u16 offset = skb_network_header_len(skb);
129 struct ipv6hdr *hdr = ipv6_hdr(skb); 129 struct ipv6hdr *hdr = ipv6_hdr(skb);
@@ -132,8 +132,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl)
132 u8 nexthdr = nh[IP6CB(skb)->nhoff]; 132 u8 nexthdr = nh[IP6CB(skb)->nhoff];
133 133
134 memset(fl, 0, sizeof(struct flowi)); 134 memset(fl, 0, sizeof(struct flowi));
135 ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr); 135 ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr);
136 ipv6_addr_copy(&fl->fl6_src, &hdr->saddr); 136 ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr);
137 137
138 while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { 138 while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
139 nh = skb_network_header(skb); 139 nh = skb_network_header(skb);
@@ -156,8 +156,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl)
156 if (pskb_may_pull(skb, nh + offset + 4 - skb->data)) { 156 if (pskb_may_pull(skb, nh + offset + 4 - skb->data)) {
157 __be16 *ports = (__be16 *)exthdr; 157 __be16 *ports = (__be16 *)exthdr;
158 158
159 fl->fl_ip_sport = ports[0]; 159 fl->fl_ip_sport = ports[!!reverse];
160 fl->fl_ip_dport = ports[1]; 160 fl->fl_ip_dport = ports[!reverse];
161 } 161 }
162 fl->proto = nexthdr; 162 fl->proto = nexthdr;
163 return; 163 return;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 3d516d57b5b2..2e10d46c0e8c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1732,8 +1732,8 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
1732 return start; 1732 return start;
1733} 1733}
1734 1734
1735int 1735int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
1736xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family) 1736 unsigned int family, int reverse)
1737{ 1737{
1738 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1738 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1739 int err; 1739 int err;
@@ -1741,12 +1741,12 @@ xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family
1741 if (unlikely(afinfo == NULL)) 1741 if (unlikely(afinfo == NULL))
1742 return -EAFNOSUPPORT; 1742 return -EAFNOSUPPORT;
1743 1743
1744 afinfo->decode_session(skb, fl); 1744 afinfo->decode_session(skb, fl, reverse);
1745 err = security_xfrm_decode_session(skb, &fl->secid); 1745 err = security_xfrm_decode_session(skb, &fl->secid);
1746 xfrm_policy_put_afinfo(afinfo); 1746 xfrm_policy_put_afinfo(afinfo);
1747 return err; 1747 return err;
1748} 1748}
1749EXPORT_SYMBOL(xfrm_decode_session); 1749EXPORT_SYMBOL(__xfrm_decode_session);
1750 1750
1751static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) 1751static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
1752{ 1752{
@@ -1768,11 +1768,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
1768 int npols = 0; 1768 int npols = 0;
1769 int xfrm_nr; 1769 int xfrm_nr;
1770 int pi; 1770 int pi;
1771 int reverse;
1771 struct flowi fl; 1772 struct flowi fl;
1772 u8 fl_dir = policy_to_flow_dir(dir); 1773 u8 fl_dir;
1773 int xerr_idx = -1; 1774 int xerr_idx = -1;
1774 1775
1775 if (xfrm_decode_session(skb, &fl, family) < 0) 1776 reverse = dir & ~XFRM_POLICY_MASK;
1777 dir &= XFRM_POLICY_MASK;
1778 fl_dir = policy_to_flow_dir(dir);
1779
1780 if (__xfrm_decode_session(skb, &fl, family, reverse) < 0)
1776 return 0; 1781 return 0;
1777 nf_nat_decode_session(skb, &fl, family); 1782 nf_nat_decode_session(skb, &fl, family);
1778 1783