diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-12-12 13:44:16 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:57:22 -0500 |
commit | d5422efe680fc55010c6ddca2370ca9548a96355 (patch) | |
tree | f72fa5eb779c8ae7d49688a9caac9b69a1f3bd58 | |
parent | 815f4e57e9fc67456624ecde0515a901368c78d2 (diff) |
[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any
policies using the reverse of its payload. This patch adds the functions
xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get
the reverse flow to perform such a lookup.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/xfrm.h | 1 | ||||
-rw-r--r-- | include/net/xfrm.h | 63 | ||||
-rw-r--r-- | net/ipv4/xfrm4_policy.c | 10 | ||||
-rw-r--r-- | net/ipv6/xfrm6_policy.c | 10 | ||||
-rw-r--r-- | net/xfrm/xfrm_policy.c | 17 |
5 files changed, 80 insertions, 21 deletions
diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h index b58adc52448d..c0e41e02234f 100644 --- a/include/linux/xfrm.h +++ b/include/linux/xfrm.h | |||
@@ -114,6 +114,7 @@ enum | |||
114 | XFRM_POLICY_IN = 0, | 114 | XFRM_POLICY_IN = 0, |
115 | XFRM_POLICY_OUT = 1, | 115 | XFRM_POLICY_OUT = 1, |
116 | XFRM_POLICY_FWD = 2, | 116 | XFRM_POLICY_FWD = 2, |
117 | XFRM_POLICY_MASK = 3, | ||
117 | XFRM_POLICY_MAX = 3 | 118 | XFRM_POLICY_MAX = 3 |
118 | }; | 119 | }; |
119 | 120 | ||
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index fe881b6e2bd0..d6dae5ae7abe 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
@@ -239,7 +239,8 @@ struct xfrm_policy_afinfo { | |||
239 | int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); | 239 | int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr); |
240 | struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); | 240 | struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy); |
241 | void (*decode_session)(struct sk_buff *skb, | 241 | void (*decode_session)(struct sk_buff *skb, |
242 | struct flowi *fl); | 242 | struct flowi *fl, |
243 | int reverse); | ||
243 | int (*get_tos)(struct flowi *fl); | 244 | int (*get_tos)(struct flowi *fl); |
244 | int (*fill_dst)(struct xfrm_dst *xdst, | 245 | int (*fill_dst)(struct xfrm_dst *xdst, |
245 | struct net_device *dev); | 246 | struct net_device *dev); |
@@ -844,14 +845,23 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short | |||
844 | #ifdef CONFIG_XFRM | 845 | #ifdef CONFIG_XFRM |
845 | extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); | 846 | extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family); |
846 | 847 | ||
847 | static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) | 848 | static inline int __xfrm_policy_check2(struct sock *sk, int dir, |
849 | struct sk_buff *skb, | ||
850 | unsigned int family, int reverse) | ||
848 | { | 851 | { |
852 | int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0); | ||
853 | |||
849 | if (sk && sk->sk_policy[XFRM_POLICY_IN]) | 854 | if (sk && sk->sk_policy[XFRM_POLICY_IN]) |
850 | return __xfrm_policy_check(sk, dir, skb, family); | 855 | return __xfrm_policy_check(sk, ndir, skb, family); |
851 | 856 | ||
852 | return (!xfrm_policy_count[dir] && !skb->sp) || | 857 | return (!xfrm_policy_count[dir] && !skb->sp) || |
853 | (skb->dst->flags & DST_NOPOLICY) || | 858 | (skb->dst->flags & DST_NOPOLICY) || |
854 | __xfrm_policy_check(sk, dir, skb, family); | 859 | __xfrm_policy_check(sk, ndir, skb, family); |
860 | } | ||
861 | |||
862 | static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) | ||
863 | { | ||
864 | return __xfrm_policy_check2(sk, dir, skb, family, 0); | ||
855 | } | 865 | } |
856 | 866 | ||
857 | static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) | 867 | static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) |
@@ -864,7 +874,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s | |||
864 | return xfrm_policy_check(sk, dir, skb, AF_INET6); | 874 | return xfrm_policy_check(sk, dir, skb, AF_INET6); |
865 | } | 875 | } |
866 | 876 | ||
867 | extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); | 877 | static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, |
878 | struct sk_buff *skb) | ||
879 | { | ||
880 | return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1); | ||
881 | } | ||
882 | |||
883 | static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, | ||
884 | struct sk_buff *skb) | ||
885 | { | ||
886 | return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1); | ||
887 | } | ||
888 | |||
889 | extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, | ||
890 | unsigned int family, int reverse); | ||
891 | |||
892 | static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, | ||
893 | unsigned int family) | ||
894 | { | ||
895 | return __xfrm_decode_session(skb, fl, family, 0); | ||
896 | } | ||
897 | |||
898 | static inline int xfrm_decode_session_reverse(struct sk_buff *skb, | ||
899 | struct flowi *fl, | ||
900 | unsigned int family) | ||
901 | { | ||
902 | return __xfrm_decode_session(skb, fl, family, 1); | ||
903 | } | ||
904 | |||
868 | extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); | 905 | extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family); |
869 | 906 | ||
870 | static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) | 907 | static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family) |
@@ -925,6 +962,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk | |||
925 | { | 962 | { |
926 | return 1; | 963 | return 1; |
927 | } | 964 | } |
965 | static inline int xfrm_decode_session_reverse(struct sk_buff *skb, | ||
966 | struct flowi *fl, | ||
967 | unsigned int family) | ||
968 | { | ||
969 | return -ENOSYS; | ||
970 | } | ||
971 | static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir, | ||
972 | struct sk_buff *skb) | ||
973 | { | ||
974 | return 1; | ||
975 | } | ||
976 | static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir, | ||
977 | struct sk_buff *skb) | ||
978 | { | ||
979 | return 1; | ||
980 | } | ||
928 | #endif | 981 | #endif |
929 | 982 | ||
930 | static __inline__ | 983 | static __inline__ |
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 10b72d185bb9..5ccae3a463c2 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c | |||
@@ -115,7 +115,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev) | |||
115 | } | 115 | } |
116 | 116 | ||
117 | static void | 117 | static void |
118 | _decode_session4(struct sk_buff *skb, struct flowi *fl) | 118 | _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) |
119 | { | 119 | { |
120 | struct iphdr *iph = ip_hdr(skb); | 120 | struct iphdr *iph = ip_hdr(skb); |
121 | u8 *xprth = skb_network_header(skb) + iph->ihl * 4; | 121 | u8 *xprth = skb_network_header(skb) + iph->ihl * 4; |
@@ -131,8 +131,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl) | |||
131 | if (pskb_may_pull(skb, xprth + 4 - skb->data)) { | 131 | if (pskb_may_pull(skb, xprth + 4 - skb->data)) { |
132 | __be16 *ports = (__be16 *)xprth; | 132 | __be16 *ports = (__be16 *)xprth; |
133 | 133 | ||
134 | fl->fl_ip_sport = ports[0]; | 134 | fl->fl_ip_sport = ports[!!reverse]; |
135 | fl->fl_ip_dport = ports[1]; | 135 | fl->fl_ip_dport = ports[!reverse]; |
136 | } | 136 | } |
137 | break; | 137 | break; |
138 | 138 | ||
@@ -174,8 +174,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl) | |||
174 | } | 174 | } |
175 | } | 175 | } |
176 | fl->proto = iph->protocol; | 176 | fl->proto = iph->protocol; |
177 | fl->fl4_dst = iph->daddr; | 177 | fl->fl4_dst = reverse ? iph->saddr : iph->daddr; |
178 | fl->fl4_src = iph->saddr; | 178 | fl->fl4_src = reverse ? iph->daddr : iph->saddr; |
179 | fl->fl4_tos = iph->tos; | 179 | fl->fl4_tos = iph->tos; |
180 | } | 180 | } |
181 | 181 | ||
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 181cf91538f1..d26b7dc3f33b 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c | |||
@@ -123,7 +123,7 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev) | |||
123 | } | 123 | } |
124 | 124 | ||
125 | static inline void | 125 | static inline void |
126 | _decode_session6(struct sk_buff *skb, struct flowi *fl) | 126 | _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse) |
127 | { | 127 | { |
128 | u16 offset = skb_network_header_len(skb); | 128 | u16 offset = skb_network_header_len(skb); |
129 | struct ipv6hdr *hdr = ipv6_hdr(skb); | 129 | struct ipv6hdr *hdr = ipv6_hdr(skb); |
@@ -132,8 +132,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl) | |||
132 | u8 nexthdr = nh[IP6CB(skb)->nhoff]; | 132 | u8 nexthdr = nh[IP6CB(skb)->nhoff]; |
133 | 133 | ||
134 | memset(fl, 0, sizeof(struct flowi)); | 134 | memset(fl, 0, sizeof(struct flowi)); |
135 | ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr); | 135 | ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr); |
136 | ipv6_addr_copy(&fl->fl6_src, &hdr->saddr); | 136 | ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr); |
137 | 137 | ||
138 | while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { | 138 | while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) { |
139 | nh = skb_network_header(skb); | 139 | nh = skb_network_header(skb); |
@@ -156,8 +156,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl) | |||
156 | if (pskb_may_pull(skb, nh + offset + 4 - skb->data)) { | 156 | if (pskb_may_pull(skb, nh + offset + 4 - skb->data)) { |
157 | __be16 *ports = (__be16 *)exthdr; | 157 | __be16 *ports = (__be16 *)exthdr; |
158 | 158 | ||
159 | fl->fl_ip_sport = ports[0]; | 159 | fl->fl_ip_sport = ports[!!reverse]; |
160 | fl->fl_ip_dport = ports[1]; | 160 | fl->fl_ip_dport = ports[!reverse]; |
161 | } | 161 | } |
162 | fl->proto = nexthdr; | 162 | fl->proto = nexthdr; |
163 | return; | 163 | return; |
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 3d516d57b5b2..2e10d46c0e8c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -1732,8 +1732,8 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start, | |||
1732 | return start; | 1732 | return start; |
1733 | } | 1733 | } |
1734 | 1734 | ||
1735 | int | 1735 | int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, |
1736 | xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family) | 1736 | unsigned int family, int reverse) |
1737 | { | 1737 | { |
1738 | struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); | 1738 | struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); |
1739 | int err; | 1739 | int err; |
@@ -1741,12 +1741,12 @@ xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family | |||
1741 | if (unlikely(afinfo == NULL)) | 1741 | if (unlikely(afinfo == NULL)) |
1742 | return -EAFNOSUPPORT; | 1742 | return -EAFNOSUPPORT; |
1743 | 1743 | ||
1744 | afinfo->decode_session(skb, fl); | 1744 | afinfo->decode_session(skb, fl, reverse); |
1745 | err = security_xfrm_decode_session(skb, &fl->secid); | 1745 | err = security_xfrm_decode_session(skb, &fl->secid); |
1746 | xfrm_policy_put_afinfo(afinfo); | 1746 | xfrm_policy_put_afinfo(afinfo); |
1747 | return err; | 1747 | return err; |
1748 | } | 1748 | } |
1749 | EXPORT_SYMBOL(xfrm_decode_session); | 1749 | EXPORT_SYMBOL(__xfrm_decode_session); |
1750 | 1750 | ||
1751 | static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) | 1751 | static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp) |
1752 | { | 1752 | { |
@@ -1768,11 +1768,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, | |||
1768 | int npols = 0; | 1768 | int npols = 0; |
1769 | int xfrm_nr; | 1769 | int xfrm_nr; |
1770 | int pi; | 1770 | int pi; |
1771 | int reverse; | ||
1771 | struct flowi fl; | 1772 | struct flowi fl; |
1772 | u8 fl_dir = policy_to_flow_dir(dir); | 1773 | u8 fl_dir; |
1773 | int xerr_idx = -1; | 1774 | int xerr_idx = -1; |
1774 | 1775 | ||
1775 | if (xfrm_decode_session(skb, &fl, family) < 0) | 1776 | reverse = dir & ~XFRM_POLICY_MASK; |
1777 | dir &= XFRM_POLICY_MASK; | ||
1778 | fl_dir = policy_to_flow_dir(dir); | ||
1779 | |||
1780 | if (__xfrm_decode_session(skb, &fl, family, reverse) < 0) | ||
1776 | return 0; | 1781 | return 0; |
1777 | nf_nat_decode_session(skb, &fl, family); | 1782 | nf_nat_decode_session(skb, &fl, family); |
1778 | 1783 | ||