[IPSEC]: Add missing BEET checks

Currently BEET mode does not reinject the packet back into the stack like tunnel mode does. Since BEET should behave just like tunnel mode this is incorrect. This patch fixes this by introducing a flags field to xfrm_mode that tells the IPsec code whether it should terminate and reinject the packet back into the stack. It then sets the flag for BEET and tunnel mode. I've also added a number of missing BEET checks elsewhere where we check whether a given mode is a tunnel or not. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2007-10-18 00:31:50 -0400
committer: David S. Miller <davem@davemloft.net> 2007-10-18 00:31:50 -0400
commit: 1bfcb10f670f5ff5e1d9f53e59680573524cb142 (patch)
tree: 003b271a2c1e089ae6506d869b7a8c8f04dbde0a
parent: aa5d62cc8777f733f8b59b5586c0a1989813189e (diff)
14 files changed, 25 insertions, 12 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 7f156a0b94c8..2143f2911a21 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -314,6 +314,12 @@ struct xfrm_mode {
        struct module *owner;
        unsigned int encap;
+        int flags;
+};
+/* Flags for xfrm_mode. */
+enum {
+        XFRM_MODE_FLAG_TUNNEL = 1,
 };
 extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index 5cb0b5995bc8..bc5dc0747cd2 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -94,7 +94,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
                if (x->mode->input(x, skb))
                        goto drop;
-                if (x->props.mode == XFRM_MODE_TUNNEL) {
+                if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
                        decaps = 1;
                        break;
                }
diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
index 73d2338bec55..e42e122414be 100644
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -114,6 +114,7 @@ static struct xfrm_mode xfrm4_beet_mode = {
        .output = xfrm4_beet_output,
        .owner = THIS_MODULE,
        .encap = XFRM_MODE_BEET,
+        .flags = XFRM_MODE_FLAG_TUNNEL,
 };
 static int __init xfrm4_beet_init(void)
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 1ae9d32276f0..e4deecba6dd2 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -139,6 +139,7 @@ static struct xfrm_mode xfrm4_tunnel_mode = {
        .output = xfrm4_tunnel_output,
        .owner = THIS_MODULE,
        .encap = XFRM_MODE_TUNNEL,
+        .flags = XFRM_MODE_FLAG_TUNNEL,
 };
 static int __init xfrm4_tunnel_init(void)
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index a4edd666318b..dcbc2743069c 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -47,7 +47,7 @@ static inline int xfrm4_output_one(struct sk_buff *skb)
        struct iphdr *iph;
        int err;
-        if (x->props.mode == XFRM_MODE_TUNNEL) {
+        if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
                err = xfrm4_tunnel_check_size(skb);
                if (err)
                        goto error_nolock;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 329825ca68fe..2373d673df60 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -117,7 +117,7 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
                header_len += xfrm[i]->props.header_len;
                trailer_len += xfrm[i]->props.trailer_len;
-                if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL) {
+                if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
                        unsigned short encap_family = xfrm[i]->props.family;
                        switch (encap_family) {
                        case AF_INET:
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index b1201c33eb12..c6ee1a3ba19a 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -71,7 +71,7 @@ int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
                if (x->mode->input(x, skb))
                        goto drop;
-                if (x->props.mode == XFRM_MODE_TUNNEL) { /* XXX */
+                if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
                        decaps = 1;
                        break;
                }
diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
index 13bb1e856764..2bfb4f05c14c 100644
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -79,6 +79,7 @@ static struct xfrm_mode xfrm6_beet_mode = {
        .output = xfrm6_beet_output,
        .owner = THIS_MODULE,
        .encap = XFRM_MODE_BEET,
+        .flags = XFRM_MODE_FLAG_TUNNEL,
 };
 static int __init xfrm6_beet_init(void)
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index ea2283879112..fd84e2217274 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -118,6 +118,7 @@ static struct xfrm_mode xfrm6_tunnel_mode = {
        .output = xfrm6_tunnel_output,
        .owner = THIS_MODULE,
        .encap = XFRM_MODE_TUNNEL,
+        .flags = XFRM_MODE_FLAG_TUNNEL,
 };
 static int __init xfrm6_tunnel_init(void)
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index a5a32c17249d..c9f42d1c2dff 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -50,7 +50,7 @@ static inline int xfrm6_output_one(struct sk_buff *skb)
        struct ipv6hdr *iph;
        int err;
-        if (x->props.mode == XFRM_MODE_TUNNEL) {
+        if (x->mode->flags & XFRM_MODE_FLAG_TUNNEL) {
                err = xfrm6_tunnel_check_size(skb);
                if (err)
                        goto error_nolock;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 15aa4c58c315..dc4bdcb55cbe 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -178,8 +178,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
                __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]);
                trailer_len += xfrm[i]->props.trailer_len;
-                if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL ||
+                if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
-                    xfrm[i]->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) {
                        unsigned short encap_family = xfrm[i]->props.family;
                        switch(encap_family) {
                        case AF_INET:
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index cdadb4847469..e644c80515fc 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -93,7 +93,8 @@ __xfrm6_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n)
        /* Rule 4: select IPsec tunnel */
        for (i = 0; i < n; i++) {
                if (src[i] &&
-                    src[i]->props.mode == XFRM_MODE_TUNNEL) {
+                    (src[i]->props.mode == XFRM_MODE_TUNNEL ||
+                     src[i]->props.mode == XFRM_MODE_BEET)) {
                        dst[j++] = src[i];
                        src[i] = NULL;
                }
@@ -146,7 +147,8 @@ __xfrm6_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n)
        /* Rule 3: select IPsec tunnel */
        for (i = 0; i < n; i++) {
                if (src[i] &&
-                    src[i]->mode == XFRM_MODE_TUNNEL) {
+                    (src[i]->mode == XFRM_MODE_TUNNEL ||
+                     src[i]->mode == XFRM_MODE_BEET)) {
                        dst[j++] = src[i];
                        src[i] = NULL;
                }
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 0eb3377602e9..8bf71ba2345f 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -82,7 +82,7 @@ int xfrm_output(struct sk_buff *skb)
                }
                dst = skb->dst;
                x = dst->xfrm;
-        } while (x && (x->props.mode != XFRM_MODE_TUNNEL));
+        } while (x && !(x->mode->flags & XFRM_MODE_FLAG_TUNNEL));
        err = 0;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ca24c90d3796..1d66fb42c9cb 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1940,7 +1940,8 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
                if (xdst->genid != dst->xfrm->genid)
                        return 0;
-                if (strict && fl && dst->xfrm->props.mode != XFRM_MODE_TUNNEL &&
+                if (strict && fl &&
+                    !(dst->xfrm->mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
                    !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
                        return 0;
@@ -2291,7 +2292,8 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
                        if (!migrate_tmpl_match(mp, &pol->xfrm_vec[i]))
                                continue;
                        n++;
-                        if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL)
+                        if (pol->xfrm_vec[i].mode != XFRM_MODE_TUNNEL &&
+                            pol->xfrm_vec[i].mode != XFRM_MODE_BEET)
                                continue;
                        /* update endpoints */
                        memcpy(&pol->xfrm_vec[i].id.daddr, &mp->new_daddr,
author	Herbert Xu <herbert@gondor.apana.org.au>	2007-10-18 00:31:50 -0400
committer	David S. Miller <davem@davemloft.net>	2007-10-18 00:31:50 -0400
commit	1bfcb10f670f5ff5e1d9f53e59680573524cb142 (patch)
tree	003b271a2c1e089ae6506d869b7a8c8f04dbde0a
parent	aa5d62cc8777f733f8b59b5586c0a1989813189e (diff)