diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-10-08 20:16:30 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:54:53 -0400 |
| commit | 406ef77c893ebd882209be4e393d64b01fe72054 (patch) | |
| tree | 815d753889769b355fba7e648abef7ad1422559e | |
| parent | bc31d3b2c7d7f2a03721a05cb3c9a3ce8b1e2e5a (diff) | |
[IPSEC]: Move common output code to xfrm_output
Most of the code in xfrm4_output_one and xfrm6_output_one are identical so
this patch moves them into a common xfrm_output function which will live
in net/xfrm.
In fact this would seem to fix a bug as on IPv4 we never reset the network
header after a transform which may upset netfilter later on.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/xfrm.h | 1 | ||||
| -rw-r--r-- | net/ipv4/xfrm4_output.c | 40 | ||||
| -rw-r--r-- | net/ipv6/xfrm6_output.c | 45 | ||||
| -rw-r--r-- | net/xfrm/Makefile | 2 | ||||
| -rw-r--r-- | net/xfrm/xfrm_output.c | 73 |
5 files changed, 84 insertions, 77 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 760d2432be6b..f5147ddb818e 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h | |||
| @@ -1016,6 +1016,7 @@ extern void xfrm_replay_notify(struct xfrm_state *x, int event); | |||
| 1016 | extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); | 1016 | extern int xfrm_state_check(struct xfrm_state *x, struct sk_buff *skb); |
| 1017 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); | 1017 | extern int xfrm_state_mtu(struct xfrm_state *x, int mtu); |
| 1018 | extern int xfrm_init_state(struct xfrm_state *x); | 1018 | extern int xfrm_init_state(struct xfrm_state *x); |
| 1019 | extern int xfrm_output(struct sk_buff *skb); | ||
| 1019 | extern int xfrm4_rcv(struct sk_buff *skb); | 1020 | extern int xfrm4_rcv(struct sk_buff *skb); |
| 1020 | extern int xfrm4_output(struct sk_buff *skb); | 1021 | extern int xfrm4_output(struct sk_buff *skb); |
| 1021 | extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); | 1022 | extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler, unsigned short family); |
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index 44ef208a75cb..04805c7d79c3 100644 --- a/net/ipv4/xfrm4_output.c +++ b/net/ipv4/xfrm4_output.c | |||
| @@ -12,7 +12,6 @@ | |||
| 12 | #include <linux/if_ether.h> | 12 | #include <linux/if_ether.h> |
| 13 | #include <linux/kernel.h> | 13 | #include <linux/kernel.h> |
| 14 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
| 15 | #include <linux/spinlock.h> | ||
| 16 | #include <linux/netfilter_ipv4.h> | 15 | #include <linux/netfilter_ipv4.h> |
| 17 | #include <net/ip.h> | 16 | #include <net/ip.h> |
| 18 | #include <net/xfrm.h> | 17 | #include <net/xfrm.h> |
| @@ -41,58 +40,27 @@ out: | |||
| 41 | return ret; | 40 | return ret; |
| 42 | } | 41 | } |
| 43 | 42 | ||
| 44 | static int xfrm4_output_one(struct sk_buff *skb) | 43 | static inline int xfrm4_output_one(struct sk_buff *skb) |
| 45 | { | 44 | { |
| 46 | struct dst_entry *dst = skb->dst; | 45 | struct dst_entry *dst = skb->dst; |
| 47 | struct xfrm_state *x = dst->xfrm; | 46 | struct xfrm_state *x = dst->xfrm; |
| 48 | int err; | 47 | int err; |
| 49 | 48 | ||
| 50 | if (skb->ip_summed == CHECKSUM_PARTIAL) { | ||
| 51 | err = skb_checksum_help(skb); | ||
| 52 | if (err) | ||
| 53 | goto error_nolock; | ||
| 54 | } | ||
| 55 | |||
| 56 | if (x->props.mode == XFRM_MODE_TUNNEL) { | 49 | if (x->props.mode == XFRM_MODE_TUNNEL) { |
| 57 | err = xfrm4_tunnel_check_size(skb); | 50 | err = xfrm4_tunnel_check_size(skb); |
| 58 | if (err) | 51 | if (err) |
| 59 | goto error_nolock; | 52 | goto error_nolock; |
| 60 | } | 53 | } |
| 61 | 54 | ||
| 62 | do { | 55 | err = xfrm_output(skb); |
| 63 | spin_lock_bh(&x->lock); | 56 | if (err) |
| 64 | err = xfrm_state_check(x, skb); | 57 | goto error_nolock; |
| 65 | if (err) | ||
| 66 | goto error; | ||
| 67 | |||
| 68 | err = x->mode->output(x, skb); | ||
| 69 | if (err) | ||
| 70 | goto error; | ||
| 71 | |||
| 72 | err = x->type->output(x, skb); | ||
| 73 | if (err) | ||
| 74 | goto error; | ||
| 75 | |||
| 76 | x->curlft.bytes += skb->len; | ||
| 77 | x->curlft.packets++; | ||
| 78 | |||
| 79 | spin_unlock_bh(&x->lock); | ||
| 80 | |||
| 81 | if (!(skb->dst = dst_pop(dst))) { | ||
| 82 | err = -EHOSTUNREACH; | ||
| 83 | goto error_nolock; | ||
| 84 | } | ||
| 85 | dst = skb->dst; | ||
| 86 | x = dst->xfrm; | ||
| 87 | } while (x && (x->props.mode != XFRM_MODE_TUNNEL)); | ||
| 88 | 58 | ||
| 89 | IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; | 59 | IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; |
| 90 | err = 0; | 60 | err = 0; |
| 91 | 61 | ||
| 92 | out_exit: | 62 | out_exit: |
| 93 | return err; | 63 | return err; |
| 94 | error: | ||
| 95 | spin_unlock_bh(&x->lock); | ||
| 96 | error_nolock: | 64 | error_nolock: |
| 97 | kfree_skb(skb); | 65 | kfree_skb(skb); |
| 98 | goto out_exit; | 66 | goto out_exit; |
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index 56364a5f676a..f21596f89984 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c | |||
| @@ -9,9 +9,9 @@ | |||
| 9 | * 2 of the License, or (at your option) any later version. | 9 | * 2 of the License, or (at your option) any later version. |
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include <linux/if_ether.h> | ||
| 12 | #include <linux/compiler.h> | 13 | #include <linux/compiler.h> |
| 13 | #include <linux/skbuff.h> | 14 | #include <linux/skbuff.h> |
| 14 | #include <linux/spinlock.h> | ||
| 15 | #include <linux/icmpv6.h> | 15 | #include <linux/icmpv6.h> |
| 16 | #include <linux/netfilter_ipv6.h> | 16 | #include <linux/netfilter_ipv6.h> |
| 17 | #include <net/ipv6.h> | 17 | #include <net/ipv6.h> |
| @@ -43,62 +43,27 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb) | |||
| 43 | return ret; | 43 | return ret; |
| 44 | } | 44 | } |
| 45 | 45 | ||
| 46 | static int xfrm6_output_one(struct sk_buff *skb) | 46 | static inline int xfrm6_output_one(struct sk_buff *skb) |
| 47 | { | 47 | { |
| 48 | struct dst_entry *dst = skb->dst; | 48 | struct dst_entry *dst = skb->dst; |
| 49 | struct xfrm_state *x = dst->xfrm; | 49 | struct xfrm_state *x = dst->xfrm; |
| 50 | int err; | 50 | int err; |
| 51 | 51 | ||
| 52 | if (skb->ip_summed == CHECKSUM_PARTIAL) { | ||
| 53 | err = skb_checksum_help(skb); | ||
| 54 | if (err) | ||
| 55 | goto error_nolock; | ||
| 56 | } | ||
| 57 | |||
| 58 | if (x->props.mode == XFRM_MODE_TUNNEL) { | 52 | if (x->props.mode == XFRM_MODE_TUNNEL) { |
| 59 | err = xfrm6_tunnel_check_size(skb); | 53 | err = xfrm6_tunnel_check_size(skb); |
| 60 | if (err) | 54 | if (err) |
| 61 | goto error_nolock; | 55 | goto error_nolock; |
| 62 | } | 56 | } |
| 63 | 57 | ||
| 64 | do { | 58 | err = xfrm_output(skb); |
| 65 | spin_lock_bh(&x->lock); | 59 | if (err) |
| 66 | err = xfrm_state_check(x, skb); | 60 | goto error_nolock; |
| 67 | if (err) | ||
| 68 | goto error; | ||
| 69 | |||
| 70 | err = x->mode->output(x, skb); | ||
| 71 | if (err) | ||
| 72 | goto error; | ||
| 73 | |||
| 74 | err = x->type->output(x, skb); | ||
| 75 | if (err) | ||
| 76 | goto error; | ||
| 77 | |||
| 78 | x->curlft.bytes += skb->len; | ||
| 79 | x->curlft.packets++; | ||
| 80 | if (x->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) | ||
| 81 | x->lastused = get_seconds(); | ||
| 82 | |||
| 83 | spin_unlock_bh(&x->lock); | ||
| 84 | |||
| 85 | skb_reset_network_header(skb); | ||
| 86 | |||
| 87 | if (!(skb->dst = dst_pop(dst))) { | ||
| 88 | err = -EHOSTUNREACH; | ||
| 89 | goto error_nolock; | ||
| 90 | } | ||
| 91 | dst = skb->dst; | ||
| 92 | x = dst->xfrm; | ||
| 93 | } while (x && (x->props.mode != XFRM_MODE_TUNNEL)); | ||
| 94 | 61 | ||
| 95 | IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; | 62 | IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; |
| 96 | err = 0; | 63 | err = 0; |
| 97 | 64 | ||
| 98 | out_exit: | 65 | out_exit: |
| 99 | return err; | 66 | return err; |
| 100 | error: | ||
| 101 | spin_unlock_bh(&x->lock); | ||
| 102 | error_nolock: | 67 | error_nolock: |
| 103 | kfree_skb(skb); | 68 | kfree_skb(skb); |
| 104 | goto out_exit; | 69 | goto out_exit; |
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile index de3c1a625a46..45744a3d3a51 100644 --- a/net/xfrm/Makefile +++ b/net/xfrm/Makefile | |||
| @@ -3,6 +3,6 @@ | |||
| 3 | # | 3 | # |
| 4 | 4 | ||
| 5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ | 5 | obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \ |
| 6 | xfrm_input.o xfrm_algo.o | 6 | xfrm_input.o xfrm_output.o xfrm_algo.o |
| 7 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o | 7 | obj-$(CONFIG_XFRM_USER) += xfrm_user.o |
| 8 | 8 | ||
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c new file mode 100644 index 000000000000..75f289b488a7 --- /dev/null +++ b/net/xfrm/xfrm_output.c | |||
| @@ -0,0 +1,73 @@ | |||
| 1 | /* | ||
| 2 | * xfrm_output.c - Common IPsec encapsulation code. | ||
| 3 | * | ||
| 4 | * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au> | ||
| 5 | * | ||
| 6 | * This program is free software; you can redistribute it and/or | ||
| 7 | * modify it under the terms of the GNU General Public License | ||
| 8 | * as published by the Free Software Foundation; either version | ||
| 9 | * 2 of the License, or (at your option) any later version. | ||
| 10 | */ | ||
| 11 | |||
| 12 | #include <linux/errno.h> | ||
| 13 | #include <linux/module.h> | ||
| 14 | #include <linux/netdevice.h> | ||
| 15 | #include <linux/skbuff.h> | ||
| 16 | #include <linux/spinlock.h> | ||
| 17 | #include <linux/time.h> | ||
| 18 | #include <net/dst.h> | ||
| 19 | #include <net/xfrm.h> | ||
| 20 | |||
| 21 | int xfrm_output(struct sk_buff *skb) | ||
| 22 | { | ||
| 23 | struct dst_entry *dst = skb->dst; | ||
| 24 | struct xfrm_state *x = dst->xfrm; | ||
| 25 | int err; | ||
| 26 | |||
| 27 | if (skb->ip_summed == CHECKSUM_PARTIAL) { | ||
| 28 | err = skb_checksum_help(skb); | ||
| 29 | if (err) | ||
| 30 | goto error_nolock; | ||
| 31 | } | ||
| 32 | |||
| 33 | do { | ||
| 34 | spin_lock_bh(&x->lock); | ||
| 35 | err = xfrm_state_check(x, skb); | ||
| 36 | if (err) | ||
| 37 | goto error; | ||
| 38 | |||
| 39 | err = x->mode->output(x, skb); | ||
| 40 | if (err) | ||
| 41 | goto error; | ||
| 42 | |||
| 43 | err = x->type->output(x, skb); | ||
| 44 | if (err) | ||
| 45 | goto error; | ||
| 46 | |||
| 47 | x->curlft.bytes += skb->len; | ||
| 48 | x->curlft.packets++; | ||
| 49 | |||
| 50 | if (x->props.mode == XFRM_MODE_ROUTEOPTIMIZATION) | ||
| 51 | x->lastused = get_seconds(); | ||
| 52 | |||
| 53 | spin_unlock_bh(&x->lock); | ||
| 54 | |||
| 55 | skb_reset_network_header(skb); | ||
| 56 | |||
| 57 | if (!(skb->dst = dst_pop(dst))) { | ||
| 58 | err = -EHOSTUNREACH; | ||
| 59 | goto error_nolock; | ||
| 60 | } | ||
| 61 | dst = skb->dst; | ||
| 62 | x = dst->xfrm; | ||
| 63 | } while (x && (x->props.mode != XFRM_MODE_TUNNEL)); | ||
| 64 | |||
| 65 | err = 0; | ||
| 66 | |||
| 67 | error_nolock: | ||
| 68 | return err; | ||
| 69 | error: | ||
| 70 | spin_unlock_bh(&x->lock); | ||
| 71 | goto error_nolock; | ||
| 72 | } | ||
| 73 | EXPORT_SYMBOL_GPL(xfrm_output); | ||