ah4/esp4: set transport header correctly for IPsec tunnel mode.

IPsec tunnel does not set ECN field to CE in inner header when the ECN field in the outer header is CE, and the ECN field in the inner header is ECT(0) or ECT(1). The cause is ipip_hdr() does not return the correct address of inner header since skb->transport-header is not the inner header after esp_input_done2(), or ah_input(). Signed-off-by: Li RongQing <roy.qing.li@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
author: Li RongQing <roy.qing.li@gmail.com> 2012-12-28 03:07:16 -0500
committer: Steffen Klassert <steffen.klassert@secunet.com> 2013-01-08 06:41:30 -0500
commit: 7143dfac692cd25d48a24dbe8323bc17af95b4ec (patch)
tree: b7bd65be7b147b50b4c09f9c1523ed7097586750 /net/ipv4/ah4.c
parent: c7e2e1d72ed7707239d20525e0ebcad7e3303659 (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index a0d8392491c3..a154d0a08c79 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -269,7 +269,11 @@ static void ah_input_done(struct crypto_async_request *base, int err)
        skb->network_header += ah_hlen;
        memcpy(skb_network_header(skb), work_iph, ihl);
        __skb_pull(skb, ah_hlen + ihl);
-        skb_set_transport_header(skb, -ihl);
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -ihl);
 out:
        kfree(AH_SKB_CB(skb)->tmp);
        xfrm_input_resume(skb, err);
@@ -381,7 +385,10 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
        skb->network_header += ah_hlen;
        memcpy(skb_network_header(skb), work_iph, ihl);
        __skb_pull(skb, ah_hlen + ihl);
-        skb_set_transport_header(skb, -ihl);
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -ihl);
        err = nexthdr;
author	Li RongQing <roy.qing.li@gmail.com>	2012-12-28 03:07:16 -0500
committer	Steffen Klassert <steffen.klassert@secunet.com>	2013-01-08 06:41:30 -0500
commit	7143dfac692cd25d48a24dbe8323bc17af95b4ec (patch)
tree	b7bd65be7b147b50b4c09f9c1523ed7097586750 /net/ipv4/ah4.c
parent	c7e2e1d72ed7707239d20525e0ebcad7e3303659 (diff)

diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index a0d8392491c3..a154d0a08c79 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c
@@ -269,7 +269,11 @@ static void ah_input_done(struct crypto_async_request *base, int err)
269	skb->network_header += ah_hlen;	269	skb->network_header += ah_hlen;
270	memcpy(skb_network_header(skb), work_iph, ihl);	270	memcpy(skb_network_header(skb), work_iph, ihl);
271	__skb_pull(skb, ah_hlen + ihl);	271	__skb_pull(skb, ah_hlen + ihl);
272	skb_set_transport_header(skb, -ihl);	272
		273	if (x->props.mode == XFRM_MODE_TUNNEL)
		274	skb_reset_transport_header(skb);
		275	else
		276	skb_set_transport_header(skb, -ihl);
273	out:	277	out:
274	kfree(AH_SKB_CB(skb)->tmp);	278	kfree(AH_SKB_CB(skb)->tmp);
275	xfrm_input_resume(skb, err);	279	xfrm_input_resume(skb, err);
@@ -381,7 +385,10 @@ static int ah_input(struct xfrm_state x, struct sk_buff skb)
381	skb->network_header += ah_hlen;	385	skb->network_header += ah_hlen;
382	memcpy(skb_network_header(skb), work_iph, ihl);	386	memcpy(skb_network_header(skb), work_iph, ihl);
383	__skb_pull(skb, ah_hlen + ihl);	387	__skb_pull(skb, ah_hlen + ihl);
384	skb_set_transport_header(skb, -ihl);	388	if (x->props.mode == XFRM_MODE_TUNNEL)
		389	skb_reset_transport_header(skb);
		390	else
		391	skb_set_transport_header(skb, -ihl);
385		392
386	err = nexthdr;	393	err = nexthdr;
387		394