[IPSEC] xfrm: Abstract out encapsulation modes

This patch adds the structure xfrm_mode. It is meant to represent the operations carried out by transport/tunnel modes. By doing this we allow additional encapsulation modes to be added without clogging up the xfrm_input/xfrm_output paths. Candidate modes include 4-to-6 tunnel mode, 6-to-4 tunnel mode, and BEET modes. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2006-05-28 02:05:54 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-18 00:28:39 -0400
commit: b59f45d0b2878ab76f8053b0973654e6621828ee (patch)
tree: 40dc5e2ede2620f7935fb3dae0d0eb199851f611 /net/ipv4
parent: 546be2405be119ef55467aace45f337a16e5d424 (diff)
6 files changed, 219 insertions, 84 deletions
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index e40f75322377..35eb70b1448d 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -414,6 +414,24 @@ config INET_TUNNEL
        tristate
        default n
+config INET_XFRM_MODE_TRANSPORT
+        tristate "IP: IPsec transport mode"
+        default y
+        select XFRM
+        ---help---
+          Support for IPsec transport mode.
+          If unsure, say Y.
+config INET_XFRM_MODE_TUNNEL
+        tristate "IP: IPsec tunnel mode"
+        default y
+        select XFRM
+        ---help---
+          Support for IPsec tunnel mode.
+          If unsure, say Y.
 config INET_DIAG
        tristate "INET: socket monitoring interface"
        default y
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index 9ef50a0b9d2c..4cc94482eacc 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -24,6 +24,8 @@ obj-$(CONFIG_INET_ESP) += esp4.o
 obj-$(CONFIG_INET_IPCOMP) += ipcomp.o
 obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o
 obj-$(CONFIG_INET_TUNNEL) += tunnel4.o
+obj-$(CONFIG_INET_XFRM_MODE_TRANSPORT) += xfrm4_mode_transport.o
+obj-$(CONFIG_INET_XFRM_MODE_TUNNEL) += xfrm4_mode_tunnel.o
 obj-$(CONFIG_IP_PNP) += ipconfig.o
 obj-$(CONFIG_IP_ROUTE_MULTIPATH_RR) += multipath_rr.o
 obj-$(CONFIG_IP_ROUTE_MULTIPATH_RANDOM) += multipath_random.o
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index 3e174c83bfe7..817ed84511a6 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -13,7 +13,6 @@
 #include <linux/string.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
-#include <net/inet_ecn.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
@@ -24,15 +23,6 @@ int xfrm4_rcv(struct sk_buff *skb)
 EXPORT_SYMBOL(xfrm4_rcv);
-static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
-{
-        struct iphdr *outer_iph = skb->nh.iph;
-        struct iphdr *inner_iph = skb->h.ipiph;
-        if (INET_ECN_is_ce(outer_iph->tos))
-                IP_ECN_set_ce(inner_iph);
-}
 static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
 {
        switch (nexthdr) {
@@ -113,24 +103,10 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
                xfrm_vec[xfrm_nr++] = x;
-                iph = skb->nh.iph;
+                if (x->mode->input(x, skb))
+                        goto drop;
                if (x->props.mode) {
-                        if (iph->protocol != IPPROTO_IPIP)
-                                goto drop;
-                        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                                goto drop;
-                        if (skb_cloned(skb) &&
-                            pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
-                                goto drop;
-                        if (x->props.flags & XFRM_STATE_DECAP_DSCP)
-                                ipv4_copy_dscp(iph, skb->h.ipiph);
-                        if (!(x->props.flags & XFRM_STATE_NOECN))
-                                ipip_ecn_decapsulate(skb);
-                        skb->mac.raw = memmove(skb->data - skb->mac_len,
-                                               skb->mac.raw, skb->mac_len);
-                        skb->nh.raw = skb->data;
-                        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
                        decaps = 1;
                        break;
                }
diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
new file mode 100644
index 000000000000..e46d9a4ccc55
--- /dev/null
+++ b/net/ipv4/xfrm4_mode_transport.c
@@ -0,0 +1,69 @@
+/*
+ * xfrm4_mode_transport.c - Transport mode encapsulation for IPv4.
+ *
+ * Copyright (c) 2004-2006 Herbert Xu <herbert@gondor.apana.org.au>
+ */
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/stringify.h>
+#include <net/dst.h>
+#include <net/ip.h>
+#include <net/xfrm.h>
+/* Add encapsulation header.
+ *
+ * The IP header will be moved forward to make space for the encapsulation
+ * header.
+ *
+ * On exit, skb->h will be set to the start of the payload to be processed
+ * by x->type->output and skb->nh will be set to the top IP header.
+ */
+static int xfrm4_transport_output(struct sk_buff *skb)
+{
+        struct xfrm_state *x;
+        struct iphdr *iph;
+        int ihl;
+        iph = skb->nh.iph;
+        skb->h.ipiph = iph;
+        ihl = iph->ihl * 4;
+        skb->h.raw += ihl;
+        x = skb->dst->xfrm;
+        skb->nh.raw = memmove(skb_push(skb, x->props.header_len), iph, ihl);
+        return 0;
+}
+static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+{
+        return 0;
+}
+static struct xfrm_mode xfrm4_transport_mode = {
+        .input = xfrm4_transport_input,
+        .output = xfrm4_transport_output,
+        .owner = THIS_MODULE,
+        .encap = XFRM_MODE_TRANSPORT,
+};
+static int __init xfrm4_transport_init(void)
+{
+        return xfrm_register_mode(&xfrm4_transport_mode, AF_INET);
+}
+static void __exit xfrm4_transport_exit(void)
+{
+        int err;
+        err = xfrm_unregister_mode(&xfrm4_transport_mode, AF_INET);
+        BUG_ON(err);
+}
+module_init(xfrm4_transport_init);
+module_exit(xfrm4_transport_exit);
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_XFRM_MODE(AF_INET, XFRM_MODE_TRANSPORT);
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
new file mode 100644
index 000000000000..f8d880beb12f
--- /dev/null
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -0,0 +1,125 @@
+/*
+ * xfrm4_mode_tunnel.c - Tunnel mode encapsulation for IPv4.
+ *
+ * Copyright (c) 2004-2006 Herbert Xu <herbert@gondor.apana.org.au>
+ */
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/stringify.h>
+#include <net/dst.h>
+#include <net/inet_ecn.h>
+#include <net/ip.h>
+#include <net/xfrm.h>
+static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
+{
+        struct iphdr *outer_iph = skb->nh.iph;
+        struct iphdr *inner_iph = skb->h.ipiph;
+        if (INET_ECN_is_ce(outer_iph->tos))
+                IP_ECN_set_ce(inner_iph);
+}
+/* Add encapsulation header.
+ *
+ * The top IP header will be constructed per RFC 2401.  The following fields
+ * in it shall be filled in by x->type->output:
+ *      tot_len
+ *      check
+ *
+ * On exit, skb->h will be set to the start of the payload to be processed
+ * by x->type->output and skb->nh will be set to the top IP header.
+ */
+static int xfrm4_tunnel_output(struct sk_buff *skb)
+{
+        struct dst_entry *dst = skb->dst;
+        struct xfrm_state *x = dst->xfrm;
+        struct iphdr *iph, *top_iph;
+        int flags;
+        iph = skb->nh.iph;
+        skb->h.ipiph = iph;
+        skb->nh.raw = skb_push(skb, x->props.header_len);
+        top_iph = skb->nh.iph;
+        top_iph->ihl = 5;
+        top_iph->version = 4;
+        /* DS disclosed */
+        top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
+        flags = x->props.flags;
+        if (flags & XFRM_STATE_NOECN)
+                IP_ECN_clear(top_iph);
+        top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
+                0 : (iph->frag_off & htons(IP_DF));
+        if (!top_iph->frag_off)
+                __ip_select_ident(top_iph, dst->child, 0);
+        top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
+        top_iph->saddr = x->props.saddr.a4;
+        top_iph->daddr = x->id.daddr.a4;
+        top_iph->protocol = IPPROTO_IPIP;
+        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+        return 0;
+}
+static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+{
+        struct iphdr *iph = skb->nh.iph;
+        int err = -EINVAL;
+        if (iph->protocol != IPPROTO_IPIP)
+                goto out;
+        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+                goto out;
+        if (skb_cloned(skb) &&
+            (err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
+                goto out;
+        if (x->props.flags & XFRM_STATE_DECAP_DSCP)
+                ipv4_copy_dscp(iph, skb->h.ipiph);
+        if (!(x->props.flags & XFRM_STATE_NOECN))
+                ipip_ecn_decapsulate(skb);
+        skb->mac.raw = memmove(skb->data - skb->mac_len,
+                               skb->mac.raw, skb->mac_len);
+        skb->nh.raw = skb->data;
+        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+        err = 0;
+out:
+        return err;
+}
+static struct xfrm_mode xfrm4_tunnel_mode = {
+        .input = xfrm4_tunnel_input,
+        .output = xfrm4_tunnel_output,
+        .owner = THIS_MODULE,
+        .encap = XFRM_MODE_TUNNEL,
+};
+static int __init xfrm4_tunnel_init(void)
+{
+        return xfrm_register_mode(&xfrm4_tunnel_mode, AF_INET);
+}
+static void __exit xfrm4_tunnel_exit(void)
+{
+        int err;
+        err = xfrm_unregister_mode(&xfrm4_tunnel_mode, AF_INET);
+        BUG_ON(err);
+}
+module_init(xfrm4_tunnel_init);
+module_exit(xfrm4_tunnel_exit);
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_XFRM_MODE(AF_INET, XFRM_MODE_TUNNEL);
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 4ef8efaf6a67..ac9d91d4bb05 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -12,67 +12,10 @@
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <linux/netfilter_ipv4.h>
-#include <net/inet_ecn.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
 #include <net/icmp.h>
-/* Add encapsulation header.
- *
- * In transport mode, the IP header will be moved forward to make space
- * for the encapsulation header.
- *
- * In tunnel mode, the top IP header will be constructed per RFC 2401.
- * The following fields in it shall be filled in by x->type->output:
- *      tot_len
- *      check
- *
- * On exit, skb->h will be set to the start of the payload to be processed
- * by x->type->output and skb->nh will be set to the top IP header.
- */
-static void xfrm4_encap(struct sk_buff *skb)
-{
-        struct dst_entry *dst = skb->dst;
-        struct xfrm_state *x = dst->xfrm;
-        struct iphdr *iph, *top_iph;
-        int flags;
-        iph = skb->nh.iph;
-        skb->h.ipiph = iph;
-        skb->nh.raw = skb_push(skb, x->props.header_len);
-        top_iph = skb->nh.iph;
-        if (!x->props.mode) {
-                skb->h.raw += iph->ihl*4;
-                memmove(top_iph, iph, iph->ihl*4);
-                return;
-        }
-        top_iph->ihl = 5;
-        top_iph->version = 4;
-        /* DS disclosed */
-        top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
-        flags = x->props.flags;
-        if (flags & XFRM_STATE_NOECN)
-                IP_ECN_clear(top_iph);
-        top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
-                0 : (iph->frag_off & htons(IP_DF));
-        if (!top_iph->frag_off)
-                __ip_select_ident(top_iph, dst->child, 0);
-        top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
-        top_iph->saddr = x->props.saddr.a4;
-        top_iph->daddr = x->id.daddr.a4;
-        top_iph->protocol = IPPROTO_IPIP;
-        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
-}
 static int xfrm4_tunnel_check_size(struct sk_buff *skb)
 {
        int mtu, ret = 0;
@@ -121,7 +64,9 @@ static int xfrm4_output_one(struct sk_buff *skb)
                if (err)
                        goto error;
-                xfrm4_encap(skb);
+                err = x->mode->output(skb);
+                if (err)
+                        goto error;
                err = x->type->output(x, skb);
                if (err)
author	Herbert Xu <herbert@gondor.apana.org.au>	2006-05-28 02:05:54 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-18 00:28:39 -0400
commit	b59f45d0b2878ab76f8053b0973654e6621828ee (patch)
tree	40dc5e2ede2620f7935fb3dae0d0eb199851f611 /net/ipv4
parent	546be2405be119ef55467aace45f337a16e5d424 (diff)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index e40f75322377..35eb70b1448d 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig
@@ -414,6 +414,24 @@ config INET_TUNNEL
414	tristate	414	tristate
415	default n	415	default n
416		416
		417	config INET_XFRM_MODE_TRANSPORT
		418	tristate "IP: IPsec transport mode"
		419	default y
		420	select XFRM
		421	---help---
		422	Support for IPsec transport mode.
		423
		424	If unsure, say Y.
		425
		426	config INET_XFRM_MODE_TUNNEL
		427	tristate "IP: IPsec tunnel mode"
		428	default y
		429	select XFRM
		430	---help---
		431	Support for IPsec tunnel mode.
		432
		433	If unsure, say Y.
		434
417	config INET_DIAG	435	config INET_DIAG
418	tristate "INET: socket monitoring interface"	436	tristate "INET: socket monitoring interface"
419	default y	437	default y


diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile index 9ef50a0b9d2c..4cc94482eacc 100644 --- a/net/ipv4/Makefile +++ b/net/ipv4/Makefile
@@ -24,6 +24,8 @@ obj-$(CONFIG_INET_ESP) += esp4.o
24	obj-$(CONFIG_INET_IPCOMP) += ipcomp.o	24	obj-$(CONFIG_INET_IPCOMP) += ipcomp.o
25	obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o	25	obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o
26	obj-$(CONFIG_INET_TUNNEL) += tunnel4.o	26	obj-$(CONFIG_INET_TUNNEL) += tunnel4.o
		27	obj-$(CONFIG_INET_XFRM_MODE_TRANSPORT) += xfrm4_mode_transport.o
		28	obj-$(CONFIG_INET_XFRM_MODE_TUNNEL) += xfrm4_mode_tunnel.o
27	obj-$(CONFIG_IP_PNP) += ipconfig.o	29	obj-$(CONFIG_IP_PNP) += ipconfig.o
28	obj-$(CONFIG_IP_ROUTE_MULTIPATH_RR) += multipath_rr.o	30	obj-$(CONFIG_IP_ROUTE_MULTIPATH_RR) += multipath_rr.o
29	obj-$(CONFIG_IP_ROUTE_MULTIPATH_RANDOM) += multipath_random.o	31	obj-$(CONFIG_IP_ROUTE_MULTIPATH_RANDOM) += multipath_random.o


diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index 3e174c83bfe7..817ed84511a6 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c
@@ -13,7 +13,6 @@
13	#include <linux/string.h>	13	#include <linux/string.h>
14	#include <linux/netfilter.h>	14	#include <linux/netfilter.h>
15	#include <linux/netfilter_ipv4.h>	15	#include <linux/netfilter_ipv4.h>
16	#include <net/inet_ecn.h>
17	#include <net/ip.h>	16	#include <net/ip.h>
18	#include <net/xfrm.h>	17	#include <net/xfrm.h>
19		18
@@ -24,15 +23,6 @@ int xfrm4_rcv(struct sk_buff *skb)
24		23
25	EXPORT_SYMBOL(xfrm4_rcv);	24	EXPORT_SYMBOL(xfrm4_rcv);
26		25
27	static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
28	{
29	struct iphdr *outer_iph = skb->nh.iph;
30	struct iphdr *inner_iph = skb->h.ipiph;
31
32	if (INET_ECN_is_ce(outer_iph->tos))
33	IP_ECN_set_ce(inner_iph);
34	}
35
36	static int xfrm4_parse_spi(struct sk_buff skb, u8 nexthdr, u32 spi, u32 *seq)	26	static int xfrm4_parse_spi(struct sk_buff skb, u8 nexthdr, u32 spi, u32 *seq)
37	{	27	{
38	switch (nexthdr) {	28	switch (nexthdr) {
@@ -113,24 +103,10 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
113		103
114	xfrm_vec[xfrm_nr++] = x;	104	xfrm_vec[xfrm_nr++] = x;
115		105
116	iph = skb->nh.iph;	106	if (x->mode->input(x, skb))
		107	goto drop;
117		108
118	if (x->props.mode) {	109	if (x->props.mode) {
119	if (iph->protocol != IPPROTO_IPIP)
120	goto drop;
121	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
122	goto drop;
123	if (skb_cloned(skb) &&
124	pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
125	goto drop;
126	if (x->props.flags & XFRM_STATE_DECAP_DSCP)
127	ipv4_copy_dscp(iph, skb->h.ipiph);
128	if (!(x->props.flags & XFRM_STATE_NOECN))
129	ipip_ecn_decapsulate(skb);
130	skb->mac.raw = memmove(skb->data - skb->mac_len,
131	skb->mac.raw, skb->mac_len);
132	skb->nh.raw = skb->data;
133	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
134	decaps = 1;	110	decaps = 1;
135	break;	111	break;
136	}	112	}


diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c new file mode 100644 index 000000000000..e46d9a4ccc55 --- /dev/null +++ b/net/ipv4/xfrm4_mode_transport.c
@@ -0,0 +1,69 @@
		1	/*
		2	* xfrm4_mode_transport.c - Transport mode encapsulation for IPv4.
		3	*
		4	* Copyright (c) 2004-2006 Herbert Xu <herbert@gondor.apana.org.au>
		5	*/
		6
		7	#include <linux/init.h>
		8	#include <linux/kernel.h>
		9	#include <linux/module.h>
		10	#include <linux/skbuff.h>
		11	#include <linux/stringify.h>
		12	#include <net/dst.h>
		13	#include <net/ip.h>
		14	#include <net/xfrm.h>
		15
		16	/* Add encapsulation header.
		17	*
		18	* The IP header will be moved forward to make space for the encapsulation
		19	* header.
		20	*
		21	* On exit, skb->h will be set to the start of the payload to be processed
		22	* by x->type->output and skb->nh will be set to the top IP header.
		23	*/
		24	static int xfrm4_transport_output(struct sk_buff *skb)
		25	{
		26	struct xfrm_state *x;
		27	struct iphdr *iph;
		28	int ihl;
		29
		30	iph = skb->nh.iph;
		31	skb->h.ipiph = iph;
		32
		33	ihl = iph->ihl * 4;
		34	skb->h.raw += ihl;
		35
		36	x = skb->dst->xfrm;
		37	skb->nh.raw = memmove(skb_push(skb, x->props.header_len), iph, ihl);
		38	return 0;
		39	}
		40
		41	static int xfrm4_transport_input(struct xfrm_state x, struct sk_buff skb)
		42	{
		43	return 0;
		44	}
		45
		46	static struct xfrm_mode xfrm4_transport_mode = {
		47	.input = xfrm4_transport_input,
		48	.output = xfrm4_transport_output,
		49	.owner = THIS_MODULE,
		50	.encap = XFRM_MODE_TRANSPORT,
		51	};
		52
		53	static int __init xfrm4_transport_init(void)
		54	{
		55	return xfrm_register_mode(&xfrm4_transport_mode, AF_INET);
		56	}
		57
		58	static void __exit xfrm4_transport_exit(void)
		59	{
		60	int err;
		61
		62	err = xfrm_unregister_mode(&xfrm4_transport_mode, AF_INET);
		63	BUG_ON(err);
		64	}
		65
		66	module_init(xfrm4_transport_init);
		67	module_exit(xfrm4_transport_exit);
		68	MODULE_LICENSE("GPL");
		69	MODULE_ALIAS_XFRM_MODE(AF_INET, XFRM_MODE_TRANSPORT);


diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c new file mode 100644 index 000000000000..f8d880beb12f --- /dev/null +++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -0,0 +1,125 @@
		1	/*
		2	* xfrm4_mode_tunnel.c - Tunnel mode encapsulation for IPv4.
		3	*
		4	* Copyright (c) 2004-2006 Herbert Xu <herbert@gondor.apana.org.au>
		5	*/
		6
		7	#include <linux/init.h>
		8	#include <linux/kernel.h>
		9	#include <linux/module.h>
		10	#include <linux/skbuff.h>
		11	#include <linux/stringify.h>
		12	#include <net/dst.h>
		13	#include <net/inet_ecn.h>
		14	#include <net/ip.h>
		15	#include <net/xfrm.h>
		16
		17	static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
		18	{
		19	struct iphdr *outer_iph = skb->nh.iph;
		20	struct iphdr *inner_iph = skb->h.ipiph;
		21
		22	if (INET_ECN_is_ce(outer_iph->tos))
		23	IP_ECN_set_ce(inner_iph);
		24	}
		25
		26	/* Add encapsulation header.
		27	*
		28	* The top IP header will be constructed per RFC 2401. The following fields
		29	* in it shall be filled in by x->type->output:
		30	* tot_len
		31	* check
		32	*
		33	* On exit, skb->h will be set to the start of the payload to be processed
		34	* by x->type->output and skb->nh will be set to the top IP header.
		35	*/
		36	static int xfrm4_tunnel_output(struct sk_buff *skb)
		37	{
		38	struct dst_entry *dst = skb->dst;
		39	struct xfrm_state *x = dst->xfrm;
		40	struct iphdr iph, top_iph;
		41	int flags;
		42
		43	iph = skb->nh.iph;
		44	skb->h.ipiph = iph;
		45
		46	skb->nh.raw = skb_push(skb, x->props.header_len);
		47	top_iph = skb->nh.iph;
		48
		49	top_iph->ihl = 5;
		50	top_iph->version = 4;
		51
		52	/* DS disclosed */
		53	top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
		54
		55	flags = x->props.flags;
		56	if (flags & XFRM_STATE_NOECN)
		57	IP_ECN_clear(top_iph);
		58
		59	top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
		60	0 : (iph->frag_off & htons(IP_DF));
		61	if (!top_iph->frag_off)
		62	__ip_select_ident(top_iph, dst->child, 0);
		63
		64	top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
		65
		66	top_iph->saddr = x->props.saddr.a4;
		67	top_iph->daddr = x->id.daddr.a4;
		68	top_iph->protocol = IPPROTO_IPIP;
		69
		70	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
		71	return 0;
		72	}
		73
		74	static int xfrm4_tunnel_input(struct xfrm_state x, struct sk_buff skb)
		75	{
		76	struct iphdr *iph = skb->nh.iph;
		77	int err = -EINVAL;
		78
		79	if (iph->protocol != IPPROTO_IPIP)
		80	goto out;
		81	if (!pskb_may_pull(skb, sizeof(struct iphdr)))
		82	goto out;
		83
		84	if (skb_cloned(skb) &&
		85	(err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
		86	goto out;
		87
		88	if (x->props.flags & XFRM_STATE_DECAP_DSCP)
		89	ipv4_copy_dscp(iph, skb->h.ipiph);
		90	if (!(x->props.flags & XFRM_STATE_NOECN))
		91	ipip_ecn_decapsulate(skb);
		92	skb->mac.raw = memmove(skb->data - skb->mac_len,
		93	skb->mac.raw, skb->mac_len);
		94	skb->nh.raw = skb->data;
		95	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
		96	err = 0;
		97
		98	out:
		99	return err;
		100	}
		101
		102	static struct xfrm_mode xfrm4_tunnel_mode = {
		103	.input = xfrm4_tunnel_input,
		104	.output = xfrm4_tunnel_output,
		105	.owner = THIS_MODULE,
		106	.encap = XFRM_MODE_TUNNEL,
		107	};
		108
		109	static int __init xfrm4_tunnel_init(void)
		110	{
		111	return xfrm_register_mode(&xfrm4_tunnel_mode, AF_INET);
		112	}
		113
		114	static void __exit xfrm4_tunnel_exit(void)
		115	{
		116	int err;
		117
		118	err = xfrm_unregister_mode(&xfrm4_tunnel_mode, AF_INET);
		119	BUG_ON(err);
		120	}
		121
		122	module_init(xfrm4_tunnel_init);
		123	module_exit(xfrm4_tunnel_exit);
		124	MODULE_LICENSE("GPL");
		125	MODULE_ALIAS_XFRM_MODE(AF_INET, XFRM_MODE_TUNNEL);


diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c index 4ef8efaf6a67..ac9d91d4bb05 100644 --- a/net/ipv4/xfrm4_output.c +++ b/net/ipv4/xfrm4_output.c
@@ -12,67 +12,10 @@
12	#include <linux/skbuff.h>	12	#include <linux/skbuff.h>
13	#include <linux/spinlock.h>	13	#include <linux/spinlock.h>
14	#include <linux/netfilter_ipv4.h>	14	#include <linux/netfilter_ipv4.h>
15	#include <net/inet_ecn.h>
16	#include <net/ip.h>	15	#include <net/ip.h>
17	#include <net/xfrm.h>	16	#include <net/xfrm.h>
18	#include <net/icmp.h>	17	#include <net/icmp.h>
19		18
20	/* Add encapsulation header.
21	*
22	* In transport mode, the IP header will be moved forward to make space
23	* for the encapsulation header.
24	*
25	* In tunnel mode, the top IP header will be constructed per RFC 2401.
26	* The following fields in it shall be filled in by x->type->output:
27	* tot_len
28	* check
29	*
30	* On exit, skb->h will be set to the start of the payload to be processed
31	* by x->type->output and skb->nh will be set to the top IP header.
32	*/
33	static void xfrm4_encap(struct sk_buff *skb)
34	{
35	struct dst_entry *dst = skb->dst;
36	struct xfrm_state *x = dst->xfrm;
37	struct iphdr iph, top_iph;
38	int flags;
39
40	iph = skb->nh.iph;
41	skb->h.ipiph = iph;
42
43	skb->nh.raw = skb_push(skb, x->props.header_len);
44	top_iph = skb->nh.iph;
45
46	if (!x->props.mode) {
47	skb->h.raw += iph->ihl*4;
48	memmove(top_iph, iph, iph->ihl*4);
49	return;
50	}
51
52	top_iph->ihl = 5;
53	top_iph->version = 4;
54
55	/* DS disclosed */
56	top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
57
58	flags = x->props.flags;
59	if (flags & XFRM_STATE_NOECN)
60	IP_ECN_clear(top_iph);
61
62	top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
63	0 : (iph->frag_off & htons(IP_DF));
64	if (!top_iph->frag_off)
65	__ip_select_ident(top_iph, dst->child, 0);
66
67	top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
68
69	top_iph->saddr = x->props.saddr.a4;
70	top_iph->daddr = x->id.daddr.a4;
71	top_iph->protocol = IPPROTO_IPIP;
72
73	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
74	}
75
76	static int xfrm4_tunnel_check_size(struct sk_buff *skb)	19	static int xfrm4_tunnel_check_size(struct sk_buff *skb)
77	{	20	{
78	int mtu, ret = 0;	21	int mtu, ret = 0;
@@ -121,7 +64,9 @@ static int xfrm4_output_one(struct sk_buff *skb)
121	if (err)	64	if (err)
122	goto error;	65	goto error;
123		66
124	xfrm4_encap(skb);	67	err = x->mode->output(skb);
		68	if (err)
		69	goto error;
125		70
126	err = x->type->output(x, skb);	71	err = x->type->output(x, skb);
127	if (err)	72	if (err)