aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorKazunori MIYAZAWA <kazunori@miyazawa.org>2008-03-24 17:51:51 -0400
committerDavid S. Miller <davem@davemloft.net>2008-03-24 17:51:51 -0400
commitdf9dcb4588aca9cc243cf1f3f454361a84e1cbdb (patch)
tree53dabed7cffee752109808cbea2f812e0a6d7faf /net
parentfa86d322d89995fef1bfb5cc768b89d8c22ea0d9 (diff)
[IPSEC]: Fix inter address family IPsec tunnel handling.
Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/xfrm4_mode_tunnel.c2
-rw-r--r--net/ipv4/xfrm4_output.c2
-rw-r--r--net/ipv6/xfrm6_mode_tunnel.c2
-rw-r--r--net/ipv6/xfrm6_output.c2
-rw-r--r--net/key/af_key.c2
-rw-r--r--net/xfrm/xfrm_input.c22
-rw-r--r--net/xfrm/xfrm_output.c18
-rw-r--r--net/xfrm/xfrm_state.c54
-rw-r--r--net/xfrm/xfrm_user.c7
9 files changed, 90 insertions, 21 deletions
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 8dee617ee900..584e6d74e3a9 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -41,7 +41,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
41 top_iph->ihl = 5; 41 top_iph->ihl = 5;
42 top_iph->version = 4; 42 top_iph->version = 4;
43 43
44 top_iph->protocol = x->inner_mode->afinfo->proto; 44 top_iph->protocol = xfrm_af2proto(skb->dst->ops->family);
45 45
46 /* DS disclosed */ 46 /* DS disclosed */
47 top_iph->tos = INET_ECN_encapsulate(XFRM_MODE_SKB_CB(skb)->tos, 47 top_iph->tos = INET_ECN_encapsulate(XFRM_MODE_SKB_CB(skb)->tos,
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index d5a58a818021..8c3180adddbf 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -56,7 +56,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
56{ 56{
57 int err; 57 int err;
58 58
59 err = x->inner_mode->afinfo->extract_output(x, skb); 59 err = xfrm_inner_extract_output(x, skb);
60 if (err) 60 if (err)
61 return err; 61 return err;
62 62
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index 0c742faaa30b..e20529b4c825 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -45,7 +45,7 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
45 45
46 memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl, 46 memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl,
47 sizeof(top_iph->flow_lbl)); 47 sizeof(top_iph->flow_lbl));
48 top_iph->nexthdr = x->inner_mode->afinfo->proto; 48 top_iph->nexthdr = xfrm_af2proto(skb->dst->ops->family);
49 49
50 dsfield = XFRM_MODE_SKB_CB(skb)->tos; 50 dsfield = XFRM_MODE_SKB_CB(skb)->tos;
51 dsfield = INET_ECN_encapsulate(dsfield, dsfield); 51 dsfield = INET_ECN_encapsulate(dsfield, dsfield);
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 79ccfb080733..0af823cf7f1f 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -62,7 +62,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
62{ 62{
63 int err; 63 int err;
64 64
65 err = x->inner_mode->afinfo->extract_output(x, skb); 65 err = xfrm_inner_extract_output(x, skb);
66 if (err) 66 if (err)
67 return err; 67 return err;
68 68
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 8b5f486ac80f..e9ef9af4a53b 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct sadb_msg *hdr,
1219 x->sel.prefixlen_s = addr->sadb_address_prefixlen; 1219 x->sel.prefixlen_s = addr->sadb_address_prefixlen;
1220 } 1220 }
1221 1221
1222 if (!x->sel.family) 1222 if (x->props.mode == XFRM_MODE_TRANSPORT)
1223 x->sel.family = x->props.family; 1223 x->sel.family = x->props.family;
1224 1224
1225 if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) { 1225 if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 62188c6a06dd..75279402ccf4 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -84,14 +84,21 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
84 84
85int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) 85int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
86{ 86{
87 struct xfrm_mode *inner_mode = x->inner_mode;
87 int err; 88 int err;
88 89
89 err = x->outer_mode->afinfo->extract_input(x, skb); 90 err = x->outer_mode->afinfo->extract_input(x, skb);
90 if (err) 91 if (err)
91 return err; 92 return err;
92 93
93 skb->protocol = x->inner_mode->afinfo->eth_proto; 94 if (x->sel.family == AF_UNSPEC) {
94 return x->inner_mode->input2(x, skb); 95 inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
96 if (inner_mode == NULL)
97 return -EAFNOSUPPORT;
98 }
99
100 skb->protocol = inner_mode->afinfo->eth_proto;
101 return inner_mode->input2(x, skb);
95} 102}
96EXPORT_SYMBOL(xfrm_prepare_input); 103EXPORT_SYMBOL(xfrm_prepare_input);
97 104
@@ -101,6 +108,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
101 __be32 seq; 108 __be32 seq;
102 struct xfrm_state *x; 109 struct xfrm_state *x;
103 xfrm_address_t *daddr; 110 xfrm_address_t *daddr;
111 struct xfrm_mode *inner_mode;
104 unsigned int family; 112 unsigned int family;
105 int decaps = 0; 113 int decaps = 0;
106 int async = 0; 114 int async = 0;
@@ -207,7 +215,15 @@ resume:
207 215
208 XFRM_MODE_SKB_CB(skb)->protocol = nexthdr; 216 XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
209 217
210 if (x->inner_mode->input(x, skb)) { 218 inner_mode = x->inner_mode;
219
220 if (x->sel.family == AF_UNSPEC) {
221 inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
222 if (inner_mode == NULL)
223 goto drop;
224 }
225
226 if (inner_mode->input(x, skb)) {
211 XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR); 227 XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR);
212 goto drop; 228 goto drop;
213 } 229 }
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 569d377932c4..2519129c6d21 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -124,7 +124,7 @@ int xfrm_output_resume(struct sk_buff *skb, int err)
124 if (!x) 124 if (!x)
125 return dst_output(skb); 125 return dst_output(skb);
126 126
127 err = nf_hook(x->inner_mode->afinfo->family, 127 err = nf_hook(skb->dst->ops->family,
128 NF_INET_POST_ROUTING, skb, 128 NF_INET_POST_ROUTING, skb,
129 NULL, skb->dst->dev, xfrm_output2); 129 NULL, skb->dst->dev, xfrm_output2);
130 if (unlikely(err != 1)) 130 if (unlikely(err != 1))
@@ -193,4 +193,20 @@ int xfrm_output(struct sk_buff *skb)
193 193
194 return xfrm_output2(skb); 194 return xfrm_output2(skb);
195} 195}
196
197int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
198{
199 struct xfrm_mode *inner_mode;
200 if (x->sel.family == AF_UNSPEC)
201 inner_mode = xfrm_ip2inner_mode(x,
202 xfrm_af2proto(skb->dst->ops->family));
203 else
204 inner_mode = x->inner_mode;
205
206 if (inner_mode == NULL)
207 return -EAFNOSUPPORT;
208 return inner_mode->afinfo->extract_output(x, skb);
209}
210
196EXPORT_SYMBOL_GPL(xfrm_output); 211EXPORT_SYMBOL_GPL(xfrm_output);
212EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 7ba65e82941c..58f1f9347b54 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -388,6 +388,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
388 kfree(x->coaddr); 388 kfree(x->coaddr);
389 if (x->inner_mode) 389 if (x->inner_mode)
390 xfrm_put_mode(x->inner_mode); 390 xfrm_put_mode(x->inner_mode);
391 if (x->inner_mode_iaf)
392 xfrm_put_mode(x->inner_mode_iaf);
391 if (x->outer_mode) 393 if (x->outer_mode)
392 xfrm_put_mode(x->outer_mode); 394 xfrm_put_mode(x->outer_mode);
393 if (x->type) { 395 if (x->type) {
@@ -523,6 +525,8 @@ struct xfrm_state *xfrm_state_alloc(void)
523 x->lft.hard_packet_limit = XFRM_INF; 525 x->lft.hard_packet_limit = XFRM_INF;
524 x->replay_maxage = 0; 526 x->replay_maxage = 0;
525 x->replay_maxdiff = 0; 527 x->replay_maxdiff = 0;
528 x->inner_mode = NULL;
529 x->inner_mode_iaf = NULL;
526 spin_lock_init(&x->lock); 530 spin_lock_init(&x->lock);
527 } 531 }
528 return x; 532 return x;
@@ -796,7 +800,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
796 selector. 800 selector.
797 */ 801 */
798 if (x->km.state == XFRM_STATE_VALID) { 802 if (x->km.state == XFRM_STATE_VALID) {
799 if (!xfrm_selector_match(&x->sel, fl, x->sel.family) || 803 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
800 !security_xfrm_state_pol_flow_match(x, pol, fl)) 804 !security_xfrm_state_pol_flow_match(x, pol, fl))
801 continue; 805 continue;
802 if (!best || 806 if (!best ||
@@ -1944,6 +1948,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1944int xfrm_init_state(struct xfrm_state *x) 1948int xfrm_init_state(struct xfrm_state *x)
1945{ 1949{
1946 struct xfrm_state_afinfo *afinfo; 1950 struct xfrm_state_afinfo *afinfo;
1951 struct xfrm_mode *inner_mode;
1947 int family = x->props.family; 1952 int family = x->props.family;
1948 int err; 1953 int err;
1949 1954
@@ -1962,13 +1967,48 @@ int xfrm_init_state(struct xfrm_state *x)
1962 goto error; 1967 goto error;
1963 1968
1964 err = -EPROTONOSUPPORT; 1969 err = -EPROTONOSUPPORT;
1965 x->inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
1966 if (x->inner_mode == NULL)
1967 goto error;
1968 1970
1969 if (!(x->inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && 1971 if (x->sel.family != AF_UNSPEC) {
1970 family != x->sel.family) 1972 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
1971 goto error; 1973 if (inner_mode == NULL)
1974 goto error;
1975
1976 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
1977 family != x->sel.family) {
1978 xfrm_put_mode(inner_mode);
1979 goto error;
1980 }
1981
1982 x->inner_mode = inner_mode;
1983 } else {
1984 struct xfrm_mode *inner_mode_iaf;
1985
1986 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
1987 if (inner_mode == NULL)
1988 goto error;
1989
1990 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
1991 xfrm_put_mode(inner_mode);
1992 goto error;
1993 }
1994
1995 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
1996 if (inner_mode_iaf == NULL)
1997 goto error;
1998
1999 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2000 xfrm_put_mode(inner_mode_iaf);
2001 goto error;
2002 }
2003
2004 if (x->props.family == AF_INET) {
2005 x->inner_mode = inner_mode;
2006 x->inner_mode_iaf = inner_mode_iaf;
2007 } else {
2008 x->inner_mode = inner_mode_iaf;
2009 x->inner_mode_iaf = inner_mode;
2010 }
2011 }
1972 2012
1973 x->type = xfrm_get_type(x->id.proto, family); 2013 x->type = xfrm_get_type(x->id.proto, family);
1974 if (x->type == NULL) 2014 if (x->type == NULL)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index f971ca5645f8..5d96f2728dc6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -288,12 +288,9 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
288 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); 288 memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
289 x->props.flags = p->flags; 289 x->props.flags = p->flags;
290 290
291 /* 291 if (x->props.mode == XFRM_MODE_TRANSPORT)
292 * Set inner address family if the KM left it as zero.
293 * See comment in validate_tmpl.
294 */
295 if (!x->sel.family)
296 x->sel.family = p->family; 292 x->sel.family = p->family;
293
297} 294}
298 295
299/* 296/*