Commit c82f963e authored by Miika Komu's avatar Miika Komu Committed by David S. Miller

[IPSEC]: IPv6 over IPv4 IPsec tunnel

This is the patch to support IPv6 over IPv4 IPsec
Signed-off-by: default avatarMiika Komu <miika@iki.fi>
Signed-off-by: default avatarDiego Beltrami <Diego.Beltrami@hiit.fi>
Signed-off-by: default avatarKazunori Miyazawa <miyazawa@linux-ipv6.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cdca7265
...@@ -23,6 +23,12 @@ static inline void ipip_ecn_decapsulate(struct sk_buff *skb) ...@@ -23,6 +23,12 @@ static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
IP_ECN_set_ce(inner_iph); IP_ECN_set_ce(inner_iph);
} }
static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
{
if (INET_ECN_is_ce(iph->tos))
IP6_ECN_set_ce(skb->nh.ipv6h);
}
/* Add encapsulation header. /* Add encapsulation header.
* *
* The top IP header will be constructed per RFC 2401. The following fields * The top IP header will be constructed per RFC 2401. The following fields
...@@ -36,6 +42,7 @@ static inline void ipip_ecn_decapsulate(struct sk_buff *skb) ...@@ -36,6 +42,7 @@ static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb) static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
{ {
struct dst_entry *dst = skb->dst; struct dst_entry *dst = skb->dst;
struct xfrm_dst *xdst = (struct xfrm_dst*)dst;
struct iphdr *iph, *top_iph; struct iphdr *iph, *top_iph;
int flags; int flags;
...@@ -48,15 +55,27 @@ static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -48,15 +55,27 @@ static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
top_iph->ihl = 5; top_iph->ihl = 5;
top_iph->version = 4; top_iph->version = 4;
flags = x->props.flags;
/* DS disclosed */ /* DS disclosed */
if (xdst->route->ops->family == AF_INET) {
top_iph->protocol = IPPROTO_IPIP;
top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos); top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
0 : (iph->frag_off & htons(IP_DF));
}
#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
else {
struct ipv6hdr *ipv6h = (struct ipv6hdr*)iph;
top_iph->protocol = IPPROTO_IPV6;
top_iph->tos = INET_ECN_encapsulate(iph->tos, ipv6_get_dsfield(ipv6h));
top_iph->frag_off = 0;
}
#endif
flags = x->props.flags;
if (flags & XFRM_STATE_NOECN) if (flags & XFRM_STATE_NOECN)
IP_ECN_clear(top_iph); IP_ECN_clear(top_iph);
top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
0 : (iph->frag_off & htons(IP_DF));
if (!top_iph->frag_off) if (!top_iph->frag_off)
__ip_select_ident(top_iph, dst->child, 0); __ip_select_ident(top_iph, dst->child, 0);
...@@ -64,7 +83,6 @@ static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -64,7 +83,6 @@ static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
top_iph->saddr = x->props.saddr.a4; top_iph->saddr = x->props.saddr.a4;
top_iph->daddr = x->id.daddr.a4; top_iph->daddr = x->id.daddr.a4;
top_iph->protocol = IPPROTO_IPIP;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
return 0; return 0;
...@@ -75,8 +93,16 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -75,8 +93,16 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
struct iphdr *iph = skb->nh.iph; struct iphdr *iph = skb->nh.iph;
int err = -EINVAL; int err = -EINVAL;
if (iph->protocol != IPPROTO_IPIP) switch(iph->protocol){
case IPPROTO_IPIP:
#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
case IPPROTO_IPV6:
break;
#endif
default:
goto out; goto out;
}
if (!pskb_may_pull(skb, sizeof(struct iphdr))) if (!pskb_may_pull(skb, sizeof(struct iphdr)))
goto out; goto out;
...@@ -84,10 +110,19 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -84,10 +110,19 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
(err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC))) (err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
goto out; goto out;
if (iph->protocol == IPPROTO_IPIP) {
if (x->props.flags & XFRM_STATE_DECAP_DSCP) if (x->props.flags & XFRM_STATE_DECAP_DSCP)
ipv4_copy_dscp(iph, skb->h.ipiph); ipv4_copy_dscp(iph, skb->h.ipiph);
if (!(x->props.flags & XFRM_STATE_NOECN)) if (!(x->props.flags & XFRM_STATE_NOECN))
ipip_ecn_decapsulate(skb); ipip_ecn_decapsulate(skb);
}
#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
else {
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip6_ecn_decapsulate(iph, skb);
skb->protocol = htons(ETH_P_IPV6);
}
#endif
skb->mac.raw = memmove(skb->data - skb->mac_len, skb->mac.raw = memmove(skb->data - skb->mac_len,
skb->mac.raw, skb->mac_len); skb->mac.raw, skb->mac_len);
skb->nh.raw = skb->data; skb->nh.raw = skb->data;
......
...@@ -131,13 +131,11 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int ...@@ -131,13 +131,11 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
struct dst_entry *dst, *dst_prev; struct dst_entry *dst, *dst_prev;
struct rt6_info *rt0 = (struct rt6_info*)(*dst_p); struct rt6_info *rt0 = (struct rt6_info*)(*dst_p);
struct rt6_info *rt = rt0; struct rt6_info *rt = rt0;
struct in6_addr *remote = &fl->fl6_dst;
struct in6_addr *local = &fl->fl6_src;
struct flowi fl_tunnel = { struct flowi fl_tunnel = {
.nl_u = { .nl_u = {
.ip6_u = { .ip6_u = {
.saddr = *local, .saddr = fl->fl6_src,
.daddr = *remote .daddr = fl->fl6_dst,
} }
} }
}; };
...@@ -153,7 +151,6 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int ...@@ -153,7 +151,6 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
for (i = 0; i < nx; i++) { for (i = 0; i < nx; i++) {
struct dst_entry *dst1 = dst_alloc(&xfrm6_dst_ops); struct dst_entry *dst1 = dst_alloc(&xfrm6_dst_ops);
struct xfrm_dst *xdst; struct xfrm_dst *xdst;
int tunnel = 0;
if (unlikely(dst1 == NULL)) { if (unlikely(dst1 == NULL)) {
err = -ENOBUFS; err = -ENOBUFS;
...@@ -177,19 +174,27 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int ...@@ -177,19 +174,27 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
dst1->next = dst_prev; dst1->next = dst_prev;
dst_prev = dst1; dst_prev = dst1;
if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
remote = __xfrm6_bundle_addr_remote(xfrm[i], remote);
local = __xfrm6_bundle_addr_local(xfrm[i], local);
tunnel = 1;
}
__xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]); __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]);
trailer_len += xfrm[i]->props.trailer_len; trailer_len += xfrm[i]->props.trailer_len;
if (tunnel) { if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL) {
ipv6_addr_copy(&fl_tunnel.fl6_dst, remote); unsigned short encap_family = xfrm[i]->props.family;
ipv6_addr_copy(&fl_tunnel.fl6_src, local); switch(encap_family) {
case AF_INET:
fl_tunnel.fl4_dst = xfrm[i]->id.daddr.a4;
fl_tunnel.fl4_src = xfrm[i]->props.saddr.a4;
break;
case AF_INET6:
ipv6_addr_copy(&fl_tunnel.fl6_dst, (struct in6_addr*)&xfrm[i]->id.daddr.a6);
ipv6_addr_copy(&fl_tunnel.fl6_src, (struct in6_addr*)&xfrm[i]->props.saddr.a6);
break;
default:
BUG_ON(1);
}
err = xfrm_dst_lookup((struct xfrm_dst **) &rt, err = xfrm_dst_lookup((struct xfrm_dst **) &rt,
&fl_tunnel, AF_INET6); &fl_tunnel, encap_family);
if (err) if (err)
goto error; goto error;
} else } else
...@@ -208,6 +213,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int ...@@ -208,6 +213,7 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
i = 0; i = 0;
for (; dst_prev != &rt->u.dst; dst_prev = dst_prev->child) { for (; dst_prev != &rt->u.dst; dst_prev = dst_prev->child) {
struct xfrm_dst *x = (struct xfrm_dst*)dst_prev; struct xfrm_dst *x = (struct xfrm_dst*)dst_prev;
struct xfrm_state_afinfo *afinfo;
dst_prev->xfrm = xfrm[i++]; dst_prev->xfrm = xfrm[i++];
dst_prev->dev = rt->u.dst.dev; dst_prev->dev = rt->u.dst.dev;
...@@ -224,7 +230,17 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int ...@@ -224,7 +230,17 @@ __xfrm6_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
/* Copy neighbour for reachability confirmation */ /* Copy neighbour for reachability confirmation */
dst_prev->neighbour = neigh_clone(rt->u.dst.neighbour); dst_prev->neighbour = neigh_clone(rt->u.dst.neighbour);
dst_prev->input = rt->u.dst.input; dst_prev->input = rt->u.dst.input;
dst_prev->output = xfrm6_output; /* XXX: When IPv4 is implemented as module and can be unloaded,
* we should manage reference to xfrm4_output in afinfo->output.
* Miyazawa
*/
afinfo = xfrm_state_get_afinfo(dst_prev->xfrm->props.family);
if (!afinfo) {
dst = *dst_p;
goto error;
};
dst_prev->output = afinfo->output;
xfrm_state_put_afinfo(afinfo);
/* Sheit... I remember I did this right. Apparently, /* Sheit... I remember I did this right. Apparently,
* it was magically lost, so this code needs audit */ * it was magically lost, so this code needs audit */
x->u.rt6.rt6i_flags = rt0->rt6i_flags&(RTCF_BROADCAST|RTCF_MULTICAST|RTCF_LOCAL); x->u.rt6.rt6i_flags = rt0->rt6i_flags&(RTCF_BROADCAST|RTCF_MULTICAST|RTCF_LOCAL);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment