[IPSEC]: Added xfrm_decode_session_reverse and xfrmX_policy_check_reverse
RFC 4301 requires us to relookup ICMP traffic that does not match any policies using the reverse of its payload. This patch adds the functions xfrm_decode_session_reverse and xfrmX_policy_check_reverse so we can get the reverse flow to perform such a lookup. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
815f4e57e9
commit
d5422efe68
@ -114,6 +114,7 @@ enum
|
|||||||
XFRM_POLICY_IN = 0,
|
XFRM_POLICY_IN = 0,
|
||||||
XFRM_POLICY_OUT = 1,
|
XFRM_POLICY_OUT = 1,
|
||||||
XFRM_POLICY_FWD = 2,
|
XFRM_POLICY_FWD = 2,
|
||||||
|
XFRM_POLICY_MASK = 3,
|
||||||
XFRM_POLICY_MAX = 3
|
XFRM_POLICY_MAX = 3
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -239,7 +239,8 @@ struct xfrm_policy_afinfo {
|
|||||||
int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
|
int (*get_saddr)(xfrm_address_t *saddr, xfrm_address_t *daddr);
|
||||||
struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
|
struct dst_entry *(*find_bundle)(struct flowi *fl, struct xfrm_policy *policy);
|
||||||
void (*decode_session)(struct sk_buff *skb,
|
void (*decode_session)(struct sk_buff *skb,
|
||||||
struct flowi *fl);
|
struct flowi *fl,
|
||||||
|
int reverse);
|
||||||
int (*get_tos)(struct flowi *fl);
|
int (*get_tos)(struct flowi *fl);
|
||||||
int (*fill_dst)(struct xfrm_dst *xdst,
|
int (*fill_dst)(struct xfrm_dst *xdst,
|
||||||
struct net_device *dev);
|
struct net_device *dev);
|
||||||
@ -844,14 +845,23 @@ xfrm_state_addr_cmp(struct xfrm_tmpl *tmpl, struct xfrm_state *x, unsigned short
|
|||||||
#ifdef CONFIG_XFRM
|
#ifdef CONFIG_XFRM
|
||||||
extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
|
extern int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb, unsigned short family);
|
||||||
|
|
||||||
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
|
static inline int __xfrm_policy_check2(struct sock *sk, int dir,
|
||||||
|
struct sk_buff *skb,
|
||||||
|
unsigned int family, int reverse)
|
||||||
{
|
{
|
||||||
|
int ndir = dir | (reverse ? XFRM_POLICY_MASK + 1 : 0);
|
||||||
|
|
||||||
if (sk && sk->sk_policy[XFRM_POLICY_IN])
|
if (sk && sk->sk_policy[XFRM_POLICY_IN])
|
||||||
return __xfrm_policy_check(sk, dir, skb, family);
|
return __xfrm_policy_check(sk, ndir, skb, family);
|
||||||
|
|
||||||
return (!xfrm_policy_count[dir] && !skb->sp) ||
|
return (!xfrm_policy_count[dir] && !skb->sp) ||
|
||||||
(skb->dst->flags & DST_NOPOLICY) ||
|
(skb->dst->flags & DST_NOPOLICY) ||
|
||||||
__xfrm_policy_check(sk, dir, skb, family);
|
__xfrm_policy_check(sk, ndir, skb, family);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
|
||||||
|
{
|
||||||
|
return __xfrm_policy_check2(sk, dir, skb, family, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
|
static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb)
|
||||||
@ -864,7 +874,34 @@ static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *s
|
|||||||
return xfrm_policy_check(sk, dir, skb, AF_INET6);
|
return xfrm_policy_check(sk, dir, skb, AF_INET6);
|
||||||
}
|
}
|
||||||
|
|
||||||
extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family);
|
static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
|
||||||
|
struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
return __xfrm_policy_check2(sk, dir, skb, AF_INET, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
|
||||||
|
struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
return __xfrm_policy_check2(sk, dir, skb, AF_INET6, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
extern int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
|
||||||
|
unsigned int family, int reverse);
|
||||||
|
|
||||||
|
static inline int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
|
||||||
|
unsigned int family)
|
||||||
|
{
|
||||||
|
return __xfrm_decode_session(skb, fl, family, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
|
||||||
|
struct flowi *fl,
|
||||||
|
unsigned int family)
|
||||||
|
{
|
||||||
|
return __xfrm_decode_session(skb, fl, family, 1);
|
||||||
|
}
|
||||||
|
|
||||||
extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
|
extern int __xfrm_route_forward(struct sk_buff *skb, unsigned short family);
|
||||||
|
|
||||||
static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
|
static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
|
||||||
@ -925,6 +962,22 @@ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *sk
|
|||||||
{
|
{
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
static inline int xfrm_decode_session_reverse(struct sk_buff *skb,
|
||||||
|
struct flowi *fl,
|
||||||
|
unsigned int family)
|
||||||
|
{
|
||||||
|
return -ENOSYS;
|
||||||
|
}
|
||||||
|
static inline int xfrm4_policy_check_reverse(struct sock *sk, int dir,
|
||||||
|
struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
|
||||||
|
struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static __inline__
|
static __inline__
|
||||||
|
@ -115,7 +115,7 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
_decode_session4(struct sk_buff *skb, struct flowi *fl)
|
_decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
|
||||||
{
|
{
|
||||||
struct iphdr *iph = ip_hdr(skb);
|
struct iphdr *iph = ip_hdr(skb);
|
||||||
u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
|
u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
|
||||||
@ -131,8 +131,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl)
|
|||||||
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
|
if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
|
||||||
__be16 *ports = (__be16 *)xprth;
|
__be16 *ports = (__be16 *)xprth;
|
||||||
|
|
||||||
fl->fl_ip_sport = ports[0];
|
fl->fl_ip_sport = ports[!!reverse];
|
||||||
fl->fl_ip_dport = ports[1];
|
fl->fl_ip_dport = ports[!reverse];
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -174,8 +174,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
fl->proto = iph->protocol;
|
fl->proto = iph->protocol;
|
||||||
fl->fl4_dst = iph->daddr;
|
fl->fl4_dst = reverse ? iph->saddr : iph->daddr;
|
||||||
fl->fl4_src = iph->saddr;
|
fl->fl4_src = reverse ? iph->daddr : iph->saddr;
|
||||||
fl->fl4_tos = iph->tos;
|
fl->fl4_tos = iph->tos;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -123,7 +123,7 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static inline void
|
static inline void
|
||||||
_decode_session6(struct sk_buff *skb, struct flowi *fl)
|
_decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
|
||||||
{
|
{
|
||||||
u16 offset = skb_network_header_len(skb);
|
u16 offset = skb_network_header_len(skb);
|
||||||
struct ipv6hdr *hdr = ipv6_hdr(skb);
|
struct ipv6hdr *hdr = ipv6_hdr(skb);
|
||||||
@ -132,8 +132,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl)
|
|||||||
u8 nexthdr = nh[IP6CB(skb)->nhoff];
|
u8 nexthdr = nh[IP6CB(skb)->nhoff];
|
||||||
|
|
||||||
memset(fl, 0, sizeof(struct flowi));
|
memset(fl, 0, sizeof(struct flowi));
|
||||||
ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr);
|
ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr);
|
||||||
ipv6_addr_copy(&fl->fl6_src, &hdr->saddr);
|
ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr);
|
||||||
|
|
||||||
while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
|
while (pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
|
||||||
nh = skb_network_header(skb);
|
nh = skb_network_header(skb);
|
||||||
@ -156,8 +156,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl)
|
|||||||
if (pskb_may_pull(skb, nh + offset + 4 - skb->data)) {
|
if (pskb_may_pull(skb, nh + offset + 4 - skb->data)) {
|
||||||
__be16 *ports = (__be16 *)exthdr;
|
__be16 *ports = (__be16 *)exthdr;
|
||||||
|
|
||||||
fl->fl_ip_sport = ports[0];
|
fl->fl_ip_sport = ports[!!reverse];
|
||||||
fl->fl_ip_dport = ports[1];
|
fl->fl_ip_dport = ports[!reverse];
|
||||||
}
|
}
|
||||||
fl->proto = nexthdr;
|
fl->proto = nexthdr;
|
||||||
return;
|
return;
|
||||||
|
@ -1732,8 +1732,8 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
|
|||||||
return start;
|
return start;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
|
||||||
xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
|
unsigned int family, int reverse)
|
||||||
{
|
{
|
||||||
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
|
||||||
int err;
|
int err;
|
||||||
@ -1741,12 +1741,12 @@ xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family
|
|||||||
if (unlikely(afinfo == NULL))
|
if (unlikely(afinfo == NULL))
|
||||||
return -EAFNOSUPPORT;
|
return -EAFNOSUPPORT;
|
||||||
|
|
||||||
afinfo->decode_session(skb, fl);
|
afinfo->decode_session(skb, fl, reverse);
|
||||||
err = security_xfrm_decode_session(skb, &fl->secid);
|
err = security_xfrm_decode_session(skb, &fl->secid);
|
||||||
xfrm_policy_put_afinfo(afinfo);
|
xfrm_policy_put_afinfo(afinfo);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_decode_session);
|
EXPORT_SYMBOL(__xfrm_decode_session);
|
||||||
|
|
||||||
static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
|
static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
|
||||||
{
|
{
|
||||||
@ -1768,11 +1768,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
|||||||
int npols = 0;
|
int npols = 0;
|
||||||
int xfrm_nr;
|
int xfrm_nr;
|
||||||
int pi;
|
int pi;
|
||||||
|
int reverse;
|
||||||
struct flowi fl;
|
struct flowi fl;
|
||||||
u8 fl_dir = policy_to_flow_dir(dir);
|
u8 fl_dir;
|
||||||
int xerr_idx = -1;
|
int xerr_idx = -1;
|
||||||
|
|
||||||
if (xfrm_decode_session(skb, &fl, family) < 0)
|
reverse = dir & ~XFRM_POLICY_MASK;
|
||||||
|
dir &= XFRM_POLICY_MASK;
|
||||||
|
fl_dir = policy_to_flow_dir(dir);
|
||||||
|
|
||||||
|
if (__xfrm_decode_session(skb, &fl, family, reverse) < 0)
|
||||||
return 0;
|
return 0;
|
||||||
nf_nat_decode_session(skb, &fl, family);
|
nf_nat_decode_session(skb, &fl, family);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user