[IPSEC]: Fix inter address family IPsec tunnel handling.
Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Kazunori MIYAZAWA
David S. Miller
parent
fa86d322d8
commit
df9dcb4588
@ -204,6 +204,7 @@ struct xfrm_state
|
|||||||
* transformer. */
|
* transformer. */
|
||||||
const struct xfrm_type *type;
|
const struct xfrm_type *type;
|
||||||
struct xfrm_mode *inner_mode;
|
struct xfrm_mode *inner_mode;
|
||||||
|
struct xfrm_mode *inner_mode_iaf;
|
||||||
struct xfrm_mode *outer_mode;
|
struct xfrm_mode *outer_mode;
|
||||||
|
|
||||||
/* Security context */
|
/* Security context */
|
||||||
@ -387,6 +388,27 @@ enum {
|
|||||||
extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
|
extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
|
||||||
extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
|
extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
|
||||||
|
|
||||||
|
static inline int xfrm_af2proto(unsigned int family)
|
||||||
|
{
|
||||||
|
switch(family) {
|
||||||
|
case AF_INET:
|
||||||
|
return IPPROTO_IPIP;
|
||||||
|
case AF_INET6:
|
||||||
|
return IPPROTO_IPV6;
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
|
||||||
|
{
|
||||||
|
if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
|
||||||
|
(ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
|
||||||
|
return x->inner_mode;
|
||||||
|
else
|
||||||
|
return x->inner_mode_iaf;
|
||||||
|
}
|
||||||
|
|
||||||
struct xfrm_tmpl
|
struct xfrm_tmpl
|
||||||
{
|
{
|
||||||
/* id in template is interpreted as:
|
/* id in template is interpreted as:
|
||||||
@ -1253,6 +1275,7 @@ extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
|
|||||||
extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
|
extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
|
||||||
extern int xfrm_output_resume(struct sk_buff *skb, int err);
|
extern int xfrm_output_resume(struct sk_buff *skb, int err);
|
||||||
extern int xfrm_output(struct sk_buff *skb);
|
extern int xfrm_output(struct sk_buff *skb);
|
||||||
|
extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
|
||||||
extern int xfrm4_extract_header(struct sk_buff *skb);
|
extern int xfrm4_extract_header(struct sk_buff *skb);
|
||||||
extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
|
extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
|
||||||
extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
|
extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
|
||||||
|
|||||||
@ -41,7 +41,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
top_iph->ihl = 5;
|
top_iph->ihl = 5;
|
||||||
top_iph->version = 4;
|
top_iph->version = 4;
|
||||||
|
|
||||||
top_iph->protocol = x->inner_mode->afinfo->proto;
|
top_iph->protocol = xfrm_af2proto(skb->dst->ops->family);
|
||||||
|
|
||||||
/* DS disclosed */
|
/* DS disclosed */
|
||||||
top_iph->tos = INET_ECN_encapsulate(XFRM_MODE_SKB_CB(skb)->tos,
|
top_iph->tos = INET_ECN_encapsulate(XFRM_MODE_SKB_CB(skb)->tos,
|
||||||
|
|||||||
@ -56,7 +56,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
{
|
{
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
err = x->inner_mode->afinfo->extract_output(x, skb);
|
err = xfrm_inner_extract_output(x, skb);
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
|
|||||||
@ -45,7 +45,7 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
|
|
||||||
memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl,
|
memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl,
|
||||||
sizeof(top_iph->flow_lbl));
|
sizeof(top_iph->flow_lbl));
|
||||||
top_iph->nexthdr = x->inner_mode->afinfo->proto;
|
top_iph->nexthdr = xfrm_af2proto(skb->dst->ops->family);
|
||||||
|
|
||||||
dsfield = XFRM_MODE_SKB_CB(skb)->tos;
|
dsfield = XFRM_MODE_SKB_CB(skb)->tos;
|
||||||
dsfield = INET_ECN_encapsulate(dsfield, dsfield);
|
dsfield = INET_ECN_encapsulate(dsfield, dsfield);
|
||||||
|
|||||||
@ -62,7 +62,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
{
|
{
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
err = x->inner_mode->afinfo->extract_output(x, skb);
|
err = xfrm_inner_extract_output(x, skb);
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
|
|||||||
@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct sadb_msg *hdr,
|
|||||||
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
|
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!x->sel.family)
|
if (x->props.mode == XFRM_MODE_TRANSPORT)
|
||||||
x->sel.family = x->props.family;
|
x->sel.family = x->props.family;
|
||||||
|
|
||||||
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
|
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
|
||||||
|
|||||||
@ -84,14 +84,21 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
|
|||||||
|
|
||||||
int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
|
int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
|
struct xfrm_mode *inner_mode = x->inner_mode;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
err = x->outer_mode->afinfo->extract_input(x, skb);
|
err = x->outer_mode->afinfo->extract_input(x, skb);
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
skb->protocol = x->inner_mode->afinfo->eth_proto;
|
if (x->sel.family == AF_UNSPEC) {
|
||||||
return x->inner_mode->input2(x, skb);
|
inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
|
||||||
|
if (inner_mode == NULL)
|
||||||
|
return -EAFNOSUPPORT;
|
||||||
|
}
|
||||||
|
|
||||||
|
skb->protocol = inner_mode->afinfo->eth_proto;
|
||||||
|
return inner_mode->input2(x, skb);
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(xfrm_prepare_input);
|
EXPORT_SYMBOL(xfrm_prepare_input);
|
||||||
|
|
||||||
@ -101,6 +108,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
|
|||||||
__be32 seq;
|
__be32 seq;
|
||||||
struct xfrm_state *x;
|
struct xfrm_state *x;
|
||||||
xfrm_address_t *daddr;
|
xfrm_address_t *daddr;
|
||||||
|
struct xfrm_mode *inner_mode;
|
||||||
unsigned int family;
|
unsigned int family;
|
||||||
int decaps = 0;
|
int decaps = 0;
|
||||||
int async = 0;
|
int async = 0;
|
||||||
@ -207,7 +215,15 @@ resume:
|
|||||||
|
|
||||||
XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
|
XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
|
||||||
|
|
||||||
if (x->inner_mode->input(x, skb)) {
|
inner_mode = x->inner_mode;
|
||||||
|
|
||||||
|
if (x->sel.family == AF_UNSPEC) {
|
||||||
|
inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
|
||||||
|
if (inner_mode == NULL)
|
||||||
|
goto drop;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (inner_mode->input(x, skb)) {
|
||||||
XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR);
|
XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR);
|
||||||
goto drop;
|
goto drop;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -124,7 +124,7 @@ int xfrm_output_resume(struct sk_buff *skb, int err)
|
|||||||
if (!x)
|
if (!x)
|
||||||
return dst_output(skb);
|
return dst_output(skb);
|
||||||
|
|
||||||
err = nf_hook(x->inner_mode->afinfo->family,
|
err = nf_hook(skb->dst->ops->family,
|
||||||
NF_INET_POST_ROUTING, skb,
|
NF_INET_POST_ROUTING, skb,
|
||||||
NULL, skb->dst->dev, xfrm_output2);
|
NULL, skb->dst->dev, xfrm_output2);
|
||||||
if (unlikely(err != 1))
|
if (unlikely(err != 1))
|
||||||
@ -193,4 +193,20 @@ int xfrm_output(struct sk_buff *skb)
|
|||||||
|
|
||||||
return xfrm_output2(skb);
|
return xfrm_output2(skb);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
struct xfrm_mode *inner_mode;
|
||||||
|
if (x->sel.family == AF_UNSPEC)
|
||||||
|
inner_mode = xfrm_ip2inner_mode(x,
|
||||||
|
xfrm_af2proto(skb->dst->ops->family));
|
||||||
|
else
|
||||||
|
inner_mode = x->inner_mode;
|
||||||
|
|
||||||
|
if (inner_mode == NULL)
|
||||||
|
return -EAFNOSUPPORT;
|
||||||
|
return inner_mode->afinfo->extract_output(x, skb);
|
||||||
|
}
|
||||||
|
|
||||||
EXPORT_SYMBOL_GPL(xfrm_output);
|
EXPORT_SYMBOL_GPL(xfrm_output);
|
||||||
|
EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);
|
||||||
|
|||||||
@ -388,6 +388,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
|
|||||||
kfree(x->coaddr);
|
kfree(x->coaddr);
|
||||||
if (x->inner_mode)
|
if (x->inner_mode)
|
||||||
xfrm_put_mode(x->inner_mode);
|
xfrm_put_mode(x->inner_mode);
|
||||||
|
if (x->inner_mode_iaf)
|
||||||
|
xfrm_put_mode(x->inner_mode_iaf);
|
||||||
if (x->outer_mode)
|
if (x->outer_mode)
|
||||||
xfrm_put_mode(x->outer_mode);
|
xfrm_put_mode(x->outer_mode);
|
||||||
if (x->type) {
|
if (x->type) {
|
||||||
@ -523,6 +525,8 @@ struct xfrm_state *xfrm_state_alloc(void)
|
|||||||
x->lft.hard_packet_limit = XFRM_INF;
|
x->lft.hard_packet_limit = XFRM_INF;
|
||||||
x->replay_maxage = 0;
|
x->replay_maxage = 0;
|
||||||
x->replay_maxdiff = 0;
|
x->replay_maxdiff = 0;
|
||||||
|
x->inner_mode = NULL;
|
||||||
|
x->inner_mode_iaf = NULL;
|
||||||
spin_lock_init(&x->lock);
|
spin_lock_init(&x->lock);
|
||||||
}
|
}
|
||||||
return x;
|
return x;
|
||||||
@ -796,7 +800,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
|
|||||||
selector.
|
selector.
|
||||||
*/
|
*/
|
||||||
if (x->km.state == XFRM_STATE_VALID) {
|
if (x->km.state == XFRM_STATE_VALID) {
|
||||||
if (!xfrm_selector_match(&x->sel, fl, x->sel.family) ||
|
if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
|
||||||
!security_xfrm_state_pol_flow_match(x, pol, fl))
|
!security_xfrm_state_pol_flow_match(x, pol, fl))
|
||||||
continue;
|
continue;
|
||||||
if (!best ||
|
if (!best ||
|
||||||
@ -1944,6 +1948,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
|
|||||||
int xfrm_init_state(struct xfrm_state *x)
|
int xfrm_init_state(struct xfrm_state *x)
|
||||||
{
|
{
|
||||||
struct xfrm_state_afinfo *afinfo;
|
struct xfrm_state_afinfo *afinfo;
|
||||||
|
struct xfrm_mode *inner_mode;
|
||||||
int family = x->props.family;
|
int family = x->props.family;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
@ -1962,13 +1967,48 @@ int xfrm_init_state(struct xfrm_state *x)
|
|||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
err = -EPROTONOSUPPORT;
|
err = -EPROTONOSUPPORT;
|
||||||
x->inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
|
|
||||||
if (x->inner_mode == NULL)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
if (!(x->inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
|
if (x->sel.family != AF_UNSPEC) {
|
||||||
family != x->sel.family)
|
inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
|
||||||
goto error;
|
if (inner_mode == NULL)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
|
||||||
|
family != x->sel.family) {
|
||||||
|
xfrm_put_mode(inner_mode);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
x->inner_mode = inner_mode;
|
||||||
|
} else {
|
||||||
|
struct xfrm_mode *inner_mode_iaf;
|
||||||
|
|
||||||
|
inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
|
||||||
|
if (inner_mode == NULL)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
|
||||||
|
xfrm_put_mode(inner_mode);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
|
||||||
|
if (inner_mode_iaf == NULL)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
|
||||||
|
xfrm_put_mode(inner_mode_iaf);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (x->props.family == AF_INET) {
|
||||||
|
x->inner_mode = inner_mode;
|
||||||
|
x->inner_mode_iaf = inner_mode_iaf;
|
||||||
|
} else {
|
||||||
|
x->inner_mode = inner_mode_iaf;
|
||||||
|
x->inner_mode_iaf = inner_mode;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
x->type = xfrm_get_type(x->id.proto, family);
|
x->type = xfrm_get_type(x->id.proto, family);
|
||||||
if (x->type == NULL)
|
if (x->type == NULL)
|
||||||
|
|||||||
@ -288,12 +288,9 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
|
|||||||
memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
|
memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
|
||||||
x->props.flags = p->flags;
|
x->props.flags = p->flags;
|
||||||
|
|
||||||
/*
|
if (x->props.mode == XFRM_MODE_TRANSPORT)
|
||||||
* Set inner address family if the KM left it as zero.
|
|
||||||
* See comment in validate_tmpl.
|
|
||||||
*/
|
|
||||||
if (!x->sel.family)
|
|
||||||
x->sel.family = p->family;
|
x->sel.family = p->family;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user