net/ipv4/xfrm4_input.c

   1 /*
   2  * xfrm4_input.c
   3  *
   4  * Changes:
   5  *      YOSHIFUJI Hideaki @USAGI
   6  *              Split up af-specific portion
   7  *      Derek Atkins <derek@ihtfp.com>
   8  *              Add Encapsulation support
   9  *
  10  */
  11
  12 #include <linux/module.h>
  13 #include <linux/string.h>
  14 #include <net/inet_ecn.h>
  15 #include <net/ip.h>
  16 #include <net/xfrm.h>
  17
  18 int xfrm4_rcv(struct sk_buff *skb)
  19 {
  20         return xfrm4_rcv_encap(skb, 0);
  21 }
  22
  23 EXPORT_SYMBOL(xfrm4_rcv);
  24
  25 static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
  26 {
  27         struct iphdr *outer_iph = skb->nh.iph;
  28         struct iphdr *inner_iph = skb->h.ipiph;
  29
  30         if (INET_ECN_is_ce(outer_iph->tos))
  31                 IP_ECN_set_ce(inner_iph);
  32 }
  33
  34 static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
  35 {
  36         switch (nexthdr) {
  37         case IPPROTO_IPIP:
  38                 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
  39                         return -EINVAL;
  40                 *spi = skb->nh.iph->saddr;
  41                 *seq = 0;
  42                 return 0;
  43         }
  44
  45         return xfrm_parse_spi(skb, nexthdr, spi, seq);
  46 }
  47
  48 int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
  49 {
  50         int err;
  51         u32 spi, seq;
  52         struct sec_decap_state xfrm_vec[XFRM_MAX_DEPTH];
  53         struct xfrm_state *x;
  54         int xfrm_nr = 0;
  55         int decaps = 0;
  56
  57         if ((err = xfrm4_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) != 0)
  58                 goto drop;
  59
  60         do {
  61                 struct iphdr *iph = skb->nh.iph;
  62
  63                 if (xfrm_nr == XFRM_MAX_DEPTH)
  64                         goto drop;
  65
  66                 x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, iph->protocol, AF_INET);
  67                 if (x == NULL)
  68                         goto drop;
  69
  70                 spin_lock(&x->lock);
  71                 if (unlikely(x->km.state != XFRM_STATE_VALID))
  72                         goto drop_unlock;
  73
  74                 if (x->props.replay_window && xfrm_replay_check(x, seq))
  75                         goto drop_unlock;
  76
  77                 if (xfrm_state_check_expire(x))
  78                         goto drop_unlock;
  79
  80                 xfrm_vec[xfrm_nr].decap.decap_type = encap_type;
  81                 if (x->type->input(x, &(xfrm_vec[xfrm_nr].decap), skb))
  82                         goto drop_unlock;
  83
  84                 /* only the first xfrm gets the encap type */
  85                 encap_type = 0;
  86
  87                 if (x->props.replay_window)
  88                         xfrm_replay_advance(x, seq);
  89
  90                 x->curlft.bytes += skb->len;
  91                 x->curlft.packets++;
  92
  93                 spin_unlock(&x->lock);
  94
  95                 xfrm_vec[xfrm_nr++].xvec = x;
  96
  97                 iph = skb->nh.iph;
  98
  99                 if (x->props.mode) {
 100                         if (iph->protocol != IPPROTO_IPIP)
 101                                 goto drop;
 102                         if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 103                                 goto drop;
 104                         if (skb_cloned(skb) &&
 105                             pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
 106                                 goto drop;
 107                         if (x->props.flags & XFRM_STATE_DECAP_DSCP)
 108                                 ipv4_copy_dscp(iph, skb->h.ipiph);
 109                         if (!(x->props.flags & XFRM_STATE_NOECN))
 110                                 ipip_ecn_decapsulate(skb);
 111                         skb->mac.raw = memmove(skb->data - skb->mac_len,
 112                                                skb->mac.raw, skb->mac_len);
 113                         skb->nh.raw = skb->data;
 114                         memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
 115                         decaps = 1;
 116                         break;
 117                 }
 118
 119                 if ((err = xfrm_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) < 0)
 120                         goto drop;
 121         } while (!err);
 122
 123         /* Allocate new secpath or COW existing one. */
 124
 125         if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
 126                 struct sec_path *sp;
 127                 sp = secpath_dup(skb->sp);
 128                 if (!sp)
 129                         goto drop;
 130                 if (skb->sp)
 131                         secpath_put(skb->sp);
 132                 skb->sp = sp;
 133         }
 134         if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
 135                 goto drop;
 136
 137         memcpy(skb->sp->x+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(struct sec_decap_state));
 138         skb->sp->len += xfrm_nr;
 139
 140         if (decaps) {
 141                 if (!(skb->dev->flags&IFF_LOOPBACK)) {
 142                         dst_release(skb->dst);
 143                         skb->dst = NULL;
 144                 }
 145                 netif_rx(skb);
 146                 return 0;
 147         } else {
 148                 return -skb->nh.iph->protocol;
 149         }
 150
 151 drop_unlock:
 152         spin_unlock(&x->lock);
 153         xfrm_state_put(x);
 154 drop:
 155         while (--xfrm_nr >= 0)
 156                 xfrm_state_put(xfrm_vec[xfrm_nr].xvec);
 157
 158         kfree_skb(skb);
 159         return 0;
 160 }