1 |
/* |
2 |
* IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c |
3 |
* Copyright (C) 1996, 1997 John Ioannidis. |
4 |
* Copyright (C) 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs. |
5 |
* |
6 |
* This program is free software; you can redistribute it and/or modify it |
7 |
* under the terms of the GNU General Public License as published by the |
8 |
* Free Software Foundation; either version 2 of the License, or (at your |
9 |
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
10 |
* |
11 |
* This program is distributed in the hope that it will be useful, but |
12 |
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
13 |
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
14 |
* for more details. |
15 |
*/ |
16 |
|
17 |
/* RCS id of this translation unit, kept as data so it survives into the built object. */
char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.200.16.1 2003/04/05 14:36:08 mcr Exp $";
18 |
|
19 |
#define __NO_VERSION__ |
20 |
#include <linux/module.h> |
21 |
#include <linux/config.h> /* for CONFIG_IP_FORWARD */ |
22 |
#include <linux/version.h> |
23 |
#include <linux/kernel.h> /* printk() */ |
24 |
|
25 |
#include "freeswan/ipsec_param.h" |
26 |
|
27 |
#ifdef MALLOC_SLAB |
28 |
# include <linux/slab.h> /* kmalloc() */ |
29 |
#else /* MALLOC_SLAB */ |
30 |
# include <linux/malloc.h> /* kmalloc() */ |
31 |
#endif /* MALLOC_SLAB */ |
32 |
#include <linux/errno.h> /* error codes */ |
33 |
#include <linux/types.h> /* size_t */ |
34 |
#include <linux/interrupt.h> /* mark_bh */ |
35 |
|
36 |
#include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */ |
37 |
#include <linux/etherdevice.h> /* eth_type_trans */ |
38 |
#include <linux/ip.h> /* struct iphdr */ |
39 |
#include <linux/tcp.h> /* struct tcphdr */ |
40 |
#include <linux/udp.h> /* struct udphdr */ |
41 |
#include <linux/skbuff.h> |
42 |
#include <freeswan.h> |
43 |
#ifdef NET_21 |
44 |
# define MSS_HACK_ /* experimental */ |
45 |
# include <asm/uaccess.h> |
46 |
# include <linux/in6.h> |
47 |
# define ip_chk_addr inet_addr_type |
48 |
# define IS_MYADDR RTN_LOCAL |
49 |
# include <net/dst.h> |
50 |
# undef dev_kfree_skb |
51 |
# define dev_kfree_skb(a,b) kfree_skb(a) |
52 |
# define proto_priv cb |
53 |
# define PHYSDEV_TYPE |
54 |
#endif /* NET_21 */ |
55 |
#include <asm/checksum.h> |
56 |
#include <net/icmp.h> /* icmp_send() */ |
57 |
#include <net/ip.h> |
58 |
#ifdef NETDEV_23 |
59 |
# include <linux/netfilter_ipv4.h> |
60 |
#endif /* NETDEV_23 */ |
61 |
|
62 |
#include <linux/if_arp.h> |
63 |
#ifdef MSS_HACK |
64 |
# include <net/tcp.h> /* TCP options */ |
65 |
#endif /* MSS_HACK */ |
66 |
|
67 |
#include "freeswan/radij.h" |
68 |
#include "freeswan/ipsec_life.h" |
69 |
#include "freeswan/ipsec_xform.h" |
70 |
#include "freeswan/ipsec_eroute.h" |
71 |
#include "freeswan/ipsec_encap.h" |
72 |
#include "freeswan/ipsec_radij.h" |
73 |
#include "freeswan/ipsec_netlink.h" |
74 |
#include "freeswan/ipsec_sa.h" |
75 |
#include "freeswan/ipsec_tunnel.h" |
76 |
#include "freeswan/ipsec_ipe4.h" |
77 |
#include "freeswan/ipsec_ah.h" |
78 |
#include "freeswan/ipsec_esp.h" |
79 |
|
80 |
#ifdef CONFIG_IPSEC_IPCOMP |
81 |
#include "freeswan/ipcomp.h" |
82 |
#endif /* CONFIG_IPSEC_IPCOMP */ |
83 |
|
84 |
#include <pfkeyv2.h> |
85 |
#include <pfkey.h> |
86 |
|
87 |
#include "freeswan/ipsec_proto.h" |
88 |
|
89 |
|
90 |
/* |
91 |
* Stupid differences between kernel APIs. Not only do some |
92 |
* kernels not have ip_select_ident, but some have differing APIs, |
93 |
* and SuSE has one with one parameter, but no way of checking to |
94 |
* see what is really what. |
95 |
*/ |
96 |
|
97 |
#ifdef SUSE_LINUX_2_4_19_IS_STUPID |
98 |
#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph) |
99 |
#else |
100 |
|
101 |
/* simplest case, nothing */ |
102 |
#if !defined(IP_SELECT_IDENT) |
103 |
#define KLIPS_IP_SELECT_IDENT(iph, skb) do { iph->id = htons(ip_id_count++); } while(0) |
104 |
#endif |
105 |
|
106 |
/* kernels > 2.3.37-ish */ |
107 |
#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW) |
108 |
#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst) |
109 |
#endif |
110 |
|
111 |
/* kernels > 2.4.2 */ |
112 |
#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW) |
113 |
#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL) |
114 |
#endif |
115 |
|
116 |
#endif |
117 |
|
118 |
|
119 |
static __u32 zeroes[64];	/* not referenced in the part of the file visible here; presumably zero padding used further down */

#ifdef CONFIG_IPSEC_DEBUG
int debug_tunnel = 0;			/* DB_TN_* bit mask tested by the KLIPS_PRINT calls in this file */
int sysctl_ipsec_debug_verbose = 0;	/* non-zero: ipsec_print_ip() also hex-dumps the bytes after the IP header */
#endif /* CONFIG_IPSEC_DEBUG */

int sysctl_ipsec_icmp = 0;	/* presumably sysctl knobs (name only); neither is read in the part of the file visible here */
int sysctl_ipsec_tos = 0;
128 |
|
129 |
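/*
 * If the IP packet (iph) is carrying TCP/UDP, then set the encaps
 * source and destination ports to those from the TCP/UDP header;
 * otherwise zero them.
 *
 * Only the first fragment of a datagram carries the transport header,
 * so a non-initial fragment (non-zero fragment offset) gets zero
 * ports instead of whatever payload bytes happen to sit at the
 * transport-header offset.  This mirrors the fragment-offset test the
 * UDP/500 detection in ipsec_tunnel_start_xmit makes before it reads
 * ports.
 *
 * iph must point at a complete IPv4 header, and for TCP/UDP the buffer
 * behind it must extend at least 4 bytes past iph->ihl*4: this routine
 * is given no length to check against, so that is the caller's job.
 */
static void extract_ports(struct iphdr * iph, struct sockaddr_encap * er)
{
	const struct udphdr *udp;

	switch (iph->protocol) {
	case IPPROTO_UDP:
	case IPPROTO_TCP:
		/* A later fragment has no transport header to read from. */
		if ((ntohs(iph->frag_off) & IP_OFFSET) != 0) {
			break;
		}
		/*
		 * The ports are at the same offsets in a TCP and UDP
		 * header so hack it ...
		 */
		udp = (const struct udphdr *)(((char *)iph) + (iph->ihl << 2));
		er->sen_sport = udp->source;
		er->sen_dport = udp->dest;
		return;
	default:
		break;
	}
	er->sen_sport = 0;
	er->sen_dport = 0;
}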
154 |
|
155 |
/*
 * A TRAP eroute is installed and we want to replace it with a HOLD
 * eroute.
 *
 * Builds an eroute keyed on exactly this packet's source, destination,
 * protocol and (for TCP/UDP) ports, pointing at the %hold shunt SA,
 * removes whatever eroute currently covers that key (discarding any
 * packets it hands back) and installs the new one with skb attached.
 *
 * skb        packet to park in the HOLD eroute; it is passed to
 *            ipsec_makeroute(), which presumably keeps it -- confirm
 *            ownership there before freeing it in a caller
 * iph        the packet's IP header
 * eroute_pid pid recorded as the eroute's owner
 *
 * Returns 1 when ipsec_makeroute() succeeded, 0 when it failed.
 */
static int create_hold_eroute(struct sk_buff * skb, struct iphdr * iph,
			      uint32_t eroute_pid)
{
	struct eroute hold;
	struct sa_id hold_said;
	struct sk_buff *held_head = NULL;	/* packets handed back by ipsec_breakroute() */
	struct sk_buff *held_tail = NULL;
	int rc;

	memset((caddr_t)&hold, 0, sizeof(hold));
	memset((caddr_t)&hold_said, 0, sizeof(hold_said));

	/* The shunt SA the new eroute resolves to: %hold. */
	hold_said.proto = IPPROTO_INT;
	hold_said.spi = htonl(SPI_HOLD);
	hold_said.dst.s_addr = INADDR_ANY;

	/* Selector: this packet's exact addresses, protocol and ports. */
	hold.er_eaddr.sen_len = sizeof(struct sockaddr_encap);
	hold.er_eaddr.sen_family = AF_ENCAP;
	hold.er_eaddr.sen_type = SENT_IP4;
	hold.er_eaddr.sen_ip_src.s_addr = iph->saddr;
	hold.er_eaddr.sen_ip_dst.s_addr = iph->daddr;
	hold.er_eaddr.sen_proto = iph->protocol;
	extract_ports(iph, &hold.er_eaddr);

	/*
	 * Mask: all-ones on type, both addresses and both ports so only
	 * that exact flow matches.  (The sen_proto mask stays zero from
	 * the memset above.)
	 */
	hold.er_emask.sen_len = sizeof(struct sockaddr_encap);
	hold.er_emask.sen_family = AF_ENCAP;
	hold.er_emask.sen_type = 255;
	hold.er_emask.sen_ip_src.s_addr = INADDR_BROADCAST;
	hold.er_emask.sen_ip_dst.s_addr = INADDR_BROADCAST;
	hold.er_emask.sen_sport = ~0;
	hold.er_emask.sen_dport = ~0;

	hold.er_pid = eroute_pid;
	hold.er_count = 0;
	hold.er_lasttime = jiffies/HZ;	/* seconds since boot */

#ifdef CONFIG_IPSEC_DEBUG
	if (debug_pfkey) {
		char src_txt[64], dst_txt[64];
		subnettoa(hold.er_eaddr.sen_ip_src,
			  hold.er_emask.sen_ip_src, 0, src_txt, sizeof(src_txt));
		subnettoa(hold.er_eaddr.sen_ip_dst,
			  hold.er_emask.sen_ip_dst, 0, dst_txt, sizeof(dst_txt));
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:ipsec_tunnel_start_xmit: "
			    "calling breakeroute and makeroute for %s:%d->%s:%d %d HOLD eroute.\n",
			    src_txt, ntohs(hold.er_eaddr.sen_sport),
			    dst_txt, ntohs(hold.er_eaddr.sen_dport),
			    hold.er_eaddr.sen_proto);
	}
#endif /* CONFIG_IPSEC_DEBUG */

	/* Delete the eroute currently covering this key, if there is one. */
	rc = ipsec_breakroute(&(hold.er_eaddr), &(hold.er_emask),
			      &held_head, &held_tail);
	if (rc) {
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:ipsec_tunnel_start_xmit: "
			    "HOLD breakeroute found nothing.\n");
	} else {
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:ipsec_tunnel_start_xmit: "
			    "HOLD breakroute deleted %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u %u\n",
			    NIPQUAD(hold.er_eaddr.sen_ip_src),
			    ntohs(hold.er_eaddr.sen_sport),
			    NIPQUAD(hold.er_eaddr.sen_ip_dst),
			    ntohs(hold.er_eaddr.sen_dport),
			    hold.er_eaddr.sen_proto);
	}
	/* Anything the displaced eroute handed back is dropped, not re-queued. */
	if (held_head != NULL) {
		kfree_skb(held_head);
	}
	if (held_tail != NULL) {
		kfree_skb(held_tail);
	}

	rc = ipsec_makeroute(&(hold.er_eaddr),
			     &(hold.er_emask),
			     hold_said, eroute_pid, skb, NULL, NULL);
	if (rc) {
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:ipsec_tunnel_start_xmit: "
			    "HOLD makeroute returned %d, failed.\n", rc);
	} else {
		KLIPS_PRINT(debug_pfkey,
			    "klips_debug:ipsec_tunnel_start_xmit: "
			    "HOLD makeroute call successful.\n");
	}
	return rc == 0;
}
245 |
|
246 |
|
247 |
|
248 |
#ifdef CONFIG_IPSEC_DEBUG_ |
249 |
/*
 * Hex-dump len bytes starting at bb to the kernel log, 16 per line,
 * labelled with s.  Prints nothing unless debug_tunnel is non-zero.
 * Only compiled when CONFIG_IPSEC_DEBUG_ (note the trailing underscore)
 * is defined; otherwise dmp() is the empty macro in the #else branch.
 */
DEBUG_NO_STATIC void
dmp(char *s, caddr_t bb, int len)
{
	const unsigned char *bytes = (const unsigned char *)bb;
	int i;

	if (!debug_tunnel) {
		return;
	}
	printk(KERN_INFO "klips_debug:ipsec_tunnel_:dmp: "
	       "at %s, len=%d:",
	       s,
	       len);
	for (i = 0; i < len; i++) {
		if ((i % 16) == 0) {
			printk("\nklips_debug: ");
		}
		printk(" %02x", bytes[i]);
	}
	printk("\n");
}
269 |
#else /* CONFIG_IPSEC_DEBUG */ |
270 |
#define dmp(_x, _y, _z) |
271 |
#endif /* CONFIG_IPSEC_DEBUG */ |
272 |
|
273 |
#ifndef SKB_COPY_EXPAND |
274 |
/*
 * This is mostly skbuff.c:skb_copy().
 *
 * Allocate a new sk_buff whose buffer is skb's whole buffer (head..end)
 * with headroom extra bytes in front and tailroom extra bytes behind,
 * copy skb's buffer into it at offset headroom, and carry the
 * bookkeeping pointers and fields across, shifted by the same amount.
 *
 * skb       buffer to copy; not consumed
 * headroom  extra bytes to leave before the copied buffer
 * tailroom  extra bytes to leave after it
 * priority  allocation flags handed to alloc_skb()
 *
 * Returns the new buffer, or NULL on a negative room argument, an
 * allocation failure, or an internal size mismatch (each one logged).
 * The returned buffer belongs to the caller.
 */
struct sk_buff *
skb_copy_expand(struct sk_buff *skb, int headroom, int tailroom, int priority)
{
	struct sk_buff *n;
	unsigned long offset;	/* byte shift from skb's buffer to n's; added to every pointer carried over */

	/*
	 * Do sanity checking
	 * (given the first two tests the third is redundant: a signed
	 * overflow of the sum is undefined behaviour, not a negative
	 * value this test can rely on)
	 */
	if((headroom < 0) || (tailroom < 0) || ((headroom+tailroom) < 0)) {
		printk(KERN_WARNING
		       "klips_error:skb_copy_expand: "
		       "Illegal negative head,tailroom %d,%d\n",
		       headroom,
		       tailroom);
		return NULL;
	}
	/*
	 * Allocate the copy buffer: the whole of skb's buffer plus the
	 * requested extra room at each end.
	 */

#ifndef NET_21
	IS_SKB(skb);
#endif /* !NET_21 */


	n=alloc_skb(skb->end - skb->head + headroom + tailroom, priority);

	KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
		    "klips_debug:skb_copy_expand: "
		    "allocating %d bytes, head=0p%p data=0p%p tail=0p%p end=0p%p end-head=%d tail-data=%d\n",
		    skb->end - skb->head + headroom + tailroom,
		    skb->head,
		    skb->data,
		    skb->tail,
		    skb->end,
		    skb->end - skb->head,
		    skb->tail - skb->data);

	if(n==NULL)
		return NULL;

	/*
	 * Shift between the two data areas in bytes
	 */

	/* offset=n->head-skb->head; */ /* moved down a few lines */

	/* Set the data pointer: same position relative to the buffer start as in skb, plus the new headroom */
	skb_reserve(n,skb->data-skb->head+headroom);
	/* Set the tail pointer and length */
	if(skb_tailroom(n) < skb->len) {
		printk(KERN_WARNING "klips_error:skb_copy_expand: "
		       "tried to skb_put %ld, %d available. This should never happen, please report.\n",
		       (unsigned long int)skb->len,
		       skb_tailroom(n));
		dev_kfree_skb(n, FREE_WRITE);
		return NULL;
	}
	skb_put(n,skb->len);

	/* skb's buffer lands at n->head + headroom, so this is what skb-relative pointers must be moved by */
	offset=n->head + headroom - skb->head;

	/* Copy the bytes: the entire old buffer, unused slack included, not just the live data */
	memcpy(n->head + headroom, skb->head,skb->end-skb->head);
#ifdef NET_21
	n->csum=skb->csum;
	n->priority=skb->priority;
	n->dst=dst_clone(skb->dst);	/* n gets its own reference on the route */
	if(skb->nh.raw)
		n->nh.raw=skb->nh.raw+offset;
#ifndef NETDEV_23
	n->is_clone=0;
#endif /* NETDEV_23 */
	atomic_set(&n->users, 1);
	n->destructor = NULL;
	n->security=skb->security;
#else /* NET_21 */
	n->link3=NULL;
	n->when=skb->when;
	if(skb->ip_hdr)
		n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
	n->saddr=skb->saddr;
	n->daddr=skb->daddr;
	n->raddr=skb->raddr;
	n->seq=skb->seq;
	n->end_seq=skb->end_seq;
	n->ack_seq=skb->ack_seq;
	n->acked=skb->acked;
	n->free=1;
	n->arp=skb->arp;
	n->tries=0;
	n->lock=0;
	n->users=0;
#endif /* NET_21 */
	n->protocol=skb->protocol;
	n->list=NULL;
	n->sk=NULL;	/* the copy is not owned by any socket */
	n->dev=skb->dev;
	if(skb->h.raw)
		n->h.raw=skb->h.raw+offset;
	if(skb->mac.raw)
		n->mac.raw=skb->mac.raw+offset;
	memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
#ifndef NETDEV_23
	n->used=skb->used;
#endif /* !NETDEV_23 */
	n->pkt_type=skb->pkt_type;
	n->stamp=skb->stamp;

#ifndef NET_21
	IS_SKB(n);
#endif /* !NET_21 */
	return n;
}
392 |
#endif /* !SKB_COPY_EXPAND */ |
393 |
|
394 |
#ifdef CONFIG_IPSEC_DEBUG |
395 |
/*
 * Log the fields of the IPv4 header at ip on one line, followed by the
 * transport ports (UDP/TCP) or type:code (ICMP) found directly after
 * the header.  When sysctl_ipsec_debug_verbose is set, the bytes from
 * the end of the IP header up to ip->tot_len are hex-dumped as well,
 * 16 per line.
 *
 * NOTE(review): the dump trusts ip->tot_len and ip->ihl from the header
 * itself; nothing here bounds them against the buffer that actually
 * holds the packet, so only hand this a header whose length fields
 * have already been validated.
 */
void
ipsec_print_ip(struct iphdr *ip)
{
	char addr[ADDRTOA_BUF];
	caddr_t th = (caddr_t)ip + (ip->ihl << 2);	/* start of the transport header */

	printk(KERN_INFO "klips_debug: IP:");
	printk(" ihl:%d", ip->ihl << 2);
	printk(" ver:%d", ip->version);
	printk(" tos:%d", ip->tos);
	printk(" tlen:%d", ntohs(ip->tot_len));
	printk(" id:%d", ntohs(ip->id));
	printk(" %s%s%sfrag_off:%d",
	       ip->frag_off & __constant_htons(IP_CE) ? "CE " : "",
	       ip->frag_off & __constant_htons(IP_DF) ? "DF " : "",
	       ip->frag_off & __constant_htons(IP_MF) ? "MF " : "",
	       (ntohs(ip->frag_off) & IP_OFFSET) << 3);
	printk(" ttl:%d", ip->ttl);
	printk(" proto:%d", ip->protocol);
	switch (ip->protocol) {
	case IPPROTO_UDP:
		printk(" (UDP)");
		break;
	case IPPROTO_TCP:
		printk(" (TCP)");
		break;
	case IPPROTO_ICMP:
		printk(" (ICMP)");
		break;
	default:
		break;
	}
	printk(" chk:%d", ntohs(ip->check));

	addrtoa(*((struct in_addr*)(&ip->saddr)), 0, addr, sizeof(addr));
	printk(" saddr:%s", addr);
	switch (ip->protocol) {
	case IPPROTO_UDP:
		printk(":%d", ntohs(((struct udphdr*)th)->source));
		break;
	case IPPROTO_TCP:
		printk(":%d", ntohs(((struct tcphdr*)th)->source));
		break;
	default:
		break;
	}

	addrtoa(*((struct in_addr*)(&ip->daddr)), 0, addr, sizeof(addr));
	printk(" daddr:%s", addr);
	switch (ip->protocol) {
	case IPPROTO_UDP:
		printk(":%d", ntohs(((struct udphdr*)th)->dest));
		break;
	case IPPROTO_TCP:
		printk(":%d", ntohs(((struct tcphdr*)th)->dest));
		break;
	case IPPROTO_ICMP:
		printk(" type:code=%d:%d",
		       ((struct icmphdr*)th)->type,
		       ((struct icmphdr*)th)->code);
		break;
	default:
		break;
	}
	printk("\n");

	if(sysctl_ipsec_debug_verbose) {
		__u8 *payload = ((__u8*)ip) + ip->ihl*4;
		int payload_len = ntohs(ip->tot_len) - ip->ihl*4;	/* taken from the header, unchecked */
		int i;

		for(i = 0; i < payload_len; i++) {
			if(!(i % 16)) {
				printk(KERN_INFO
				       "klips_debug: @%03x:",
				       i);
			}
			printk(" %02x", payload[i]);
			if(!((i + 1) % 16)) {
				printk("\n");
			}
		}
		/* terminate a partial last line */
		if(i % 16) {
			printk("\n");
		}
	}
}
463 |
#endif /* CONFIG_IPSEC_DEBUG */ |
464 |
|
465 |
#ifdef REAL_LOCKING_P |
466 |
/* |
467 |
* Locking |
468 |
*/ |
469 |
|
470 |
#if 0 |
471 |
/*
 * Take the per-device lock in prv, sleeping until it is free.
 * Compiled out: this sits under "#if 0" inside REAL_LOCKING_P.
 *
 * Returns 0 without locking when called from interrupt context while
 * the lock is already held (sleeping is not possible there), and 1
 * once the lock has been taken.  Interrupts are disabled around the
 * test-and-set with save_flags()/cli() and restored before returning.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_lock(struct ipsecpriv *prv)
{
	unsigned long flags;
	save_flags(flags);
	cli();
	/*
	 * Lock in an interrupt may fail
	 */
	if(prv->locked && in_interrupt()) {
		restore_flags(flags);
		return 0;
	}
	/* NOTE(review): relies on cli() above to keep the locked test and the
	 * sleep from being split by a wake-up; confirm that still holds
	 * before re-enabling this code. */
	while(prv->locked)
		sleep_on(&prv->wait_queue);
	prv->locked=1;
	restore_flags(flags);
	return 1;
}
490 |
#endif |
491 |
|
492 |
#if 0 |
493 |
/*
 * Release the per-device lock taken by ipsec_tunnel_lock() and wake
 * any sleeper waiting for it.  Compiled out: "#if 0" inside
 * REAL_LOCKING_P.
 */
DEBUG_NO_STATIC void
ipsec_tunnel_unlock(struct ipsecpriv *prv)
{
	prv->locked=0;
	wake_up(&prv->wait_queue);
}
499 |
#endif |
500 |
#endif /* REAL_LOCKING_P */ |
501 |
|
502 |
/*
 * Network-device open hook for an ipsec virtual device.
 *
 * Refuses with -ENODEV while the virtual device has not been attached
 * to a physical one (prv->dev still NULL); otherwise takes a module
 * reference and returns 0.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_open(struct device *dev)
{
	struct ipsecpriv *priv = dev->priv;
	const char *attached_name = priv->dev ? priv->dev->name : "NONE";

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_open: "
		    "dev = %s, prv->dev = %s\n",
		    dev->name, attached_name);

	/* Can't open until attached. */
	if (priv->dev == NULL) {
		return -ENODEV;
	}

	MOD_INC_USE_COUNT;
	return 0;
}
522 |
|
523 |
/*
 * Network-device stop hook: drops the module reference taken by
 * ipsec_tunnel_open().  Never fails.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_close(struct device *dev)
{
	(void)dev;	/* nothing device-specific to tear down here */
	MOD_DEC_USE_COUNT;
	return 0;
}
529 |
|
530 |
#ifdef MSS_HACK |
531 |
/* |
532 |
* Issues: |
533 |
* 1) Fragments arriving in the tunnel should probably be rejected. |
534 |
* 2) How does this affect syncookies, mss_cache, dst cache ? |
535 |
* 3) Path MTU discovery handling needs to be reviewed. For example, |
536 |
* if we receive an ICMP 'packet too big' message from an intermediate |
537 |
* router specifying its next hop MTU, our stack may process this and |
538 |
* adjust the MSS without taking our AH/ESP overheads into account. |
539 |
*/ |
540 |
|
541 |
|
542 |
/*
 * Recalculate a checksum from the difference between the old and new
 * datum, borrowed from netfilter.
 *
 * oldvalinv  one's complement of the old 16/32-bit value, in network order
 * newval     the new value, in network order
 * oldcheck   the checksum field as it currently stands
 *
 * Returns the checksum adjusted for the change, ready to store back.
 */
DEBUG_NO_STATIC u_int16_t
ipsec_fast_csum(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
{
	u_int32_t delta[2];
	unsigned int partial;

	delta[0] = oldvalinv;
	delta[1] = newval;
	/* Start from the complement of the old checksum, fold the two words in, then fold back to 16 bits. */
	partial = csum_partial((char *)delta, sizeof(delta), oldcheck^0xFFFF);
	return csum_fold(partial);
}
553 |
|
554 |
/*
 * Determine effective MSS.
 *
 * Note that we assume that there is always an MSS option for our own
 * SYN segments, which is mentioned in tcp_syn_build_options(), kernel 2.2.x.
 * This could change, and we should probably parse TCP options instead.
 *
 * Overwrites the option word assumed to sit directly after the fixed
 * TCP header of tcph with an MSS option carrying the value
 * tcp_sync_mss() derives from mtu, and patches tcph->check for the
 * changed 16-bit MSS.  Always returns 1.
 *
 * Only compiled when MSS_HACK is defined; the header section of this
 * file defines MSS_HACK_ (trailing underscore), so it is currently off.
 *
 * NOTE(review): nothing here checks tcph->doff (that an option word
 * exists at all) or that the word really holds an MSS option before
 * its kind/length bytes are overwritten; the checksum fix-up covers
 * only the low 16 bits, so it is right only if kind/length were
 * already TCPOPT_MSS/TCPOLEN_MSS.  skb->sk is also passed on unchecked
 * although other code in this file treats a NULL skb->sk as normal.
 */
DEBUG_NO_STATIC u_int8_t
ipsec_adjust_mss(struct sk_buff *skb, struct tcphdr *tcph, u_int16_t mtu)
{
	u_int16_t oldmss, newmss;
	u_int32_t *mssp;
	struct sock *sk = skb->sk;

	newmss = tcp_sync_mss(sk, mtu);
	printk(KERN_INFO "klips: setting mss to %u\n", newmss);	/* logged unconditionally on every call */
	/* First 32-bit word after the fixed header: kind(8) len(8) mss(16). */
	mssp = (u_int32_t *)tcph + sizeof(struct tcphdr) / sizeof(u_int32_t);
	oldmss = ntohl(*mssp) & 0x0000FFFF;
	*mssp = htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) | newmss);
	/* Incremental checksum update: take out the old MSS, add the new one. */
	tcph->check = ipsec_fast_csum(htons(~oldmss),
				      htons(newmss), tcph->check);
	return 1;
}
578 |
#endif /* MSS_HACK */ |
579 |
|
580 |
#ifdef NETDEV_23 |
581 |
/*
 * NETDEV_23-only helper that hands a finished packet to ip_send() and
 * returns its result.  Its caller is further down the file (presumably
 * the continuation after a netfilter hook in ipsec_tunnel_start_xmit).
 */
static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
{
	int rc;

	rc = ip_send(skb);
	return rc;
}
585 |
#endif /* NETDEV_23 */ |
586 |
|
587 |
/* |
588 |
* This function assumes it is being called from dev_queue_xmit() |
589 |
* and that skb is filled properly by that function. |
590 |
*/ |
591 |
|
592 |
int |
593 |
ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev) |
594 |
{ |
595 |
struct ipsecpriv *prv; /* Our device' private space */ |
596 |
struct sk_buff *oskb = NULL; /* Original skb pointer */ |
597 |
struct net_device_stats *stats; /* This device's statistics */ |
598 |
struct iphdr *iph; /* Our new IP header */ |
599 |
__u32 newdst; /* The other SG's IP address */ |
600 |
__u32 orgdst; /* Original IP destination address */ |
601 |
__u32 orgedst; /* 1st SG's IP address */ |
602 |
__u32 newsrc; /* The new source SG's IP address */ |
603 |
__u32 orgsrc; /* Original IP source address */ |
604 |
__u32 innersrc; /* Innermost IP source address */ |
605 |
int iphlen; /* IP header length */ |
606 |
int pyldsz; /* upper protocol payload size */ |
607 |
int headroom; |
608 |
int tailroom; |
609 |
int max_headroom = 0; /* The extra header space needed */ |
610 |
int max_tailroom = 0; /* The extra stuffing needed */ |
611 |
int ll_headroom; /* The extra link layer hard_header space needed */ |
612 |
int tot_headroom = 0; /* The total header space needed */ |
613 |
int tot_tailroom = 0; /* The totalstuffing needed */ |
614 |
__u8 *saved_header = NULL; /* saved copy of the hard header */ |
615 |
int i; |
616 |
unsigned short sport,dport; |
617 |
|
618 |
struct sockaddr_encap matcher; /* eroute search key */ |
619 |
struct eroute *er; |
620 |
struct ipsec_sa *ipsp, *ipsq; /* ipsec_sa pointers */ |
621 |
char sa[SATOA_BUF]; |
622 |
size_t sa_len; |
623 |
int hard_header_stripped = 0; /* has the hard header been removed yet? */ |
624 |
int hard_header_len = 0; |
625 |
struct device *physdev; |
626 |
/* struct device *virtdev; */ |
627 |
short physmtu; |
628 |
short mtudiff; |
629 |
#ifdef NET_21 |
630 |
struct rtable *rt = NULL; |
631 |
#endif /* NET_21 */ |
632 |
struct sa_id outgoing_said; |
633 |
#ifdef NET_21 |
634 |
int pass = 0; |
635 |
#endif /* NET_21 */ |
636 |
int error = 0; |
637 |
uint32_t eroute_pid = 0; |
638 |
struct ipsec_sa ips; |
639 |
|
640 |
dport=sport=0; |
641 |
|
642 |
memset((char*)&ips, 0, sizeof(struct ipsec_sa)); |
643 |
|
644 |
/* |
645 |
* Return if there is nothing to do. (Does this ever happen?) XXX |
646 |
*/ |
647 |
if (skb == NULL) { |
648 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
649 |
"klips_error:ipsec_tunnel_start_xmit: " |
650 |
"Nothing to do!\n" ); |
651 |
goto cleanup; |
652 |
} |
653 |
if (dev == NULL) { |
654 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
655 |
"klips_error:ipsec_tunnel_start_xmit: " |
656 |
"No device associated with skb!\n" ); |
657 |
goto cleanup; |
658 |
} |
659 |
|
660 |
prv = dev->priv; |
661 |
if (prv == NULL) { |
662 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
663 |
"klips_error:ipsec_tunnel_start_xmit: " |
664 |
"Device has no private structure!\n" ); |
665 |
goto cleanup; |
666 |
} |
667 |
|
668 |
physdev = prv->dev; |
669 |
if (physdev == NULL) { |
670 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
671 |
"klips_error:ipsec_tunnel_start_xmit: " |
672 |
"Device is not attached to physical device!\n" ); |
673 |
goto cleanup; |
674 |
} |
675 |
|
676 |
physmtu = physdev->mtu; |
677 |
|
678 |
stats = (struct net_device_stats *) &(prv->mystats); |
679 |
|
680 |
#ifdef NET_21 |
681 |
/* if skb was cloned (most likely due to a packet sniffer such as |
682 |
tcpdump being momentarily attached to the interface), make |
683 |
a copy of our own to modify */ |
684 |
if(skb_cloned(skb)) { |
685 |
if |
686 |
#ifdef SKB_COW_NEW |
687 |
(skb_cow(skb, skb_headroom(skb)) != 0) |
688 |
#else /* SKB_COW_NEW */ |
689 |
((skb = skb_cow(skb, skb_headroom(skb))) == NULL) |
690 |
#endif /* SKB_COW_NEW */ |
691 |
{ |
692 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
693 |
"klips_error:ipsec_tunnel_start_xmit: " |
694 |
"skb_cow failed to allocate buffer, dropping.\n" ); |
695 |
stats->tx_dropped++; |
696 |
goto cleanup; |
697 |
} |
698 |
} |
699 |
#endif /* NET_21 */ |
700 |
|
701 |
#ifdef NET_21 |
702 |
iph = skb->nh.iph; |
703 |
#else /* NET_21 */ |
704 |
iph = skb->ip_hdr; |
705 |
#endif /* NET_21 */ |
706 |
|
707 |
/* sanity check for IP version as we can't handle IPv6 right now */ |
708 |
if (iph->version != 4) { |
709 |
KLIPS_PRINT(debug_tunnel, |
710 |
"klips_debug:ipsec_tunnel_start_xmit: " |
711 |
"found IP Version %d but cannot process other IP versions than v4.\n", |
712 |
iph->version); /* XXX */ |
713 |
stats->tx_dropped++; |
714 |
goto cleanup; |
715 |
} |
716 |
|
717 |
/* physdev->hard_header_len is unreliable and should not be used */ |
718 |
hard_header_len = (unsigned char *)iph - skb->data; |
719 |
|
720 |
if(hard_header_len < 0) { |
721 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
722 |
"klips_error:ipsec_tunnel_start_xmit: " |
723 |
"Negative hard_header_len (%d)?!\n", hard_header_len); |
724 |
stats->tx_dropped++; |
725 |
goto cleanup; |
726 |
} |
727 |
|
728 |
if(hard_header_len == 0) { /* no hard header present */ |
729 |
hard_header_stripped = 1; |
730 |
} |
731 |
|
732 |
#ifdef CONFIG_IPSEC_DEBUG |
733 |
if (debug_tunnel & DB_TN_XMIT) { |
734 |
int i; |
735 |
char c; |
736 |
|
737 |
printk(KERN_INFO "klips_debug:ipsec_tunnel_start_xmit: " |
738 |
">>> skb->len=%ld hard_header_len:%d", |
739 |
(unsigned long int)skb->len, hard_header_len); |
740 |
c = ' '; |
741 |
for (i=0; i < hard_header_len; i++) { |
742 |
printk("%c%02x", c, skb->data[i]); |
743 |
c = ':'; |
744 |
} |
745 |
printk(" \n"); |
746 |
} |
747 |
#endif /* CONFIG_IPSEC_DEBUG */ |
748 |
|
749 |
KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph); |
750 |
|
751 |
/* |
752 |
* Sanity checks |
753 |
*/ |
754 |
|
755 |
#if IPSEC_DISALLOW_IPOPTIONS |
756 |
if ((iph->ihl << 2) != sizeof (struct iphdr)) { |
757 |
KLIPS_PRINT(debug_tunnel, |
758 |
"klips_debug:ipsec_tunnel_start_xmit: " |
759 |
"cannot process IP header options yet. May be mal-formed packet.\n"); /* XXX */ |
760 |
stats->tx_dropped++; |
761 |
goto cleanup; |
762 |
} |
763 |
#endif /* IPSEC_DISALLOW_IPOPTIONS */ |
764 |
|
765 |
#ifndef NET_21 |
766 |
/* TTL decrement code (on the way out!) borrowed from ip_forward.c */ |
767 |
if(0) { |
768 |
unsigned long checksum = iph->check; |
769 |
iph->ttl--; |
770 |
/* |
771 |
* Re-compute the IP header checksum. |
772 |
* This is efficient. We know what has happened to the header |
773 |
* and can thus adjust the checksum as Phil Karn does in KA9Q |
774 |
* except we do this in "network byte order". |
775 |
*/ |
776 |
checksum += htons(0x0100); |
777 |
/* carry overflow? */ |
778 |
checksum += checksum >> 16; |
779 |
iph->check = checksum; |
780 |
} |
781 |
if (iph->ttl <= 0) { |
782 |
/* Tell the sender its packet died... */ |
783 |
ICMP_SEND(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, physdev); |
784 |
|
785 |
KLIPS_PRINT(debug_tunnel, "klips_debug:ipsec_tunnel_start_xmit: " |
786 |
"TTL=0, too many hops!\n"); |
787 |
stats->tx_dropped++; |
788 |
goto cleanup; |
789 |
} |
790 |
#endif /* !NET_21 */ |
791 |
|
792 |
/* |
793 |
* First things first -- look us up in the erouting tables. |
794 |
*/ |
795 |
matcher.sen_len = sizeof (struct sockaddr_encap); |
796 |
matcher.sen_family = AF_ENCAP; |
797 |
matcher.sen_type = SENT_IP4; |
798 |
matcher.sen_ip_src.s_addr = iph->saddr; |
799 |
matcher.sen_ip_dst.s_addr = iph->daddr; |
800 |
matcher.sen_proto = iph->protocol; |
801 |
extract_ports(iph, &matcher); |
802 |
|
803 |
/* |
804 |
* The spinlock is to prevent any other process from accessing or deleting |
805 |
* the eroute while we are using and updating it. |
806 |
*/ |
807 |
spin_lock(&eroute_lock); |
808 |
|
809 |
er = ipsec_findroute(&matcher); |
810 |
|
811 |
if(iph->protocol == IPPROTO_UDP) { |
812 |
if(skb->sk) { |
813 |
sport=ntohs(skb->sk->sport); |
814 |
dport=ntohs(skb->sk->dport); |
815 |
} else if((ntohs(iph->frag_off) & IP_OFFSET) == 0 && |
816 |
((skb->len - hard_header_len) >= |
817 |
((iph->ihl << 2) + sizeof(struct udphdr)))) { |
818 |
sport=ntohs(((struct udphdr*)((caddr_t)iph+(iph->ihl<<2)))->source); |
819 |
dport=ntohs(((struct udphdr*)((caddr_t)iph + (iph->ihl<<2)))->dest); |
820 |
} else { |
821 |
sport=0; dport=0; |
822 |
} |
823 |
} |
824 |
|
825 |
/* default to a %drop eroute */ |
826 |
outgoing_said.proto = IPPROTO_INT; |
827 |
outgoing_said.spi = htonl(SPI_DROP); |
828 |
outgoing_said.dst.s_addr = INADDR_ANY; |
829 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
830 |
"klips_debug:ipsec_tunnel_start_xmit: " |
831 |
"checking for local udp/500 IKE packet " |
832 |
"saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n", |
833 |
ntohl((unsigned int)iph->saddr), |
834 |
er, |
835 |
ntohl((unsigned int)iph->daddr), |
836 |
er ? ntohl((unsigned int)er->er_said.dst.s_addr) : 0, |
837 |
iph->protocol, |
838 |
sport, |
839 |
dport); |
840 |
|
841 |
/* |
842 |
* Quick cheat for now...are we udp/500? If so, let it through |
843 |
* without interference since it is most likely an IKE packet. |
844 |
*/ |
845 |
|
846 |
if (ip_chk_addr((unsigned long)iph->saddr) == IS_MYADDR |
847 |
&& (!er |
848 |
|| iph->daddr == er->er_said.dst.s_addr |
849 |
|| INADDR_ANY == er->er_said.dst.s_addr) |
850 |
&& (sport == 500)) { |
851 |
/* Whatever the eroute, this is an IKE message |
852 |
* from us (i.e. not being forwarded). |
853 |
* Furthermore, if there is a tunnel eroute, |
854 |
* the destination is the peer for this eroute. |
855 |
* So %pass the packet: modify the default %drop. |
856 |
*/ |
857 |
outgoing_said.spi = htonl(SPI_PASS); |
858 |
if(!(skb->sk) && ((ntohs(iph->frag_off) & IP_MF) != 0)) { |
859 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
860 |
"klips_debug:ipsec_tunnel_start_xmit: " |
861 |
"local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n"); |
862 |
} |
863 |
} else if (er) { |
864 |
er->er_count++; |
865 |
er->er_lasttime = jiffies/HZ; |
866 |
if(er->er_said.proto==IPPROTO_INT |
867 |
&& er->er_said.spi==htonl(SPI_HOLD)) { |
868 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
869 |
"klips_debug:ipsec_tunnel_start_xmit: " |
870 |
"shunt SA of HOLD: skb stored in HOLD.\n"); |
871 |
if(er->er_last != NULL) { |
872 |
kfree_skb(er->er_last); |
873 |
} |
874 |
er->er_last = skb; |
875 |
skb = NULL; |
876 |
stats->tx_dropped++; |
877 |
spin_unlock(&eroute_lock); |
878 |
goto cleanup; |
879 |
} |
880 |
outgoing_said = er->er_said; |
881 |
eroute_pid = er->er_pid; |
882 |
/* Copy of the ident for the TRAP/TRAPSUBNET eroutes */ |
883 |
if(outgoing_said.proto==IPPROTO_INT |
884 |
&& (outgoing_said.spi==htonl(SPI_TRAP) |
885 |
|| (outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) { |
886 |
int len; |
887 |
|
888 |
ips.ips_ident_s.type = er->er_ident_s.type; |
889 |
ips.ips_ident_s.id = er->er_ident_s.id; |
890 |
ips.ips_ident_s.len = er->er_ident_s.len; |
891 |
if (ips.ips_ident_s.len) { |
892 |
len = ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident); |
893 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
894 |
"klips_debug:ipsec_tunnel_start_xmit: " |
895 |
"allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n", |
896 |
len); |
897 |
if ((ips.ips_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) { |
898 |
printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: " |
899 |
"Failed, tried to allocate %d bytes for source ident.\n", |
900 |
len); |
901 |
stats->tx_dropped++; |
902 |
spin_unlock(&eroute_lock); |
903 |
goto cleanup; |
904 |
} |
905 |
memcpy(ips.ips_ident_s.data, er->er_ident_s.data, len); |
906 |
} |
907 |
ips.ips_ident_d.type = er->er_ident_d.type; |
908 |
ips.ips_ident_d.id = er->er_ident_d.id; |
909 |
ips.ips_ident_d.len = er->er_ident_d.len; |
910 |
if (ips.ips_ident_d.len) { |
911 |
len = ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident); |
912 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
913 |
"klips_debug:ipsec_tunnel_start_xmit: " |
914 |
"allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n", |
915 |
len); |
916 |
if ((ips.ips_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) { |
917 |
printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: " |
918 |
"Failed, tried to allocate %d bytes for dest ident.\n", |
919 |
len); |
920 |
stats->tx_dropped++; |
921 |
spin_unlock(&eroute_lock); |
922 |
goto cleanup; |
923 |
} |
924 |
memcpy(ips.ips_ident_d.data, er->er_ident_d.data, len); |
925 |
} |
926 |
} |
927 |
} |
928 |
|
929 |
spin_unlock(&eroute_lock); |
930 |
|
931 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
932 |
"klips_debug:ipsec_tunnel_start_xmit: " |
933 |
"Original head,tailroom: %d,%d\n", |
934 |
skb_headroom(skb), skb_tailroom(skb)); |
935 |
|
936 |
innersrc = iph->saddr; |
937 |
/* start encapsulation loop here XXX */ |
938 |
do { |
939 |
struct ipsec_sa *ipsprev = NULL; |
940 |
|
941 |
newdst = orgdst = iph->daddr; |
942 |
newsrc = orgsrc = iph->saddr; |
943 |
orgedst = outgoing_said.dst.s_addr; |
944 |
iphlen = iph->ihl << 2; |
945 |
pyldsz = ntohs(iph->tot_len) - iphlen; |
946 |
max_headroom = max_tailroom = 0; |
947 |
|
948 |
if (outgoing_said.proto == IPPROTO_INT) { |
949 |
switch (ntohl(outgoing_said.spi)) { |
950 |
case SPI_DROP: |
951 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
952 |
"klips_debug:ipsec_tunnel_start_xmit: " |
953 |
"shunt SA of DROP or no eroute: dropping.\n"); |
954 |
stats->tx_dropped++; |
955 |
break; |
956 |
|
957 |
case SPI_REJECT: |
958 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
959 |
"klips_debug:ipsec_tunnel_start_xmit: " |
960 |
"shunt SA of REJECT: notifying and dropping.\n"); |
961 |
ICMP_SEND(skb, |
962 |
ICMP_DEST_UNREACH, |
963 |
ICMP_PKT_FILTERED, |
964 |
0, |
965 |
physdev); |
966 |
stats->tx_dropped++; |
967 |
break; |
968 |
|
969 |
case SPI_PASS: |
970 |
#ifdef NET_21 |
971 |
pass = 1; |
972 |
#endif /* NET_21 */ |
973 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
974 |
"klips_debug:ipsec_tunnel_start_xmit: " |
975 |
"PASS: calling dev_queue_xmit\n"); |
976 |
goto bypass; |
977 |
|
978 |
#if 1 /* now moved up to finderoute so we don't need to lock it longer */ |
979 |
case SPI_HOLD: |
980 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
981 |
"klips_debug:ipsec_tunnel_start_xmit: " |
982 |
"shunt SA of HOLD: this does not make sense here, dropping.\n"); |
983 |
stats->tx_dropped++; |
984 |
break; |
985 |
#endif |
986 |
case SPI_TRAP: |
987 |
case SPI_TRAPSUBNET: |
988 |
{ |
989 |
struct sockaddr_in src, dst; |
990 |
#ifdef CONFIG_IPSEC_DEBUG |
991 |
char bufsrc[ADDRTOA_BUF], bufdst[ADDRTOA_BUF]; |
992 |
#endif /* CONFIG_IPSEC_DEBUG */ |
993 |
|
994 |
/* Signal all listening KMds with a PF_KEY ACQUIRE */ |
995 |
ips.ips_said.proto = iph->protocol; |
996 |
src.sin_family = AF_INET; |
997 |
dst.sin_family = AF_INET; |
998 |
src.sin_addr.s_addr = iph->saddr; |
999 |
dst.sin_addr.s_addr = iph->daddr; |
1000 |
src.sin_port = |
1001 |
(iph->protocol == IPPROTO_UDP |
1002 |
? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->source |
1003 |
: (iph->protocol == IPPROTO_TCP |
1004 |
? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->source |
1005 |
: 0)); |
1006 |
dst.sin_port = |
1007 |
(iph->protocol == IPPROTO_UDP |
1008 |
? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->dest |
1009 |
: (iph->protocol == IPPROTO_TCP |
1010 |
? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->dest |
1011 |
: 0)); |
1012 |
for(i = 0; |
1013 |
i < sizeof(struct sockaddr_in) |
1014 |
- offsetof(struct sockaddr_in, sin_zero); |
1015 |
i++) { |
1016 |
src.sin_zero[i] = 0; |
1017 |
dst.sin_zero[i] = 0; |
1018 |
} |
1019 |
|
1020 |
ips.ips_addr_s = (struct sockaddr*)(&src); |
1021 |
ips.ips_addr_d = (struct sockaddr*)(&dst); |
1022 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1023 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1024 |
"SADB_ACQUIRE sent with src=%s:%d, dst=%s:%d, proto=%d.\n", |
1025 |
addrtoa(((struct sockaddr_in*)(ips.ips_addr_s))->sin_addr, 0, bufsrc, sizeof(bufsrc)) <= ADDRTOA_BUF ? bufsrc : "BAD_ADDR", |
1026 |
ntohs(((struct sockaddr_in*)(ips.ips_addr_s))->sin_port), |
1027 |
addrtoa(((struct sockaddr_in*)(ips.ips_addr_d))->sin_addr, 0, bufdst, sizeof(bufdst)) <= ADDRTOA_BUF ? bufdst : "BAD_ADDR", |
1028 |
ntohs(((struct sockaddr_in*)(ips.ips_addr_d))->sin_port), |
1029 |
ips.ips_said.proto); |
1030 |
|
1031 |
if (pfkey_acquire(&ips) == 0) { |
1032 |
|
1033 |
if (outgoing_said.spi==htonl(SPI_TRAPSUBNET)) { |
1034 |
/* |
1035 |
* The spinlock is to prevent any other |
1036 |
* process from accessing or deleting |
1037 |
* the eroute while we are using and |
1038 |
* updating it. |
1039 |
*/ |
1040 |
spin_lock(&eroute_lock); |
1041 |
er = ipsec_findroute(&matcher); |
1042 |
if(er) { |
1043 |
er->er_said.spi = htonl(SPI_HOLD); |
1044 |
er->er_first = skb; |
1045 |
skb = NULL; |
1046 |
} |
1047 |
spin_unlock(&eroute_lock); |
1048 |
} else if (create_hold_eroute(skb, iph, eroute_pid)) { |
1049 |
skb = NULL; |
1050 |
} |
1051 |
} |
1052 |
stats->tx_dropped++; |
1053 |
} |
1054 |
default: |
1055 |
/* XXX what do we do with an unknown shunt spi? */ |
1056 |
break; |
1057 |
} /* switch (ntohl(outgoing_said.spi)) */ |
1058 |
goto cleanup; |
1059 |
} /* if (outgoing_said.proto == IPPROTO_INT) */ |
1060 |
|
1061 |
/* |
1062 |
The spinlock is to prevent any other process from |
1063 |
accessing or deleting the ipsec_sa hash table or any of the |
1064 |
ipsec_sa s while we are using and updating them. |
1065 |
|
1066 |
This is not optimal, but was relatively straightforward |
1067 |
at the time. A better way to do it has been planned for |
1068 |
more than a year, to lock the hash table and put reference |
1069 |
counts on each ipsec_sa instead. This is not likely to happen |
1070 |
in KLIPS1 unless a volunteer contributes it, but will be |
1071 |
designed into KLIPS2. |
1072 |
*/ |
1073 |
spin_lock(&tdb_lock); |
1074 |
|
1075 |
ipsp = ipsec_sa_getbyid(&outgoing_said); |
1076 |
sa_len = satoa(outgoing_said, 0, sa, SATOA_BUF); |
1077 |
|
1078 |
if (ipsp == NULL) { |
1079 |
spin_unlock(&tdb_lock); |
1080 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1081 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1082 |
"no ipsec_sa for SA%s: outgoing packet with no SA, dropped.\n", |
1083 |
sa_len ? sa : " (error)"); |
1084 |
stats->tx_dropped++; |
1085 |
goto cleanup; |
1086 |
} |
1087 |
|
1088 |
ipsec_sa_put(ipsp); /* incomplete */ |
1089 |
|
1090 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1091 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1092 |
"found ipsec_sa -- SA:<%s%s%s> %s\n", |
1093 |
IPS_XFORM_NAME(ipsp), |
1094 |
sa_len ? sa : " (error)"); |
1095 |
|
1096 |
/* |
1097 |
* How much headroom do we need to be able to apply |
1098 |
* all the grouped transforms? |
1099 |
*/ |
1100 |
ipsq = ipsp; /* save the head of the ipsec_sa chain */ |
1101 |
while (ipsp) { |
1102 |
sa_len = satoa(ipsp->ips_said, 0, sa, SATOA_BUF); |
1103 |
if(sa_len == 0) { |
1104 |
strcpy(sa, "(error)"); |
1105 |
} |
1106 |
|
1107 |
/* If it is in larval state, drop the packet, we cannot process yet. */ |
1108 |
if(ipsp->ips_state == SADB_SASTATE_LARVAL) { |
1109 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1110 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1111 |
"ipsec_sa in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n", |
1112 |
IPS_XFORM_NAME(ipsp), |
1113 |
sa_len ? sa : " (error)"); |
1114 |
spin_unlock(&tdb_lock); |
1115 |
stats->tx_errors++; |
1116 |
goto cleanup; |
1117 |
} |
1118 |
|
1119 |
if(ipsp->ips_state == SADB_SASTATE_DEAD) { |
1120 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1121 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1122 |
"ipsec_sa in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n", |
1123 |
IPS_XFORM_NAME(ipsp), |
1124 |
sa_len ? sa : " (error)"); |
1125 |
spin_unlock(&tdb_lock); |
1126 |
stats->tx_errors++; |
1127 |
goto cleanup; |
1128 |
} |
1129 |
|
1130 |
/* If the replay window counter == -1, expire SA, it will roll */ |
1131 |
if(ipsp->ips_replaywin && ipsp->ips_replaywin_lastseq == -1) { |
1132 |
pfkey_expire(ipsp, 1); |
1133 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1134 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1135 |
"replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n", |
1136 |
IPS_XFORM_NAME(ipsp), |
1137 |
sa_len ? sa : " (error)"); |
1138 |
ipsec_sa_delchain(ipsp); |
1139 |
spin_unlock(&tdb_lock); |
1140 |
stats->tx_errors++; |
1141 |
goto cleanup; |
1142 |
} |
1143 |
|
1144 |
/* |
1145 |
* if this is the first time we are using this SA, mark start time, |
1146 |
* and offset hard/soft counters by "now" for later checking. |
1147 |
*/ |
1148 |
#if 0 |
1149 |
if(ipsp->ips_life.ipl_usetime.count == 0) { |
1150 |
ipsp->ips_life.ipl_usetime.count = jiffies; |
1151 |
ipsp->ips_life.ipl_usetime.hard += jiffies; |
1152 |
ipsp->ips_life.ipl_usetime.soft += jiffies; |
1153 |
} |
1154 |
#endif |
1155 |
|
1156 |
|
1157 |
if(ipsec_lifetime_check(&ipsp->ips_life.ipl_bytes, "bytes", sa, |
1158 |
ipsec_life_countbased, ipsec_outgoing, ipsp) == ipsec_life_harddied || |
1159 |
ipsec_lifetime_check(&ipsp->ips_life.ipl_addtime, "addtime",sa, |
1160 |
ipsec_life_timebased, ipsec_outgoing, ipsp) == ipsec_life_harddied || |
1161 |
ipsec_lifetime_check(&ipsp->ips_life.ipl_usetime, "usetime",sa, |
1162 |
ipsec_life_timebased, ipsec_outgoing, ipsp) == ipsec_life_harddied || |
1163 |
ipsec_lifetime_check(&ipsp->ips_life.ipl_packets, "packets",sa, |
1164 |
ipsec_life_countbased, ipsec_outgoing, ipsp) == ipsec_life_harddied) { |
1165 |
|
1166 |
ipsec_sa_delchain(ipsp); |
1167 |
spin_unlock(&tdb_lock); |
1168 |
stats->tx_errors++; |
1169 |
goto cleanup; |
1170 |
} |
1171 |
|
1172 |
|
1173 |
headroom = tailroom = 0; |
1174 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1175 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1176 |
"calling room for <%s%s%s>, SA:%s\n", |
1177 |
IPS_XFORM_NAME(ipsp), |
1178 |
sa_len ? sa : " (error)"); |
1179 |
switch(ipsp->ips_said.proto) { |
1180 |
#ifdef CONFIG_IPSEC_AH |
1181 |
case IPPROTO_AH: |
1182 |
headroom += sizeof(struct ah); |
1183 |
break; |
1184 |
#endif /* CONFIG_IPSEC_AH */ |
1185 |
#ifdef CONFIG_IPSEC_ESP |
1186 |
case IPPROTO_ESP: |
1187 |
switch(ipsp->ips_encalg) { |
1188 |
#ifdef CONFIG_IPSEC_ENC_3DES |
1189 |
case ESP_3DES: |
1190 |
headroom += sizeof(struct esp); |
1191 |
break; |
1192 |
#endif /* CONFIG_IPSEC_ENC_3DES */ |
1193 |
default: |
1194 |
spin_unlock(&tdb_lock); |
1195 |
stats->tx_errors++; |
1196 |
goto cleanup; |
1197 |
} |
1198 |
switch(ipsp->ips_authalg) { |
1199 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 |
1200 |
case AH_MD5: |
1201 |
tailroom += AHHMAC_HASHLEN; |
1202 |
break; |
1203 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ |
1204 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 |
1205 |
case AH_SHA: |
1206 |
tailroom += AHHMAC_HASHLEN; |
1207 |
break; |
1208 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ |
1209 |
case AH_NONE: |
1210 |
break; |
1211 |
default: |
1212 |
spin_unlock(&tdb_lock); |
1213 |
stats->tx_errors++; |
1214 |
goto cleanup; |
1215 |
} |
1216 |
tailroom += ((8 - ((pyldsz + 2 * sizeof(unsigned char)) % 8)) % 8) + 2; |
1217 |
break; |
1218 |
#endif /* !CONFIG_IPSEC_ESP */ |
1219 |
#ifdef CONFIG_IPSEC_IPIP |
1220 |
case IPPROTO_IPIP: |
1221 |
headroom += sizeof(struct iphdr); |
1222 |
break; |
1223 |
#endif /* !CONFIG_IPSEC_IPIP */ |
1224 |
case IPPROTO_COMP: |
1225 |
#ifdef CONFIG_IPSEC_IPCOMP |
1226 |
/* |
1227 |
We can't predict how much the packet will |
1228 |
shrink without doing the actual compression. |
1229 |
We could do it here, if we were the first |
1230 |
encapsulation in the chain. That might save |
1231 |
us a skb_copy_expand, since we might fit |
1232 |
into the existing skb then. However, this |
1233 |
would be a bit unclean (and this hack has |
1234 |
bit us once), so we better not do it. After |
1235 |
all, the skb_copy_expand is cheap in |
1236 |
comparison to the actual compression. |
1237 |
At least we know the packet will not grow. |
1238 |
*/ |
1239 |
break; |
1240 |
#endif /* CONFIG_IPSEC_IPCOMP */ |
1241 |
default: |
1242 |
spin_unlock(&tdb_lock); |
1243 |
stats->tx_errors++; |
1244 |
goto cleanup; |
1245 |
} |
1246 |
ipsp = ipsp->ips_onext; |
1247 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1248 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1249 |
"Required head,tailroom: %d,%d\n", |
1250 |
headroom, tailroom); |
1251 |
max_headroom += headroom; |
1252 |
max_tailroom += tailroom; |
1253 |
pyldsz += (headroom + tailroom); |
1254 |
} |
1255 |
ipsp = ipsq; /* restore the head of the ipsec_sa chain */ |
1256 |
|
1257 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1258 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1259 |
"existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n", |
1260 |
skb_headroom(skb), skb_tailroom(skb), |
1261 |
max_headroom, max_tailroom); |
1262 |
|
1263 |
tot_headroom += max_headroom; |
1264 |
tot_tailroom += max_tailroom; |
1265 |
|
1266 |
mtudiff = prv->mtu + tot_headroom + tot_tailroom - physmtu; |
1267 |
|
1268 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1269 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1270 |
"mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n", |
1271 |
prv->mtu, physmtu, |
1272 |
tot_headroom, tot_tailroom, mtudiff, ntohs(iph->tot_len)); |
1273 |
if(mtudiff > 0) { |
1274 |
int newmtu = physmtu - (tot_headroom + ((tot_tailroom + 2) & ~7) + 5); |
1275 |
|
1276 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1277 |
"klips_info:ipsec_tunnel_start_xmit: " |
1278 |
"dev %s mtu of %d decreased by %d to %d\n", |
1279 |
dev->name, |
1280 |
prv->mtu, |
1281 |
prv->mtu - newmtu, |
1282 |
newmtu); |
1283 |
prv->mtu = newmtu; |
1284 |
#ifdef NET_21 |
1285 |
#if 0 |
1286 |
skb->dst->pmtu = prv->mtu; /* RGB */ |
1287 |
#endif /* 0 */ |
1288 |
#else /* NET_21 */ |
1289 |
#if 0 |
1290 |
dev->mtu = prv->mtu; /* RGB */ |
1291 |
#endif /* 0 */ |
1292 |
#endif /* NET_21 */ |
1293 |
} |
1294 |
|
1295 |
/* |
1296 |
If the sender is doing PMTU discovery, and the |
1297 |
packet doesn't fit within prv->mtu, notify him |
1298 |
(unless it was an ICMP packet, or it was not the |
1299 |
zero-offset packet) and send it anyways. |
1300 |
|
1301 |
Note: buggy firewall configuration may prevent the |
1302 |
ICMP packet from getting back. |
1303 |
*/ |
1304 |
if(sysctl_ipsec_icmp |
1305 |
&& prv->mtu < ntohs(iph->tot_len) |
1306 |
&& (iph->frag_off & __constant_htons(IP_DF)) ) { |
1307 |
int notify = iph->protocol != IPPROTO_ICMP |
1308 |
&& (iph->frag_off & __constant_htons(IP_OFFSET)) == 0; |
1309 |
|
1310 |
#ifdef IPSEC_obey_DF |
1311 |
spin_unlock(&tdb_lock); |
1312 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1313 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1314 |
"fragmentation needed and DF set; %sdropping packet\n", |
1315 |
notify ? "sending ICMP and " : ""); |
1316 |
if (notify) |
1317 |
ICMP_SEND(skb, |
1318 |
ICMP_DEST_UNREACH, |
1319 |
ICMP_FRAG_NEEDED, |
1320 |
prv->mtu, |
1321 |
physdev); |
1322 |
stats->tx_errors++; |
1323 |
goto cleanup; |
1324 |
#else /* IPSEC_obey_DF */ |
1325 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1326 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1327 |
"fragmentation needed and DF set; %spassing packet\n", |
1328 |
notify ? "sending ICMP and " : ""); |
1329 |
if (notify) |
1330 |
ICMP_SEND(skb, |
1331 |
ICMP_DEST_UNREACH, |
1332 |
ICMP_FRAG_NEEDED, |
1333 |
prv->mtu, |
1334 |
physdev); |
1335 |
#endif /* IPSEC_obey_DF */ |
1336 |
} |
1337 |
|
1338 |
#ifdef MSS_HACK |
1339 |
/* |
1340 |
* If this is a transport mode TCP packet with |
1341 |
* SYN set, determine an effective MSS based on |
1342 |
* AH/ESP overheads determined above. |
1343 |
*/ |
1344 |
if (iph->protocol == IPPROTO_TCP |
1345 |
&& outgoing_said.proto != IPPROTO_IPIP) { |
1346 |
struct tcphdr *tcph = skb->h.th; |
1347 |
if (tcph->syn && !tcph->ack) { |
1348 |
if(!ipsec_adjust_mss(skb, tcph, prv->mtu)) { |
1349 |
spin_unlock(&tdb_lock); |
1350 |
printk(KERN_WARNING |
1351 |
"klips_warning:ipsec_tunnel_start_xmit: " |
1352 |
"ipsec_adjust_mss() failed\n"); |
1353 |
stats->tx_errors++; |
1354 |
goto cleanup; |
1355 |
} |
1356 |
} |
1357 |
} |
1358 |
#endif /* MSS_HACK */ |
1359 |
|
1360 |
if(!hard_header_stripped) { |
1361 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1362 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1363 |
"allocating %d bytes for hardheader.\n", |
1364 |
hard_header_len); |
1365 |
if((saved_header = kmalloc(hard_header_len, GFP_ATOMIC)) == NULL) { |
1366 |
spin_unlock(&tdb_lock); |
1367 |
printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: " |
1368 |
"Failed, tried to allocate %d bytes for temp hard_header.\n", |
1369 |
hard_header_len); |
1370 |
stats->tx_errors++; |
1371 |
goto cleanup; |
1372 |
} |
1373 |
for (i = 0; i < hard_header_len; i++) { |
1374 |
saved_header[i] = skb->data[i]; |
1375 |
} |
1376 |
if(skb->len < hard_header_len) { |
1377 |
spin_unlock(&tdb_lock); |
1378 |
printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: " |
1379 |
"tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n", |
1380 |
hard_header_len, (int)(skb->len)); |
1381 |
stats->tx_errors++; |
1382 |
goto cleanup; |
1383 |
} |
1384 |
skb_pull(skb, hard_header_len); |
1385 |
hard_header_stripped = 1; |
1386 |
|
1387 |
/* iph = (struct iphdr *) (skb->data); */ |
1388 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1389 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1390 |
"head,tailroom: %d,%d after hard_header stripped.\n", |
1391 |
skb_headroom(skb), skb_tailroom(skb)); |
1392 |
KLIPS_IP_PRINT(debug_tunnel & DB_TN_CROUT, iph); |
1393 |
} else { |
1394 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1395 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1396 |
"hard header already stripped.\n"); |
1397 |
} |
1398 |
|
1399 |
ll_headroom = (hard_header_len + 15) & ~15; |
1400 |
|
1401 |
if ((skb_headroom(skb) >= max_headroom + 2 * ll_headroom) && |
1402 |
(skb_tailroom(skb) >= max_tailroom) |
1403 |
#ifndef NET_21 |
1404 |
&& skb->free |
1405 |
#endif /* !NET_21 */ |
1406 |
) { |
1407 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1408 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1409 |
"data fits in existing skb\n"); |
1410 |
} else { |
1411 |
struct sk_buff* tskb = skb; |
1412 |
|
1413 |
if(!oskb) { |
1414 |
oskb = skb; |
1415 |
} |
1416 |
|
1417 |
tskb = skb_copy_expand(skb, |
1418 |
/* The reason for 2 * link layer length here still baffles me...RGB */ |
1419 |
max_headroom + 2 * ll_headroom, |
1420 |
max_tailroom, |
1421 |
GFP_ATOMIC); |
1422 |
#ifdef NET_21 |
1423 |
if(tskb && skb->sk) { |
1424 |
skb_set_owner_w(tskb, skb->sk); |
1425 |
} |
1426 |
#endif /* NET_21 */ |
1427 |
if(!(skb == oskb) ) { |
1428 |
dev_kfree_skb(skb, FREE_WRITE); |
1429 |
} |
1430 |
skb = tskb; |
1431 |
if (!skb) { |
1432 |
spin_unlock(&tdb_lock); |
1433 |
printk(KERN_WARNING |
1434 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1435 |
"Failed, tried to allocate %d head and %d tailroom\n", |
1436 |
max_headroom, max_tailroom); |
1437 |
stats->tx_errors++; |
1438 |
goto cleanup; |
1439 |
} |
1440 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1441 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1442 |
"head,tailroom: %d,%d after allocation\n", |
1443 |
skb_headroom(skb), skb_tailroom(skb)); |
1444 |
} |
1445 |
|
1446 |
/* |
1447 |
* Apply grouped transforms to packet |
1448 |
*/ |
1449 |
while (ipsp) { |
1450 |
#ifdef CONFIG_IPSEC_ESP |
1451 |
struct esp *espp; |
1452 |
__u32 iv[2]; |
1453 |
unsigned char *idat, *pad; |
1454 |
int authlen = 0, padlen = 0, i; |
1455 |
#endif /* !CONFIG_IPSEC_ESP */ |
1456 |
#ifdef CONFIG_IPSEC_AH |
1457 |
struct iphdr ipo; |
1458 |
struct ah *ahp; |
1459 |
#endif /* CONFIG_IPSEC_AH */ |
1460 |
#if defined(CONFIG_IPSEC_AUTH_HMAC_MD5) || defined(CONFIG_IPSEC_AUTH_HMAC_SHA1) |
1461 |
union { |
1462 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 |
1463 |
MD5_CTX md5; |
1464 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ |
1465 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 |
1466 |
SHA1_CTX sha1; |
1467 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ |
1468 |
} tctx; |
1469 |
__u8 hash[AH_AMAX]; |
1470 |
#endif /* defined(CONFIG_IPSEC_AUTH_HMAC_MD5) || defined(CONFIG_IPSEC_AUTH_HMAC_SHA1) */ |
1471 |
int headroom = 0, tailroom = 0, ilen = 0, len = 0; |
1472 |
unsigned char *dat; |
1473 |
|
1474 |
iphlen = iph->ihl << 2; |
1475 |
pyldsz = ntohs(iph->tot_len) - iphlen; |
1476 |
sa_len = satoa(ipsp->ips_said, 0, sa, SATOA_BUF); |
1477 |
KLIPS_PRINT(debug_tunnel & DB_TN_OXFS, |
1478 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1479 |
"calling output for <%s%s%s>, SA:%s\n", |
1480 |
IPS_XFORM_NAME(ipsp), |
1481 |
sa_len ? sa : " (error)"); |
1482 |
|
1483 |
switch(ipsp->ips_said.proto) { |
1484 |
#ifdef CONFIG_IPSEC_AH |
1485 |
case IPPROTO_AH: |
1486 |
headroom += sizeof(struct ah); |
1487 |
break; |
1488 |
#endif /* CONFIG_IPSEC_AH */ |
1489 |
#ifdef CONFIG_IPSEC_ESP |
1490 |
case IPPROTO_ESP: |
1491 |
switch(ipsp->ips_encalg) { |
1492 |
#ifdef CONFIG_IPSEC_ENC_3DES |
1493 |
case ESP_3DES: |
1494 |
headroom += sizeof(struct esp); |
1495 |
break; |
1496 |
#endif /* CONFIG_IPSEC_ENC_3DES */ |
1497 |
default: |
1498 |
spin_unlock(&tdb_lock); |
1499 |
stats->tx_errors++; |
1500 |
goto cleanup; |
1501 |
} |
1502 |
switch(ipsp->ips_authalg) { |
1503 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 |
1504 |
case AH_MD5: |
1505 |
authlen = AHHMAC_HASHLEN; |
1506 |
break; |
1507 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ |
1508 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 |
1509 |
case AH_SHA: |
1510 |
authlen = AHHMAC_HASHLEN; |
1511 |
break; |
1512 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ |
1513 |
case AH_NONE: |
1514 |
break; |
1515 |
default: |
1516 |
spin_unlock(&tdb_lock); |
1517 |
stats->tx_errors++; |
1518 |
goto cleanup; |
1519 |
} |
1520 |
tailroom += ((8 - ((pyldsz + 2 * sizeof(unsigned char)) % 8)) % 8) + 2; |
1521 |
tailroom += authlen; |
1522 |
break; |
1523 |
#endif /* !CONFIG_IPSEC_ESP */ |
1524 |
#ifdef CONFIG_IPSEC_IPIP |
1525 |
case IPPROTO_IPIP: |
1526 |
headroom += sizeof(struct iphdr); |
1527 |
iphlen = sizeof(struct iphdr); |
1528 |
break; |
1529 |
#endif /* !CONFIG_IPSEC_IPIP */ |
1530 |
#ifdef CONFIG_IPSEC_IPCOMP |
1531 |
case IPPROTO_COMP: |
1532 |
break; |
1533 |
#endif /* CONFIG_IPSEC_IPCOMP */ |
1534 |
default: |
1535 |
spin_unlock(&tdb_lock); |
1536 |
stats->tx_errors++; |
1537 |
goto cleanup; |
1538 |
} |
1539 |
|
1540 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1541 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1542 |
"pushing %d bytes, putting %d, proto %d.\n", |
1543 |
headroom, tailroom, ipsp->ips_said.proto); |
1544 |
if(skb_headroom(skb) < headroom) { |
1545 |
spin_unlock(&tdb_lock); |
1546 |
printk(KERN_WARNING |
1547 |
"klips_error:ipsec_tunnel_start_xmit: " |
1548 |
"tried to skb_push headroom=%d, %d available. This should never happen, please report.\n", |
1549 |
headroom, skb_headroom(skb)); |
1550 |
stats->tx_errors++; |
1551 |
goto cleanup; |
1552 |
} |
1553 |
dat = skb_push(skb, headroom); |
1554 |
ilen = skb->len - tailroom; |
1555 |
if(skb_tailroom(skb) < tailroom) { |
1556 |
spin_unlock(&tdb_lock); |
1557 |
printk(KERN_WARNING |
1558 |
"klips_error:ipsec_tunnel_start_xmit: " |
1559 |
"tried to skb_put %d, %d available. This should never happen, please report.\n", |
1560 |
tailroom, skb_tailroom(skb)); |
1561 |
stats->tx_errors++; |
1562 |
goto cleanup; |
1563 |
} |
1564 |
skb_put(skb, tailroom); |
1565 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1566 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1567 |
"head,tailroom: %d,%d before xform.\n", |
1568 |
skb_headroom(skb), skb_tailroom(skb)); |
1569 |
len = skb->len; |
1570 |
if(len > 0xfff0) { |
1571 |
spin_unlock(&tdb_lock); |
1572 |
printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: " |
1573 |
"tot_len (%d) > 65520. This should never happen, please report.\n", |
1574 |
len); |
1575 |
stats->tx_errors++; |
1576 |
goto cleanup; |
1577 |
} |
1578 |
memmove((void *)dat, (void *)(dat + headroom), iphlen); |
1579 |
iph = (struct iphdr *)dat; |
1580 |
iph->tot_len = htons(skb->len); |
1581 |
|
1582 |
switch(ipsp->ips_said.proto) { |
1583 |
#ifdef CONFIG_IPSEC_ESP |
1584 |
case IPPROTO_ESP: |
1585 |
espp = (struct esp *)(dat + iphlen); |
1586 |
espp->esp_spi = ipsp->ips_said.spi; |
1587 |
espp->esp_rpl = htonl(++(ipsp->ips_replaywin_lastseq)); |
1588 |
|
1589 |
switch(ipsp->ips_encalg) { |
1590 |
#if defined(CONFIG_IPSEC_ENC_3DES) |
1591 |
#ifdef CONFIG_IPSEC_ENC_3DES |
1592 |
case ESP_3DES: |
1593 |
#endif /* CONFIG_IPSEC_ENC_3DES */ |
1594 |
iv[0] = *((__u32*)&(espp->esp_iv) ) = |
1595 |
((__u32*)(ipsp->ips_iv))[0]; |
1596 |
iv[1] = *((__u32*)&(espp->esp_iv) + 1) = |
1597 |
((__u32*)(ipsp->ips_iv))[1]; |
1598 |
break; |
1599 |
#endif /* defined(CONFIG_IPSEC_ENC_3DES) */ |
1600 |
default: |
1601 |
spin_unlock(&tdb_lock); |
1602 |
stats->tx_errors++; |
1603 |
goto cleanup; |
1604 |
} |
1605 |
|
1606 |
idat = dat + iphlen + headroom; |
1607 |
ilen = len - (iphlen + headroom + authlen); |
1608 |
|
1609 |
/* Self-describing padding */ |
1610 |
pad = &dat[len - tailroom]; |
1611 |
padlen = tailroom - 2 - authlen; |
1612 |
for (i = 0; i < padlen; i++) { |
1613 |
pad[i] = i + 1; |
1614 |
} |
1615 |
dat[len - authlen - 2] = padlen; |
1616 |
|
1617 |
dat[len - authlen - 1] = iph->protocol; |
1618 |
iph->protocol = IPPROTO_ESP; |
1619 |
|
1620 |
switch(ipsp->ips_encalg) { |
1621 |
#ifdef CONFIG_IPSEC_ENC_3DES |
1622 |
case ESP_3DES: |
1623 |
des_ede3_cbc_encrypt((des_cblock *)idat, |
1624 |
(des_cblock *)idat, |
1625 |
ilen, |
1626 |
((struct des_eks *)(ipsp->ips_key_e))[0].ks, |
1627 |
((struct des_eks *)(ipsp->ips_key_e))[1].ks, |
1628 |
((struct des_eks *)(ipsp->ips_key_e))[2].ks, |
1629 |
(des_cblock *)iv, 1); |
1630 |
break; |
1631 |
#endif /* CONFIG_IPSEC_ENC_3DES */ |
1632 |
default: |
1633 |
spin_unlock(&tdb_lock); |
1634 |
stats->tx_errors++; |
1635 |
goto cleanup; |
1636 |
} |
1637 |
|
1638 |
switch(ipsp->ips_encalg) { |
1639 |
#if defined(CONFIG_IPSEC_ENC_3DES) |
1640 |
#ifdef CONFIG_IPSEC_ENC_3DES |
1641 |
case ESP_3DES: |
1642 |
#endif /* CONFIG_IPSEC_ENC_3DES */ |
1643 |
/* XXX update IV with the last 8 octets of the encryption */ |
1644 |
#if KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK |
1645 |
((__u32*)(ipsp->ips_iv))[0] = |
1646 |
((__u32 *)(idat))[(ilen >> 2) - 2]; |
1647 |
((__u32*)(ipsp->ips_iv))[1] = |
1648 |
((__u32 *)(idat))[(ilen >> 2) - 1]; |
1649 |
#else /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */ |
1650 |
prng_bytes(&ipsec_prng, (char *)ipsp->ips_iv, EMT_ESPDES_IV_SZ); |
1651 |
#endif /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */ |
1652 |
break; |
1653 |
#endif /* defined(CONFIG_IPSEC_ENC_3DES) */ |
1654 |
default: |
1655 |
spin_unlock(&tdb_lock); |
1656 |
stats->tx_errors++; |
1657 |
goto cleanup; |
1658 |
} |
1659 |
|
1660 |
switch(ipsp->ips_authalg) { |
1661 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 |
1662 |
case AH_MD5: |
1663 |
dmp("espp", (char*)espp, len - iphlen - authlen); |
1664 |
tctx.md5 = ((struct md5_ctx*)(ipsp->ips_key_a))->ictx; |
1665 |
dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5)); |
1666 |
MD5Update(&tctx.md5, (caddr_t)espp, len - iphlen - authlen); |
1667 |
dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5)); |
1668 |
MD5Final(hash, &tctx.md5); |
1669 |
dmp("ictx hash", (char*)&hash, sizeof(hash)); |
1670 |
tctx.md5 = ((struct md5_ctx*)(ipsp->ips_key_a))->octx; |
1671 |
dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5)); |
1672 |
MD5Update(&tctx.md5, hash, AHMD596_ALEN); |
1673 |
dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5)); |
1674 |
MD5Final(hash, &tctx.md5); |
1675 |
dmp("octx hash", (char*)&hash, sizeof(hash)); |
1676 |
memcpy(&(dat[len - authlen]), hash, authlen); |
1677 |
|
1678 |
/* paranoid */ |
1679 |
memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5)); |
1680 |
memset((caddr_t)hash, 0, sizeof(*hash)); |
1681 |
break; |
1682 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ |
1683 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 |
1684 |
case AH_SHA: |
1685 |
tctx.sha1 = ((struct sha1_ctx*)(ipsp->ips_key_a))->ictx; |
1686 |
SHA1Update(&tctx.sha1, (caddr_t)espp, len - iphlen - authlen); |
1687 |
SHA1Final(hash, &tctx.sha1); |
1688 |
tctx.sha1 = ((struct sha1_ctx*)(ipsp->ips_key_a))->octx; |
1689 |
SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN); |
1690 |
SHA1Final(hash, &tctx.sha1); |
1691 |
memcpy(&(dat[len - authlen]), hash, authlen); |
1692 |
|
1693 |
/* paranoid */ |
1694 |
memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1)); |
1695 |
memset((caddr_t)hash, 0, sizeof(*hash)); |
1696 |
break; |
1697 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ |
1698 |
case AH_NONE: |
1699 |
break; |
1700 |
default: |
1701 |
spin_unlock(&tdb_lock); |
1702 |
stats->tx_errors++; |
1703 |
goto cleanup; |
1704 |
} |
1705 |
#ifdef NET_21 |
1706 |
skb->h.raw = (unsigned char*)espp; |
1707 |
#endif /* NET_21 */ |
1708 |
break; |
1709 |
#endif /* !CONFIG_IPSEC_ESP */ |
1710 |
#ifdef CONFIG_IPSEC_AH |
1711 |
case IPPROTO_AH: |
1712 |
ahp = (struct ah *)(dat + iphlen); |
1713 |
ahp->ah_spi = ipsp->ips_said.spi; |
1714 |
ahp->ah_rpl = htonl(++(ipsp->ips_replaywin_lastseq)); |
1715 |
ahp->ah_rv = 0; |
1716 |
ahp->ah_nh = iph->protocol; |
1717 |
ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32); |
1718 |
iph->protocol = IPPROTO_AH; |
1719 |
dmp("ahp", (char*)ahp, sizeof(*ahp)); |
1720 |
|
1721 |
ipo = *iph; |
1722 |
ipo.tos = 0; |
1723 |
ipo.frag_off = 0; |
1724 |
ipo.ttl = 0; |
1725 |
ipo.check = 0; |
1726 |
dmp("ipo", (char*)&ipo, sizeof(ipo)); |
1727 |
|
1728 |
switch(ipsp->ips_authalg) { |
1729 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5 |
1730 |
case AH_MD5: |
1731 |
tctx.md5 = ((struct md5_ctx*)(ipsp->ips_key_a))->ictx; |
1732 |
dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5)); |
1733 |
MD5Update(&tctx.md5, (unsigned char *)&ipo, sizeof (struct iphdr)); |
1734 |
dmp("ictx+ipo", (char*)&tctx.md5, sizeof(tctx.md5)); |
1735 |
MD5Update(&tctx.md5, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data)); |
1736 |
dmp("ictx+ahp", (char*)&tctx.md5, sizeof(tctx.md5)); |
1737 |
MD5Update(&tctx.md5, (unsigned char *)zeroes, AHHMAC_HASHLEN); |
1738 |
dmp("ictx+zeroes", (char*)&tctx.md5, sizeof(tctx.md5)); |
1739 |
MD5Update(&tctx.md5, dat + iphlen + headroom, len - iphlen - headroom); |
1740 |
dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5)); |
1741 |
MD5Final(hash, &tctx.md5); |
1742 |
dmp("ictx hash", (char*)&hash, sizeof(hash)); |
1743 |
tctx.md5 = ((struct md5_ctx*)(ipsp->ips_key_a))->octx; |
1744 |
dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5)); |
1745 |
MD5Update(&tctx.md5, hash, AHMD596_ALEN); |
1746 |
dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5)); |
1747 |
MD5Final(hash, &tctx.md5); |
1748 |
dmp("octx hash", (char*)&hash, sizeof(hash)); |
1749 |
|
1750 |
memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN); |
1751 |
|
1752 |
/* paranoid */ |
1753 |
memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5)); |
1754 |
memset((caddr_t)hash, 0, sizeof(hash)); |
1755 |
break; |
1756 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */ |
1757 |
#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1 |
1758 |
case AH_SHA: |
1759 |
tctx.sha1 = ((struct sha1_ctx*)(ipsp->ips_key_a))->ictx; |
1760 |
SHA1Update(&tctx.sha1, (unsigned char *)&ipo, sizeof (struct iphdr)); |
1761 |
SHA1Update(&tctx.sha1, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data)); |
1762 |
SHA1Update(&tctx.sha1, (unsigned char *)zeroes, AHHMAC_HASHLEN); |
1763 |
SHA1Update(&tctx.sha1, dat + iphlen + headroom, len - iphlen - headroom); |
1764 |
SHA1Final(hash, &tctx.sha1); |
1765 |
tctx.sha1 = ((struct sha1_ctx*)(ipsp->ips_key_a))->octx; |
1766 |
SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN); |
1767 |
SHA1Final(hash, &tctx.sha1); |
1768 |
|
1769 |
memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN); |
1770 |
|
1771 |
/* paranoid */ |
1772 |
memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1)); |
1773 |
memset((caddr_t)hash, 0, sizeof(hash)); |
1774 |
break; |
1775 |
#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */ |
1776 |
default: |
1777 |
spin_unlock(&tdb_lock); |
1778 |
stats->tx_errors++; |
1779 |
goto cleanup; |
1780 |
} |
1781 |
#ifdef NET_21 |
1782 |
skb->h.raw = (unsigned char*)ahp; |
1783 |
#endif /* NET_21 */ |
1784 |
break; |
1785 |
#endif /* CONFIG_IPSEC_AH */ |
1786 |
#ifdef CONFIG_IPSEC_IPIP |
1787 |
case IPPROTO_IPIP: |
1788 |
iph->version = 4; |
1789 |
switch(sysctl_ipsec_tos) { |
1790 |
case 0: |
1791 |
#ifdef NET_21 |
1792 |
iph->tos = skb->nh.iph->tos; |
1793 |
#else /* NET_21 */ |
1794 |
iph->tos = skb->ip_hdr->tos; |
1795 |
#endif /* NET_21 */ |
1796 |
break; |
1797 |
case 1: |
1798 |
iph->tos = 0; |
1799 |
break; |
1800 |
default: |
1801 |
break; |
1802 |
} |
1803 |
#ifdef NET_21 |
1804 |
#ifdef NETDEV_23 |
1805 |
iph->ttl = sysctl_ip_default_ttl; |
1806 |
#else /* NETDEV_23 */ |
1807 |
iph->ttl = ip_statistics.IpDefaultTTL; |
1808 |
#endif /* NETDEV_23 */ |
1809 |
#else /* NET_21 */ |
1810 |
iph->ttl = 64; /* ip_statistics.IpDefaultTTL; */ |
1811 |
#endif /* NET_21 */ |
1812 |
iph->frag_off = 0; |
1813 |
iph->saddr = ((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr.s_addr; |
1814 |
iph->daddr = ((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr.s_addr; |
1815 |
iph->protocol = IPPROTO_IPIP; |
1816 |
iph->ihl = sizeof(struct iphdr) >> 2; |
1817 |
|
1818 |
KLIPS_IP_SELECT_IDENT(iph, skb); |
1819 |
|
1820 |
newdst = (__u32)iph->daddr; |
1821 |
newsrc = (__u32)iph->saddr; |
1822 |
|
1823 |
#ifdef NET_21 |
1824 |
skb->h.ipiph = skb->nh.iph; |
1825 |
#endif /* NET_21 */ |
1826 |
break; |
1827 |
#endif /* !CONFIG_IPSEC_IPIP */ |
1828 |
#ifdef CONFIG_IPSEC_IPCOMP |
1829 |
case IPPROTO_COMP: |
1830 |
{ |
1831 |
unsigned int flags = 0; |
1832 |
#ifdef CONFIG_IPSEC_DEBUG |
1833 |
unsigned int old_tot_len = ntohs(iph->tot_len); |
1834 |
#endif /* CONFIG_IPSEC_DEBUG */ |
1835 |
ipsp->ips_comp_ratio_dbytes += ntohs(iph->tot_len); |
1836 |
|
1837 |
skb = skb_compress(skb, ipsp, &flags); |
1838 |
|
1839 |
#ifdef NET_21 |
1840 |
iph = skb->nh.iph; |
1841 |
#else /* NET_21 */ |
1842 |
iph = skb->ip_hdr; |
1843 |
#endif /* NET_21 */ |
1844 |
|
1845 |
ipsp->ips_comp_ratio_cbytes += ntohs(iph->tot_len); |
1846 |
|
1847 |
#ifdef CONFIG_IPSEC_DEBUG |
1848 |
if (debug_tunnel & DB_TN_CROUT) |
1849 |
{ |
1850 |
if (old_tot_len > ntohs(iph->tot_len)) |
1851 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1852 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1853 |
"packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n", |
1854 |
old_tot_len, ntohs(iph->tot_len), |
1855 |
ntohs(((struct ipcomphdr*)(((char*)iph) + ((iph->ihl) << 2)))->ipcomp_cpi), |
1856 |
ntohl(ipsp->ips_said.spi), |
1857 |
(__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff)); |
1858 |
else |
1859 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1860 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1861 |
"packet did not compress (flags = %d).\n", |
1862 |
flags); |
1863 |
} |
1864 |
#endif /* CONFIG_IPSEC_DEBUG */ |
1865 |
} |
1866 |
break; |
1867 |
#endif /* CONFIG_IPSEC_IPCOMP */ |
1868 |
default: |
1869 |
spin_unlock(&tdb_lock); |
1870 |
stats->tx_errors++; |
1871 |
goto cleanup; |
1872 |
} |
1873 |
|
1874 |
#ifdef NET_21 |
1875 |
skb->nh.raw = skb->data; |
1876 |
#else /* NET_21 */ |
1877 |
skb->ip_hdr = skb->h.iph = (struct iphdr *) skb->data; |
1878 |
#endif /* NET_21 */ |
1879 |
iph->check = 0; |
1880 |
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); |
1881 |
|
1882 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1883 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1884 |
"after <%s%s%s>, SA:%s:\n", |
1885 |
IPS_XFORM_NAME(ipsp), |
1886 |
sa_len ? sa : " (error)"); |
1887 |
KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph); |
1888 |
|
1889 |
ipsp->ips_life.ipl_bytes.ipl_count += len; |
1890 |
ipsp->ips_life.ipl_bytes.ipl_last = len; |
1891 |
|
1892 |
if(!ipsp->ips_life.ipl_usetime.ipl_count) { |
1893 |
ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ; |
1894 |
} |
1895 |
ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ; |
1896 |
ipsp->ips_life.ipl_packets.ipl_count++; |
1897 |
|
1898 |
ipsprev = ipsp; |
1899 |
ipsp = ipsp->ips_onext; |
1900 |
|
1901 |
} |
1902 |
/* end encapsulation loop here XXX */ |
1903 |
|
1904 |
spin_unlock(&tdb_lock); |
1905 |
|
1906 |
matcher.sen_ip_src.s_addr = iph->saddr; |
1907 |
matcher.sen_ip_dst.s_addr = iph->daddr; |
1908 |
matcher.sen_proto = iph->protocol; |
1909 |
extract_ports(iph, &matcher); |
1910 |
|
1911 |
spin_lock(&eroute_lock); |
1912 |
er = ipsec_findroute(&matcher); |
1913 |
if(er) { |
1914 |
outgoing_said = er->er_said; |
1915 |
eroute_pid = er->er_pid; |
1916 |
er->er_count++; |
1917 |
er->er_lasttime = jiffies/HZ; |
1918 |
} |
1919 |
spin_unlock(&eroute_lock); |
1920 |
KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) && |
1921 |
/* ((orgdst != newdst) || (orgsrc != newsrc)) */ |
1922 |
(orgedst != outgoing_said.dst.s_addr) && |
1923 |
outgoing_said.dst.s_addr && |
1924 |
er, |
1925 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1926 |
"We are recursing here.\n"); |
1927 |
} while(/*((orgdst != newdst) || (orgsrc != newsrc))*/ |
1928 |
(orgedst != outgoing_said.dst.s_addr) && |
1929 |
outgoing_said.dst.s_addr && |
1930 |
er); |
1931 |
|
1932 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1933 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1934 |
"After recursive xforms -- head,tailroom: %d,%d\n", |
1935 |
skb_headroom(skb), skb_tailroom(skb)); |
1936 |
|
1937 |
if(saved_header) { |
1938 |
if(skb_headroom(skb) < hard_header_len) { |
1939 |
printk(KERN_WARNING |
1940 |
"klips_error:ipsec_tunnel_start_xmit: " |
1941 |
"tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n", |
1942 |
hard_header_len, skb_headroom(skb)); |
1943 |
stats->tx_errors++; |
1944 |
goto cleanup; |
1945 |
} |
1946 |
skb_push(skb, hard_header_len); |
1947 |
for (i = 0; i < hard_header_len; i++) { |
1948 |
skb->data[i] = saved_header[i]; |
1949 |
} |
1950 |
} |
1951 |
bypass: |
1952 |
KLIPS_PRINT(debug_tunnel & DB_TN_CROUT, |
1953 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1954 |
"With hard_header, final head,tailroom: %d,%d\n", |
1955 |
skb_headroom(skb), skb_tailroom(skb)); |
1956 |
|
1957 |
#ifdef NET_21 /* 2.2 and 2.4 kernels */ |
1958 |
/* new route/dst cache code from James Morris */ |
1959 |
skb->dev = physdev; |
1960 |
/*skb_orphan(skb);*/ |
1961 |
if((error = ip_route_output(&rt, |
1962 |
skb->nh.iph->daddr, |
1963 |
pass ? 0 : skb->nh.iph->saddr, |
1964 |
RT_TOS(skb->nh.iph->tos), |
1965 |
physdev->iflink /* rgb: should this be 0? */))) { |
1966 |
stats->tx_errors++; |
1967 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1968 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1969 |
"ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n", |
1970 |
error, |
1971 |
rt->u.dst.dev->name); |
1972 |
goto cleanup; |
1973 |
} |
1974 |
if(dev == rt->u.dst.dev) { |
1975 |
ip_rt_put(rt); |
1976 |
/* This is recursion, drop it. */ |
1977 |
stats->tx_errors++; |
1978 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
1979 |
"klips_debug:ipsec_tunnel_start_xmit: " |
1980 |
"suspect recursion, dev=rt->u.dst.dev=%s, dropped\n", dev->name); |
1981 |
goto cleanup; |
1982 |
} |
1983 |
dst_release(skb->dst); |
1984 |
skb->dst = &rt->u.dst; |
1985 |
stats->tx_bytes += skb->len; |
1986 |
if(skb->len < skb->nh.raw - skb->data) { |
1987 |
stats->tx_errors++; |
1988 |
printk(KERN_WARNING |
1989 |
"klips_error:ipsec_tunnel_start_xmit: " |
1990 |
"tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n", |
1991 |
(unsigned long)(skb->nh.raw - skb->data), skb->len); |
1992 |
goto cleanup; |
1993 |
} |
1994 |
__skb_pull(skb, skb->nh.raw - skb->data); |
1995 |
#ifdef SKB_RESET_NFCT |
1996 |
if(!pass) { |
1997 |
nf_conntrack_put(skb->nfct); |
1998 |
skb->nfct = NULL; |
1999 |
} |
2000 |
#ifdef CONFIG_NETFILTER_DEBUG |
2001 |
skb->nf_debug = 0; |
2002 |
#endif /* CONFIG_NETFILTER_DEBUG */ |
2003 |
#endif /* SKB_RESET_NFCT */ |
2004 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
2005 |
"klips_debug:ipsec_tunnel_start_xmit: " |
2006 |
"...done, calling ip_send() on device:%s\n", |
2007 |
skb->dev ? skb->dev->name : "NULL"); |
2008 |
KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, skb->nh.iph); |
2009 |
#ifdef NETDEV_23 /* 2.4 kernels */ |
2010 |
{ |
2011 |
int err; |
2012 |
|
2013 |
err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, |
2014 |
ipsec_tunnel_xmit2); |
2015 |
if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) { |
2016 |
if(net_ratelimit()) |
2017 |
printk(KERN_ERR |
2018 |
"klips_error:ipsec_tunnel_start_xmit: " |
2019 |
"ip_send() failed, err=%d\n", |
2020 |
-err); |
2021 |
stats->tx_errors++; |
2022 |
stats->tx_aborted_errors++; |
2023 |
skb = NULL; |
2024 |
goto cleanup; |
2025 |
} |
2026 |
} |
2027 |
#else /* NETDEV_23 */ /* 2.2 kernels */ |
2028 |
ip_send(skb); |
2029 |
#endif /* NETDEV_23 */ |
2030 |
#else /* NET_21 */ /* 2.0 kernels */ |
2031 |
skb->arp = 1; |
2032 |
/* ISDN/ASYNC PPP from Matjaz Godec. */ |
2033 |
/* skb->protocol = htons(ETH_P_IP); */ |
2034 |
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT, |
2035 |
"klips_debug:ipsec_tunnel_start_xmit: " |
2036 |
"...done, calling dev_queue_xmit() or ip_fragment().\n"); |
2037 |
IP_SEND(skb, physdev); |
2038 |
#endif /* NET_21 */ |
2039 |
stats->tx_packets++; |
2040 |
|
2041 |
skb = NULL; |
2042 |
cleanup: |
2043 |
#if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) |
2044 |
netif_wake_queue(dev); |
2045 |
#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */ |
2046 |
dev->tbusy = 0; |
2047 |
#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */ |
2048 |
if(saved_header) { |
2049 |
kfree(saved_header); |
2050 |
} |
2051 |
if(skb) { |
2052 |
dev_kfree_skb(skb, FREE_WRITE); |
2053 |
} |
2054 |
if(oskb) { |
2055 |
dev_kfree_skb(oskb, FREE_WRITE); |
2056 |
} |
2057 |
if (ips.ips_ident_s.data) { |
2058 |
kfree(ips.ips_ident_s.data); |
2059 |
} |
2060 |
if (ips.ips_ident_d.data) { |
2061 |
kfree(ips.ips_ident_d.data); |
2062 |
} |
2063 |
return 0; |
2064 |
} |
2065 |
|
2066 |
/*
 * get_stats hook for the virtual ipsec device.
 *
 * dev	the virtual device; its ->priv must point at a struct ipsecpriv
 *
 * Returns the address of the statistics block embedded in the private
 * area.  No NULL check is done on dev or dev->priv: the kernel only calls
 * this for a registered device that ipsec_tunnel set up.
 */
DEBUG_NO_STATIC struct net_device_stats *
ipsec_tunnel_get_stats(struct device *dev)
{
	struct ipsecpriv *prv = (struct ipsecpriv *)dev->priv;

	return &prv->mystats;
}
2071 |
|
2072 |
/* |
2073 |
* Revectored calls. |
2074 |
* For each of these calls, a field exists in our private structure. |
2075 |
*/ |
2076 |
|
2077 |
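/*
 * Revectored hard_header: build the link-layer header for skb by handing
 * it to the attached physical device's hard_header, with skb->dev pointed
 * at the physical device for the duration of the call.
 *
 * skb	packet needing a link-layer header
 * dev	the virtual ipsec device
 * type, daddr, saddr, len	passed through unchanged to the physical
 *				device's hard_header
 *
 * Returns whatever the physical hard_header returns; -ENODATA when skb is
 * NULL; -ENODEV when dev is NULL, has no private area, has no physical
 * device, or the physical device has been detached.  tx_dropped is bumped
 * in the last two cases.
 *
 * Two changes from the earlier version: dev->priv is read only after dev
 * is known to be non-NULL, and a detached physical device is rejected for
 * every packet type.  Previously the prv->hard_header NULL check sat inside
 * the "type != ETH_P_IPV6" branch, so an IPv6 packet arriving after
 * ipsec_tunnel_detach() would have called a NULL function pointer.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
	unsigned short type, void *daddr, void *saddr, unsigned len)
{
	struct ipsecpriv *prv;
	struct device *tmp;
	int ret;
	struct net_device_stats *stats;	/* This device's statistics */

	if(skb == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no skb...\n");
		return -ENODATA;
	}

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no device...\n");
		return -ENODEV;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_hard_header: "
		    "skb->dev=%s dev=%s.\n",
		    skb->dev ? skb->dev->name : "NULL",
		    dev->name);

	/* only look inside dev once it is known to be non-NULL */
	prv = dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no private space associated with dev=%s\n",
			    dev->name ? dev->name : "NULL");
		return -ENODEV;
	}

	stats = &prv->mystats;

	if(prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "no physical device associated with dev=%s\n",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	/*
	 * prv->hard_header is the pointer called at the bottom of this
	 * function and ipsec_tunnel_detach() clears it, so refuse every
	 * packet type while it is NULL -- not just non-IPv6 ones.
	 */
	if(!prv->hard_header) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL%s",
			    saddr,
			    daddr,
			    len,
			    type,
			    dev->name,
			    type == ETH_P_IPV6 ? "\n" : " ");
		if(type != ETH_P_IPV6) {
			/* the IP header is only locatable for non-IPv6
			   packets here (see the note below) */
#ifdef NET_21
			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
					"ip=%08x->%08x\n",
					(__u32)ntohl(skb->nh.iph->saddr),
					(__u32)ntohl(skb->nh.iph->daddr) );
#else /* NET_21 */
			KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
					"ip=%08x->%08x\n",
					(__u32)ntohl(skb->ip_hdr->saddr),
					(__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */
		}
		stats->tx_dropped++;
		return -ENODEV;
	}

	/* check if we have to send a IPv6 packet. It might be a Router
	   Solicitation, where the building of the packet happens in
	   reverse order:
	   1. ll hdr,
	   2. IPv6 hdr,
	   3. ICMPv6 hdr
	   -> skb->nh.raw is still uninitialized when this function is
	   called!! If this is no IPv6 packet, we can print debugging
	   messages, otherwise we skip all debugging messages and just
	   build the ll header */
	if(type != ETH_P_IPV6) {
		/* local pointer instead of the old file-wide "da" macro,
		   which was never #undef'd */
		const unsigned char *da =
			((struct device *)(prv->dev))->dev_addr;

		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
			    saddr,
			    daddr,
			    len,
			    type,
			    dev->name,
			    prv->dev->name,
			    da[0], da[1], da[2], da[3], da[4], da[5]);
#ifdef NET_21
		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
				"ip=%08x->%08x\n",
				(__u32)ntohl(skb->nh.iph->saddr),
				(__u32)ntohl(skb->nh.iph->daddr) );
#else /* NET_21 */
		KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
				"ip=%08x->%08x\n",
				(__u32)ntohl(skb->ip_hdr->saddr),
				(__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */
	} else {
		KLIPS_PRINT(debug_tunnel,
			    "klips_debug:ipsec_tunnel_hard_header: "
			    "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
	}

	/* swap in the physical device for the duration of the call */
	tmp = skb->dev;
	skb->dev = prv->dev;
	ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
	skb->dev = tmp;
	return ret;
}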
2195 |
|
2196 |
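/*
 * Revectored rebuild_header: let the attached physical device rebuild the
 * link-layer header of skb, with skb->dev pointed at the physical device
 * for the duration of the call.
 *
 * Under NET_21 only skb is supplied; on older kernels buff, dev and raddr
 * are passed straight through to the physical device's rebuild_header.
 * The virtual device is always taken from skb->dev.
 *
 * Returns the physical rebuild_header's result, or -ENODEV when skb or
 * skb->dev is NULL, the device has no private area or physical device, or
 * the physical device has been detached (tx_dropped is bumped in the last
 * two cases).
 *
 * Fix: skb->dev->priv is read only after skb and skb->dev have been
 * checked; the earlier version dereferenced skb->dev before testing it.
 */
DEBUG_NO_STATIC int
#ifdef NET_21
ipsec_tunnel_rebuild_header(struct sk_buff *skb)
#else /* NET_21 */
ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
	unsigned long raddr, struct sk_buff *skb)
#endif /* NET_21 */
{
	struct ipsecpriv *prv;
	struct device *tmp;
	int ret;
	struct net_device_stats *stats;	/* This device's statistics */

	if(skb == NULL || skb->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no device...");
		return -ENODEV;
	}

	prv = skb->dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no private space associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		return -ENODEV;
	}

	stats = &prv->mystats;

	if(prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "no physical device associated with dev=%s",
			    skb->dev->name ? skb->dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	/* ipsec_tunnel_detach() clears this pointer; it is called below */
	if(!prv->rebuild_header) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_rebuild_header: "
			    "physical device has been detached, packet dropped skb->dev=%s->NULL ",
			    skb->dev->name);
#ifdef NET_21
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "ip=%08x->%08x\n",
			    (__u32)ntohl(skb->nh.iph->saddr),
			    (__u32)ntohl(skb->nh.iph->daddr) );
#else /* NET_21 */
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "ip=%08x->%08x\n",
			    (__u32)ntohl(skb->ip_hdr->saddr),
			    (__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */
		stats->tx_dropped++;
		return -ENODEV;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored rebuild_header dev=%s->%s ",
		    skb->dev->name, prv->dev->name);
#ifdef NET_21
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "ip=%08x->%08x\n",
		    (__u32)ntohl(skb->nh.iph->saddr),
		    (__u32)ntohl(skb->nh.iph->daddr) );
#else /* NET_21 */
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "ip=%08x->%08x\n",
		    (__u32)ntohl(skb->ip_hdr->saddr),
		    (__u32)ntohl(skb->ip_hdr->daddr) );
#endif /* NET_21 */

	/* swap in the physical device for the duration of the call */
	tmp = skb->dev;
	skb->dev = prv->dev;
#ifdef NET_21
	ret = prv->rebuild_header(skb);
#else /* NET_21 */
	ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
#endif /* NET_21 */
	skb->dev = tmp;
	return ret;
}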
2281 |
|
2282 |
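/*
 * Revectored set_mac_address: forward the request to the attached physical
 * device's set_mac_address.
 *
 * dev	the virtual ipsec device
 * addr	opaque address argument, passed through unchanged
 *
 * Returns the physical set_mac_address's result, or -ENODEV when dev is
 * NULL, has no private area, has no physical device, or the physical
 * device has been detached.  tx_dropped is bumped only in the "no physical
 * device" case, as before.
 *
 * Fix: dev->priv is read only after dev has been checked for NULL.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
{
	struct ipsecpriv *prv;
	struct net_device_stats *stats;	/* This device's statistics */

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "no device...");
		return -ENODEV;
	}

	prv = dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return -ENODEV;
	}

	stats = &prv->mystats;

	if(prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return -ENODEV;
	}

	/* ipsec_tunnel_detach() clears this pointer; it is called below */
	if(!prv->set_mac_address) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_set_mac_address: "
			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
			    dev->name);
		return -ENODEV;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_set_mac_address: "
		    "Revectored dev=%s->%s addr=0p%p\n",
		    dev->name, prv->dev->name, addr);
	return prv->set_mac_address(prv->dev, addr);
}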
2330 |
|
2331 |
#ifndef NET_21 |
2332 |
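/*
 * Revectored header_cache_bind (pre-NET_21 kernels only): forward the
 * hardware-header cache binding to the attached physical device.
 *
 * hhp, htype, daddr	passed through unchanged to the physical device
 * dev			the virtual ipsec device
 *
 * Silently returns when dev is NULL, has no private area, has no physical
 * device, or the physical device has been detached; tx_dropped is bumped
 * in the last two cases.
 *
 * Fix: dev->priv is read only after dev has been checked for NULL.
 */
DEBUG_NO_STATIC void
ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
	unsigned short htype, __u32 daddr)
{
	struct ipsecpriv *prv;
	struct net_device_stats *stats;	/* This device's statistics */

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "no device...");
		return;
	}

	prv = dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return;
	}

	stats = &prv->mystats;

	if(prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return;
	}

	/* ipsec_tunnel_detach() clears this pointer; it is called below */
	if(!prv->header_cache_bind) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_bind: "
			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
			    dev->name);
		stats->tx_dropped++;
		return;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_cache_bind: "
		    "Revectored \n");
	prv->header_cache_bind(hhp, prv->dev, htype, daddr);
}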
2381 |
#endif /* !NET_21 */ |
2382 |
|
2383 |
|
2384 |
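/*
 * Revectored header_cache_update: forward the cached hardware-header
 * update to the attached physical device.
 *
 * hh, haddr	passed through unchanged to the physical device
 * dev		the virtual ipsec device
 *
 * Silently returns when dev is NULL, has no private area, has no physical
 * device, or the physical device has been detached; tx_dropped is bumped
 * only in the "no physical device" case, as before.
 *
 * Fix: dev->priv is read only after dev has been checked for NULL.
 */
DEBUG_NO_STATIC void
ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
{
	struct ipsecpriv *prv;
	struct net_device_stats *stats;	/* This device's statistics */

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no device...");
		return;
	}

	prv = dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return;
	}

	stats = &prv->mystats;

	if(prv->dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "no physical device associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		stats->tx_dropped++;
		return;
	}

	/* ipsec_tunnel_detach() clears this pointer; it is called below */
	if(!prv->header_cache_update) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_cache_update: "
			    "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
			    dev->name);
		return;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel: "
		    "Revectored cache_update\n");
	prv->header_cache_update(hh, prv->dev, haddr);
}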
2431 |
|
2432 |
#ifdef NET_21 |
2433 |
/*
 * Per-neighbour setup hook installed by ipsec_tunnel_neigh_setup_dev.
 *
 * n	neighbour entry being created
 *
 * A neighbour that is still in NUD_NONE gets arp_broken_ops and that
 * table's output routine; any other state is left untouched.  Always
 * returns 0.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_neigh_setup(struct neighbour *n)
{
	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_neigh_setup:\n");

	if (n->nud_state != NUD_NONE) {
		return 0;
	}

	n->ops = &arp_broken_ops;
	n->output = n->ops->output;
	return 0;
}
2445 |
|
2446 |
/*
 * neigh_setup hook for the virtual ipsec device.
 *
 * dev	the virtual device (only used for the debug message)
 * p	neighbour parameters being set up for a table
 *
 * For the AF_INET table, installs ipsec_tunnel_neigh_setup as the
 * per-neighbour hook and disables unicast and multicast probes.  Other
 * address families are left as they are.  Always returns 0.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
{
	const char *devname = dev ? dev->name : "NULL";

	KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
		    "klips_debug:ipsec_tunnel_neigh_setup_dev: "
		    "setting up %s\n",
		    devname);

	if (p->tbl->family != AF_INET) {
		return 0;
	}

	p->neigh_setup = ipsec_tunnel_neigh_setup;
	p->ucast_probes = 0;
	p->mcast_probes = 0;
	return 0;
}
2461 |
#endif /* NET_21 */ |
2462 |
|
2463 |
/* |
2464 |
* We call the attach routine to attach another device. |
2465 |
*/ |
2466 |
|
2467 |
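/*
 * Attach the virtual ipsec device dev to the physical device physdev.
 *
 * Saves physdev's hard_start_xmit/get_stats and, for each optional
 * link-layer hook physdev provides (hard_header, rebuild_header,
 * set_mac_address, header_cache_bind, header_cache_update), stores the
 * original in prv and points dev's hook at the ipsec_tunnel_* revector;
 * hooks physdev lacks are cleared on dev.  Copies hard_header_len, type,
 * addr_len and the hardware address from physdev, records physdev's MTU in
 * prv->mtu and sets dev->mtu to a fixed value.
 *
 * Returns 0 on success; -ENODEV when dev or physdev is NULL; -ENODATA when
 * dev has no private area.
 *
 * Fix: dev->priv is read only after dev has been checked for NULL, and a
 * NULL physdev is rejected rather than dereferenced.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_attach(struct device *dev, struct device *physdev)
{
	int i;
	struct ipsecpriv *prv;

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "no device...");
		return -ENODEV;
	}

	prv = dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return -ENODATA;
	}

	if(physdev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_attach: "
			    "no physical device supplied for dev=%s\n",
			    dev->name ? dev->name : "NULL");
		return -ENODEV;
	}

	prv->dev = physdev;
	prv->hard_start_xmit = physdev->hard_start_xmit;
	prv->get_stats = physdev->get_stats;

	/* each optional hook: remember the physical one, revector ours */
	if (physdev->hard_header) {
		prv->hard_header = physdev->hard_header;
		dev->hard_header = ipsec_tunnel_hard_header;
	} else {
		dev->hard_header = NULL;
	}

	if (physdev->rebuild_header) {
		prv->rebuild_header = physdev->rebuild_header;
		dev->rebuild_header = ipsec_tunnel_rebuild_header;
	} else {
		dev->rebuild_header = NULL;
	}

	if (physdev->set_mac_address) {
		prv->set_mac_address = physdev->set_mac_address;
		dev->set_mac_address = ipsec_tunnel_set_mac_address;
	} else {
		dev->set_mac_address = NULL;
	}

#ifndef NET_21
	if (physdev->header_cache_bind) {
		prv->header_cache_bind = physdev->header_cache_bind;
		dev->header_cache_bind = ipsec_tunnel_cache_bind;
	} else {
		dev->header_cache_bind = NULL;
	}
#endif /* !NET_21 */

	if (physdev->header_cache_update) {
		prv->header_cache_update = physdev->header_cache_update;
		dev->header_cache_update = ipsec_tunnel_cache_update;
	} else {
		dev->header_cache_update = NULL;
	}

	dev->hard_header_len = physdev->hard_header_len;

#ifdef NET_21
	/* prv->neigh_setup = physdev->neigh_setup; */
	dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
#endif /* NET_21 */
	dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
	prv->mtu = physdev->mtu;

#ifdef PHYSDEV_TYPE
	dev->type = physdev->type; /* ARPHRD_TUNNEL; */
#endif /* PHYSDEV_TYPE */

	/* addr_len comes from the kernel's own device record, so it is
	   within the dev_addr array */
	dev->addr_len = physdev->addr_len;
	memcpy(dev->dev_addr, physdev->dev_addr, dev->addr_len);
#ifdef CONFIG_IPSEC_DEBUG
	if(debug_tunnel & DB_TN_INIT) {
		printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
		       "physical device %s being attached has HW address: %2x",
		       physdev->name, physdev->dev_addr[0]);
		for (i=1; i < physdev->addr_len; i++) {
			printk(":%02x", physdev->dev_addr[i]);
		}
		printk("\n");
	}
#endif /* CONFIG_IPSEC_DEBUG */

	return 0;
}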
2555 |
|
2556 |
/* |
2557 |
* We call the detach routine to detach the ipsec tunnel from another device. |
2558 |
*/ |
2559 |
|
2560 |
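/*
 * Detach the virtual ipsec device dev from whatever physical device it is
 * attached to.
 *
 * Clears every saved physical-device pointer in prv (so the revector
 * functions start refusing packets), zeroes hard_header_len, prv->mtu,
 * the hardware address and addr_len, and resets dev->type to ARPHRD_VOID
 * where PHYSDEV_TYPE is defined.  With DETACH_AND_DOWN the device's own
 * hooks and MTU are cleared as well.
 *
 * Returns 0 on success; -ENODEV when dev is NULL; -ENODATA when dev has no
 * private area.
 *
 * Fix: dev->priv is read only after dev has been checked for NULL.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_detach(struct device *dev)
{
	struct ipsecpriv *prv;

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_detach: "
			    "no device...");
		return -ENODEV;
	}

	prv = dev->priv;
	if(prv == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
			    "klips_debug:ipsec_tunnel_detach: "
			    "no private space associated with dev=%s",
			    dev->name ? dev->name : "NULL");
		return -ENODATA;
	}

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_detach: "
		    "physical device %s being detached from virtual device %s\n",
		    prv->dev ? prv->dev->name : "NULL",
		    dev->name);

	prv->dev = NULL;
	prv->hard_start_xmit = NULL;
	prv->get_stats = NULL;

	/* the revector functions test these for NULL and drop when unset */
	prv->hard_header = NULL;
#ifdef DETACH_AND_DOWN
	dev->hard_header = NULL;
#endif /* DETACH_AND_DOWN */

	prv->rebuild_header = NULL;
#ifdef DETACH_AND_DOWN
	dev->rebuild_header = NULL;
#endif /* DETACH_AND_DOWN */

	prv->set_mac_address = NULL;
#ifdef DETACH_AND_DOWN
	dev->set_mac_address = NULL;
#endif /* DETACH_AND_DOWN */

#ifndef NET_21
	prv->header_cache_bind = NULL;
#ifdef DETACH_AND_DOWN
	dev->header_cache_bind = NULL;
#endif /* DETACH_AND_DOWN */
#endif /* !NET_21 */

	prv->header_cache_update = NULL;
#ifdef DETACH_AND_DOWN
	dev->header_cache_update = NULL;
#endif /* DETACH_AND_DOWN */

#ifdef NET_21
	/* prv->neigh_setup = NULL; */
#ifdef DETACH_AND_DOWN
	dev->neigh_setup = NULL;
#endif /* DETACH_AND_DOWN */
#endif /* NET_21 */
	dev->hard_header_len = 0;
#ifdef DETACH_AND_DOWN
	dev->mtu = 0;
#endif /* DETACH_AND_DOWN */
	prv->mtu = 0;
	memset(dev->dev_addr, 0, MAX_ADDR_LEN);
	dev->addr_len = 0;
#ifdef PHYSDEV_TYPE
	dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */
#endif /* PHYSDEV_TYPE */

	return 0;
}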
2639 |
|
2640 |
/* |
2641 |
* We call the clear routine to detach all ipsec tunnels from other devices. |
2642 |
*/ |
2643 |
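/*
 * Detach every virtual ipsec device that currently has a physical device.
 *
 * Walks ipsec0..ipsec(IPSEC_NUM_IF-1) by name; devices that do not exist,
 * have no private area or are not attached are skipped.
 *
 * Returns 0 when all attached devices were detached, otherwise the first
 * non-zero result of ipsec_tunnel_detach (the remaining devices are left
 * as they are).
 *
 * Fix: the name buffer is IFNAMSIZ bytes, the kernel's bound on an
 * interface name, instead of a hard-coded 9 that silently tied the buffer
 * to the width of IPSEC_NUM_IF.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_clear(void)
{
	int i;
	struct device *ipsecdev, *prvdev;
	struct ipsecpriv *prv;
	char name[IFNAMSIZ];
	int ret;

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_clear: .\n");

	for(i = 0; i < IPSEC_NUM_IF; i++) {
		/* IPSEC_DEV_FORMAT must yield a valid interface name, so
		   its expansion fits IFNAMSIZ; sprintf is kept because
		   snprintf is not available on every kernel this file
		   builds against -- use it where the kernel provides it */
		sprintf(name, IPSEC_DEV_FORMAT, i);

		ipsecdev = ipsec_dev_get(name);
		if(ipsecdev == NULL) {
			continue;
		}
		prv = (struct ipsecpriv *)(ipsecdev->priv);
		if(prv == NULL) {
			continue;
		}
		prvdev = (struct device *)(prv->dev);
		if(prvdev == NULL) {
			continue;
		}

		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_clear: "
			    "physical device for device %s is %s\n",
			    name, prvdev->name);
		ret = ipsec_tunnel_detach(ipsecdev);
		if(ret) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_clear: "
				    "error %d detatching device %s from device %s.\n",
				    ret, name, prvdev->name);
			return ret;
		}
	}
	return 0;
}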
2678 |
|
2679 |
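/*
 * Private ioctl handler for the virtual ipsec device (the tncfg service
 * calls).
 *
 * dev	the virtual ipsec device
 * ifr	the ifreq from the caller; cf_name inside it names the physical
 *	device for IPSEC_SET_DEV
 * cmd	IPSEC_SET_DEV, IPSEC_DEL_DEV or IPSEC_CLR_DEV
 *
 * Returns 0 on success, the result of ipsec_tunnel_attach/detach/clear,
 * -ENODEV when dev is NULL or (IPSEC_DEL_DEV) nothing is attached, -ENXIO
 * when the named physical device does not exist, -EBUSY when dev is
 * already attached, and -EOPNOTSUPP for any other cmd.
 *
 * Fix: dev->priv is read only after dev has been checked for NULL, and
 * IPSEC_DEL_DEV now tolerates a NULL private area the way IPSEC_SET_DEV
 * already did instead of dereferencing it.
 */
DEBUG_NO_STATIC int
ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
{
	struct ipsectunnelconf *cf;
	struct ipsecpriv *prv;
	struct device *them;	/* physical device */
#ifdef CONFIG_IP_ALIAS
	char *colon;
	char realphysname[IFNAMSIZ];
#endif /* CONFIG_IP_ALIAS */

	if(dev == NULL) {
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "device not supplied.\n");
		return -ENODEV;
	}

	cf = (struct ipsectunnelconf *)&ifr->ifr_data;
	prv = dev->priv;

	KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
		    "klips_debug:ipsec_tunnel_ioctl: "
		    "tncfg service call #%d for dev=%s\n",
		    cmd,
		    dev->name ? dev->name : "NULL");
	switch (cmd) {
	/* attach a virtual ipsec? device to a physical device */
	case IPSEC_SET_DEV:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "calling ipsec_tunnel_attatch...\n");
#ifdef CONFIG_IP_ALIAS
		/* If this is an IP alias interface, get its real physical name */
		strncpy(realphysname, cf->cf_name, IFNAMSIZ);
		realphysname[IFNAMSIZ-1] = 0;
		colon = strchr(realphysname, ':');
		if (colon) {
			*colon = 0;
		}
		them = ipsec_dev_get(realphysname);
#else /* CONFIG_IP_ALIAS */
		/* NOTE(review): cf_name comes from the caller's ifreq and is
		   handed over unbounded here; ipsec_dev_get is assumed to
		   limit its comparison to IFNAMSIZ -- confirm */
		them = ipsec_dev_get(cf->cf_name);
#endif /* CONFIG_IP_ALIAS */

		if (them == NULL) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_ioctl: "
				    "physical device %s requested is null\n",
				    cf->cf_name);
			return -ENXIO;
		}

		if (prv && prv->dev) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_ioctl: "
				    "virtual device is already connected to %s.\n",
				    prv->dev->name ? prv->dev->name : "NULL");
			return -EBUSY;
		}
		return ipsec_tunnel_attach(dev, them);

	case IPSEC_DEL_DEV:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "calling ipsec_tunnel_detatch.\n");
		/* a missing private area counts as "nothing attached" */
		if (prv == NULL || prv->dev == NULL) {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_ioctl: "
				    "physical device not connected.\n");
			return -ENODEV;
		}
		return ipsec_tunnel_detach(dev);

	case IPSEC_CLR_DEV:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "calling ipsec_tunnel_clear.\n");
		return ipsec_tunnel_clear();

	default:
		KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
			    "klips_debug:ipsec_tunnel_ioctl: "
			    "unknown command %d.\n",
			    cmd);
		return -EOPNOTSUPP;
	}
}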
2772 |
|
2773 |
int |
2774 |
ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr) |
2775 |
{ |
2776 |
struct device *dev = ptr; |
2777 |
struct device *ipsec_dev; |
2778 |
struct ipsecpriv *priv; |
2779 |
char name[9]; |
2780 |
int i; |
2781 |
|
2782 |
if (dev == NULL) { |
2783 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2784 |
"klips_debug:ipsec_device_event: " |
2785 |
"dev=NULL for event type %ld.\n", |
2786 |
event); |
2787 |
return(NOTIFY_DONE); |
2788 |
} |
2789 |
|
2790 |
/* check for loopback devices */ |
2791 |
if (dev && (dev->flags & IFF_LOOPBACK)) { |
2792 |
return(NOTIFY_DONE); |
2793 |
} |
2794 |
|
2795 |
switch (event) { |
2796 |
case NETDEV_DOWN: |
2797 |
/* look very carefully at the scope of these compiler |
2798 |
directives before changing anything... -- RGB */ |
2799 |
#ifdef NET_21 |
2800 |
case NETDEV_UNREGISTER: |
2801 |
switch (event) { |
2802 |
case NETDEV_DOWN: |
2803 |
#endif /* NET_21 */ |
2804 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2805 |
"klips_debug:ipsec_device_event: " |
2806 |
"NETDEV_DOWN dev=%s flags=%x\n", |
2807 |
dev->name, |
2808 |
dev->flags); |
2809 |
if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) { |
2810 |
printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n", |
2811 |
dev->name); |
2812 |
} |
2813 |
#ifdef NET_21 |
2814 |
break; |
2815 |
case NETDEV_UNREGISTER: |
2816 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2817 |
"klips_debug:ipsec_device_event: " |
2818 |
"NETDEV_UNREGISTER dev=%s flags=%x\n", |
2819 |
dev->name, |
2820 |
dev->flags); |
2821 |
break; |
2822 |
} |
2823 |
#endif /* NET_21 */ |
2824 |
|
2825 |
/* find the attached physical device and detach it. */ |
2826 |
for(i = 0; i < IPSEC_NUM_IF; i++) { |
2827 |
sprintf(name, IPSEC_DEV_FORMAT, i); |
2828 |
ipsec_dev = ipsec_dev_get(name); |
2829 |
if(ipsec_dev) { |
2830 |
priv = (struct ipsecpriv *)(ipsec_dev->priv); |
2831 |
if(priv) { |
2832 |
; |
2833 |
if(((struct device *)(priv->dev)) == dev) { |
2834 |
/* dev_close(ipsec_dev); */ |
2835 |
/* return */ ipsec_tunnel_detach(ipsec_dev); |
2836 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2837 |
"klips_debug:ipsec_device_event: " |
2838 |
"device '%s' has been detached.\n", |
2839 |
ipsec_dev->name); |
2840 |
break; |
2841 |
} |
2842 |
} else { |
2843 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2844 |
"klips_debug:ipsec_device_event: " |
2845 |
"device '%s' has no private data space!\n", |
2846 |
ipsec_dev->name); |
2847 |
} |
2848 |
} |
2849 |
} |
2850 |
break; |
2851 |
case NETDEV_UP: |
2852 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2853 |
"klips_debug:ipsec_device_event: " |
2854 |
"NETDEV_UP dev=%s\n", |
2855 |
dev->name); |
2856 |
break; |
2857 |
#ifdef NET_21 |
2858 |
case NETDEV_REBOOT: |
2859 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2860 |
"klips_debug:ipsec_device_event: " |
2861 |
"NETDEV_REBOOT dev=%s\n", |
2862 |
dev->name); |
2863 |
break; |
2864 |
case NETDEV_CHANGE: |
2865 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2866 |
"klips_debug:ipsec_device_event: " |
2867 |
"NETDEV_CHANGE dev=%s flags=%x\n", |
2868 |
dev->name, |
2869 |
dev->flags); |
2870 |
break; |
2871 |
case NETDEV_REGISTER: |
2872 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2873 |
"klips_debug:ipsec_device_event: " |
2874 |
"NETDEV_REGISTER dev=%s\n", |
2875 |
dev->name); |
2876 |
break; |
2877 |
case NETDEV_CHANGEMTU: |
2878 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2879 |
"klips_debug:ipsec_device_event: " |
2880 |
"NETDEV_CHANGEMTU dev=%s to mtu=%d\n", |
2881 |
dev->name, |
2882 |
dev->mtu); |
2883 |
break; |
2884 |
case NETDEV_CHANGEADDR: |
2885 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2886 |
"klips_debug:ipsec_device_event: " |
2887 |
"NETDEV_CHANGEADDR dev=%s\n", |
2888 |
dev->name); |
2889 |
break; |
2890 |
case NETDEV_GOING_DOWN: |
2891 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2892 |
"klips_debug:ipsec_device_event: " |
2893 |
"NETDEV_GOING_DOWN dev=%s\n", |
2894 |
dev->name); |
2895 |
break; |
2896 |
case NETDEV_CHANGENAME: |
2897 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2898 |
"klips_debug:ipsec_device_event: " |
2899 |
"NETDEV_CHANGENAME dev=%s\n", |
2900 |
dev->name); |
2901 |
break; |
2902 |
#endif /* NET_21 */ |
2903 |
default: |
2904 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
2905 |
"klips_debug:ipsec_device_event: " |
2906 |
"event type %ld unrecognised for dev=%s\n", |
2907 |
event, |
2908 |
dev->name); |
2909 |
break; |
2910 |
} |
2911 |
return NOTIFY_DONE; |
2912 |
} |
2913 |
|
2914 |
/* |
2915 |
* Called when an ipsec tunnel device is initialized. |
2916 |
* The ipsec tunnel device structure is passed to us. |
2917 |
*/ |
2918 |
|
2919 |
int |
2920 |
ipsec_tunnel_init(struct device *dev) |
2921 |
{ |
2922 |
int i; |
2923 |
|
2924 |
KLIPS_PRINT(debug_tunnel, |
2925 |
"klips_debug:ipsec_tunnel_init: " |
2926 |
"allocating %lu bytes initialising device: %s\n", |
2927 |
(unsigned long) sizeof(struct ipsecpriv), |
2928 |
dev->name ? dev->name : "NULL"); |
2929 |
|
2930 |
/* Add our tunnel functions to the device */ |
2931 |
dev->open = ipsec_tunnel_open; |
2932 |
dev->stop = ipsec_tunnel_close; |
2933 |
dev->hard_start_xmit = ipsec_tunnel_start_xmit; |
2934 |
dev->get_stats = ipsec_tunnel_get_stats; |
2935 |
|
2936 |
dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL); |
2937 |
if (dev->priv == NULL) |
2938 |
return -ENOMEM; |
2939 |
memset(dev->priv, 0, sizeof(struct ipsecpriv)); |
2940 |
|
2941 |
for(i = 0; i < sizeof(zeroes); i++) { |
2942 |
((__u8*)(zeroes))[i] = 0; |
2943 |
} |
2944 |
|
2945 |
#ifndef NET_21 |
2946 |
/* Initialize the tunnel device structure */ |
2947 |
for (i = 0; i < DEV_NUMBUFFS; i++) |
2948 |
skb_queue_head_init(&dev->buffs[i]); |
2949 |
#endif /* !NET_21 */ |
2950 |
|
2951 |
dev->set_multicast_list = NULL; |
2952 |
dev->do_ioctl = ipsec_tunnel_ioctl; |
2953 |
dev->hard_header = NULL; |
2954 |
dev->rebuild_header = NULL; |
2955 |
dev->set_mac_address = NULL; |
2956 |
#ifndef NET_21 |
2957 |
dev->header_cache_bind = NULL; |
2958 |
#endif /* !NET_21 */ |
2959 |
dev->header_cache_update= NULL; |
2960 |
|
2961 |
#ifdef NET_21 |
2962 |
/* prv->neigh_setup = NULL; */ |
2963 |
dev->neigh_setup = ipsec_tunnel_neigh_setup_dev; |
2964 |
#endif /* NET_21 */ |
2965 |
dev->hard_header_len = 0; |
2966 |
dev->mtu = 0; |
2967 |
dev->addr_len = 0; |
2968 |
dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */ |
2969 |
dev->tx_queue_len = 10; /* Small queue */ |
2970 |
memset(dev->broadcast,0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */ |
2971 |
|
2972 |
/* New-style flags. */ |
2973 |
dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */; |
2974 |
#ifdef NET_21 |
2975 |
dev_init_buffers(dev); |
2976 |
#else /* NET_21 */ |
2977 |
dev->family = AF_INET; |
2978 |
dev->pa_addr = 0; |
2979 |
dev->pa_brdaddr = 0; |
2980 |
dev->pa_mask = 0; |
2981 |
dev->pa_alen = 4; |
2982 |
#endif /* NET_21 */ |
2983 |
|
2984 |
/* We're done. Have I forgotten anything? */ |
2985 |
return 0; |
2986 |
} |
2987 |
|
2988 |
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ |
2989 |
/* Module specific interface (but it links with the rest of IPSEC) */ |
2990 |
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ |
2991 |
|
2992 |
int |
2993 |
ipsec_tunnel_probe(struct device *dev) |
2994 |
{ |
2995 |
ipsec_tunnel_init(dev); |
2996 |
return 0; |
2997 |
} |
2998 |
|
2999 |
#if !CONFIG_IPSEC_DYNDEV |
3000 |
static struct device dev_ipsec3 = |
3001 |
{ |
3002 |
"ipsec3\0 ", /* name */ |
3003 |
0, /* recv memory end */ |
3004 |
0, /* recv memory start */ |
3005 |
0, /* memory end */ |
3006 |
0, /* memory start */ |
3007 |
0x0, /* base I/O address */ |
3008 |
0, /* IRQ */ |
3009 |
0, 0, 0, /* flags */ |
3010 |
NULL, /* next device */ |
3011 |
ipsec_tunnel_probe /* setup */ |
3012 |
}; |
3013 |
|
3014 |
static struct device dev_ipsec2 = |
3015 |
{ |
3016 |
"ipsec2\0 ", /* name */ |
3017 |
0, /* recv memory end */ |
3018 |
0, /* recv memory start */ |
3019 |
0, /* memory end */ |
3020 |
0, /* memory start */ |
3021 |
0x0, /* base I/O address */ |
3022 |
0, /* IRQ */ |
3023 |
0, 0, 0, /* flags */ |
3024 |
NULL, /* next device */ |
3025 |
ipsec_tunnel_probe /* setup */ |
3026 |
}; |
3027 |
|
3028 |
static struct device dev_ipsec1 = |
3029 |
{ |
3030 |
"ipsec1\0 ", /* name */ |
3031 |
0, /* recv memory end */ |
3032 |
0, /* recv memory start */ |
3033 |
0, /* memory end */ |
3034 |
0, /* memory start */ |
3035 |
0x0, /* base I/O address */ |
3036 |
0, /* IRQ */ |
3037 |
0, 0, 0, /* flags */ |
3038 |
NULL, /* next device */ |
3039 |
ipsec_tunnel_probe /* setup */ |
3040 |
}; |
3041 |
|
3042 |
static struct device dev_ipsec0 = |
3043 |
{ |
3044 |
"ipsec0\0 ", /* name */ |
3045 |
0, /* recv memory end */ |
3046 |
0, /* recv memory start */ |
3047 |
0, /* memory end */ |
3048 |
0, /* memory start */ |
3049 |
0x0, /* base I/O address */ |
3050 |
0, /* IRQ */ |
3051 |
0, 0, 0, /* flags */ |
3052 |
NULL, /* next device */ |
3053 |
ipsec_tunnel_probe /* setup */ |
3054 |
}; |
3055 |
#endif /* !CONFIG_IPSEC_DYNDEV */ |
3056 |
|
3057 |
int |
3058 |
ipsec_tunnel_init_devices(void) |
3059 |
{ |
3060 |
#if CONFIG_IPSEC_DYNDEV |
3061 |
int i; |
3062 |
char name[IFNAMSIZ]; |
3063 |
struct device *dev_ipsec; |
3064 |
|
3065 |
KLIPS_PRINT(debug_tunnel & DB_TN_INIT, |
3066 |
"klips_debug:ipsec_tunnel_init_devices: " |
3067 |
"creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n", |
3068 |
IPSEC_NUM_IF, |
3069 |
(unsigned long) (sizeof(struct device) + IFNAMSIZ), |
3070 |
IFNAMSIZ); |
3071 |
|
3072 |
for(i = 0; i < IPSEC_NUM_IF; i++) { |
3073 |
sprintf(name, IPSEC_DEV_FORMAT, i); |
3074 |
dev_ipsec = (struct device*)kmalloc(sizeof(struct device), GFP_KERNEL); |
3075 |
if (dev_ipsec == NULL) { |
3076 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3077 |
"klips_debug:ipsec_tunnel_init_devices: " |
3078 |
"failed to allocate memory for device %s, quitting device init.\n", |
3079 |
name); |
3080 |
return -ENOMEM; |
3081 |
} |
3082 |
memset((void*)dev_ipsec, 0, sizeof(struct device)); |
3083 |
#ifdef NETDEV_23 |
3084 |
strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name)); |
3085 |
#else /* NETDEV_23 */ |
3086 |
dev_ipsec->name = (char*)kmalloc(IFNAMSIZ, GFP_KERNEL); |
3087 |
if (dev_ipsec->name == NULL) { |
3088 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3089 |
"klips_debug:ipsec_tunnel_init_devices: " |
3090 |
"failed to allocate memory for device %s name, quitting device init.\n", |
3091 |
name); |
3092 |
return -ENOMEM; |
3093 |
} |
3094 |
memset((void*)dev_ipsec->name, 0, IFNAMSIZ); |
3095 |
strncpy(dev_ipsec->name, name, IFNAMSIZ); |
3096 |
#endif /* NETDEV_23 */ |
3097 |
#if 0 |
3098 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3099 |
"klips_debug:ipsec_tunnel_init_devices: " |
3100 |
"printing name one char at a time:"); |
3101 |
{ |
3102 |
int j; |
3103 |
for(j = 0; j < IFNAMSIZ; j++) { |
3104 |
printk( " %d=%c", dev_ipsec->name[j], dev_ipsec->name[j]); |
3105 |
} |
3106 |
} |
3107 |
printk( "\n"); |
3108 |
#endif |
3109 |
dev_ipsec->next = NULL; |
3110 |
dev_ipsec->init = &ipsec_tunnel_probe; |
3111 |
#if 0 |
3112 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3113 |
"klips_debug:ipsec_tunnel_init_devices: " |
3114 |
"registering device %s\n", |
3115 |
dev_ipsec->name); |
3116 |
#endif |
3117 |
if (register_netdev(dev_ipsec) != 0) { |
3118 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3119 |
"klips_debug:ipsec_tunnel_init_devices: " |
3120 |
"registering device %s failed, quitting device init.\n", |
3121 |
dev_ipsec->name); |
3122 |
return -EIO; |
3123 |
} else { |
3124 |
#if 0 |
3125 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3126 |
"klips_debug:ipsec_tunnel_init_devices: " |
3127 |
"registering device %s succeeded, continuing...\n", |
3128 |
dev_ipsec->name); |
3129 |
#endif |
3130 |
} |
3131 |
} |
3132 |
#else /* CONFIG_IPSEC_DYNDEV */ |
3133 |
#if 0 |
3134 |
KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT, |
3135 |
"klips_debug:ipsec_tunnel_init_devices: " |
3136 |
"creating and registering %d static devices.\n", |
3137 |
IPSEC_NUM_IF); |
3138 |
#endif |
3139 |
if (register_netdev(&dev_ipsec0) != 0) |
3140 |
return -EIO; |
3141 |
if (register_netdev(&dev_ipsec1) != 0) |
3142 |
return -EIO; |
3143 |
if (register_netdev(&dev_ipsec2) != 0) |
3144 |
return -EIO; |
3145 |
if (register_netdev(&dev_ipsec3) != 0) |
3146 |
return -EIO; |
3147 |
#endif /* CONFIG_IPSEC_DYNDEV */ |
3148 |
|
3149 |
return 0; |
3150 |
} |
3151 |
|
3152 |
/* void */ |
3153 |
int |
3154 |
ipsec_tunnel_cleanup_devices(void) |
3155 |
{ |
3156 |
int error = 0; |
3157 |
#if CONFIG_IPSEC_DYNDEV |
3158 |
int i; |
3159 |
char name[10]; |
3160 |
struct device *dev_ipsec; |
3161 |
|
3162 |
for(i = 0; i < IPSEC_NUM_IF; i++) { |
3163 |
sprintf(name, IPSEC_DEV_FORMAT, i); |
3164 |
if((dev_ipsec = ipsec_dev_get(name)) == NULL) { |
3165 |
break; |
3166 |
} |
3167 |
unregister_netdev(dev_ipsec); |
3168 |
#ifndef NETDEV_23 |
3169 |
kfree(dev_ipsec->name); |
3170 |
dev_ipsec->name=NULL; |
3171 |
#endif /* !NETDEV_23 */ |
3172 |
kfree(dev_ipsec->priv); |
3173 |
dev_ipsec->priv=NULL; |
3174 |
} |
3175 |
#else /* CONFIG_IPSEC_DYNDEV */ |
3176 |
unregister_netdev(&dev_ipsec0); |
3177 |
unregister_netdev(&dev_ipsec1); |
3178 |
unregister_netdev(&dev_ipsec2); |
3179 |
unregister_netdev(&dev_ipsec3); |
3180 |
kfree(dev_ipsec0.priv); |
3181 |
kfree(dev_ipsec1.priv); |
3182 |
kfree(dev_ipsec2.priv); |
3183 |
kfree(dev_ipsec3.priv); |
3184 |
dev_ipsec0.priv=NULL; |
3185 |
dev_ipsec1.priv=NULL; |
3186 |
dev_ipsec2.priv=NULL; |
3187 |
dev_ipsec3.priv=NULL; |
3188 |
#endif /* CONFIG_IPSEC_DYNDEV */ |
3189 |
|
3190 |
return error; |
3191 |
} |
3192 |
|
3193 |
/* |
3194 |
* $Log: ipsec_tunnel.c,v $ |
3195 |
* Revision 1.200.16.1 2003/04/05 14:36:08 mcr |
3196 |
* fix for PR#204. |
3197 |
* |
3198 |
* Revision 1.200 2002/12/06 02:24:02 mcr |
3199 |
* patches for compiling against SUSE 8.1 kernels. Requires |
3200 |
* an additional -DSUSE_LINUX_2_4_19_IS_STUPID. |
3201 |
* |
3202 |
* Revision 1.199 2002/10/12 23:11:53 dhr |
3203 |
* |
3204 |
* [KenB + DHR] more 64-bit cleanup |
3205 |
* |
3206 |
* Revision 1.198 2002/10/05 05:02:58 dhr |
3207 |
* |
3208 |
* C labels go on statements |
3209 |
* |
3210 |
* Revision 1.197 2002/09/20 05:01:50 rgb |
3211 |
* Added compiler directive to switch on IP options and fix IP options bug. |
3212 |
* Make ip->ihl treatment consistent using shifts rather than multiplications. |
3213 |
* Check for large enough packet before accessing udp header for IKE bypass. |
3214 |
* Added memory allocation debugging. |
3215 |
* Fixed potential memory allocation failure-induced oops. |
3216 |
* |
3217 |
* Revision 1.196 2002/07/24 18:44:54 rgb |
3218 |
* Type fiddling to tame ia64 compiler. |
3219 |
* |
3220 |
* Revision 1.195 2002/07/23 03:36:07 rgb |
3221 |
* Fixed 2.2 device initialisation hang. |
3222 |
* |
3223 |
* Revision 1.194 2002/05/27 21:40:34 rgb |
3224 |
* Set unused ipsec devices to ARPHRD_VOID to avoid confusing iproute2. |
3225 |
* Cleaned up intermediate step to dynamic device allocation. |
3226 |
* |
3227 |
* Revision 1.193 2002/05/27 19:31:36 rgb |
3228 |
* Convert to dynamic ipsec device allocation. |
3229 |
* Remove final vistiges of tdb references via IPSEC_KLIPS1_COMPAT. |
3230 |
* |
3231 |
* Revision 1.192 2002/05/23 07:14:28 rgb |
3232 |
* Added refcount code. |
3233 |
* Cleaned up %p variants to 0p%p for test suite cleanup. |
3234 |
* |
3235 |
* Revision 1.191 2002/05/14 02:34:37 rgb |
3236 |
* Change all references to tdb, TDB or Tunnel Descriptor Block to ips, |
3237 |
* ipsec_sa or ipsec_sa. |
3238 |
* |
3239 |
* Revision 1.190 2002/04/24 07:55:32 mcr |
3240 |
* #include patches and Makefiles for post-reorg compilation. |
3241 |
* |
3242 |
* Revision 1.189 2002/04/24 07:36:32 mcr |
3243 |
* Moved from ./klips/net/ipsec/ipsec_tunnel.c,v |
3244 |
* |
3245 |
* Revision 1.188 2002/04/20 00:12:25 rgb |
3246 |
* Added esp IV CBC attack fix, disabled. |
3247 |
* |
3248 |
* Revision 1.187 2002/03/23 19:55:17 rgb |
3249 |
* Fix for 2.2 local IKE fragmentation blackhole. Still won't work if |
3250 |
* iptraf or another pcap app is running. |
3251 |
* |
3252 |
* Revision 1.186 2002/03/19 03:26:22 rgb |
3253 |
* Applied DHR's tunnel patch to streamline IKE/specialSA processing. |
3254 |
* |
3255 |
* Revision 1.185 2002/02/20 04:13:05 rgb |
3256 |
* Send back ICMP_PKT_FILTERED upon %reject. |
3257 |
* |
3258 |
* Revision 1.184 2002/01/29 17:17:56 mcr |
3259 |
* moved include of ipsec_param.h to after include of linux/kernel.h |
3260 |
* otherwise, it seems that some option that is set in ipsec_param.h |
3261 |
* screws up something subtle in the include path to kernel.h, and |
3262 |
* it complains on the snprintf() prototype. |
3263 |
* |
3264 |
* Revision 1.183 2002/01/29 04:00:53 mcr |
3265 |
* more excise of kversions.h header. |
3266 |
* |
3267 |
* Revision 1.182 2002/01/29 02:13:18 mcr |
3268 |
* introduction of ipsec_kversion.h means that include of |
3269 |
* ipsec_param.h must preceed any decisions about what files to |
3270 |
* include to deal with differences in kernel source. |
3271 |
* |
3272 |
* Revision 1.181 2002/01/07 20:00:33 rgb |
3273 |
* Added IKE destination port debugging. |
3274 |
* |
3275 |
* Revision 1.180 2001/12/21 21:49:54 rgb |
3276 |
* Fixed bug as a result of moving IKE bypass above %trap/%hold code. |
3277 |
* |
3278 |
* Revision 1.179 2001/12/19 21:08:14 rgb |
3279 |
* Added transport protocol ports to ipsec_print_ip(). |
3280 |
* Update eroute info for non-SA targets. |
3281 |
* Added obey DF code disabled. |
3282 |
* Fixed formatting bugs in ipsec_tunnel_hard_header(). |
3283 |
* |
3284 |
* Revision 1.178 2001/12/05 09:36:10 rgb |
3285 |
* Moved the UDP/500 IKE check just above the %hold/%trap checks to avoid |
3286 |
* IKE packets being stolen by the %hold (and returned to the sending KMd |
3287 |
* in an ACQUIRE, ironically ;-). |
3288 |
* |
3289 |
* Revision 1.177 2001/11/26 09:23:50 rgb |
3290 |
* Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. |
3291 |
* |
3292 |
* Revision 1.170.2.1 2001/09/25 02:28:27 mcr |
3293 |
* struct tdb -> struct ipsec_sa. |
3294 |
* lifetime checks moved to common routines. |
3295 |
* cleaned up includes. |
3296 |
* |
3297 |
* Revision 1.170.2.2 2001/10/22 21:08:01 mcr |
3298 |
* include des.h, removed phony prototypes and fixed calling |
3299 |
* conventions to match real prototypes. |
3300 |
* |
3301 |
* Revision 1.176 2001/11/09 18:32:31 rgb |
3302 |
* Added Hans Schultz' fragmented UDP/500 IKE socket port selector. |
3303 |
* |
3304 |
* Revision 1.175 2001/11/06 20:47:00 rgb |
3305 |
* Added Eric Espie's TRAPSUBNET fix, minus spin-lock-bh dabbling. |
3306 |
* |
3307 |
* Revision 1.174 2001/11/06 19:50:43 rgb |
3308 |
* Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for |
3309 |
* use also by pfkey_v2_parser.c |
3310 |
* |
3311 |
* Revision 1.173 2001/10/29 21:53:44 henry |
3312 |
* tone down the device-down message slightly, until we can make it smarter |
3313 |
* |
3314 |
* Revision 1.172 2001/10/26 04:59:37 rgb |
3315 |
* Added a critical level syslog message if an ipsec device goes down. |
3316 |
* |
3317 |
* Revision 1.171 2001/10/18 04:45:21 rgb |
3318 |
* 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h, |
3319 |
* lib/freeswan.h version macros moved to lib/kversions.h. |
3320 |
* Other compiler directive cleanups. |
3321 |
* |
3322 |
* Revision 1.170 2001/09/25 00:09:50 rgb |
3323 |
* Added NetCelo's TRAPSUBNET code to convert a new type TRAPSUBNET into a |
3324 |
* HOLD. |
3325 |
* |
3326 |
* Revision 1.169 2001/09/15 16:24:05 rgb |
3327 |
* Re-inject first and last HOLD packet when an eroute REPLACE is done. |
3328 |
* |
3329 |
* Revision 1.168 2001/09/14 16:58:37 rgb |
3330 |
* Added support for storing the first and last packets through a HOLD. |
3331 |
* |
3332 |
* Revision 1.167 2001/09/08 21:13:33 rgb |
3333 |
* Added pfkey ident extension support for ISAKMPd. (NetCelo) |
3334 |
* |
3335 |
* Revision 1.166 2001/08/27 19:47:59 rgb |
3336 |
* Clear tdb before usage. |
3337 |
* Added comment: clear IF before calling routing? |
3338 |
* |
3339 |
* Revision 1.165 2001/07/03 01:23:53 rgb |
3340 |
* Send back ICMP iff DF set, !ICMP, offset==0, sysctl_icmp, iph->tot_len > |
3341 |
* emtu, and don't drop. |
3342 |
* |
3343 |
* Revision 1.164 2001/06/14 19:35:10 rgb |
3344 |
* Update copyright date. |
3345 |
* |
3346 |
* Revision 1.163 2001/06/06 20:28:51 rgb |
3347 |
* Added sanity checks for NULL skbs and devices. |
3348 |
* Added more debugging output to various functions. |
3349 |
* Removed redundant dev->priv argument to ipsec_tunnel_{at,de}tach(). |
3350 |
* Renamed ipsec_tunnel_attach() virtual and physical device arguments. |
3351 |
* Corrected neigh_setup() device function assignment. |
3352 |
* Keep valid pointers to ipsec_tunnel_*() on detach. |
3353 |
* Set dev->type to the originally-initiallised value. |
3354 |
* |
3355 |
* Revision 1.162 2001/06/01 07:28:04 rgb |
3356 |
* Added sanity checks for detached devices. Don't down virtual devices |
3357 |
* to prevent packets going out in the clear if the detached device comes |
3358 |
* back up. |
3359 |
* |
3360 |
* Revision 1.161 2001/05/30 08:14:52 rgb |
3361 |
* Removed vestiges of esp-null transforms. |
3362 |
* NetDev Notifier instrumentation to track down disappearing devices. |
3363 |
* |
3364 |
* Revision 1.160 2001/05/29 05:15:12 rgb |
3365 |
* Added SS' PMTU patch which notifies sender if packet doesn't fit |
3366 |
* physical MTU (if it wasn't ICMP) and then drops it. |
3367 |
* |
3368 |
* Revision 1.159 2001/05/27 06:12:12 rgb |
3369 |
* Added structures for pid, packet count and last access time to eroute. |
3370 |
* Added packet count to beginning of /proc/net/ipsec_eroute. |
3371 |
* |
3372 |
* Revision 1.158 2001/05/24 05:39:33 rgb |
3373 |
* Applied source zeroing to 2.2 ip_route_output() call as well to enable |
3374 |
* PASS eroutes for opportunism. |
3375 |
* |
3376 |
* Revision 1.157 2001/05/23 22:35:28 rgb |
3377 |
* 2.4 source override simplification. |
3378 |
* |
3379 |
* Revision 1.156 2001/05/23 21:41:31 rgb |
3380 |
* Added error return code printing on ip_route_output(). |
3381 |
* |
3382 |
* Revision 1.155 2001/05/23 05:09:13 rgb |
3383 |
* Fixed incorrect ip_route_output() failure message. |
3384 |
* |
3385 |
* Revision 1.154 2001/05/21 14:53:31 rgb |
3386 |
* Added debug statement for case when ip_route_output() fails, causing |
3387 |
* packet to be dropped, but log looked ok. |
3388 |
* |
3389 |
* Revision 1.153 2001/05/19 02:37:54 rgb |
3390 |
* Fixed missing comment termination. |
3391 |
* |
3392 |
* Revision 1.152 2001/05/19 02:35:50 rgb |
3393 |
* Debug code optimisation for non-debug speed. |
3394 |
* Kernel version compiler define comments. |
3395 |
* 2.2 and 2.4 kernel ip_send device and ip debug output added. |
3396 |
* |
3397 |
* Revision 1.151 2001/05/18 16:17:35 rgb |
3398 |
* Changed reference from "magic" to "shunt" SAs. |
3399 |
* |
3400 |
* Revision 1.150 2001/05/18 16:12:19 rgb |
3401 |
* Changed UDP/500 bypass test from 3 nested ifs to one anded if. |
3402 |
* |
3403 |
* Revision 1.149 2001/05/16 04:39:33 rgb |
3404 |
* Add default == eroute.dest to IKE bypass conditions for magic eroutes. |
3405 |
* |
3406 |
* Revision 1.148 2001/05/05 03:31:41 rgb |
3407 |
* IP frag debugging updates and enhancements. |
3408 |
* |
3409 |
* Revision 1.147 2001/05/03 19:41:40 rgb |
3410 |
* Added SS' skb_cow fix for 2.4.4. |
3411 |
* |
3412 |
* Revision 1.146 2001/04/30 19:28:16 rgb |
3413 |
* Update for 2.4.4. ip_select_ident() now has 3 args. |
3414 |
* |
3415 |
* Revision 1.145 2001/04/23 14:56:10 rgb |
3416 |
* Added spin_lock() check to prevent double-locking for multiple |
3417 |
* transforms and hence kernel lock-ups with SMP kernels. |
3418 |
* |
3419 |
* Revision 1.144 2001/04/21 23:04:45 rgb |
3420 |
* Define out skb->used for 2.4 kernels. |
3421 |
* Check if soft expire has already been sent before sending another to |
3422 |
* prevent ACQUIRE flooding. |
3423 |
* |
3424 |
* Revision 1.143 2001/03/16 07:37:21 rgb |
3425 |
* Added comments to all #endifs. |
3426 |
* |
3427 |
* Revision 1.142 2001/02/28 05:03:27 rgb |
3428 |
* Clean up and rationalise startup messages. |
3429 |
* |
3430 |
* Revision 1.141 2001/02/27 22:24:54 rgb |
3431 |
* Re-formatting debug output (line-splitting, joining, 1arg/line). |
3432 |
* Check for satoa() return codes. |
3433 |
* |
3434 |
* Revision 1.140 2001/02/27 06:40:12 rgb |
3435 |
* Fixed TRAP->HOLD eroute byte order. |
3436 |
* |
3437 |
* Revision 1.139 2001/02/26 20:38:59 rgb |
3438 |
* Added compiler defines for 2.4.x-specific code. |
3439 |
* |
3440 |
* Revision 1.138 2001/02/26 19:57:27 rgb |
3441 |
* Implement magic SAs %drop, %reject, %trap, %hold, %pass as part |
3442 |
* of the new SPD and to support opportunistic. |
3443 |
* Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs. |
3444 |
* |
3445 |
* Revision 1.137 2001/02/19 22:29:49 rgb |
3446 |
* Fixes for presence of active ipv6 segments which share ipsec physical |
3447 |
* device (gg). |
3448 |
* |
3449 |
* Revision 1.136 2001/01/29 22:30:38 rgb |
3450 |
* Fixed minor acquire debug printing bug. |
3451 |
* |
3452 |
* Revision 1.135 2001/01/29 22:19:45 rgb |
3453 |
* Zero source address for 2.4 bypass route lookup. |
3454 |
* |
3455 |
* Revision 1.134 2001/01/23 20:19:49 rgb |
3456 |
* 2.4 fix to remove removed is_clone member. |
3457 |
* |
3458 |
* Revision 1.133 2000/12/09 22:08:35 rgb |
3459 |
* Fix NET_23 bug, should be NETDEV_23. |
3460 |
* |
3461 |
* Revision 1.132 2000/12/01 06:54:50 rgb |
3462 |
* Fix for new 2.4 IP TTL default variable name. |
3463 |
* |
3464 |
* Revision 1.131 2000/11/09 20:52:15 rgb |
3465 |
* More spinlock shuffling, locking earlier and unlocking later in rcv to |
3466 |
* include ipcomp and prevent races, renaming some tdb variables that got |
3467 |
* forgotten, moving some unlocks to include tdbs and adding a missing |
3468 |
* unlock. Thanks to Svenning for some of these. |
3469 |
* |
3470 |
* Revision 1.130 2000/11/09 20:11:22 rgb |
3471 |
* Minor shuffles to fix non-standard kernel config option selection. |
3472 |
* |
3473 |
* Revision 1.129 2000/11/06 04:32:49 rgb |
3474 |
* Clean up debug printing. |
3475 |
* Copy skb->protocol for all kernel versions. |
3476 |
* Ditched spin_lock_irqsave in favour of spin_lock. |
3477 |
* Disabled TTL decrement, done in ip_forward. |
3478 |
* Added debug printing before pfkey_acquire(). |
3479 |
* Fixed printk-deltdbchain-spin_lock races (Svenning). |
3480 |
* Use defaultTTL for 2.1+ kernels. |
3481 |
* Add Svenning's adaptive content compression. |
3482 |
* Fix up debug display arguments. |
3483 |
* |
3484 |
* Revision 1.128 2000/09/28 00:58:57 rgb |
3485 |
* Moved the IKE passthrough check after the eroute lookup so we can pass |
3486 |
* IKE through intermediate tunnels. |
3487 |
* |
3488 |
* Revision 1.127 2000/09/22 17:52:11 rgb |
3489 |
* Fixed misleading ipcomp debug output. |
3490 |
* |
3491 |
* Revision 1.126 2000/09/22 04:22:56 rgb |
3492 |
* Fixed dumb spi->cpi conversion error. |
3493 |
* |
3494 |
* Revision 1.125 2000/09/21 04:34:48 rgb |
3495 |
* A few debug-specific things should be hidden under |
3496 |
* CONFIG_IPSEC_DEBUG.(MB) |
3497 |
* Improved ip_send() error handling.(MB) |
3498 |
* |
3499 |
* Revision 1.124 2000/09/21 03:40:58 rgb |
3500 |
* Added more debugging to try and track down the cpi outward copy problem. |
3501 |
* |
3502 |
* Revision 1.123 2000/09/19 07:08:49 rgb |
3503 |
* Added debugging to outgoing compression report. |
3504 |
* |
3505 |
* Revision 1.122 2000/09/18 19:21:26 henry |
3506 |
* RGB-supplied fix for RH5.2 problem |
3507 |
* |
3508 |
* Revision 1.121 2000/09/17 21:05:09 rgb |
3509 |
* Added tdb to skb_compress call to write in cpi. |
3510 |
* |
3511 |
* Revision 1.120 2000/09/17 16:57:16 rgb |
3512 |
* Added Svenning's patch to remove restriction of ipcomp to innermost |
3513 |
* transform. |
3514 |
* |
3515 |
* Revision 1.119 2000/09/15 11:37:01 rgb |
3516 |
* Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk> |
3517 |
* IPCOMP zlib deflate code. |
3518 |
* |
3519 |
* Revision 1.118 2000/09/15 04:57:16 rgb |
3520 |
* Moved debug output after sanity check. |
3521 |
* Added tos copy sysctl. |
3522 |
* |
3523 |
* Revision 1.117 2000/09/12 03:22:51 rgb |
3524 |
* Converted ipsec_icmp, no_eroute_pass, opportunistic and #if0 debugs to |
3525 |
* sysctl. |
3526 |
* |
3527 |
* Revision 1.116 2000/09/08 19:18:19 rgb |
3528 |
* Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG. |
3529 |
* Added outgoing opportunistic hook, ifdef'ed out. |
3530 |
* |
3531 |
* Revision 1.115 2000/08/30 05:27:29 rgb |
3532 |
* Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst. |
3533 |
* Kill remainder of tdb_xform, tdb_xdata, xformsw. |
3534 |
* |
3535 |
* Revision 1.114 2000/08/28 18:15:46 rgb |
3536 |
* Added MB's nf-debug reset patch. |
3537 |
* |
3538 |
* Revision 1.113 2000/08/27 02:26:40 rgb |
3539 |
* Send all no-eroute-bypass, pluto-bypass and passthrough packets through |
3540 |
* fragmentation machinery for 2.0, 2.2 and 2.4 kernels. |
3541 |
* |
3542 |
* Revision 1.112 2000/08/20 21:37:33 rgb |
3543 |
* Activated pfkey_expire() calls. |
3544 |
* Added a hard/soft expiry parameter to pfkey_expire(). (Momchil) |
3545 |
* Re-arranged the order of soft and hard expiry to conform to RFC2367. |
3546 |
* Clean up references to CONFIG_IPSEC_PFKEYv2. |
3547 |
* |
3548 |
* Revision 1.111 2000/08/01 14:51:51 rgb |
3549 |
* Removed _all_ remaining traces of DES. |
3550 |
* |
3551 |
* Revision 1.110 2000/07/28 14:58:31 rgb |
3552 |
* Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5. |
3553 |
* |
3554 |
* Revision 1.109 2000/07/28 13:50:54 rgb |
3555 |
* Changed enet_statistics to net_device_stats and added back compatibility |
3556 |
* for pre-2.1.19. |
3557 |
* |
3558 |
* Revision 1.108 2000/05/16 03:03:11 rgb |
3559 |
* Updates for 2.3.99pre8 from MB. |
3560 |
* |
3561 |
* Revision 1.107 2000/05/10 23:08:21 rgb |
3562 |
* Print a debug warning about bogus packets received by the outgoing |
3563 |
* processing machinery only when klipsdebug is not set to none. |
3564 |
* Comment out the device initialisation informational messages. |
3565 |
* |
3566 |
* Revision 1.106 2000/05/10 19:17:14 rgb |
3567 |
* Define an IP_SEND macro, intending to have all packet passthroughs |
3568 |
* use fragmentation. This didn't quite work, but is a step in the |
3569 |
* right direction. |
3570 |
* Added buffer allocation debugging statements. |
3571 |
* Added configure option to shut off no eroute passthrough. |
3572 |
* Only check usetime against soft and hard limits if the tdb has been |
3573 |
* used. |
3574 |
* Cast output of ntohl so that the broken prototype doesn't make our |
3575 |
* compile noisy. |
3576 |
* |
3577 |
* Revision 1.105 2000/03/22 16:15:37 rgb |
3578 |
* Fixed renaming of dev_get (MB). |
3579 |
* |
3580 |
* Revision 1.104 2000/03/16 14:04:15 rgb |
3581 |
* Indented headers for readability. |
3582 |
* Fixed debug scope to enable compilation with debug off. |
3583 |
* Added macros for ip_chk_addr and IS_MYADDR for identifying self. |
3584 |
* |
3585 |
* Revision 1.103 2000/03/16 07:11:07 rgb |
3586 |
* Hardcode PF_KEYv2 support. |
3587 |
* Fixed bug which allowed UDP/500 packet from another machine |
3588 |
* through in the clear. |
3589 |
* Added disabled skb->protocol fix for ISDN/ASYNC PPP from Matjaz Godec. |
3590 |
* |
3591 |
* Revision 1.102 2000/03/14 12:26:59 rgb |
3592 |
* Added skb->nfct support for clearing netfilter conntrack bits (MB). |
3593 |
* |
3594 |
* Revision 1.101 2000/02/14 21:05:22 rgb |
3595 |
* Added MB's netif_queue fix for kernels 2.3.43+. |
3596 |
* |
3597 |
* Revision 1.100 2000/01/26 10:04:57 rgb |
3598 |
* Fixed noisy 2.0 printk arguments. |
3599 |
* |
3600 |
* Revision 1.99 2000/01/21 06:16:25 rgb |
3601 |
* Added sanity checks on skb_push(), skb_pull() to prevent panics. |
3602 |
* Switched to AF_ENCAP macro. |
3603 |
* Shortened debug output per packet and re-arranging debug_tunnel |
3604 |
* bitmap flags, while retaining necessary information to avoid |
3605 |
* trampling the kernel print ring buffer. |
3606 |
* Reformatted recursion switch code. |
3607 |
* Changed all references to tdb_proto to tdb_said.proto for clarity. |
3608 |
* |
3609 |
* Revision 1.98 2000/01/13 08:09:31 rgb |
3610 |
* Shuffled debug_tunnel switches to focus output. |
3611 |
* Fixed outgoing recursion bug, limiting to recursing only if the remote |
3612 |
* SG changes and if it is valid, ie. not passthrough. |
3613 |
* Clarified a number of debug messages. |
3614 |
* |
3615 |
* Revision 1.97 2000/01/10 16:37:16 rgb |
3616 |
* MB support for new ip_select_ident() upon disappearance of |
3617 |
* ip_id_count in 2.3.36+. |
3618 |
* |
3619 |
* Revision 1.96 1999/12/31 14:59:08 rgb |
3620 |
* MB fix to use new skb_copy_expand in kernel 2.3.35. |
3621 |
* |
3622 |
* Revision 1.95 1999/12/29 21:15:44 rgb |
3623 |
* Fix tncfg to aliased device bug. |
3624 |
* |
3625 |
* Revision 1.94 1999/12/22 04:26:06 rgb |
3626 |
* Converted all 'static' functions to 'DEBUG_NO_STATIC' to enable |
3627 |
* debugging by providing external labels to all functions with debugging |
3628 |
* turned on. |
3629 |
* |
3630 |
* Revision 1.93 1999/12/13 13:30:14 rgb |
3631 |
* Changed MTU reports and HW address reporting back to debug only. |
3632 |
* |
3633 |
* Revision 1.92 1999/12/07 18:57:56 rgb |
3634 |
* Fix PFKEY symbol compile error (SADB_*) without pfkey enabled. |
3635 |
* |
3636 |
* Revision 1.91 1999/12/01 22:15:36 rgb |
3637 |
* Add checks for LARVAL and DEAD SAs. |
3638 |
* Change state of SA from MATURE to DYING when a soft lifetime is |
3639 |
* reached and print debug warning. |
3640 |
* |
3641 |
* Revision 1.90 1999/11/23 23:04:04 rgb |
3642 |
* Use provided macro ADDRTOA_BUF instead of hardcoded value. |
3643 |
* Sort out pfkey and freeswan headers, putting them in a library path. |
3644 |
* |
3645 |
* Revision 1.89 1999/11/18 18:50:59 rgb |
3646 |
* Changed all device registrations for static linking to |
3647 |
* dynamic to reduce the number and size of patches. |
3648 |
* |
3649 |
* Revision 1.88 1999/11/18 04:09:19 rgb |
3650 |
* Replaced all kernel version macros to shorter, readable form. |
3651 |
* |
3652 |
* Revision 1.87 1999/11/17 15:53:40 rgb |
3653 |
* Changed all occurrences of #include "../../../lib/freeswan.h" |
3654 |
* to #include <freeswan.h> which works due to -Ilibfreeswan in the |
3655 |
* klips/net/ipsec/Makefile. |
3656 |
* |
3657 |
* Revision 1.86 1999/10/16 18:25:37 rgb |
3658 |
* Moved SA lifetime expiry checks before packet processing. |
3659 |
* Expire SA on replay counter rollover. |
3660 |
* |
3661 |
* Revision 1.85 1999/10/16 04:24:31 rgb |
3662 |
* Add stats for time since last packet. |
3663 |
* |
3664 |
* Revision 1.84 1999/10/16 00:30:47 rgb |
3665 |
* Added SA lifetime counting. |
3666 |
* |
3667 |
* Revision 1.83 1999/10/15 22:15:57 rgb |
3668 |
* Clean out cruft. |
3669 |
* Add debugging. |
3670 |
* |
3671 |
* Revision 1.82 1999/10/08 18:26:19 rgb |
3672 |
* Fix 2.0.3x outgoing fragmented packet memory leak. |
3673 |
* |
3674 |
* Revision 1.81 1999/10/05 02:38:54 rgb |
3675 |
* Lower the default mtu of virtual devices to 16260. |
3676 |
* |
3677 |
* Revision 1.80 1999/10/03 18:56:41 rgb |
3678 |
* Spinlock support for 2.3.xx. |
3679 |
* Don't forget to undo spinlocks on error! |
3680 |
* Check for valid eroute before copying the structure. |
3681 |
* |
3682 |
* Revision 1.79 1999/10/01 15:44:53 rgb |
3683 |
* Move spinlock header include to 2.1> scope. |
3684 |
* |
3685 |
* Revision 1.78 1999/10/01 00:02:43 rgb |
3686 |
* Added tdb structure locking. |
3687 |
* Added eroute structure locking. |
3688 |
* |
3689 |
* Revision 1.77 1999/09/30 02:52:29 rgb |
3690 |
* Add Marc Boucher's Copy-On-Write code (same as ipsec_rcv.c). |
3691 |
* |
3692 |
* Revision 1.76 1999/09/25 19:31:27 rgb |
3693 |
* Refine MSS hack to affect SYN, but not SYN+ACK packets. |
3694 |
* |
3695 |
* Revision 1.75 1999/09/24 22:52:38 rgb |
3696 |
* Fix two things broken in 2.0.38 by trying to fix network notifiers. |
3697 |
* |
3698 |
* Revision 1.74 1999/09/24 00:30:37 rgb |
3699 |
* Add test for changed source as well as destination to check for |
3700 |
* recursion. |
3701 |
* |
3702 |
* Revision 1.73 1999/09/23 20:52:24 rgb |
3703 |
* Add James Morris' MSS hack patch, disabled. |
3704 |
* |
3705 |
* Revision 1.72 1999/09/23 20:22:40 rgb |
3706 |
* Enable, tidy and fix network notifier code. |
3707 |
* |
3708 |
* Revision 1.71 1999/09/23 18:09:05 rgb |
3709 |
* Clean up 2.2.x fragmenting traces. |
3710 |
* Disable dev->type switching, forcing ARPHRD_TUNNEL. |
3711 |
* |
3712 |
* Revision 1.70 1999/09/22 14:14:24 rgb |
3713 |
* Add sanity checks for revectored calls to prevent calling a downed I/F. |
3714 |
* |
3715 |
* Revision 1.69 1999/09/21 15:00:57 rgb |
3716 |
* Add Marc Boucher's packet size check. |
3717 |
* Flesh out network device notifier code. |
3718 |
* |
3719 |
* Revision 1.68 1999/09/18 11:39:57 rgb |
3720 |
* Start to add (disabled) netdevice notifier code. |
3721 |
* |
3722 |
* Revision 1.67 1999/09/17 23:44:40 rgb |
3723 |
* Add a comment warning potential code hackers to stay away from mac.raw. |
3724 |
* |
3725 |
* Revision 1.66 1999/09/17 18:04:02 rgb |
3726 |
* Add fix for unpredictable hard_header_len for ISDN folks (thanks MB). |
3727 |
* Ditch TTL decrement in 2.2 (MB). |
3728 |
* |
3729 |
* Revision 1.65 1999/09/15 23:15:35 henry |
3730 |
* Marc Boucher's PPP fixes |
3731 |
* |
3732 |
* Revision 1.64 1999/09/07 13:40:53 rgb |
3733 |
* Ditch unreliable references to skb->mac.raw. |
3734 |
* |
3735 |
* Revision 1.63 1999/08/28 11:33:09 rgb |
3736 |
* Check for null skb->mac pointer. |
3737 |
* |
3738 |
* Revision 1.62 1999/08/28 02:02:30 rgb |
3739 |
* Add Marc Boucher's fix for properly dealing with skb->sk. |
3740 |
* |
3741 |
* Revision 1.61 1999/08/27 05:23:05 rgb |
3742 |
* Clean up skb->data/raw/nh/h manipulation. |
3743 |
* Add Marc Boucher's mods to aid tcpdump. |
3744 |
* Add sanity checks to skb->raw/nh/h pointer copies in skb_copy_expand. |
3745 |
* Re-order hard_header stripping -- might be able to remove it... |
3746 |
* |
3747 |
* Revision 1.60 1999/08/26 20:01:02 rgb |
3748 |
* Tidy up compiler directives and macros. |
3749 |
* Re-enable ICMP for tunnels where inner_dst != outer_dst. |
3750 |
* Remove unnecessary skb->dev = physdev assignment affecting 2.2.x. |
3751 |
* |
3752 |
* Revision 1.59 1999/08/25 15:44:41 rgb |
3753 |
* Clean up from 2.2.x instrumenting for compilation under 2.0.36. |
3754 |
* |
3755 |
* Revision 1.58 1999/08/25 15:00:54 rgb |
3756 |
* Add dst cache code for 2.2.xx. |
3757 |
* Add sanity check for skb packet header pointers. |
3758 |
* Add/modify debugging instrumentation to *_start_xmit, *_hard_header and |
3759 |
* *_rebuild_header. |
3760 |
* Add neigh_* cache code. |
3761 |
* Change dev->type back to ARPHRD_TUNNEL. |
3762 |
* |
3763 |
* Revision 1.57 1999/08/17 21:50:23 rgb |
3764 |
* Fixed minor debug output bugs. |
3765 |
* Regrouped error recovery exit code. |
3766 |
* Added compiler directives to remove unwanted code and symbols. |
3767 |
* Shut off ICMP messages: to be refined to only send ICMP to remote systems. |
3768 |
* Add debugging code for output function addresses. |
3769 |
* Fix minor bug in (possibly unused) header_cache_bind function. |
3770 |
* Add device neighbour caching code. |
3771 |
* Change dev->type from ARPHRD_TUNNEL to physdev->type. |
3772 |
* |
3773 |
* Revision 1.56 1999/08/03 17:22:56 rgb |
3774 |
* Debug output clarification using KERN_* macros. Other inactive changes |
3775 |
* added. |
3776 |
* |
3777 |
* Revision 1.55 1999/08/03 16:58:46 rgb |
3778 |
* Fix skb_copy_expand size bug. Was getting incorrect size. |
3779 |
* |
3780 |
* Revision 1.54 1999/07/14 19:32:38 rgb |
3781 |
* Fix oversize packet crash and ssh stalling in 2.2.x kernels. |
3782 |
* |
3783 |
* Revision 1.53 1999/06/10 15:44:02 rgb |
3784 |
* Minor reformatting and clean-up. |
3785 |
* |
3786 |
* Revision 1.52 1999/05/09 03:25:36 rgb |
3787 |
* Fix bug introduced by 2.2 quick-and-dirty patch. |
3788 |
* |
3789 |
* Revision 1.51 1999/05/08 21:24:59 rgb |
3790 |
* Add casting to silence the 2.2.x compile. |
3791 |
* |
3792 |
* Revision 1.50 1999/05/05 22:02:32 rgb |
3793 |
* Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>. |
3794 |
* |
3795 |
* Revision 1.49 1999/04/29 15:18:52 rgb |
3796 |
* Change gettdb parameter to a pointer to reduce stack loading and |
3797 |
* facilitate parameter sanity checking. |
3798 |
* Fix undetected bug that might have tried to access a null pointer. |
3799 |
* Eliminate unnessessary usage of tdb_xform member to further switch |
3800 |
* away from the transform switch to the algorithm switch. |
3801 |
* Add return values to init and cleanup functions. |
3802 |
* |
3803 |
* Revision 1.48 1999/04/16 15:38:00 rgb |
3804 |
* Minor rearrangement of freeing code to avoid memory leaks with impossible or |
3805 |
* rare situations. |
3806 |
* |
3807 |
* Revision 1.47 1999/04/15 15:37:25 rgb |
3808 |
* Forward check changes from POST1_00 branch. |
3809 |
* |
3810 |
* Revision 1.32.2.4 1999/04/13 21:00:18 rgb |
3811 |
* Ditch 'things I wish I had known before...'. |
3812 |
* |
3813 |
* Revision 1.32.2.3 1999/04/13 20:34:38 rgb |
3814 |
* Free skb after fragmentation. |
3815 |
* Use stats more effectively. |
3816 |
* Add I/F to mtu notch-down reporting. |
3817 |
* |
3818 |
* Revision 1.32.2.2 1999/04/02 04:26:14 rgb |
3819 |
* Backcheck from HEAD, pre1.0. |
3820 |
* |
3821 |
* Revision 1.46 1999/04/11 00:29:00 henry |
3822 |
* GPL boilerplate |
3823 |
* |
3824 |
* Revision 1.45 1999/04/07 15:42:01 rgb |
3825 |
* Fix mtu/ping bug AGAIN! |
3826 |
* |
3827 |
* Revision 1.44 1999/04/06 04:54:27 rgb |
3828 |
* Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes |
3829 |
* patch shell fixes. |
3830 |
* |
3831 |
* Revision 1.43 1999/04/04 03:57:07 rgb |
3832 |
* ip_fragment() doesn't free the supplied skb. Freed. |
3833 |
* |
3834 |
* Revision 1.42 1999/04/01 23:27:15 rgb |
3835 |
* Preload size of virtual mtu. |
3836 |
* |
3837 |
* Revision 1.41 1999/04/01 09:31:23 rgb |
3838 |
* Invert meaning of ICMP PMTUD config option and clarify. |
3839 |
* Code clean-up. |
3840 |
* |
3841 |
* Revision 1.40 1999/04/01 04:37:17 rgb |
3842 |
* SSH stalling bug fix. |
3843 |
* |
3844 |
* Revision 1.39 1999/03/31 23:44:28 rgb |
3845 |
* Don't send ICMP on DF and frag_off. |
3846 |
* |
3847 |
* Revision 1.38 1999/03/31 15:20:10 rgb |
3848 |
* Quiet down debugging. |
3849 |
* |
3850 |
* Revision 1.37 1999/03/31 08:30:31 rgb |
3851 |
* Add switch to shut off ICMP PMTUD packets. |
3852 |
* |
3853 |
* Revision 1.36 1999/03/31 05:44:47 rgb |
3854 |
* Keep PMTU reduction private. |
3855 |
* |
3856 |
* Revision 1.35 1999/03/27 15:13:02 rgb |
3857 |
* PMTU/fragmentation bug fix. |
3858 |
* |
3859 |
* Revision 1.34 1999/03/17 21:19:26 rgb |
3860 |
* Fix kmalloc nonatomic bug. |
3861 |
* |
3862 |
* Revision 1.33 1999/03/17 15:38:42 rgb |
3863 |
* Code clean-up. |
3864 |
* ESP_NULL IV bug fix. |
3865 |
* |
3866 |
* Revision 1.32 1999/03/01 20:44:25 rgb |
3867 |
* Code clean-up. |
3868 |
* Memory leak bug fix. |
3869 |
* |
3870 |
* Revision 1.31 1999/02/27 00:02:09 rgb |
3871 |
* Tune to report the MTU reduction once, rather than after every recursion |
3872 |
* through the encapsulating code, preventing tcp stream stalling. |
3873 |
* |
3874 |
* Revision 1.30 1999/02/24 20:21:01 rgb |
3875 |
* Reformat debug printk's. |
3876 |
* Fix recursive encapsulation, dynamic MTU bugs and add debugging code. |
3877 |
* Clean-up. |
3878 |
* |
3879 |
* Revision 1.29 1999/02/22 17:08:14 rgb |
3880 |
* Fix recursive encapsulation code. |
3881 |
* |
3882 |
* Revision 1.28 1999/02/19 18:27:02 rgb |
3883 |
* Improve DF, fragmentation and PMTU behaviour and add dynamic MTU discovery. |
3884 |
* |
3885 |
* Revision 1.27 1999/02/17 16:51:37 rgb |
3886 |
* Clean out unused cruft. |
3887 |
* Temporarily tone down volume of debug output. |
3888 |
* Temporarily shut off fragment rejection. |
3889 |
* Disabled temporary failed recursive encapsulation loop. |
3890 |
* |
3891 |
* Revision 1.26 1999/02/12 21:21:26 rgb |
3892 |
* Move KLIPS_PRINT to ipsec_netlink.h for accessibility. |
3893 |
* |
3894 |
* Revision 1.25 1999/02/11 19:38:27 rgb |
3895 |
* More clean-up. |
3896 |
* Add sanity checking for skb_copy_expand() to prevent kernel panics on |
3897 |
* skb_put() values out of range. |
3898 |
* Fix head/tailroom calculation causing skb_put() out-of-range values. |
3899 |
* Fix return values to prevent 'nonatomic alloc_skb' warnings. |
3900 |
* Allocate new skb iff needed. |
3901 |
* Added more debug statements. |
3902 |
* Make headroom depend on structure, not hard-coded values. |
3903 |
* |
3904 |
* Revision 1.24 1999/02/10 23:20:33 rgb |
3905 |
* Shut up annoying 'statement has no effect' compiler warnings with |
3906 |
* debugging compiled out. |
3907 |
* |
3908 |
* Revision 1.23 1999/02/10 22:36:30 rgb |
3909 |
* Clean-up obsolete, unused and messy code. |
3910 |
* Converted most IPSEC_DEBUG statements to KLIPS_PRINT macros. |
3911 |
* Rename ipsec_tunnel_do_xmit to ipsec_tunnel_start_xmit and eliminated |
3912 |
* original ipsec_tunnel_start_xmit. |
3913 |
* Send all packet with different inner and outer destinations directly to |
3914 |
* the attached physical device, rather than back through ip_forward, |
3915 |
* preventing disappearing routes problems. |
3916 |
* Do sanity checking before investing too much CPU in allocating new |
3917 |
* structures. |
3918 |
* Fail on IP header options: We cannot process them yet. |
3919 |
* Add some helpful comments. |
3920 |
* Use virtual device for parameters instead of physical device. |
3921 |
* |
3922 |
* Revision 1.22 1999/02/10 03:03:02 rgb |
3923 |
* Duh. Fixed the TTL bug: forgot to update the checksum. |
3924 |
* |
3925 |
* Revision 1.21 1999/02/09 23:17:53 rgb |
3926 |
* Add structure members to ipsec_print_ip debug function. |
3927 |
* Temporarily fix TTL bug preventing tunnel mode from functioning. |
3928 |
* |
3929 |
* Revision 1.20 1999/02/09 00:14:25 rgb |
3930 |
* Add KLIPSPRINT macro. (Not used yet, though.) |
3931 |
* Delete old ip_tunnel code (BADCODE). |
3932 |
* Decrement TTL in outgoing packet. |
3933 |
* Set TTL on new IPIP_TUNNEL to default, not existing packet TTL. |
3934 |
* Delete ethernet only feature and fix hard-coded hard_header_len. |
3935 |
* |
3936 |
* Revision 1.19 1999/01/29 17:56:22 rgb |
3937 |
* 64-bit re-fix submitted by Peter Onion. |
3938 |
* |
3939 |
* Revision 1.18 1999/01/28 22:43:24 rgb |
3940 |
* Fixed bug in ipsec_print_ip that caused an OOPS, found by P.Onion. |
3941 |
* |
3942 |
* Revision 1.17 1999/01/26 02:08:16 rgb |
3943 |
* Removed CONFIG_IPSEC_ALGO_SWITCH macro. |
3944 |
* Removed dead code. |
3945 |
* |
3946 |
* Revision 1.16 1999/01/22 06:25:26 rgb |
3947 |
* Cruft clean-out. |
3948 |
* Added algorithm switch code. |
3949 |
* 64-bit clean-up. |
3950 |
* Passthrough on IPIP protocol, spi 0x0 fix. |
3951 |
* Enhanced debugging. |
3952 |
* |
3953 |
* Revision 1.15 1998/12/01 13:22:04 rgb |
3954 |
* Added support for debug printing of version info. |
3955 |
* |
3956 |
* Revision 1.14 1998/11/30 13:22:55 rgb |
3957 |
* Rationalised all the klips kernel file headers. They are much shorter |
3958 |
* now and won't conflict under RH5.2. |
3959 |
* |
3960 |
* Revision 1.13 1998/11/17 21:13:52 rgb |
3961 |
* Put IKE port bypass debug output in user-switched debug statements. |
3962 |
* |
3963 |
* Revision 1.12 1998/11/13 13:20:25 rgb |
3964 |
* Fixed ntohs bug in udp/500 hole for IKE. |
3965 |
* |
3966 |
* Revision 1.11 1998/11/10 08:01:19 rgb |
3967 |
* Kill tcp/500 hole, keep udp/500 hole. |
3968 |
* |
3969 |
* Revision 1.10 1998/11/09 21:29:26 rgb |
3970 |
* If no eroute is found, discard packet and incr. tx_error. |
3971 |
* |
3972 |
* Revision 1.9 1998/10/31 06:50:00 rgb |
3973 |
* Add tcp/udp/500 bypass. |
3974 |
* Fixed up comments in #endif directives. |
3975 |
* |
3976 |
* Revision 1.8 1998/10/27 00:34:31 rgb |
3977 |
* Reformat debug output of IP headers. |
3978 |
* Newlines added before calls to ipsec_print_ip. |
3979 |
* |
3980 |
* Revision 1.7 1998/10/19 14:44:28 rgb |
3981 |
* Added inclusion of freeswan.h. |
3982 |
* sa_id structure implemented and used: now includes protocol. |
3983 |
* |
3984 |
* Revision 1.6 1998/10/09 04:31:35 rgb |
3985 |
* Added 'klips_debug' prefix to all klips printk debug statements. |
3986 |
* |
3987 |
* Revision 1.5 1998/08/28 03:09:51 rgb |
3988 |
* Prevent kernel log spam with default route through ipsec. |
3989 |
* |
3990 |
* Revision 1.4 1998/08/05 22:23:09 rgb |
3991 |
* Change setdev return code to ENXIO for a non-existant physical device. |
3992 |
* |
3993 |
* Revision 1.3 1998/07/29 20:41:11 rgb |
3994 |
* Add ipsec_tunnel_clear to clear all tunnel attachments. |
3995 |
* |
3996 |
* Revision 1.2 1998/06/25 20:00:33 rgb |
3997 |
* Clean up #endif comments. |
3998 |
* Rename dev_ipsec to dev_ipsec0 for consistency. |
3999 |
* Document ipsec device fields. |
4000 |
* Make ipsec_tunnel_probe visible from rest of kernel for static linking. |
4001 |
* Get debugging report for *every* ipsec device initialisation. |
4002 |
* Comment out redundant code. |
4003 |
* |
4004 |
* Revision 1.1 1998/06/18 21:27:50 henry |
4005 |
* move sources from klips/src to klips/net/ipsec, to keep stupid |
4006 |
* kernel-build scripts happier in the presence of symlinks |
4007 |
* |
4008 |
* Revision 1.8 1998/06/14 23:49:40 rgb |
4009 |
* Clarify version reporting on module loading. |
4010 |
* |
4011 |
* Revision 1.7 1998/05/27 23:19:20 rgb |
4012 |
* Added version reporting. |
4013 |
* |
4014 |
* Revision 1.6 1998/05/18 21:56:23 rgb |
4015 |
* Clean up for numerical consistency of output and cleaning up debug code. |
4016 |
* |
4017 |
* Revision 1.5 1998/05/12 02:44:23 rgb |
4018 |
* Clarifying 'no e-route to host' message. |
4019 |
* |
4020 |
* Revision 1.4 1998/04/30 15:34:35 rgb |
4021 |
* Enclosed most remaining debugging statements in #ifdef's to make it quieter. |
4022 |
* |
4023 |
* Revision 1.3 1998/04/21 21:28:54 rgb |
4024 |
* Rearrange debug switches to change on the fly debug output from user |
4025 |
* space. Only kernel changes checked in at this time. radij.c was also |
4026 |
* changed to temporarily remove buggy debugging code in rj_delete causing |
4027 |
* an OOPS and hence, netlink device open errors. |
4028 |
* |
4029 |
* Revision 1.2 1998/04/12 22:03:24 rgb |
4030 |
* Updated ESP-3DES-HMAC-MD5-96, |
4031 |
* ESP-DES-HMAC-MD5-96, |
4032 |
* AH-HMAC-MD5-96, |
4033 |
* AH-HMAC-SHA1-96 since Henry started freeswan cvs repository |
4034 |
* from old standards (RFC182[5-9] to new (as of March 1998) drafts. |
4035 |
* |
4036 |
* Fixed eroute references in /proc/net/ipsec*. |
4037 |
* |
4038 |
* Started to patch module unloading memory leaks in ipsec_netlink and |
4039 |
* radij tree unloading. |
4040 |
* |
4041 |
* Revision 1.1 1998/04/09 03:06:12 henry |
4042 |
* sources moved up from linux/net/ipsec |
4043 |
* |
4044 |
* Revision 1.1.1.1 1998/04/08 05:35:04 henry |
4045 |
* RGB's ipsec-0.8pre2.tar.gz ipsec-0.8 |
4046 |
* |
4047 |
* Revision 0.5 1997/06/03 04:24:48 ji |
4048 |
* Added transport mode. |
4049 |
* Changed the way routing is done. |
4050 |
* Lots of bug fixes. |
4051 |
* |
4052 |
* Revision 0.4 1997/01/15 01:28:15 ji |
4053 |
* No changes. |
4054 |
* |
4055 |
* Revision 0.3 1996/11/20 14:39:04 ji |
4056 |
* Minor cleanups. |
4057 |
* Rationalized debugging code. |
4058 |
* |
4059 |
* Revision 0.2 1996/11/02 00:18:33 ji |
4060 |
* First limited release. |
4061 |
* |
4062 |
* |
4063 |
*/ |