Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xfrm4_policy.c
Go to the documentation of this file.
1 /*
2  * xfrm4_policy.c
3  *
4  * Changes:
5  * Kazunori MIYAZAWA @USAGI
6  * YOSHIFUJI Hideaki @USAGI
7  * Split up af-specific portion
8  *
9  */
10 
11 #include <linux/err.h>
12 #include <linux/kernel.h>
13 #include <linux/inetdevice.h>
14 #include <linux/if_tunnel.h>
15 #include <net/dst.h>
16 #include <net/xfrm.h>
17 #include <net/ip.h>
18 
19 static struct xfrm_policy_afinfo xfrm4_policy_afinfo;
20 
21 static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
22  int tos,
23  const xfrm_address_t *saddr,
24  const xfrm_address_t *daddr)
25 {
26  struct rtable *rt;
27 
28  memset(fl4, 0, sizeof(*fl4));
29  fl4->daddr = daddr->a4;
30  fl4->flowi4_tos = tos;
31  if (saddr)
32  fl4->saddr = saddr->a4;
33 
34  rt = __ip_route_output_key(net, fl4);
35  if (!IS_ERR(rt))
36  return &rt->dst;
37 
38  return ERR_CAST(rt);
39 }
40 
41 static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos,
42  const xfrm_address_t *saddr,
43  const xfrm_address_t *daddr)
44 {
45  struct flowi4 fl4;
46 
47  return __xfrm4_dst_lookup(net, &fl4, tos, saddr, daddr);
48 }
49 
50 static int xfrm4_get_saddr(struct net *net,
51  xfrm_address_t *saddr, xfrm_address_t *daddr)
52 {
53  struct dst_entry *dst;
54  struct flowi4 fl4;
55 
56  dst = __xfrm4_dst_lookup(net, &fl4, 0, NULL, daddr);
57  if (IS_ERR(dst))
58  return -EHOSTUNREACH;
59 
60  saddr->a4 = fl4.saddr;
61  dst_release(dst);
62  return 0;
63 }
64 
65 static int xfrm4_get_tos(const struct flowi *fl)
66 {
67  return IPTOS_RT_MASK & fl->u.ip4.flowi4_tos; /* Strip ECN bits */
68 }
69 
70 static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,
71  int nfheader_len)
72 {
73  return 0;
74 }
75 
76 static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
77  const struct flowi *fl)
78 {
79  struct rtable *rt = (struct rtable *)xdst->route;
80  const struct flowi4 *fl4 = &fl->u.ip4;
81 
82  xdst->u.rt.rt_iif = fl4->flowi4_iif;
83 
84  xdst->u.dst.dev = dev;
85  dev_hold(dev);
86 
87  /* Sheit... I remember I did this right. Apparently,
88  * it was magically lost, so this code needs audit */
89  xdst->u.rt.rt_is_input = rt->rt_is_input;
90  xdst->u.rt.rt_flags = rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST |
91  RTCF_LOCAL);
92  xdst->u.rt.rt_type = rt->rt_type;
93  xdst->u.rt.rt_gateway = rt->rt_gateway;
94  xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
95  xdst->u.rt.rt_pmtu = rt->rt_pmtu;
96  INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
97 
98  return 0;
99 }
100 
101 static void
102 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
103 {
104  const struct iphdr *iph = ip_hdr(skb);
105  u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
106  struct flowi4 *fl4 = &fl->u.ip4;
107 
108  memset(fl4, 0, sizeof(struct flowi4));
109  fl4->flowi4_mark = skb->mark;
110 
111  if (!ip_is_fragment(iph)) {
112  switch (iph->protocol) {
113  case IPPROTO_UDP:
114  case IPPROTO_UDPLITE:
115  case IPPROTO_TCP:
116  case IPPROTO_SCTP:
117  case IPPROTO_DCCP:
118  if (xprth + 4 < skb->data ||
119  pskb_may_pull(skb, xprth + 4 - skb->data)) {
120  __be16 *ports = (__be16 *)xprth;
121 
122  fl4->fl4_sport = ports[!!reverse];
123  fl4->fl4_dport = ports[!reverse];
124  }
125  break;
126 
127  case IPPROTO_ICMP:
128  if (pskb_may_pull(skb, xprth + 2 - skb->data)) {
129  u8 *icmp = xprth;
130 
131  fl4->fl4_icmp_type = icmp[0];
132  fl4->fl4_icmp_code = icmp[1];
133  }
134  break;
135 
136  case IPPROTO_ESP:
137  if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
138  __be32 *ehdr = (__be32 *)xprth;
139 
140  fl4->fl4_ipsec_spi = ehdr[0];
141  }
142  break;
143 
144  case IPPROTO_AH:
145  if (pskb_may_pull(skb, xprth + 8 - skb->data)) {
146  __be32 *ah_hdr = (__be32 *)xprth;
147 
148  fl4->fl4_ipsec_spi = ah_hdr[1];
149  }
150  break;
151 
152  case IPPROTO_COMP:
153  if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
154  __be16 *ipcomp_hdr = (__be16 *)xprth;
155 
156  fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
157  }
158  break;
159 
160  case IPPROTO_GRE:
161  if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
162  __be16 *greflags = (__be16 *)xprth;
163  __be32 *gre_hdr = (__be32 *)xprth;
164 
165  if (greflags[0] & GRE_KEY) {
166  if (greflags[0] & GRE_CSUM)
167  gre_hdr++;
168  fl4->fl4_gre_key = gre_hdr[1];
169  }
170  }
171  break;
172 
173  default:
174  fl4->fl4_ipsec_spi = 0;
175  break;
176  }
177  }
178  fl4->flowi4_proto = iph->protocol;
179  fl4->daddr = reverse ? iph->saddr : iph->daddr;
180  fl4->saddr = reverse ? iph->daddr : iph->saddr;
181  fl4->flowi4_tos = iph->tos;
182 }
183 
184 static inline int xfrm4_garbage_collect(struct dst_ops *ops)
185 {
186  struct net *net = container_of(ops, struct net, xfrm.xfrm4_dst_ops);
187 
188  xfrm4_policy_afinfo.garbage_collect(net);
189  return (dst_entries_get_slow(ops) > ops->gc_thresh * 2);
190 }
191 
192 static void xfrm4_update_pmtu(struct dst_entry *dst, struct sock *sk,
193  struct sk_buff *skb, u32 mtu)
194 {
195  struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
196  struct dst_entry *path = xdst->route;
197 
198  path->ops->update_pmtu(path, sk, skb, mtu);
199 }
200 
201 static void xfrm4_redirect(struct dst_entry *dst, struct sock *sk,
202  struct sk_buff *skb)
203 {
204  struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
205  struct dst_entry *path = xdst->route;
206 
207  path->ops->redirect(path, sk, skb);
208 }
209 
210 static void xfrm4_dst_destroy(struct dst_entry *dst)
211 {
212  struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
213 
214  dst_destroy_metrics_generic(dst);
215 
216  xfrm_dst_destroy(xdst);
217 }
218 
219 static void xfrm4_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
220  int unregister)
221 {
222  if (!unregister)
223  return;
224 
225  xfrm_dst_ifdown(dst, dev);
226 }
227 
228 static struct dst_ops xfrm4_dst_ops = {
229  .family = AF_INET,
230  .protocol = cpu_to_be16(ETH_P_IP),
231  .gc = xfrm4_garbage_collect,
232  .update_pmtu = xfrm4_update_pmtu,
233  .redirect = xfrm4_redirect,
234  .cow_metrics = dst_cow_metrics_generic,
235  .destroy = xfrm4_dst_destroy,
236  .ifdown = xfrm4_dst_ifdown,
237  .local_out = __ip_local_out,
238  .gc_thresh = 1024,
239 };
240 
241 static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
242  .family = AF_INET,
243  .dst_ops = &xfrm4_dst_ops,
244  .dst_lookup = xfrm4_dst_lookup,
245  .get_saddr = xfrm4_get_saddr,
246  .decode_session = _decode_session4,
247  .get_tos = xfrm4_get_tos,
248  .init_path = xfrm4_init_path,
249  .fill_dst = xfrm4_fill_dst,
250  .blackhole_route = ipv4_blackhole_route,
251 };
252 
253 #ifdef CONFIG_SYSCTL
254 static struct ctl_table xfrm4_policy_table[] = {
255  {
256  .procname = "xfrm4_gc_thresh",
257  .data = &init_net.xfrm.xfrm4_dst_ops.gc_thresh,
258  .maxlen = sizeof(int),
259  .mode = 0644,
260  .proc_handler = proc_dointvec,
261  },
262  { }
263 };
264 
265 static struct ctl_table_header *sysctl_hdr;
266 #endif
267 
268 static void __init xfrm4_policy_init(void)
269 {
270  xfrm_policy_register_afinfo(&xfrm4_policy_afinfo);
271 }
272 
273 static void __exit xfrm4_policy_fini(void)
274 {
275 #ifdef CONFIG_SYSCTL
276  if (sysctl_hdr)
277  unregister_net_sysctl_table(sysctl_hdr);
278 #endif
279  xfrm_policy_unregister_afinfo(&xfrm4_policy_afinfo);
280 }
281 
282 void __init xfrm4_init(void)
283 {
284  dst_entries_init(&xfrm4_dst_ops);
285 
286  xfrm4_state_init();
287  xfrm4_policy_init();
288 #ifdef CONFIG_SYSCTL
289  sysctl_hdr = register_net_sysctl(&init_net, "net/ipv4",
290  xfrm4_policy_table);
291 #endif
292 }
293 
Generated on Thu Jan 10 2013 14:59:04 for Linux Kernel by   doxygen 1.8.2