Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xfrm6_policy.c
Go to the documentation of this file.
1 /*
2  * xfrm6_policy.c: based on xfrm4_policy.c
3  *
4  * Authors:
5  * Mitsuru KANDA @USAGI
6  * Kazunori MIYAZAWA @USAGI
7  * Kunihiro Ishiguro <[email protected]>
8  * IPv6 support
9  * YOSHIFUJI Hideaki
10  * Split up af-specific portion
11  *
12  */
13 
14 #include <linux/err.h>
15 #include <linux/kernel.h>
16 #include <linux/netdevice.h>
17 #include <net/addrconf.h>
18 #include <net/dst.h>
19 #include <net/xfrm.h>
20 #include <net/ip.h>
21 #include <net/ipv6.h>
22 #include <net/ip6_route.h>
23 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
24 #include <net/mip6.h>
25 #endif
26 
27 static struct xfrm_policy_afinfo xfrm6_policy_afinfo;
28 
29 static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos,
30  const xfrm_address_t *saddr,
31  const xfrm_address_t *daddr)
32 {
33  struct flowi6 fl6;
34  struct dst_entry *dst;
35  int err;
36 
37  memset(&fl6, 0, sizeof(fl6));
38  memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr));
39  if (saddr)
40  memcpy(&fl6.saddr, saddr, sizeof(fl6.saddr));
41 
42  dst = ip6_route_output(net, NULL, &fl6);
43 
44  err = dst->error;
45  if (dst->error) {
46  dst_release(dst);
47  dst = ERR_PTR(err);
48  }
49 
50  return dst;
51 }
52 
53 static int xfrm6_get_saddr(struct net *net,
54  xfrm_address_t *saddr, xfrm_address_t *daddr)
55 {
56  struct dst_entry *dst;
57  struct net_device *dev;
58 
59  dst = xfrm6_dst_lookup(net, 0, NULL, daddr);
60  if (IS_ERR(dst))
61  return -EHOSTUNREACH;
62 
63  dev = ip6_dst_idev(dst)->dev;
64  ipv6_dev_get_saddr(dev_net(dev), dev,
65  (struct in6_addr *)&daddr->a6, 0,
66  (struct in6_addr *)&saddr->a6);
67  dst_release(dst);
68  return 0;
69 }
70 
71 static int xfrm6_get_tos(const struct flowi *fl)
72 {
73  return 0;
74 }
75 
76 static void xfrm6_init_dst(struct net *net, struct xfrm_dst *xdst)
77 {
78  struct rt6_info *rt = (struct rt6_info *)xdst;
79 
80  rt6_init_peer(rt, net->ipv6.peers);
81 }
82 
83 static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
84  int nfheader_len)
85 {
86  if (dst->ops->family == AF_INET6) {
87  struct rt6_info *rt = (struct rt6_info*)dst;
88  if (rt->rt6i_node)
89  path->path_cookie = rt->rt6i_node->fn_sernum;
90  }
91 
92  path->u.rt6.rt6i_nfheader_len = nfheader_len;
93 
94  return 0;
95 }
96 
97 static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
98  const struct flowi *fl)
99 {
100  struct rt6_info *rt = (struct rt6_info*)xdst->route;
101 
102  xdst->u.dst.dev = dev;
103  dev_hold(dev);
104 
105  xdst->u.rt6.rt6i_idev = in6_dev_get(dev);
106  if (!xdst->u.rt6.rt6i_idev)
107  return -ENODEV;
108 
109  rt6_transfer_peer(&xdst->u.rt6, rt);
110 
111  /* Sheit... I remember I did this right. Apparently,
112  * it was magically lost, so this code needs audit */
113  xdst->u.rt6.n = neigh_clone(rt->n);
114  xdst->u.rt6.rt6i_flags = rt->rt6i_flags & (RTF_ANYCAST |
115  RTF_LOCAL);
116  xdst->u.rt6.rt6i_metric = rt->rt6i_metric;
117  xdst->u.rt6.rt6i_node = rt->rt6i_node;
118  if (rt->rt6i_node)
119  xdst->route_cookie = rt->rt6i_node->fn_sernum;
120  xdst->u.rt6.rt6i_gateway = rt->rt6i_gateway;
121  xdst->u.rt6.rt6i_dst = rt->rt6i_dst;
122  xdst->u.rt6.rt6i_src = rt->rt6i_src;
123 
124  return 0;
125 }
126 
127 static inline void
128 _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
129 {
130  struct flowi6 *fl6 = &fl->u.ip6;
131  int onlyproto = 0;
132  u16 offset = skb_network_header_len(skb);
133  const struct ipv6hdr *hdr = ipv6_hdr(skb);
134  struct ipv6_opt_hdr *exthdr;
135  const unsigned char *nh = skb_network_header(skb);
136  u8 nexthdr = nh[IP6CB(skb)->nhoff];
137 
138  memset(fl6, 0, sizeof(struct flowi6));
139  fl6->flowi6_mark = skb->mark;
140 
141  fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
142  fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
143 
144  while (nh + offset + 1 < skb->data ||
145  pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
146  nh = skb_network_header(skb);
147  exthdr = (struct ipv6_opt_hdr *)(nh + offset);
148 
149  switch (nexthdr) {
150  case NEXTHDR_FRAGMENT:
151  onlyproto = 1;
152  case NEXTHDR_ROUTING:
153  case NEXTHDR_HOP:
154  case NEXTHDR_DEST:
155  offset += ipv6_optlen(exthdr);
156  nexthdr = exthdr->nexthdr;
157  exthdr = (struct ipv6_opt_hdr *)(nh + offset);
158  break;
159 
160  case IPPROTO_UDP:
161  case IPPROTO_UDPLITE:
162  case IPPROTO_TCP:
163  case IPPROTO_SCTP:
164  case IPPROTO_DCCP:
165  if (!onlyproto && (nh + offset + 4 < skb->data ||
166  pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
167  __be16 *ports = (__be16 *)exthdr;
168 
169  fl6->fl6_sport = ports[!!reverse];
170  fl6->fl6_dport = ports[!reverse];
171  }
172  fl6->flowi6_proto = nexthdr;
173  return;
174 
175  case IPPROTO_ICMPV6:
176  if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
177  u8 *icmp = (u8 *)exthdr;
178 
179  fl6->fl6_icmp_type = icmp[0];
180  fl6->fl6_icmp_code = icmp[1];
181  }
182  fl6->flowi6_proto = nexthdr;
183  return;
184 
185 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
186  case IPPROTO_MH:
187  if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
188  struct ip6_mh *mh;
189  mh = (struct ip6_mh *)exthdr;
190 
191  fl6->fl6_mh_type = mh->ip6mh_type;
192  }
193  fl6->flowi6_proto = nexthdr;
194  return;
195 #endif
196 
197  /* XXX Why are there these headers? */
198  case IPPROTO_AH:
199  case IPPROTO_ESP:
200  case IPPROTO_COMP:
201  default:
202  fl6->fl6_ipsec_spi = 0;
203  fl6->flowi6_proto = nexthdr;
204  return;
205  }
206  }
207 }
208 
209 static inline int xfrm6_garbage_collect(struct dst_ops *ops)
210 {
211  struct net *net = container_of(ops, struct net, xfrm.xfrm6_dst_ops);
212 
213  xfrm6_policy_afinfo.garbage_collect(net);
214  return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
215 }
216 
217 static void xfrm6_update_pmtu(struct dst_entry *dst, struct sock *sk,
218  struct sk_buff *skb, u32 mtu)
219 {
220  struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
221  struct dst_entry *path = xdst->route;
222 
223  path->ops->update_pmtu(path, sk, skb, mtu);
224 }
225 
226 static void xfrm6_redirect(struct dst_entry *dst, struct sock *sk,
227  struct sk_buff *skb)
228 {
229  struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
230  struct dst_entry *path = xdst->route;
231 
232  path->ops->redirect(path, sk, skb);
233 }
234 
235 static void xfrm6_dst_destroy(struct dst_entry *dst)
236 {
237  struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
238 
239  if (likely(xdst->u.rt6.rt6i_idev))
240  in6_dev_put(xdst->u.rt6.rt6i_idev);
241  dst_destroy_metrics_generic(dst);
242  if (rt6_has_peer(&xdst->u.rt6)) {
243  struct inet_peer *peer = rt6_peer_ptr(&xdst->u.rt6);
244  inet_putpeer(peer);
245  }
246  xfrm_dst_destroy(xdst);
247 }
248 
249 static void xfrm6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
250  int unregister)
251 {
252  struct xfrm_dst *xdst;
253 
254  if (!unregister)
255  return;
256 
257  xdst = (struct xfrm_dst *)dst;
258  if (xdst->u.rt6.rt6i_idev->dev == dev) {
259  struct inet6_dev *loopback_idev =
260  in6_dev_get(dev_net(dev)->loopback_dev);
261  BUG_ON(!loopback_idev);
262 
263  do {
264  in6_dev_put(xdst->u.rt6.rt6i_idev);
265  xdst->u.rt6.rt6i_idev = loopback_idev;
266  in6_dev_hold(loopback_idev);
267  xdst = (struct xfrm_dst *)xdst->u.dst.child;
268  } while (xdst->u.dst.xfrm);
269 
270  __in6_dev_put(loopback_idev);
271  }
272 
273  xfrm_dst_ifdown(dst, dev);
274 }
275 
276 static struct dst_ops xfrm6_dst_ops = {
277  .family = AF_INET6,
278  .protocol = cpu_to_be16(ETH_P_IPV6),
279  .gc = xfrm6_garbage_collect,
280  .update_pmtu = xfrm6_update_pmtu,
281  .redirect = xfrm6_redirect,
282  .cow_metrics = dst_cow_metrics_generic,
283  .destroy = xfrm6_dst_destroy,
284  .ifdown = xfrm6_dst_ifdown,
285  .local_out = __ip6_local_out,
286  .gc_thresh = 1024,
287 };
288 
289 static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
290  .family = AF_INET6,
291  .dst_ops = &xfrm6_dst_ops,
292  .dst_lookup = xfrm6_dst_lookup,
293  .get_saddr = xfrm6_get_saddr,
294  .decode_session = _decode_session6,
295  .get_tos = xfrm6_get_tos,
296  .init_dst = xfrm6_init_dst,
297  .init_path = xfrm6_init_path,
298  .fill_dst = xfrm6_fill_dst,
299  .blackhole_route = ip6_blackhole_route,
300 };
301 
302 static int __init xfrm6_policy_init(void)
303 {
304  return xfrm_policy_register_afinfo(&xfrm6_policy_afinfo);
305 }
306 
307 static void xfrm6_policy_fini(void)
308 {
309  xfrm_policy_unregister_afinfo(&xfrm6_policy_afinfo);
310 }
311 
312 #ifdef CONFIG_SYSCTL
313 static struct ctl_table xfrm6_policy_table[] = {
314  {
315  .procname = "xfrm6_gc_thresh",
316  .data = &init_net.xfrm.xfrm6_dst_ops.gc_thresh,
317  .maxlen = sizeof(int),
318  .mode = 0644,
320  },
321  { }
322 };
323 
324 static struct ctl_table_header *sysctl_hdr;
325 #endif
326 
328 {
329  int ret;
330  unsigned int gc_thresh;
331 
332  /*
333  * We need a good default value for the xfrm6 gc threshold.
334  * In ipv4 we set it to the route hash table size * 8, which
335  * is half the size of the maximaum route cache for ipv4. It
336  * would be good to do the same thing for v6, except the table is
337  * constructed differently here. Here each table for a net namespace
338  * can have FIB_TABLE_HASHSZ entries, so lets go with the same
339  * computation that we used for ipv4 here. Also, lets keep the initial
340  * gc_thresh to a minimum of 1024, since, the ipv6 route cache defaults
341  * to that as a minimum as well
342  */
343  gc_thresh = FIB6_TABLE_HASHSZ * 8;
344  xfrm6_dst_ops.gc_thresh = (gc_thresh < 1024) ? 1024 : gc_thresh;
345  dst_entries_init(&xfrm6_dst_ops);
346 
347  ret = xfrm6_policy_init();
348  if (ret) {
349  dst_entries_destroy(&xfrm6_dst_ops);
350  goto out;
351  }
352  ret = xfrm6_state_init();
353  if (ret)
354  goto out_policy;
355 
356 #ifdef CONFIG_SYSCTL
357  sysctl_hdr = register_net_sysctl(&init_net, "net/ipv6",
358  xfrm6_policy_table);
359 #endif
360 out:
361  return ret;
362 out_policy:
363  xfrm6_policy_fini();
364  goto out;
365 }
366 
367 void xfrm6_fini(void)
368 {
369 #ifdef CONFIG_SYSCTL
370  if (sysctl_hdr)
371  unregister_net_sysctl_table(sysctl_hdr);
372 #endif
373  //xfrm6_input_fini();
374  xfrm6_policy_fini();
376  dst_entries_destroy(&xfrm6_dst_ops);
377 }