Commit df9dcb45 authored by Kazunori MIYAZAWA's avatar Kazunori MIYAZAWA Committed by David S. Miller

[IPSEC]: Fix inter address family IPsec tunnel handling.

Signed-off-by: default avatarKazunori MIYAZAWA <kazunori@miyazawa.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fa86d322
...@@ -204,6 +204,7 @@ struct xfrm_state ...@@ -204,6 +204,7 @@ struct xfrm_state
* transformer. */ * transformer. */
const struct xfrm_type *type; const struct xfrm_type *type;
struct xfrm_mode *inner_mode; struct xfrm_mode *inner_mode;
struct xfrm_mode *inner_mode_iaf;
struct xfrm_mode *outer_mode; struct xfrm_mode *outer_mode;
/* Security context */ /* Security context */
...@@ -387,6 +388,27 @@ enum { ...@@ -387,6 +388,27 @@ enum {
extern int xfrm_register_mode(struct xfrm_mode *mode, int family); extern int xfrm_register_mode(struct xfrm_mode *mode, int family);
extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family); extern int xfrm_unregister_mode(struct xfrm_mode *mode, int family);
static inline int xfrm_af2proto(unsigned int family)
{
switch(family) {
case AF_INET:
return IPPROTO_IPIP;
case AF_INET6:
return IPPROTO_IPV6;
default:
return 0;
}
}
static inline struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto)
{
if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) ||
(ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6))
return x->inner_mode;
else
return x->inner_mode_iaf;
}
struct xfrm_tmpl struct xfrm_tmpl
{ {
/* id in template is interpreted as: /* id in template is interpreted as:
...@@ -1253,6 +1275,7 @@ extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, ...@@ -1253,6 +1275,7 @@ extern int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi,
extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr); extern int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
extern int xfrm_output_resume(struct sk_buff *skb, int err); extern int xfrm_output_resume(struct sk_buff *skb, int err);
extern int xfrm_output(struct sk_buff *skb); extern int xfrm_output(struct sk_buff *skb);
extern int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
extern int xfrm4_extract_header(struct sk_buff *skb); extern int xfrm4_extract_header(struct sk_buff *skb);
extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb); extern int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, extern int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
......
...@@ -41,7 +41,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -41,7 +41,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
top_iph->ihl = 5; top_iph->ihl = 5;
top_iph->version = 4; top_iph->version = 4;
top_iph->protocol = x->inner_mode->afinfo->proto; top_iph->protocol = xfrm_af2proto(skb->dst->ops->family);
/* DS disclosed */ /* DS disclosed */
top_iph->tos = INET_ECN_encapsulate(XFRM_MODE_SKB_CB(skb)->tos, top_iph->tos = INET_ECN_encapsulate(XFRM_MODE_SKB_CB(skb)->tos,
......
...@@ -56,7 +56,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -56,7 +56,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
{ {
int err; int err;
err = x->inner_mode->afinfo->extract_output(x, skb); err = xfrm_inner_extract_output(x, skb);
if (err) if (err)
return err; return err;
......
...@@ -45,7 +45,7 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -45,7 +45,7 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl, memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl,
sizeof(top_iph->flow_lbl)); sizeof(top_iph->flow_lbl));
top_iph->nexthdr = x->inner_mode->afinfo->proto; top_iph->nexthdr = xfrm_af2proto(skb->dst->ops->family);
dsfield = XFRM_MODE_SKB_CB(skb)->tos; dsfield = XFRM_MODE_SKB_CB(skb)->tos;
dsfield = INET_ECN_encapsulate(dsfield, dsfield); dsfield = INET_ECN_encapsulate(dsfield, dsfield);
......
...@@ -62,7 +62,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -62,7 +62,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
{ {
int err; int err;
err = x->inner_mode->afinfo->extract_output(x, skb); err = xfrm_inner_extract_output(x, skb);
if (err) if (err)
return err; return err;
......
...@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct sadb_msg *hdr, ...@@ -1219,7 +1219,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct sadb_msg *hdr,
x->sel.prefixlen_s = addr->sadb_address_prefixlen; x->sel.prefixlen_s = addr->sadb_address_prefixlen;
} }
if (!x->sel.family) if (x->props.mode == XFRM_MODE_TRANSPORT)
x->sel.family = x->props.family; x->sel.family = x->props.family;
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) { if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
......
...@@ -84,14 +84,21 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq) ...@@ -84,14 +84,21 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
{ {
struct xfrm_mode *inner_mode = x->inner_mode;
int err; int err;
err = x->outer_mode->afinfo->extract_input(x, skb); err = x->outer_mode->afinfo->extract_input(x, skb);
if (err) if (err)
return err; return err;
skb->protocol = x->inner_mode->afinfo->eth_proto; if (x->sel.family == AF_UNSPEC) {
return x->inner_mode->input2(x, skb); inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
if (inner_mode == NULL)
return -EAFNOSUPPORT;
}
skb->protocol = inner_mode->afinfo->eth_proto;
return inner_mode->input2(x, skb);
} }
EXPORT_SYMBOL(xfrm_prepare_input); EXPORT_SYMBOL(xfrm_prepare_input);
...@@ -101,6 +108,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) ...@@ -101,6 +108,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
__be32 seq; __be32 seq;
struct xfrm_state *x; struct xfrm_state *x;
xfrm_address_t *daddr; xfrm_address_t *daddr;
struct xfrm_mode *inner_mode;
unsigned int family; unsigned int family;
int decaps = 0; int decaps = 0;
int async = 0; int async = 0;
...@@ -207,7 +215,15 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) ...@@ -207,7 +215,15 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
XFRM_MODE_SKB_CB(skb)->protocol = nexthdr; XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
if (x->inner_mode->input(x, skb)) { inner_mode = x->inner_mode;
if (x->sel.family == AF_UNSPEC) {
inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
if (inner_mode == NULL)
goto drop;
}
if (inner_mode->input(x, skb)) {
XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR); XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEMODEERROR);
goto drop; goto drop;
} }
......
...@@ -124,7 +124,7 @@ int xfrm_output_resume(struct sk_buff *skb, int err) ...@@ -124,7 +124,7 @@ int xfrm_output_resume(struct sk_buff *skb, int err)
if (!x) if (!x)
return dst_output(skb); return dst_output(skb);
err = nf_hook(x->inner_mode->afinfo->family, err = nf_hook(skb->dst->ops->family,
NF_INET_POST_ROUTING, skb, NF_INET_POST_ROUTING, skb,
NULL, skb->dst->dev, xfrm_output2); NULL, skb->dst->dev, xfrm_output2);
if (unlikely(err != 1)) if (unlikely(err != 1))
...@@ -193,4 +193,20 @@ int xfrm_output(struct sk_buff *skb) ...@@ -193,4 +193,20 @@ int xfrm_output(struct sk_buff *skb)
return xfrm_output2(skb); return xfrm_output2(skb);
} }
int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
{
struct xfrm_mode *inner_mode;
if (x->sel.family == AF_UNSPEC)
inner_mode = xfrm_ip2inner_mode(x,
xfrm_af2proto(skb->dst->ops->family));
else
inner_mode = x->inner_mode;
if (inner_mode == NULL)
return -EAFNOSUPPORT;
return inner_mode->afinfo->extract_output(x, skb);
}
EXPORT_SYMBOL_GPL(xfrm_output); EXPORT_SYMBOL_GPL(xfrm_output);
EXPORT_SYMBOL_GPL(xfrm_inner_extract_output);
...@@ -388,6 +388,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x) ...@@ -388,6 +388,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
kfree(x->coaddr); kfree(x->coaddr);
if (x->inner_mode) if (x->inner_mode)
xfrm_put_mode(x->inner_mode); xfrm_put_mode(x->inner_mode);
if (x->inner_mode_iaf)
xfrm_put_mode(x->inner_mode_iaf);
if (x->outer_mode) if (x->outer_mode)
xfrm_put_mode(x->outer_mode); xfrm_put_mode(x->outer_mode);
if (x->type) { if (x->type) {
...@@ -523,6 +525,8 @@ struct xfrm_state *xfrm_state_alloc(void) ...@@ -523,6 +525,8 @@ struct xfrm_state *xfrm_state_alloc(void)
x->lft.hard_packet_limit = XFRM_INF; x->lft.hard_packet_limit = XFRM_INF;
x->replay_maxage = 0; x->replay_maxage = 0;
x->replay_maxdiff = 0; x->replay_maxdiff = 0;
x->inner_mode = NULL;
x->inner_mode_iaf = NULL;
spin_lock_init(&x->lock); spin_lock_init(&x->lock);
} }
return x; return x;
...@@ -796,7 +800,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, ...@@ -796,7 +800,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
selector. selector.
*/ */
if (x->km.state == XFRM_STATE_VALID) { if (x->km.state == XFRM_STATE_VALID) {
if (!xfrm_selector_match(&x->sel, fl, x->sel.family) || if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
!security_xfrm_state_pol_flow_match(x, pol, fl)) !security_xfrm_state_pol_flow_match(x, pol, fl))
continue; continue;
if (!best || if (!best ||
...@@ -1944,6 +1948,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu) ...@@ -1944,6 +1948,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
int xfrm_init_state(struct xfrm_state *x) int xfrm_init_state(struct xfrm_state *x)
{ {
struct xfrm_state_afinfo *afinfo; struct xfrm_state_afinfo *afinfo;
struct xfrm_mode *inner_mode;
int family = x->props.family; int family = x->props.family;
int err; int err;
...@@ -1962,14 +1967,49 @@ int xfrm_init_state(struct xfrm_state *x) ...@@ -1962,14 +1967,49 @@ int xfrm_init_state(struct xfrm_state *x)
goto error; goto error;
err = -EPROTONOSUPPORT; err = -EPROTONOSUPPORT;
x->inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
if (x->inner_mode == NULL) if (x->sel.family != AF_UNSPEC) {
inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
if (inner_mode == NULL)
goto error;
if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
family != x->sel.family) {
xfrm_put_mode(inner_mode);
goto error;
}
x->inner_mode = inner_mode;
} else {
struct xfrm_mode *inner_mode_iaf;
inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
if (inner_mode == NULL)
goto error;
if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
xfrm_put_mode(inner_mode);
goto error; goto error;
}
if (!(x->inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
family != x->sel.family) if (inner_mode_iaf == NULL)
goto error; goto error;
if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
xfrm_put_mode(inner_mode_iaf);
goto error;
}
if (x->props.family == AF_INET) {
x->inner_mode = inner_mode;
x->inner_mode_iaf = inner_mode_iaf;
} else {
x->inner_mode = inner_mode_iaf;
x->inner_mode_iaf = inner_mode;
}
}
x->type = xfrm_get_type(x->id.proto, family); x->type = xfrm_get_type(x->id.proto, family);
if (x->type == NULL) if (x->type == NULL)
goto error; goto error;
......
...@@ -288,12 +288,9 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info * ...@@ -288,12 +288,9 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr)); memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
x->props.flags = p->flags; x->props.flags = p->flags;
/* if (x->props.mode == XFRM_MODE_TRANSPORT)
* Set inner address family if the KM left it as zero.
* See comment in validate_tmpl.
*/
if (!x->sel.family)
x->sel.family = p->family; x->sel.family = p->family;
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment