1 /* 2 * xfrm4_input.c 3 * 4 * Changes: 5 * YOSHIFUJI Hideaki @USAGI 6 * Split up af-specific portion 7 * Derek Atkins <derek@ihtfp.com> 8 * Add Encapsulation support 9 * 10 */ 11 12 #include <linux/module.h> 13 #include <linux/string.h> 14 #include <net/inet_ecn.h> 15 #include <net/ip.h> 16 #include <net/xfrm.h> 17 18 int xfrm4_rcv(struct sk_buff *skb) 19 { 20 return xfrm4_rcv_encap(skb, 0); 21 } 22 23 EXPORT_SYMBOL(xfrm4_rcv); 24 25 static inline void ipip_ecn_decapsulate(struct sk_buff *skb) 26 { 27 struct iphdr *outer_iph = skb->nh.iph; 28 struct iphdr *inner_iph = skb->h.ipiph; 29 30 if (INET_ECN_is_ce(outer_iph->tos)) 31 IP_ECN_set_ce(inner_iph); 32 } 33 34 static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq) 35 { 36 switch (nexthdr) { 37 case IPPROTO_IPIP: 38 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 39 return -EINVAL; 40 *spi = skb->nh.iph->saddr; 41 *seq = 0; 42 return 0; 43 } 44 45 return xfrm_parse_spi(skb, nexthdr, spi, seq); 46 } 47 48 int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type) 49 { 50 int err; 51 u32 spi, seq; 52 struct sec_decap_state xfrm_vec[XFRM_MAX_DEPTH]; 53 struct xfrm_state *x; 54 int xfrm_nr = 0; 55 int decaps = 0; 56 57 if ((err = xfrm4_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) != 0) 58 goto drop; 59 60 do { 61 struct iphdr *iph = skb->nh.iph; 62 63 if (xfrm_nr == XFRM_MAX_DEPTH) 64 goto drop; 65 66 x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, iph->protocol, AF_INET); 67 if (x == NULL) 68 goto drop; 69 70 spin_lock(&x->lock); 71 if (unlikely(x->km.state != XFRM_STATE_VALID)) 72 goto drop_unlock; 73 74 if (x->props.replay_window && xfrm_replay_check(x, seq)) 75 goto drop_unlock; 76 77 if (xfrm_state_check_expire(x)) 78 goto drop_unlock; 79 80 xfrm_vec[xfrm_nr].decap.decap_type = encap_type; 81 if (x->type->input(x, &(xfrm_vec[xfrm_nr].decap), skb)) 82 goto drop_unlock; 83 84 /* only the first xfrm gets the encap type */ 85 encap_type = 0; 86 87 if (x->props.replay_window) 88 xfrm_replay_advance(x, seq); 89 90 x->curlft.bytes += skb->len; 91 x->curlft.packets++; 92 93 spin_unlock(&x->lock); 94 95 xfrm_vec[xfrm_nr++].xvec = x; 96 97 iph = skb->nh.iph; 98 99 if (x->props.mode) { 100 if (iph->protocol != IPPROTO_IPIP) 101 goto drop; 102 if (!pskb_may_pull(skb, sizeof(struct iphdr))) 103 goto drop; 104 if (skb_cloned(skb) && 105 pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) 106 goto drop; 107 if (x->props.flags & XFRM_STATE_DECAP_DSCP) 108 ipv4_copy_dscp(iph, skb->h.ipiph); 109 if (!(x->props.flags & XFRM_STATE_NOECN)) 110 ipip_ecn_decapsulate(skb); 111 skb->mac.raw = memmove(skb->data - skb->mac_len, 112 skb->mac.raw, skb->mac_len); 113 skb->nh.raw = skb->data; 114 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); 115 decaps = 1; 116 break; 117 } 118 119 if ((err = xfrm_parse_spi(skb, skb->nh.iph->protocol, &spi, &seq)) < 0) 120 goto drop; 121 } while (!err); 122 123 /* Allocate new secpath or COW existing one. */ 124 125 if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) { 126 struct sec_path *sp; 127 sp = secpath_dup(skb->sp); 128 if (!sp) 129 goto drop; 130 if (skb->sp) 131 secpath_put(skb->sp); 132 skb->sp = sp; 133 } 134 if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH) 135 goto drop; 136 137 memcpy(skb->sp->x+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(struct sec_decap_state)); 138 skb->sp->len += xfrm_nr; 139 140 if (decaps) { 141 if (!(skb->dev->flags&IFF_LOOPBACK)) { 142 dst_release(skb->dst); 143 skb->dst = NULL; 144 } 145 netif_rx(skb); 146 return 0; 147 } else { 148 return -skb->nh.iph->protocol; 149 } 150 151 drop_unlock: 152 spin_unlock(&x->lock); 153 xfrm_state_put(x); 154 drop: 155 while (--xfrm_nr >= 0) 156 xfrm_state_put(xfrm_vec[xfrm_nr].xvec); 157 158 kfree_skb(skb); 159 return 0; 160 } 161