/*
 * xfrm6_input.c: based on net/ipv4/xfrm4_input.c
 *
 * Authors:
 *	Mitsuru KANDA @USAGI
 *	Kazunori MIYAZAWA @USAGI
 *	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
 *	YOSHIFUJI Hideaki @USAGI
 *		IPv6 support
 */

#include <linux/module.h>
#include <linux/string.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv6.h>
#include <net/ipv6.h>
#include <net/xfrm.h>

/*
 * xfrm6_rcv_spi - run an inbound IPv6 packet through its xfrm states.
 * @skb: received packet; IP6CB(skb)->nhoff locates the next-header byte
 * @spi: SPI to look up, or 0 to have xfrm_parse_spi() read SPI and
 *       sequence number from the packet
 *
 * Each loop iteration looks up one state by (daddr, spi, nexthdr),
 * validates it under x->lock, calls its type and mode input handlers and
 * records the state in a local vector.  The vector is appended to the
 * skb's secpath once the loop has finished.
 *
 * Returns -1 whenever the skb has been handed on (netif_rx(), NF_HOOK())
 * or freed on a drop path.  Returns 1 only for a non-tunnel packet in a
 * build without CONFIG_NETFILTER; in that case the skb is neither queued
 * nor freed here.
 * NOTE(review): the meaning callers attach to -1 / 1 is not visible in
 * this file - confirm against the IPv6 protocol handler.
 *
 * NOTE(review): when a non-zero @spi is passed in, seq stays 0 for the
 * first state.  Whether that is acceptable for a state with a non-zero
 * replay_window depends on xfrm_replay_check() - confirm.
 */
int xfrm6_rcv_spi(struct sk_buff *skb, u32 spi)
{
	int err;
	u32 seq;
	/* States used so far; each entry is released on the drop path. */
	struct xfrm_state *xfrm_vec[XFRM_MAX_DEPTH];
	struct xfrm_state *x;
	int xfrm_nr = 0;
	int decaps = 0;
	int nexthdr;
	unsigned int nhoff;

	/*
	 * nhoff is taken from the skb control block and used as an index
	 * into the network header without a bounds check in this function.
	 * NOTE(review): presumably validated by the IPv6 input path that
	 * set it - confirm.
	 */
	nhoff = IP6CB(skb)->nhoff;
	nexthdr = skb->nh.raw[nhoff];

	seq = 0;
	/* xfrm_nr is still 0 here, so the drop path only frees the skb. */
	if (!spi && (err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) != 0)
		goto drop;

	do {
		struct ipv6hdr *iph = skb->nh.ipv6h;

		/* Bounds the write into xfrm_vec[] further down. */
		if (xfrm_nr == XFRM_MAX_DEPTH)
			goto drop;

		/*
		 * NOTE(review): the lookup presumably returns a held
		 * reference, since every failure path below calls
		 * xfrm_state_put() on it - confirm.
		 */
		x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, nexthdr, AF_INET6);
		if (x == NULL)
			goto drop;
		spin_lock(&x->lock);
		if (unlikely(x->km.state != XFRM_STATE_VALID))
			goto drop_unlock;

		/* Replay check runs before the transform touches the packet. */
		if (x->props.replay_window && xfrm_replay_check(x, seq))
			goto drop_unlock;

		if (xfrm_state_check_expire(x))
			goto drop_unlock;

		/* The handler's return value becomes the next header; <= 0 drops. */
		nexthdr = x->type->input(x, skb);
		if (nexthdr <= 0)
			goto drop_unlock;

		skb->nh.raw[nhoff] = nexthdr;

		/*
		 * The replay window moves forward only after type->input()
		 * accepted the packet, and still under x->lock.
		 */
		if (x->props.replay_window)
			xfrm_replay_advance(x, seq);

		/* Lifetime accounting, also under x->lock. */
		x->curlft.bytes += skb->len;
		x->curlft.packets++;

		spin_unlock(&x->lock);

		/*
		 * From here on x is owned by xfrm_vec[]: failures go to
		 * "drop", which puts it, not to "drop_unlock".
		 */
		xfrm_vec[xfrm_nr++] = x;

		if (x->mode->input(x, skb))
			goto drop;

		/* Tunnel mode ends the loop; the packet is re-queued below. */
		if (x->props.mode == XFRM_MODE_TUNNEL) { /* XXX */
			decaps = 1;
			break;
		}

		/*
		 * Negative return drops the packet; a positive return ends
		 * the loop without dropping; 0 means another state follows.
		 */
		if ((err = xfrm_parse_spi(skb, nexthdr, &spi, &seq)) < 0)
			goto drop;
	} while (!err);

	/* Allocate new secpath or COW existing one. */
	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
		struct sec_path *sp;
		sp = secpath_dup(skb->sp);
		if (!sp)
			goto drop;
		if (skb->sp)
			secpath_put(skb->sp);
		skb->sp = sp;
	}

	/*
	 * Entries already in the secpath count against the same limit.
	 * NOTE(review): presumably sp->xvec holds XFRM_MAX_DEPTH entries,
	 * which makes this the bound for the memcpy() below - confirm.
	 */
	if (xfrm_nr + skb->sp->len > XFRM_MAX_DEPTH)
		goto drop;

	/* The state references move from xfrm_vec[] into the secpath. */
	memcpy(skb->sp->xvec + skb->sp->len, xfrm_vec,
	       xfrm_nr * sizeof(xfrm_vec[0]));
	skb->sp->len += xfrm_nr;
	skb->ip_summed = CHECKSUM_NONE;

	/*
	 * NOTE(review): presumably clears netfilter state attached to the
	 * packet before the transforms ran - confirm.
	 */
	nf_reset(skb);

	if (decaps) {
		/* The cached route is dropped unless the device is loopback. */
		if (!(skb->dev->flags&IFF_LOOPBACK)) {
			dst_release(skb->dst);
			skb->dst = NULL;
		}
		/* Re-inject the packet into the receive path. */
		netif_rx(skb);
		return -1;
	} else {
#ifdef CONFIG_NETFILTER
		/*
		 * Update payload_len, push the data pointer back to the
		 * network header and pass the packet through the
		 * PRE_ROUTING hook with ip6_rcv_finish as continuation.
		 */
		skb->nh.ipv6h->payload_len = htons(skb->len);
		__skb_push(skb, skb->data - skb->nh.raw);

		NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
			ip6_rcv_finish);
		return -1;
#else
		return 1;
#endif
	}

drop_unlock:
	/* Reached only with x->lock held and x not yet in xfrm_vec[]. */
	spin_unlock(&x->lock);
	xfrm_state_put(x);
drop:
	/* Release every state collected so far, then free the packet. */
	while (--xfrm_nr >= 0)
		xfrm_state_put(xfrm_vec[xfrm_nr]);
	kfree_skb(skb);
	return -1;
}

EXPORT_SYMBOL(xfrm6_rcv_spi);

/*
 * xfrm6_rcv - input entry point that takes the SPI from the packet.
 * @pskb: pointer to the received skb pointer
 *
 * Calls xfrm6_rcv_spi() with spi == 0, so SPI and sequence number are
 * parsed from the packet.  Returns whatever xfrm6_rcv_spi() returns.
 */
int xfrm6_rcv(struct sk_buff **pskb)
{
	return xfrm6_rcv_spi(*pskb, 0);
}