2 * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char ipsec_tunnel_c_version
[] = "RCSID $Id: ipsec_tunnel.c,v 1.4 2005/06/16 21:21:02 as Exp $";
19 #define __NO_VERSION__
20 #include <linux/module.h>
21 #include <linux/config.h> /* for CONFIG_IP_FORWARD */
22 #include <linux/version.h>
23 #include <linux/kernel.h> /* printk() */
25 #include "freeswan/ipsec_param.h"
28 # include <linux/slab.h> /* kmalloc() */
29 #else /* MALLOC_SLAB */
30 # include <linux/malloc.h> /* kmalloc() */
31 #endif /* MALLOC_SLAB */
32 #include <linux/errno.h> /* error codes */
33 #include <linux/types.h> /* size_t */
34 #include <linux/interrupt.h> /* mark_bh */
36 #include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
37 #include <linux/etherdevice.h> /* eth_type_trans */
38 #include <linux/ip.h> /* struct iphdr */
39 #include <linux/tcp.h> /* struct tcphdr */
40 #include <linux/udp.h> /* struct udphdr */
41 #include <linux/skbuff.h>
44 # include <asm/uaccess.h>
45 # include <linux/in6.h>
46 # define ip_chk_addr inet_addr_type
47 # define IS_MYADDR RTN_LOCAL
50 # define dev_kfree_skb(a,b) kfree_skb(a)
53 #include <asm/checksum.h>
54 #include <net/icmp.h> /* icmp_send() */
57 # include <linux/netfilter_ipv4.h>
58 #endif /* NETDEV_23 */
60 #include <linux/if_arp.h>
62 #include "freeswan/radij.h"
63 #include "freeswan/ipsec_life.h"
64 #include "freeswan/ipsec_xform.h"
65 #include "freeswan/ipsec_eroute.h"
66 #include "freeswan/ipsec_encap.h"
67 #include "freeswan/ipsec_radij.h"
68 #include "freeswan/ipsec_sa.h"
69 #include "freeswan/ipsec_tunnel.h"
70 #include "freeswan/ipsec_xmit.h"
71 #include "freeswan/ipsec_ipe4.h"
72 #include "freeswan/ipsec_ah.h"
73 #include "freeswan/ipsec_esp.h"
78 #include "freeswan/ipsec_proto.h"
79 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
80 #include <linux/udp.h>
83 static __u32 zeroes
[64];
85 #ifdef CONFIG_IPSEC_DEBUG
87 #endif /* CONFIG_IPSEC_DEBUG */
90 ipsec_tunnel_open(struct device
*dev
)
92 struct ipsecpriv
*prv
= dev
->priv
;
95 * Can't open until attached.
98 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
99 "klips_debug:ipsec_tunnel_open: "
100 "dev = %s, prv->dev = %s\n",
101 dev
->name
, prv
->dev
?prv
->dev
->name
:"NONE");
103 if (prv
->dev
== NULL
)
111 ipsec_tunnel_close(struct device
*dev
)
118 static inline int ipsec_tunnel_xmit2(struct sk_buff
*skb
)
120 #ifdef NETDEV_25 /* 2.6 kernels */
121 return dst_output(skb
);
126 #endif /* NETDEV_23 */
128 enum ipsec_xmit_value
129 ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state
*ixs
)
131 /* ixs->physdev->hard_header_len is unreliable and should not be used */
132 ixs
->hard_header_len
= (unsigned char *)(ixs
->iph
) - ixs
->skb
->data
;
134 if(ixs
->hard_header_len
< 0) {
135 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
136 "klips_error:ipsec_xmit_strip_hard_header: "
137 "Negative hard_header_len (%d)?!\n", ixs
->hard_header_len
);
138 ixs
->stats
->tx_dropped
++;
139 return IPSEC_XMIT_BADHHLEN
;
142 /* while ixs->physdev->hard_header_len is unreliable and
143 * should not be trusted, it accurate and required for ATM, GRE and
144 * some other interfaces to work. Thanks to Willy Tarreau
147 if(ixs
->hard_header_len
== 0) { /* no hard header present */
148 ixs
->hard_header_stripped
= 1;
149 ixs
->hard_header_len
= ixs
->physdev
->hard_header_len
;
152 #ifdef CONFIG_IPSEC_DEBUG
153 if (debug_tunnel
& DB_TN_XMIT
) {
157 printk(KERN_INFO
"klips_debug:ipsec_xmit_strip_hard_header: "
158 ">>> skb->len=%ld hard_header_len:%d",
159 (unsigned long int)ixs
->skb
->len
, ixs
->hard_header_len
);
161 for (i
=0; i
< ixs
->hard_header_len
; i
++) {
162 printk("%c%02x", c
, ixs
->skb
->data
[i
]);
167 #endif /* CONFIG_IPSEC_DEBUG */
169 KLIPS_IP_PRINT(debug_tunnel
& DB_TN_XMIT
, ixs
->iph
);
171 KLIPS_PRINT(debug_tunnel
& DB_TN_CROUT
,
172 "klips_debug:ipsec_xmit_strip_hard_header: "
173 "Original head,tailroom: %d,%d\n",
174 skb_headroom(ixs
->skb
), skb_tailroom(ixs
->skb
));
176 return IPSEC_XMIT_OK
;
179 enum ipsec_xmit_value
180 ipsec_tunnel_SAlookup(struct ipsec_xmit_state
*ixs
)
183 * First things first -- look us up in the erouting tables.
185 ixs
->matcher
.sen_len
= sizeof (struct sockaddr_encap
);
186 ixs
->matcher
.sen_family
= AF_ENCAP
;
187 ixs
->matcher
.sen_type
= SENT_IP4
;
188 ixs
->matcher
.sen_ip_src
.s_addr
= ixs
->iph
->saddr
;
189 ixs
->matcher
.sen_ip_dst
.s_addr
= ixs
->iph
->daddr
;
190 ixs
->matcher
.sen_proto
= ixs
->iph
->protocol
;
191 ipsec_extract_ports(ixs
->iph
, &ixs
->matcher
);
194 * The spinlock is to prevent any other process from accessing or deleting
195 * the eroute while we are using and updating it.
197 spin_lock(&eroute_lock
);
199 ixs
->eroute
= ipsec_findroute(&ixs
->matcher
);
201 if(ixs
->iph
->protocol
== IPPROTO_UDP
) {
203 ixs
->sport
=ntohs(ixs
->skb
->sk
->sport
);
204 ixs
->dport
=ntohs(ixs
->skb
->sk
->dport
);
205 } else if((ntohs(ixs
->iph
->frag_off
) & IP_OFFSET
) == 0 &&
206 ((ixs
->skb
->len
- ixs
->hard_header_len
) >=
207 ((ixs
->iph
->ihl
<< 2) + sizeof(struct udphdr
)))) {
208 ixs
->sport
=ntohs(((struct udphdr
*)((caddr_t
)ixs
->iph
+(ixs
->iph
->ihl
<<2)))->source
);
209 ixs
->dport
=ntohs(((struct udphdr
*)((caddr_t
)ixs
->iph
+ (ixs
->iph
->ihl
<<2)))->dest
);
211 ixs
->sport
=0; ixs
->dport
=0;
215 /* default to a %drop eroute */
216 ixs
->outgoing_said
.proto
= IPPROTO_INT
;
217 ixs
->outgoing_said
.spi
= htonl(SPI_DROP
);
218 ixs
->outgoing_said
.dst
.s_addr
= INADDR_ANY
;
219 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
220 "klips_debug:ipsec_xmit_SAlookup: "
221 "checking for local udp/500 IKE packet "
222 "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
223 ntohl((unsigned int)ixs
->iph
->saddr
),
225 ntohl((unsigned int)ixs
->iph
->daddr
),
226 ixs
->eroute
? ntohl((unsigned int)ixs
->eroute
->er_said
.dst
.s_addr
) : 0,
232 * Quick cheat for now...are we udp/500 or udp/4500? If so, let it through
233 * without interference since it is most likely an IKE packet.
236 if (ip_chk_addr((unsigned long)ixs
->iph
->saddr
) == IS_MYADDR
238 || ixs
->iph
->daddr
== ixs
->eroute
->er_said
.dst
.s_addr
239 || INADDR_ANY
== ixs
->eroute
->er_said
.dst
.s_addr
)
240 && ((ixs
->sport
== 500) || (ixs
->sport
== 4500))) {
241 /* Whatever the eroute, this is an IKE message
242 * from us (i.e. not being forwarded).
243 * Furthermore, if there is a tunnel eroute,
244 * the destination is the peer for this eroute.
245 * So %pass the packet: modify the default %drop.
247 ixs
->outgoing_said
.spi
= htonl(SPI_PASS
);
248 if(!(ixs
->skb
->sk
) && ((ntohs(ixs
->iph
->frag_off
) & IP_MF
) != 0)) {
249 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
250 "klips_debug:ipsec_xmit_SAlookup: "
251 "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
253 } else if (ixs
->eroute
) {
254 ixs
->eroute
->er_count
++;
255 ixs
->eroute
->er_lasttime
= jiffies
/HZ
;
256 if(ixs
->eroute
->er_said
.proto
==IPPROTO_INT
257 && ixs
->eroute
->er_said
.spi
==htonl(SPI_HOLD
)) {
258 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
259 "klips_debug:ipsec_xmit_SAlookup: "
260 "shunt SA of HOLD: skb stored in HOLD.\n");
261 if(ixs
->eroute
->er_last
!= NULL
) {
262 kfree_skb(ixs
->eroute
->er_last
);
264 ixs
->eroute
->er_last
= ixs
->skb
;
266 ixs
->stats
->tx_dropped
++;
267 spin_unlock(&eroute_lock
);
268 return IPSEC_XMIT_STOLEN
;
270 ixs
->outgoing_said
= ixs
->eroute
->er_said
;
271 ixs
->eroute_pid
= ixs
->eroute
->er_pid
;
272 /* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
273 if(ixs
->outgoing_said
.proto
==IPPROTO_INT
274 && (ixs
->outgoing_said
.spi
==htonl(SPI_TRAP
)
275 || (ixs
->outgoing_said
.spi
==htonl(SPI_TRAPSUBNET
)))) {
278 ixs
->ips
.ips_ident_s
.type
= ixs
->eroute
->er_ident_s
.type
;
279 ixs
->ips
.ips_ident_s
.id
= ixs
->eroute
->er_ident_s
.id
;
280 ixs
->ips
.ips_ident_s
.len
= ixs
->eroute
->er_ident_s
.len
;
281 if (ixs
->ips
.ips_ident_s
.len
) {
282 len
= ixs
->ips
.ips_ident_s
.len
* IPSEC_PFKEYv2_ALIGN
- sizeof(struct sadb_ident
);
283 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
284 "klips_debug:ipsec_xmit_SAlookup: "
285 "allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n",
287 if ((ixs
->ips
.ips_ident_s
.data
= kmalloc(len
, GFP_ATOMIC
)) == NULL
) {
288 printk(KERN_WARNING
"klips_debug:ipsec_xmit_SAlookup: "
289 "Failed, tried to allocate %d bytes for source ident.\n",
291 ixs
->stats
->tx_dropped
++;
292 spin_unlock(&eroute_lock
);
293 return IPSEC_XMIT_ERRMEMALLOC
;
295 memcpy(ixs
->ips
.ips_ident_s
.data
, ixs
->eroute
->er_ident_s
.data
, len
);
297 ixs
->ips
.ips_ident_d
.type
= ixs
->eroute
->er_ident_d
.type
;
298 ixs
->ips
.ips_ident_d
.id
= ixs
->eroute
->er_ident_d
.id
;
299 ixs
->ips
.ips_ident_d
.len
= ixs
->eroute
->er_ident_d
.len
;
300 if (ixs
->ips
.ips_ident_d
.len
) {
301 len
= ixs
->ips
.ips_ident_d
.len
* IPSEC_PFKEYv2_ALIGN
- sizeof(struct sadb_ident
);
302 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
303 "klips_debug:ipsec_xmit_SAlookup: "
304 "allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n",
306 if ((ixs
->ips
.ips_ident_d
.data
= kmalloc(len
, GFP_ATOMIC
)) == NULL
) {
307 printk(KERN_WARNING
"klips_debug:ipsec_xmit_SAlookup: "
308 "Failed, tried to allocate %d bytes for dest ident.\n",
310 ixs
->stats
->tx_dropped
++;
311 spin_unlock(&eroute_lock
);
312 return IPSEC_XMIT_ERRMEMALLOC
;
314 memcpy(ixs
->ips
.ips_ident_d
.data
, ixs
->eroute
->er_ident_d
.data
, len
);
319 spin_unlock(&eroute_lock
);
320 return IPSEC_XMIT_OK
;
323 enum ipsec_xmit_value
324 ipsec_tunnel_restore_hard_header(struct ipsec_xmit_state
*ixs
)
326 KLIPS_PRINT(debug_tunnel
& DB_TN_CROUT
,
327 "klips_debug:ipsec_xmit_restore_hard_header: "
328 "After recursive xforms -- head,tailroom: %d,%d\n",
329 skb_headroom(ixs
->skb
),
330 skb_tailroom(ixs
->skb
));
332 if(ixs
->saved_header
) {
333 if(skb_headroom(ixs
->skb
) < ixs
->hard_header_len
) {
335 "klips_error:ipsec_xmit_restore_hard_header: "
336 "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
337 ixs
->hard_header_len
,
338 skb_headroom(ixs
->skb
));
339 ixs
->stats
->tx_errors
++;
340 return IPSEC_XMIT_PUSHPULLERR
;
343 skb_push(ixs
->skb
, ixs
->hard_header_len
);
346 for (i
= 0; i
< ixs
->hard_header_len
; i
++) {
347 ixs
->skb
->data
[i
] = ixs
->saved_header
[i
];
351 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
352 if (ixs
->natt_type
&& ixs
->natt_head
) {
353 struct iphdr
*ipp
= ixs
->skb
->nh
.iph
;
355 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
356 "klips_debug:ipsec_tunnel_start_xmit: "
357 "encapsulating packet into UDP (NAT-Traversal) (%d %d)\n",
358 ixs
->natt_type
, ixs
->natt_head
);
359 ixs
->iphlen
= ipp
->ihl
<< 2;
361 htons(ntohs(ipp
->tot_len
) + ixs
->natt_head
);
362 if(skb_tailroom(ixs
->skb
) < ixs
->natt_head
) {
363 printk(KERN_WARNING
"klips_error:ipsec_tunnel_start_xmit: "
364 "tried to skb_put %d, %d available. "
365 "This should never happen, please report.\n",
367 skb_tailroom(ixs
->skb
));
368 ixs
->stats
->tx_errors
++;
369 return IPSEC_XMIT_ESPUDP
;
371 skb_put(ixs
->skb
, ixs
->natt_head
);
372 udp
= (struct udphdr
*)((char *)ipp
+ ixs
->iphlen
);
373 /* move ESP hdr after UDP hdr */
374 memmove((void *)((char *)udp
+ ixs
->natt_head
),
376 ntohs(ipp
->tot_len
) - ixs
->iphlen
- ixs
->natt_head
);
377 /* clear UDP & Non-IKE Markers (if any) */
378 memset(udp
, 0, ixs
->natt_head
);
379 /* fill UDP with usefull informations ;-) */
380 udp
->source
= htons(ixs
->natt_sport
);
381 udp
->dest
= htons(ixs
->natt_dport
);
382 udp
->len
= htons(ntohs(ipp
->tot_len
) - ixs
->iphlen
);
384 ipp
->protocol
= IPPROTO_UDP
;
385 /* fix IP checksum */
387 ipp
->check
= ip_fast_csum((unsigned char *)ipp
, ipp
->ihl
);
390 KLIPS_PRINT(debug_tunnel
& DB_TN_CROUT
,
391 "klips_debug:ipsec_xmit_restore_hard_header: "
392 "With hard_header, final head,tailroom: %d,%d\n",
393 skb_headroom(ixs
->skb
),
394 skb_tailroom(ixs
->skb
));
396 return IPSEC_XMIT_OK
;
399 enum ipsec_xmit_value
400 ipsec_tunnel_send(struct ipsec_xmit_state
*ixs
)
406 #ifdef NET_21 /* 2.2 and 2.4 kernels */
407 /* new route/dst cache code from James Morris */
408 ixs
->skb
->dev
= ixs
->physdev
;
410 fl
.oif
= ixs
->physdev
->iflink
;
411 fl
.nl_u
.ip4_u
.daddr
= ixs
->skb
->nh
.iph
->daddr
;
412 fl
.nl_u
.ip4_u
.saddr
= ixs
->pass
? 0 : ixs
->skb
->nh
.iph
->saddr
;
413 fl
.nl_u
.ip4_u
.tos
= RT_TOS(ixs
->skb
->nh
.iph
->tos
);
414 fl
.proto
= ixs
->skb
->nh
.iph
->protocol
;
415 if ((ixs
->error
= ip_route_output_key(&ixs
->route
, &fl
))) {
417 /*skb_orphan(ixs->skb);*/
418 if((ixs
->error
= ip_route_output(&ixs
->route
,
419 ixs
->skb
->nh
.iph
->daddr
,
420 ixs
->pass
? 0 : ixs
->skb
->nh
.iph
->saddr
,
421 RT_TOS(ixs
->skb
->nh
.iph
->tos
),
422 /* mcr->rgb: should this be 0 instead? */
423 ixs
->physdev
->iflink
))) {
425 ixs
->stats
->tx_errors
++;
426 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
427 "klips_debug:ipsec_xmit_send: "
428 "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
430 ixs
->route
->u
.dst
.dev
->name
);
431 return IPSEC_XMIT_ROUTEERR
;
433 if(ixs
->dev
== ixs
->route
->u
.dst
.dev
) {
434 ip_rt_put(ixs
->route
);
435 /* This is recursion, drop it. */
436 ixs
->stats
->tx_errors
++;
437 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
438 "klips_debug:ipsec_xmit_send: "
439 "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
441 return IPSEC_XMIT_RECURSDETECT
;
443 dst_release(ixs
->skb
->dst
);
444 ixs
->skb
->dst
= &ixs
->route
->u
.dst
;
445 ixs
->stats
->tx_bytes
+= ixs
->skb
->len
;
446 if(ixs
->skb
->len
< ixs
->skb
->nh
.raw
- ixs
->skb
->data
) {
447 ixs
->stats
->tx_errors
++;
449 "klips_error:ipsec_xmit_send: "
450 "tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n",
451 (unsigned long)(ixs
->skb
->nh
.raw
- ixs
->skb
->data
),
453 return IPSEC_XMIT_PUSHPULLERR
;
455 __skb_pull(ixs
->skb
, ixs
->skb
->nh
.raw
- ixs
->skb
->data
);
456 #ifdef SKB_RESET_NFCT
458 nf_conntrack_put(ixs
->skb
->nfct
);
459 ixs
->skb
->nfct
= NULL
;
461 #ifdef CONFIG_NETFILTER_DEBUG
462 ixs
->skb
->nf_debug
= 0;
463 #endif /* CONFIG_NETFILTER_DEBUG */
464 #endif /* SKB_RESET_NFCT */
465 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
466 "klips_debug:ipsec_xmit_send: "
467 "...done, calling ip_send() on device:%s\n",
468 ixs
->skb
->dev
? ixs
->skb
->dev
->name
: "NULL");
469 KLIPS_IP_PRINT(debug_tunnel
& DB_TN_XMIT
, ixs
->skb
->nh
.iph
);
470 #ifdef NETDEV_23 /* 2.4 kernels */
474 err
= NF_HOOK(PF_INET
, NF_IP_LOCAL_OUT
, ixs
->skb
, NULL
, ixs
->route
->u
.dst
.dev
,
476 if(err
!= NET_XMIT_SUCCESS
&& err
!= NET_XMIT_CN
) {
479 "klips_error:ipsec_xmit_send: "
480 "ip_send() failed, err=%d\n",
482 ixs
->stats
->tx_errors
++;
483 ixs
->stats
->tx_aborted_errors
++;
485 return IPSEC_XMIT_IPSENDFAILURE
;
488 #else /* NETDEV_23 */ /* 2.2 kernels */
490 #endif /* NETDEV_23 */
491 #else /* NET_21 */ /* 2.0 kernels */
493 /* ISDN/ASYNC PPP from Matjaz Godec. */
494 /* skb->protocol = htons(ETH_P_IP); */
495 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
496 "klips_debug:ipsec_xmit_send: "
497 "...done, calling dev_queue_xmit() or ip_fragment().\n");
498 IP_SEND(ixs
->skb
, ixs
->physdev
);
500 ixs
->stats
->tx_packets
++;
504 return IPSEC_XMIT_OK
;
508 ipsec_tunnel_cleanup(struct ipsec_xmit_state
*ixs
)
510 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
511 netif_wake_queue(ixs
->dev
);
512 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
514 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
515 if(ixs
->saved_header
) {
516 kfree(ixs
->saved_header
);
519 dev_kfree_skb(ixs
->skb
, FREE_WRITE
);
522 dev_kfree_skb(ixs
->oskb
, FREE_WRITE
);
524 if (ixs
->ips
.ips_ident_s
.data
) {
525 kfree(ixs
->ips
.ips_ident_s
.data
);
527 if (ixs
->ips
.ips_ident_d
.data
) {
528 kfree(ixs
->ips
.ips_ident_d
.data
);
533 * This function assumes it is being called from dev_queue_xmit()
534 * and that skb is filled properly by that function.
537 ipsec_tunnel_start_xmit(struct sk_buff
*skb
, struct device
*dev
)
539 struct ipsec_xmit_state ixs_mem
;
540 struct ipsec_xmit_state
*ixs
= &ixs_mem
;
541 enum ipsec_xmit_value stat
;
543 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
544 ixs
->natt_type
= 0, ixs
->natt_head
= 0;
545 ixs
->natt_sport
= 0, ixs
->natt_dport
= 0;
548 memset((caddr_t
)ixs
, 0, sizeof(*ixs
));
550 ixs
->saved_header
= NULL
; /* saved copy of the hard header */
552 memset((caddr_t
)&(ixs
->ips
), 0, sizeof(ixs
->ips
));
556 stat
= ipsec_xmit_sanity_check_dev(ixs
);
557 if(stat
!= IPSEC_XMIT_OK
) {
561 stat
= ipsec_xmit_sanity_check_skb(ixs
);
562 if(stat
!= IPSEC_XMIT_OK
) {
566 stat
= ipsec_tunnel_strip_hard_header(ixs
);
567 if(stat
!= IPSEC_XMIT_OK
) {
571 stat
= ipsec_tunnel_SAlookup(ixs
);
572 if(stat
!= IPSEC_XMIT_OK
) {
573 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
574 "klips_debug:ipsec_tunnel_start_xmit: SAlookup failed: %d\n",
579 ixs
->innersrc
= ixs
->iph
->saddr
;
580 /* start encapsulation loop here XXX */
582 stat
= ipsec_xmit_encap_bundle(ixs
);
583 if(stat
!= IPSEC_XMIT_OK
) {
584 if(stat
== IPSEC_XMIT_PASS
) {
588 KLIPS_PRINT(debug_tunnel
& DB_TN_XMIT
,
589 "klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: %d\n",
594 ixs
->matcher
.sen_ip_src
.s_addr
= ixs
->iph
->saddr
;
595 ixs
->matcher
.sen_ip_dst
.s_addr
= ixs
->iph
->daddr
;
596 ixs
->matcher
.sen_proto
= ixs
->iph
->protocol
;
597 ipsec_extract_ports(ixs
->iph
, &ixs
->matcher
);
599 spin_lock(&eroute_lock
);
600 ixs
->eroute
= ipsec_findroute(&ixs
->matcher
);
602 ixs
->outgoing_said
= ixs
->eroute
->er_said
;
603 ixs
->eroute_pid
= ixs
->eroute
->er_pid
;
604 ixs
->eroute
->er_count
++;
605 ixs
->eroute
->er_lasttime
= jiffies
/HZ
;
607 spin_unlock(&eroute_lock
);
609 KLIPS_PRINT((debug_tunnel
& DB_TN_XMIT
) &&
610 /* ((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc)) */
611 (ixs
->orgedst
!= ixs
->outgoing_said
.dst
.s_addr
) &&
612 ixs
->outgoing_said
.dst
.s_addr
&&
614 "klips_debug:ipsec_tunnel_start_xmit: "
615 "We are recursing here.\n");
617 } while(/*((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc))*/
618 (ixs
->orgedst
!= ixs
->outgoing_said
.dst
.s_addr
) &&
619 ixs
->outgoing_said
.dst
.s_addr
&&
622 stat
= ipsec_tunnel_restore_hard_header(ixs
);
623 if(stat
!= IPSEC_XMIT_OK
) {
628 stat
= ipsec_tunnel_send(ixs
);
631 ipsec_tunnel_cleanup(ixs
);
636 DEBUG_NO_STATIC
struct net_device_stats
*
637 ipsec_tunnel_get_stats(struct device
*dev
)
639 return &(((struct ipsecpriv
*)(dev
->priv
))->mystats
);
644 * For each of these calls, a field exists in our private structure.
648 ipsec_tunnel_hard_header(struct sk_buff
*skb
, struct device
*dev
,
649 unsigned short type
, void *daddr
, void *saddr
, unsigned len
)
651 struct ipsecpriv
*prv
= dev
->priv
;
654 struct net_device_stats
*stats
; /* This device's statistics */
657 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
658 "klips_debug:ipsec_tunnel_hard_header: "
664 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
665 "klips_debug:ipsec_tunnel_hard_header: "
670 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
671 "klips_debug:ipsec_tunnel_hard_header: "
672 "skb->dev=%s dev=%s.\n",
673 skb
->dev
? skb
->dev
->name
: "NULL",
677 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
678 "klips_debug:ipsec_tunnel_hard_header: "
679 "no private space associated with dev=%s\n",
680 dev
->name
? dev
->name
: "NULL");
684 stats
= (struct net_device_stats
*) &(prv
->mystats
);
686 if(prv
->dev
== NULL
) {
687 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
688 "klips_debug:ipsec_tunnel_hard_header: "
689 "no physical device associated with dev=%s\n",
690 dev
->name
? dev
->name
: "NULL");
695 /* check if we have to send a IPv6 packet. It might be a Router
696 Solicitation, where the building of the packet happens in
701 -> skb->nh.raw is still uninitialized when this function is
702 called!! If this is no IPv6 packet, we can print debugging
703 messages, otherwise we skip all debugging messages and just
704 build the ll header */
705 if(type
!= ETH_P_IPV6
) {
706 /* execute this only, if we don't have to build the
707 header for a IPv6 packet */
708 if(!prv
->hard_header
) {
709 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
710 "klips_debug:ipsec_tunnel_hard_header: "
711 "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
718 KLIPS_PRINTMORE(debug_tunnel
& DB_TN_REVEC
,
720 (__u32
)ntohl(skb
->nh
.iph
->saddr
),
721 (__u32
)ntohl(skb
->nh
.iph
->daddr
) );
723 KLIPS_PRINTMORE(debug_tunnel
& DB_TN_REVEC
,
725 (__u32
)ntohl(skb
->ip_hdr
->saddr
),
726 (__u32
)ntohl(skb
->ip_hdr
->daddr
) );
732 #define da ((struct device *)(prv->dev))->dev_addr
733 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
734 "klips_debug:ipsec_tunnel_hard_header: "
735 "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
742 da
[0], da
[1], da
[2], da
[3], da
[4], da
[5]);
744 KLIPS_PRINTMORE(debug_tunnel
& DB_TN_REVEC
,
746 (__u32
)ntohl(skb
->nh
.iph
->saddr
),
747 (__u32
)ntohl(skb
->nh
.iph
->daddr
) );
749 KLIPS_PRINTMORE(debug_tunnel
& DB_TN_REVEC
,
751 (__u32
)ntohl(skb
->ip_hdr
->saddr
),
752 (__u32
)ntohl(skb
->ip_hdr
->daddr
) );
755 KLIPS_PRINT(debug_tunnel
,
756 "klips_debug:ipsec_tunnel_hard_header: "
757 "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
761 ret
= prv
->hard_header(skb
, prv
->dev
, type
, (void *)daddr
, (void *)saddr
, len
);
768 ipsec_tunnel_rebuild_header(struct sk_buff
*skb
)
770 ipsec_tunnel_rebuild_header(void *buff
, struct device
*dev
,
771 unsigned long raddr
, struct sk_buff
*skb
)
774 struct ipsecpriv
*prv
= skb
->dev
->priv
;
777 struct net_device_stats
*stats
; /* This device's statistics */
779 if(skb
->dev
== NULL
) {
780 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
781 "klips_debug:ipsec_tunnel_rebuild_header: "
787 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
788 "klips_debug:ipsec_tunnel_rebuild_header: "
789 "no private space associated with dev=%s",
790 skb
->dev
->name
? skb
->dev
->name
: "NULL");
794 stats
= (struct net_device_stats
*) &(prv
->mystats
);
796 if(prv
->dev
== NULL
) {
797 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
798 "klips_debug:ipsec_tunnel_rebuild_header: "
799 "no physical device associated with dev=%s",
800 skb
->dev
->name
? skb
->dev
->name
: "NULL");
805 if(!prv
->rebuild_header
) {
806 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
807 "klips_debug:ipsec_tunnel_rebuild_header: "
808 "physical device has been detached, packet dropped skb->dev=%s->NULL ",
811 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
813 (__u32
)ntohl(skb
->nh
.iph
->saddr
),
814 (__u32
)ntohl(skb
->nh
.iph
->daddr
) );
816 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
818 (__u32
)ntohl(skb
->ip_hdr
->saddr
),
819 (__u32
)ntohl(skb
->ip_hdr
->daddr
) );
825 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
826 "klips_debug:ipsec_tunnel: "
827 "Revectored rebuild_header dev=%s->%s ",
828 skb
->dev
->name
, prv
->dev
->name
);
830 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
832 (__u32
)ntohl(skb
->nh
.iph
->saddr
),
833 (__u32
)ntohl(skb
->nh
.iph
->daddr
) );
835 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
837 (__u32
)ntohl(skb
->ip_hdr
->saddr
),
838 (__u32
)ntohl(skb
->ip_hdr
->daddr
) );
844 ret
= prv
->rebuild_header(skb
);
846 ret
= prv
->rebuild_header(buff
, prv
->dev
, raddr
, skb
);
853 ipsec_tunnel_set_mac_address(struct device
*dev
, void *addr
)
855 struct ipsecpriv
*prv
= dev
->priv
;
857 struct net_device_stats
*stats
; /* This device's statistics */
860 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
861 "klips_debug:ipsec_tunnel_set_mac_address: "
867 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
868 "klips_debug:ipsec_tunnel_set_mac_address: "
869 "no private space associated with dev=%s",
870 dev
->name
? dev
->name
: "NULL");
874 stats
= (struct net_device_stats
*) &(prv
->mystats
);
876 if(prv
->dev
== NULL
) {
877 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
878 "klips_debug:ipsec_tunnel_set_mac_address: "
879 "no physical device associated with dev=%s",
880 dev
->name
? dev
->name
: "NULL");
885 if(!prv
->set_mac_address
) {
886 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
887 "klips_debug:ipsec_tunnel_set_mac_address: "
888 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
893 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
894 "klips_debug:ipsec_tunnel_set_mac_address: "
895 "Revectored dev=%s->%s addr=0p%p\n",
896 dev
->name
, prv
->dev
->name
, addr
);
897 return prv
->set_mac_address(prv
->dev
, addr
);
903 ipsec_tunnel_cache_bind(struct hh_cache
**hhp
, struct device
*dev
,
904 unsigned short htype
, __u32 daddr
)
906 struct ipsecpriv
*prv
= dev
->priv
;
908 struct net_device_stats
*stats
; /* This device's statistics */
911 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
912 "klips_debug:ipsec_tunnel_cache_bind: "
918 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
919 "klips_debug:ipsec_tunnel_cache_bind: "
920 "no private space associated with dev=%s",
921 dev
->name
? dev
->name
: "NULL");
925 stats
= (struct net_device_stats
*) &(prv
->mystats
);
927 if(prv
->dev
== NULL
) {
928 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
929 "klips_debug:ipsec_tunnel_cache_bind: "
930 "no physical device associated with dev=%s",
931 dev
->name
? dev
->name
: "NULL");
936 if(!prv
->header_cache_bind
) {
937 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
938 "klips_debug:ipsec_tunnel_cache_bind: "
939 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
945 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
946 "klips_debug:ipsec_tunnel_cache_bind: "
948 prv
->header_cache_bind(hhp
, prv
->dev
, htype
, daddr
);
955 ipsec_tunnel_cache_update(struct hh_cache
*hh
, struct device
*dev
, unsigned char * haddr
)
957 struct ipsecpriv
*prv
= dev
->priv
;
959 struct net_device_stats
*stats
; /* This device's statistics */
962 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
963 "klips_debug:ipsec_tunnel_cache_update: "
969 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
970 "klips_debug:ipsec_tunnel_cache_update: "
971 "no private space associated with dev=%s",
972 dev
->name
? dev
->name
: "NULL");
976 stats
= (struct net_device_stats
*) &(prv
->mystats
);
978 if(prv
->dev
== NULL
) {
979 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
980 "klips_debug:ipsec_tunnel_cache_update: "
981 "no physical device associated with dev=%s",
982 dev
->name
? dev
->name
: "NULL");
987 if(!prv
->header_cache_update
) {
988 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
989 "klips_debug:ipsec_tunnel_cache_update: "
990 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
995 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
996 "klips_debug:ipsec_tunnel: "
997 "Revectored cache_update\n");
998 prv
->header_cache_update(hh
, prv
->dev
, haddr
);
1004 ipsec_tunnel_neigh_setup(struct neighbour
*n
)
1006 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
1007 "klips_debug:ipsec_tunnel_neigh_setup:\n");
1009 if (n
->nud_state
== NUD_NONE
) {
1010 n
->ops
= &arp_broken_ops
;
1011 n
->output
= n
->ops
->output
;
1017 ipsec_tunnel_neigh_setup_dev(struct device
*dev
, struct neigh_parms
*p
)
1019 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
1020 "klips_debug:ipsec_tunnel_neigh_setup_dev: "
1022 dev
? dev
->name
: "NULL");
1024 if (p
->tbl
->family
== AF_INET
) {
1025 p
->neigh_setup
= ipsec_tunnel_neigh_setup
;
1026 p
->ucast_probes
= 0;
1027 p
->mcast_probes
= 0;
1034 * We call the attach routine to attach another device.
1038 ipsec_tunnel_attach(struct device
*dev
, struct device
*physdev
)
1041 struct ipsecpriv
*prv
= dev
->priv
;
1044 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
1045 "klips_debug:ipsec_tunnel_attach: "
1051 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
1052 "klips_debug:ipsec_tunnel_attach: "
1053 "no private space associated with dev=%s",
1054 dev
->name
? dev
->name
: "NULL");
1059 prv
->hard_start_xmit
= physdev
->hard_start_xmit
;
1060 prv
->get_stats
= physdev
->get_stats
;
1062 if (physdev
->hard_header
) {
1063 prv
->hard_header
= physdev
->hard_header
;
1064 dev
->hard_header
= ipsec_tunnel_hard_header
;
1066 dev
->hard_header
= NULL
;
1068 if (physdev
->rebuild_header
) {
1069 prv
->rebuild_header
= physdev
->rebuild_header
;
1070 dev
->rebuild_header
= ipsec_tunnel_rebuild_header
;
1072 dev
->rebuild_header
= NULL
;
1074 if (physdev
->set_mac_address
) {
1075 prv
->set_mac_address
= physdev
->set_mac_address
;
1076 dev
->set_mac_address
= ipsec_tunnel_set_mac_address
;
1078 dev
->set_mac_address
= NULL
;
1081 if (physdev
->header_cache_bind
) {
1082 prv
->header_cache_bind
= physdev
->header_cache_bind
;
1083 dev
->header_cache_bind
= ipsec_tunnel_cache_bind
;
1085 dev
->header_cache_bind
= NULL
;
1086 #endif /* !NET_21 */
1088 if (physdev
->header_cache_update
) {
1089 prv
->header_cache_update
= physdev
->header_cache_update
;
1090 dev
->header_cache_update
= ipsec_tunnel_cache_update
;
1092 dev
->header_cache_update
= NULL
;
1094 dev
->hard_header_len
= physdev
->hard_header_len
;
1097 /* prv->neigh_setup = physdev->neigh_setup; */
1098 dev
->neigh_setup
= ipsec_tunnel_neigh_setup_dev
;
1100 dev
->mtu
= 16260; /* 0xfff0; */ /* dev->mtu; */
1101 prv
->mtu
= physdev
->mtu
;
1104 dev
->type
= physdev
->type
; /* ARPHRD_TUNNEL; */
1105 #endif /* PHYSDEV_TYPE */
1107 dev
->addr_len
= physdev
->addr_len
;
1108 for (i
=0; i
<dev
->addr_len
; i
++) {
1109 dev
->dev_addr
[i
] = physdev
->dev_addr
[i
];
1111 #ifdef CONFIG_IPSEC_DEBUG
1112 if(debug_tunnel
& DB_TN_INIT
) {
1113 printk(KERN_INFO
"klips_debug:ipsec_tunnel_attach: "
1114 "physical device %s being attached has HW address: %2x",
1115 physdev
->name
, physdev
->dev_addr
[0]);
1116 for (i
=1; i
< physdev
->addr_len
; i
++) {
1117 printk(":%02x", physdev
->dev_addr
[i
]);
1121 #endif /* CONFIG_IPSEC_DEBUG */
1127 * We call the detach routine to detach the ipsec tunnel from another device.
1131 ipsec_tunnel_detach(struct device
*dev
)
1134 struct ipsecpriv
*prv
= dev
->priv
;
1137 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
1138 "klips_debug:ipsec_tunnel_detach: "
1144 KLIPS_PRINT(debug_tunnel
& DB_TN_REVEC
,
1145 "klips_debug:ipsec_tunnel_detach: "
1146 "no private space associated with dev=%s",
1147 dev
->name
? dev
->name
: "NULL");
1151 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1152 "klips_debug:ipsec_tunnel_detach: "
1153 "physical device %s being detached from virtual device %s\n",
1154 prv
->dev
? prv
->dev
->name
: "NULL",
1157 ipsec_dev_put(prv
->dev
);
1159 prv
->hard_start_xmit
= NULL
;
1160 prv
->get_stats
= NULL
;
1162 prv
->hard_header
= NULL
;
1163 #ifdef DETACH_AND_DOWN
1164 dev
->hard_header
= NULL
;
1165 #endif /* DETACH_AND_DOWN */
1167 prv
->rebuild_header
= NULL
;
1168 #ifdef DETACH_AND_DOWN
1169 dev
->rebuild_header
= NULL
;
1170 #endif /* DETACH_AND_DOWN */
1172 prv
->set_mac_address
= NULL
;
1173 #ifdef DETACH_AND_DOWN
1174 dev
->set_mac_address
= NULL
;
1175 #endif /* DETACH_AND_DOWN */
1178 prv
->header_cache_bind
= NULL
;
1179 #ifdef DETACH_AND_DOWN
1180 dev
->header_cache_bind
= NULL
;
1181 #endif /* DETACH_AND_DOWN */
1182 #endif /* !NET_21 */
1184 prv
->header_cache_update
= NULL
;
1185 #ifdef DETACH_AND_DOWN
1186 dev
->header_cache_update
= NULL
;
1187 #endif /* DETACH_AND_DOWN */
1190 /* prv->neigh_setup = NULL; */
1191 #ifdef DETACH_AND_DOWN
1192 dev
->neigh_setup
= NULL
;
1193 #endif /* DETACH_AND_DOWN */
1195 dev
->hard_header_len
= 0;
1196 #ifdef DETACH_AND_DOWN
1198 #endif /* DETACH_AND_DOWN */
1200 for (i
=0; i
<MAX_ADDR_LEN
; i
++) {
1201 dev
->dev_addr
[i
] = 0;
1205 dev
->type
= ARPHRD_VOID
; /* ARPHRD_TUNNEL; */
1206 #endif /* PHYSDEV_TYPE */
1212 * We call the clear routine to detach all ipsec tunnels from other devices.
1215 ipsec_tunnel_clear(void)
1218 struct device
*ipsecdev
= NULL
, *prvdev
;
1219 struct ipsecpriv
*prv
;
1223 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1224 "klips_debug:ipsec_tunnel_clear: .\n");
1226 for(i
= 0; i
< IPSEC_NUM_IF
; i
++) {
1227 ipsecdev
= ipsecdevices
[i
];
1228 if(ipsecdev
!= NULL
) {
1229 if((prv
= (struct ipsecpriv
*)(ipsecdev
->priv
))) {
1230 prvdev
= (struct device
*)(prv
->dev
);
1232 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1233 "klips_debug:ipsec_tunnel_clear: "
1234 "physical device for device %s is %s\n",
1235 name
, prvdev
->name
);
1236 if((ret
= ipsec_tunnel_detach(ipsecdev
))) {
1237 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1238 "klips_debug:ipsec_tunnel_clear: "
1239 "error %d detatching device %s from device %s.\n",
1240 ret
, name
, prvdev
->name
);
1251 ipsec_tunnel_ioctl(struct device
*dev
, struct ifreq
*ifr
, int cmd
)
1253 struct ipsectunnelconf
*cf
= (struct ipsectunnelconf
*)&ifr
->ifr_data
;
1254 struct ipsecpriv
*prv
= dev
->priv
;
1255 struct device
*them
; /* physical device */
1256 #ifdef CONFIG_IP_ALIAS
1258 char realphysname
[IFNAMSIZ
];
1259 #endif /* CONFIG_IP_ALIAS */
1262 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1263 "klips_debug:ipsec_tunnel_ioctl: "
1264 "device not supplied.\n");
1268 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1269 "klips_debug:ipsec_tunnel_ioctl: "
1270 "tncfg service call #%d for dev=%s\n",
1272 dev
->name
? dev
->name
: "NULL");
1274 /* attach a virtual ipsec? device to a physical device */
1276 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1277 "klips_debug:ipsec_tunnel_ioctl: "
1278 "calling ipsec_tunnel_attatch...\n");
1279 #ifdef CONFIG_IP_ALIAS
1280 /* If this is an IP alias interface, get its real physical name */
1281 strncpy(realphysname
, cf
->cf_name
, IFNAMSIZ
);
1282 realphysname
[IFNAMSIZ
-1] = 0;
1283 colon
= strchr(realphysname
, ':');
1284 if (colon
) *colon
= 0;
1285 them
= ipsec_dev_get(realphysname
);
1286 #else /* CONFIG_IP_ALIAS */
1287 them
= ipsec_dev_get(cf
->cf_name
);
1288 #endif /* CONFIG_IP_ALIAS */
1291 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1292 "klips_debug:ipsec_tunnel_ioctl: "
1293 "physical device %s requested is null\n",
1299 if (them
->flags
& IFF_UP
) {
1300 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1301 "klips_debug:ipsec_tunnel_ioctl: "
1302 "physical device %s requested is not up.\n",
1304 ipsec_dev_put(them
);
1309 if (prv
&& prv
->dev
) {
1310 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1311 "klips_debug:ipsec_tunnel_ioctl: "
1312 "virtual device is already connected to %s.\n",
1313 prv
->dev
->name
? prv
->dev
->name
: "NULL");
1314 ipsec_dev_put(them
);
1317 return ipsec_tunnel_attach(dev
, them
);
1320 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1321 "klips_debug:ipsec_tunnel_ioctl: "
1322 "calling ipsec_tunnel_detatch.\n");
1324 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1325 "klips_debug:ipsec_tunnel_ioctl: "
1326 "physical device not connected.\n");
1329 return ipsec_tunnel_detach(dev
);
1332 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1333 "klips_debug:ipsec_tunnel_ioctl: "
1334 "calling ipsec_tunnel_clear.\n");
1335 return ipsec_tunnel_clear();
1338 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1339 "klips_debug:ipsec_tunnel_ioctl: "
1340 "unknown command %d.\n",
1347 ipsec_device_event(struct notifier_block
*unused
, unsigned long event
, void *ptr
)
1349 struct device
*dev
= ptr
;
1350 struct device
*ipsec_dev
;
1351 struct ipsecpriv
*priv
;
1355 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1356 "klips_debug:ipsec_device_event: "
1357 "dev=NULL for event type %ld.\n",
1359 return(NOTIFY_DONE
);
1362 /* check for loopback devices */
1363 if (dev
&& (dev
->flags
& IFF_LOOPBACK
)) {
1364 return(NOTIFY_DONE
);
1369 /* look very carefully at the scope of these compiler
1370 directives before changing anything... -- RGB */
1372 case NETDEV_UNREGISTER
:
1376 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1377 "klips_debug:ipsec_device_event: "
1378 "NETDEV_DOWN dev=%s flags=%x\n",
1381 if(strncmp(dev
->name
, "ipsec", strlen("ipsec")) == 0) {
1382 printk(KERN_CRIT
"IPSEC EVENT: KLIPS device %s shut down.\n",
1387 case NETDEV_UNREGISTER
:
1388 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1389 "klips_debug:ipsec_device_event: "
1390 "NETDEV_UNREGISTER dev=%s flags=%x\n",
1397 /* find the attached physical device and detach it. */
1398 for(i
= 0; i
< IPSEC_NUM_IF
; i
++) {
1399 ipsec_dev
= ipsecdevices
[i
];
1402 priv
= (struct ipsecpriv
*)(ipsec_dev
->priv
);
1405 if(((struct device
*)(priv
->dev
)) == dev
) {
1406 /* dev_close(ipsec_dev); */
1407 /* return */ ipsec_tunnel_detach(ipsec_dev
);
1408 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1409 "klips_debug:ipsec_device_event: "
1410 "device '%s' has been detached.\n",
1415 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1416 "klips_debug:ipsec_device_event: "
1417 "device '%s' has no private data space!\n",
1424 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1425 "klips_debug:ipsec_device_event: "
1426 "NETDEV_UP dev=%s\n",
1431 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1432 "klips_debug:ipsec_device_event: "
1433 "NETDEV_REBOOT dev=%s\n",
1437 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1438 "klips_debug:ipsec_device_event: "
1439 "NETDEV_CHANGE dev=%s flags=%x\n",
1443 case NETDEV_REGISTER
:
1444 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1445 "klips_debug:ipsec_device_event: "
1446 "NETDEV_REGISTER dev=%s\n",
1449 case NETDEV_CHANGEMTU
:
1450 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1451 "klips_debug:ipsec_device_event: "
1452 "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
1456 case NETDEV_CHANGEADDR
:
1457 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1458 "klips_debug:ipsec_device_event: "
1459 "NETDEV_CHANGEADDR dev=%s\n",
1462 case NETDEV_GOING_DOWN
:
1463 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1464 "klips_debug:ipsec_device_event: "
1465 "NETDEV_GOING_DOWN dev=%s\n",
1468 case NETDEV_CHANGENAME
:
1469 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1470 "klips_debug:ipsec_device_event: "
1471 "NETDEV_CHANGENAME dev=%s\n",
1476 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1477 "klips_debug:ipsec_device_event: "
1478 "event type %ld unrecognised for dev=%s\n",
1487 * Called when an ipsec tunnel device is initialized.
1488 * The ipsec tunnel device structure is passed to us.
1492 ipsec_tunnel_init(struct device
*dev
)
1496 KLIPS_PRINT(debug_tunnel
,
1497 "klips_debug:ipsec_tunnel_init: "
1498 "allocating %lu bytes initialising device: %s\n",
1499 (unsigned long) sizeof(struct ipsecpriv
),
1500 dev
->name
? dev
->name
: "NULL");
1502 /* Add our tunnel functions to the device */
1503 dev
->open
= ipsec_tunnel_open
;
1504 dev
->stop
= ipsec_tunnel_close
;
1505 dev
->hard_start_xmit
= ipsec_tunnel_start_xmit
;
1506 dev
->get_stats
= ipsec_tunnel_get_stats
;
1508 dev
->priv
= kmalloc(sizeof(struct ipsecpriv
), GFP_KERNEL
);
1509 if (dev
->priv
== NULL
)
1511 memset((caddr_t
)(dev
->priv
), 0, sizeof(struct ipsecpriv
));
1513 for(i
= 0; i
< sizeof(zeroes
); i
++) {
1514 ((__u8
*)(zeroes
))[i
] = 0;
1518 /* Initialize the tunnel device structure */
1519 for (i
= 0; i
< DEV_NUMBUFFS
; i
++)
1520 skb_queue_head_init(&dev
->buffs
[i
]);
1521 #endif /* !NET_21 */
1523 dev
->set_multicast_list
= NULL
;
1524 dev
->do_ioctl
= ipsec_tunnel_ioctl
;
1525 dev
->hard_header
= NULL
;
1526 dev
->rebuild_header
= NULL
;
1527 dev
->set_mac_address
= NULL
;
1529 dev
->header_cache_bind
= NULL
;
1530 #endif /* !NET_21 */
1531 dev
->header_cache_update
= NULL
;
1534 /* prv->neigh_setup = NULL; */
1535 dev
->neigh_setup
= ipsec_tunnel_neigh_setup_dev
;
1537 dev
->hard_header_len
= 0;
1540 dev
->type
= ARPHRD_VOID
; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
1541 dev
->tx_queue_len
= 10; /* Small queue */
1542 memset((caddr_t
)(dev
->broadcast
),0xFF, ETH_ALEN
); /* what if this is not attached to ethernet? */
1544 /* New-style flags. */
1545 dev
->flags
= IFF_NOARP
/* 0 */ /* Petr Novak */;
1547 dev_init_buffers(dev
);
1549 dev
->family
= AF_INET
;
1551 dev
->pa_brdaddr
= 0;
1556 /* We're done. Have I forgotten anything? */
1560 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1561 /* Module specific interface (but it links with the rest of IPSEC) */
1562 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1565 ipsec_tunnel_probe(struct device
*dev
)
1567 ipsec_tunnel_init(dev
);
1571 struct device
*ipsecdevices
[IPSEC_NUM_IF
];
1574 ipsec_tunnel_init_devices(void)
1577 char name
[IFNAMSIZ
];
1578 struct device
*dev_ipsec
;
1580 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1581 "klips_debug:ipsec_tunnel_init_devices: "
1582 "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
1584 (unsigned long) (sizeof(struct device
) + IFNAMSIZ
),
1587 for(i
= 0; i
< IPSEC_NUM_IF
; i
++) {
1588 sprintf(name
, IPSEC_DEV_FORMAT
, i
);
1589 dev_ipsec
= (struct device
*)kmalloc(sizeof(struct device
), GFP_KERNEL
);
1590 if (dev_ipsec
== NULL
) {
1591 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1592 "klips_debug:ipsec_tunnel_init_devices: "
1593 "failed to allocate memory for device %s, quitting device init.\n",
1597 memset((caddr_t
)dev_ipsec
, 0, sizeof(struct device
));
1599 strncpy(dev_ipsec
->name
, name
, sizeof(dev_ipsec
->name
));
1600 #else /* NETDEV_23 */
1601 dev_ipsec
->name
= (char*)kmalloc(IFNAMSIZ
, GFP_KERNEL
);
1602 if (dev_ipsec
->name
== NULL
) {
1603 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1604 "klips_debug:ipsec_tunnel_init_devices: "
1605 "failed to allocate memory for device %s name, quitting device init.\n",
1609 memset((caddr_t
)dev_ipsec
->name
, 0, IFNAMSIZ
);
1610 strncpy(dev_ipsec
->name
, name
, IFNAMSIZ
);
1611 #endif /* NETDEV_23 */
1612 dev_ipsec
->next
= NULL
;
1613 dev_ipsec
->init
= &ipsec_tunnel_probe
;
1614 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1615 "klips_debug:ipsec_tunnel_init_devices: "
1616 "registering device %s\n",
1619 /* reference and hold the device reference */
1620 dev_hold(dev_ipsec
);
1621 ipsecdevices
[i
]=dev_ipsec
;
1623 if (register_netdev(dev_ipsec
) != 0) {
1624 KLIPS_PRINT(1 || debug_tunnel
& DB_TN_INIT
,
1625 "klips_debug:ipsec_tunnel_init_devices: "
1626 "registering device %s failed, quitting device init.\n",
1630 KLIPS_PRINT(debug_tunnel
& DB_TN_INIT
,
1631 "klips_debug:ipsec_tunnel_init_devices: "
1632 "registering device %s succeeded, continuing...\n",
1641 ipsec_tunnel_cleanup_devices(void)
1646 struct device
*dev_ipsec
;
1648 for(i
= 0; i
< IPSEC_NUM_IF
; i
++) {
1649 dev_ipsec
= ipsecdevices
[i
];
1650 if(dev_ipsec
== NULL
) {
1654 /* release reference */
1655 ipsecdevices
[i
]=NULL
;
1656 ipsec_dev_put(dev_ipsec
);
1658 KLIPS_PRINT(debug_tunnel
, "Unregistering %s (refcnt=%d)\n",
1660 atomic_read(&dev_ipsec
->refcnt
));
1661 unregister_netdev(dev_ipsec
);
1662 KLIPS_PRINT(debug_tunnel
, "Unregisted %s\n", name
);
1664 kfree(dev_ipsec
->name
);
1665 dev_ipsec
->name
=NULL
;
1666 #endif /* !NETDEV_23 */
1667 kfree(dev_ipsec
->priv
);
1668 dev_ipsec
->priv
=NULL
;