]> git.ipfire.org Git - thirdparty/strongswan.git/blob - linux/net/ipsec/ipsec_tunnel.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
- import of strongswan-2.7.0
[thirdparty/strongswan.git] / linux / net / ipsec / ipsec_tunnel.c
1 /*
2 * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs.
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.4 2005/06/16 21:21:02 as Exp $";
18
19 #define __NO_VERSION__
20 #include <linux/module.h>
21 #include <linux/config.h> /* for CONFIG_IP_FORWARD */
22 #include <linux/version.h>
23 #include <linux/kernel.h> /* printk() */
24
25 #include "freeswan/ipsec_param.h"
26
27 #ifdef MALLOC_SLAB
28 # include <linux/slab.h> /* kmalloc() */
29 #else /* MALLOC_SLAB */
30 # include <linux/malloc.h> /* kmalloc() */
31 #endif /* MALLOC_SLAB */
32 #include <linux/errno.h> /* error codes */
33 #include <linux/types.h> /* size_t */
34 #include <linux/interrupt.h> /* mark_bh */
35
36 #include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
37 #include <linux/etherdevice.h> /* eth_type_trans */
38 #include <linux/ip.h> /* struct iphdr */
39 #include <linux/tcp.h> /* struct tcphdr */
40 #include <linux/udp.h> /* struct udphdr */
41 #include <linux/skbuff.h>
42 #include <freeswan.h>
43 #ifdef NET_21
44 # include <asm/uaccess.h>
45 # include <linux/in6.h>
46 # define ip_chk_addr inet_addr_type
47 # define IS_MYADDR RTN_LOCAL
48 # include <net/dst.h>
49 # undef dev_kfree_skb
50 # define dev_kfree_skb(a,b) kfree_skb(a)
51 # define PHYSDEV_TYPE
52 #endif /* NET_21 */
53 #include <asm/checksum.h>
54 #include <net/icmp.h> /* icmp_send() */
55 #include <net/ip.h>
56 #ifdef NETDEV_23
57 # include <linux/netfilter_ipv4.h>
58 #endif /* NETDEV_23 */
59
60 #include <linux/if_arp.h>
61
62 #include "freeswan/radij.h"
63 #include "freeswan/ipsec_life.h"
64 #include "freeswan/ipsec_xform.h"
65 #include "freeswan/ipsec_eroute.h"
66 #include "freeswan/ipsec_encap.h"
67 #include "freeswan/ipsec_radij.h"
68 #include "freeswan/ipsec_sa.h"
69 #include "freeswan/ipsec_tunnel.h"
70 #include "freeswan/ipsec_xmit.h"
71 #include "freeswan/ipsec_ipe4.h"
72 #include "freeswan/ipsec_ah.h"
73 #include "freeswan/ipsec_esp.h"
74
75 #include <pfkeyv2.h>
76 #include <pfkey.h>
77
78 #include "freeswan/ipsec_proto.h"
79 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
80 #include <linux/udp.h>
81 #endif
82
83 static __u32 zeroes[64];
84
85 #ifdef CONFIG_IPSEC_DEBUG
86 int debug_tunnel = 0;
87 #endif /* CONFIG_IPSEC_DEBUG */
88
89 DEBUG_NO_STATIC int
90 ipsec_tunnel_open(struct device *dev)
91 {
92 struct ipsecpriv *prv = dev->priv;
93
94 /*
95 * Can't open until attached.
96 */
97
98 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
99 "klips_debug:ipsec_tunnel_open: "
100 "dev = %s, prv->dev = %s\n",
101 dev->name, prv->dev?prv->dev->name:"NONE");
102
103 if (prv->dev == NULL)
104 return -ENODEV;
105
106 MOD_INC_USE_COUNT;
107 return 0;
108 }
109
110 DEBUG_NO_STATIC int
111 ipsec_tunnel_close(struct device *dev)
112 {
113 MOD_DEC_USE_COUNT;
114 return 0;
115 }
116
117 #ifdef NETDEV_23
118 static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
119 {
120 #ifdef NETDEV_25 /* 2.6 kernels */
121 return dst_output(skb);
122 #else
123 return ip_send(skb);
124 #endif
125 }
126 #endif /* NETDEV_23 */
127
128 enum ipsec_xmit_value
129 ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs)
130 {
131 /* ixs->physdev->hard_header_len is unreliable and should not be used */
132 ixs->hard_header_len = (unsigned char *)(ixs->iph) - ixs->skb->data;
133
134 if(ixs->hard_header_len < 0) {
135 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
136 "klips_error:ipsec_xmit_strip_hard_header: "
137 "Negative hard_header_len (%d)?!\n", ixs->hard_header_len);
138 ixs->stats->tx_dropped++;
139 return IPSEC_XMIT_BADHHLEN;
140 }
141
142 /* while ixs->physdev->hard_header_len is unreliable and
143 * should not be trusted, it accurate and required for ATM, GRE and
144 * some other interfaces to work. Thanks to Willy Tarreau
145 * <willy@w.ods.org>.
146 */
147 if(ixs->hard_header_len == 0) { /* no hard header present */
148 ixs->hard_header_stripped = 1;
149 ixs->hard_header_len = ixs->physdev->hard_header_len;
150 }
151
152 #ifdef CONFIG_IPSEC_DEBUG
153 if (debug_tunnel & DB_TN_XMIT) {
154 int i;
155 char c;
156
157 printk(KERN_INFO "klips_debug:ipsec_xmit_strip_hard_header: "
158 ">>> skb->len=%ld hard_header_len:%d",
159 (unsigned long int)ixs->skb->len, ixs->hard_header_len);
160 c = ' ';
161 for (i=0; i < ixs->hard_header_len; i++) {
162 printk("%c%02x", c, ixs->skb->data[i]);
163 c = ':';
164 }
165 printk(" \n");
166 }
167 #endif /* CONFIG_IPSEC_DEBUG */
168
169 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
170
171 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
172 "klips_debug:ipsec_xmit_strip_hard_header: "
173 "Original head,tailroom: %d,%d\n",
174 skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
175
176 return IPSEC_XMIT_OK;
177 }
178
179 enum ipsec_xmit_value
180 ipsec_tunnel_SAlookup(struct ipsec_xmit_state *ixs)
181 {
182 /*
183 * First things first -- look us up in the erouting tables.
184 */
185 ixs->matcher.sen_len = sizeof (struct sockaddr_encap);
186 ixs->matcher.sen_family = AF_ENCAP;
187 ixs->matcher.sen_type = SENT_IP4;
188 ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
189 ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
190 ixs->matcher.sen_proto = ixs->iph->protocol;
191 ipsec_extract_ports(ixs->iph, &ixs->matcher);
192
193 /*
194 * The spinlock is to prevent any other process from accessing or deleting
195 * the eroute while we are using and updating it.
196 */
197 spin_lock(&eroute_lock);
198
199 ixs->eroute = ipsec_findroute(&ixs->matcher);
200
201 if(ixs->iph->protocol == IPPROTO_UDP) {
202 if(ixs->skb->sk) {
203 ixs->sport=ntohs(ixs->skb->sk->sport);
204 ixs->dport=ntohs(ixs->skb->sk->dport);
205 } else if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
206 ((ixs->skb->len - ixs->hard_header_len) >=
207 ((ixs->iph->ihl << 2) + sizeof(struct udphdr)))) {
208 ixs->sport=ntohs(((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)))->source);
209 ixs->dport=ntohs(((struct udphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl<<2)))->dest);
210 } else {
211 ixs->sport=0; ixs->dport=0;
212 }
213 }
214
215 /* default to a %drop eroute */
216 ixs->outgoing_said.proto = IPPROTO_INT;
217 ixs->outgoing_said.spi = htonl(SPI_DROP);
218 ixs->outgoing_said.dst.s_addr = INADDR_ANY;
219 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
220 "klips_debug:ipsec_xmit_SAlookup: "
221 "checking for local udp/500 IKE packet "
222 "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
223 ntohl((unsigned int)ixs->iph->saddr),
224 ixs->eroute,
225 ntohl((unsigned int)ixs->iph->daddr),
226 ixs->eroute ? ntohl((unsigned int)ixs->eroute->er_said.dst.s_addr) : 0,
227 ixs->iph->protocol,
228 ixs->sport,
229 ixs->dport);
230
231 /*
232 * Quick cheat for now...are we udp/500 or udp/4500? If so, let it through
233 * without interference since it is most likely an IKE packet.
234 */
235
236 if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
237 && (!ixs->eroute
238 || ixs->iph->daddr == ixs->eroute->er_said.dst.s_addr
239 || INADDR_ANY == ixs->eroute->er_said.dst.s_addr)
240 && ((ixs->sport == 500) || (ixs->sport == 4500))) {
241 /* Whatever the eroute, this is an IKE message
242 * from us (i.e. not being forwarded).
243 * Furthermore, if there is a tunnel eroute,
244 * the destination is the peer for this eroute.
245 * So %pass the packet: modify the default %drop.
246 */
247 ixs->outgoing_said.spi = htonl(SPI_PASS);
248 if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
249 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
250 "klips_debug:ipsec_xmit_SAlookup: "
251 "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
252 }
253 } else if (ixs->eroute) {
254 ixs->eroute->er_count++;
255 ixs->eroute->er_lasttime = jiffies/HZ;
256 if(ixs->eroute->er_said.proto==IPPROTO_INT
257 && ixs->eroute->er_said.spi==htonl(SPI_HOLD)) {
258 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
259 "klips_debug:ipsec_xmit_SAlookup: "
260 "shunt SA of HOLD: skb stored in HOLD.\n");
261 if(ixs->eroute->er_last != NULL) {
262 kfree_skb(ixs->eroute->er_last);
263 }
264 ixs->eroute->er_last = ixs->skb;
265 ixs->skb = NULL;
266 ixs->stats->tx_dropped++;
267 spin_unlock(&eroute_lock);
268 return IPSEC_XMIT_STOLEN;
269 }
270 ixs->outgoing_said = ixs->eroute->er_said;
271 ixs->eroute_pid = ixs->eroute->er_pid;
272 /* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
273 if(ixs->outgoing_said.proto==IPPROTO_INT
274 && (ixs->outgoing_said.spi==htonl(SPI_TRAP)
275 || (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) {
276 int len;
277
278 ixs->ips.ips_ident_s.type = ixs->eroute->er_ident_s.type;
279 ixs->ips.ips_ident_s.id = ixs->eroute->er_ident_s.id;
280 ixs->ips.ips_ident_s.len = ixs->eroute->er_ident_s.len;
281 if (ixs->ips.ips_ident_s.len) {
282 len = ixs->ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
283 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
284 "klips_debug:ipsec_xmit_SAlookup: "
285 "allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n",
286 len);
287 if ((ixs->ips.ips_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
288 printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
289 "Failed, tried to allocate %d bytes for source ident.\n",
290 len);
291 ixs->stats->tx_dropped++;
292 spin_unlock(&eroute_lock);
293 return IPSEC_XMIT_ERRMEMALLOC;
294 }
295 memcpy(ixs->ips.ips_ident_s.data, ixs->eroute->er_ident_s.data, len);
296 }
297 ixs->ips.ips_ident_d.type = ixs->eroute->er_ident_d.type;
298 ixs->ips.ips_ident_d.id = ixs->eroute->er_ident_d.id;
299 ixs->ips.ips_ident_d.len = ixs->eroute->er_ident_d.len;
300 if (ixs->ips.ips_ident_d.len) {
301 len = ixs->ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
302 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
303 "klips_debug:ipsec_xmit_SAlookup: "
304 "allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n",
305 len);
306 if ((ixs->ips.ips_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
307 printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
308 "Failed, tried to allocate %d bytes for dest ident.\n",
309 len);
310 ixs->stats->tx_dropped++;
311 spin_unlock(&eroute_lock);
312 return IPSEC_XMIT_ERRMEMALLOC;
313 }
314 memcpy(ixs->ips.ips_ident_d.data, ixs->eroute->er_ident_d.data, len);
315 }
316 }
317 }
318
319 spin_unlock(&eroute_lock);
320 return IPSEC_XMIT_OK;
321 }
322
323 enum ipsec_xmit_value
324 ipsec_tunnel_restore_hard_header(struct ipsec_xmit_state*ixs)
325 {
326 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
327 "klips_debug:ipsec_xmit_restore_hard_header: "
328 "After recursive xforms -- head,tailroom: %d,%d\n",
329 skb_headroom(ixs->skb),
330 skb_tailroom(ixs->skb));
331
332 if(ixs->saved_header) {
333 if(skb_headroom(ixs->skb) < ixs->hard_header_len) {
334 printk(KERN_WARNING
335 "klips_error:ipsec_xmit_restore_hard_header: "
336 "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
337 ixs->hard_header_len,
338 skb_headroom(ixs->skb));
339 ixs->stats->tx_errors++;
340 return IPSEC_XMIT_PUSHPULLERR;
341
342 }
343 skb_push(ixs->skb, ixs->hard_header_len);
344 {
345 int i;
346 for (i = 0; i < ixs->hard_header_len; i++) {
347 ixs->skb->data[i] = ixs->saved_header[i];
348 }
349 }
350 }
351 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
352 if (ixs->natt_type && ixs->natt_head) {
353 struct iphdr *ipp = ixs->skb->nh.iph;
354 struct udphdr *udp;
355 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
356 "klips_debug:ipsec_tunnel_start_xmit: "
357 "encapsulating packet into UDP (NAT-Traversal) (%d %d)\n",
358 ixs->natt_type, ixs->natt_head);
359 ixs->iphlen = ipp->ihl << 2;
360 ipp->tot_len =
361 htons(ntohs(ipp->tot_len) + ixs->natt_head);
362 if(skb_tailroom(ixs->skb) < ixs->natt_head) {
363 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
364 "tried to skb_put %d, %d available. "
365 "This should never happen, please report.\n",
366 ixs->natt_head,
367 skb_tailroom(ixs->skb));
368 ixs->stats->tx_errors++;
369 return IPSEC_XMIT_ESPUDP;
370 }
371 skb_put(ixs->skb, ixs->natt_head);
372 udp = (struct udphdr *)((char *)ipp + ixs->iphlen);
373 /* move ESP hdr after UDP hdr */
374 memmove((void *)((char *)udp + ixs->natt_head),
375 (void *)(udp),
376 ntohs(ipp->tot_len) - ixs->iphlen - ixs->natt_head);
377 /* clear UDP & Non-IKE Markers (if any) */
378 memset(udp, 0, ixs->natt_head);
379 /* fill UDP with usefull informations ;-) */
380 udp->source = htons(ixs->natt_sport);
381 udp->dest = htons(ixs->natt_dport);
382 udp->len = htons(ntohs(ipp->tot_len) - ixs->iphlen);
383 /* set protocol */
384 ipp->protocol = IPPROTO_UDP;
385 /* fix IP checksum */
386 ipp->check = 0;
387 ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
388 }
389 #endif
390 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
391 "klips_debug:ipsec_xmit_restore_hard_header: "
392 "With hard_header, final head,tailroom: %d,%d\n",
393 skb_headroom(ixs->skb),
394 skb_tailroom(ixs->skb));
395
396 return IPSEC_XMIT_OK;
397 }
398
399 enum ipsec_xmit_value
400 ipsec_tunnel_send(struct ipsec_xmit_state*ixs)
401 {
402 #ifdef NETDEV_25
403 struct flowi fl;
404 #endif
405
406 #ifdef NET_21 /* 2.2 and 2.4 kernels */
407 /* new route/dst cache code from James Morris */
408 ixs->skb->dev = ixs->physdev;
409 #ifdef NETDEV_25
410 fl.oif = ixs->physdev->iflink;
411 fl.nl_u.ip4_u.daddr = ixs->skb->nh.iph->daddr;
412 fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ixs->skb->nh.iph->saddr;
413 fl.nl_u.ip4_u.tos = RT_TOS(ixs->skb->nh.iph->tos);
414 fl.proto = ixs->skb->nh.iph->protocol;
415 if ((ixs->error = ip_route_output_key(&ixs->route, &fl))) {
416 #else
417 /*skb_orphan(ixs->skb);*/
418 if((ixs->error = ip_route_output(&ixs->route,
419 ixs->skb->nh.iph->daddr,
420 ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
421 RT_TOS(ixs->skb->nh.iph->tos),
422 /* mcr->rgb: should this be 0 instead? */
423 ixs->physdev->iflink))) {
424 #endif
425 ixs->stats->tx_errors++;
426 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
427 "klips_debug:ipsec_xmit_send: "
428 "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
429 ixs->error,
430 ixs->route->u.dst.dev->name);
431 return IPSEC_XMIT_ROUTEERR;
432 }
433 if(ixs->dev == ixs->route->u.dst.dev) {
434 ip_rt_put(ixs->route);
435 /* This is recursion, drop it. */
436 ixs->stats->tx_errors++;
437 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
438 "klips_debug:ipsec_xmit_send: "
439 "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
440 ixs->dev->name);
441 return IPSEC_XMIT_RECURSDETECT;
442 }
443 dst_release(ixs->skb->dst);
444 ixs->skb->dst = &ixs->route->u.dst;
445 ixs->stats->tx_bytes += ixs->skb->len;
446 if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
447 ixs->stats->tx_errors++;
448 printk(KERN_WARNING
449 "klips_error:ipsec_xmit_send: "
450 "tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n",
451 (unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
452 ixs->skb->len);
453 return IPSEC_XMIT_PUSHPULLERR;
454 }
455 __skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
456 #ifdef SKB_RESET_NFCT
457 if(!ixs->pass) {
458 nf_conntrack_put(ixs->skb->nfct);
459 ixs->skb->nfct = NULL;
460 }
461 #ifdef CONFIG_NETFILTER_DEBUG
462 ixs->skb->nf_debug = 0;
463 #endif /* CONFIG_NETFILTER_DEBUG */
464 #endif /* SKB_RESET_NFCT */
465 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
466 "klips_debug:ipsec_xmit_send: "
467 "...done, calling ip_send() on device:%s\n",
468 ixs->skb->dev ? ixs->skb->dev->name : "NULL");
469 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->skb->nh.iph);
470 #ifdef NETDEV_23 /* 2.4 kernels */
471 {
472 int err;
473
474 err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
475 ipsec_tunnel_xmit2);
476 if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
477 if(net_ratelimit())
478 printk(KERN_ERR
479 "klips_error:ipsec_xmit_send: "
480 "ip_send() failed, err=%d\n",
481 -err);
482 ixs->stats->tx_errors++;
483 ixs->stats->tx_aborted_errors++;
484 ixs->skb = NULL;
485 return IPSEC_XMIT_IPSENDFAILURE;
486 }
487 }
488 #else /* NETDEV_23 */ /* 2.2 kernels */
489 ip_send(ixs->skb);
490 #endif /* NETDEV_23 */
491 #else /* NET_21 */ /* 2.0 kernels */
492 ixs->skb->arp = 1;
493 /* ISDN/ASYNC PPP from Matjaz Godec. */
494 /* skb->protocol = htons(ETH_P_IP); */
495 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
496 "klips_debug:ipsec_xmit_send: "
497 "...done, calling dev_queue_xmit() or ip_fragment().\n");
498 IP_SEND(ixs->skb, ixs->physdev);
499 #endif /* NET_21 */
500 ixs->stats->tx_packets++;
501
502 ixs->skb = NULL;
503
504 return IPSEC_XMIT_OK;
505 }
506
507 void
508 ipsec_tunnel_cleanup(struct ipsec_xmit_state*ixs)
509 {
510 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
511 netif_wake_queue(ixs->dev);
512 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
513 ixs->dev->tbusy = 0;
514 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
515 if(ixs->saved_header) {
516 kfree(ixs->saved_header);
517 }
518 if(ixs->skb) {
519 dev_kfree_skb(ixs->skb, FREE_WRITE);
520 }
521 if(ixs->oskb) {
522 dev_kfree_skb(ixs->oskb, FREE_WRITE);
523 }
524 if (ixs->ips.ips_ident_s.data) {
525 kfree(ixs->ips.ips_ident_s.data);
526 }
527 if (ixs->ips.ips_ident_d.data) {
528 kfree(ixs->ips.ips_ident_d.data);
529 }
530 }
531
532 /*
533 * This function assumes it is being called from dev_queue_xmit()
534 * and that skb is filled properly by that function.
535 */
536 int
537 ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
538 {
539 struct ipsec_xmit_state ixs_mem;
540 struct ipsec_xmit_state *ixs = &ixs_mem;
541 enum ipsec_xmit_value stat;
542
543 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
544 ixs->natt_type = 0, ixs->natt_head = 0;
545 ixs->natt_sport = 0, ixs->natt_dport = 0;
546 #endif
547
548 memset((caddr_t)ixs, 0, sizeof(*ixs));
549 ixs->oskb = NULL;
550 ixs->saved_header = NULL; /* saved copy of the hard header */
551 ixs->route = NULL;
552 memset((caddr_t)&(ixs->ips), 0, sizeof(ixs->ips));
553 ixs->dev = dev;
554 ixs->skb = skb;
555
556 stat = ipsec_xmit_sanity_check_dev(ixs);
557 if(stat != IPSEC_XMIT_OK) {
558 goto cleanup;
559 }
560
561 stat = ipsec_xmit_sanity_check_skb(ixs);
562 if(stat != IPSEC_XMIT_OK) {
563 goto cleanup;
564 }
565
566 stat = ipsec_tunnel_strip_hard_header(ixs);
567 if(stat != IPSEC_XMIT_OK) {
568 goto cleanup;
569 }
570
571 stat = ipsec_tunnel_SAlookup(ixs);
572 if(stat != IPSEC_XMIT_OK) {
573 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
574 "klips_debug:ipsec_tunnel_start_xmit: SAlookup failed: %d\n",
575 stat);
576 goto cleanup;
577 }
578
579 ixs->innersrc = ixs->iph->saddr;
580 /* start encapsulation loop here XXX */
581 do {
582 stat = ipsec_xmit_encap_bundle(ixs);
583 if(stat != IPSEC_XMIT_OK) {
584 if(stat == IPSEC_XMIT_PASS) {
585 goto bypass;
586 }
587
588 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
589 "klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: %d\n",
590 stat);
591 goto cleanup;
592 }
593
594 ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
595 ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
596 ixs->matcher.sen_proto = ixs->iph->protocol;
597 ipsec_extract_ports(ixs->iph, &ixs->matcher);
598
599 spin_lock(&eroute_lock);
600 ixs->eroute = ipsec_findroute(&ixs->matcher);
601 if(ixs->eroute) {
602 ixs->outgoing_said = ixs->eroute->er_said;
603 ixs->eroute_pid = ixs->eroute->er_pid;
604 ixs->eroute->er_count++;
605 ixs->eroute->er_lasttime = jiffies/HZ;
606 }
607 spin_unlock(&eroute_lock);
608
609 KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
610 /* ((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc)) */
611 (ixs->orgedst != ixs->outgoing_said.dst.s_addr) &&
612 ixs->outgoing_said.dst.s_addr &&
613 ixs->eroute,
614 "klips_debug:ipsec_tunnel_start_xmit: "
615 "We are recursing here.\n");
616
617 } while(/*((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc))*/
618 (ixs->orgedst != ixs->outgoing_said.dst.s_addr) &&
619 ixs->outgoing_said.dst.s_addr &&
620 ixs->eroute);
621
622 stat = ipsec_tunnel_restore_hard_header(ixs);
623 if(stat != IPSEC_XMIT_OK) {
624 goto cleanup;
625 }
626
627 bypass:
628 stat = ipsec_tunnel_send(ixs);
629
630 cleanup:
631 ipsec_tunnel_cleanup(ixs);
632
633 return 0;
634 }
635
636 DEBUG_NO_STATIC struct net_device_stats *
637 ipsec_tunnel_get_stats(struct device *dev)
638 {
639 return &(((struct ipsecpriv *)(dev->priv))->mystats);
640 }
641
642 /*
643 * Revectored calls.
644 * For each of these calls, a field exists in our private structure.
645 */
646
647 DEBUG_NO_STATIC int
648 ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
649 unsigned short type, void *daddr, void *saddr, unsigned len)
650 {
651 struct ipsecpriv *prv = dev->priv;
652 struct device *tmp;
653 int ret;
654 struct net_device_stats *stats; /* This device's statistics */
655
656 if(skb == NULL) {
657 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
658 "klips_debug:ipsec_tunnel_hard_header: "
659 "no skb...\n");
660 return -ENODATA;
661 }
662
663 if(dev == NULL) {
664 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
665 "klips_debug:ipsec_tunnel_hard_header: "
666 "no device...\n");
667 return -ENODEV;
668 }
669
670 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
671 "klips_debug:ipsec_tunnel_hard_header: "
672 "skb->dev=%s dev=%s.\n",
673 skb->dev ? skb->dev->name : "NULL",
674 dev->name);
675
676 if(prv == NULL) {
677 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
678 "klips_debug:ipsec_tunnel_hard_header: "
679 "no private space associated with dev=%s\n",
680 dev->name ? dev->name : "NULL");
681 return -ENODEV;
682 }
683
684 stats = (struct net_device_stats *) &(prv->mystats);
685
686 if(prv->dev == NULL) {
687 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
688 "klips_debug:ipsec_tunnel_hard_header: "
689 "no physical device associated with dev=%s\n",
690 dev->name ? dev->name : "NULL");
691 stats->tx_dropped++;
692 return -ENODEV;
693 }
694
695 /* check if we have to send a IPv6 packet. It might be a Router
696 Solicitation, where the building of the packet happens in
697 reverse order:
698 1. ll hdr,
699 2. IPv6 hdr,
700 3. ICMPv6 hdr
701 -> skb->nh.raw is still uninitialized when this function is
702 called!! If this is no IPv6 packet, we can print debugging
703 messages, otherwise we skip all debugging messages and just
704 build the ll header */
705 if(type != ETH_P_IPV6) {
706 /* execute this only, if we don't have to build the
707 header for a IPv6 packet */
708 if(!prv->hard_header) {
709 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
710 "klips_debug:ipsec_tunnel_hard_header: "
711 "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
712 saddr,
713 daddr,
714 len,
715 type,
716 dev->name);
717 #ifdef NET_21
718 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
719 "ip=%08x->%08x\n",
720 (__u32)ntohl(skb->nh.iph->saddr),
721 (__u32)ntohl(skb->nh.iph->daddr) );
722 #else /* NET_21 */
723 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
724 "ip=%08x->%08x\n",
725 (__u32)ntohl(skb->ip_hdr->saddr),
726 (__u32)ntohl(skb->ip_hdr->daddr) );
727 #endif /* NET_21 */
728 stats->tx_dropped++;
729 return -ENODEV;
730 }
731
732 #define da ((struct device *)(prv->dev))->dev_addr
733 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
734 "klips_debug:ipsec_tunnel_hard_header: "
735 "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
736 saddr,
737 daddr,
738 len,
739 type,
740 dev->name,
741 prv->dev->name,
742 da[0], da[1], da[2], da[3], da[4], da[5]);
743 #ifdef NET_21
744 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
745 "ip=%08x->%08x\n",
746 (__u32)ntohl(skb->nh.iph->saddr),
747 (__u32)ntohl(skb->nh.iph->daddr) );
748 #else /* NET_21 */
749 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
750 "ip=%08x->%08x\n",
751 (__u32)ntohl(skb->ip_hdr->saddr),
752 (__u32)ntohl(skb->ip_hdr->daddr) );
753 #endif /* NET_21 */
754 } else {
755 KLIPS_PRINT(debug_tunnel,
756 "klips_debug:ipsec_tunnel_hard_header: "
757 "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
758 }
759 tmp = skb->dev;
760 skb->dev = prv->dev;
761 ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
762 skb->dev = tmp;
763 return ret;
764 }
765
766 DEBUG_NO_STATIC int
767 #ifdef NET_21
768 ipsec_tunnel_rebuild_header(struct sk_buff *skb)
769 #else /* NET_21 */
770 ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
771 unsigned long raddr, struct sk_buff *skb)
772 #endif /* NET_21 */
773 {
774 struct ipsecpriv *prv = skb->dev->priv;
775 struct device *tmp;
776 int ret;
777 struct net_device_stats *stats; /* This device's statistics */
778
779 if(skb->dev == NULL) {
780 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
781 "klips_debug:ipsec_tunnel_rebuild_header: "
782 "no device...");
783 return -ENODEV;
784 }
785
786 if(prv == NULL) {
787 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
788 "klips_debug:ipsec_tunnel_rebuild_header: "
789 "no private space associated with dev=%s",
790 skb->dev->name ? skb->dev->name : "NULL");
791 return -ENODEV;
792 }
793
794 stats = (struct net_device_stats *) &(prv->mystats);
795
796 if(prv->dev == NULL) {
797 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
798 "klips_debug:ipsec_tunnel_rebuild_header: "
799 "no physical device associated with dev=%s",
800 skb->dev->name ? skb->dev->name : "NULL");
801 stats->tx_dropped++;
802 return -ENODEV;
803 }
804
805 if(!prv->rebuild_header) {
806 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
807 "klips_debug:ipsec_tunnel_rebuild_header: "
808 "physical device has been detached, packet dropped skb->dev=%s->NULL ",
809 skb->dev->name);
810 #ifdef NET_21
811 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
812 "ip=%08x->%08x\n",
813 (__u32)ntohl(skb->nh.iph->saddr),
814 (__u32)ntohl(skb->nh.iph->daddr) );
815 #else /* NET_21 */
816 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
817 "ip=%08x->%08x\n",
818 (__u32)ntohl(skb->ip_hdr->saddr),
819 (__u32)ntohl(skb->ip_hdr->daddr) );
820 #endif /* NET_21 */
821 stats->tx_dropped++;
822 return -ENODEV;
823 }
824
825 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
826 "klips_debug:ipsec_tunnel: "
827 "Revectored rebuild_header dev=%s->%s ",
828 skb->dev->name, prv->dev->name);
829 #ifdef NET_21
830 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
831 "ip=%08x->%08x\n",
832 (__u32)ntohl(skb->nh.iph->saddr),
833 (__u32)ntohl(skb->nh.iph->daddr) );
834 #else /* NET_21 */
835 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
836 "ip=%08x->%08x\n",
837 (__u32)ntohl(skb->ip_hdr->saddr),
838 (__u32)ntohl(skb->ip_hdr->daddr) );
839 #endif /* NET_21 */
840 tmp = skb->dev;
841 skb->dev = prv->dev;
842
843 #ifdef NET_21
844 ret = prv->rebuild_header(skb);
845 #else /* NET_21 */
846 ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
847 #endif /* NET_21 */
848 skb->dev = tmp;
849 return ret;
850 }
851
852 DEBUG_NO_STATIC int
853 ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
854 {
855 struct ipsecpriv *prv = dev->priv;
856
857 struct net_device_stats *stats; /* This device's statistics */
858
859 if(dev == NULL) {
860 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
861 "klips_debug:ipsec_tunnel_set_mac_address: "
862 "no device...");
863 return -ENODEV;
864 }
865
866 if(prv == NULL) {
867 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
868 "klips_debug:ipsec_tunnel_set_mac_address: "
869 "no private space associated with dev=%s",
870 dev->name ? dev->name : "NULL");
871 return -ENODEV;
872 }
873
874 stats = (struct net_device_stats *) &(prv->mystats);
875
876 if(prv->dev == NULL) {
877 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
878 "klips_debug:ipsec_tunnel_set_mac_address: "
879 "no physical device associated with dev=%s",
880 dev->name ? dev->name : "NULL");
881 stats->tx_dropped++;
882 return -ENODEV;
883 }
884
885 if(!prv->set_mac_address) {
886 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
887 "klips_debug:ipsec_tunnel_set_mac_address: "
888 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
889 dev->name);
890 return -ENODEV;
891 }
892
893 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
894 "klips_debug:ipsec_tunnel_set_mac_address: "
895 "Revectored dev=%s->%s addr=0p%p\n",
896 dev->name, prv->dev->name, addr);
897 return prv->set_mac_address(prv->dev, addr);
898
899 }
900
901 #ifndef NET_21
902 DEBUG_NO_STATIC void
903 ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
904 unsigned short htype, __u32 daddr)
905 {
906 struct ipsecpriv *prv = dev->priv;
907
908 struct net_device_stats *stats; /* This device's statistics */
909
910 if(dev == NULL) {
911 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
912 "klips_debug:ipsec_tunnel_cache_bind: "
913 "no device...");
914 return;
915 }
916
917 if(prv == NULL) {
918 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
919 "klips_debug:ipsec_tunnel_cache_bind: "
920 "no private space associated with dev=%s",
921 dev->name ? dev->name : "NULL");
922 return;
923 }
924
925 stats = (struct net_device_stats *) &(prv->mystats);
926
927 if(prv->dev == NULL) {
928 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
929 "klips_debug:ipsec_tunnel_cache_bind: "
930 "no physical device associated with dev=%s",
931 dev->name ? dev->name : "NULL");
932 stats->tx_dropped++;
933 return;
934 }
935
936 if(!prv->header_cache_bind) {
937 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
938 "klips_debug:ipsec_tunnel_cache_bind: "
939 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
940 dev->name);
941 stats->tx_dropped++;
942 return;
943 }
944
945 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
946 "klips_debug:ipsec_tunnel_cache_bind: "
947 "Revectored \n");
948 prv->header_cache_bind(hhp, prv->dev, htype, daddr);
949 return;
950 }
951 #endif /* !NET_21 */
952
953
954 DEBUG_NO_STATIC void
955 ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
956 {
957 struct ipsecpriv *prv = dev->priv;
958
959 struct net_device_stats *stats; /* This device's statistics */
960
961 if(dev == NULL) {
962 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
963 "klips_debug:ipsec_tunnel_cache_update: "
964 "no device...");
965 return;
966 }
967
968 if(prv == NULL) {
969 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
970 "klips_debug:ipsec_tunnel_cache_update: "
971 "no private space associated with dev=%s",
972 dev->name ? dev->name : "NULL");
973 return;
974 }
975
976 stats = (struct net_device_stats *) &(prv->mystats);
977
978 if(prv->dev == NULL) {
979 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
980 "klips_debug:ipsec_tunnel_cache_update: "
981 "no physical device associated with dev=%s",
982 dev->name ? dev->name : "NULL");
983 stats->tx_dropped++;
984 return;
985 }
986
987 if(!prv->header_cache_update) {
988 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
989 "klips_debug:ipsec_tunnel_cache_update: "
990 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
991 dev->name);
992 return;
993 }
994
995 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
996 "klips_debug:ipsec_tunnel: "
997 "Revectored cache_update\n");
998 prv->header_cache_update(hh, prv->dev, haddr);
999 return;
1000 }
1001
1002 #ifdef NET_21
1003 DEBUG_NO_STATIC int
1004 ipsec_tunnel_neigh_setup(struct neighbour *n)
1005 {
1006 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
1007 "klips_debug:ipsec_tunnel_neigh_setup:\n");
1008
1009 if (n->nud_state == NUD_NONE) {
1010 n->ops = &arp_broken_ops;
1011 n->output = n->ops->output;
1012 }
1013 return 0;
1014 }
1015
1016 DEBUG_NO_STATIC int
1017 ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
1018 {
1019 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
1020 "klips_debug:ipsec_tunnel_neigh_setup_dev: "
1021 "setting up %s\n",
1022 dev ? dev->name : "NULL");
1023
1024 if (p->tbl->family == AF_INET) {
1025 p->neigh_setup = ipsec_tunnel_neigh_setup;
1026 p->ucast_probes = 0;
1027 p->mcast_probes = 0;
1028 }
1029 return 0;
1030 }
1031 #endif /* NET_21 */
1032
1033 /*
1034 * We call the attach routine to attach another device.
1035 */
1036
1037 DEBUG_NO_STATIC int
1038 ipsec_tunnel_attach(struct device *dev, struct device *physdev)
1039 {
1040 int i;
1041 struct ipsecpriv *prv = dev->priv;
1042
1043 if(dev == NULL) {
1044 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
1045 "klips_debug:ipsec_tunnel_attach: "
1046 "no device...");
1047 return -ENODEV;
1048 }
1049
1050 if(prv == NULL) {
1051 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
1052 "klips_debug:ipsec_tunnel_attach: "
1053 "no private space associated with dev=%s",
1054 dev->name ? dev->name : "NULL");
1055 return -ENODATA;
1056 }
1057
1058 prv->dev = physdev;
1059 prv->hard_start_xmit = physdev->hard_start_xmit;
1060 prv->get_stats = physdev->get_stats;
1061
1062 if (physdev->hard_header) {
1063 prv->hard_header = physdev->hard_header;
1064 dev->hard_header = ipsec_tunnel_hard_header;
1065 } else
1066 dev->hard_header = NULL;
1067
1068 if (physdev->rebuild_header) {
1069 prv->rebuild_header = physdev->rebuild_header;
1070 dev->rebuild_header = ipsec_tunnel_rebuild_header;
1071 } else
1072 dev->rebuild_header = NULL;
1073
1074 if (physdev->set_mac_address) {
1075 prv->set_mac_address = physdev->set_mac_address;
1076 dev->set_mac_address = ipsec_tunnel_set_mac_address;
1077 } else
1078 dev->set_mac_address = NULL;
1079
1080 #ifndef NET_21
1081 if (physdev->header_cache_bind) {
1082 prv->header_cache_bind = physdev->header_cache_bind;
1083 dev->header_cache_bind = ipsec_tunnel_cache_bind;
1084 } else
1085 dev->header_cache_bind = NULL;
1086 #endif /* !NET_21 */
1087
1088 if (physdev->header_cache_update) {
1089 prv->header_cache_update = physdev->header_cache_update;
1090 dev->header_cache_update = ipsec_tunnel_cache_update;
1091 } else
1092 dev->header_cache_update = NULL;
1093
1094 dev->hard_header_len = physdev->hard_header_len;
1095
1096 #ifdef NET_21
1097 /* prv->neigh_setup = physdev->neigh_setup; */
1098 dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
1099 #endif /* NET_21 */
1100 dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
1101 prv->mtu = physdev->mtu;
1102
1103 #ifdef PHYSDEV_TYPE
1104 dev->type = physdev->type; /* ARPHRD_TUNNEL; */
1105 #endif /* PHYSDEV_TYPE */
1106
1107 dev->addr_len = physdev->addr_len;
1108 for (i=0; i<dev->addr_len; i++) {
1109 dev->dev_addr[i] = physdev->dev_addr[i];
1110 }
1111 #ifdef CONFIG_IPSEC_DEBUG
1112 if(debug_tunnel & DB_TN_INIT) {
1113 printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
1114 "physical device %s being attached has HW address: %2x",
1115 physdev->name, physdev->dev_addr[0]);
1116 for (i=1; i < physdev->addr_len; i++) {
1117 printk(":%02x", physdev->dev_addr[i]);
1118 }
1119 printk("\n");
1120 }
1121 #endif /* CONFIG_IPSEC_DEBUG */
1122
1123 return 0;
1124 }
1125
1126 /*
1127 * We call the detach routine to detach the ipsec tunnel from another device.
1128 */
1129
1130 DEBUG_NO_STATIC int
1131 ipsec_tunnel_detach(struct device *dev)
1132 {
1133 int i;
1134 struct ipsecpriv *prv = dev->priv;
1135
1136 if(dev == NULL) {
1137 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
1138 "klips_debug:ipsec_tunnel_detach: "
1139 "no device...");
1140 return -ENODEV;
1141 }
1142
1143 if(prv == NULL) {
1144 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
1145 "klips_debug:ipsec_tunnel_detach: "
1146 "no private space associated with dev=%s",
1147 dev->name ? dev->name : "NULL");
1148 return -ENODATA;
1149 }
1150
1151 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1152 "klips_debug:ipsec_tunnel_detach: "
1153 "physical device %s being detached from virtual device %s\n",
1154 prv->dev ? prv->dev->name : "NULL",
1155 dev->name);
1156
1157 ipsec_dev_put(prv->dev);
1158 prv->dev = NULL;
1159 prv->hard_start_xmit = NULL;
1160 prv->get_stats = NULL;
1161
1162 prv->hard_header = NULL;
1163 #ifdef DETACH_AND_DOWN
1164 dev->hard_header = NULL;
1165 #endif /* DETACH_AND_DOWN */
1166
1167 prv->rebuild_header = NULL;
1168 #ifdef DETACH_AND_DOWN
1169 dev->rebuild_header = NULL;
1170 #endif /* DETACH_AND_DOWN */
1171
1172 prv->set_mac_address = NULL;
1173 #ifdef DETACH_AND_DOWN
1174 dev->set_mac_address = NULL;
1175 #endif /* DETACH_AND_DOWN */
1176
1177 #ifndef NET_21
1178 prv->header_cache_bind = NULL;
1179 #ifdef DETACH_AND_DOWN
1180 dev->header_cache_bind = NULL;
1181 #endif /* DETACH_AND_DOWN */
1182 #endif /* !NET_21 */
1183
1184 prv->header_cache_update = NULL;
1185 #ifdef DETACH_AND_DOWN
1186 dev->header_cache_update = NULL;
1187 #endif /* DETACH_AND_DOWN */
1188
1189 #ifdef NET_21
1190 /* prv->neigh_setup = NULL; */
1191 #ifdef DETACH_AND_DOWN
1192 dev->neigh_setup = NULL;
1193 #endif /* DETACH_AND_DOWN */
1194 #endif /* NET_21 */
1195 dev->hard_header_len = 0;
1196 #ifdef DETACH_AND_DOWN
1197 dev->mtu = 0;
1198 #endif /* DETACH_AND_DOWN */
1199 prv->mtu = 0;
1200 for (i=0; i<MAX_ADDR_LEN; i++) {
1201 dev->dev_addr[i] = 0;
1202 }
1203 dev->addr_len = 0;
1204 #ifdef PHYSDEV_TYPE
1205 dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */
1206 #endif /* PHYSDEV_TYPE */
1207
1208 return 0;
1209 }
1210
1211 /*
1212 * We call the clear routine to detach all ipsec tunnels from other devices.
1213 */
1214 DEBUG_NO_STATIC int
1215 ipsec_tunnel_clear(void)
1216 {
1217 int i;
1218 struct device *ipsecdev = NULL, *prvdev;
1219 struct ipsecpriv *prv;
1220 char name[9];
1221 int ret;
1222
1223 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1224 "klips_debug:ipsec_tunnel_clear: .\n");
1225
1226 for(i = 0; i < IPSEC_NUM_IF; i++) {
1227 ipsecdev = ipsecdevices[i];
1228 if(ipsecdev != NULL) {
1229 if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
1230 prvdev = (struct device *)(prv->dev);
1231 if(prvdev) {
1232 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1233 "klips_debug:ipsec_tunnel_clear: "
1234 "physical device for device %s is %s\n",
1235 name, prvdev->name);
1236 if((ret = ipsec_tunnel_detach(ipsecdev))) {
1237 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1238 "klips_debug:ipsec_tunnel_clear: "
1239 "error %d detatching device %s from device %s.\n",
1240 ret, name, prvdev->name);
1241 return ret;
1242 }
1243 }
1244 }
1245 }
1246 }
1247 return 0;
1248 }
1249
1250 DEBUG_NO_STATIC int
1251 ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
1252 {
1253 struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
1254 struct ipsecpriv *prv = dev->priv;
1255 struct device *them; /* physical device */
1256 #ifdef CONFIG_IP_ALIAS
1257 char *colon;
1258 char realphysname[IFNAMSIZ];
1259 #endif /* CONFIG_IP_ALIAS */
1260
1261 if(dev == NULL) {
1262 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1263 "klips_debug:ipsec_tunnel_ioctl: "
1264 "device not supplied.\n");
1265 return -ENODEV;
1266 }
1267
1268 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1269 "klips_debug:ipsec_tunnel_ioctl: "
1270 "tncfg service call #%d for dev=%s\n",
1271 cmd,
1272 dev->name ? dev->name : "NULL");
1273 switch (cmd) {
1274 /* attach a virtual ipsec? device to a physical device */
1275 case IPSEC_SET_DEV:
1276 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1277 "klips_debug:ipsec_tunnel_ioctl: "
1278 "calling ipsec_tunnel_attatch...\n");
1279 #ifdef CONFIG_IP_ALIAS
1280 /* If this is an IP alias interface, get its real physical name */
1281 strncpy(realphysname, cf->cf_name, IFNAMSIZ);
1282 realphysname[IFNAMSIZ-1] = 0;
1283 colon = strchr(realphysname, ':');
1284 if (colon) *colon = 0;
1285 them = ipsec_dev_get(realphysname);
1286 #else /* CONFIG_IP_ALIAS */
1287 them = ipsec_dev_get(cf->cf_name);
1288 #endif /* CONFIG_IP_ALIAS */
1289
1290 if (them == NULL) {
1291 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1292 "klips_debug:ipsec_tunnel_ioctl: "
1293 "physical device %s requested is null\n",
1294 cf->cf_name);
1295 return -ENXIO;
1296 }
1297
1298 #if 0
1299 if (them->flags & IFF_UP) {
1300 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1301 "klips_debug:ipsec_tunnel_ioctl: "
1302 "physical device %s requested is not up.\n",
1303 cf->cf_name);
1304 ipsec_dev_put(them);
1305 return -ENXIO;
1306 }
1307 #endif
1308
1309 if (prv && prv->dev) {
1310 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1311 "klips_debug:ipsec_tunnel_ioctl: "
1312 "virtual device is already connected to %s.\n",
1313 prv->dev->name ? prv->dev->name : "NULL");
1314 ipsec_dev_put(them);
1315 return -EBUSY;
1316 }
1317 return ipsec_tunnel_attach(dev, them);
1318
1319 case IPSEC_DEL_DEV:
1320 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1321 "klips_debug:ipsec_tunnel_ioctl: "
1322 "calling ipsec_tunnel_detatch.\n");
1323 if (! prv->dev) {
1324 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1325 "klips_debug:ipsec_tunnel_ioctl: "
1326 "physical device not connected.\n");
1327 return -ENODEV;
1328 }
1329 return ipsec_tunnel_detach(dev);
1330
1331 case IPSEC_CLR_DEV:
1332 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1333 "klips_debug:ipsec_tunnel_ioctl: "
1334 "calling ipsec_tunnel_clear.\n");
1335 return ipsec_tunnel_clear();
1336
1337 default:
1338 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1339 "klips_debug:ipsec_tunnel_ioctl: "
1340 "unknown command %d.\n",
1341 cmd);
1342 return -EOPNOTSUPP;
1343 }
1344 }
1345
1346 int
1347 ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
1348 {
1349 struct device *dev = ptr;
1350 struct device *ipsec_dev;
1351 struct ipsecpriv *priv;
1352 int i;
1353
1354 if (dev == NULL) {
1355 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1356 "klips_debug:ipsec_device_event: "
1357 "dev=NULL for event type %ld.\n",
1358 event);
1359 return(NOTIFY_DONE);
1360 }
1361
1362 /* check for loopback devices */
1363 if (dev && (dev->flags & IFF_LOOPBACK)) {
1364 return(NOTIFY_DONE);
1365 }
1366
1367 switch (event) {
1368 case NETDEV_DOWN:
1369 /* look very carefully at the scope of these compiler
1370 directives before changing anything... -- RGB */
1371 #ifdef NET_21
1372 case NETDEV_UNREGISTER:
1373 switch (event) {
1374 case NETDEV_DOWN:
1375 #endif /* NET_21 */
1376 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1377 "klips_debug:ipsec_device_event: "
1378 "NETDEV_DOWN dev=%s flags=%x\n",
1379 dev->name,
1380 dev->flags);
1381 if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
1382 printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
1383 dev->name);
1384 }
1385 #ifdef NET_21
1386 break;
1387 case NETDEV_UNREGISTER:
1388 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1389 "klips_debug:ipsec_device_event: "
1390 "NETDEV_UNREGISTER dev=%s flags=%x\n",
1391 dev->name,
1392 dev->flags);
1393 break;
1394 }
1395 #endif /* NET_21 */
1396
1397 /* find the attached physical device and detach it. */
1398 for(i = 0; i < IPSEC_NUM_IF; i++) {
1399 ipsec_dev = ipsecdevices[i];
1400
1401 if(ipsec_dev) {
1402 priv = (struct ipsecpriv *)(ipsec_dev->priv);
1403 if(priv) {
1404 ;
1405 if(((struct device *)(priv->dev)) == dev) {
1406 /* dev_close(ipsec_dev); */
1407 /* return */ ipsec_tunnel_detach(ipsec_dev);
1408 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1409 "klips_debug:ipsec_device_event: "
1410 "device '%s' has been detached.\n",
1411 ipsec_dev->name);
1412 break;
1413 }
1414 } else {
1415 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1416 "klips_debug:ipsec_device_event: "
1417 "device '%s' has no private data space!\n",
1418 ipsec_dev->name);
1419 }
1420 }
1421 }
1422 break;
1423 case NETDEV_UP:
1424 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1425 "klips_debug:ipsec_device_event: "
1426 "NETDEV_UP dev=%s\n",
1427 dev->name);
1428 break;
1429 #ifdef NET_21
1430 case NETDEV_REBOOT:
1431 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1432 "klips_debug:ipsec_device_event: "
1433 "NETDEV_REBOOT dev=%s\n",
1434 dev->name);
1435 break;
1436 case NETDEV_CHANGE:
1437 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1438 "klips_debug:ipsec_device_event: "
1439 "NETDEV_CHANGE dev=%s flags=%x\n",
1440 dev->name,
1441 dev->flags);
1442 break;
1443 case NETDEV_REGISTER:
1444 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1445 "klips_debug:ipsec_device_event: "
1446 "NETDEV_REGISTER dev=%s\n",
1447 dev->name);
1448 break;
1449 case NETDEV_CHANGEMTU:
1450 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1451 "klips_debug:ipsec_device_event: "
1452 "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
1453 dev->name,
1454 dev->mtu);
1455 break;
1456 case NETDEV_CHANGEADDR:
1457 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1458 "klips_debug:ipsec_device_event: "
1459 "NETDEV_CHANGEADDR dev=%s\n",
1460 dev->name);
1461 break;
1462 case NETDEV_GOING_DOWN:
1463 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1464 "klips_debug:ipsec_device_event: "
1465 "NETDEV_GOING_DOWN dev=%s\n",
1466 dev->name);
1467 break;
1468 case NETDEV_CHANGENAME:
1469 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1470 "klips_debug:ipsec_device_event: "
1471 "NETDEV_CHANGENAME dev=%s\n",
1472 dev->name);
1473 break;
1474 #endif /* NET_21 */
1475 default:
1476 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1477 "klips_debug:ipsec_device_event: "
1478 "event type %ld unrecognised for dev=%s\n",
1479 event,
1480 dev->name);
1481 break;
1482 }
1483 return NOTIFY_DONE;
1484 }
1485
1486 /*
1487 * Called when an ipsec tunnel device is initialized.
1488 * The ipsec tunnel device structure is passed to us.
1489 */
1490
1491 int
1492 ipsec_tunnel_init(struct device *dev)
1493 {
1494 int i;
1495
1496 KLIPS_PRINT(debug_tunnel,
1497 "klips_debug:ipsec_tunnel_init: "
1498 "allocating %lu bytes initialising device: %s\n",
1499 (unsigned long) sizeof(struct ipsecpriv),
1500 dev->name ? dev->name : "NULL");
1501
1502 /* Add our tunnel functions to the device */
1503 dev->open = ipsec_tunnel_open;
1504 dev->stop = ipsec_tunnel_close;
1505 dev->hard_start_xmit = ipsec_tunnel_start_xmit;
1506 dev->get_stats = ipsec_tunnel_get_stats;
1507
1508 dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
1509 if (dev->priv == NULL)
1510 return -ENOMEM;
1511 memset((caddr_t)(dev->priv), 0, sizeof(struct ipsecpriv));
1512
1513 for(i = 0; i < sizeof(zeroes); i++) {
1514 ((__u8*)(zeroes))[i] = 0;
1515 }
1516
1517 #ifndef NET_21
1518 /* Initialize the tunnel device structure */
1519 for (i = 0; i < DEV_NUMBUFFS; i++)
1520 skb_queue_head_init(&dev->buffs[i]);
1521 #endif /* !NET_21 */
1522
1523 dev->set_multicast_list = NULL;
1524 dev->do_ioctl = ipsec_tunnel_ioctl;
1525 dev->hard_header = NULL;
1526 dev->rebuild_header = NULL;
1527 dev->set_mac_address = NULL;
1528 #ifndef NET_21
1529 dev->header_cache_bind = NULL;
1530 #endif /* !NET_21 */
1531 dev->header_cache_update= NULL;
1532
1533 #ifdef NET_21
1534 /* prv->neigh_setup = NULL; */
1535 dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
1536 #endif /* NET_21 */
1537 dev->hard_header_len = 0;
1538 dev->mtu = 0;
1539 dev->addr_len = 0;
1540 dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
1541 dev->tx_queue_len = 10; /* Small queue */
1542 memset((caddr_t)(dev->broadcast),0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */
1543
1544 /* New-style flags. */
1545 dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;
1546 #ifdef NET_21
1547 dev_init_buffers(dev);
1548 #else /* NET_21 */
1549 dev->family = AF_INET;
1550 dev->pa_addr = 0;
1551 dev->pa_brdaddr = 0;
1552 dev->pa_mask = 0;
1553 dev->pa_alen = 4;
1554 #endif /* NET_21 */
1555
1556 /* We're done. Have I forgotten anything? */
1557 return 0;
1558 }
1559
1560 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1561 /* Module specific interface (but it links with the rest of IPSEC) */
1562 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1563
1564 int
1565 ipsec_tunnel_probe(struct device *dev)
1566 {
1567 ipsec_tunnel_init(dev);
1568 return 0;
1569 }
1570
1571 struct device *ipsecdevices[IPSEC_NUM_IF];
1572
1573 int
1574 ipsec_tunnel_init_devices(void)
1575 {
1576 int i;
1577 char name[IFNAMSIZ];
1578 struct device *dev_ipsec;
1579
1580 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1581 "klips_debug:ipsec_tunnel_init_devices: "
1582 "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
1583 IPSEC_NUM_IF,
1584 (unsigned long) (sizeof(struct device) + IFNAMSIZ),
1585 IFNAMSIZ);
1586
1587 for(i = 0; i < IPSEC_NUM_IF; i++) {
1588 sprintf(name, IPSEC_DEV_FORMAT, i);
1589 dev_ipsec = (struct device*)kmalloc(sizeof(struct device), GFP_KERNEL);
1590 if (dev_ipsec == NULL) {
1591 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1592 "klips_debug:ipsec_tunnel_init_devices: "
1593 "failed to allocate memory for device %s, quitting device init.\n",
1594 name);
1595 return -ENOMEM;
1596 }
1597 memset((caddr_t)dev_ipsec, 0, sizeof(struct device));
1598 #ifdef NETDEV_23
1599 strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name));
1600 #else /* NETDEV_23 */
1601 dev_ipsec->name = (char*)kmalloc(IFNAMSIZ, GFP_KERNEL);
1602 if (dev_ipsec->name == NULL) {
1603 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1604 "klips_debug:ipsec_tunnel_init_devices: "
1605 "failed to allocate memory for device %s name, quitting device init.\n",
1606 name);
1607 return -ENOMEM;
1608 }
1609 memset((caddr_t)dev_ipsec->name, 0, IFNAMSIZ);
1610 strncpy(dev_ipsec->name, name, IFNAMSIZ);
1611 #endif /* NETDEV_23 */
1612 dev_ipsec->next = NULL;
1613 dev_ipsec->init = &ipsec_tunnel_probe;
1614 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1615 "klips_debug:ipsec_tunnel_init_devices: "
1616 "registering device %s\n",
1617 dev_ipsec->name);
1618
1619 /* reference and hold the device reference */
1620 dev_hold(dev_ipsec);
1621 ipsecdevices[i]=dev_ipsec;
1622
1623 if (register_netdev(dev_ipsec) != 0) {
1624 KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT,
1625 "klips_debug:ipsec_tunnel_init_devices: "
1626 "registering device %s failed, quitting device init.\n",
1627 dev_ipsec->name);
1628 return -EIO;
1629 } else {
1630 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1631 "klips_debug:ipsec_tunnel_init_devices: "
1632 "registering device %s succeeded, continuing...\n",
1633 dev_ipsec->name);
1634 }
1635 }
1636 return 0;
1637 }
1638
1639 /* void */
1640 int
1641 ipsec_tunnel_cleanup_devices(void)
1642 {
1643 int error = 0;
1644 int i;
1645 char name[32];
1646 struct device *dev_ipsec;
1647
1648 for(i = 0; i < IPSEC_NUM_IF; i++) {
1649 dev_ipsec = ipsecdevices[i];
1650 if(dev_ipsec == NULL) {
1651 continue;
1652 }
1653
1654 /* release reference */
1655 ipsecdevices[i]=NULL;
1656 ipsec_dev_put(dev_ipsec);
1657
1658 KLIPS_PRINT(debug_tunnel, "Unregistering %s (refcnt=%d)\n",
1659 name,
1660 atomic_read(&dev_ipsec->refcnt));
1661 unregister_netdev(dev_ipsec);
1662 KLIPS_PRINT(debug_tunnel, "Unregisted %s\n", name);
1663 #ifndef NETDEV_23
1664 kfree(dev_ipsec->name);
1665 dev_ipsec->name=NULL;
1666 #endif /* !NETDEV_23 */
1667 kfree(dev_ipsec->priv);
1668 dev_ipsec->priv=NULL;
1669 }
1670 return error;
1671 }
Unnamed repository; edit this file 'description' to name the repository.