* IPv6 support
* YOSHIFUJI Hideaki @USAGI
* Split up af-specific portion
- *
+ *
*/
#include <net/xfrm.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>
+#include <linux/netfilter_ipv6.h>
+#include <net/dsfield.h>
#include <net/ipv6.h>
#include <net/addrconf.h>
-static struct xfrm_state_afinfo xfrm6_state_afinfo;
-
static void
__xfrm6_init_tempsel(struct xfrm_state *x, struct flowi *fl,
struct xfrm_tmpl *tmpl,
ipv6_addr_copy((struct in6_addr *)&x->sel.daddr, &fl->fl6_dst);
ipv6_addr_copy((struct in6_addr *)&x->sel.saddr, &fl->fl6_src);
x->sel.dport = xfrm_flowi_dport(fl);
- x->sel.dport_mask = ~0;
+ x->sel.dport_mask = htons(0xffff);
x->sel.sport = xfrm_flowi_sport(fl);
- x->sel.sport_mask = ~0;
+ x->sel.sport_mask = htons(0xffff);
+ x->sel.family = AF_INET6;
x->sel.prefixlen_d = 128;
x->sel.prefixlen_s = 128;
x->sel.proto = fl->proto;
memcpy(&x->props.saddr, &tmpl->saddr, sizeof(x->props.saddr));
if (ipv6_addr_any((struct in6_addr*)&x->props.saddr))
memcpy(&x->props.saddr, saddr, sizeof(x->props.saddr));
- if (tmpl->mode == XFRM_MODE_TUNNEL && ipv6_addr_any((struct in6_addr*)&x->props.saddr)) {
- struct rt6_info *rt;
- struct flowi fl_tunnel = {
- .nl_u = {
- .ip6_u = {
- .daddr = *(struct in6_addr *)daddr,
- }
- }
- };
- if (!xfrm_dst_lookup((struct xfrm_dst **)&rt,
- &fl_tunnel, AF_INET6)) {
- ipv6_get_saddr(&rt->u.dst, (struct in6_addr *)daddr,
- (struct in6_addr *)&x->props.saddr);
- dst_release(&rt->u.dst);
- }
- }
x->props.mode = tmpl->mode;
x->props.reqid = tmpl->reqid;
x->props.family = AF_INET6;
}
-static struct xfrm_state *
-__xfrm6_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
- u8 proto)
+/* distribution counting sort function for xfrm_state and xfrm_tmpl */
+static int
+__xfrm6_sort(void **dst, void **src, int n, int (*cmp)(void *p), int maxclass)
{
- struct xfrm_state *x = NULL;
- unsigned h;
+ int i;
+ int class[XFRM_MAX_DEPTH];
+ int count[maxclass];
+
+ memset(count, 0, sizeof(count));
- h = __xfrm6_src_hash(saddr);
- list_for_each_entry(x, xfrm6_state_afinfo.state_bysrc+h, bysrc) {
- if (x->props.family == AF_INET6 &&
- ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)x->id.daddr.a6) &&
- ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)x->props.saddr.a6) &&
- proto == x->id.proto) {
- xfrm_state_hold(x);
- return x;
- }
+ for (i = 0; i < n; i++) {
+ int c;
+ class[i] = c = cmp(src[i]);
+ count[c]++;
}
- return NULL;
-}
-static struct xfrm_state *
-__xfrm6_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto)
-{
- unsigned h = __xfrm6_spi_hash(daddr, spi, proto);
- struct xfrm_state *x;
+ for (i = 2; i < maxclass; i++)
+ count[i] += count[i - 1];
- list_for_each_entry(x, xfrm6_state_afinfo.state_byspi+h, byspi) {
- if (x->props.family == AF_INET6 &&
- spi == x->id.spi &&
- ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)x->id.daddr.a6) &&
- proto == x->id.proto) {
- xfrm_state_hold(x);
- return x;
- }
+ for (i = 0; i < n; i++) {
+ dst[count[class[i] - 1]++] = src[i];
+ src[i] = NULL;
}
- return NULL;
+
+ return 0;
}
-static struct xfrm_state *
-__xfrm6_find_acq(u8 mode, u32 reqid, u8 proto,
- xfrm_address_t *daddr, xfrm_address_t *saddr,
- int create)
+/*
+ * Rule for xfrm_state:
+ *
+ * rule 1: select IPsec transport except AH
+ * rule 2: select MIPv6 RO or inbound trigger
+ * rule 3: select IPsec transport AH
+ * rule 4: select IPsec tunnel
+ * rule 5: others
+ */
+static int __xfrm6_state_sort_cmp(void *p)
{
- struct xfrm_state *x, *x0;
- unsigned h = __xfrm6_dst_hash(daddr);
-
- x0 = NULL;
-
- list_for_each_entry(x, xfrm6_state_afinfo.state_bydst+h, bydst) {
- if (x->props.family == AF_INET6 &&
- ipv6_addr_equal((struct in6_addr *)daddr, (struct in6_addr *)x->id.daddr.a6) &&
- mode == x->props.mode &&
- proto == x->id.proto &&
- ipv6_addr_equal((struct in6_addr *)saddr, (struct in6_addr *)x->props.saddr.a6) &&
- reqid == x->props.reqid &&
- x->km.state == XFRM_STATE_ACQ &&
- !x->id.spi) {
- x0 = x;
- break;
- }
- }
- if (!x0 && create && (x0 = xfrm_state_alloc()) != NULL) {
- ipv6_addr_copy((struct in6_addr *)x0->sel.daddr.a6,
- (struct in6_addr *)daddr);
- ipv6_addr_copy((struct in6_addr *)x0->sel.saddr.a6,
- (struct in6_addr *)saddr);
- x0->sel.prefixlen_d = 128;
- x0->sel.prefixlen_s = 128;
- ipv6_addr_copy((struct in6_addr *)x0->props.saddr.a6,
- (struct in6_addr *)saddr);
- x0->km.state = XFRM_STATE_ACQ;
- ipv6_addr_copy((struct in6_addr *)x0->id.daddr.a6,
- (struct in6_addr *)daddr);
- x0->id.proto = proto;
- x0->props.family = AF_INET6;
- x0->props.mode = mode;
- x0->props.reqid = reqid;
- x0->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
- xfrm_state_hold(x0);
- x0->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
- add_timer(&x0->timer);
- xfrm_state_hold(x0);
- list_add_tail(&x0->bydst, xfrm6_state_afinfo.state_bydst+h);
- h = __xfrm6_src_hash(saddr);
- xfrm_state_hold(x0);
- list_add_tail(&x0->bysrc, xfrm6_state_afinfo.state_bysrc+h);
- wake_up(&km_waitq);
+ struct xfrm_state *v = p;
+
+ switch (v->props.mode) {
+ case XFRM_MODE_TRANSPORT:
+ if (v->id.proto != IPPROTO_AH)
+ return 1;
+ else
+ return 3;
+#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
+ case XFRM_MODE_ROUTEOPTIMIZATION:
+ case XFRM_MODE_IN_TRIGGER:
+ return 2;
+#endif
+ case XFRM_MODE_TUNNEL:
+ case XFRM_MODE_BEET:
+ return 4;
}
- if (x0)
- xfrm_state_hold(x0);
- return x0;
+ return 5;
}
static int
__xfrm6_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n)
{
- int i;
- int j = 0;
-
- /* Rule 1: select IPsec transport except AH */
- for (i = 0; i < n; i++) {
- if (src[i]->props.mode == XFRM_MODE_TRANSPORT &&
- src[i]->id.proto != IPPROTO_AH) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
- }
- if (j == n)
- goto end;
-
- /* XXX: Rule 2: select MIPv6 RO or inbound trigger */
-
- /* Rule 3: select IPsec transport AH */
- for (i = 0; i < n; i++) {
- if (src[i] &&
- src[i]->props.mode == XFRM_MODE_TRANSPORT &&
- src[i]->id.proto == IPPROTO_AH) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
- }
- if (j == n)
- goto end;
-
- /* Rule 4: select IPsec tunnel */
- for (i = 0; i < n; i++) {
- if (src[i] &&
- src[i]->props.mode == XFRM_MODE_TUNNEL) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
- }
- if (likely(j == n))
- goto end;
+ return __xfrm6_sort((void **)dst, (void **)src, n,
+ __xfrm6_state_sort_cmp, 6);
+}
- /* Final rule */
- for (i = 0; i < n; i++) {
- if (src[i]) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
+/*
+ * Rule for xfrm_tmpl:
+ *
+ * rule 1: select IPsec transport
+ * rule 2: select MIPv6 RO or inbound trigger
+ * rule 3: select IPsec tunnel
+ * rule 4: others
+ */
+static int __xfrm6_tmpl_sort_cmp(void *p)
+{
+ struct xfrm_tmpl *v = p;
+ switch (v->mode) {
+ case XFRM_MODE_TRANSPORT:
+ return 1;
+#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
+ case XFRM_MODE_ROUTEOPTIMIZATION:
+ case XFRM_MODE_IN_TRIGGER:
+ return 2;
+#endif
+ case XFRM_MODE_TUNNEL:
+ case XFRM_MODE_BEET:
+ return 3;
}
-
- end:
- return 0;
+ return 4;
}
static int
__xfrm6_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n)
{
- int i;
- int j = 0;
-
- /* Rule 1: select IPsec transport */
- for (i = 0; i < n; i++) {
- if (src[i]->mode == XFRM_MODE_TRANSPORT) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
- }
- if (j == n)
- goto end;
-
- /* XXX: Rule 2: select MIPv6 RO or inbound trigger */
+ return __xfrm6_sort((void **)dst, (void **)src, n,
+ __xfrm6_tmpl_sort_cmp, 5);
+}
- /* Rule 3: select IPsec tunnel */
- for (i = 0; i < n; i++) {
- if (src[i] &&
- src[i]->mode == XFRM_MODE_TUNNEL) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
- }
- if (likely(j == n))
- goto end;
+int xfrm6_extract_header(struct sk_buff *skb)
+{
+ struct ipv6hdr *iph = ipv6_hdr(skb);
- /* Final rule */
- for (i = 0; i < n; i++) {
- if (src[i]) {
- dst[j++] = src[i];
- src[i] = NULL;
- }
- }
+ XFRM_MODE_SKB_CB(skb)->ihl = sizeof(*iph);
+ XFRM_MODE_SKB_CB(skb)->id = 0;
+ XFRM_MODE_SKB_CB(skb)->frag_off = htons(IP_DF);
+ XFRM_MODE_SKB_CB(skb)->tos = ipv6_get_dsfield(iph);
+ XFRM_MODE_SKB_CB(skb)->ttl = iph->hop_limit;
+ XFRM_MODE_SKB_CB(skb)->optlen = 0;
+ memcpy(XFRM_MODE_SKB_CB(skb)->flow_lbl, iph->flow_lbl,
+ sizeof(XFRM_MODE_SKB_CB(skb)->flow_lbl));
- end:
return 0;
}
static struct xfrm_state_afinfo xfrm6_state_afinfo = {
.family = AF_INET6,
+ .proto = IPPROTO_IPV6,
+ .eth_proto = htons(ETH_P_IPV6),
+ .owner = THIS_MODULE,
.init_tempsel = __xfrm6_init_tempsel,
- .state_lookup = __xfrm6_state_lookup,
- .state_lookup_byaddr = __xfrm6_state_lookup_byaddr,
- .find_acq = __xfrm6_find_acq,
.tmpl_sort = __xfrm6_tmpl_sort,
.state_sort = __xfrm6_state_sort,
+ .output = xfrm6_output,
+ .extract_input = xfrm6_extract_input,
+ .extract_output = xfrm6_extract_output,
+ .transport_finish = xfrm6_transport_finish,
};
-void __init xfrm6_state_init(void)
+int __init xfrm6_state_init(void)
{
- xfrm_state_register_afinfo(&xfrm6_state_afinfo);
+ return xfrm_state_register_afinfo(&xfrm6_state_afinfo);
}
void xfrm6_state_fini(void)