Commit 4f2c17e0 authored by David S. Miller's avatar David S. Miller

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next

Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2020-01-21

1) Add support for TCP encapsulation of IKE and ESP messages,
   as defined by RFC 8229. Patchset from Sabrina Dubroca.

Please note that there is a merge conflict in:

net/unix/af_unix.c

between commit:

3c32da19 ("unix: Show number of pending scm files of receive queue in fdinfo")

from the net-next tree and commit:

b50b0580 ("net: add queue argument to __skb_wait_for_more_packets and __skb_{,try_}recv_datagram")

from the ipsec-next tree.

The conflict can be solved as done in linux-next.

Please pull or let me know if there are problems.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents d84b99ff e27cca96
...@@ -3464,7 +3464,8 @@ static inline void skb_frag_list_init(struct sk_buff *skb) ...@@ -3464,7 +3464,8 @@ static inline void skb_frag_list_init(struct sk_buff *skb)
for (iter = skb_shinfo(skb)->frag_list; iter; iter = iter->next) for (iter = skb_shinfo(skb)->frag_list; iter; iter = iter->next)
int __skb_wait_for_more_packets(struct sock *sk, int *err, long *timeo_p, int __skb_wait_for_more_packets(struct sock *sk, struct sk_buff_head *queue,
int *err, long *timeo_p,
const struct sk_buff *skb); const struct sk_buff *skb);
struct sk_buff *__skb_try_recv_from_queue(struct sock *sk, struct sk_buff *__skb_try_recv_from_queue(struct sock *sk,
struct sk_buff_head *queue, struct sk_buff_head *queue,
...@@ -3473,12 +3474,16 @@ struct sk_buff *__skb_try_recv_from_queue(struct sock *sk, ...@@ -3473,12 +3474,16 @@ struct sk_buff *__skb_try_recv_from_queue(struct sock *sk,
struct sk_buff *skb), struct sk_buff *skb),
int *off, int *err, int *off, int *err,
struct sk_buff **last); struct sk_buff **last);
struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned flags, struct sk_buff *__skb_try_recv_datagram(struct sock *sk,
struct sk_buff_head *queue,
unsigned int flags,
void (*destructor)(struct sock *sk, void (*destructor)(struct sock *sk,
struct sk_buff *skb), struct sk_buff *skb),
int *off, int *err, int *off, int *err,
struct sk_buff **last); struct sk_buff **last);
struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned flags, struct sk_buff *__skb_recv_datagram(struct sock *sk,
struct sk_buff_head *sk_queue,
unsigned int flags,
void (*destructor)(struct sock *sk, void (*destructor)(struct sock *sk,
struct sk_buff *skb), struct sk_buff *skb),
int *off, int *err); int *off, int *err);
......
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NET_ESPINTCP_H
#define _NET_ESPINTCP_H
#include <net/strparser.h>
#include <linux/skmsg.h>
void __init espintcp_init(void);
int espintcp_push_skb(struct sock *sk, struct sk_buff *skb);
int espintcp_queue_out(struct sock *sk, struct sk_buff *skb);
bool tcp_is_ulp_esp(struct sock *sk);
struct espintcp_msg {
struct sk_buff *skb;
struct sk_msg skmsg;
int offset;
int len;
};
struct espintcp_ctx {
struct strparser strp;
struct sk_buff_head ike_queue;
struct sk_buff_head out_queue;
struct espintcp_msg partial;
void (*saved_data_ready)(struct sock *sk);
void (*saved_write_space)(struct sock *sk);
struct work_struct work;
bool tx_running;
};
static inline struct espintcp_ctx *espintcp_getctx(const struct sock *sk)
{
struct inet_connection_sock *icsk = inet_csk(sk);
/* RCU is only needed for diag */
return (__force void *)icsk->icsk_ulp_data;
}
#endif
...@@ -193,6 +193,7 @@ struct xfrm_state { ...@@ -193,6 +193,7 @@ struct xfrm_state {
/* Data for encapsulator */ /* Data for encapsulator */
struct xfrm_encap_tmpl *encap; struct xfrm_encap_tmpl *encap;
struct sock __rcu *encap_sk;
/* Data for care-of address */ /* Data for care-of address */
xfrm_address_t *coaddr; xfrm_address_t *coaddr;
...@@ -1547,6 +1548,9 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload); ...@@ -1547,6 +1548,9 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload);
int xfrm_init_state(struct xfrm_state *x); int xfrm_init_state(struct xfrm_state *x);
int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type); int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type);
int xfrm_input_resume(struct sk_buff *skb, int nexthdr); int xfrm_input_resume(struct sk_buff *skb, int nexthdr);
int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
int (*finish)(struct net *, struct sock *,
struct sk_buff *));
int xfrm_trans_queue(struct sk_buff *skb, int xfrm_trans_queue(struct sk_buff *skb,
int (*finish)(struct net *, struct sock *, int (*finish)(struct net *, struct sock *,
struct sk_buff *)); struct sk_buff *));
......
...@@ -42,5 +42,6 @@ struct udphdr { ...@@ -42,5 +42,6 @@ struct udphdr {
#define UDP_ENCAP_GTP0 4 /* GSM TS 09.60 */ #define UDP_ENCAP_GTP0 4 /* GSM TS 09.60 */
#define UDP_ENCAP_GTP1U 5 /* 3GPP TS 29.060 */ #define UDP_ENCAP_GTP1U 5 /* 3GPP TS 29.060 */
#define UDP_ENCAP_RXRPC 6 #define UDP_ENCAP_RXRPC 6
#define TCP_ENCAP_ESPINTCP 7 /* Yikes, this is really xfrm encap types. */
#endif /* _UAPI_LINUX_UDP_H */ #endif /* _UAPI_LINUX_UDP_H */
...@@ -84,7 +84,8 @@ static int receiver_wake_function(wait_queue_entry_t *wait, unsigned int mode, i ...@@ -84,7 +84,8 @@ static int receiver_wake_function(wait_queue_entry_t *wait, unsigned int mode, i
/* /*
* Wait for the last received packet to be different from skb * Wait for the last received packet to be different from skb
*/ */
int __skb_wait_for_more_packets(struct sock *sk, int *err, long *timeo_p, int __skb_wait_for_more_packets(struct sock *sk, struct sk_buff_head *queue,
int *err, long *timeo_p,
const struct sk_buff *skb) const struct sk_buff *skb)
{ {
int error; int error;
...@@ -97,7 +98,7 @@ int __skb_wait_for_more_packets(struct sock *sk, int *err, long *timeo_p, ...@@ -97,7 +98,7 @@ int __skb_wait_for_more_packets(struct sock *sk, int *err, long *timeo_p,
if (error) if (error)
goto out_err; goto out_err;
if (READ_ONCE(sk->sk_receive_queue.prev) != skb) if (READ_ONCE(queue->prev) != skb)
goto out; goto out;
/* Socket shut down? */ /* Socket shut down? */
...@@ -209,6 +210,7 @@ struct sk_buff *__skb_try_recv_from_queue(struct sock *sk, ...@@ -209,6 +210,7 @@ struct sk_buff *__skb_try_recv_from_queue(struct sock *sk,
/** /**
* __skb_try_recv_datagram - Receive a datagram skbuff * __skb_try_recv_datagram - Receive a datagram skbuff
* @sk: socket * @sk: socket
* @queue: socket queue from which to receive
* @flags: MSG\_ flags * @flags: MSG\_ flags
* @destructor: invoked under the receive lock on successful dequeue * @destructor: invoked under the receive lock on successful dequeue
* @off: an offset in bytes to peek skb from. Returns an offset * @off: an offset in bytes to peek skb from. Returns an offset
...@@ -241,13 +243,14 @@ struct sk_buff *__skb_try_recv_from_queue(struct sock *sk, ...@@ -241,13 +243,14 @@ struct sk_buff *__skb_try_recv_from_queue(struct sock *sk,
* quite explicitly by POSIX 1003.1g, don't change them without having * quite explicitly by POSIX 1003.1g, don't change them without having
* the standard around please. * the standard around please.
*/ */
struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned int flags, struct sk_buff *__skb_try_recv_datagram(struct sock *sk,
struct sk_buff_head *queue,
unsigned int flags,
void (*destructor)(struct sock *sk, void (*destructor)(struct sock *sk,
struct sk_buff *skb), struct sk_buff *skb),
int *off, int *err, int *off, int *err,
struct sk_buff **last) struct sk_buff **last)
{ {
struct sk_buff_head *queue = &sk->sk_receive_queue;
struct sk_buff *skb; struct sk_buff *skb;
unsigned long cpu_flags; unsigned long cpu_flags;
/* /*
...@@ -278,7 +281,7 @@ struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned int flags, ...@@ -278,7 +281,7 @@ struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned int flags,
break; break;
sk_busy_loop(sk, flags & MSG_DONTWAIT); sk_busy_loop(sk, flags & MSG_DONTWAIT);
} while (READ_ONCE(sk->sk_receive_queue.prev) != *last); } while (READ_ONCE(queue->prev) != *last);
error = -EAGAIN; error = -EAGAIN;
...@@ -288,7 +291,9 @@ struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned int flags, ...@@ -288,7 +291,9 @@ struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned int flags,
} }
EXPORT_SYMBOL(__skb_try_recv_datagram); EXPORT_SYMBOL(__skb_try_recv_datagram);
struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags, struct sk_buff *__skb_recv_datagram(struct sock *sk,
struct sk_buff_head *sk_queue,
unsigned int flags,
void (*destructor)(struct sock *sk, void (*destructor)(struct sock *sk,
struct sk_buff *skb), struct sk_buff *skb),
int *off, int *err) int *off, int *err)
...@@ -299,15 +304,16 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags, ...@@ -299,15 +304,16 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags,
timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
do { do {
skb = __skb_try_recv_datagram(sk, flags, destructor, off, err, skb = __skb_try_recv_datagram(sk, sk_queue, flags, destructor,
&last); off, err, &last);
if (skb) if (skb)
return skb; return skb;
if (*err != -EAGAIN) if (*err != -EAGAIN)
break; break;
} while (timeo && } while (timeo &&
!__skb_wait_for_more_packets(sk, err, &timeo, last)); !__skb_wait_for_more_packets(sk, sk_queue, err,
&timeo, last));
return NULL; return NULL;
} }
...@@ -318,7 +324,8 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned int flags, ...@@ -318,7 +324,8 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned int flags,
{ {
int off = 0; int off = 0;
return __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), return __skb_recv_datagram(sk, &sk->sk_receive_queue,
flags | (noblock ? MSG_DONTWAIT : 0),
NULL, &off, err); NULL, &off, err);
} }
EXPORT_SYMBOL(skb_recv_datagram); EXPORT_SYMBOL(skb_recv_datagram);
......
...@@ -378,6 +378,17 @@ config INET_ESP_OFFLOAD ...@@ -378,6 +378,17 @@ config INET_ESP_OFFLOAD
If unsure, say N. If unsure, say N.
config INET_ESPINTCP
bool "IP: ESP in TCP encapsulation (RFC 8229)"
depends on XFRM && INET_ESP
select STREAM_PARSER
select NET_SOCK_MSG
help
Support for RFC 8229 encapsulation of ESP and IKE over
TCP/IPv4 sockets.
If unsure, say N.
config INET_IPCOMP config INET_IPCOMP
tristate "IP: IPComp transformation" tristate "IP: IPComp transformation"
select INET_XFRM_TUNNEL select INET_XFRM_TUNNEL
......
...@@ -18,6 +18,8 @@ ...@@ -18,6 +18,8 @@
#include <net/icmp.h> #include <net/icmp.h>
#include <net/protocol.h> #include <net/protocol.h>
#include <net/udp.h> #include <net/udp.h>
#include <net/tcp.h>
#include <net/espintcp.h>
#include <linux/highmem.h> #include <linux/highmem.h>
...@@ -117,6 +119,132 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp) ...@@ -117,6 +119,132 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp)
put_page(sg_page(sg)); put_page(sg_page(sg));
} }
#ifdef CONFIG_INET_ESPINTCP
struct esp_tcp_sk {
struct sock *sk;
struct rcu_head rcu;
};
static void esp_free_tcp_sk(struct rcu_head *head)
{
struct esp_tcp_sk *esk = container_of(head, struct esp_tcp_sk, rcu);
sock_put(esk->sk);
kfree(esk);
}
static struct sock *esp_find_tcp_sk(struct xfrm_state *x)
{
struct xfrm_encap_tmpl *encap = x->encap;
struct esp_tcp_sk *esk;
__be16 sport, dport;
struct sock *nsk;
struct sock *sk;
sk = rcu_dereference(x->encap_sk);
if (sk && sk->sk_state == TCP_ESTABLISHED)
return sk;
spin_lock_bh(&x->lock);
sport = encap->encap_sport;
dport = encap->encap_dport;
nsk = rcu_dereference_protected(x->encap_sk,
lockdep_is_held(&x->lock));
if (sk && sk == nsk) {
esk = kmalloc(sizeof(*esk), GFP_ATOMIC);
if (!esk) {
spin_unlock_bh(&x->lock);
return ERR_PTR(-ENOMEM);
}
RCU_INIT_POINTER(x->encap_sk, NULL);
esk->sk = sk;
call_rcu(&esk->rcu, esp_free_tcp_sk);
}
spin_unlock_bh(&x->lock);
sk = inet_lookup_established(xs_net(x), &tcp_hashinfo, x->id.daddr.a4,
dport, x->props.saddr.a4, sport, 0);
if (!sk)
return ERR_PTR(-ENOENT);
if (!tcp_is_ulp_esp(sk)) {
sock_put(sk);
return ERR_PTR(-EINVAL);
}
spin_lock_bh(&x->lock);
nsk = rcu_dereference_protected(x->encap_sk,
lockdep_is_held(&x->lock));
if (encap->encap_sport != sport ||
encap->encap_dport != dport) {
sock_put(sk);
sk = nsk ?: ERR_PTR(-EREMCHG);
} else if (sk == nsk) {
sock_put(sk);
} else {
rcu_assign_pointer(x->encap_sk, sk);
}
spin_unlock_bh(&x->lock);
return sk;
}
static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb)
{
struct sock *sk;
int err;
rcu_read_lock();
sk = esp_find_tcp_sk(x);
err = PTR_ERR_OR_ZERO(sk);
if (err)
goto out;
bh_lock_sock(sk);
if (sock_owned_by_user(sk))
err = espintcp_queue_out(sk, skb);
else
err = espintcp_push_skb(sk, skb);
bh_unlock_sock(sk);
out:
rcu_read_unlock();
return err;
}
static int esp_output_tcp_encap_cb(struct net *net, struct sock *sk,
struct sk_buff *skb)
{
struct dst_entry *dst = skb_dst(skb);
struct xfrm_state *x = dst->xfrm;
return esp_output_tcp_finish(x, skb);
}
static int esp_output_tail_tcp(struct xfrm_state *x, struct sk_buff *skb)
{
int err;
local_bh_disable();
err = xfrm_trans_queue_net(xs_net(x), skb, esp_output_tcp_encap_cb);
local_bh_enable();
/* EINPROGRESS just happens to do the right thing. It
* actually means that the skb has been consumed and
* isn't coming back.
*/
return err ?: -EINPROGRESS;
}
#else
static int esp_output_tail_tcp(struct xfrm_state *x, struct sk_buff *skb)
{
kfree_skb(skb);
return -EOPNOTSUPP;
}
#endif
static void esp_output_done(struct crypto_async_request *base, int err) static void esp_output_done(struct crypto_async_request *base, int err)
{ {
struct sk_buff *skb = base->data; struct sk_buff *skb = base->data;
...@@ -147,7 +275,11 @@ static void esp_output_done(struct crypto_async_request *base, int err) ...@@ -147,7 +275,11 @@ static void esp_output_done(struct crypto_async_request *base, int err)
secpath_reset(skb); secpath_reset(skb);
xfrm_dev_resume(skb); xfrm_dev_resume(skb);
} else { } else {
xfrm_output_resume(skb, err); if (!err &&
x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
esp_output_tail_tcp(x, skb);
else
xfrm_output_resume(skb, err);
} }
} }
...@@ -225,45 +357,100 @@ static void esp_output_fill_trailer(u8 *tail, int tfclen, int plen, __u8 proto) ...@@ -225,45 +357,100 @@ static void esp_output_fill_trailer(u8 *tail, int tfclen, int plen, __u8 proto)
tail[plen - 1] = proto; tail[plen - 1] = proto;
} }
static int esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp) static struct ip_esp_hdr *esp_output_udp_encap(struct sk_buff *skb,
int encap_type,
struct esp_info *esp,
__be16 sport,
__be16 dport)
{ {
int encap_type;
struct udphdr *uh; struct udphdr *uh;
__be32 *udpdata32; __be32 *udpdata32;
__be16 sport, dport;
struct xfrm_encap_tmpl *encap = x->encap;
struct ip_esp_hdr *esph = esp->esph;
unsigned int len; unsigned int len;
spin_lock_bh(&x->lock);
sport = encap->encap_sport;
dport = encap->encap_dport;
encap_type = encap->encap_type;
spin_unlock_bh(&x->lock);
len = skb->len + esp->tailen - skb_transport_offset(skb); len = skb->len + esp->tailen - skb_transport_offset(skb);
if (len + sizeof(struct iphdr) >= IP_MAX_MTU) if (len + sizeof(struct iphdr) > IP_MAX_MTU)
return -EMSGSIZE; return ERR_PTR(-EMSGSIZE);
uh = (struct udphdr *)esph; uh = (struct udphdr *)esp->esph;
uh->source = sport; uh->source = sport;
uh->dest = dport; uh->dest = dport;
uh->len = htons(len); uh->len = htons(len);
uh->check = 0; uh->check = 0;
*skb_mac_header(skb) = IPPROTO_UDP;
if (encap_type == UDP_ENCAP_ESPINUDP_NON_IKE) {
udpdata32 = (__be32 *)(uh + 1);
udpdata32[0] = udpdata32[1] = 0;
return (struct ip_esp_hdr *)(udpdata32 + 2);
}
return (struct ip_esp_hdr *)(uh + 1);
}
#ifdef CONFIG_INET_ESPINTCP
static struct ip_esp_hdr *esp_output_tcp_encap(struct xfrm_state *x,
struct sk_buff *skb,
struct esp_info *esp)
{
__be16 *lenp = (void *)esp->esph;
struct ip_esp_hdr *esph;
unsigned int len;
struct sock *sk;
len = skb->len + esp->tailen - skb_transport_offset(skb);
if (len > IP_MAX_MTU)
return ERR_PTR(-EMSGSIZE);
rcu_read_lock();
sk = esp_find_tcp_sk(x);
rcu_read_unlock();
if (IS_ERR(sk))
return ERR_CAST(sk);
*lenp = htons(len);
esph = (struct ip_esp_hdr *)(lenp + 1);
return esph;
}
#else
static struct ip_esp_hdr *esp_output_tcp_encap(struct xfrm_state *x,
struct sk_buff *skb,
struct esp_info *esp)
{
return ERR_PTR(-EOPNOTSUPP);
}
#endif
static int esp_output_encap(struct xfrm_state *x, struct sk_buff *skb,
struct esp_info *esp)
{
struct xfrm_encap_tmpl *encap = x->encap;
struct ip_esp_hdr *esph;
__be16 sport, dport;
int encap_type;
spin_lock_bh(&x->lock);
sport = encap->encap_sport;
dport = encap->encap_dport;
encap_type = encap->encap_type;
spin_unlock_bh(&x->lock);
switch (encap_type) { switch (encap_type) {
default: default:
case UDP_ENCAP_ESPINUDP: case UDP_ENCAP_ESPINUDP:
esph = (struct ip_esp_hdr *)(uh + 1);
break;
case UDP_ENCAP_ESPINUDP_NON_IKE: case UDP_ENCAP_ESPINUDP_NON_IKE:
udpdata32 = (__be32 *)(uh + 1); esph = esp_output_udp_encap(skb, encap_type, esp, sport, dport);
udpdata32[0] = udpdata32[1] = 0; break;
esph = (struct ip_esp_hdr *)(udpdata32 + 2); case TCP_ENCAP_ESPINTCP:
esph = esp_output_tcp_encap(x, skb, esp);
break; break;
} }
*skb_mac_header(skb) = IPPROTO_UDP; if (IS_ERR(esph))
return PTR_ERR(esph);
esp->esph = esph; esp->esph = esph;
return 0; return 0;
...@@ -279,9 +466,9 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * ...@@ -279,9 +466,9 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
struct sk_buff *trailer; struct sk_buff *trailer;
int tailen = esp->tailen; int tailen = esp->tailen;
/* this is non-NULL only with UDP Encapsulation */ /* this is non-NULL only with TCP/UDP Encapsulation */
if (x->encap) { if (x->encap) {
int err = esp_output_udp_encap(x, skb, esp); int err = esp_output_encap(x, skb, esp);
if (err < 0) if (err < 0)
return err; return err;
...@@ -474,6 +661,9 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * ...@@ -474,6 +661,9 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
if (sg != dsg) if (sg != dsg)
esp_ssg_unref(x, tmp); esp_ssg_unref(x, tmp);
if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
err = esp_output_tail_tcp(x, skb);
error_free: error_free:
kfree(tmp); kfree(tmp);
error: error:
...@@ -600,7 +790,23 @@ int esp_input_done2(struct sk_buff *skb, int err) ...@@ -600,7 +790,23 @@ int esp_input_done2(struct sk_buff *skb, int err)
if (x->encap) { if (x->encap) {
struct xfrm_encap_tmpl *encap = x->encap; struct xfrm_encap_tmpl *encap = x->encap;
struct tcphdr *th = (void *)(skb_network_header(skb) + ihl);
struct udphdr *uh = (void *)(skb_network_header(skb) + ihl); struct udphdr *uh = (void *)(skb_network_header(skb) + ihl);
__be16 source;
switch (x->encap->encap_type) {
case TCP_ENCAP_ESPINTCP:
source = th->source;
break;
case UDP_ENCAP_ESPINUDP:
case UDP_ENCAP_ESPINUDP_NON_IKE:
source = uh->source;
break;
default:
WARN_ON_ONCE(1);
err = -EINVAL;
goto out;
}
/* /*
* 1) if the NAT-T peer's IP or port changed then * 1) if the NAT-T peer's IP or port changed then
...@@ -609,11 +815,11 @@ int esp_input_done2(struct sk_buff *skb, int err) ...@@ -609,11 +815,11 @@ int esp_input_done2(struct sk_buff *skb, int err)
* SRC ports. * SRC ports.
*/ */
if (iph->saddr != x->props.saddr.a4 || if (iph->saddr != x->props.saddr.a4 ||
uh->source != encap->encap_sport) { source != encap->encap_sport) {
xfrm_address_t ipaddr; xfrm_address_t ipaddr;
ipaddr.a4 = iph->saddr; ipaddr.a4 = iph->saddr;
km_new_mapping(x, &ipaddr, uh->source); km_new_mapping(x, &ipaddr, source);
/* XXX: perhaps add an extra /* XXX: perhaps add an extra
* policy check here, to see * policy check here, to see
...@@ -988,6 +1194,14 @@ static int esp_init_state(struct xfrm_state *x) ...@@ -988,6 +1194,14 @@ static int esp_init_state(struct xfrm_state *x)
case UDP_ENCAP_ESPINUDP_NON_IKE: case UDP_ENCAP_ESPINUDP_NON_IKE:
x->props.header_len += sizeof(struct udphdr) + 2 * sizeof(u32); x->props.header_len += sizeof(struct udphdr) + 2 * sizeof(u32);
break; break;
#ifdef CONFIG_INET_ESPINTCP
case TCP_ENCAP_ESPINTCP:
/* only the length field, TCP encap is done by
* the socket
*/
x->props.header_len += 2;
break;
#endif
} }
} }
......
...@@ -1708,7 +1708,8 @@ struct sk_buff *__skb_recv_udp(struct sock *sk, unsigned int flags, ...@@ -1708,7 +1708,8 @@ struct sk_buff *__skb_recv_udp(struct sock *sk, unsigned int flags,
/* sk_queue is empty, reader_queue may contain peeked packets */ /* sk_queue is empty, reader_queue may contain peeked packets */
} while (timeo && } while (timeo &&
!__skb_wait_for_more_packets(sk, &error, &timeo, !__skb_wait_for_more_packets(sk, &sk->sk_receive_queue,
&error, &timeo,
(struct sk_buff *)sk_queue)); (struct sk_buff *)sk_queue));
*err = error; *err = error;
......
...@@ -72,6 +72,14 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, ...@@ -72,6 +72,14 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
if (!head) if (!head)
goto out; goto out;
if (!skb_dst(skb)) {
const struct iphdr *iph = ip_hdr(skb);
if (ip_route_input_noref(skb, iph->daddr, iph->saddr,
iph->tos, skb->dev))
goto drop;
}
for_each_protocol_rcu(*head, handler) for_each_protocol_rcu(*head, handler)
if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL) if ((ret = handler->input_handler(skb, nexthdr, spi, encap_type)) != -EINVAL)
return ret; return ret;
...@@ -79,6 +87,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, ...@@ -79,6 +87,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
out: out:
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0); icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
drop:
kfree_skb(skb); kfree_skb(skb);
return 0; return 0;
} }
......
...@@ -2100,8 +2100,8 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, ...@@ -2100,8 +2100,8 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
mutex_lock(&u->iolock); mutex_lock(&u->iolock);
skip = sk_peek_offset(sk, flags); skip = sk_peek_offset(sk, flags);
skb = __skb_try_recv_datagram(sk, flags, scm_stat_del, skb = __skb_try_recv_datagram(sk, &sk->sk_receive_queue, flags,
&skip, &err, &last); scm_stat_del, &skip, &err, &last);
if (skb) if (skb)
break; break;
...@@ -2110,7 +2110,8 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, ...@@ -2110,7 +2110,8 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
if (err != -EAGAIN) if (err != -EAGAIN)
break; break;
} while (timeo && } while (timeo &&
!__skb_wait_for_more_packets(sk, &err, &timeo, last)); !__skb_wait_for_more_packets(sk, &sk->sk_receive_queue,
&err, &timeo, last));
if (!skb) { /* implies iolock unlocked */ if (!skb) { /* implies iolock unlocked */
unix_state_lock(sk); unix_state_lock(sk);
......
...@@ -11,3 +11,4 @@ obj-$(CONFIG_XFRM_ALGO) += xfrm_algo.o ...@@ -11,3 +11,4 @@ obj-$(CONFIG_XFRM_ALGO) += xfrm_algo.o
obj-$(CONFIG_XFRM_USER) += xfrm_user.o obj-$(CONFIG_XFRM_USER) += xfrm_user.o
obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
obj-$(CONFIG_XFRM_INTERFACE) += xfrm_interface.o obj-$(CONFIG_XFRM_INTERFACE) += xfrm_interface.o
obj-$(CONFIG_INET_ESPINTCP) += espintcp.o
This diff is collapsed.
...@@ -36,6 +36,7 @@ struct xfrm_trans_cb { ...@@ -36,6 +36,7 @@ struct xfrm_trans_cb {
#endif #endif
} header; } header;
int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb); int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb);
struct net *net;
}; };
#define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0])) #define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0]))
...@@ -766,12 +767,13 @@ static void xfrm_trans_reinject(unsigned long data) ...@@ -766,12 +767,13 @@ static void xfrm_trans_reinject(unsigned long data)
skb_queue_splice_init(&trans->queue, &queue); skb_queue_splice_init(&trans->queue, &queue);
while ((skb = __skb_dequeue(&queue))) while ((skb = __skb_dequeue(&queue)))
XFRM_TRANS_SKB_CB(skb)->finish(dev_net(skb->dev), NULL, skb); XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
NULL, skb);
} }
int xfrm_trans_queue(struct sk_buff *skb, int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
int (*finish)(struct net *, struct sock *, int (*finish)(struct net *, struct sock *,
struct sk_buff *)) struct sk_buff *))
{ {
struct xfrm_trans_tasklet *trans; struct xfrm_trans_tasklet *trans;
...@@ -780,11 +782,22 @@ int xfrm_trans_queue(struct sk_buff *skb, ...@@ -780,11 +782,22 @@ int xfrm_trans_queue(struct sk_buff *skb,
if (skb_queue_len(&trans->queue) >= netdev_max_backlog) if (skb_queue_len(&trans->queue) >= netdev_max_backlog)
return -ENOBUFS; return -ENOBUFS;
BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
XFRM_TRANS_SKB_CB(skb)->finish = finish; XFRM_TRANS_SKB_CB(skb)->finish = finish;
XFRM_TRANS_SKB_CB(skb)->net = net;
__skb_queue_tail(&trans->queue, skb); __skb_queue_tail(&trans->queue, skb);
tasklet_schedule(&trans->tasklet); tasklet_schedule(&trans->tasklet);
return 0; return 0;
} }
EXPORT_SYMBOL(xfrm_trans_queue_net);
int xfrm_trans_queue(struct sk_buff *skb,
int (*finish)(struct net *, struct sock *,
struct sk_buff *))
{
return xfrm_trans_queue_net(dev_net(skb->dev), skb, finish);
}
EXPORT_SYMBOL(xfrm_trans_queue); EXPORT_SYMBOL(xfrm_trans_queue);
void __init xfrm_input_init(void) void __init xfrm_input_init(void)
......
...@@ -39,6 +39,9 @@ ...@@ -39,6 +39,9 @@
#ifdef CONFIG_XFRM_STATISTICS #ifdef CONFIG_XFRM_STATISTICS
#include <net/snmp.h> #include <net/snmp.h>
#endif #endif
#ifdef CONFIG_INET_ESPINTCP
#include <net/espintcp.h>
#endif
#include "xfrm_hash.h" #include "xfrm_hash.h"
...@@ -4157,6 +4160,10 @@ void __init xfrm_init(void) ...@@ -4157,6 +4160,10 @@ void __init xfrm_init(void)
seqcount_init(&xfrm_policy_hash_generation); seqcount_init(&xfrm_policy_hash_generation);
xfrm_input_init(); xfrm_input_init();
#ifdef CONFIG_INET_ESPINTCP
espintcp_init();
#endif
RCU_INIT_POINTER(xfrm_if_cb, NULL); RCU_INIT_POINTER(xfrm_if_cb, NULL);
synchronize_rcu(); synchronize_rcu();
} }
......
...@@ -670,6 +670,9 @@ int __xfrm_state_delete(struct xfrm_state *x) ...@@ -670,6 +670,9 @@ int __xfrm_state_delete(struct xfrm_state *x)
net->xfrm.state_num--; net->xfrm.state_num--;
spin_unlock(&net->xfrm.xfrm_state_lock); spin_unlock(&net->xfrm.xfrm_state_lock);
if (x->encap_sk)
sock_put(rcu_dereference_raw(x->encap_sk));
xfrm_dev_state_delete(x); xfrm_dev_state_delete(x);
/* All xfrm_state objects are created by xfrm_state_alloc. /* All xfrm_state objects are created by xfrm_state_alloc.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment