summaryrefslogtreecommitdiff
path: root/linux/net/ipsec/ipsec_tunnel.c
diff options
context:
space:
mode:
Diffstat (limited to 'linux/net/ipsec/ipsec_tunnel.c')
-rw-r--r--linux/net/ipsec/ipsec_tunnel.c1671
1 files changed, 1671 insertions, 0 deletions
diff --git a/linux/net/ipsec/ipsec_tunnel.c b/linux/net/ipsec/ipsec_tunnel.c
new file mode 100644
index 000000000..de86843bb
--- /dev/null
+++ b/linux/net/ipsec/ipsec_tunnel.c
@@ -0,0 +1,1671 @@
+/*
+ * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
+ * Copyright (C) 1996, 1997 John Ioannidis.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.4 2005/06/16 21:21:02 as Exp $";
+
+#define __NO_VERSION__
+#include <linux/module.h>
+#include <linux/config.h> /* for CONFIG_IP_FORWARD */
+#include <linux/version.h>
+#include <linux/kernel.h> /* printk() */
+
+#include "freeswan/ipsec_param.h"
+
+#ifdef MALLOC_SLAB
+# include <linux/slab.h> /* kmalloc() */
+#else /* MALLOC_SLAB */
+# include <linux/malloc.h> /* kmalloc() */
+#endif /* MALLOC_SLAB */
+#include <linux/errno.h> /* error codes */
+#include <linux/types.h> /* size_t */
+#include <linux/interrupt.h> /* mark_bh */
+
+#include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
+#include <linux/etherdevice.h> /* eth_type_trans */
+#include <linux/ip.h> /* struct iphdr */
+#include <linux/tcp.h> /* struct tcphdr */
+#include <linux/udp.h> /* struct udphdr */
+#include <linux/skbuff.h>
+#include <freeswan.h>
+#ifdef NET_21
+# include <asm/uaccess.h>
+# include <linux/in6.h>
+# define ip_chk_addr inet_addr_type
+# define IS_MYADDR RTN_LOCAL
+# include <net/dst.h>
+# undef dev_kfree_skb
+# define dev_kfree_skb(a,b) kfree_skb(a)
+# define PHYSDEV_TYPE
+#endif /* NET_21 */
+#include <asm/checksum.h>
+#include <net/icmp.h> /* icmp_send() */
+#include <net/ip.h>
+#ifdef NETDEV_23
+# include <linux/netfilter_ipv4.h>
+#endif /* NETDEV_23 */
+
+#include <linux/if_arp.h>
+
+#include "freeswan/radij.h"
+#include "freeswan/ipsec_life.h"
+#include "freeswan/ipsec_xform.h"
+#include "freeswan/ipsec_eroute.h"
+#include "freeswan/ipsec_encap.h"
+#include "freeswan/ipsec_radij.h"
+#include "freeswan/ipsec_sa.h"
+#include "freeswan/ipsec_tunnel.h"
+#include "freeswan/ipsec_xmit.h"
+#include "freeswan/ipsec_ipe4.h"
+#include "freeswan/ipsec_ah.h"
+#include "freeswan/ipsec_esp.h"
+
+#include <pfkeyv2.h>
+#include <pfkey.h>
+
+#include "freeswan/ipsec_proto.h"
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+#include <linux/udp.h>
+#endif
+
+static __u32 zeroes[64];
+
+#ifdef CONFIG_IPSEC_DEBUG
+int debug_tunnel = 0;
+#endif /* CONFIG_IPSEC_DEBUG */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_open(struct device *dev)
+{
+ struct ipsecpriv *prv = dev->priv;
+
+ /*
+ * Can't open until attached.
+ */
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_open: "
+ "dev = %s, prv->dev = %s\n",
+ dev->name, prv->dev?prv->dev->name:"NONE");
+
+ if (prv->dev == NULL)
+ return -ENODEV;
+
+ MOD_INC_USE_COUNT;
+ return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_close(struct device *dev)
+{
+ MOD_DEC_USE_COUNT;
+ return 0;
+}
+
+#ifdef NETDEV_23
+static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
+{
+#ifdef NETDEV_25 /* 2.6 kernels */
+ return dst_output(skb);
+#else
+ return ip_send(skb);
+#endif
+}
+#endif /* NETDEV_23 */
+
+enum ipsec_xmit_value
+ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs)
+{
+ /* ixs->physdev->hard_header_len is unreliable and should not be used */
+ ixs->hard_header_len = (unsigned char *)(ixs->iph) - ixs->skb->data;
+
+ if(ixs->hard_header_len < 0) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_error:ipsec_xmit_strip_hard_header: "
+ "Negative hard_header_len (%d)?!\n", ixs->hard_header_len);
+ ixs->stats->tx_dropped++;
+ return IPSEC_XMIT_BADHHLEN;
+ }
+
+ /* while ixs->physdev->hard_header_len is unreliable and
+ * should not be trusted, it accurate and required for ATM, GRE and
+ * some other interfaces to work. Thanks to Willy Tarreau
+ * <willy@w.ods.org>.
+ */
+ if(ixs->hard_header_len == 0) { /* no hard header present */
+ ixs->hard_header_stripped = 1;
+ ixs->hard_header_len = ixs->physdev->hard_header_len;
+ }
+
+#ifdef CONFIG_IPSEC_DEBUG
+ if (debug_tunnel & DB_TN_XMIT) {
+ int i;
+ char c;
+
+ printk(KERN_INFO "klips_debug:ipsec_xmit_strip_hard_header: "
+ ">>> skb->len=%ld hard_header_len:%d",
+ (unsigned long int)ixs->skb->len, ixs->hard_header_len);
+ c = ' ';
+ for (i=0; i < ixs->hard_header_len; i++) {
+ printk("%c%02x", c, ixs->skb->data[i]);
+ c = ':';
+ }
+ printk(" \n");
+ }
+#endif /* CONFIG_IPSEC_DEBUG */
+
+ KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+ "klips_debug:ipsec_xmit_strip_hard_header: "
+ "Original head,tailroom: %d,%d\n",
+ skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
+
+ return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_tunnel_SAlookup(struct ipsec_xmit_state *ixs)
+{
+ /*
+ * First things first -- look us up in the erouting tables.
+ */
+ ixs->matcher.sen_len = sizeof (struct sockaddr_encap);
+ ixs->matcher.sen_family = AF_ENCAP;
+ ixs->matcher.sen_type = SENT_IP4;
+ ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
+ ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
+ ixs->matcher.sen_proto = ixs->iph->protocol;
+ ipsec_extract_ports(ixs->iph, &ixs->matcher);
+
+ /*
+ * The spinlock is to prevent any other process from accessing or deleting
+ * the eroute while we are using and updating it.
+ */
+ spin_lock(&eroute_lock);
+
+ ixs->eroute = ipsec_findroute(&ixs->matcher);
+
+ if(ixs->iph->protocol == IPPROTO_UDP) {
+ if(ixs->skb->sk) {
+ ixs->sport=ntohs(ixs->skb->sk->sport);
+ ixs->dport=ntohs(ixs->skb->sk->dport);
+ } else if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
+ ((ixs->skb->len - ixs->hard_header_len) >=
+ ((ixs->iph->ihl << 2) + sizeof(struct udphdr)))) {
+ ixs->sport=ntohs(((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)))->source);
+ ixs->dport=ntohs(((struct udphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl<<2)))->dest);
+ } else {
+ ixs->sport=0; ixs->dport=0;
+ }
+ }
+
+ /* default to a %drop eroute */
+ ixs->outgoing_said.proto = IPPROTO_INT;
+ ixs->outgoing_said.spi = htonl(SPI_DROP);
+ ixs->outgoing_said.dst.s_addr = INADDR_ANY;
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_SAlookup: "
+ "checking for local udp/500 IKE packet "
+ "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
+ ntohl((unsigned int)ixs->iph->saddr),
+ ixs->eroute,
+ ntohl((unsigned int)ixs->iph->daddr),
+ ixs->eroute ? ntohl((unsigned int)ixs->eroute->er_said.dst.s_addr) : 0,
+ ixs->iph->protocol,
+ ixs->sport,
+ ixs->dport);
+
+ /*
+ * Quick cheat for now...are we udp/500 or udp/4500? If so, let it through
+ * without interference since it is most likely an IKE packet.
+ */
+
+ if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
+ && (!ixs->eroute
+ || ixs->iph->daddr == ixs->eroute->er_said.dst.s_addr
+ || INADDR_ANY == ixs->eroute->er_said.dst.s_addr)
+ && ((ixs->sport == 500) || (ixs->sport == 4500))) {
+ /* Whatever the eroute, this is an IKE message
+ * from us (i.e. not being forwarded).
+ * Furthermore, if there is a tunnel eroute,
+ * the destination is the peer for this eroute.
+ * So %pass the packet: modify the default %drop.
+ */
+ ixs->outgoing_said.spi = htonl(SPI_PASS);
+ if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_SAlookup: "
+ "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
+ }
+ } else if (ixs->eroute) {
+ ixs->eroute->er_count++;
+ ixs->eroute->er_lasttime = jiffies/HZ;
+ if(ixs->eroute->er_said.proto==IPPROTO_INT
+ && ixs->eroute->er_said.spi==htonl(SPI_HOLD)) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_SAlookup: "
+ "shunt SA of HOLD: skb stored in HOLD.\n");
+ if(ixs->eroute->er_last != NULL) {
+ kfree_skb(ixs->eroute->er_last);
+ }
+ ixs->eroute->er_last = ixs->skb;
+ ixs->skb = NULL;
+ ixs->stats->tx_dropped++;
+ spin_unlock(&eroute_lock);
+ return IPSEC_XMIT_STOLEN;
+ }
+ ixs->outgoing_said = ixs->eroute->er_said;
+ ixs->eroute_pid = ixs->eroute->er_pid;
+ /* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
+ if(ixs->outgoing_said.proto==IPPROTO_INT
+ && (ixs->outgoing_said.spi==htonl(SPI_TRAP)
+ || (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) {
+ int len;
+
+ ixs->ips.ips_ident_s.type = ixs->eroute->er_ident_s.type;
+ ixs->ips.ips_ident_s.id = ixs->eroute->er_ident_s.id;
+ ixs->ips.ips_ident_s.len = ixs->eroute->er_ident_s.len;
+ if (ixs->ips.ips_ident_s.len) {
+ len = ixs->ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_SAlookup: "
+ "allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n",
+ len);
+ if ((ixs->ips.ips_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
+ printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
+ "Failed, tried to allocate %d bytes for source ident.\n",
+ len);
+ ixs->stats->tx_dropped++;
+ spin_unlock(&eroute_lock);
+ return IPSEC_XMIT_ERRMEMALLOC;
+ }
+ memcpy(ixs->ips.ips_ident_s.data, ixs->eroute->er_ident_s.data, len);
+ }
+ ixs->ips.ips_ident_d.type = ixs->eroute->er_ident_d.type;
+ ixs->ips.ips_ident_d.id = ixs->eroute->er_ident_d.id;
+ ixs->ips.ips_ident_d.len = ixs->eroute->er_ident_d.len;
+ if (ixs->ips.ips_ident_d.len) {
+ len = ixs->ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_SAlookup: "
+ "allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n",
+ len);
+ if ((ixs->ips.ips_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
+ printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
+ "Failed, tried to allocate %d bytes for dest ident.\n",
+ len);
+ ixs->stats->tx_dropped++;
+ spin_unlock(&eroute_lock);
+ return IPSEC_XMIT_ERRMEMALLOC;
+ }
+ memcpy(ixs->ips.ips_ident_d.data, ixs->eroute->er_ident_d.data, len);
+ }
+ }
+ }
+
+ spin_unlock(&eroute_lock);
+ return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_tunnel_restore_hard_header(struct ipsec_xmit_state*ixs)
+{
+ KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+ "klips_debug:ipsec_xmit_restore_hard_header: "
+ "After recursive xforms -- head,tailroom: %d,%d\n",
+ skb_headroom(ixs->skb),
+ skb_tailroom(ixs->skb));
+
+ if(ixs->saved_header) {
+ if(skb_headroom(ixs->skb) < ixs->hard_header_len) {
+ printk(KERN_WARNING
+ "klips_error:ipsec_xmit_restore_hard_header: "
+ "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
+ ixs->hard_header_len,
+ skb_headroom(ixs->skb));
+ ixs->stats->tx_errors++;
+ return IPSEC_XMIT_PUSHPULLERR;
+
+ }
+ skb_push(ixs->skb, ixs->hard_header_len);
+ {
+ int i;
+ for (i = 0; i < ixs->hard_header_len; i++) {
+ ixs->skb->data[i] = ixs->saved_header[i];
+ }
+ }
+ }
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+ if (ixs->natt_type && ixs->natt_head) {
+ struct iphdr *ipp = ixs->skb->nh.iph;
+ struct udphdr *udp;
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_tunnel_start_xmit: "
+ "encapsulating packet into UDP (NAT-Traversal) (%d %d)\n",
+ ixs->natt_type, ixs->natt_head);
+ ixs->iphlen = ipp->ihl << 2;
+ ipp->tot_len =
+ htons(ntohs(ipp->tot_len) + ixs->natt_head);
+ if(skb_tailroom(ixs->skb) < ixs->natt_head) {
+ printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
+ "tried to skb_put %d, %d available. "
+ "This should never happen, please report.\n",
+ ixs->natt_head,
+ skb_tailroom(ixs->skb));
+ ixs->stats->tx_errors++;
+ return IPSEC_XMIT_ESPUDP;
+ }
+ skb_put(ixs->skb, ixs->natt_head);
+ udp = (struct udphdr *)((char *)ipp + ixs->iphlen);
+ /* move ESP hdr after UDP hdr */
+ memmove((void *)((char *)udp + ixs->natt_head),
+ (void *)(udp),
+ ntohs(ipp->tot_len) - ixs->iphlen - ixs->natt_head);
+ /* clear UDP & Non-IKE Markers (if any) */
+ memset(udp, 0, ixs->natt_head);
+ /* fill UDP with usefull informations ;-) */
+ udp->source = htons(ixs->natt_sport);
+ udp->dest = htons(ixs->natt_dport);
+ udp->len = htons(ntohs(ipp->tot_len) - ixs->iphlen);
+ /* set protocol */
+ ipp->protocol = IPPROTO_UDP;
+ /* fix IP checksum */
+ ipp->check = 0;
+ ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
+ }
+#endif
+ KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
+ "klips_debug:ipsec_xmit_restore_hard_header: "
+ "With hard_header, final head,tailroom: %d,%d\n",
+ skb_headroom(ixs->skb),
+ skb_tailroom(ixs->skb));
+
+ return IPSEC_XMIT_OK;
+}
+
+enum ipsec_xmit_value
+ipsec_tunnel_send(struct ipsec_xmit_state*ixs)
+{
+#ifdef NETDEV_25
+ struct flowi fl;
+#endif
+
+#ifdef NET_21 /* 2.2 and 2.4 kernels */
+ /* new route/dst cache code from James Morris */
+ ixs->skb->dev = ixs->physdev;
+#ifdef NETDEV_25
+ fl.oif = ixs->physdev->iflink;
+ fl.nl_u.ip4_u.daddr = ixs->skb->nh.iph->daddr;
+ fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ixs->skb->nh.iph->saddr;
+ fl.nl_u.ip4_u.tos = RT_TOS(ixs->skb->nh.iph->tos);
+ fl.proto = ixs->skb->nh.iph->protocol;
+ if ((ixs->error = ip_route_output_key(&ixs->route, &fl))) {
+#else
+ /*skb_orphan(ixs->skb);*/
+ if((ixs->error = ip_route_output(&ixs->route,
+ ixs->skb->nh.iph->daddr,
+ ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
+ RT_TOS(ixs->skb->nh.iph->tos),
+ /* mcr->rgb: should this be 0 instead? */
+ ixs->physdev->iflink))) {
+#endif
+ ixs->stats->tx_errors++;
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_send: "
+ "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
+ ixs->error,
+ ixs->route->u.dst.dev->name);
+ return IPSEC_XMIT_ROUTEERR;
+ }
+ if(ixs->dev == ixs->route->u.dst.dev) {
+ ip_rt_put(ixs->route);
+ /* This is recursion, drop it. */
+ ixs->stats->tx_errors++;
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_send: "
+ "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
+ ixs->dev->name);
+ return IPSEC_XMIT_RECURSDETECT;
+ }
+ dst_release(ixs->skb->dst);
+ ixs->skb->dst = &ixs->route->u.dst;
+ ixs->stats->tx_bytes += ixs->skb->len;
+ if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
+ ixs->stats->tx_errors++;
+ printk(KERN_WARNING
+ "klips_error:ipsec_xmit_send: "
+ "tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n",
+ (unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
+ ixs->skb->len);
+ return IPSEC_XMIT_PUSHPULLERR;
+ }
+ __skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
+#ifdef SKB_RESET_NFCT
+ if(!ixs->pass) {
+ nf_conntrack_put(ixs->skb->nfct);
+ ixs->skb->nfct = NULL;
+ }
+#ifdef CONFIG_NETFILTER_DEBUG
+ ixs->skb->nf_debug = 0;
+#endif /* CONFIG_NETFILTER_DEBUG */
+#endif /* SKB_RESET_NFCT */
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_send: "
+ "...done, calling ip_send() on device:%s\n",
+ ixs->skb->dev ? ixs->skb->dev->name : "NULL");
+ KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->skb->nh.iph);
+#ifdef NETDEV_23 /* 2.4 kernels */
+ {
+ int err;
+
+ err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
+ ipsec_tunnel_xmit2);
+ if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
+ if(net_ratelimit())
+ printk(KERN_ERR
+ "klips_error:ipsec_xmit_send: "
+ "ip_send() failed, err=%d\n",
+ -err);
+ ixs->stats->tx_errors++;
+ ixs->stats->tx_aborted_errors++;
+ ixs->skb = NULL;
+ return IPSEC_XMIT_IPSENDFAILURE;
+ }
+ }
+#else /* NETDEV_23 */ /* 2.2 kernels */
+ ip_send(ixs->skb);
+#endif /* NETDEV_23 */
+#else /* NET_21 */ /* 2.0 kernels */
+ ixs->skb->arp = 1;
+ /* ISDN/ASYNC PPP from Matjaz Godec. */
+ /* skb->protocol = htons(ETH_P_IP); */
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_xmit_send: "
+ "...done, calling dev_queue_xmit() or ip_fragment().\n");
+ IP_SEND(ixs->skb, ixs->physdev);
+#endif /* NET_21 */
+ ixs->stats->tx_packets++;
+
+ ixs->skb = NULL;
+
+ return IPSEC_XMIT_OK;
+}
+
+void
+ipsec_tunnel_cleanup(struct ipsec_xmit_state*ixs)
+{
+#if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
+ netif_wake_queue(ixs->dev);
+#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+ ixs->dev->tbusy = 0;
+#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
+ if(ixs->saved_header) {
+ kfree(ixs->saved_header);
+ }
+ if(ixs->skb) {
+ dev_kfree_skb(ixs->skb, FREE_WRITE);
+ }
+ if(ixs->oskb) {
+ dev_kfree_skb(ixs->oskb, FREE_WRITE);
+ }
+ if (ixs->ips.ips_ident_s.data) {
+ kfree(ixs->ips.ips_ident_s.data);
+ }
+ if (ixs->ips.ips_ident_d.data) {
+ kfree(ixs->ips.ips_ident_d.data);
+ }
+}
+
+/*
+ * This function assumes it is being called from dev_queue_xmit()
+ * and that skb is filled properly by that function.
+ */
+int
+ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
+{
+ struct ipsec_xmit_state ixs_mem;
+ struct ipsec_xmit_state *ixs = &ixs_mem;
+ enum ipsec_xmit_value stat;
+
+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
+ ixs->natt_type = 0, ixs->natt_head = 0;
+ ixs->natt_sport = 0, ixs->natt_dport = 0;
+#endif
+
+ memset((caddr_t)ixs, 0, sizeof(*ixs));
+ ixs->oskb = NULL;
+ ixs->saved_header = NULL; /* saved copy of the hard header */
+ ixs->route = NULL;
+ memset((caddr_t)&(ixs->ips), 0, sizeof(ixs->ips));
+ ixs->dev = dev;
+ ixs->skb = skb;
+
+ stat = ipsec_xmit_sanity_check_dev(ixs);
+ if(stat != IPSEC_XMIT_OK) {
+ goto cleanup;
+ }
+
+ stat = ipsec_xmit_sanity_check_skb(ixs);
+ if(stat != IPSEC_XMIT_OK) {
+ goto cleanup;
+ }
+
+ stat = ipsec_tunnel_strip_hard_header(ixs);
+ if(stat != IPSEC_XMIT_OK) {
+ goto cleanup;
+ }
+
+ stat = ipsec_tunnel_SAlookup(ixs);
+ if(stat != IPSEC_XMIT_OK) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_tunnel_start_xmit: SAlookup failed: %d\n",
+ stat);
+ goto cleanup;
+ }
+
+ ixs->innersrc = ixs->iph->saddr;
+ /* start encapsulation loop here XXX */
+ do {
+ stat = ipsec_xmit_encap_bundle(ixs);
+ if(stat != IPSEC_XMIT_OK) {
+ if(stat == IPSEC_XMIT_PASS) {
+ goto bypass;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
+ "klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: %d\n",
+ stat);
+ goto cleanup;
+ }
+
+ ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
+ ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
+ ixs->matcher.sen_proto = ixs->iph->protocol;
+ ipsec_extract_ports(ixs->iph, &ixs->matcher);
+
+ spin_lock(&eroute_lock);
+ ixs->eroute = ipsec_findroute(&ixs->matcher);
+ if(ixs->eroute) {
+ ixs->outgoing_said = ixs->eroute->er_said;
+ ixs->eroute_pid = ixs->eroute->er_pid;
+ ixs->eroute->er_count++;
+ ixs->eroute->er_lasttime = jiffies/HZ;
+ }
+ spin_unlock(&eroute_lock);
+
+ KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
+ /* ((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc)) */
+ (ixs->orgedst != ixs->outgoing_said.dst.s_addr) &&
+ ixs->outgoing_said.dst.s_addr &&
+ ixs->eroute,
+ "klips_debug:ipsec_tunnel_start_xmit: "
+ "We are recursing here.\n");
+
+ } while(/*((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc))*/
+ (ixs->orgedst != ixs->outgoing_said.dst.s_addr) &&
+ ixs->outgoing_said.dst.s_addr &&
+ ixs->eroute);
+
+ stat = ipsec_tunnel_restore_hard_header(ixs);
+ if(stat != IPSEC_XMIT_OK) {
+ goto cleanup;
+ }
+
+ bypass:
+ stat = ipsec_tunnel_send(ixs);
+
+ cleanup:
+ ipsec_tunnel_cleanup(ixs);
+
+ return 0;
+}
+
+DEBUG_NO_STATIC struct net_device_stats *
+ipsec_tunnel_get_stats(struct device *dev)
+{
+ return &(((struct ipsecpriv *)(dev->priv))->mystats);
+}
+
+/*
+ * Revectored calls.
+ * For each of these calls, a field exists in our private structure.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
+ unsigned short type, void *daddr, void *saddr, unsigned len)
+{
+ struct ipsecpriv *prv = dev->priv;
+ struct device *tmp;
+ int ret;
+ struct net_device_stats *stats; /* This device's statistics */
+
+ if(skb == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "no skb...\n");
+ return -ENODATA;
+ }
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "no device...\n");
+ return -ENODEV;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "skb->dev=%s dev=%s.\n",
+ skb->dev ? skb->dev->name : "NULL",
+ dev->name);
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "no private space associated with dev=%s\n",
+ dev->name ? dev->name : "NULL");
+ return -ENODEV;
+ }
+
+ stats = (struct net_device_stats *) &(prv->mystats);
+
+ if(prv->dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "no physical device associated with dev=%s\n",
+ dev->name ? dev->name : "NULL");
+ stats->tx_dropped++;
+ return -ENODEV;
+ }
+
+ /* check if we have to send a IPv6 packet. It might be a Router
+ Solicitation, where the building of the packet happens in
+ reverse order:
+ 1. ll hdr,
+ 2. IPv6 hdr,
+ 3. ICMPv6 hdr
+ -> skb->nh.raw is still uninitialized when this function is
+ called!! If this is no IPv6 packet, we can print debugging
+ messages, otherwise we skip all debugging messages and just
+ build the ll header */
+ if(type != ETH_P_IPV6) {
+ /* execute this only, if we don't have to build the
+ header for a IPv6 packet */
+ if(!prv->hard_header) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
+ saddr,
+ daddr,
+ len,
+ type,
+ dev->name);
+#ifdef NET_21
+ KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->nh.iph->saddr),
+ (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+ KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->ip_hdr->saddr),
+ (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+ stats->tx_dropped++;
+ return -ENODEV;
+ }
+
+#define da ((struct device *)(prv->dev))->dev_addr
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
+ saddr,
+ daddr,
+ len,
+ type,
+ dev->name,
+ prv->dev->name,
+ da[0], da[1], da[2], da[3], da[4], da[5]);
+#ifdef NET_21
+ KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->nh.iph->saddr),
+ (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+ KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->ip_hdr->saddr),
+ (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+ } else {
+ KLIPS_PRINT(debug_tunnel,
+ "klips_debug:ipsec_tunnel_hard_header: "
+ "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
+ }
+ tmp = skb->dev;
+ skb->dev = prv->dev;
+ ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
+ skb->dev = tmp;
+ return ret;
+}
+
+DEBUG_NO_STATIC int
+#ifdef NET_21
+ipsec_tunnel_rebuild_header(struct sk_buff *skb)
+#else /* NET_21 */
+ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
+ unsigned long raddr, struct sk_buff *skb)
+#endif /* NET_21 */
+{
+ struct ipsecpriv *prv = skb->dev->priv;
+ struct device *tmp;
+ int ret;
+ struct net_device_stats *stats; /* This device's statistics */
+
+ if(skb->dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_rebuild_header: "
+ "no device...");
+ return -ENODEV;
+ }
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_rebuild_header: "
+ "no private space associated with dev=%s",
+ skb->dev->name ? skb->dev->name : "NULL");
+ return -ENODEV;
+ }
+
+ stats = (struct net_device_stats *) &(prv->mystats);
+
+ if(prv->dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_rebuild_header: "
+ "no physical device associated with dev=%s",
+ skb->dev->name ? skb->dev->name : "NULL");
+ stats->tx_dropped++;
+ return -ENODEV;
+ }
+
+ if(!prv->rebuild_header) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_rebuild_header: "
+ "physical device has been detached, packet dropped skb->dev=%s->NULL ",
+ skb->dev->name);
+#ifdef NET_21
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->nh.iph->saddr),
+ (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->ip_hdr->saddr),
+ (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+ stats->tx_dropped++;
+ return -ENODEV;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel: "
+ "Revectored rebuild_header dev=%s->%s ",
+ skb->dev->name, prv->dev->name);
+#ifdef NET_21
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->nh.iph->saddr),
+ (__u32)ntohl(skb->nh.iph->daddr) );
+#else /* NET_21 */
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "ip=%08x->%08x\n",
+ (__u32)ntohl(skb->ip_hdr->saddr),
+ (__u32)ntohl(skb->ip_hdr->daddr) );
+#endif /* NET_21 */
+ tmp = skb->dev;
+ skb->dev = prv->dev;
+
+#ifdef NET_21
+ ret = prv->rebuild_header(skb);
+#else /* NET_21 */
+ ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
+#endif /* NET_21 */
+ skb->dev = tmp;
+ return ret;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
+{
+ struct ipsecpriv *prv = dev->priv;
+
+ struct net_device_stats *stats; /* This device's statistics */
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_set_mac_address: "
+ "no device...");
+ return -ENODEV;
+ }
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_set_mac_address: "
+ "no private space associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ return -ENODEV;
+ }
+
+ stats = (struct net_device_stats *) &(prv->mystats);
+
+ if(prv->dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_set_mac_address: "
+ "no physical device associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ stats->tx_dropped++;
+ return -ENODEV;
+ }
+
+ if(!prv->set_mac_address) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_set_mac_address: "
+ "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+ dev->name);
+ return -ENODEV;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_set_mac_address: "
+ "Revectored dev=%s->%s addr=0p%p\n",
+ dev->name, prv->dev->name, addr);
+ return prv->set_mac_address(prv->dev, addr);
+
+}
+
+#ifndef NET_21
+DEBUG_NO_STATIC void
+ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
+ unsigned short htype, __u32 daddr)
+{
+ struct ipsecpriv *prv = dev->priv;
+
+ struct net_device_stats *stats; /* This device's statistics */
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_bind: "
+ "no device...");
+ return;
+ }
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_bind: "
+ "no private space associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ return;
+ }
+
+ stats = (struct net_device_stats *) &(prv->mystats);
+
+ if(prv->dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_bind: "
+ "no physical device associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ stats->tx_dropped++;
+ return;
+ }
+
+ if(!prv->header_cache_bind) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_bind: "
+ "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+ dev->name);
+ stats->tx_dropped++;
+ return;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_bind: "
+ "Revectored \n");
+ prv->header_cache_bind(hhp, prv->dev, htype, daddr);
+ return;
+}
+#endif /* !NET_21 */
+
+
+DEBUG_NO_STATIC void
+ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
+{
+ struct ipsecpriv *prv = dev->priv;
+
+ struct net_device_stats *stats; /* This device's statistics */
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_update: "
+ "no device...");
+ return;
+ }
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_update: "
+ "no private space associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ return;
+ }
+
+ stats = (struct net_device_stats *) &(prv->mystats);
+
+ if(prv->dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_update: "
+ "no physical device associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ stats->tx_dropped++;
+ return;
+ }
+
+ if(!prv->header_cache_update) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_cache_update: "
+ "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
+ dev->name);
+ return;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel: "
+ "Revectored cache_update\n");
+ prv->header_cache_update(hh, prv->dev, haddr);
+ return;
+}
+
+#ifdef NET_21
+DEBUG_NO_STATIC int
+ipsec_tunnel_neigh_setup(struct neighbour *n)
+{
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_neigh_setup:\n");
+
+ if (n->nud_state == NUD_NONE) {
+ n->ops = &arp_broken_ops;
+ n->output = n->ops->output;
+ }
+ return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
+{
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_neigh_setup_dev: "
+ "setting up %s\n",
+ dev ? dev->name : "NULL");
+
+ if (p->tbl->family == AF_INET) {
+ p->neigh_setup = ipsec_tunnel_neigh_setup;
+ p->ucast_probes = 0;
+ p->mcast_probes = 0;
+ }
+ return 0;
+}
+#endif /* NET_21 */
+
+/*
+ * We call the attach routine to attach another device.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_attach(struct device *dev, struct device *physdev)
+{
+ int i;
+ struct ipsecpriv *prv = dev->priv;
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_attach: "
+ "no device...");
+ return -ENODEV;
+ }
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_attach: "
+ "no private space associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ return -ENODATA;
+ }
+
+ prv->dev = physdev;
+ prv->hard_start_xmit = physdev->hard_start_xmit;
+ prv->get_stats = physdev->get_stats;
+
+ if (physdev->hard_header) {
+ prv->hard_header = physdev->hard_header;
+ dev->hard_header = ipsec_tunnel_hard_header;
+ } else
+ dev->hard_header = NULL;
+
+ if (physdev->rebuild_header) {
+ prv->rebuild_header = physdev->rebuild_header;
+ dev->rebuild_header = ipsec_tunnel_rebuild_header;
+ } else
+ dev->rebuild_header = NULL;
+
+ if (physdev->set_mac_address) {
+ prv->set_mac_address = physdev->set_mac_address;
+ dev->set_mac_address = ipsec_tunnel_set_mac_address;
+ } else
+ dev->set_mac_address = NULL;
+
+#ifndef NET_21
+ if (physdev->header_cache_bind) {
+ prv->header_cache_bind = physdev->header_cache_bind;
+ dev->header_cache_bind = ipsec_tunnel_cache_bind;
+ } else
+ dev->header_cache_bind = NULL;
+#endif /* !NET_21 */
+
+ if (physdev->header_cache_update) {
+ prv->header_cache_update = physdev->header_cache_update;
+ dev->header_cache_update = ipsec_tunnel_cache_update;
+ } else
+ dev->header_cache_update = NULL;
+
+ dev->hard_header_len = physdev->hard_header_len;
+
+#ifdef NET_21
+/* prv->neigh_setup = physdev->neigh_setup; */
+ dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
+#endif /* NET_21 */
+ dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
+ prv->mtu = physdev->mtu;
+
+#ifdef PHYSDEV_TYPE
+ dev->type = physdev->type; /* ARPHRD_TUNNEL; */
+#endif /* PHYSDEV_TYPE */
+
+ dev->addr_len = physdev->addr_len;
+ for (i=0; i<dev->addr_len; i++) {
+ dev->dev_addr[i] = physdev->dev_addr[i];
+ }
+#ifdef CONFIG_IPSEC_DEBUG
+ if(debug_tunnel & DB_TN_INIT) {
+ printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
+ "physical device %s being attached has HW address: %2x",
+ physdev->name, physdev->dev_addr[0]);
+ for (i=1; i < physdev->addr_len; i++) {
+ printk(":%02x", physdev->dev_addr[i]);
+ }
+ printk("\n");
+ }
+#endif /* CONFIG_IPSEC_DEBUG */
+
+ return 0;
+}
+
+/*
+ * We call the detach routine to detach the ipsec tunnel from another device.
+ */
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_detach(struct device *dev)
+{
+ int i;
+ struct ipsecpriv *prv = dev->priv;
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_detach: "
+ "no device...");
+ return -ENODEV;
+ }
+
+ if(prv == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
+ "klips_debug:ipsec_tunnel_detach: "
+ "no private space associated with dev=%s",
+ dev->name ? dev->name : "NULL");
+ return -ENODATA;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_detach: "
+ "physical device %s being detached from virtual device %s\n",
+ prv->dev ? prv->dev->name : "NULL",
+ dev->name);
+
+ ipsec_dev_put(prv->dev);
+ prv->dev = NULL;
+ prv->hard_start_xmit = NULL;
+ prv->get_stats = NULL;
+
+ prv->hard_header = NULL;
+#ifdef DETACH_AND_DOWN
+ dev->hard_header = NULL;
+#endif /* DETACH_AND_DOWN */
+
+ prv->rebuild_header = NULL;
+#ifdef DETACH_AND_DOWN
+ dev->rebuild_header = NULL;
+#endif /* DETACH_AND_DOWN */
+
+ prv->set_mac_address = NULL;
+#ifdef DETACH_AND_DOWN
+ dev->set_mac_address = NULL;
+#endif /* DETACH_AND_DOWN */
+
+#ifndef NET_21
+ prv->header_cache_bind = NULL;
+#ifdef DETACH_AND_DOWN
+ dev->header_cache_bind = NULL;
+#endif /* DETACH_AND_DOWN */
+#endif /* !NET_21 */
+
+ prv->header_cache_update = NULL;
+#ifdef DETACH_AND_DOWN
+ dev->header_cache_update = NULL;
+#endif /* DETACH_AND_DOWN */
+
+#ifdef NET_21
+/* prv->neigh_setup = NULL; */
+#ifdef DETACH_AND_DOWN
+ dev->neigh_setup = NULL;
+#endif /* DETACH_AND_DOWN */
+#endif /* NET_21 */
+ dev->hard_header_len = 0;
+#ifdef DETACH_AND_DOWN
+ dev->mtu = 0;
+#endif /* DETACH_AND_DOWN */
+ prv->mtu = 0;
+ for (i=0; i<MAX_ADDR_LEN; i++) {
+ dev->dev_addr[i] = 0;
+ }
+ dev->addr_len = 0;
+#ifdef PHYSDEV_TYPE
+ dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */
+#endif /* PHYSDEV_TYPE */
+
+ return 0;
+}
+
+/*
+ * We call the clear routine to detach all ipsec tunnels from other devices.
+ */
+DEBUG_NO_STATIC int
+ipsec_tunnel_clear(void)
+{
+ int i;
+ struct device *ipsecdev = NULL, *prvdev;
+ struct ipsecpriv *prv;
+ char name[9];
+ int ret;
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_clear: .\n");
+
+ for(i = 0; i < IPSEC_NUM_IF; i++) {
+ ipsecdev = ipsecdevices[i];
+ if(ipsecdev != NULL) {
+ if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
+ prvdev = (struct device *)(prv->dev);
+ if(prvdev) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_clear: "
+ "physical device for device %s is %s\n",
+ name, prvdev->name);
+ if((ret = ipsec_tunnel_detach(ipsecdev))) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_clear: "
+ "error %d detatching device %s from device %s.\n",
+ ret, name, prvdev->name);
+ return ret;
+ }
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+DEBUG_NO_STATIC int
+ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
+{
+ struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
+ struct ipsecpriv *prv = dev->priv;
+ struct device *them; /* physical device */
+#ifdef CONFIG_IP_ALIAS
+ char *colon;
+ char realphysname[IFNAMSIZ];
+#endif /* CONFIG_IP_ALIAS */
+
+ if(dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "device not supplied.\n");
+ return -ENODEV;
+ }
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "tncfg service call #%d for dev=%s\n",
+ cmd,
+ dev->name ? dev->name : "NULL");
+ switch (cmd) {
+ /* attach a virtual ipsec? device to a physical device */
+ case IPSEC_SET_DEV:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "calling ipsec_tunnel_attatch...\n");
+#ifdef CONFIG_IP_ALIAS
+ /* If this is an IP alias interface, get its real physical name */
+ strncpy(realphysname, cf->cf_name, IFNAMSIZ);
+ realphysname[IFNAMSIZ-1] = 0;
+ colon = strchr(realphysname, ':');
+ if (colon) *colon = 0;
+ them = ipsec_dev_get(realphysname);
+#else /* CONFIG_IP_ALIAS */
+ them = ipsec_dev_get(cf->cf_name);
+#endif /* CONFIG_IP_ALIAS */
+
+ if (them == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "physical device %s requested is null\n",
+ cf->cf_name);
+ return -ENXIO;
+ }
+
+#if 0
+ if (them->flags & IFF_UP) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "physical device %s requested is not up.\n",
+ cf->cf_name);
+ ipsec_dev_put(them);
+ return -ENXIO;
+ }
+#endif
+
+ if (prv && prv->dev) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "virtual device is already connected to %s.\n",
+ prv->dev->name ? prv->dev->name : "NULL");
+ ipsec_dev_put(them);
+ return -EBUSY;
+ }
+ return ipsec_tunnel_attach(dev, them);
+
+ case IPSEC_DEL_DEV:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "calling ipsec_tunnel_detatch.\n");
+ if (! prv->dev) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "physical device not connected.\n");
+ return -ENODEV;
+ }
+ return ipsec_tunnel_detach(dev);
+
+ case IPSEC_CLR_DEV:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "calling ipsec_tunnel_clear.\n");
+ return ipsec_tunnel_clear();
+
+ default:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_ioctl: "
+ "unknown command %d.\n",
+ cmd);
+ return -EOPNOTSUPP;
+ }
+}
+
+int
+ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
+{
+ struct device *dev = ptr;
+ struct device *ipsec_dev;
+ struct ipsecpriv *priv;
+ int i;
+
+ if (dev == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "dev=NULL for event type %ld.\n",
+ event);
+ return(NOTIFY_DONE);
+ }
+
+ /* check for loopback devices */
+ if (dev && (dev->flags & IFF_LOOPBACK)) {
+ return(NOTIFY_DONE);
+ }
+
+ switch (event) {
+ case NETDEV_DOWN:
+ /* look very carefully at the scope of these compiler
+ directives before changing anything... -- RGB */
+#ifdef NET_21
+ case NETDEV_UNREGISTER:
+ switch (event) {
+ case NETDEV_DOWN:
+#endif /* NET_21 */
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_DOWN dev=%s flags=%x\n",
+ dev->name,
+ dev->flags);
+ if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
+ printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
+ dev->name);
+ }
+#ifdef NET_21
+ break;
+ case NETDEV_UNREGISTER:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_UNREGISTER dev=%s flags=%x\n",
+ dev->name,
+ dev->flags);
+ break;
+ }
+#endif /* NET_21 */
+
+ /* find the attached physical device and detach it. */
+ for(i = 0; i < IPSEC_NUM_IF; i++) {
+ ipsec_dev = ipsecdevices[i];
+
+ if(ipsec_dev) {
+ priv = (struct ipsecpriv *)(ipsec_dev->priv);
+ if(priv) {
+ ;
+ if(((struct device *)(priv->dev)) == dev) {
+ /* dev_close(ipsec_dev); */
+ /* return */ ipsec_tunnel_detach(ipsec_dev);
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "device '%s' has been detached.\n",
+ ipsec_dev->name);
+ break;
+ }
+ } else {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "device '%s' has no private data space!\n",
+ ipsec_dev->name);
+ }
+ }
+ }
+ break;
+ case NETDEV_UP:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_UP dev=%s\n",
+ dev->name);
+ break;
+#ifdef NET_21
+ case NETDEV_REBOOT:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_REBOOT dev=%s\n",
+ dev->name);
+ break;
+ case NETDEV_CHANGE:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_CHANGE dev=%s flags=%x\n",
+ dev->name,
+ dev->flags);
+ break;
+ case NETDEV_REGISTER:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_REGISTER dev=%s\n",
+ dev->name);
+ break;
+ case NETDEV_CHANGEMTU:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
+ dev->name,
+ dev->mtu);
+ break;
+ case NETDEV_CHANGEADDR:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_CHANGEADDR dev=%s\n",
+ dev->name);
+ break;
+ case NETDEV_GOING_DOWN:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_GOING_DOWN dev=%s\n",
+ dev->name);
+ break;
+ case NETDEV_CHANGENAME:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "NETDEV_CHANGENAME dev=%s\n",
+ dev->name);
+ break;
+#endif /* NET_21 */
+ default:
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_device_event: "
+ "event type %ld unrecognised for dev=%s\n",
+ event,
+ dev->name);
+ break;
+ }
+ return NOTIFY_DONE;
+}
+
+/*
+ * Called when an ipsec tunnel device is initialized.
+ * The ipsec tunnel device structure is passed to us.
+ */
+
+int
+ipsec_tunnel_init(struct device *dev)
+{
+ int i;
+
+ KLIPS_PRINT(debug_tunnel,
+ "klips_debug:ipsec_tunnel_init: "
+ "allocating %lu bytes initialising device: %s\n",
+ (unsigned long) sizeof(struct ipsecpriv),
+ dev->name ? dev->name : "NULL");
+
+ /* Add our tunnel functions to the device */
+ dev->open = ipsec_tunnel_open;
+ dev->stop = ipsec_tunnel_close;
+ dev->hard_start_xmit = ipsec_tunnel_start_xmit;
+ dev->get_stats = ipsec_tunnel_get_stats;
+
+ dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
+ if (dev->priv == NULL)
+ return -ENOMEM;
+ memset((caddr_t)(dev->priv), 0, sizeof(struct ipsecpriv));
+
+ for(i = 0; i < sizeof(zeroes); i++) {
+ ((__u8*)(zeroes))[i] = 0;
+ }
+
+#ifndef NET_21
+ /* Initialize the tunnel device structure */
+ for (i = 0; i < DEV_NUMBUFFS; i++)
+ skb_queue_head_init(&dev->buffs[i]);
+#endif /* !NET_21 */
+
+ dev->set_multicast_list = NULL;
+ dev->do_ioctl = ipsec_tunnel_ioctl;
+ dev->hard_header = NULL;
+ dev->rebuild_header = NULL;
+ dev->set_mac_address = NULL;
+#ifndef NET_21
+ dev->header_cache_bind = NULL;
+#endif /* !NET_21 */
+ dev->header_cache_update= NULL;
+
+#ifdef NET_21
+/* prv->neigh_setup = NULL; */
+ dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
+#endif /* NET_21 */
+ dev->hard_header_len = 0;
+ dev->mtu = 0;
+ dev->addr_len = 0;
+ dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
+ dev->tx_queue_len = 10; /* Small queue */
+ memset((caddr_t)(dev->broadcast),0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */
+
+ /* New-style flags. */
+ dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;
+#ifdef NET_21
+ dev_init_buffers(dev);
+#else /* NET_21 */
+ dev->family = AF_INET;
+ dev->pa_addr = 0;
+ dev->pa_brdaddr = 0;
+ dev->pa_mask = 0;
+ dev->pa_alen = 4;
+#endif /* NET_21 */
+
+ /* We're done. Have I forgotten anything? */
+ return 0;
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+/* Module specific interface (but it links with the rest of IPSEC) */
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+int
+ipsec_tunnel_probe(struct device *dev)
+{
+ ipsec_tunnel_init(dev);
+ return 0;
+}
+
+struct device *ipsecdevices[IPSEC_NUM_IF];
+
+int
+ipsec_tunnel_init_devices(void)
+{
+ int i;
+ char name[IFNAMSIZ];
+ struct device *dev_ipsec;
+
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_init_devices: "
+ "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
+ IPSEC_NUM_IF,
+ (unsigned long) (sizeof(struct device) + IFNAMSIZ),
+ IFNAMSIZ);
+
+ for(i = 0; i < IPSEC_NUM_IF; i++) {
+ sprintf(name, IPSEC_DEV_FORMAT, i);
+ dev_ipsec = (struct device*)kmalloc(sizeof(struct device), GFP_KERNEL);
+ if (dev_ipsec == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_init_devices: "
+ "failed to allocate memory for device %s, quitting device init.\n",
+ name);
+ return -ENOMEM;
+ }
+ memset((caddr_t)dev_ipsec, 0, sizeof(struct device));
+#ifdef NETDEV_23
+ strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name));
+#else /* NETDEV_23 */
+ dev_ipsec->name = (char*)kmalloc(IFNAMSIZ, GFP_KERNEL);
+ if (dev_ipsec->name == NULL) {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_init_devices: "
+ "failed to allocate memory for device %s name, quitting device init.\n",
+ name);
+ return -ENOMEM;
+ }
+ memset((caddr_t)dev_ipsec->name, 0, IFNAMSIZ);
+ strncpy(dev_ipsec->name, name, IFNAMSIZ);
+#endif /* NETDEV_23 */
+ dev_ipsec->next = NULL;
+ dev_ipsec->init = &ipsec_tunnel_probe;
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_init_devices: "
+ "registering device %s\n",
+ dev_ipsec->name);
+
+ /* reference and hold the device reference */
+ dev_hold(dev_ipsec);
+ ipsecdevices[i]=dev_ipsec;
+
+ if (register_netdev(dev_ipsec) != 0) {
+ KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_init_devices: "
+ "registering device %s failed, quitting device init.\n",
+ dev_ipsec->name);
+ return -EIO;
+ } else {
+ KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
+ "klips_debug:ipsec_tunnel_init_devices: "
+ "registering device %s succeeded, continuing...\n",
+ dev_ipsec->name);
+ }
+ }
+ return 0;
+}
+
+/* void */
+int
+ipsec_tunnel_cleanup_devices(void)
+{
+ int error = 0;
+ int i;
+ char name[32];
+ struct device *dev_ipsec;
+
+ for(i = 0; i < IPSEC_NUM_IF; i++) {
+ dev_ipsec = ipsecdevices[i];
+ if(dev_ipsec == NULL) {
+ continue;
+ }
+
+ /* release reference */
+ ipsecdevices[i]=NULL;
+ ipsec_dev_put(dev_ipsec);
+
+ KLIPS_PRINT(debug_tunnel, "Unregistering %s (refcnt=%d)\n",
+ name,
+ atomic_read(&dev_ipsec->refcnt));
+ unregister_netdev(dev_ipsec);
+ KLIPS_PRINT(debug_tunnel, "Unregisted %s\n", name);
+#ifndef NETDEV_23
+ kfree(dev_ipsec->name);
+ dev_ipsec->name=NULL;
+#endif /* !NETDEV_23 */
+ kfree(dev_ipsec->priv);
+ dev_ipsec->priv=NULL;
+ }
+ return error;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-03-13 07:03:50 +0000