]> err.no Git - linux-2.6/commitdiff
ipsec: Interfamily IPSec BEET, ipv4-inner ipv6-outer
authorJoakim Koskela <jookos@gmail.com>
Wed, 6 Aug 2008 09:40:25 +0000 (02:40 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 6 Aug 2008 09:40:25 +0000 (02:40 -0700)
Here's a revised version, based on Herbert's comments, of a fix for
the ipv4-inner, ipv6-outer interfamily ipsec beet mode. It fixes the
network header adjustment during interfamily, as well as makes sure
that we reserve enough room for the new ipv6 header if we might have
something else as the inner family. Also, the ipv4 pseudo header
construction was added.

Signed-off-by: Joakim Koskela <jookos@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/esp6.c
net/ipv6/xfrm6_mode_beet.c

index c6bb4c6d24b38352b4430e7892b59068714a9b3e..b181b08fb761c4f9cab3e4f06dfc439734213298 100644 (file)
@@ -521,6 +521,10 @@ static int esp6_init_state(struct xfrm_state *x)
                              crypto_aead_ivsize(aead);
        switch (x->props.mode) {
        case XFRM_MODE_BEET:
+               if (x->sel.family != AF_INET6)
+                       x->props.header_len += IPV4_BEET_PHMAXLEN +
+                                              (sizeof(struct ipv6hdr) - sizeof(struct iphdr));
+               break;
        case XFRM_MODE_TRANSPORT:
                break;
        case XFRM_MODE_TUNNEL:
index d6ce400f585f69675a17bd96ae4036492dcf1efb..bbd48b101baeebada8a69f5eda7f7ad5087910db 100644 (file)
@@ -40,16 +40,39 @@ static void xfrm6_beet_make_header(struct sk_buff *skb)
 static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
        struct ipv6hdr *top_iph;
-
-       skb_set_network_header(skb, -x->props.header_len);
+       struct ip_beet_phdr *ph;
+       struct iphdr *iphv4;
+       int optlen, hdr_len;
+
+       iphv4 = ip_hdr(skb);
+       hdr_len = 0;
+       optlen = XFRM_MODE_SKB_CB(skb)->optlen;
+       if (unlikely(optlen))
+               hdr_len += IPV4_BEET_PHMAXLEN - (optlen & 4);
+
+       skb_set_network_header(skb, -x->props.header_len - hdr_len);
+       if (x->sel.family != AF_INET6)
+               skb->network_header += IPV4_BEET_PHMAXLEN;
        skb->mac_header = skb->network_header +
                          offsetof(struct ipv6hdr, nexthdr);
        skb->transport_header = skb->network_header + sizeof(*top_iph);
-       __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl);
+       ph = (struct ip_beet_phdr *)__skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl-hdr_len);
 
        xfrm6_beet_make_header(skb);
 
        top_iph = ipv6_hdr(skb);
+       if (unlikely(optlen)) {
+
+               BUG_ON(optlen < 0);
+
+               ph->padlen = 4 - (optlen & 4);
+               ph->hdrlen = optlen / 8;
+               ph->nexthdr = top_iph->nexthdr;
+               if (ph->padlen)
+                       memset(ph + 1, IPOPT_NOP, ph->padlen);
+
+               top_iph->nexthdr = IPPROTO_BEETPH;
+       }
 
        ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
        ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);