2 * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
3 * Copyright (C) 1996, 1997 John Ioannidis.
4 * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.1 2004/05/11 00:38:42 danield Exp $";
19 #define __NO_VERSION__
20 #include <linux/module.h>
21 #include <linux/config.h> /* for CONFIG_IP_FORWARD */
22 #include <linux/version.h>
23 #include <linux/kernel.h> /* printk() */
25 /* XXX-mcr remove this definition when the code has been properly rototiled */
26 #define IPSEC_KLIPS1_COMPAT 1
27 #include "ipsec_param.h"
30 # include <linux/slab.h> /* kmalloc() */
31 #else /* MALLOC_SLAB */
32 # include <linux/malloc.h> /* kmalloc() */
33 #endif /* MALLOC_SLAB */
34 #include <linux/errno.h> /* error codes */
35 #include <linux/types.h> /* size_t */
36 #include <linux/interrupt.h> /* mark_bh */
38 #include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
39 #include <linux/etherdevice.h> /* eth_type_trans */
40 #include <linux/ip.h> /* struct iphdr */
41 #include <linux/tcp.h> /* struct tcphdr */
42 #include <linux/udp.h> /* struct udphdr */
43 #include <linux/skbuff.h>
46 # define MSS_HACK_ /* experimental */
47 # include <asm/uaccess.h>
48 # include <linux/in6.h>
49 # define ip_chk_addr inet_addr_type
50 # define IS_MYADDR RTN_LOCAL
53 # define dev_kfree_skb(a,b) kfree_skb(a)
54 # define proto_priv cb
57 #include <asm/checksum.h>
58 #include <net/icmp.h> /* icmp_send() */
61 # include <linux/netfilter_ipv4.h>
62 #endif /* NETDEV_23 */
64 #include <linux/ledman.h>
67 #include "ipsec_alg.h"
69 #include <linux/if_arp.h>
71 # include <net/tcp.h> /* TCP options */
75 #include "ipsec_life.h"
76 #include "ipsec_xform.h"
77 #include "ipsec_eroute.h"
78 #include "ipsec_encap.h"
79 #include "ipsec_radij.h"
80 #include "ipsec_netlink.h"
82 #include "ipsec_tunnel.h"
83 #include "ipsec_ipe4.h"
85 #include "ipsec_esp.h"
87 #ifdef CONFIG_IPSEC_IPCOMP
89 #endif /* CONFIG_IPSEC_IPCOMP */
94 #include "ipsec_proto.h"
96 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
97 #include <linux/udp.h>
100 /* IXP425 Glue Code */
101 #include "IxCryptoAcc.h"
102 #include "IxOsBuffMgt.h"
103 #include "ipsec_glue_mbuf.h"
104 #include "ipsec_glue.h"
105 #include "ipsec_glue_desc.h"
108 #define MAX_XMIT_TASK_IN_SOFTIRQ 384
111 spinlock_t xmit_lock = SPIN_LOCK_UNLOCKED;
113 spinlock_t xmit_lock = 0;
114 #endif /* SPINLOCK */
116 static void ipsec_tunnel_next_transform (void *data);
117 static struct tq_struct xmit_task[MAX_XMIT_TASK_IN_SOFTIRQ];
118 static __u32 xmitProducer=0;
119 static __u32 xmitConsumer=0;
121 static __u32 zeroes[64];
123 #ifdef CONFIG_IPSEC_DEBUG
124 int debug_tunnel = 0;
125 int sysctl_ipsec_debug_verbose = 0;
126 #endif /* CONFIG_IPSEC_DEBUG */
128 int sysctl_ipsec_icmp = 0;
129 int sysctl_ipsec_tos = 0;
131 #ifdef CONFIG_IPSEC_DEBUG_
133 dmp(char *s, caddr_t bb, int len)
136 unsigned char *b = bb;
139 printk(KERN_INFO "klips_debug:ipsec_tunnel_:dmp: "
143 for (i=0; i < len; i++) {
145 printk("\nklips_debug: ");
147 printk(" %02x", *b++);
152 #else /* CONFIG_IPSEC_DEBUG */
153 #define dmp(_x, _y, _z)
154 #endif /* CONFIG_IPSEC_DEBUG */
156 #ifndef SKB_COPY_EXPAND
158 * This is mostly skbuff.c:skb_copy().
161 skb_copy_expand(struct sk_buff *skb, int headroom, int tailroom, int priority)
164 unsigned long offset;
169 if((headroom < 0) || (tailroom < 0) || ((headroom+tailroom) < 0)) {
171 "klips_error:skb_copy_expand: "
172 "Illegal negative head,tailroom %d,%d\n",
178 * Allocate the copy buffer
186 n=alloc_skb(skb->end - skb->head + headroom + tailroom, priority);
188 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
189 "klips_debug:skb_copy_expand: "
190 "head=%p data=%p tail=%p end=%p end-head=%d tail-data=%d\n",
195 skb->end - skb->head,
196 skb->tail - skb->data);
202 * Shift between the two data areas in bytes
205 /* offset=n->head-skb->head; */ /* moved down a few lines */
207 /* Set the data pointer */
208 skb_reserve(n,skb->data-skb->head+headroom);
209 /* Set the tail pointer and length */
210 if(skb_tailroom(n) < skb->len) {
211 printk(KERN_WARNING "klips_error:skb_copy_expand: "
212 "tried to skb_put %ld, %d available. This should never happen, please report.\n",
213 (unsigned long int)skb->len,
215 dev_kfree_skb(n, FREE_WRITE);
220 offset=n->head + headroom - skb->head;
223 memcpy(n->head + headroom, skb->head,skb->end-skb->head);
226 n->priority=skb->priority;
227 n->dst=dst_clone(skb->dst);
229 n->nh.raw=skb->nh.raw+offset;
232 #endif /* NETDEV_23 */
233 atomic_set(&n->users, 1);
234 n->destructor = NULL;
235 n->security=skb->security;
240 n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
245 n->end_seq=skb->end_seq;
246 n->ack_seq=skb->ack_seq;
254 n->protocol=skb->protocol;
259 n->h.raw=skb->h.raw+offset;
261 n->mac.raw=skb->mac.raw+offset;
262 memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
265 #endif /* !NETDEV_23 */
266 n->pkt_type=skb->pkt_type;
274 #endif /* !SKB_COPY_EXPAND */
276 #ifdef CONFIG_IPSEC_DEBUG
278 ipsec_print_ip(struct iphdr *ip)
280 char buf[ADDRTOA_BUF];
282 printk(KERN_INFO "klips_debug: IP:");
283 printk(" ihl:%d", ip->ihl*4);
284 printk(" ver:%d", ip->version);
285 printk(" tos:%d", ip->tos);
286 printk(" tlen:%d", ntohs(ip->tot_len));
287 printk(" id:%d", ntohs(ip->id));
288 printk(" %s%s%sfrag_off:%d",
289 ip->frag_off & __constant_htons(IP_CE) ? "CE " : "",
290 ip->frag_off & __constant_htons(IP_DF) ? "DF " : "",
291 ip->frag_off & __constant_htons(IP_MF) ? "MF " : "",
292 (ntohs(ip->frag_off) & IP_OFFSET) << 3);
293 printk(" ttl:%d", ip->ttl);
294 printk(" proto:%d", ip->protocol);
295 if(ip->protocol == IPPROTO_UDP)
297 if(ip->protocol == IPPROTO_TCP)
299 if(ip->protocol == IPPROTO_ICMP)
301 printk(" chk:%d", ntohs(ip->check));
302 addrtoa(*((struct in_addr*)(&ip->saddr)), 0, buf, sizeof(buf));
303 printk(" saddr:%s", buf);
304 if(ip->protocol == IPPROTO_UDP)
306 ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
307 if(ip->protocol == IPPROTO_TCP)
309 ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
310 addrtoa(*((struct in_addr*)(&ip->daddr)), 0, buf, sizeof(buf));
311 printk(" daddr:%s", buf);
312 if(ip->protocol == IPPROTO_UDP)
314 ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
315 if(ip->protocol == IPPROTO_TCP)
317 ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
318 if(ip->protocol == IPPROTO_ICMP)
319 printk(" type:code=%d:%d",
320 ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->type,
321 ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->code);
324 if(sysctl_ipsec_debug_verbose) {
328 c = ((__u8*)ip) + ip->ihl*4;
329 for(i = 0; i < ntohs(ip->tot_len) - ip->ihl*4; i++ /*, c++*/) {
332 "klips_debug: @%03x:",
335 printk(" %02x", /***/c[i]);
336 if(!((i + 1) % 16)) {
345 #endif /* CONFIG_IPSEC_DEBUG */
347 #ifdef REAL_LOCKING_P
354 ipsec_tunnel_lock(struct ipsecpriv *prv)
360 * Lock in an interrupt may fail
362 if(prv->locked && in_interrupt()) {
363 restore_flags(flags);
367 sleep_on(&prv->wait_queue);
369 restore_flags(flags);
376 ipsec_tunnel_unlock(struct ipsecpriv *prv)
379 wake_up(&prv->wait_queue);
382 #endif /* REAL_LOCKING_P */
385 ipsec_tunnel_open(struct device *dev)
387 struct ipsecpriv *prv = dev->priv;
390 * Can't open until attached.
393 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
394 "klips_debug:ipsec_tunnel_open: "
395 "dev = %s, prv->dev = %s\n",
396 dev->name, prv->dev?prv->dev->name:"NONE");
398 if (prv->dev == NULL)
406 ipsec_tunnel_close(struct device *dev)
415 * 1) Fragments arriving in the tunnel should probably be rejected.
416 * 2) How does this affect syncookies, mss_cache, dst cache ?
417 * 3) Path MTU discovery handling needs to be reviewed. For example,
418 * if we receive an ICMP 'packet too big' message from an intermediate
419 * router specifying it's next hop MTU, our stack may process this and
420 * adjust the MSS without taking our AH/ESP overheads into account.
425 * Recaclulate checksum using differences between changed datum,
426 * borrowed from netfilter.
428 DEBUG_NO_STATIC u_int16_t
429 ipsec_fast_csum(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
431 u_int32_t diffs[] = { oldvalinv, newval };
432 return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
437 * Determine effective MSS.
439 * Note that we assume that there is always an MSS option for our own
440 * SYN segments, which is mentioned in tcp_syn_build_options(), kernel 2.2.x.
441 * This could change, and we should probably parse TCP options instead.
444 DEBUG_NO_STATIC u_int8_t
445 ipsec_adjust_mss(struct sk_buff *skb, struct tcphdr *tcph, u_int16_t mtu)
447 u_int16_t oldmss, newmss;
449 struct sock *sk = skb->sk;
451 newmss = tcp_sync_mss(sk, mtu);
452 printk(KERN_INFO "klips: setting mss to %u\n", newmss);
453 mssp = (u_int32_t *)tcph + sizeof(struct tcphdr) / sizeof(u_int32_t);
454 oldmss = ntohl(*mssp) & 0x0000FFFF;
455 *mssp = htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) | newmss);
456 tcph->check = ipsec_fast_csum(htons(~oldmss),
457 htons(newmss), tcph->check);
460 #endif /* MSS_HACK */
463 static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
467 #endif /* NETDEV_23 */
470 /* IXP425 glue code : ipsec_tunnel_start_xmit_cb */
471 void ipsec_tunnel_start_xmit_cb(
475 IxCryptoAccStatus status)
478 IpsecXmitDesc *pXmitDesc = NULL;
479 struct ipsecpriv *prv; /* Our device' private space */
480 struct net_device_stats *stats; /* This device's statistics */
482 if (pSrcMbuf == NULL)
484 KLIPS_PRINT(debug_tunnel,
485 "klips_debug:ipsec_tunnel_start_xmit: "
492 case IX_CRYPTO_ACC_STATUS_SUCCESS:
493 KLIPS_PRINT(debug_tunnel,
494 "klips_debug:ipsec_tunnel_start_xmit: "
495 "encapsulation successful.\n");
497 spin_lock(&xmit_lock);
499 if ((xmitProducer - xmitConsumer) != MAX_XMIT_TASK_IN_SOFTIRQ)
501 xmitProducer = xmitProducer % MAX_XMIT_TASK_IN_SOFTIRQ;
502 INIT_LIST_HEAD(&xmit_task[xmitProducer].list);
503 xmit_task[xmitProducer].sync = 0;
504 xmit_task[xmitProducer].routine = ipsec_tunnel_next_transform;
505 xmit_task[xmitProducer].data = pSrcMbuf;
506 queue_task(&xmit_task[xmitProducer], &tq_immediate);
508 mark_bh(IMMEDIATE_BH);
512 KLIPS_PRINT(debug_tunnel,
513 "klips_debug:ipsec_tunnel_start_xmit: "
514 "soft IRQ task queue full.\n");
516 /* Detach skb from mbuf */
517 skb = mbuf_swap_skb(pSrcMbuf, NULL);
518 /* get xmit desc from mbuf */
519 pXmitDesc = (IpsecXmitDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pSrcMbuf);
520 ipsec_glue_mbuf_header_rel (pSrcMbuf);
526 spin_lock (&tdb_lock);
527 delXmitDesc_from_salist(pXmitDesc->tdbp, pXmitDesc);
528 spin_unlock (&tdb_lock);
530 prv = (pXmitDesc->dev)->priv;
531 stats = (struct net_device_stats *) &(prv->mystats);
536 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
537 netif_wake_queue(pXmitDesc->dev);
538 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
539 (pXmitDesc->dev)->tbusy = 0;
540 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
541 if(pXmitDesc->saved_header) {
542 kfree(pXmitDesc->saved_header);
544 if(pXmitDesc->oskb) {
545 dev_kfree_skb(pXmitDesc->oskb, FREE_WRITE);
547 if ((pXmitDesc->tdb).tdb_ident_s.data) {
548 kfree((pXmitDesc->tdb).tdb_ident_s.data);
550 if ((pXmitDesc->tdb).tdb_ident_d.data) {
551 kfree((pXmitDesc->tdb).tdb_ident_d.data);
554 ipsec_glue_xmit_desc_release (pXmitDesc);
558 dev_kfree_skb(skb, FREE_WRITE);
562 spin_unlock(&xmit_lock);
566 KLIPS_PRINT(debug_tunnel,
567 "klips_debug:ipsec_tunnel_start_xmit: "
568 "encapsulation on incoming packet failed, dropped\n");
569 /* Detach skb from mbuf */
570 skb = mbuf_swap_skb(pSrcMbuf, NULL);
571 /* get xmit desc from mbuf */
572 pXmitDesc = (IpsecXmitDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pSrcMbuf);
573 ipsec_glue_mbuf_header_rel (pSrcMbuf);
579 spin_lock (&tdb_lock);
580 delXmitDesc_from_salist(pXmitDesc->tdbp, pXmitDesc);
581 spin_unlock (&tdb_lock);
583 prv = (pXmitDesc->dev)->priv;
584 stats = (struct net_device_stats *) &(prv->mystats);
589 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
590 netif_wake_queue(pXmitDesc->dev);
591 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
592 (pXmitDesc->dev)->tbusy = 0;
593 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
594 if(pXmitDesc->saved_header) {
595 kfree(pXmitDesc->saved_header);
597 if(pXmitDesc->oskb) {
598 dev_kfree_skb(pXmitDesc->oskb, FREE_WRITE);
600 if ((pXmitDesc->tdb).tdb_ident_s.data) {
601 kfree((pXmitDesc->tdb).tdb_ident_s.data);
603 if ((pXmitDesc->tdb).tdb_ident_d.data) {
604 kfree((pXmitDesc->tdb).tdb_ident_d.data);
607 ipsec_glue_xmit_desc_release (pXmitDesc);
611 dev_kfree_skb(skb, FREE_WRITE);
618 static void ipsec_tunnel_next_transform(void *data)
621 IpsecXmitDesc *pXmitDesc = NULL;
622 IX_MBUF *pRetSrcMbuf = NULL;
624 struct ipsecpriv *prv; /* Our device' private space */
625 struct net_device_stats *stats; /* This device's statistics */
626 struct iphdr *iph; /* Our new IP header */
627 __u32 newdst; /* The other SG's IP address */
628 __u32 newsrc; /* The new source SG's IP address */
629 __u32 orgdst; /* Original IP destination address */
630 __u32 orgsrc; /* Original IP source address */
631 int iphlen; /* IP header length */
632 int pyldsz; /* upper protocol payload size */
635 int max_headroom = 0; /* The extra header space needed */
636 int max_tailroom = 0; /* The extra stuffing needed */
637 int ll_headroom; /* The extra link layer hard_header space needed */
641 struct ipsec_sa *tdbp, *tdbq; /* Tunnel Descriptor Block pointers */
644 struct device *physdev;
648 struct rtable *rt = NULL;
652 /* IXP425 glue code */
653 unsigned int auth_start_offset = 0;
654 unsigned int auth_data_len = 0;
655 unsigned int crypt_start_offset = 0;
656 unsigned int crypt_data_len = 0;
657 unsigned int icv_offset = 0;
660 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
661 uint8_t natt_type = 0, natt_head = 0;
662 uint16_t natt_sport = 0, natt_dport = 0;
665 pRetSrcMbuf = (IX_MBUF *) data;
667 spin_lock(&xmit_lock);
669 spin_unlock(&xmit_lock);
671 if (pRetSrcMbuf == NULL)
673 KLIPS_PRINT(debug_tunnel,
674 "klips_error:ipsec_tunnel_start_xmit: "
675 "NULL mbuf passed in.\n");
679 /* Detach skb from mbuf */
680 skb = mbuf_swap_skb(pRetSrcMbuf, NULL);
682 /* get xmit desc from mbuf */
683 pXmitDesc = (IpsecXmitDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (pRetSrcMbuf);
685 ipsec_glue_mbuf_header_rel (pRetSrcMbuf);
687 if (pXmitDesc == NULL)
689 KLIPS_PRINT(debug_tunnel,
690 "klips_error:ipsec_tunnel_start_xmit: "
691 "NULL Xmit Descriptor passed in.\n");
696 * Return if there is nothing to do. (Does this ever happen?) XXX
699 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
700 "klips_error:ipsec_tunnel_start_xmit: "
701 "Nothing to do!\n" );
705 if (skb->data == NULL) {
706 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
707 "klips_error:ipsec_tunnel_start_xmit: "
708 "NULL skb->data passed in, packet is bogus, dropping.\n");
712 dev = pXmitDesc->dev;
715 KLIPS_PRINT(debug_tunnel,
716 "klips_error:ipsec_tunnel_start_xmit: "
723 KLIPS_PRINT(debug_tunnel,
724 "klips_error:ipsec_tunnel_start_xmit: "
731 KLIPS_PRINT(debug_tunnel,
732 "klips_error:ipsec_tunnel_start_xmit: "
733 "No physical device\n");
736 physmtu = physdev->mtu;
737 stats = (struct net_device_stats *) &(prv->mystats);
739 /* get current tdbp */
740 tdbp = pXmitDesc->tdbp;
744 KLIPS_PRINT(debug_tunnel,
745 "klips_error:ipsec_tunnel_start_xmit: "
746 "Corrupted descriptor, dropping.\n");
751 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
752 "klips_error:ipsec_tunnel_start_xmit: "
753 "No device associated with skb!\n" );
758 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
759 "klips_error:ipsec_tunnel_start_xmit: "
760 "Device has no private structure!\n" );
764 if (physdev == NULL) {
765 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
766 "klips_error:ipsec_tunnel_start_xmit: "
767 "Device is not attached to physical device!\n" );
771 /* get ip header from skb */
772 iph = (struct iphdr *)skb->data;
774 #ifdef CONFIG_IPSEC_AH
775 if((pXmitDesc->tdbp)->tdb_said.proto == IPPROTO_AH)
777 /* Restore mutable fields */
778 iph->tos = pXmitDesc->ip_tos;
779 iph->frag_off = pXmitDesc->ip_frag_off;
780 iph->ttl = pXmitDesc->ip_ttl;
782 #endif /* CONFIG_IPSEC_AH */
785 skb->nh.raw = skb->data;
787 skb->ip_hdr = skb->h.iph = (struct iphdr *) skb->data;
790 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
792 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
794 spin_lock(&tdb_lock);
796 tdbp->ips_life.ipl_bytes.ipl_count += skb->len;
797 tdbp->ips_life.ipl_bytes.ipl_last = skb->len;
799 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
800 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
802 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
803 tdbp->ips_life.ipl_packets.ipl_count++;
804 delXmitDesc_from_salist(tdbp, pXmitDesc);
806 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
807 if ((tdbp->ips_natt_type) && (!natt_type)) {
809 switch(tdbp->tdb_authalg) {
810 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
812 authlen = AHHMAC_HASHLEN;
814 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
815 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
817 authlen = AHHMAC_HASHLEN;
819 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
824 delXmitDesc_from_salist(tdbp, pXmitDesc);
825 spin_unlock (&tdb_lock);
828 tailroom += ((tdbp->ips_enc_blksize - ((pyldsz + 2 * sizeof(unsigned char))
829 % tdbp->ips_enc_blksize)) % tdbp->ips_enc_blksize) + 2;
831 natt_type = tdbp->ips_natt_type;
832 natt_sport = tdbp->ips_natt_sport;
833 natt_dport = tdbp->ips_natt_dport;
835 case ESPINUDP_WITH_NON_IKE:
836 natt_head = sizeof(struct udphdr)+(2*sizeof(__u32));
838 case ESPINUDP_WITH_NON_ESP:
839 natt_head = sizeof(struct udphdr);
845 tailroom += natt_head;
849 tdbp = tdbp->ips_onext;
850 /* store current tdbp into xmit desc */
851 pXmitDesc->tdbp = tdbp;
852 spin_unlock(&tdb_lock);
854 * Apply grouped transforms to packet
857 #ifdef CONFIG_IPSEC_ESP
861 char iv[ESP_IV_MAXSZ];
863 int authlen = 0, padlen = 0, i;
864 #endif /* !CONFIG_IPSEC_ESP */
865 #ifdef CONFIG_IPSEC_AH
867 #endif /* CONFIG_IPSEC_AH */
869 int headroom = 0, tailroom = 0, len = 0;
872 spin_lock (&tdb_lock);
873 addXmitDesc_to_salist(tdbp, pXmitDesc);
874 iphlen = iph->ihl << 2;
875 pyldsz = ntohs(iph->tot_len) - iphlen;
876 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
877 spin_unlock (&tdb_lock);
878 KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
879 "klips_debug:ipsec_tunnel_start_xmit: "
880 "calling output for <%s%s%s>, SA:%s\n",
881 IPS_XFORM_NAME(tdbp),
882 sa_len ? sa : " (error)");
884 switch(tdbp->tdb_said.proto) {
885 #ifdef CONFIG_IPSEC_AH
887 headroom += sizeof(struct ah);
889 #endif /* CONFIG_IPSEC_AH */
890 #ifdef CONFIG_IPSEC_ESP
892 switch(tdbp->tdb_encalg) {
893 #ifdef CONFIG_IPSEC_ENC_DES
895 #endif /* CONFIG_IPSEC_ENC_DES */
896 #ifdef CONFIG_IPSEC_ENC_3DES
898 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
900 #endif /* CONFIG_IPSEC_ENC_3DES */
901 #ifdef CONFIG_IPSEC_ALG
903 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
905 #endif /* CONFIG_IPSEC_ALG */
907 spin_lock (&tdb_lock);
908 delXmitDesc_from_salist(tdbp, pXmitDesc);
909 spin_unlock (&tdb_lock);
913 switch(tdbp->tdb_authalg) {
914 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
916 authlen = AHHMAC_HASHLEN;
918 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
919 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
921 authlen = AHHMAC_HASHLEN;
923 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
928 spin_lock (&tdb_lock);
929 delXmitDesc_from_salist(tdbp, pXmitDesc);
930 spin_unlock (&tdb_lock);
933 tailroom += ((tdbp->ips_enc_blksize - ((pyldsz + 2 * sizeof(unsigned char))
934 % tdbp->ips_enc_blksize)) % tdbp->ips_enc_blksize) + 2;
937 #endif /* !CONFIG_IPSEC_ESP */
938 #ifdef CONFIG_IPSEC_IPIP
940 headroom += sizeof(struct iphdr);
942 #endif /* !CONFIG_IPSEC_IPIP */
943 #ifdef CONFIG_IPSEC_IPCOMP
946 #endif /* CONFIG_IPSEC_IPCOMP */
949 spin_lock (&tdb_lock);
950 delXmitDesc_from_salist(tdbp, pXmitDesc);
951 spin_unlock (&tdb_lock);
955 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
956 "klips_debug:ipsec_tunnel_start_xmit: "
957 "pushing %d bytes, putting %d, proto %d.\n",
958 headroom, tailroom, tdbp->tdb_said.proto);
959 if(skb_headroom(skb) < headroom) {
961 "klips_error:ipsec_tunnel_start_xmit: "
962 "tried to skb_push headroom=%d, %d available. This should never happen, please report.\n",
963 headroom, skb_headroom(skb));
965 spin_lock (&tdb_lock);
966 delXmitDesc_from_salist(tdbp, pXmitDesc);
967 spin_unlock (&tdb_lock);
970 dat = skb_push(skb, headroom);
972 if(skb_tailroom(skb) < tailroom) {
974 "klips_error:ipsec_tunnel_start_xmit: "
975 "tried to skb_put %d, %d available. This should never happen, please report.\n",
976 tailroom, skb_tailroom(skb));
978 spin_lock (&tdb_lock);
979 delXmitDesc_from_salist(tdbp, pXmitDesc);
980 spin_unlock (&tdb_lock);
983 skb_put(skb, tailroom);
984 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
985 "klips_debug:ipsec_tunnel_start_xmit: "
986 "head,tailroom: %d,%d before xform.\n",
987 skb_headroom(skb), skb_tailroom(skb));
990 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
991 "tot_len (%d) > 65520. This should never happen, please report.\n",
994 spin_lock (&tdb_lock);
995 delXmitDesc_from_salist(tdbp, pXmitDesc);
996 spin_unlock (&tdb_lock);
999 memmove((void *)dat, (void *)(dat + headroom), iphlen);
1000 iph = (struct iphdr *)dat;
1001 iph->tot_len = htons(skb->len);
1003 switch(tdbp->tdb_said.proto) {
1004 #ifdef CONFIG_IPSEC_ESP
1006 espp = (struct esp *)(dat + iphlen);
1007 ivlen = tdbp->ips_iv_size;
1008 /* Get IV location pointer in payload - after ESP header */
1009 ivp = (char *) espp + sizeof (struct esp);
1010 espp->esp_spi = tdbp->tdb_said.spi;
1012 spin_lock(&tdb_lock);
1013 espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
1014 spin_unlock(&tdb_lock);
1016 switch(tdbp->tdb_encalg) {
1017 #ifdef CONFIG_IPSEC_ENC_DES
1019 #endif /* CONFIG_IPSEC_ENC_DES */
1020 #ifdef CONFIG_IPSEC_ENC_3DES
1022 /* To support multiple request from the same TDB at the same
1023 * time, chaining of IV from previous cipher block could not
1024 * be used. Thus random IV is generated per each packet */
1025 for (i = 0; i < ivlen; i++)
1027 iv[i] = (jiffies % 0xff) + i;
1029 memcpy (ivp, iv, ivlen);
1031 #endif /* CONFIG_IPSEC_ENC_3DES */
1032 #ifdef CONFIG_IPSEC_ALG
1034 /* To support multiple request from the same TDB at the same
1035 * time, chaining of IV from previous cipher block could not
1036 * be used. Thus random IV is generated per each packet */
1037 for (i = 0; i < ivlen; i++)
1039 iv[i] = (jiffies % 0xff) + i;
1041 memcpy (ivp, iv, ivlen);
1043 #endif /* CONFIG_IPSEC_ENCALG */
1047 spin_lock (&tdb_lock);
1048 delXmitDesc_from_salist(tdbp, pXmitDesc);
1049 spin_unlock (&tdb_lock);
1053 /* set offset for crypto perform */
1054 crypt_start_offset = iphlen + headroom;
1055 crypt_data_len = len - (iphlen + headroom + authlen);
1056 auth_start_offset = iphlen;
1057 auth_data_len = len - (iphlen + authlen);
1058 icv_offset = len - authlen;
1060 /* Self-describing padding */
1061 pad = &dat[len - tailroom];
1062 padlen = tailroom - 2 - authlen;
1063 for (i = 0; i < padlen; i++) {
1066 dat[len - authlen - 2] = padlen;
1068 dat[len - authlen - 1] = iph->protocol;
1069 iph->protocol = IPPROTO_ESP;
1072 skb->h.raw = (unsigned char*)espp;
1075 #endif /* !CONFIG_IPSEC_ESP */
1076 #ifdef CONFIG_IPSEC_AH
1078 ahp = (struct ah *)(dat + iphlen);
1079 ahp->ah_spi = tdbp->tdb_said.spi;
1080 spin_lock(&tdb_lock);
1081 ahp->ah_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
1082 spin_unlock(&tdb_lock);
1084 ahp->ah_nh = iph->protocol;
1085 ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32);
1086 iph->protocol = IPPROTO_AH;
1087 memset (&(ahp->ah_data[0]), 0, (AHHMAC_HASHLEN * sizeof(__u8)));
1089 dmp("ahp", (char*)ahp, sizeof(*ahp));
1091 /* Keep a copy of the original IP, modify iph to handle mutable fields */
1092 pXmitDesc->ip_tos = iph->tos;
1093 pXmitDesc->ip_frag_off = iph->frag_off;
1094 pXmitDesc->ip_ttl = iph->ttl;
1100 dmp("iph", (char*)&iph, sizeof(iph));
1102 /* set offset for crypto perform */
1103 auth_start_offset = 0;
1104 auth_data_len = len;
1105 icv_offset = iphlen + AUTH_DATA_IN_AH_OFFSET;
1107 /* Error checking */
1108 if ((tdbp->tdb_authalg != AH_MD5) && (tdbp->tdb_authalg != AH_SHA))
1111 spin_lock (&tdb_lock);
1112 delXmitDesc_from_salist(tdbp, pXmitDesc);
1113 spin_unlock (&tdb_lock);
1117 skb->h.raw = (unsigned char*)ahp;
1120 #endif /* CONFIG_IPSEC_AH */
1121 #ifdef CONFIG_IPSEC_IPIP
1124 switch(sysctl_ipsec_tos) {
1127 iph->tos = skb->nh.iph->tos;
1129 iph->tos = skb->ip_hdr->tos;
1140 iph->ttl = sysctl_ip_default_ttl;
1141 #else /* NETDEV_23 */
1142 iph->ttl = ip_statistics.IpDefaultTTL;
1143 #endif /* NETDEV_23 */
1145 iph->ttl = 64; /* ip_statistics.IpDefaultTTL; */
1148 iph->saddr = ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr;
1149 iph->daddr = ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr;
1150 iph->protocol = IPPROTO_IPIP;
1151 iph->ihl = sizeof(struct iphdr) >> 2 /* 5 */;
1152 #ifdef IP_SELECT_IDENT
1153 /* XXX use of skb->dst below is a questionable
1154 substitute for &rt->u.dst which is only
1155 available later-on */
1156 #ifdef IP_SELECT_IDENT_NEW
1157 ip_select_ident(iph, skb->dst, NULL);
1158 #else /* IP_SELECT_IDENT_NEW */
1159 ip_select_ident(iph, skb->dst);
1160 #endif /* IP_SELECT_IDENT_NEW */
1161 #else /* IP_SELECT_IDENT */
1162 iph->id = htons(ip_id_count++); /* Race condition here? */
1163 #endif /* IP_SELECT_IDENT */
1165 newdst = (__u32)iph->daddr;
1166 newsrc = (__u32)iph->saddr;
1169 skb->h.ipiph = skb->nh.iph;
1172 #endif /* !CONFIG_IPSEC_IPIP */
1173 #ifdef CONFIG_IPSEC_IPCOMP
1176 unsigned int flags = 0;
1177 #ifdef CONFIG_IPSEC_DEBUG
1178 unsigned int old_tot_len = ntohs(iph->tot_len);
1179 #endif /* CONFIG_IPSEC_DEBUG */
1181 spin_lock(&tdb_lock);
1182 tdbp->tdb_comp_ratio_dbytes += ntohs(iph->tot_len);
1183 skb = skb_compress(skb, tdbp, &flags);
1191 tdbp->tdb_comp_ratio_cbytes += ntohs(iph->tot_len);
1192 spin_unlock(&tdb_lock);
1194 #ifdef CONFIG_IPSEC_DEBUG
1195 if (debug_tunnel & DB_TN_CROUT)
1197 if (old_tot_len > ntohs(iph->tot_len))
1198 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1199 "klips_debug:ipsec_tunnel_start_xmit: "
1200 "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
1201 old_tot_len, ntohs(iph->tot_len),
1202 ntohs(((struct ipcomphdr*)(((char*)iph) + ((iph->ihl) << 2)))->ipcomp_cpi),
1203 ntohl(tdbp->tdb_said.spi),
1204 (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff));
1206 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1207 "klips_debug:ipsec_tunnel_start_xmit: "
1208 "packet did not compress (flags = %d).\n",
1211 #endif /* CONFIG_IPSEC_DEBUG */
1214 #endif /* CONFIG_IPSEC_IPCOMP */
1217 spin_lock(&tdb_lock);
1218 delXmitDesc_from_salist(tdbp, pXmitDesc);
1219 spin_unlock(&tdb_lock);
1223 /*IXP425 glue code : crypto perform */
1224 #if defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)
1225 if ((tdbp->tdb_said.proto == IPPROTO_AH) || (tdbp->tdb_said.proto == IPPROTO_ESP))
1227 /* Get mbuf from pool */
1228 if(IPSEC_GLUE_STATUS_SUCCESS != ipsec_glue_mbuf_header_get(&src_mbuf))
1230 KLIPS_PRINT(debug_tunnel,
1231 "klips_debug:ipsec_tunnel_start_xmit: "
1232 "running out of mbufs, dropped\n");
1234 spin_lock(&tdb_lock);
1235 delXmitDesc_from_salist(tdbp, pXmitDesc);
1236 spin_unlock(&tdb_lock);
1240 /* attach mbuf to sk_buff */
1241 mbuf_swap_skb(src_mbuf, skb);
1243 /* store xmit desc in mbuf */
1244 (IpsecXmitDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (src_mbuf) = pXmitDesc;
1246 if (IX_CRYPTO_ACC_STATUS_SUCCESS != ixCryptoAccAuthCryptPerform (
1247 tdbp->ips_crypto_context_id,
1257 KLIPS_PRINT(debug_tunnel,
1258 "klips_debug:ipsec_tunnel_start_xmit: "
1259 "warning, encapsulation of packet cannot be started\n");
1262 ipsec_glue_mbuf_header_rel(src_mbuf);
1263 spin_lock(&tdb_lock);
1264 delXmitDesc_from_salist(tdbp, pXmitDesc);
1265 spin_unlock(&tdb_lock);
1270 } /* end of if ((tdbp->tdb_said.proto == IPPROTO_AH)
1271 || (tdbp->tdb_said.proto == IPPROTO_ESP)) */
1272 #endif /* defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)*/
1275 skb->nh.raw = skb->data;
1277 skb->ip_hdr = skb->h.iph = (struct iphdr *) skb->data;
1280 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
1282 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1283 "klips_debug:ipsec_tunnel_start_xmit: "
1284 "after <%s%s%s>, SA:%s:\n",
1285 IPS_XFORM_NAME(tdbp),
1286 sa_len ? sa : " (error)");
1287 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
1289 spin_lock(&tdb_lock);
1290 tdbp->ips_life.ipl_bytes.ipl_count += len;
1291 tdbp->ips_life.ipl_bytes.ipl_last = len;
1293 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
1294 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
1296 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
1297 tdbp->ips_life.ipl_packets.ipl_count++;
1299 delXmitDesc_from_salist(tdbp, pXmitDesc);
1300 spin_unlock(&tdb_lock);
1303 tdbp = tdbp->ips_onext;
1304 /* store current tdbp into xmit desc */
1305 pXmitDesc->tdbp = tdbp;
1307 } /* end encapsulation loop here XXX */
1309 (pXmitDesc->matcher).sen_ip_src.s_addr = iph->saddr;
1310 (pXmitDesc->matcher).sen_ip_dst.s_addr = iph->daddr;
1311 spin_lock(&eroute_lock);
1312 er = ipsec_findroute(&(pXmitDesc->matcher));
1314 (pXmitDesc->outgoing_said) = er->er_said;
1315 pXmitDesc->eroute_pid = er->er_pid;
1317 er->er_lasttime = jiffies/HZ;
1319 spin_unlock(&eroute_lock);
1320 KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
1321 /* ((orgdst != newdst) || (orgsrc != newsrc)) */
1322 (pXmitDesc->orgedst != (pXmitDesc->outgoing_said).dst.s_addr) &&
1323 (pXmitDesc->outgoing_said).dst.s_addr &&
1325 "klips_debug:ipsec_tunnel_start_xmit: "
1326 "We are recursing here.\n");
1329 /* start encapsulation loop here XXX */
1330 while(/*((orgdst != newdst) || (orgsrc != newsrc))*/
1331 (pXmitDesc->orgedst != pXmitDesc->outgoing_said.dst.s_addr) &&
1332 pXmitDesc->outgoing_said.dst.s_addr &&
1335 struct ipsec_sa *tdbprev = NULL;
1337 newdst = orgdst = iph->daddr;
1338 newsrc = orgsrc = iph->saddr;
1339 pXmitDesc->orgedst = (pXmitDesc->outgoing_said).dst.s_addr;
1340 iphlen = iph->ihl << 2;
1341 pyldsz = ntohs(iph->tot_len) - iphlen;
1342 max_headroom = max_tailroom = 0;
1344 if ((pXmitDesc->outgoing_said).proto == IPPROTO_INT) {
1345 switch (ntohl((pXmitDesc->outgoing_said).spi)) {
1347 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1348 "klips_debug:ipsec_tunnel_start_xmit: "
1349 "shunt SA of DROP or no eroute: dropping.\n");
1350 stats->tx_dropped++;
1354 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1355 "klips_debug:ipsec_tunnel_start_xmit: "
1356 "shunt SA of REJECT: notifying and dropping.\n");
1362 stats->tx_dropped++;
1367 pXmitDesc->pass = 1;
1369 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1370 "klips_debug:ipsec_tunnel_start_xmit: "
1371 "PASS: calling dev_queue_xmit\n");
1374 #if 1 /* now moved up to finderoute so we don't need to lock it longer */
1376 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1377 "klips_debug:ipsec_tunnel_start_xmit: "
1378 "shunt SA of HOLD: this does not make sense here, dropping.\n");
1379 stats->tx_dropped++;
1383 case SPI_TRAPSUBNET:
1385 struct sockaddr_in src, dst;
1386 #ifdef CONFIG_IPSEC_DEBUG
1387 char bufsrc[ADDRTOA_BUF], bufdst[ADDRTOA_BUF];
1388 #endif /* CONFIG_IPSEC_DEBUG */
1389 struct eroute hold_eroute;
1390 struct sa_id hold_said;
1391 struct sk_buff *first = NULL, *last = NULL;
1393 /* Signal all listening KMds with a PF_KEY ACQUIRE */
1394 (pXmitDesc->tdb).tdb_said.proto = iph->protocol;
1395 src.sin_family = AF_INET;
1396 dst.sin_family = AF_INET;
1397 src.sin_addr.s_addr = iph->saddr;
1398 dst.sin_addr.s_addr = iph->daddr;
1400 (iph->protocol == IPPROTO_UDP
1401 ? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->source
1402 : (iph->protocol == IPPROTO_TCP
1403 ? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->source
1406 (iph->protocol == IPPROTO_UDP
1407 ? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->dest
1408 : (iph->protocol == IPPROTO_TCP
1409 ? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->dest
1412 i < sizeof(struct sockaddr_in)
1413 - offsetof(struct sockaddr_in, sin_zero);
1415 src.sin_zero[i] = 0;
1416 dst.sin_zero[i] = 0;
1419 (pXmitDesc->tdb).tdb_addr_s = (struct sockaddr*)(&src);
1420 (pXmitDesc->tdb).tdb_addr_d = (struct sockaddr*)(&dst);
1421 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1422 "klips_debug:ipsec_tunnel_start_xmit: "
1423 "SADB_ACQUIRE sent with src=%s:%d, dst=%s:%d, proto=%d.\n",
1424 addrtoa(((struct sockaddr_in*)((pXmitDesc->tdb).tdb_addr_s))->sin_addr, 0, bufsrc, sizeof(bufsrc)) <= ADDRTOA_BUF ? bufsrc : "BAD_ADDR",
1425 ntohs(((struct sockaddr_in*)((pXmitDesc->tdb).tdb_addr_s))->sin_port),
1426 addrtoa(((struct sockaddr_in*)((pXmitDesc->tdb).tdb_addr_d))->sin_addr, 0, bufdst, sizeof(bufdst)) <= ADDRTOA_BUF ? bufdst : "BAD_ADDR",
1427 ntohs(((struct sockaddr_in*)((pXmitDesc->tdb).tdb_addr_d))->sin_port),
1428 (pXmitDesc->tdb).tdb_said.proto);
1430 if (pfkey_acquire(&(pXmitDesc->tdb)) == 0) {
1432 if ((pXmitDesc->outgoing_said).spi==htonl(SPI_TRAPSUBNET)) {
1434 * The spinlock is to prevent any other
1435 * process from accessing or deleting
1436 * the eroute while we are using and
1439 spin_lock(&eroute_lock);
1440 er = ipsec_findroute(&(pXmitDesc->matcher));
1442 er->er_said.spi = htonl(SPI_HOLD);
1446 spin_unlock(&eroute_lock);
1448 /* install HOLD eroute */
1449 memset((caddr_t)&hold_eroute, 0, sizeof(hold_eroute));
1450 memset((caddr_t)&hold_said, 0, sizeof(hold_said));
1452 hold_said.proto = IPPROTO_INT;
1453 hold_said.spi = htonl(SPI_HOLD);
1454 hold_said.dst.s_addr = INADDR_ANY;
1456 hold_eroute.er_eaddr.sen_len = sizeof(struct sockaddr_encap);
1457 hold_eroute.er_emask.sen_len = sizeof(struct sockaddr_encap);
1458 hold_eroute.er_eaddr.sen_family = AF_ENCAP;
1459 hold_eroute.er_emask.sen_family = AF_ENCAP;
1460 hold_eroute.er_eaddr.sen_type = SENT_IP4;
1461 hold_eroute.er_emask.sen_type = 255;
1463 hold_eroute.er_eaddr.sen_ip_src.s_addr = iph->saddr;
1464 hold_eroute.er_eaddr.sen_ip_dst.s_addr = iph->daddr;
1465 hold_eroute.er_emask.sen_ip_src.s_addr = INADDR_BROADCAST;
1466 hold_eroute.er_emask.sen_ip_dst.s_addr = INADDR_BROADCAST;
1468 hold_eroute.er_pid = pXmitDesc->eroute_pid;
1469 hold_eroute.er_count = 0;
1470 hold_eroute.er_lasttime = jiffies/HZ;
1472 #ifdef IPSEC_CONFIG_FULL_SELECTOR_LIST
1473 /* These are ficticious. Don't uncomment these until
1474 proto, sport and dport exist in the SPDB */
1475 hold_eroute.er_proto = iph->protocol;
1476 hold_eroute.er_src_port =
1477 (iph->protocol == IPPROTO_UDP
1478 ? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->source
1479 : (iph->protocol == IPPROTO_TCP
1480 ? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->source
1482 hold_eroute.er_dst_port =
1483 (iph->protocol == IPPROTO_UDP
1484 ? ((struct udphdr*) (((caddr_t)iph) + (iph->ihl << 2)))->dest
1485 : (iph->protocol == IPPROTO_TCP
1486 ? ((struct tcphdr*)((caddr_t)iph + (iph->ihl << 2)))->dest
1488 #endif /* IPSEC_CONFIG_FULL_SELECTOR_LIST */
1490 #ifdef CONFIG_IPSEC_DEBUG
1492 char buf1[64], buf2[64];
1493 subnettoa(hold_eroute.er_eaddr.sen_ip_src,
1494 hold_eroute.er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
1495 subnettoa(hold_eroute.er_eaddr.sen_ip_dst,
1496 hold_eroute.er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
1497 KLIPS_PRINT(debug_pfkey,
1498 "klips_debug:ipsec_tunnel_start_xmit: "
1499 "calling breakeroute and makeroute for %s->%s HOLD eroute.\n",
1502 #endif /* CONFIG_IPSEC_DEBUG */
1503 if (ipsec_breakroute(&(hold_eroute.er_eaddr),
1504 &(hold_eroute.er_emask),
1505 &first, &last) != EINVAL) {
1506 KLIPS_PRINT(debug_pfkey,
1507 "klips_debug:ipsec_tunnel_start_xmit: "
1508 "breakeroute should have failed. first=%p, last=%p\n",
1516 /* SENDERR(-error); */
1518 KLIPS_PRINT(debug_pfkey,
1519 "klips_debug:ipsec_tunnel_start_xmit: "
1520 "HOLD breakeroute found nothing as expected.\n");
1529 if ((error = ipsec_makeroute(&(hold_eroute.er_eaddr),
1530 &(hold_eroute.er_emask),
1532 pXmitDesc->eroute_pid,
1536 KLIPS_PRINT(debug_pfkey,
1537 "klips_debug:ipsec_tunnel_start_xmit: "
1538 "HOLD makeroute returned %d, failed.\n", error);
1539 /* SENDERR(-error); */
1541 KLIPS_PRINT(debug_pfkey,
1542 "klips_debug:ipsec_tunnel_start_xmit: "
1543 "HOLD makeroute call successful.\n");
1548 stats->tx_dropped++;
1551 /* XXX what do we do with an unknown shunt spi? */
1553 } /* switch (ntohl((pXmitDesc->outgoing_said).spi)) */
1555 } /* if ((pXmitDesc->outgoing_said).proto == IPPROTO_INT) */
1557 tdbp = ipsec_sa_getbyid(&(pXmitDesc->outgoing_said));
1558 /* store current tdbp into xmit desc */
1559 pXmitDesc->tdbp = tdbp;
1560 sa_len = satoa((pXmitDesc->outgoing_said), 0, sa, SATOA_BUF);
1563 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1564 "klips_debug:ipsec_tunnel_start_xmit: "
1565 "no Tunnel Descriptor Block for SA%s: outgoing packet with no SA, dropped.\n",
1566 sa_len ? sa : " (error)");
1567 stats->tx_dropped++;
1571 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1572 "klips_debug:ipsec_tunnel_start_xmit: "
1573 "found Tunnel Descriptor Block -- SA:<%s%s%s> %s\n",
1574 IPS_XFORM_NAME(tdbp),
1575 sa_len ? sa : " (error)");
1578 * How much headroom do we need to be able to apply
1579 * all the grouped transforms?
1581 tdbq = tdbp; /* save the head of the tdb chain */
1582 spin_lock(&tdb_lock);
1583 addXmitDesc_to_salist(tdbp, pXmitDesc);
1586 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
1588 strcpy(sa, "(error)");
1591 /* If it is in larval state, drop the packet, we cannot process yet. */
1592 if(tdbp->tdb_state == SADB_SASTATE_LARVAL) {
1593 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1594 "klips_debug:ipsec_tunnel_start_xmit: "
1595 "TDB in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
1596 IPS_XFORM_NAME(tdbp),
1597 sa_len ? sa : " (error)");
1598 delXmitDesc_from_salist(tdbp, pXmitDesc);
1599 spin_unlock(&tdb_lock);
1604 if(tdbp->tdb_state == SADB_SASTATE_DEAD) {
1605 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1606 "klips_debug:ipsec_tunnel_start_xmit: "
1607 "TDB in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
1608 IPS_XFORM_NAME(tdbp),
1609 sa_len ? sa : " (error)");
1610 delXmitDesc_from_salist(tdbp, pXmitDesc);
1612 if(tdbp->ips_teardown_initiated == 1)
1613 ipsec_sa_delchain(tdbp);
1614 spin_unlock(&tdb_lock);
1618 /* If the replay window counter == -1, expire SA, it will roll */
1619 if(tdbp->tdb_replaywin && tdbp->tdb_replaywin_lastseq == -1) {
1620 pfkey_expire(tdbp, 1);
1621 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
1622 "klips_debug:ipsec_tunnel_start_xmit: "
1623 "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
1624 IPS_XFORM_NAME(tdbp),
1625 sa_len ? sa : " (error)");
1626 delXmitDesc_from_salist(tdbp, pXmitDesc);
1627 ipsec_sa_delchain(tdbp);
1628 spin_unlock(&tdb_lock);
1634 * if this is the first time we are using this SA, mark start time,
1635 * and offset hard/soft counters by "now" for later checking.
1638 if(tdbp->ips_life.ipl_usetime.count == 0) {
1639 tdbp->ips_life.ipl_usetime.count = jiffies;
1640 tdbp->ips_life.ipl_usetime.hard += jiffies;
1641 tdbp->ips_life.ipl_usetime.soft += jiffies;
1646 if(ipsec_lifetime_check(&tdbp->ips_life.ipl_bytes, "bytes", sa,
1647 ipsec_life_countbased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
1648 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "addtime",sa,
1649 ipsec_life_timebased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
1650 ipsec_lifetime_check(&tdbp->ips_life.ipl_usetime, "usetime",sa,
1651 ipsec_life_timebased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
1652 ipsec_lifetime_check(&tdbp->ips_life.ipl_packets, "packets",sa,
1653 ipsec_life_countbased, ipsec_outgoing, tdbp) == ipsec_life_harddied) {
1654 delXmitDesc_from_salist(tdbp, pXmitDesc);
1655 ipsec_sa_delchain(tdbp);
1656 spin_unlock(&tdb_lock);
1661 headroom = tailroom = 0;
1662 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1663 "klips_debug:ipsec_tunnel_start_xmit: "
1664 "calling room for <%s%s%s>, SA:%s\n",
1665 IPS_XFORM_NAME(tdbp),
1666 sa_len ? sa : " (error)");
1667 switch(tdbp->tdb_said.proto) {
1668 #ifdef CONFIG_IPSEC_AH
1670 headroom += sizeof(struct ah);
1672 #endif /* CONFIG_IPSEC_AH */
1673 #ifdef CONFIG_IPSEC_ESP
1675 switch(tdbp->tdb_encalg) {
1676 #ifdef CONFIG_IPSEC_ENC_DES
1678 #endif /* CONFIG_IPSEC_ENC_DES */
1679 #ifdef CONFIG_IPSEC_ENC_3DES
1681 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
1683 #endif /* CONFIG_IPSEC_ENC_3DES */
1684 #ifdef CONFIG_IPSEC_ALG
1686 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
1688 #endif /* CONFIG_IPSEC_ALG */
1690 delXmitDesc_from_salist(tdbp, pXmitDesc);
1691 spin_unlock(&tdb_lock);
1695 switch(tdbp->tdb_authalg) {
1696 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
1698 tailroom += AHHMAC_HASHLEN;
1700 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
1701 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
1703 tailroom += AHHMAC_HASHLEN;
1705 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
1709 delXmitDesc_from_salist(tdbp, pXmitDesc);
1710 spin_unlock(&tdb_lock);
1714 tailroom += ((tdbp->ips_enc_blksize - ((pyldsz + 2 * sizeof(unsigned char))
1715 % tdbp->ips_enc_blksize)) % tdbp->ips_enc_blksize) + 2;
1716 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1717 if ((tdbp->ips_natt_type) && (!natt_type)) {
1718 natt_type = tdbp->ips_natt_type;
1719 natt_sport = tdbp->ips_natt_sport;
1720 natt_dport = tdbp->ips_natt_dport;
1721 switch (natt_type) {
1722 case ESPINUDP_WITH_NON_IKE:
1723 natt_head = sizeof(struct udphdr)+(2*sizeof(__u32));
1725 case ESPINUDP_WITH_NON_ESP:
1726 natt_head = sizeof(struct udphdr);
1732 tailroom += natt_head;
1736 #endif /* !CONFIG_IPSEC_ESP */
1737 #ifdef CONFIG_IPSEC_IPIP
1739 headroom += sizeof(struct iphdr);
1741 #endif /* !CONFIG_IPSEC_IPIP */
1743 #ifdef CONFIG_IPSEC_IPCOMP
1745 We can't predict how much the packet will
1746 shrink without doing the actual compression.
1747 We could do it here, if we were the first
1748 encapsulation in the chain. That might save
1749 us a skb_copy_expand, since we might fit
1750 into the existing skb then. However, this
1751 would be a bit unclean (and this hack has
1752 bit us once), so we better not do it. After
1753 all, the skb_copy_expand is cheap in
1754 comparison to the actual compression.
1755 At least we know the packet will not grow.
1758 #endif /* CONFIG_IPSEC_IPCOMP */
1760 delXmitDesc_from_salist(tdbp, pXmitDesc);
1761 spin_unlock(&tdb_lock);
1765 tdbp = tdbp->tdb_onext;
1766 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1767 "klips_debug:ipsec_tunnel_start_xmit: "
1768 "Required head,tailroom: %d,%d\n",
1769 headroom, tailroom);
1770 max_headroom += headroom;
1771 max_tailroom += tailroom;
1772 pyldsz += (headroom + tailroom);
1775 spin_unlock(&tdb_lock);
1776 tdbp = tdbq; /* restore the head of the tdb chain */
1777 pXmitDesc->tdbp = tdbp;
1779 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1780 "klips_debug:ipsec_tunnel_start_xmit: "
1781 "existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n",
1782 skb_headroom(skb), skb_tailroom(skb),
1783 max_headroom, max_tailroom);
1785 pXmitDesc->tot_headroom += max_headroom;
1786 pXmitDesc->tot_tailroom += max_tailroom;
1788 mtudiff = prv->mtu + pXmitDesc->tot_headroom + pXmitDesc->tot_tailroom - physmtu;
1790 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1791 "klips_debug:ipsec_tunnel_start_xmit: "
1792 "mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
1794 pXmitDesc->tot_headroom, pXmitDesc->tot_tailroom, mtudiff, ntohs(iph->tot_len));
1796 int newmtu = physmtu - (pXmitDesc->tot_headroom + ((pXmitDesc->tot_tailroom + 2) & ~7) + 5);
1798 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1799 "klips_info:ipsec_tunnel_start_xmit: "
1800 "dev %s mtu of %d decreased by %d to %d\n",
1808 skb->dst->pmtu = prv->mtu; /* RGB */
1812 dev->mtu = prv->mtu; /* RGB */
1818 If the sender is doing PMTU discovery, and the
1819 packet doesn't fit within prv->mtu, notify him
1820 (unless it was an ICMP packet, or it was not the
1821 zero-offset packet) and send it anyways.
1823 Note: buggy firewall configuration may prevent the
1824 ICMP packet from getting back.
1826 if(sysctl_ipsec_icmp
1827 && prv->mtu < ntohs(iph->tot_len)
1828 && (iph->frag_off & __constant_htons(IP_DF)) ) {
1829 int notify = iph->protocol != IPPROTO_ICMP
1830 && (iph->frag_off & __constant_htons(IP_OFFSET)) == 0;
1832 #ifdef IPSEC_obey_DF
1833 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1834 "klips_debug:ipsec_tunnel_start_xmit: "
1835 "fragmentation needed and DF set; %sdropping packet\n",
1836 notify ? "sending ICMP and " : "");
1844 spin_lock (&tdb_lock);
1845 delXmitDesc_from_salist(tdbp, pXmitDesc);
1846 spin_unlock (&tdb_lock);
1848 #else /* IPSEC_obey_DF */
1849 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1850 "klips_debug:ipsec_tunnel_start_xmit: "
1851 "fragmentation needed and DF set; %spassing packet\n",
1852 notify ? "sending ICMP and " : "");
1859 #endif /* IPSEC_obey_DF */
1864 * If this is a transport mode TCP packet with
1865 * SYN set, determine an effective MSS based on
1866 * AH/ESP overheads determined above.
1868 if (iph->protocol == IPPROTO_TCP
1869 && (pXmitDesc->outgoing_said).proto != IPPROTO_IPIP) {
1870 struct tcphdr *tcph = skb->h.th;
1871 if (tcph->syn && !tcph->ack) {
1872 if(!ipsec_adjust_mss(skb, tcph, prv->mtu)) {
1874 "klips_warning:ipsec_tunnel_start_xmit: "
1875 "ipsec_adjust_mss() failed\n");
1877 spin_lock (&tdb_lock);
1878 delXmitDesc_from_salist(tdbp, pXmitDesc);
1879 spin_unlock (&tdb_lock);
1884 #endif /* MSS_HACK */
1885 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
1886 if ((natt_type) && ((pXmitDesc->outgoing_said).proto != IPPROTO_IPIP)) {
1888 * NAT-Traversal and Transport Mode:
1889 * we need to correct TCP/UDP checksum
1891 * If we've got NAT-OA, we can fix checksum without recalculation.
1892 * If we don't we can zero udp checksum.
1894 __u32 natt_oa = tdbp->ips_natt_oa ?
1895 ((struct sockaddr_in*)(tdbp->ips_natt_oa))->sin_addr.s_addr : 0;
1896 __u16 pkt_len = skb->tail - (unsigned char *)iph;
1897 __u16 data_len = pkt_len - (iph->ihl << 2);
1898 switch (iph->protocol) {
1900 if (data_len >= sizeof(struct tcphdr)) {
1901 struct tcphdr *tcp = (struct tcphdr *)((__u32 *)iph+iph->ihl);
1903 __u32 buff[2] = { ~iph->daddr, natt_oa };
1904 KLIPS_PRINT(debug_tunnel,
1905 "klips_debug:ipsec_tunnel_start_xmit: "
1906 "NAT-T & TRANSPORT: "
1907 "fix TCP checksum using NAT-OA\n");
1908 tcp->check = csum_fold(
1909 csum_partial((unsigned char *)buff, sizeof(buff),
1910 tcp->check^0xffff));
1913 KLIPS_PRINT(debug_tunnel,
1914 "klips_debug:ipsec_tunnel_start_xmit: "
1915 "NAT-T & TRANSPORT: do not recalc TCP checksum\n");
1919 KLIPS_PRINT(debug_tunnel,
1920 "klips_debug:ipsec_tunnel_start_xmit: "
1921 "NAT-T & TRANSPORT: can't fix TCP checksum\n");
1925 if (data_len >= sizeof(struct udphdr)) {
1926 struct udphdr *udp = (struct udphdr *)((__u32 *)iph+iph->ihl);
1927 if (udp->check == 0) {
1928 KLIPS_PRINT(debug_tunnel,
1929 "klips_debug:ipsec_tunnel_start_xmit: "
1930 "NAT-T & TRANSPORT: UDP checksum already 0\n");
1933 __u32 buff[2] = { ~iph->daddr, natt_oa };
1934 KLIPS_PRINT(debug_tunnel,
1935 "klips_debug:ipsec_tunnel_start_xmit: "
1936 "NAT-T & TRANSPORT: "
1937 "fix UDP checksum using NAT-OA\n");
1938 udp->check = csum_fold(
1939 csum_partial((unsigned char *)buff, sizeof(buff),
1940 udp->check^0xffff));
1943 KLIPS_PRINT(debug_tunnel,
1944 "klips_debug:ipsec_tunnel_start_xmit: "
1945 "NAT-T & TRANSPORT: zero UDP checksum\n");
1950 KLIPS_PRINT(debug_tunnel,
1951 "klips_debug:ipsec_tunnel_start_xmit: "
1952 "NAT-T & TRANSPORT: can't fix UDP checksum\n");
1956 KLIPS_PRINT(debug_tunnel,
1957 "klips_debug:ipsec_tunnel_start_xmit: "
1958 "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
1962 #endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
1964 ll_headroom = (pXmitDesc->hard_header_len + 15) & ~15;
1966 if ((skb_headroom(skb) >= max_headroom + 2 * ll_headroom) &&
1967 (skb_tailroom(skb) >= max_tailroom)
1970 #endif /* !NET_21 */
1972 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
1973 "klips_debug:ipsec_tunnel_start_xmit: "
1974 "data fits in existing skb\n");
1976 struct sk_buff* tskb = skb;
1978 if(!pXmitDesc->oskb) {
1979 pXmitDesc->oskb = skb;
1982 tskb = skb_copy_expand(skb,
1983 /* The reason for 2 * link layer length here still baffles me...RGB */
1984 max_headroom + 2 * ll_headroom,
1988 if(tskb && skb->sk) {
1989 skb_set_owner_w(tskb, skb->sk);
1992 if(!(skb == pXmitDesc->oskb) ) {
1993 dev_kfree_skb(skb, FREE_WRITE);
1998 "klips_debug:ipsec_tunnel_start_xmit: "
1999 "Failed, tried to allocate %d head and %d tailroom\n",
2000 max_headroom, max_tailroom);
2002 spin_lock (&tdb_lock);
2003 delXmitDesc_from_salist(tdbp, pXmitDesc);
2004 spin_unlock (&tdb_lock);
2007 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2008 "klips_debug:ipsec_tunnel_start_xmit: "
2009 "head,tailroom: %d,%d after allocation\n",
2010 skb_headroom(skb), skb_tailroom(skb));
2014 * Apply grouped transforms to packet
2017 #ifdef CONFIG_IPSEC_ESP
2021 char iv[ESP_IV_MAXSZ];
2023 int authlen = 0, padlen = 0, i;
2024 #endif /* !CONFIG_IPSEC_ESP */
2025 #ifdef CONFIG_IPSEC_AH
2027 #endif /* CONFIG_IPSEC_AH */
2029 int headroom = 0, tailroom = 0, len = 0;
2032 iphlen = iph->ihl << 2;
2033 pyldsz = ntohs(iph->tot_len) - iphlen;
2034 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
2035 KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
2036 "klips_debug:ipsec_tunnel_start_xmit: "
2037 "calling output for <%s%s%s>, SA:%s\n",
2038 IPS_XFORM_NAME(tdbp),
2039 sa_len ? sa : " (error)");
2041 switch(tdbp->tdb_said.proto) {
2042 #ifdef CONFIG_IPSEC_AH
2044 headroom += sizeof(struct ah);
2046 #endif /* CONFIG_IPSEC_AH */
2047 #ifdef CONFIG_IPSEC_ESP
2049 switch(tdbp->tdb_encalg) {
2050 #ifdef CONFIG_IPSEC_ENC_DES
2052 #endif /* CONFIG_IPSEC_ENC_DES */
2053 #ifdef CONFIG_IPSEC_ENC_3DES
2055 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
2057 #endif /* CONFIG_IPSEC_ENC_3DES */
2058 #ifdef CONFIG_IPSEC_ALG
2060 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
2062 #endif /* CONFIG_IPSEC_ALG */
2064 spin_lock (&tdb_lock);
2065 delXmitDesc_from_salist(tdbp, pXmitDesc);
2066 spin_unlock (&tdb_lock);
2070 switch(tdbp->tdb_authalg) {
2071 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
2073 authlen = AHHMAC_HASHLEN;
2075 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
2076 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
2078 authlen = AHHMAC_HASHLEN;
2080 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
2085 spin_lock (&tdb_lock);
2086 delXmitDesc_from_salist(tdbp, pXmitDesc);
2087 spin_unlock (&tdb_lock);
2090 tailroom += ((tdbp->ips_enc_blksize - ((pyldsz + 2 * sizeof(unsigned char))
2091 % tdbp->ips_enc_blksize)) % tdbp->ips_enc_blksize) + 2;
2092 tailroom += authlen;
2094 #endif /* !CONFIG_IPSEC_ESP */
2095 #ifdef CONFIG_IPSEC_IPIP
2097 headroom += sizeof(struct iphdr);
2099 #endif /* !CONFIG_IPSEC_IPIP */
2100 #ifdef CONFIG_IPSEC_IPCOMP
2103 #endif /* CONFIG_IPSEC_IPCOMP */
2106 spin_lock (&tdb_lock);
2107 delXmitDesc_from_salist(tdbp, pXmitDesc);
2108 spin_unlock (&tdb_lock);
2112 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2113 "klips_debug:ipsec_tunnel_start_xmit: "
2114 "pushing %d bytes, putting %d, proto %d.\n",
2115 headroom, tailroom, tdbp->tdb_said.proto);
2116 if(skb_headroom(skb) < headroom) {
2118 "klips_error:ipsec_tunnel_start_xmit: "
2119 "tried to skb_push headroom=%d, %d available. This should never happen, please report.\n",
2120 headroom, skb_headroom(skb));
2122 spin_lock (&tdb_lock);
2123 delXmitDesc_from_salist(tdbp, pXmitDesc);
2124 spin_unlock (&tdb_lock);
2127 dat = skb_push(skb, headroom);
2129 if(skb_tailroom(skb) < tailroom) {
2131 "klips_error:ipsec_tunnel_start_xmit: "
2132 "tried to skb_put %d, %d available. This should never happen, please report.\n",
2133 tailroom, skb_tailroom(skb));
2135 spin_lock (&tdb_lock);
2136 delXmitDesc_from_salist(tdbp, pXmitDesc);
2137 spin_unlock (&tdb_lock);
2140 skb_put(skb, tailroom);
2141 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2142 "klips_debug:ipsec_tunnel_start_xmit: "
2143 "head,tailroom: %d,%d before xform.\n",
2144 skb_headroom(skb), skb_tailroom(skb));
2147 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
2148 "tot_len (%d) > 65520. This should never happen, please report.\n",
2151 spin_lock (&tdb_lock);
2152 delXmitDesc_from_salist(tdbp, pXmitDesc);
2153 spin_unlock (&tdb_lock);
2156 memmove((void *)dat, (void *)(dat + headroom), iphlen);
2157 iph = (struct iphdr *)dat;
2158 iph->tot_len = htons(skb->len);
2160 switch(tdbp->tdb_said.proto) {
2161 #ifdef CONFIG_IPSEC_ESP
2163 espp = (struct esp *)(dat + iphlen);
2164 ivlen = tdbp->ips_iv_size;
2165 /* Get IV location pointer in payload - after ESP header */
2166 ivp = (char *) espp + sizeof (struct esp);
2167 espp->esp_spi = tdbp->tdb_said.spi;
2169 spin_lock(&tdb_lock);
2170 espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
2171 spin_unlock(&tdb_lock);
2173 switch(tdbp->tdb_encalg) {
2174 #ifdef CONFIG_IPSEC_ENC_DES
2176 #endif /* CONFIG_IPSEC_ENC_DES */
2177 #ifdef CONFIG_IPSEC_ENC_3DES
2179 /* To support multiple request from the same TDB at the same
2180 * time, chaining of IV from previous cipher block could not
2181 * be used. Thus random IV is generated per each packet */
2182 for (i = 0; i < ivlen; i++)
2184 iv[i] = (jiffies % 0xff) + i;
2186 memcpy (ivp, iv, ivlen);
2188 #endif /* CONFIG_IPSEC_ENC_3DES */
2189 #ifdef CONFIG_IPSEC_ALG
2191 /* To support multiple request from the same TDB at the same
2192 * time, chaining of IV from previous cipher block could not
2193 * be used. Thus random IV is generated per each packet */
2194 for (i = 0; i < ivlen; i++)
2196 iv[i] = (jiffies % 0xff) + i;
2198 memcpy (ivp, iv, ivlen);
2200 #endif /* CONFIG_IPSEC_ALG */
2203 spin_lock (&tdb_lock);
2204 delXmitDesc_from_salist(tdbp, pXmitDesc);
2205 spin_unlock (&tdb_lock);
2209 /* set offset for crypto perform */
2210 crypt_start_offset = iphlen + headroom;
2211 crypt_data_len = len - (iphlen + headroom + authlen);
2212 auth_start_offset = iphlen;
2213 auth_data_len = len - (iphlen + authlen);
2214 icv_offset = len - authlen;
2216 /* Self-describing padding */
2217 pad = &dat[len - tailroom];
2218 padlen = tailroom - 2 - authlen;
2219 for (i = 0; i < padlen; i++) {
2222 dat[len - authlen - 2] = padlen;
2224 dat[len - authlen - 1] = iph->protocol;
2225 iph->protocol = IPPROTO_ESP;
2228 skb->h.raw = (unsigned char*)espp;
2231 #endif /* !CONFIG_IPSEC_ESP */
2232 #ifdef CONFIG_IPSEC_AH
2234 ahp = (struct ah *)(dat + iphlen);
2235 ahp->ah_spi = tdbp->tdb_said.spi;
2236 spin_lock(&tdb_lock);
2237 ahp->ah_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
2238 spin_unlock(&tdb_lock);
2240 ahp->ah_nh = iph->protocol;
2241 ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32);
2242 iph->protocol = IPPROTO_AH;
2243 memset (&(ahp->ah_data[0]), 0, (AHHMAC_HASHLEN * sizeof(__u8)));
2245 dmp("ahp", (char*)ahp, sizeof(*ahp));
2247 /* Keep a copy of the original IP, modify iph to handle mutable fields */
2248 pXmitDesc->ip_tos = iph->tos;
2249 pXmitDesc->ip_frag_off = iph->frag_off;
2250 pXmitDesc->ip_ttl = iph->ttl;
2256 dmp("iph", (char*)&iph, sizeof(iph));
2258 /* set offset for crypto perform */
2259 auth_start_offset = 0;
2260 auth_data_len = len;
2261 icv_offset = iphlen + AUTH_DATA_IN_AH_OFFSET;
2263 /* Error checking */
2264 if ((tdbp->tdb_authalg != AH_MD5) && (tdbp->tdb_authalg != AH_SHA))
2267 spin_lock (&tdb_lock);
2268 delXmitDesc_from_salist(tdbp, pXmitDesc);
2269 spin_unlock (&tdb_lock);
2273 skb->h.raw = (unsigned char*)ahp;
2276 #endif /* CONFIG_IPSEC_AH */
2277 #ifdef CONFIG_IPSEC_IPIP
2280 switch(sysctl_ipsec_tos) {
2283 iph->tos = skb->nh.iph->tos;
2285 iph->tos = skb->ip_hdr->tos;
2296 iph->ttl = sysctl_ip_default_ttl;
2297 #else /* NETDEV_23 */
2298 iph->ttl = ip_statistics.IpDefaultTTL;
2299 #endif /* NETDEV_23 */
2301 iph->ttl = 64; /* ip_statistics.IpDefaultTTL; */
2304 iph->saddr = ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr;
2305 iph->daddr = ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr;
2306 iph->protocol = IPPROTO_IPIP;
2307 iph->ihl = sizeof(struct iphdr) >> 2 /* 5 */;
2308 #ifdef IP_SELECT_IDENT
2309 /* XXX use of skb->dst below is a questionable
2310 substitute for &rt->u.dst which is only
2311 available later-on */
2312 #ifdef IP_SELECT_IDENT_NEW
2313 ip_select_ident(iph, skb->dst, NULL);
2314 #else /* IP_SELECT_IDENT_NEW */
2315 ip_select_ident(iph, skb->dst);
2316 #endif /* IP_SELECT_IDENT_NEW */
2317 #else /* IP_SELECT_IDENT */
2318 iph->id = htons(ip_id_count++); /* Race condition here? */
2319 #endif /* IP_SELECT_IDENT */
2321 newdst = (__u32)iph->daddr;
2322 newsrc = (__u32)iph->saddr;
2325 skb->h.ipiph = skb->nh.iph;
2329 #endif /* !CONFIG_IPSEC_IPIP */
2330 #ifdef CONFIG_IPSEC_IPCOMP
2333 unsigned int flags = 0;
2334 #ifdef CONFIG_IPSEC_DEBUG
2335 unsigned int old_tot_len = ntohs(iph->tot_len);
2336 #endif /* CONFIG_IPSEC_DEBUG */
2338 spin_lock(&tdb_lock);
2339 tdbp->tdb_comp_ratio_dbytes += ntohs(iph->tot_len);
2341 skb = skb_compress(skb, tdbp, &flags);
2349 tdbp->tdb_comp_ratio_cbytes += ntohs(iph->tot_len);
2350 spin_unlock(&tdb_lock);
2351 #ifdef CONFIG_IPSEC_DEBUG
2352 if (debug_tunnel & DB_TN_CROUT)
2354 if (old_tot_len > ntohs(iph->tot_len))
2355 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2356 "klips_debug:ipsec_tunnel_start_xmit: "
2357 "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
2358 old_tot_len, ntohs(iph->tot_len),
2359 ntohs(((struct ipcomphdr*)(((char*)iph) + ((iph->ihl) << 2)))->ipcomp_cpi),
2360 ntohl(tdbp->tdb_said.spi),
2361 (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff));
2363 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2364 "klips_debug:ipsec_tunnel_start_xmit: "
2365 "packet did not compress (flags = %d).\n",
2368 #endif /* CONFIG_IPSEC_DEBUG */
2371 #endif /* CONFIG_IPSEC_IPCOMP */
2377 /*IXP425 glue code : crypto perform */
2378 #if defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)
2379 if ((tdbp->tdb_said.proto == IPPROTO_AH) || (tdbp->tdb_said.proto == IPPROTO_ESP))
2381 /* Get mbuf from pool */
2382 if(IPSEC_GLUE_STATUS_SUCCESS != ipsec_glue_mbuf_header_get(&src_mbuf))
2384 KLIPS_PRINT(debug_tunnel,
2385 "klips_debug:ipsec_tunnel_start_xmit: "
2386 "running out of mbufs, dropped\n");
2391 /* attach mbuf to sk_buff */
2392 mbuf_swap_skb(src_mbuf, skb);
2394 /* store xmit desc in mbuf */
2395 (IpsecXmitDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (src_mbuf) = pXmitDesc;
2397 if (IX_CRYPTO_ACC_STATUS_SUCCESS != ixCryptoAccAuthCryptPerform (
2398 tdbp->ips_crypto_context_id,
2408 KLIPS_PRINT(debug_tunnel,
2409 "klips_debug:ipsec_tunnel_start_xmit: "
2410 "warning, encapsulation of packet cannot be started\n");
2413 ipsec_glue_mbuf_header_rel(src_mbuf);
2419 } /* end of if ((tdbp->tdb_said.proto == IPPROTO_AH)
2420 || (tdbp->tdb_said.proto == IPPROTO_ESP)) */
2421 #endif /* defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)*/
2424 skb->nh.raw = skb->data;
2426 skb->ip_hdr = skb->h.iph = (struct iphdr *) skb->data;
2429 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
2431 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2432 "klips_debug:ipsec_tunnel_start_xmit: "
2433 "after <%s%s%s>, SA:%s:\n",
2434 IPS_XFORM_NAME(tdbp),
2435 sa_len ? sa : " (error)");
2436 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
2437 spin_lock (&tdb_lock);
2438 tdbp->ips_life.ipl_bytes.ipl_count += len;
2439 tdbp->ips_life.ipl_bytes.ipl_last = len;
2441 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
2442 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
2444 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
2445 tdbp->ips_life.ipl_packets.ipl_count++;
2447 delXmitDesc_from_salist(tdbp, pXmitDesc);
2448 spin_unlock (&tdb_lock);
2450 tdbp = tdbp->ips_onext;
2451 /* store current tdbp into xmit desc */
2452 pXmitDesc->tdbp = tdbp;
2454 } /* end encapsulation loop here XXX */
2456 (pXmitDesc->matcher).sen_ip_src.s_addr = iph->saddr;
2457 (pXmitDesc->matcher).sen_ip_dst.s_addr = iph->daddr;
2458 spin_lock(&eroute_lock);
2459 er = ipsec_findroute(&(pXmitDesc->matcher));
2461 (pXmitDesc->outgoing_said) = er->er_said;
2462 pXmitDesc->eroute_pid = er->er_pid;
2464 er->er_lasttime = jiffies/HZ;
2466 spin_unlock(&eroute_lock);
2467 KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
2468 /* ((orgdst != newdst) || (orgsrc != newsrc)) */
2469 (pXmitDesc->orgedst != (pXmitDesc->outgoing_said).dst.s_addr) &&
2470 (pXmitDesc->outgoing_said).dst.s_addr &&
2472 "klips_debug:ipsec_tunnel_start_xmit: "
2473 "We are recursing here.\n");
2475 }/* end of edest processing */
2477 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2478 "klips_debug:ipsec_tunnel_start_xmit: "
2479 "After recursive xforms -- head,tailroom: %d,%d\n",
2480 skb_headroom(skb), skb_tailroom(skb));
2482 if(pXmitDesc->saved_header) {
2483 if(skb_headroom(skb) < pXmitDesc->hard_header_len) {
2485 "klips_error:ipsec_tunnel_start_xmit: "
2486 "tried to skb_push hhlen=%d, %d available. "
2487 "This should never happen, please report.\n",
2488 pXmitDesc->hard_header_len, skb_headroom(skb));
2492 skb_push(skb, pXmitDesc->hard_header_len);
2493 for (i = 0; i < pXmitDesc->hard_header_len; i++) {
2494 skb->data[i] = pXmitDesc->saved_header[i];
2497 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2498 if (natt_type && natt_head) {
2499 struct iphdr *ipp = skb->nh.iph;
2501 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2502 "klips_debug:ipsec_tunnel_start_xmit: "
2503 "encapsuling packet into UDP (NAT-Traversal)\n");
2504 iphlen = ipp->ihl << 2;
2506 htons(ntohs(ipp->tot_len) + natt_head);
2507 if(skb_tailroom(skb) < natt_head) {
2508 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
2509 "tried to skb_put %d, %d available. "
2510 "This should never happen, please report.\n",
2516 skb_put(skb, natt_head);
2517 udp = (struct udphdr *)((char *)ipp + iphlen);
2518 /* move ESP hdr after UDP hdr */
2519 memmove((void *)((char *)udp + natt_head),
2521 ntohs(ipp->tot_len) - iphlen - natt_head);
2522 /* clear UDP & Non-IKE Markers (if any) */
2523 memset(udp, 0, natt_head);
2524 /* fill UDP with usefull informations ;-) */
2525 udp->source = htons(natt_sport);
2526 udp->dest = htons(natt_dport);
2527 udp->len = htons(ntohs(ipp->tot_len) - iphlen);
2529 ipp->protocol = IPPROTO_UDP;
2530 /* fix IP checksum */
2532 ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
2536 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
2537 "klips_debug:ipsec_tunnel_start_xmit: "
2538 "With hard_header, final head,tailroom: %d,%d\n",
2539 skb_headroom(skb), skb_tailroom(skb));
2541 #ifdef NET_21 /* 2.2 and 2.4 kernels */
2542 /* new route/dst cache code from James Morris */
2544 /*skb_orphan(skb);*/
2545 if((error = ip_route_output(&rt,
2547 pXmitDesc->pass ? 0 : skb->nh.iph->saddr,
2548 RT_TOS(skb->nh.iph->tos),
2549 physdev->iflink /* rgb: should this be 0? */))) {
2551 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2552 "klips_debug:ipsec_tunnel_start_xmit: "
2553 "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
2555 rt->u.dst.dev->name);
2558 if(dev == rt->u.dst.dev) {
2560 /* This is recursion, drop it. */
2562 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2563 "klips_debug:ipsec_tunnel_start_xmit: "
2564 "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n", dev->name);
2567 dst_release(skb->dst);
2568 skb->dst = &rt->u.dst;
2569 stats->tx_bytes += skb->len;
2570 if(skb->len < skb->nh.raw - skb->data) {
2573 "klips_error:ipsec_tunnel_start_xmit: "
2574 "tried to __skb_pull nh-data=%d, %d available. This should never happen, please report.\n",
2575 skb->nh.raw - skb->data, skb->len);
2578 __skb_pull(skb, skb->nh.raw - skb->data);
2579 #ifdef SKB_RESET_NFCT
2580 nf_conntrack_put(skb->nfct);
2582 #ifdef CONFIG_NETFILTER_DEBUG
2584 #endif /* CONFIG_NETFILTER_DEBUG */
2585 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
2586 nf_bridge_put(skb->nf_bridge);
2587 skb->nf_bridge = NULL;
2589 #endif /* SKB_RESET_NFCT */
2590 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2591 "klips_debug:ipsec_tunnel_start_xmit: "
2592 "...done, 2 calling ip_send() on device:%s\n",
2593 skb->dev ? skb->dev->name : "NULL");
2594 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, skb->nh.iph);
2595 #ifdef NETDEV_23 /* 2.4 kernels */
2599 err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
2600 ipsec_tunnel_xmit2);
2601 if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
2604 "klips_error:ipsec_tunnel_start_xmit: "
2605 "ip_send() failed, err=%d\n",
2608 stats->tx_aborted_errors++;
2613 #else /* NETDEV_23 */ /* 2.2 kernels */
2615 #endif /* NETDEV_23 */
2616 #else /* NET_21 */ /* 2.0 kernels */
2618 /* ISDN/ASYNC PPP from Matjaz Godec. */
2619 /* skb->protocol = htons(ETH_P_IP); */
2620 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2621 "klips_debug:ipsec_tunnel_start_xmit: "
2622 "...done, calling dev_queue_xmit() or ip_fragment().\n");
2623 IP_SEND(skb, physdev);
2625 stats->tx_packets++;
2631 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
2632 netif_wake_queue(pXmitDesc->dev);
2633 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
2634 (pXmitDesc->dev)->tbusy = 0;
2635 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
2636 if(pXmitDesc->saved_header) {
2637 kfree(pXmitDesc->saved_header);
2639 if(pXmitDesc->oskb) {
2640 dev_kfree_skb(pXmitDesc->oskb, FREE_WRITE);
2642 if ((pXmitDesc->tdb).tdb_ident_s.data) {
2643 kfree((pXmitDesc->tdb).tdb_ident_s.data);
2645 if ((pXmitDesc->tdb).tdb_ident_d.data) {
2646 kfree((pXmitDesc->tdb).tdb_ident_d.data);
2649 ipsec_glue_xmit_desc_release (pXmitDesc);
2653 dev_kfree_skb(skb, FREE_WRITE);
2659 * This function assumes it is being called from dev_queue_xmit()
2660 * and that skb is filled properly by that function.
2664 ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
2666 struct ipsecpriv *prv; /* Our device' private space */
2667 struct net_device_stats *stats; /* This device's statistics */
2668 struct iphdr *iph; /* Our new IP header */
2669 __u32 newdst; /* The other SG's IP address */
2670 __u32 orgdst; /* Original IP destination address */
2671 __u32 newsrc; /* The new source SG's IP address */
2672 __u32 orgsrc; /* Original IP source address */
2673 __u32 innersrc; /* Innermost IP source address */
2674 int iphlen; /* IP header length */
2675 int pyldsz; /* upper protocol payload size */
2678 int max_headroom = 0; /* The extra header space needed */
2679 int max_tailroom = 0; /* The extra stuffing needed */
2680 int ll_headroom; /* The extra link layer hard_header space needed */
2682 unsigned short sport,dport;
2685 struct ipsec_sa *tdbp, *tdbq; /* Tunnel Descriptor Block pointers */
2688 int hard_header_stripped = 0; /* has the hard header been removed yet? */
2690 struct device *physdev;
2691 /* struct device *virtdev; */
2695 struct rtable *rt = NULL;
2699 /* IXP425 glue code */
2700 unsigned int auth_start_offset = 0;
2701 unsigned int auth_data_len = 0;
2702 unsigned int crypt_start_offset = 0;
2703 unsigned int crypt_data_len = 0;
2704 unsigned int icv_offset = 0;
2706 IpsecXmitDesc *pXmitDesc = NULL;
2707 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2708 uint8_t natt_type = 0, natt_head = 0;
2709 uint16_t natt_sport = 0, natt_dport = 0;
2714 * Return if there is nothing to do. (Does this ever happen?) XXX
2717 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2718 "klips_error:ipsec_tunnel_start_xmit: "
2719 "Nothing to do!\n" );
2723 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2724 "klips_error:ipsec_tunnel_start_xmit: "
2725 "No device associated with skb!\n" );
2731 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2732 "klips_error:ipsec_tunnel_start_xmit: "
2733 "Device has no private structure!\n" );
2738 if (physdev == NULL) {
2739 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2740 "klips_error:ipsec_tunnel_start_xmit: "
2741 "Device is not attached to physical device!\n" );
2745 physmtu = physdev->mtu;
2747 stats = (struct net_device_stats *) &(prv->mystats);
2750 /* if skb was cloned (most likely due to a packet sniffer such as
2751 tcpdump being momentarily attached to the interface), make
2752 a copy of our own to modify */
2753 if(skb_cloned(skb)) {
2756 (skb_cow(skb, skb_headroom(skb)) != 0)
2757 #else /* SKB_COW_NEW */
2758 ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
2759 #endif /* SKB_COW_NEW */
2761 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2762 "klips_error:ipsec_tunnel_start_xmit: "
2763 "skb_cow failed to allocate buffer, dropping.\n" );
2764 stats->tx_dropped++;
2771 if (ipsec_glue_xmit_desc_get(&pXmitDesc) != IPSEC_GLUE_STATUS_SUCCESS)
2777 kfree_skb(skb, FREE_WRITE);
2785 /* store dev pointer */
2786 pXmitDesc->dev = dev;
2794 /* sanity check for IP version as we can't handle IPv6 right now */
2795 if (iph->version != 4) {
2796 KLIPS_PRINT(debug_tunnel,
2797 "klips_debug:ipsec_tunnel_start_xmit: "
2798 "found IP Version %d but cannot process other IP versions than v4.\n",
2799 iph->version); /* XXX */
2800 stats->tx_dropped++;
2804 /* physdev->hard_header_len is unreliable and should not be used */
2805 pXmitDesc->hard_header_len = (unsigned char *)iph - skb->data;
2807 if(pXmitDesc->hard_header_len < 0) {
2808 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2809 "klips_error:ipsec_tunnel_start_xmit: "
2810 "Negative hard_header_len (%d)?!\n", pXmitDesc->hard_header_len);
2811 stats->tx_dropped++;
2815 if(pXmitDesc->hard_header_len == 0) { /* no hard header present */
2816 hard_header_stripped = 1;
2819 #ifdef CONFIG_IPSEC_DEBUG
2820 if (debug_tunnel & DB_TN_XMIT) {
2823 printk(KERN_INFO "klips_debug:ipsec_tunnel_start_xmit: "
2824 ">>> skb->len=%ld hard_header_len:%d",
2825 (unsigned long int)skb->len, pXmitDesc->hard_header_len);
2828 #endif /* CONFIG_IPSEC_DEBUG */
2830 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
2836 if ((iph->ihl << 2) != sizeof (struct iphdr)) {
2837 KLIPS_PRINT(debug_tunnel,
2838 "klips_debug:ipsec_tunnel_start_xmit: "
2839 "cannot process IP header options yet. May be mal-formed packet.\n"); /* XXX */
2840 stats->tx_dropped++;
2845 /* TTL decrement code (on the way out!) borrowed from ip_forward.c */
2847 unsigned long checksum = iph->check;
2850 * Re-compute the IP header checksum.
2851 * This is efficient. We know what has happened to the header
2852 * and can thus adjust the checksum as Phil Karn does in KA9Q
2853 * except we do this in "network byte order".
2855 checksum += htons(0x0100);
2856 /* carry overflow? */
2857 checksum += checksum >> 16;
2858 iph->check = checksum;
2860 if (iph->ttl <= 0) {
2861 /* Tell the sender its packet died... */
2862 ICMP_SEND(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, physdev);
2864 KLIPS_PRINT(debug_tunnel, "klips_debug:ipsec_tunnel_start_xmit: "
2865 "TTL=0, too many hops!\n");
2866 stats->tx_dropped++;
2869 #endif /* !NET_21 */
2872 * First things first -- look us up in the erouting tables.
2874 (pXmitDesc->matcher).sen_len = sizeof (struct sockaddr_encap);
2875 (pXmitDesc->matcher).sen_family = AF_ENCAP;
2876 (pXmitDesc->matcher).sen_type = SENT_IP4;
2877 (pXmitDesc->matcher).sen_ip_src.s_addr = iph->saddr;
2878 (pXmitDesc->matcher).sen_ip_dst.s_addr = iph->daddr;
2881 * The spinlock is to prevent any other process from accessing or deleting
2882 * the eroute while we are using and updating it.
2884 spin_lock(&eroute_lock);
2886 er = ipsec_findroute(&(pXmitDesc->matcher));
2888 if(iph->protocol == IPPROTO_UDP) {
2890 sport=ntohs(skb->sk->sport);
2891 dport=ntohs(skb->sk->dport);
2892 } else if((ntohs(iph->frag_off) & IP_OFFSET) == 0 &&
2893 iph->ihl << 2 > sizeof(struct iphdr) + sizeof(struct udphdr)) {
2894 sport=ntohs(((struct udphdr*)((caddr_t)iph+(iph->ihl<<2)))->source);
2895 dport=ntohs(((struct udphdr*)((caddr_t)iph + (iph->ihl<<2)))->dest);
2901 /* default to a %drop eroute */
2902 (pXmitDesc->outgoing_said).proto = IPPROTO_INT;
2903 (pXmitDesc->outgoing_said).spi = htonl(SPI_DROP);
2904 (pXmitDesc->outgoing_said).dst.s_addr = INADDR_ANY;
2905 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2906 "klips_debug:ipsec_tunnel_start_xmit: "
2907 "checking for local udp/500 IKE packet "
2908 "saddr=%x, er=%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
2909 ntohl((unsigned int)iph->saddr),
2911 ntohl((unsigned int)iph->daddr),
2912 er ? ntohl((unsigned int)er->er_said.dst.s_addr) : 0,
2918 * Quick cheat for now...are we udp/500? If so, let it through
2919 * without interference since it is most likely an IKE packet.
2922 if (ip_chk_addr((unsigned long)iph->saddr) == IS_MYADDR
2924 || iph->daddr == er->er_said.dst.s_addr
2925 || INADDR_ANY == er->er_said.dst.s_addr)
2926 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
2927 && ((sport == 500) || (sport == 4500))
2932 /* Whatever the eroute, this is an IKE message
2933 * from us (i.e. not being forwarded).
2934 * Furthermore, if there is a tunnel eroute,
2935 * the destination is the peer for this eroute.
2936 * So %pass the packet: modify the default %drop.
2938 (pXmitDesc->outgoing_said).spi = htonl(SPI_PASS);
2939 if(!(skb->sk) && ((ntohs(iph->frag_off) & IP_MF) != 0)) {
2940 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2941 "klips_debug:ipsec_tunnel_start_xmit: "
2942 "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
2946 er->er_lasttime = jiffies/HZ;
2947 if(er->er_said.proto==IPPROTO_INT
2948 && er->er_said.spi==htonl(SPI_HOLD)) {
2949 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
2950 "klips_debug:ipsec_tunnel_start_xmit: "
2951 "shunt SA of HOLD: skb stored in HOLD.\n");
2952 if(er->er_last != NULL) {
2953 kfree_skb(er->er_last);
2957 stats->tx_dropped++;
2958 spin_unlock(&eroute_lock);
2961 pXmitDesc->outgoing_said = er->er_said;
2962 pXmitDesc->eroute_pid = er->er_pid;
2963 /* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
2964 if((pXmitDesc->outgoing_said).proto==IPPROTO_INT
2965 && ((pXmitDesc->outgoing_said).spi==htonl(SPI_TRAP)
2966 || ((pXmitDesc->outgoing_said).spi==htonl(SPI_TRAPSUBNET)))) {
2969 (pXmitDesc->tdb).tdb_ident_s.type = er->er_ident_s.type;
2970 (pXmitDesc->tdb).tdb_ident_s.id = er->er_ident_s.id;
2971 (pXmitDesc->tdb).tdb_ident_s.len = er->er_ident_s.len;
2972 if ((pXmitDesc->tdb).tdb_ident_s.len) {
2973 len = (pXmitDesc->tdb).tdb_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
2974 if (((pXmitDesc->tdb).tdb_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
2975 printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
2976 "Failed, tried to allocate %d bytes for source ident.\n",
2978 stats->tx_dropped++;
2979 spin_unlock(&eroute_lock);
2982 memcpy((pXmitDesc->tdb).tdb_ident_s.data, er->er_ident_s.data, len);
2984 (pXmitDesc->tdb).tdb_ident_d.type = er->er_ident_d.type;
2985 (pXmitDesc->tdb).tdb_ident_d.id = er->er_ident_d.id;
2986 (pXmitDesc->tdb).tdb_ident_d.len = er->er_ident_d.len;
2987 if ((pXmitDesc->tdb).tdb_ident_d.len) {
2988 len = (pXmitDesc->tdb).tdb_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
2989 if (((pXmitDesc->tdb).tdb_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
2990 printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
2991 "Failed, tried to allocate %d bytes for dest ident.\n",
2993 stats->tx_dropped++;
2994 spin_unlock(&eroute_lock);
2997 memcpy((pXmitDesc->tdb).tdb_ident_d.data, er->er_ident_d.data, len);
3002 spin_unlock(&eroute_lock);
3004 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3005 "klips_debug:ipsec_tunnel_start_xmit: "
3006 "Original head,tailroom: %d,%d\n",
3007 skb_headroom(skb), skb_tailroom(skb));
3009 innersrc = iph->saddr;
3011 /* start encapsulation loop here XXX */
3013 struct ipsec_sa *tdbprev = NULL;
3015 newdst = orgdst = iph->daddr;
3016 newsrc = orgsrc = iph->saddr;
3017 pXmitDesc->orgedst = (pXmitDesc->outgoing_said).dst.s_addr;
3018 iphlen = iph->ihl << 2;
3019 pyldsz = ntohs(iph->tot_len) - iphlen;
3020 max_headroom = max_tailroom = 0;
3022 if ((pXmitDesc->outgoing_said).proto == IPPROTO_INT) {
3023 switch (ntohl((pXmitDesc->outgoing_said).spi)) {
3025 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3026 "klips_debug:ipsec_tunnel_start_xmit: "
3027 "shunt SA of DROP or no eroute: dropping.\n");
3028 stats->tx_dropped++;
3032 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3033 "klips_debug:ipsec_tunnel_start_xmit: "
3034 "shunt SA of REJECT: notifying and dropping.\n");
3040 stats->tx_dropped++;
3045 pXmitDesc->pass = 1;
3047 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3048 "klips_debug:ipsec_tunnel_start_xmit: "
3049 "PASS: calling dev_queue_xmit\n");
3052 #if 1 /* now moved up to finderoute so we don't need to lock it longer */
3054 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3055 "klips_debug:ipsec_tunnel_start_xmit: "
3056 "shunt SA of HOLD: this does not make sense here, dropping.\n");
3057 stats->tx_dropped++;
3061 case SPI_TRAPSUBNET:
3062 stats->tx_dropped++;
3064 /* XXX what do we do with an unknown shunt spi? */
3066 } /* switch (ntohl((pXmitDesc->outgoing_said).spi)) */
3068 } /* if ((pXmitDesc->outgoing_said).proto == IPPROTO_INT) */
3070 tdbp = ipsec_sa_getbyid(&(pXmitDesc->outgoing_said));
3071 /* store current tdbp into xmit desc */
3072 pXmitDesc->tdbp = tdbp;
3073 sa_len = satoa((pXmitDesc->outgoing_said), 0, sa, SATOA_BUF);
3076 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3077 "klips_debug:ipsec_tunnel_start_xmit: "
3078 "no Tunnel Descriptor Block for SA%s: outgoing packet with no SA, dropped.\n",
3079 sa_len ? sa : " (error)");
3080 stats->tx_dropped++;
3084 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3085 "klips_debug:ipsec_tunnel_start_xmit: "
3086 "found Tunnel Descriptor Block -- SA:<%s%s%s> %s\n",
3087 IPS_XFORM_NAME(tdbp),
3088 sa_len ? sa : " (error)");
3091 * How much headroom do we need to be able to apply
3092 * all the grouped transforms?
3094 tdbq = tdbp; /* save the head of the tdb chain */
3095 spin_lock(&tdb_lock);
3098 addXmitDesc_to_salist(tdbp, pXmitDesc);
3099 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
3101 strcpy(sa, "(error)");
3104 /* If it is in larval state, drop the packet, we cannot process yet. */
3105 if(tdbp->tdb_state == SADB_SASTATE_LARVAL) {
3106 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3107 "klips_debug:ipsec_tunnel_start_xmit: "
3108 "TDB in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
3109 IPS_XFORM_NAME(tdbp),
3110 sa_len ? sa : " (error)");
3111 delXmitDesc_from_salist(tdbp, pXmitDesc);
3112 spin_unlock(&tdb_lock);
3117 if(tdbp->tdb_state == SADB_SASTATE_DEAD) {
3118 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3119 "klips_debug:ipsec_tunnel_start_xmit: "
3120 "TDB in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
3121 IPS_XFORM_NAME(tdbp),
3122 sa_len ? sa : " (error)");
3123 delXmitDesc_from_salist(tdbp, pXmitDesc);
3125 if(tdbp->ips_teardown_initiated == 1)
3126 ipsec_sa_delchain(tdbp);
3127 spin_unlock(&tdb_lock);
3131 /* If the replay window counter == -1, expire SA, it will roll */
3132 if(tdbp->tdb_replaywin && tdbp->tdb_replaywin_lastseq == -1) {
3133 pfkey_expire(tdbp, 1);
3134 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
3135 "klips_debug:ipsec_tunnel_start_xmit: "
3136 "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
3137 IPS_XFORM_NAME(tdbp),
3138 sa_len ? sa : " (error)");
3139 delXmitDesc_from_salist(tdbp, pXmitDesc);
3140 ipsec_sa_delchain(tdbp);
3141 spin_unlock(&tdb_lock);
3147 * if this is the first time we are using this SA, mark start time,
3148 * and offset hard/soft counters by "now" for later checking.
3151 if(tdbp->ips_life.ipl_usetime.count == 0) {
3152 tdbp->ips_life.ipl_usetime.count = jiffies;
3153 tdbp->ips_life.ipl_usetime.hard += jiffies;
3154 tdbp->ips_life.ipl_usetime.soft += jiffies;
3159 if(ipsec_lifetime_check(&tdbp->ips_life.ipl_bytes, "bytes", sa,
3160 ipsec_life_countbased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
3161 ipsec_lifetime_check(&tdbp->ips_life.ipl_addtime, "addtime",sa,
3162 ipsec_life_timebased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
3163 ipsec_lifetime_check(&tdbp->ips_life.ipl_usetime, "usetime",sa,
3164 ipsec_life_timebased, ipsec_outgoing, tdbp) == ipsec_life_harddied ||
3165 ipsec_lifetime_check(&tdbp->ips_life.ipl_packets, "packets",sa,
3166 ipsec_life_countbased, ipsec_outgoing, tdbp) == ipsec_life_harddied) {
3167 delXmitDesc_from_salist(tdbp, pXmitDesc);
3169 ipsec_sa_delchain(tdbp);
3170 spin_unlock(&tdb_lock);
3175 headroom = tailroom = 0;
3176 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3177 "klips_debug:ipsec_tunnel_start_xmit: "
3178 "calling room for <%s%s%s>, SA:%s\n",
3179 IPS_XFORM_NAME(tdbp),
3180 sa_len ? sa : " (error)");
3181 switch(tdbp->tdb_said.proto) {
3182 #ifdef CONFIG_IPSEC_AH
3184 headroom += sizeof(struct ah);
3186 #endif /* CONFIG_IPSEC_AH */
3187 #ifdef CONFIG_IPSEC_ESP
3189 switch(tdbp->tdb_encalg) {
3190 #ifdef CONFIG_IPSEC_ENC_DES
3192 #endif /* CONFIG_IPSEC_ENC_DES */
3193 #ifdef CONFIG_IPSEC_ENC_3DES
3195 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
3197 #endif /* CONFIG_IPSEC_ENC_3DES */
3198 #ifdef CONFIG_IPSEC_ALG
3200 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
3202 #endif /* CONFIG_IPSEC_ALG */
3204 delXmitDesc_from_salist(tdbp, pXmitDesc);
3205 spin_unlock(&tdb_lock);
3209 switch(tdbp->tdb_authalg) {
3210 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
3212 tailroom += AHHMAC_HASHLEN;
3214 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
3215 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
3217 tailroom += AHHMAC_HASHLEN;
3219 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
3223 delXmitDesc_from_salist(tdbp, pXmitDesc);
3224 spin_unlock(&tdb_lock);
3228 tailroom += ((tdbp->ips_enc_blksize - ((pyldsz + 2 * sizeof(unsigned char))
3229 % tdbp->ips_enc_blksize)) % tdbp->ips_enc_blksize) + 2;
3230 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3231 if ((tdbp->ips_natt_type) && (!natt_type)) {
3232 natt_type = tdbp->ips_natt_type;
3233 natt_sport = tdbp->ips_natt_sport;
3234 natt_dport = tdbp->ips_natt_dport;
3235 switch (natt_type) {
3236 case ESPINUDP_WITH_NON_IKE:
3237 natt_head = sizeof(struct udphdr)+(2*sizeof(__u32));
3239 case ESPINUDP_WITH_NON_ESP:
3240 natt_head = sizeof(struct udphdr);
3246 tailroom += natt_head;
3250 #endif /* !CONFIG_IPSEC_ESP */
3251 #ifdef CONFIG_IPSEC_IPIP
3253 headroom += sizeof(struct iphdr);
3255 #endif /* !CONFIG_IPSEC_IPIP */
3257 #ifdef CONFIG_IPSEC_IPCOMP
3259 We can't predict how much the packet will
3260 shrink without doing the actual compression.
3261 We could do it here, if we were the first
3262 encapsulation in the chain. That might save
3263 us a skb_copy_expand, since we might fit
3264 into the existing skb then. However, this
3265 would be a bit unclean (and this hack has
3266 bit us once), so we better not do it. After
3267 all, the skb_copy_expand is cheap in
3268 comparison to the actual compression.
3269 At least we know the packet will not grow.
3272 #endif /* CONFIG_IPSEC_IPCOMP */
3274 delXmitDesc_from_salist(tdbp, pXmitDesc);
3275 spin_unlock(&tdb_lock);
3279 delXmitDesc_from_salist(tdbp, pXmitDesc);
3280 tdbp = tdbp->tdb_onext;
3281 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3282 "klips_debug:ipsec_tunnel_start_xmit: "
3283 "Required head,tailroom: %d,%d\n",
3284 headroom, tailroom);
3285 max_headroom += headroom;
3286 max_tailroom += tailroom;
3287 pyldsz += (headroom + tailroom);
3290 spin_unlock(&tdb_lock);
3291 tdbp = tdbq; /* restore the head of the tdb chain */
3292 pXmitDesc->tdbp = tdbp;
3293 spin_lock(&tdb_lock);
3294 addXmitDesc_to_salist(tdbp, pXmitDesc);
3295 spin_unlock(&tdb_lock);
3297 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3298 "klips_debug:ipsec_tunnel_start_xmit: "
3299 "existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n",
3300 skb_headroom(skb), skb_tailroom(skb),
3301 max_headroom, max_tailroom);
3303 pXmitDesc->tot_headroom += max_headroom;
3304 pXmitDesc->tot_tailroom += max_tailroom;
3306 mtudiff = prv->mtu + pXmitDesc->tot_headroom + pXmitDesc->tot_tailroom - physmtu;
3308 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3309 "klips_debug:ipsec_tunnel_start_xmit: "
3310 "mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
3312 pXmitDesc->tot_headroom, pXmitDesc->tot_tailroom, mtudiff, ntohs(iph->tot_len));
3314 int newmtu = physmtu - (pXmitDesc->tot_headroom + ((pXmitDesc->tot_tailroom + 2) & ~7) + 5);
3316 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3317 "klips_info:ipsec_tunnel_start_xmit: "
3318 "dev %s mtu of %d decreased by %d to %d\n",
3326 skb->dst->pmtu = prv->mtu; /* RGB */
3330 dev->mtu = prv->mtu; /* RGB */
3336 If the sender is doing PMTU discovery, and the
3337 packet doesn't fit within prv->mtu, notify him
3338 (unless it was an ICMP packet, or it was not the
3339 zero-offset packet) and send it anyways.
3341 Note: buggy firewall configuration may prevent the
3342 ICMP packet from getting back.
3344 if(sysctl_ipsec_icmp
3345 && prv->mtu < ntohs(iph->tot_len)
3346 && (iph->frag_off & __constant_htons(IP_DF)) ) {
3347 int notify = iph->protocol != IPPROTO_ICMP
3348 && (iph->frag_off & __constant_htons(IP_OFFSET)) == 0;
3350 #ifdef IPSEC_obey_DF
3351 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3352 "klips_debug:ipsec_tunnel_start_xmit: "
3353 "fragmentation needed and DF set; %sdropping packet\n",
3354 notify ? "sending ICMP and " : "");
3362 spin_lock (&tdb_lock);
3363 delXmitDesc_from_salist(tdbp, pXmitDesc);
3364 spin_unlock (&tdb_lock);
3366 #else /* IPSEC_obey_DF */
3367 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3368 "klips_debug:ipsec_tunnel_start_xmit: "
3369 "fragmentation needed and DF set; %spassing packet\n",
3370 notify ? "sending ICMP and " : "");
3377 #endif /* IPSEC_obey_DF */
3382 * If this is a transport mode TCP packet with
3383 * SYN set, determine an effective MSS based on
3384 * AH/ESP overheads determined above.
3386 if (iph->protocol == IPPROTO_TCP
3387 && (pXmitDesc->outgoing_said).proto != IPPROTO_IPIP) {
3388 struct tcphdr *tcph = skb->h.th;
3389 if (tcph->syn && !tcph->ack) {
3390 if(!ipsec_adjust_mss(skb, tcph, prv->mtu)) {
3392 "klips_warning:ipsec_tunnel_start_xmit: "
3393 "ipsec_adjust_mss() failed\n");
3395 spin_lock (&tdb_lock);
3396 delXmitDesc_from_salist(tdbp, pXmitDesc);
3397 spin_unlock (&tdb_lock);
3402 #endif /* MSS_HACK */
3404 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
3405 if ((natt_type) && ((pXmitDesc->outgoing_said).proto != IPPROTO_IPIP)) {
3407 * NAT-Traversal and Transport Mode:
3408 * we need to correct TCP/UDP checksum
3410 * If we've got NAT-OA, we can fix checksum without recalculation.
3411 * If we don't we can zero udp checksum.
3413 __u32 natt_oa = tdbp->ips_natt_oa ?
3414 ((struct sockaddr_in*)(tdbp->ips_natt_oa))->sin_addr.s_addr : 0;
3415 __u16 pkt_len = skb->tail - (unsigned char *)iph;
3416 __u16 data_len = pkt_len - (iph->ihl << 2);
3417 switch (iph->protocol) {
3419 if (data_len >= sizeof(struct tcphdr)) {
3420 struct tcphdr *tcp = (struct tcphdr *)((__u32 *)iph+iph->ihl);
3422 __u32 buff[2] = { ~iph->daddr, natt_oa };
3423 KLIPS_PRINT(debug_tunnel,
3424 "klips_debug:ipsec_tunnel_start_xmit: "
3425 "NAT-T & TRANSPORT: "
3426 "fix TCP checksum using NAT-OA\n");
3427 tcp->check = csum_fold(
3428 csum_partial((unsigned char *)buff, sizeof(buff),
3429 tcp->check^0xffff));
3432 KLIPS_PRINT(debug_tunnel,
3433 "klips_debug:ipsec_tunnel_start_xmit: "
3434 "NAT-T & TRANSPORT: do not recalc TCP checksum\n");
3438 KLIPS_PRINT(debug_tunnel,
3439 "klips_debug:ipsec_tunnel_start_xmit: "
3440 "NAT-T & TRANSPORT: can't fix TCP checksum\n");
3444 if (data_len >= sizeof(struct udphdr)) {
3445 struct udphdr *udp = (struct udphdr *)((__u32 *)iph+iph->ihl);
3446 if (udp->check == 0) {
3447 KLIPS_PRINT(debug_tunnel,
3448 "klips_debug:ipsec_tunnel_start_xmit: "
3449 "NAT-T & TRANSPORT: UDP checksum already 0\n");
3452 __u32 buff[2] = { ~iph->daddr, natt_oa };
3453 KLIPS_PRINT(debug_tunnel,
3454 "klips_debug:ipsec_tunnel_start_xmit: "
3455 "NAT-T & TRANSPORT: "
3456 "fix UDP checksum using NAT-OA\n");
3457 udp->check = csum_fold(
3458 csum_partial((unsigned char *)buff, sizeof(buff),
3459 udp->check^0xffff));
3462 KLIPS_PRINT(debug_tunnel,
3463 "klips_debug:ipsec_tunnel_start_xmit: "
3464 "NAT-T & TRANSPORT: zero UDP checksum\n");
3469 KLIPS_PRINT(debug_tunnel,
3470 "klips_debug:ipsec_tunnel_start_xmit: "
3471 "NAT-T & TRANSPORT: can't fix UDP checksum\n");
3475 KLIPS_PRINT(debug_tunnel,
3476 "klips_debug:ipsec_tunnel_start_xmit: "
3477 "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
3481 #endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
3483 if(!hard_header_stripped) {
3484 if((pXmitDesc->saved_header = kmalloc(pXmitDesc->hard_header_len, GFP_ATOMIC)) == NULL) {
3485 printk(KERN_WARNING "klips_debug:ipsec_tunnel_start_xmit: "
3486 "Failed, tried to allocate %d bytes for temp hard_header.\n",
3487 pXmitDesc->hard_header_len);
3489 spin_lock (&tdb_lock);
3490 delXmitDesc_from_salist(tdbp, pXmitDesc);
3491 spin_unlock (&tdb_lock);
3494 for (i = 0; i < pXmitDesc->hard_header_len; i++) {
3495 pXmitDesc->saved_header[i] = skb->data[i];
3497 if(skb->len < pXmitDesc->hard_header_len) {
3498 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
3499 "tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n",
3500 pXmitDesc->hard_header_len, (int)(skb->len));
3502 spin_lock (&tdb_lock);
3503 delXmitDesc_from_salist(tdbp, pXmitDesc);
3504 spin_unlock (&tdb_lock);
3507 skb_pull(skb, pXmitDesc->hard_header_len);
3508 hard_header_stripped = 1;
3510 /*iph = (struct iphdr *) (skb->data); */
3511 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3512 "klips_debug:ipsec_tunnel_start_xmit: "
3513 "head,tailroom: %d,%d after hard_header stripped.\n",
3514 skb_headroom(skb), skb_tailroom(skb));
3515 //KLIPS_IP_PRINT(debug_tunnel & DB_TN_CROUT, iph);
3517 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3518 "klips_debug:ipsec_tunnel_start_xmit: "
3519 "hard header already stripped.\n");
3522 ll_headroom = (pXmitDesc->hard_header_len + 15) & ~15;
3523 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,"A\n");
3524 if ((skb_headroom(skb) >= max_headroom + 2 * ll_headroom) &&
3525 (skb_tailroom(skb) >= max_tailroom)
3528 #endif /* !NET_21 */
3530 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3531 "klips_debug:ipsec_tunnel_start_xmit: "
3532 "data fits in existing skb\n");
3534 struct sk_buff* tskb = skb;
3536 if(!pXmitDesc->oskb) {
3537 pXmitDesc->oskb = skb;
3540 tskb = skb_copy_expand(skb,
3541 /* The reason for 2 * link layer length here still baffles me...RGB */
3542 max_headroom + 2 * ll_headroom,
3546 if(tskb && skb->sk) {
3547 skb_set_owner_w(tskb, skb->sk);
3550 if(!(skb == pXmitDesc->oskb) ) {
3551 dev_kfree_skb(skb, FREE_WRITE);
3556 "klips_debug:ipsec_tunnel_start_xmit: "
3557 "Failed, tried to allocate %d head and %d tailroom\n",
3558 max_headroom, max_tailroom);
3560 spin_lock (&tdb_lock);
3561 delXmitDesc_from_salist(tdbp, pXmitDesc);
3562 spin_unlock (&tdb_lock);
3565 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3566 "klips_debug:ipsec_tunnel_start_xmit: "
3567 "head,tailroom: %d,%d after allocation\n",
3568 skb_headroom(skb), skb_tailroom(skb));
3571 delXmitDesc_from_salist(tdbp, pXmitDesc);
3574 * Apply grouped transforms to packet
3577 #ifdef CONFIG_IPSEC_ESP
3581 char iv[ESP_IV_MAXSZ];
3583 int authlen = 0, padlen = 0, i;
3584 #endif /* !CONFIG_IPSEC_ESP */
3585 #ifdef CONFIG_IPSEC_AH
3587 #endif /* CONFIG_IPSEC_AH */
3589 int headroom = 0, tailroom = 0, len = 0;
3592 spin_lock(&tdb_lock);
3593 addXmitDesc_to_salist(tdbp, pXmitDesc);
3594 spin_unlock(&tdb_lock);
3596 iphlen = iph->ihl << 2;
3597 pyldsz = ntohs(iph->tot_len) - iphlen;
3598 sa_len = satoa(tdbp->tdb_said, 0, sa, SATOA_BUF);
3599 KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
3600 "klips_debug:ipsec_tunnel_start_xmit: "
3601 "calling output for <%s%s%s>, SA:%s\n",
3602 IPS_XFORM_NAME(tdbp),
3603 sa_len ? sa : " (error)");
3605 switch(tdbp->tdb_said.proto) {
3606 #ifdef CONFIG_IPSEC_AH
3608 headroom += sizeof(struct ah);
3610 #endif /* CONFIG_IPSEC_AH */
3611 #ifdef CONFIG_IPSEC_ESP
3613 switch(tdbp->tdb_encalg) {
3614 #ifdef CONFIG_IPSEC_ENC_DES
3616 #endif /* CONFIG_IPSEC_ENC_DES */
3617 #ifdef CONFIG_IPSEC_ENC_3DES
3619 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
3621 #endif /* CONFIG_IPSEC_ENC_3DES */
3622 #ifdef CONFIG_IPSEC_ALG
3624 headroom += (sizeof(struct esp) + tdbp->ips_iv_size);
3626 #endif /* CONFIG_IPSEC_ALG */
3628 spin_lock (&tdb_lock);
3629 delXmitDesc_from_salist(tdbp, pXmitDesc);
3630 spin_unlock (&tdb_lock);
3634 switch(tdbp->tdb_authalg) {
3635 #ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
3637 authlen = AHHMAC_HASHLEN;
3639 #endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
3640 #ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
3642 authlen = AHHMAC_HASHLEN;
3644 #endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
3649 spin_lock (&tdb_lock);
3650 delXmitDesc_from_salist(tdbp, pXmitDesc);
3651 spin_unlock (&tdb_lock);
3654 tailroom += ((tdbp->ips_enc_blksize - ((pyldsz + 2 * sizeof(unsigned char)) % tdbp->ips_enc_blksize))
3655 % tdbp->ips_enc_blksize) + 2;
3656 tailroom += authlen;
3658 #endif /* !CONFIG_IPSEC_ESP */
3659 #ifdef CONFIG_IPSEC_IPIP
3661 headroom += sizeof(struct iphdr);
3663 #endif /* !CONFIG_IPSEC_IPIP */
3664 #ifdef CONFIG_IPSEC_IPCOMP
3667 #endif /* CONFIG_IPSEC_IPCOMP */
3670 spin_lock (&tdb_lock);
3671 delXmitDesc_from_salist(tdbp, pXmitDesc);
3672 spin_unlock (&tdb_lock);
3676 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3677 "klips_debug:ipsec_tunnel_start_xmit: "
3678 "pushing %d bytes, putting %d, proto %d.\n",
3679 headroom, tailroom, tdbp->tdb_said.proto);
3680 if(skb_headroom(skb) < headroom) {
3682 "klips_error:ipsec_tunnel_start_xmit: "
3683 "tried to skb_push headroom=%d, %d available. This should never happen, please report.\n",
3684 headroom, skb_headroom(skb));
3686 spin_lock (&tdb_lock);
3687 delXmitDesc_from_salist(tdbp, pXmitDesc);
3688 spin_unlock (&tdb_lock);
3691 dat = skb_push(skb, headroom);
3693 if(skb_tailroom(skb) < tailroom) {
3695 "klips_error:ipsec_tunnel_start_xmit: "
3696 "tried to skb_put %d, %d available. This should never happen, please report.\n",
3697 tailroom, skb_tailroom(skb));
3699 spin_lock (&tdb_lock);
3700 delXmitDesc_from_salist(tdbp, pXmitDesc);
3701 spin_unlock (&tdb_lock);
3704 skb_put(skb, tailroom);
3705 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3706 "klips_debug:ipsec_tunnel_start_xmit: "
3707 "head,tailroom: %d,%d before xform.\n",
3708 skb_headroom(skb), skb_tailroom(skb));
3711 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
3712 "tot_len (%d) > 65520. This should never happen, please report.\n",
3715 spin_lock (&tdb_lock);
3716 delXmitDesc_from_salist(tdbp, pXmitDesc);
3717 spin_unlock (&tdb_lock);
3720 memmove((void *)dat, (void *)(dat + headroom), iphlen);
3721 iph = (struct iphdr *)dat;
3722 iph->tot_len = htons(skb->len);
3723 switch(tdbp->tdb_said.proto) {
3724 #ifdef CONFIG_IPSEC_ESP
3726 espp = (struct esp *)(dat + iphlen);
3727 ivlen = tdbp->ips_iv_size;
3728 /* Get IV location pointer in payload - after ESP header */
3729 ivp = (char *) espp + sizeof (struct esp);
3730 espp->esp_spi = tdbp->tdb_said.spi;
3732 spin_lock(&tdb_lock);
3733 espp->esp_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
3734 spin_unlock(&tdb_lock);
3736 switch(tdbp->tdb_encalg) {
3737 #ifdef CONFIG_IPSEC_ENC_DES
3739 #endif /* CONFIG_IPSEC_ENC_DES */
3740 #ifdef CONFIG_IPSEC_ENC_3DES
3742 /* To support multiple request from the same TDB at the same
3743 * time, chaining of IV from previous cipher block could not
3744 * be used. Thus random IV is generated per each packet */
3745 for (i = 0; i < ivlen; i++)
3747 iv[i] = (jiffies % 0xff) + i;
3749 memcpy (ivp, iv, ivlen);
3751 #endif /* CONFIG_IPSEC_ENC_3DES */
3752 #ifdef CONFIG_IPSEC_ALG
3754 /* To support multiple request from the same TDB at the same
3755 * time, chaining of IV from previous cipher block could not
3756 * be used. Thus random IV is generated per each packet */
3757 for (i = 0; i < ivlen; i++)
3759 iv[i] = (jiffies % 0xff) + i;
3761 memcpy (ivp, iv, ivlen);
3763 #endif /* CONFIG_IPSEC_ALG */
3766 spin_lock (&tdb_lock);
3767 delXmitDesc_from_salist(tdbp, pXmitDesc);
3768 spin_unlock (&tdb_lock);
3772 /* set offset for crypto perform */
3773 crypt_start_offset = iphlen + headroom;
3774 crypt_data_len = len - (iphlen + headroom + authlen);
3775 auth_start_offset = iphlen;
3776 auth_data_len = len - (iphlen + authlen);
3777 icv_offset = len - authlen;
3779 /* Self-describing padding */
3780 pad = &dat[len - tailroom];
3781 padlen = tailroom - 2 - authlen;
3782 for (i = 0; i < padlen; i++) {
3785 dat[len - authlen - 2] = padlen;
3787 dat[len - authlen - 1] = iph->protocol;
3788 iph->protocol = IPPROTO_ESP;
3791 skb->h.raw = (unsigned char*)espp;
3794 #endif /* !CONFIG_IPSEC_ESP */
3795 #ifdef CONFIG_IPSEC_AH
3797 ahp = (struct ah *)(dat + iphlen);
3798 ahp->ah_spi = tdbp->tdb_said.spi;
3799 spin_lock(&tdb_lock);
3800 ahp->ah_rpl = htonl(++(tdbp->tdb_replaywin_lastseq));
3801 spin_unlock(&tdb_lock);
3803 ahp->ah_nh = iph->protocol;
3804 ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32);
3805 iph->protocol = IPPROTO_AH;
3806 memset (&(ahp->ah_data[0]), 0, (AHHMAC_HASHLEN * sizeof(__u8)));
3808 dmp("ahp", (char*)ahp, sizeof(*ahp));
3810 /* Keep a copy of the original IP, modify iph to handle mutable fields */
3811 pXmitDesc->ip_tos = iph->tos;
3812 pXmitDesc->ip_frag_off = iph->frag_off;
3813 pXmitDesc->ip_ttl = iph->ttl;
3819 dmp("iph", (char*)&iph, sizeof(iph));
3821 /* set offset for crypto perform */
3822 auth_start_offset = 0;
3823 auth_data_len = len;
3824 icv_offset = iphlen + AUTH_DATA_IN_AH_OFFSET;
3826 /* Error checking */
3827 if ((tdbp->tdb_authalg != AH_MD5) && (tdbp->tdb_authalg != AH_SHA))
3830 spin_lock (&tdb_lock);
3831 delXmitDesc_from_salist(tdbp, pXmitDesc);
3832 spin_unlock (&tdb_lock);
3836 skb->h.raw = (unsigned char*)ahp;
3839 #endif /* CONFIG_IPSEC_AH */
3840 #ifdef CONFIG_IPSEC_IPIP
3843 switch(sysctl_ipsec_tos) {
3846 iph->tos = skb->nh.iph->tos;
3848 iph->tos = skb->ip_hdr->tos;
3859 iph->ttl = sysctl_ip_default_ttl;
3860 #else /* NETDEV_23 */
3861 iph->ttl = ip_statistics.IpDefaultTTL;
3862 #endif /* NETDEV_23 */
3864 iph->ttl = 64; /* ip_statistics.IpDefaultTTL; */
3867 iph->saddr = ((struct sockaddr_in*)(tdbp->tdb_addr_s))->sin_addr.s_addr;
3868 iph->daddr = ((struct sockaddr_in*)(tdbp->tdb_addr_d))->sin_addr.s_addr;
3869 iph->protocol = IPPROTO_IPIP;
3870 iph->ihl = sizeof(struct iphdr) >> 2 /* 5 */;
3871 #ifdef IP_SELECT_IDENT
3872 /* XXX use of skb->dst below is a questionable
3873 substitute for &rt->u.dst which is only
3874 available later-on */
3875 #ifdef IP_SELECT_IDENT_NEW
3876 ip_select_ident(iph, skb->dst, NULL);
3877 #else /* IP_SELECT_IDENT_NEW */
3878 ip_select_ident(iph, skb->dst);
3879 #endif /* IP_SELECT_IDENT_NEW */
3880 #else /* IP_SELECT_IDENT */
3881 iph->id = htons(ip_id_count++); /* Race condition here? */
3882 #endif /* IP_SELECT_IDENT */
3884 newdst = (__u32)iph->daddr;
3885 newsrc = (__u32)iph->saddr;
3888 skb->h.ipiph = skb->nh.iph;
3892 #endif /* !CONFIG_IPSEC_IPIP */
3893 #ifdef CONFIG_IPSEC_IPCOMP
3896 unsigned int flags = 0;
3897 #ifdef CONFIG_IPSEC_DEBUG
3898 unsigned int old_tot_len = ntohs(iph->tot_len);
3899 #endif /* CONFIG_IPSEC_DEBUG */
3901 spin_lock(&tdb_lock);
3902 tdbp->tdb_comp_ratio_dbytes += ntohs(iph->tot_len);
3904 skb = skb_compress(skb, tdbp, &flags);
3912 tdbp->tdb_comp_ratio_cbytes += ntohs(iph->tot_len);
3913 spin_unlock (&tdb_lock);
3914 #ifdef CONFIG_IPSEC_DEBUG
3915 if (debug_tunnel & DB_TN_CROUT)
3917 if (old_tot_len > ntohs(iph->tot_len))
3918 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3919 "klips_debug:ipsec_tunnel_start_xmit: "
3920 "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
3921 old_tot_len, ntohs(iph->tot_len),
3922 ntohs(((struct ipcomphdr*)(((char*)iph) + ((iph->ihl) << 2)))->ipcomp_cpi),
3923 ntohl(tdbp->tdb_said.spi),
3924 (__u16)(ntohl(tdbp->tdb_said.spi) & 0x0000ffff));
3926 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
3927 "klips_debug:ipsec_tunnel_start_xmit: "
3928 "packet did not compress (flags = %d).\n",
3931 #endif /* CONFIG_IPSEC_DEBUG */
3934 #endif /* CONFIG_IPSEC_IPCOMP */
3937 delXmitDesc_from_salist(tdbp, pXmitDesc);
3941 /*IXP425 glue code : crypto perform */
3942 #if defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)
3943 if ((tdbp->tdb_said.proto == IPPROTO_AH) || (tdbp->tdb_said.proto == IPPROTO_ESP))
3945 /* Get mbuf from pool */
3947 if(IPSEC_GLUE_STATUS_SUCCESS != ipsec_glue_mbuf_header_get(&src_mbuf))
3950 KLIPS_PRINT(debug_tunnel,
3951 "klips_debug:ipsec_tunnel_start_xmit: "
3952 "running out of mbufs, dropped\n");
3958 /* attach mbuf to sk_buff */
3959 mbuf_swap_skb(src_mbuf, skb);
3961 /* store xmit desc in mbuf */
3962 (IpsecXmitDesc *) IX_MBUF_NEXT_PKT_IN_CHAIN_PTR (src_mbuf) = pXmitDesc;
3964 if (IX_CRYPTO_ACC_STATUS_SUCCESS != ixCryptoAccAuthCryptPerform (
3965 tdbp->ips_crypto_context_id,
3976 KLIPS_PRINT(debug_tunnel,
3977 "klips_debug:ipsec_tunnel_start_xmit: "
3978 "warning, encapsulation of packet cannot be started\n");
3981 ipsec_glue_mbuf_header_rel(src_mbuf);
3982 delXmitDesc_from_salist(tdbp, pXmitDesc);
3987 } /* end of if ((tdbp->tdb_said.proto == IPPROTO_AH)
3988 || (tdbp->tdb_said.proto == IPPROTO_ESP)) */
3989 #endif /* defined(CONFIG_IPSEC_AH) || defined(CONFIG_IPSEC_ESP)*/
3992 skb->nh.raw = skb->data;
3994 skb->ip_hdr = skb->h.iph = (struct iphdr *) skb->data;
3997 iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
3999 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4000 "klips_debug:ipsec_tunnel_start_xmit: "
4001 "after <%s%s%s>, SA:%s:\n",
4002 IPS_XFORM_NAME(tdbp),
4003 sa_len ? sa : " (error)");
4004 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, iph);
4006 spin_lock (&tdb_lock);
4007 tdbp->ips_life.ipl_bytes.ipl_count += len;
4008 tdbp->ips_life.ipl_bytes.ipl_last = len;
4010 if(!tdbp->ips_life.ipl_usetime.ipl_count) {
4011 tdbp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
4013 tdbp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
4014 tdbp->ips_life.ipl_packets.ipl_count++;
4016 delXmitDesc_from_salist(tdbp, pXmitDesc);
4017 spin_unlock (&tdb_lock);
4020 tdbp = tdbp->ips_onext;
4021 /* store current tdbp into xmit desc */
4022 pXmitDesc->tdbp = tdbp;
4024 } /* end encapsulation loop here XXX */
4026 (pXmitDesc->matcher).sen_ip_src.s_addr = iph->saddr;
4027 (pXmitDesc->matcher).sen_ip_dst.s_addr = iph->daddr;
4028 spin_lock(&eroute_lock);
4029 er = ipsec_findroute(&(pXmitDesc->matcher));
4031 (pXmitDesc->outgoing_said) = er->er_said;
4032 pXmitDesc->eroute_pid = er->er_pid;
4034 er->er_lasttime = jiffies/HZ;
4036 spin_unlock(&eroute_lock);
4037 KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
4038 /* ((orgdst != newdst) || (orgsrc != newsrc)) */
4039 (pXmitDesc->orgedst != (pXmitDesc->outgoing_said).dst.s_addr) &&
4040 (pXmitDesc->outgoing_said).dst.s_addr &&
4042 "klips_debug:ipsec_tunnel_start_xmit: "
4043 "We are recursing here.\n");
4045 } while(/*((orgdst != newdst) || (orgsrc != newsrc))*/
4046 (pXmitDesc->orgedst != (pXmitDesc->outgoing_said).dst.s_addr) &&
4047 (pXmitDesc->outgoing_said).dst.s_addr &&
4049 /* end of edest processing */
4051 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
4052 "klips_debug:ipsec_tunnel_start_xmit: "
4053 "After recursive xforms -- head,tailroom: %d,%d\n",
4054 skb_headroom(skb), skb_tailroom(skb));
4056 if(pXmitDesc->saved_header) {
4057 if(skb_headroom(skb) < pXmitDesc->hard_header_len) {
4059 "klips_error:ipsec_tunnel_start_xmit: "
4060 "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
4061 pXmitDesc->hard_header_len, skb_headroom(skb));
4065 skb_push(skb, pXmitDesc->hard_header_len);
4066 for (i = 0; i < pXmitDesc->hard_header_len; i++) {
4067 skb->data[i] = pXmitDesc->saved_header[i];
4070 #ifdef CONFIG_IPSEC_NAT_TRAVERSAL
4071 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4072 "klips_debug:ipsec_tunnel_start_xmit: "
4073 "natt_type: %d natt_head:%d\n", natt_type, natt_head);
4074 if (natt_type && natt_head) {
4075 struct iphdr *ipp = skb->nh.iph;
4077 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4078 "klips_debug:ipsec_tunnel_start_xmit: "
4079 "encapsuling packet into UDP (NAT-Traversal)\n");
4080 iphlen = ipp->ihl << 2;
4082 htons(ntohs(ipp->tot_len) + natt_head);
4083 if(skb_tailroom(skb) < natt_head) {
4084 printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
4085 "tried to skb_put %d, %d available. "
4086 "This should never happen, please report.\n",
4092 skb_put(skb, natt_head);
4093 udp = (struct udphdr *)((char *)ipp + iphlen);
4094 /* move ESP hdr after UDP hdr */
4095 memmove((void *)((char *)udp + natt_head),
4097 ntohs(ipp->tot_len) - iphlen - natt_head);
4098 /* clear UDP & Non-IKE Markers (if any) */
4099 memset(udp, 0, natt_head);
4100 /* fill UDP with usefull informations ;-) */
4101 udp->source = htons(natt_sport);
4102 udp->dest = htons(natt_dport);
4103 udp->len = htons(ntohs(ipp->tot_len) - iphlen);
4105 ipp->protocol = IPPROTO_UDP;
4106 /* fix IP checksum */
4108 ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
4112 KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
4113 "klips_debug:ipsec_tunnel_start_xmit: "
4114 "With hard_header, final head,tailroom: %d,%d\n",
4115 skb_headroom(skb), skb_tailroom(skb));
4117 #ifdef NET_21 /* 2.2 and 2.4 kernels */
4118 /* new route/dst cache code from James Morris */
4120 /*skb_orphan(skb);*/
4121 if((error = ip_route_output(&rt,
4123 pXmitDesc->pass ? 0 : skb->nh.iph->saddr,
4124 RT_TOS(skb->nh.iph->tos),
4125 physdev->iflink /* rgb: should this be 0? */))) {
4128 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4129 "klips_debug:ipsec_tunnel_start_xmit: "
4130 "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
4132 rt->u.dst.dev->name);
4135 if(dev == rt->u.dst.dev) {
4137 /* This is recursion, drop it. */
4139 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4140 "klips_debug:ipsec_tunnel_start_xmit: "
4141 "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n", dev->name);
4144 dst_release(skb->dst);
4145 skb->dst = &rt->u.dst;
4146 stats->tx_bytes += skb->len;
4147 if(skb->len < skb->nh.raw - skb->data) {
4150 "klips_error:ipsec_tunnel_start_xmit: "
4151 "tried to __skb_pull nh-data=%d, %d available. This should never happen, please report.\n",
4152 skb->nh.raw - skb->data, skb->len);
4155 __skb_pull(skb, skb->nh.raw - skb->data);
4156 #ifdef SKB_RESET_NFCT
4157 nf_conntrack_put(skb->nfct);
4159 #ifdef CONFIG_NETFILTER_DEBUG
4161 #endif /* CONFIG_NETFILTER_DEBUG */
4162 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
4163 nf_bridge_put(skb->nf_bridge);
4164 skb->nf_bridge = NULL;
4166 #endif /* SKB_RESET_NFCT */
4167 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4168 "klips_debug:ipsec_tunnel_start_xmit: "
4169 "...done, calling ip_send() on device:%s\n",
4170 skb->dev ? skb->dev->name : "NULL");
4171 KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, skb->nh.iph);
4172 #ifdef NETDEV_23 /* 2.4 kernels */
4176 err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
4177 ipsec_tunnel_xmit2);
4178 if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
4181 "klips_error:ipsec_tunnel_start_xmit: "
4182 "ip_send() failed, err=%d\n",
4185 stats->tx_aborted_errors++;
4190 #else /* NETDEV_23 */ /* 2.2 kernels */
4192 #endif /* NETDEV_23 */
4193 #else /* NET_21 */ /* 2.0 kernels */
4195 /* ISDN/ASYNC PPP from Matjaz Godec. */
4196 /* skb->protocol = htons(ETH_P_IP); */
4197 KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
4198 "klips_debug:ipsec_tunnel_start_xmit: "
4199 "...done, calling dev_queue_xmit() or ip_fragment().\n");
4200 IP_SEND(skb, physdev);
4202 stats->tx_packets++;
4208 #if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
4209 netif_wake_queue(dev);
4210 #else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
4212 #endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
4215 if(pXmitDesc->saved_header) {
4216 kfree(pXmitDesc->saved_header);
4218 if(pXmitDesc->oskb) {
4219 dev_kfree_skb(pXmitDesc->oskb, FREE_WRITE);
4221 if ((pXmitDesc->tdb).tdb_ident_s.data) {
4222 kfree((pXmitDesc->tdb).tdb_ident_s.data);
4224 if ((pXmitDesc->tdb).tdb_ident_d.data) {
4225 kfree((pXmitDesc->tdb).tdb_ident_d.data);
4228 ipsec_glue_xmit_desc_release (pXmitDesc);
4231 dev_kfree_skb(skb, FREE_WRITE);
4237 DEBUG_NO_STATIC struct net_device_stats *
4238 ipsec_tunnel_get_stats(struct device *dev)
4240 return &(((struct ipsecpriv *)(dev->priv))->mystats);
4245 * For each of these calls, a field exists in our private structure.
4249 ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
4250 unsigned short type, void *daddr, void *saddr, unsigned len)
4252 struct ipsecpriv *prv = dev->priv;
4255 struct net_device_stats *stats; /* This device's statistics */
4258 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4259 "klips_debug:ipsec_tunnel_hard_header: "
4265 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4266 "klips_debug:ipsec_tunnel_hard_header: "
4271 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4272 "klips_debug:ipsec_tunnel_hard_header: "
4273 "skb->dev=%s dev=%s.\n",
4274 skb->dev ? skb->dev->name : "NULL",
4278 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4279 "klips_debug:ipsec_tunnel_hard_header: "
4280 "no private space associated with dev=%s\n",
4281 dev->name ? dev->name : "NULL");
4285 stats = (struct net_device_stats *) &(prv->mystats);
4287 if(prv->dev == NULL) {
4288 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4289 "klips_debug:ipsec_tunnel_hard_header: "
4290 "no physical device associated with dev=%s\n",
4291 dev->name ? dev->name : "NULL");
4292 stats->tx_dropped++;
4296 /* check if we have to send a IPv6 packet. It might be a Router
4297 Solicitation, where the building of the packet happens in
4302 -> skb->nh.raw is still uninitialized when this function is
4303 called!! If this is no IPv6 packet, we can print debugging
4304 messages, otherwise we skip all debugging messages and just
4305 build the ll header */
4306 if(type != ETH_P_IPV6) {
4307 /* execute this only, if we don't have to build the
4308 header for a IPv6 packet */
4309 if(!prv->hard_header) {
4310 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4311 "klips_debug:ipsec_tunnel_hard_header: "
4312 "physical device has been detached, packet dropped 0x%p->0x%p len=%d type=%d dev=%s->NULL ",
4319 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
4321 (__u32)ntohl(skb->nh.iph->saddr),
4322 (__u32)ntohl(skb->nh.iph->daddr) );
4324 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
4326 (__u32)ntohl(skb->ip_hdr->saddr),
4327 (__u32)ntohl(skb->ip_hdr->daddr) );
4329 stats->tx_dropped++;
4333 #define da ((struct device *)(prv->dev))->dev_addr
4334 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4335 "klips_debug:ipsec_tunnel_hard_header: "
4336 "Revectored 0x%p->0x%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
4343 da[0], da[1], da[2], da[3], da[4], da[5]);
4345 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
4347 (__u32)ntohl(skb->nh.iph->saddr),
4348 (__u32)ntohl(skb->nh.iph->daddr) );
4350 KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
4352 (__u32)ntohl(skb->ip_hdr->saddr),
4353 (__u32)ntohl(skb->ip_hdr->daddr) );
4356 KLIPS_PRINT(debug_tunnel,
4357 "klips_debug:ipsec_tunnel_hard_header: "
4358 "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
4361 skb->dev = prv->dev;
4362 ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
4369 ipsec_tunnel_rebuild_header(struct sk_buff *skb)
4371 ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
4372 unsigned long raddr, struct sk_buff *skb)
4375 struct ipsecpriv *prv = skb->dev->priv;
4378 struct net_device_stats *stats; /* This device's statistics */
4380 if(skb->dev == NULL) {
4381 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4382 "klips_debug:ipsec_tunnel_rebuild_header: "
4388 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4389 "klips_debug:ipsec_tunnel_rebuild_header: "
4390 "no private space associated with dev=%s",
4391 skb->dev->name ? skb->dev->name : "NULL");
4395 stats = (struct net_device_stats *) &(prv->mystats);
4397 if(prv->dev == NULL) {
4398 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4399 "klips_debug:ipsec_tunnel_rebuild_header: "
4400 "no physical device associated with dev=%s",
4401 skb->dev->name ? skb->dev->name : "NULL");
4402 stats->tx_dropped++;
4406 if(!prv->rebuild_header) {
4407 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4408 "klips_debug:ipsec_tunnel_rebuild_header: "
4409 "physical device has been detached, packet dropped skb->dev=%s->NULL ",
4412 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4414 (__u32)ntohl(skb->nh.iph->saddr),
4415 (__u32)ntohl(skb->nh.iph->daddr) );
4417 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4419 (__u32)ntohl(skb->ip_hdr->saddr),
4420 (__u32)ntohl(skb->ip_hdr->daddr) );
4422 stats->tx_dropped++;
4426 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4427 "klips_debug:ipsec_tunnel: "
4428 "Revectored rebuild_header dev=%s->%s ",
4429 skb->dev->name, prv->dev->name);
4431 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4433 (__u32)ntohl(skb->nh.iph->saddr),
4434 (__u32)ntohl(skb->nh.iph->daddr) );
4436 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4438 (__u32)ntohl(skb->ip_hdr->saddr),
4439 (__u32)ntohl(skb->ip_hdr->daddr) );
4442 skb->dev = prv->dev;
4445 ret = prv->rebuild_header(skb);
4447 ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
4454 ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
4456 struct ipsecpriv *prv = dev->priv;
4458 struct net_device_stats *stats; /* This device's statistics */
4461 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4462 "klips_debug:ipsec_tunnel_set_mac_address: "
4468 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4469 "klips_debug:ipsec_tunnel_set_mac_address: "
4470 "no private space associated with dev=%s",
4471 dev->name ? dev->name : "NULL");
4475 stats = (struct net_device_stats *) &(prv->mystats);
4477 if(prv->dev == NULL) {
4478 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4479 "klips_debug:ipsec_tunnel_set_mac_address: "
4480 "no physical device associated with dev=%s",
4481 dev->name ? dev->name : "NULL");
4482 stats->tx_dropped++;
4486 if(!prv->set_mac_address) {
4487 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4488 "klips_debug:ipsec_tunnel_set_mac_address: "
4489 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
4494 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4495 "klips_debug:ipsec_tunnel_set_mac_address: "
4496 "Revectored dev=%s->%s addr=%p\n",
4497 dev->name, prv->dev->name, addr);
4498 return prv->set_mac_address(prv->dev, addr);
4503 DEBUG_NO_STATIC void
4504 ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
4505 unsigned short htype, __u32 daddr)
4507 struct ipsecpriv *prv = dev->priv;
4509 struct net_device_stats *stats; /* This device's statistics */
4512 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4513 "klips_debug:ipsec_tunnel_cache_bind: "
4519 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4520 "klips_debug:ipsec_tunnel_cache_bind: "
4521 "no private space associated with dev=%s",
4522 dev->name ? dev->name : "NULL");
4526 stats = (struct net_device_stats *) &(prv->mystats);
4528 if(prv->dev == NULL) {
4529 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4530 "klips_debug:ipsec_tunnel_cache_bind: "
4531 "no physical device associated with dev=%s",
4532 dev->name ? dev->name : "NULL");
4533 stats->tx_dropped++;
4537 if(!prv->header_cache_bind) {
4538 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4539 "klips_debug:ipsec_tunnel_cache_bind: "
4540 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
4542 stats->tx_dropped++;
4546 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4547 "klips_debug:ipsec_tunnel_cache_bind: "
4549 prv->header_cache_bind(hhp, prv->dev, htype, daddr);
4552 #endif /* !NET_21 */
4555 DEBUG_NO_STATIC void
4556 ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
4558 struct ipsecpriv *prv = dev->priv;
4560 struct net_device_stats *stats; /* This device's statistics */
4563 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4564 "klips_debug:ipsec_tunnel_cache_update: "
4570 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4571 "klips_debug:ipsec_tunnel_cache_update: "
4572 "no private space associated with dev=%s",
4573 dev->name ? dev->name : "NULL");
4577 stats = (struct net_device_stats *) &(prv->mystats);
4579 if(prv->dev == NULL) {
4580 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4581 "klips_debug:ipsec_tunnel_cache_update: "
4582 "no physical device associated with dev=%s",
4583 dev->name ? dev->name : "NULL");
4584 stats->tx_dropped++;
4588 if(!prv->header_cache_update) {
4589 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4590 "klips_debug:ipsec_tunnel_cache_update: "
4591 "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
4596 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4597 "klips_debug:ipsec_tunnel: "
4598 "Revectored cache_update\n");
4599 prv->header_cache_update(hh, prv->dev, haddr);
4605 ipsec_tunnel_neigh_setup(struct neighbour *n)
4607 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4608 "klips_debug:ipsec_tunnel_neigh_setup:\n");
4610 if (n->nud_state == NUD_NONE) {
4611 n->ops = &arp_broken_ops;
4612 n->output = n->ops->output;
4618 ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
4620 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4621 "klips_debug:ipsec_tunnel_neigh_setup_dev: "
4623 dev ? dev->name : "NULL");
4625 if (p->tbl->family == AF_INET) {
4626 p->neigh_setup = ipsec_tunnel_neigh_setup;
4627 p->ucast_probes = 0;
4628 p->mcast_probes = 0;
4635 * We call the attach routine to attach another device.
4639 ipsec_tunnel_attach(struct device *dev, struct device *physdev)
4642 struct ipsecpriv *prv = dev->priv;
4645 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4646 "klips_debug:ipsec_tunnel_attach: "
4652 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4653 "klips_debug:ipsec_tunnel_attach: "
4654 "no private space associated with dev=%s",
4655 dev->name ? dev->name : "NULL");
4660 prv->hard_start_xmit = physdev->hard_start_xmit;
4661 prv->get_stats = physdev->get_stats;
4663 if (physdev->hard_header) {
4664 prv->hard_header = physdev->hard_header;
4665 dev->hard_header = ipsec_tunnel_hard_header;
4667 dev->hard_header = NULL;
4669 if (physdev->rebuild_header) {
4670 prv->rebuild_header = physdev->rebuild_header;
4671 dev->rebuild_header = ipsec_tunnel_rebuild_header;
4673 dev->rebuild_header = NULL;
4675 if (physdev->set_mac_address) {
4676 prv->set_mac_address = physdev->set_mac_address;
4677 dev->set_mac_address = ipsec_tunnel_set_mac_address;
4679 dev->set_mac_address = NULL;
4682 if (physdev->header_cache_bind) {
4683 prv->header_cache_bind = physdev->header_cache_bind;
4684 dev->header_cache_bind = ipsec_tunnel_cache_bind;
4686 dev->header_cache_bind = NULL;
4687 #endif /* !NET_21 */
4689 if (physdev->header_cache_update) {
4690 prv->header_cache_update = physdev->header_cache_update;
4691 dev->header_cache_update = ipsec_tunnel_cache_update;
4693 dev->header_cache_update = NULL;
4695 dev->hard_header_len = physdev->hard_header_len;
4698 /* prv->neigh_setup = physdev->neigh_setup; */
4699 dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
4701 dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
4702 prv->mtu = physdev->mtu;
4705 dev->type = physdev->type /* ARPHRD_TUNNEL */; /* initially */
4706 #endif /* PHYSDEV_TYPE */
4708 dev->addr_len = physdev->addr_len;
4709 for (i=0; i<dev->addr_len; i++) {
4710 dev->dev_addr[i] = physdev->dev_addr[i];
4712 #ifdef CONFIG_IPSEC_DEBUG
4713 if(debug_tunnel & DB_TN_INIT) {
4714 printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
4715 "physical device %s being attached has HW address: %2x",
4716 physdev->name, physdev->dev_addr[0]);
4717 for (i=1; i < physdev->addr_len; i++) {
4718 printk(":%02x", physdev->dev_addr[i]);
4722 #endif /* CONFIG_IPSEC_DEBUG */
4728 * We call the detach routine to detach the ipsec tunnel from another device.
4732 ipsec_tunnel_detach(struct device *dev)
4735 struct ipsecpriv *prv = dev->priv;
4738 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4739 "klips_debug:ipsec_tunnel_detach: "
4745 KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
4746 "klips_debug:ipsec_tunnel_detach: "
4747 "no private space associated with dev=%s",
4748 dev->name ? dev->name : "NULL");
4752 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4753 "klips_debug:ipsec_tunnel_detach: "
4754 "physical device %s being detached from virtual device %s\n",
4755 prv->dev ? prv->dev->name : "NULL",
4759 prv->hard_start_xmit = NULL;
4760 prv->get_stats = NULL;
4762 prv->hard_header = NULL;
4763 #ifdef DETACH_AND_DOWN
4764 dev->hard_header = NULL;
4765 #endif /* DETACH_AND_DOWN */
4767 prv->rebuild_header = NULL;
4768 #ifdef DETACH_AND_DOWN
4769 dev->rebuild_header = NULL;
4770 #endif /* DETACH_AND_DOWN */
4772 prv->set_mac_address = NULL;
4773 #ifdef DETACH_AND_DOWN
4774 dev->set_mac_address = NULL;
4775 #endif /* DETACH_AND_DOWN */
4778 prv->header_cache_bind = NULL;
4779 #ifdef DETACH_AND_DOWN
4780 dev->header_cache_bind = NULL;
4781 #endif /* DETACH_AND_DOWN */
4782 #endif /* !NET_21 */
4784 prv->header_cache_update = NULL;
4785 #ifdef DETACH_AND_DOWN
4786 dev->header_cache_update = NULL;
4787 #endif /* DETACH_AND_DOWN */
4790 /* prv->neigh_setup = NULL; */
4791 #ifdef DETACH_AND_DOWN
4792 dev->neigh_setup = NULL;
4793 #endif /* DETACH_AND_DOWN */
4795 dev->hard_header_len = 0;
4796 #ifdef DETACH_AND_DOWN
4798 #endif /* DETACH_AND_DOWN */
4800 for (i=0; i<MAX_ADDR_LEN; i++) {
4801 dev->dev_addr[i] = 0;
4805 dev->type = ARPHRD_TUNNEL;
4806 #endif /* PHYSDEV_TYPE */
4812 * We call the clear routine to detach all ipsec tunnels from other devices.
4815 ipsec_tunnel_clear(void)
4818 struct device *ipsecdev = NULL, *prvdev;
4819 struct ipsecpriv *prv;
4823 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4824 "klips_debug:ipsec_tunnel_clear: .\n");
4826 for(i = 0; i < IPSEC_NUM_IF; i++) {
4827 sprintf(name, "ipsec%d", i);
4828 if((ipsecdev = ipsec_dev_get(name)) != NULL) {
4829 if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
4830 prvdev = (struct device *)(prv->dev);
4832 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4833 "klips_debug:ipsec_tunnel_clear: "
4834 "physical device for device %s is %s\n",
4835 name, prvdev->name);
4836 if((ret = ipsec_tunnel_detach(ipsecdev))) {
4837 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4838 "klips_debug:ipsec_tunnel_clear: "
4839 "error %d detatching device %s from device %s.\n",
4840 ret, name, prvdev->name);
4851 ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
4853 struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
4854 struct ipsecpriv *prv = dev->priv;
4855 struct device *them; /* physical device */
4856 #if defined(NET_21) && defined(CONFIG_IP_ALIAS)
4858 char realphysname[IFNAMSIZ];
4859 #endif /* NET_21 && CONFIG_IP_ALIAS */
4862 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4863 "klips_debug:ipsec_tunnel_ioctl: "
4864 "device not supplied.\n");
4868 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4869 "klips_debug:ipsec_tunnel_ioctl: "
4870 "tncfg service call #%d for dev=%s\n",
4872 dev->name ? dev->name : "NULL");
4874 /* attach a virtual ipsec? device to a physical device */
4876 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4877 "klips_debug:ipsec_tunnel_ioctl: "
4878 "calling ipsec_tunnel_attatch...\n");
4879 #if defined(NET_21) && defined(CONFIG_IP_ALIAS)
4880 /* If this is an IP alias interface, get its real physical name */
4881 strncpy(realphysname, cf->cf_name, IFNAMSIZ);
4882 realphysname[IFNAMSIZ-1] = 0;
4883 colon = strchr(realphysname, ':');
4884 if (colon) *colon = 0;
4885 them = ipsec_dev_get(realphysname);
4886 #else /* NET_21 && CONFIG_IP_ALIAS */
4887 them = ipsec_dev_get(cf->cf_name);
4888 #endif /* NET_21 && CONFIG_IP_ALIAS */
4891 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4892 "klips_debug:ipsec_tunnel_ioctl: "
4893 "physical device %s requested is null\n",
4899 if (them->flags & IFF_UP) {
4900 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4901 "klips_debug:ipsec_tunnel_ioctl: "
4902 "physical device %s requested is not up.\n",
4908 if (prv && prv->dev) {
4909 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4910 "klips_debug:ipsec_tunnel_ioctl: "
4911 "virtual device is already connected to %s.\n",
4912 prv->dev->name ? prv->dev->name : "NULL");
4915 return ipsec_tunnel_attach(dev, them);
4918 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4919 "klips_debug:ipsec_tunnel_ioctl: "
4920 "calling ipsec_tunnel_detatch.\n");
4922 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4923 "klips_debug:ipsec_tunnel_ioctl: "
4924 "physical device not connected.\n");
4927 return ipsec_tunnel_detach(dev);
4930 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4931 "klips_debug:ipsec_tunnel_ioctl: "
4932 "calling ipsec_tunnel_clear.\n");
4933 return ipsec_tunnel_clear();
4936 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4937 "klips_debug:ipsec_tunnel_ioctl: "
4938 "unknown command %d.\n",
4945 ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
4947 struct device *dev = ptr;
4948 struct device *ipsec_dev;
4949 struct ipsecpriv *priv;
4954 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4955 "klips_debug:ipsec_device_event: "
4956 "dev=NULL for event type %ld.\n",
4958 return(NOTIFY_DONE);
4961 /* check for loopback devices */
4962 if (dev && (dev->flags & IFF_LOOPBACK)) {
4963 return(NOTIFY_DONE);
4968 /* look very carefully at the scope of these compiler
4969 directives before changing anything... -- RGB */
4971 case NETDEV_UNREGISTER:
4975 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4976 "klips_debug:ipsec_device_event: "
4977 "NETDEV_DOWN dev=%s flags=%x\n",
4980 if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
4981 printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
4986 case NETDEV_UNREGISTER:
4987 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
4988 "klips_debug:ipsec_device_event: "
4989 "NETDEV_UNREGISTER dev=%s flags=%x\n",
4996 /* find the attached physical device and detach it. */
4997 for(i = 0; i < IPSEC_NUM_IF; i++) {
4998 sprintf(name, "ipsec%d", i);
4999 ipsec_dev = ipsec_dev_get(name);
5001 priv = (struct ipsecpriv *)(ipsec_dev->priv);
5004 if(((struct device *)(priv->dev)) == dev) {
5005 /* dev_close(ipsec_dev); */
5006 /* return */ ipsec_tunnel_detach(ipsec_dev);
5007 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5008 "klips_debug:ipsec_device_event: "
5009 "device '%s' has been detached.\n",
5014 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5015 "klips_debug:ipsec_device_event: "
5016 "device '%s' has no private data space!\n",
5023 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5024 "klips_debug:ipsec_device_event: "
5025 "NETDEV_UP dev=%s\n",
5030 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5031 "klips_debug:ipsec_device_event: "
5032 "NETDEV_REBOOT dev=%s\n",
5036 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5037 "klips_debug:ipsec_device_event: "
5038 "NETDEV_CHANGE dev=%s flags=%x\n",
5042 case NETDEV_REGISTER:
5043 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5044 "klips_debug:ipsec_device_event: "
5045 "NETDEV_REGISTER dev=%s\n",
5048 case NETDEV_CHANGEMTU:
5049 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5050 "klips_debug:ipsec_device_event: "
5051 "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
5055 case NETDEV_CHANGEADDR:
5056 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5057 "klips_debug:ipsec_device_event: "
5058 "NETDEV_CHANGEADDR dev=%s\n",
5061 case NETDEV_GOING_DOWN:
5062 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5063 "klips_debug:ipsec_device_event: "
5064 "NETDEV_GOING_DOWN dev=%s\n",
5067 case NETDEV_CHANGENAME:
5068 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5069 "klips_debug:ipsec_device_event: "
5070 "NETDEV_CHANGENAME dev=%s\n",
5075 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5076 "klips_debug:ipsec_device_event: "
5077 "event type %ld unrecognised for dev=%s\n",
5086 * Called when an ipsec tunnel device is initialized.
5087 * The ipsec tunnel device structure is passed to us.
5091 ipsec_tunnel_init(struct device *dev)
5097 "klips_debug:ipsec_tunnel_init: "
5098 "initialisation of device: %s\n",
5099 dev->name ? dev->name : "NULL");
5102 /* Add our tunnel functions to the device */
5103 dev->open = ipsec_tunnel_open;
5104 dev->stop = ipsec_tunnel_close;
5105 dev->hard_start_xmit = ipsec_tunnel_start_xmit;
5106 dev->get_stats = ipsec_tunnel_get_stats;
5108 dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
5109 if (dev->priv == NULL)
5111 memset(dev->priv, 0, sizeof(struct ipsecpriv));
5113 for(i = 0; i < sizeof(zeroes); i++) {
5114 ((__u8*)(zeroes))[i] = 0;
5118 /* Initialize the tunnel device structure */
5119 for (i = 0; i < DEV_NUMBUFFS; i++)
5120 skb_queue_head_init(&dev->buffs[i]);
5121 #endif /* !NET_21 */
5123 dev->set_multicast_list = NULL;
5124 dev->do_ioctl = ipsec_tunnel_ioctl;
5125 dev->hard_header = NULL;
5126 dev->rebuild_header = NULL;
5127 dev->set_mac_address = NULL;
5129 dev->header_cache_bind = NULL;
5130 #endif /* !NET_21 */
5131 dev->header_cache_update= NULL;
5134 /* prv->neigh_setup = NULL; */
5135 dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
5137 dev->hard_header_len = 0;
5140 dev->type = ARPHRD_TUNNEL; /* 0 */ /* ARPHRD_ETHER; */ /* initially */
5141 dev->tx_queue_len = 10; /* Small queue */
5142 memset(dev->broadcast,0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */
5144 /* New-style flags. */
5145 dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;
5147 dev_init_buffers(dev);
5149 dev->family = AF_INET;
5151 dev->pa_brdaddr = 0;
5156 /* We're done. Have I forgotten anything? */
5160 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
5161 /* Module specific interface (but it links with the rest of IPSEC */
5162 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
5165 ipsec_tunnel_probe(struct device *dev)
5167 ipsec_tunnel_init(dev);
5171 static struct device dev_ipsec3 =
5173 "ipsec3\0 ", /* name */
5174 0, /* recv memory end */
5175 0, /* recv memory start */
5177 0, /* memory start */
5178 0x0, /* base I/O address */
5180 0, 0, 0, /* flags */
5181 NULL, /* next device */
5182 ipsec_tunnel_probe /* setup */
5185 static struct device dev_ipsec2 =
5187 "ipsec2\0 ", /* name */
5188 0, /* recv memory end */
5189 0, /* recv memory start */
5191 0, /* memory start */
5192 0x0, /* base I/O address */
5194 0, 0, 0, /* flags */
5195 NULL, /* next device */
5196 ipsec_tunnel_probe /* setup */
5199 static struct device dev_ipsec1 =
5201 "ipsec1\0 ", /* name */
5202 0, /* recv memory end */
5203 0, /* recv memory start */
5205 0, /* memory start */
5206 0x0, /* base I/O address */
5208 0, 0, 0, /* flags */
5209 NULL, /* next device */
5210 ipsec_tunnel_probe /* setup */
5213 static struct device dev_ipsec0 =
5215 "ipsec0\0 ", /* name */
5216 0, /* recv memory end */
5217 0, /* recv memory start */
5219 0, /* memory start */
5220 0x0, /* base I/O address */
5222 0, 0, 0, /* flags */
5223 NULL, /* next device */
5224 ipsec_tunnel_probe /* setup */
5228 ipsec_tunnel_init_devices(void)
5231 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5232 "klips_debug:ipsec_tunnel_init_devices: "
5233 "registering device %s\n",
5236 if (register_netdev(&dev_ipsec0) != 0)
5239 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5240 "klips_debug:ipsec_tunnel_init_devices: "
5241 "registering device %s\n",
5244 if (register_netdev(&dev_ipsec1) != 0)
5247 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5248 "klips_debug:ipsec_tunnel_init_devices: "
5249 "registering device %s\n",
5252 if (register_netdev(&dev_ipsec2) != 0)
5255 KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
5256 "klips_debug:ipsec_tunnel_init_devices: "
5257 "registering device %s\n",
5260 if (register_netdev(&dev_ipsec3) != 0)
5267 ipsec_tunnel_cleanup_devices(void)
5271 unregister_netdev(&dev_ipsec0);
5272 unregister_netdev(&dev_ipsec1);
5273 unregister_netdev(&dev_ipsec2);
5274 unregister_netdev(&dev_ipsec3);
5275 kfree(dev_ipsec0.priv);
5276 kfree(dev_ipsec1.priv);
5277 kfree(dev_ipsec2.priv);
5278 kfree(dev_ipsec3.priv);
5279 dev_ipsec0.priv=NULL;
5280 dev_ipsec1.priv=NULL;
5281 dev_ipsec2.priv=NULL;
5282 dev_ipsec3.priv=NULL;
5288 * $Log: ipsec_tunnel.c,v $
5289 * Revision 1.187 2002/03/23 19:55:17 rgb
5290 * Fix for 2.2 local IKE fragmentation blackhole. Still won't work if
5291 * iptraf or another pcap app is running.
5293 * Revision 1.186 2002/03/19 03:26:22 rgb
5294 * Applied DHR's tunnel patch to streamline IKE/specialSA processing.
5296 * Revision 1.185 2002/02/20 04:13:05 rgb
5297 * Send back ICMP_PKT_FILTERED upon %reject.
5299 * Revision 1.184 2002/01/29 17:17:56 mcr
5300 * moved include of ipsec_param.h to after include of linux/kernel.h
5301 * otherwise, it seems that some option that is set in ipsec_param.h
5302 * screws up something subtle in the include path to kernel.h, and
5303 * it complains on the snprintf() prototype.
5305 * Revision 1.183 2002/01/29 04:00:53 mcr
5306 * more excise of kversions.h header.
5308 * Revision 1.182 2002/01/29 02:13:18 mcr
5309 * introduction of ipsec_kversion.h means that include of
5310 * ipsec_param.h must preceed any decisions about what files to
5311 * include to deal with differences in kernel source.
5313 * Revision 1.181 2002/01/07 20:00:33 rgb
5314 * Added IKE destination port debugging.
5316 * Revision 1.180 2001/12/21 21:49:54 rgb
5317 * Fixed bug as a result of moving IKE bypass above %trap/%hold code.
5319 * Revision 1.179 2001/12/19 21:08:14 rgb
5320 * Added transport protocol ports to ipsec_print_ip().
5321 * Update eroute info for non-SA targets.
5322 * Added obey DF code disabled.
5323 * Fixed formatting bugs in ipsec_tunnel_hard_header().
5325 * Revision 1.178 2001/12/05 09:36:10 rgb
5326 * Moved the UDP/500 IKE check just above the %hold/%trap checks to avoid
5327 * IKE packets being stolen by the %hold (and returned to the sending KMd
5328 * in an ACQUIRE, ironically ;-).
5330 * Revision 1.177 2001/11/26 09:23:50 rgb
5331 * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
5333 * Revision 1.170.2.1 2001/09/25 02:28:27 mcr
5334 * struct tdb -> struct ipsec_sa.
5335 * lifetime checks moved to common routines.
5336 * cleaned up includes.
5338 * Revision 1.170.2.2 2001/10/22 21:08:01 mcr
5339 * include des.h, removed phony prototypes and fixed calling
5340 * conventions to match real prototypes.
5342 * Revision 1.176 2001/11/09 18:32:31 rgb
5343 * Added Hans Schultz' fragmented UDP/500 IKE socket port selector.
5345 * Revision 1.175 2001/11/06 20:47:00 rgb
5346 * Added Eric Espie's TRAPSUBNET fix, minus spin-lock-bh dabbling.
5348 * Revision 1.174 2001/11/06 19:50:43 rgb
5349 * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for
5350 * use also by pfkey_v2_parser.c
5352 * Revision 1.173 2001/10/29 21:53:44 henry
5353 * tone down the device-down message slightly, until we can make it smarter
5355 * Revision 1.172 2001/10/26 04:59:37 rgb
5356 * Added a critical level syslog message if an ipsec device goes down.
5358 * Revision 1.171 2001/10/18 04:45:21 rgb
5359 * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
5360 * lib/freeswan.h version macros moved to lib/kversions.h.
5361 * Other compiler directive cleanups.
5363 * Revision 1.170 2001/09/25 00:09:50 rgb
5364 * Added NetCelo's TRAPSUBNET code to convert a new type TRAPSUBNET into a
5367 * Revision 1.169 2001/09/15 16:24:05 rgb
5368 * Re-inject first and last HOLD packet when an eroute REPLACE is done.
5370 * Revision 1.168 2001/09/14 16:58:37 rgb
5371 * Added support for storing the first and last packets through a HOLD.
5373 * Revision 1.167 2001/09/08 21:13:33 rgb
5374 * Added pfkey ident extension support for ISAKMPd. (NetCelo)
5376 * Revision 1.166 2001/08/27 19:47:59 rgb
5377 * Clear tdb before usage.
5378 * Added comment: clear IF before calling routing?
5380 * Revision 1.165 2001/07/03 01:23:53 rgb
5381 * Send back ICMP iff DF set, !ICMP, offset==0, sysctl_icmp, iph->tot_len >
5382 * emtu, and don't drop.
5384 * Revision 1.164 2001/06/14 19:35:10 rgb
5385 * Update copyright date.
5387 * Revision 1.163 2001/06/06 20:28:51 rgb
5388 * Added sanity checks for NULL skbs and devices.
5389 * Added more debugging output to various functions.
5390 * Removed redundant dev->priv argument to ipsec_tunnel_{at,de}tach().
5391 * Renamed ipsec_tunnel_attach() virtual and physical device arguments.
5392 * Corrected neigh_setup() device function assignment.
5393 * Keep valid pointers to ipsec_tunnel_*() on detach.
5394 * Set dev->type to the originally-initiallised value.
5396 * Revision 1.162 2001/06/01 07:28:04 rgb
5397 * Added sanity checks for detached devices. Don't down virtual devices
5398 * to prevent packets going out in the clear if the detached device comes
5401 * Revision 1.161 2001/05/30 08:14:52 rgb
5402 * Removed vestiges of esp-null transforms.
5403 * NetDev Notifier instrumentation to track down disappearing devices.
5405 * Revision 1.160 2001/05/29 05:15:12 rgb
5406 * Added SS' PMTU patch which notifies sender if packet doesn't fit
5407 * physical MTU (if it wasn't ICMP) and then drops it.
5409 * Revision 1.159 2001/05/27 06:12:12 rgb
5410 * Added structures for pid, packet count and last access time to eroute.
5411 * Added packet count to beginning of /proc/net/ipsec_eroute.
5413 * Revision 1.158 2001/05/24 05:39:33 rgb
5414 * Applied source zeroing to 2.2 ip_route_output() call as well to enable
5415 * PASS eroutes for opportunism.
5417 * Revision 1.157 2001/05/23 22:35:28 rgb
5418 * 2.4 source override simplification.
5420 * Revision 1.156 2001/05/23 21:41:31 rgb
5421 * Added error return code printing on ip_route_output().
5423 * Revision 1.155 2001/05/23 05:09:13 rgb
5424 * Fixed incorrect ip_route_output() failure message.
5426 * Revision 1.154 2001/05/21 14:53:31 rgb
5427 * Added debug statement for case when ip_route_output() fails, causing
5428 * packet to be dropped, but log looked ok.
5430 * Revision 1.153 2001/05/19 02:37:54 rgb
5431 * Fixed missing comment termination.
5433 * Revision 1.152 2001/05/19 02:35:50 rgb
5434 * Debug code optimisation for non-debug speed.
5435 * Kernel version compiler define comments.
5436 * 2.2 and 2.4 kernel ip_send device and ip debug output added.
5438 * Revision 1.151 2001/05/18 16:17:35 rgb
5439 * Changed reference from "magic" to "shunt" SAs.
5441 * Revision 1.150 2001/05/18 16:12:19 rgb
5442 * Changed UDP/500 bypass test from 3 nested ifs to one anded if.
5444 * Revision 1.149 2001/05/16 04:39:33 rgb
5445 * Add default == eroute.dest to IKE bypass conditions for magic eroutes.
5447 * Revision 1.148 2001/05/05 03:31:41 rgb
5448 * IP frag debugging updates and enhancements.
5450 * Revision 1.147 2001/05/03 19:41:40 rgb
5451 * Added SS' skb_cow fix for 2.4.4.
5453 * Revision 1.146 2001/04/30 19:28:16 rgb
5454 * Update for 2.4.4. ip_select_ident() now has 3 args.
5456 * Revision 1.145 2001/04/23 14:56:10 rgb
5457 * Added spin_lock() check to prevent double-locking for multiple
5458 * transforms and hence kernel lock-ups with SMP kernels.
5460 * Revision 1.144 2001/04/21 23:04:45 rgb
5461 * Define out skb->used for 2.4 kernels.
5462 * Check if soft expire has already been sent before sending another to
5463 * prevent ACQUIRE flooding.
5465 * Revision 1.143 2001/03/16 07:37:21 rgb
5466 * Added comments to all #endifs.
5468 * Revision 1.142 2001/02/28 05:03:27 rgb
5469 * Clean up and rationalise startup messages.
5471 * Revision 1.141 2001/02/27 22:24:54 rgb
5472 * Re-formatting debug output (line-splitting, joining, 1arg/line).
5473 * Check for satoa() return codes.
5475 * Revision 1.140 2001/02/27 06:40:12 rgb
5476 * Fixed TRAP->HOLD eroute byte order.
5478 * Revision 1.139 2001/02/26 20:38:59 rgb
5479 * Added compiler defines for 2.4.x-specific code.
5481 * Revision 1.138 2001/02/26 19:57:27 rgb
5482 * Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
5483 * of the new SPD and to support opportunistic.
5484 * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
5486 * Revision 1.137 2001/02/19 22:29:49 rgb
5487 * Fixes for presence of active ipv6 segments which share ipsec physical
5490 * Revision 1.136 2001/01/29 22:30:38 rgb
5491 * Fixed minor acquire debug printing bug.
5493 * Revision 1.135 2001/01/29 22:19:45 rgb
5494 * Zero source address for 2.4 bypass route lookup.
5496 * Revision 1.134 2001/01/23 20:19:49 rgb
5497 * 2.4 fix to remove removed is_clone member.
5499 * Revision 1.133 2000/12/09 22:08:35 rgb
5500 * Fix NET_23 bug, should be NETDEV_23.
5502 * Revision 1.132 2000/12/01 06:54:50 rgb
5503 * Fix for new 2.4 IP TTL default variable name.
5505 * Revision 1.131 2000/11/09 20:52:15 rgb
5506 * More spinlock shuffling, locking earlier and unlocking later in rcv to
5507 * include ipcomp and prevent races, renaming some tdb variables that got
5508 * forgotten, moving some unlocks to include tdbs and adding a missing
5509 * unlock. Thanks to Svenning for some of these.
5511 * Revision 1.130 2000/11/09 20:11:22 rgb
5512 * Minor shuffles to fix non-standard kernel config option selection.
5514 * Revision 1.129 2000/11/06 04:32:49 rgb
5515 * Clean up debug printing.
5516 * Copy skb->protocol for all kernel versions.
5517 * Ditched spin_lock_irqsave in favour of spin_lock.
5518 * Disabled TTL decrement, done in ip_forward.
5519 * Added debug printing before pfkey_acquire().
5520 * Fixed printk-deltdbchain-spin_lock races (Svenning).
5521 * Use defaultTTL for 2.1+ kernels.
5522 * Add Svenning's adaptive content compression.
5523 * Fix up debug display arguments.
5525 * Revision 1.128 2000/09/28 00:58:57 rgb
5526 * Moved the IKE passthrough check after the eroute lookup so we can pass
5527 * IKE through intermediate tunnels.
5529 * Revision 1.127 2000/09/22 17:52:11 rgb
5530 * Fixed misleading ipcomp debug output.
5532 * Revision 1.126 2000/09/22 04:22:56 rgb
5533 * Fixed dumb spi->cpi conversion error.
5535 * Revision 1.125 2000/09/21 04:34:48 rgb
5536 * A few debug-specific things should be hidden under
5537 * CONFIG_IPSEC_DEBUG.(MB)
5538 * Improved ip_send() error handling.(MB)
5540 * Revision 1.124 2000/09/21 03:40:58 rgb
5541 * Added more debugging to try and track down the cpi outward copy problem.
5543 * Revision 1.123 2000/09/19 07:08:49 rgb
5544 * Added debugging to outgoing compression report.
5546 * Revision 1.122 2000/09/18 19:21:26 henry
5547 * RGB-supplied fix for RH5.2 problem
5549 * Revision 1.121 2000/09/17 21:05:09 rgb
5550 * Added tdb to skb_compress call to write in cpi.
5552 * Revision 1.120 2000/09/17 16:57:16 rgb
5553 * Added Svenning's patch to remove restriction of ipcomp to innermost
5556 * Revision 1.119 2000/09/15 11:37:01 rgb
5557 * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
5558 * IPCOMP zlib deflate code.
5560 * Revision 1.118 2000/09/15 04:57:16 rgb
5561 * Moved debug output after sanity check.
5562 * Added tos copy sysctl.
5564 * Revision 1.117 2000/09/12 03:22:51 rgb
5565 * Converted ipsec_icmp, no_eroute_pass, opportunistic and #if0 debugs to
5568 * Revision 1.116 2000/09/08 19:18:19 rgb
5569 * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
5570 * Added outgoing opportunistic hook, ifdef'ed out.
5572 * Revision 1.115 2000/08/30 05:27:29 rgb
5573 * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
5574 * Kill remainder of tdb_xform, tdb_xdata, xformsw.
5576 * Revision 1.114 2000/08/28 18:15:46 rgb
5577 * Added MB's nf-debug reset patch.
5579 * Revision 1.113 2000/08/27 02:26:40 rgb
5580 * Send all no-eroute-bypass, pluto-bypass and passthrough packets through
5581 * fragmentation machinery for 2.0, 2.2 and 2.4 kernels.
5583 * Revision 1.112 2000/08/20 21:37:33 rgb
5584 * Activated pfkey_expire() calls.
5585 * Added a hard/soft expiry parameter to pfkey_expire(). (Momchil)
5586 * Re-arranged the order of soft and hard expiry to conform to RFC2367.
5587 * Clean up references to CONFIG_IPSEC_PFKEYv2.
5589 * Revision 1.111 2000/08/01 14:51:51 rgb
5590 * Removed _all_ remaining traces of DES.
5592 * Revision 1.110 2000/07/28 14:58:31 rgb
5593 * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
5595 * Revision 1.109 2000/07/28 13:50:54 rgb
5596 * Changed enet_statistics to net_device_stats and added back compatibility
5599 * Revision 1.108 2000/05/16 03:03:11 rgb
5600 * Updates for 2.3.99pre8 from MB.
5602 * Revision 1.107 2000/05/10 23:08:21 rgb
5603 * Print a debug warning about bogus packets received by the outgoing
5604 * processing machinery only when klipsdebug is not set to none.
5605 * Comment out the device initialisation informational messages.
5607 * Revision 1.106 2000/05/10 19:17:14 rgb
5608 * Define an IP_SEND macro, intending to have all packet passthroughs
5609 * use fragmentation. This didn't quite work, but is a step in the
5611 * Added buffer allocation debugging statements.
5612 * Added configure option to shut off no eroute passthrough.
5613 * Only check usetime against soft and hard limits if the tdb has been
5615 * Cast output of ntohl so that the broken prototype doesn't make our
5618 * Revision 1.105 2000/03/22 16:15:37 rgb
5619 * Fixed renaming of dev_get (MB).
5621 * Revision 1.104 2000/03/16 14:04:15 rgb
5622 * Indented headers for readability.
5623 * Fixed debug scope to enable compilation with debug off.
5624 * Added macros for ip_chk_addr and IS_MYADDR for identifying self.
5626 * Revision 1.103 2000/03/16 07:11:07 rgb
5627 * Hardcode PF_KEYv2 support.
5628 * Fixed bug which allowed UDP/500 packet from another machine
5629 * through in the clear.
5630 * Added disabled skb->protocol fix for ISDN/ASYNC PPP from Matjaz Godec.
5632 * Revision 1.102 2000/03/14 12:26:59 rgb
5633 * Added skb->nfct support for clearing netfilter conntrack bits (MB).
5635 * Revision 1.101 2000/02/14 21:05:22 rgb
5636 * Added MB's netif_queue fix for kernels 2.3.43+.
5638 * Revision 1.100 2000/01/26 10:04:57 rgb
5639 * Fixed noisy 2.0 printk arguments.
5641 * Revision 1.99 2000/01/21 06:16:25 rgb
5642 * Added sanity checks on skb_push(), skb_pull() to prevent panics.
5643 * Switched to AF_ENCAP macro.
5644 * Shortened debug output per packet and re-arranging debug_tunnel
5645 * bitmap flags, while retaining necessary information to avoid
5646 * trampling the kernel print ring buffer.
5647 * Reformatted recursion switch code.
5648 * Changed all references to tdb_proto to tdb_said.proto for clarity.
5650 * Revision 1.98 2000/01/13 08:09:31 rgb
5651 * Shuffled debug_tunnel switches to focus output.
5652 * Fixed outgoing recursion bug, limiting to recursing only if the remote
5653 * SG changes and if it is valid, ie. not passthrough.
5654 * Clarified a number of debug messages.
5656 * Revision 1.97 2000/01/10 16:37:16 rgb
5657 * MB support for new ip_select_ident() upon disappearance of
5658 * ip_id_count in 2.3.36+.
5660 * Revision 1.96 1999/12/31 14:59:08 rgb
5661 * MB fix to use new skb_copy_expand in kernel 2.3.35.
5663 * Revision 1.95 1999/12/29 21:15:44 rgb
5664 * Fix tncfg to aliased device bug.
5666 * Revision 1.94 1999/12/22 04:26:06 rgb
5667 * Converted all 'static' functions to 'DEBUG_NO_STATIC' to enable
5668 * debugging by providing external labels to all functions with debugging
5671 * Revision 1.93 1999/12/13 13:30:14 rgb
5672 * Changed MTU reports and HW address reporting back to debug only.
5674 * Revision 1.92 1999/12/07 18:57:56 rgb
5675 * Fix PFKEY symbol compile error (SADB_*) without pfkey enabled.
5677 * Revision 1.91 1999/12/01 22:15:36 rgb
5678 * Add checks for LARVAL and DEAD SAs.
5679 * Change state of SA from MATURE to DYING when a soft lifetime is
5680 * reached and print debug warning.
5682 * Revision 1.90 1999/11/23 23:04:04 rgb
5683 * Use provided macro ADDRTOA_BUF instead of hardcoded value.
5684 * Sort out pfkey and freeswan headers, putting them in a library path.
5686 * Revision 1.89 1999/11/18 18:50:59 rgb
5687 * Changed all device registrations for static linking to
5688 * dynamic to reduce the number and size of patches.
5690 * Revision 1.88 1999/11/18 04:09:19 rgb
5691 * Replaced all kernel version macros to shorter, readable form.
5693 * Revision 1.87 1999/11/17 15:53:40 rgb
5694 * Changed all occurrences of #include "../../../lib/freeswan.h"
5695 * to #include <freeswan.h> which works due to -Ilibfreeswan in the
5696 * klips/net/ipsec/Makefile.
5698 * Revision 1.86 1999/10/16 18:25:37 rgb
5699 * Moved SA lifetime expiry checks before packet processing.
5700 * Expire SA on replay counter rollover.
5702 * Revision 1.85 1999/10/16 04:24:31 rgb
5703 * Add stats for time since last packet.
5705 * Revision 1.84 1999/10/16 00:30:47 rgb
5706 * Added SA lifetime counting.
5708 * Revision 1.83 1999/10/15 22:15:57 rgb
5712 * Revision 1.82 1999/10/08 18:26:19 rgb
5713 * Fix 2.0.3x outgoing fragmented packet memory leak.
5715 * Revision 1.81 1999/10/05 02:38:54 rgb
5716 * Lower the default mtu of virtual devices to 16260.
5718 * Revision 1.80 1999/10/03 18:56:41 rgb
5719 * Spinlock support for 2.3.xx.
5720 * Don't forget to undo spinlocks on error!
5721 * Check for valid eroute before copying the structure.
5723 * Revision 1.79 1999/10/01 15:44:53 rgb
5724 * Move spinlock header include to 2.1> scope.
5726 * Revision 1.78 1999/10/01 00:02:43 rgb
5727 * Added tdb structure locking.
5728 * Added eroute structure locking.
5730 * Revision 1.77 1999/09/30 02:52:29 rgb
5731 * Add Marc Boucher's Copy-On-Write code (same as ipsec_rcv.c).
5733 * Revision 1.76 1999/09/25 19:31:27 rgb
5734 * Refine MSS hack to affect SYN, but not SYN+ACK packets.
5736 * Revision 1.75 1999/09/24 22:52:38 rgb
5737 * Fix two things broken in 2.0.38 by trying to fix network notifiers.
5739 * Revision 1.74 1999/09/24 00:30:37 rgb
5740 * Add test for changed source as well as destination to check for
5743 * Revision 1.73 1999/09/23 20:52:24 rgb
5744 * Add James Morris' MSS hack patch, disabled.
5746 * Revision 1.72 1999/09/23 20:22:40 rgb
5747 * Enable, tidy and fix network notifier code.
5749 * Revision 1.71 1999/09/23 18:09:05 rgb
5750 * Clean up 2.2.x fragmenting traces.
5751 * Disable dev->type switching, forcing ARPHRD_TUNNEL.
5753 * Revision 1.70 1999/09/22 14:14:24 rgb
5754 * Add sanity checks for revectored calls to prevent calling a downed I/F.
5756 * Revision 1.69 1999/09/21 15:00:57 rgb
5757 * Add Marc Boucher's packet size check.
5758 * Flesh out network device notifier code.
5760 * Revision 1.68 1999/09/18 11:39:57 rgb
5761 * Start to add (disabled) netdevice notifier code.
5763 * Revision 1.67 1999/09/17 23:44:40 rgb
5764 * Add a comment warning potential code hackers to stay away from mac.raw.
5766 * Revision 1.66 1999/09/17 18:04:02 rgb
5767 * Add fix for unpredictable hard_header_len for ISDN folks (thanks MB).
5768 * Ditch TTL decrement in 2.2 (MB).
5770 * Revision 1.65 1999/09/15 23:15:35 henry
5771 * Marc Boucher's PPP fixes
5773 * Revision 1.64 1999/09/07 13:40:53 rgb
5774 * Ditch unreliable references to skb->mac.raw.
5776 * Revision 1.63 1999/08/28 11:33:09 rgb
5777 * Check for null skb->mac pointer.
5779 * Revision 1.62 1999/08/28 02:02:30 rgb
5780 * Add Marc Boucher's fix for properly dealing with skb->sk.
5782 * Revision 1.61 1999/08/27 05:23:05 rgb
5783 * Clean up skb->data/raw/nh/h manipulation.
5784 * Add Marc Boucher's mods to aid tcpdump.
5785 * Add sanity checks to skb->raw/nh/h pointer copies in skb_copy_expand.
5786 * Re-order hard_header stripping -- might be able to remove it...
5788 * Revision 1.60 1999/08/26 20:01:02 rgb
5789 * Tidy up compiler directives and macros.
5790 * Re-enable ICMP for tunnels where inner_dst != outer_dst.
5791 * Remove unnecessary skb->dev = physdev assignment affecting 2.2.x.
5793 * Revision 1.59 1999/08/25 15:44:41 rgb
5794 * Clean up from 2.2.x instrumenting for compilation under 2.0.36.
5796 * Revision 1.58 1999/08/25 15:00:54 rgb
5797 * Add dst cache code for 2.2.xx.
5798 * Add sanity check for skb packet header pointers.
5799 * Add/modify debugging instrumentation to *_start_xmit, *_hard_header and
5801 * Add neigh_* cache code.
5802 * Change dev->type back to ARPHRD_TUNNEL.
5804 * Revision 1.57 1999/08/17 21:50:23 rgb
5805 * Fixed minor debug output bugs.
5806 * Regrouped error recovery exit code.
5807 * Added compiler directives to remove unwanted code and symbols.
5808 * Shut off ICMP messages: to be refined to only send ICMP to remote systems.
5809 * Add debugging code for output function addresses.
5810 * Fix minor bug in (possibly unused) header_cache_bind function.
5811 * Add device neighbour caching code.
5812 * Change dev->type from ARPHRD_TUNNEL to physdev->type.
5814 * Revision 1.56 1999/08/03 17:22:56 rgb
5815 * Debug output clarification using KERN_* macros. Other inactive changes
5818 * Revision 1.55 1999/08/03 16:58:46 rgb
5819 * Fix skb_copy_expand size bug. Was getting incorrect size.
5821 * Revision 1.54 1999/07/14 19:32:38 rgb
5822 * Fix oversize packet crash and ssh stalling in 2.2.x kernels.
5824 * Revision 1.53 1999/06/10 15:44:02 rgb
5825 * Minor reformatting and clean-up.
5827 * Revision 1.52 1999/05/09 03:25:36 rgb
5828 * Fix bug introduced by 2.2 quick-and-dirty patch.
5830 * Revision 1.51 1999/05/08 21:24:59 rgb
5831 * Add casting to silence the 2.2.x compile.
5833 * Revision 1.50 1999/05/05 22:02:32 rgb
5834 * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
5836 * Revision 1.49 1999/04/29 15:18:52 rgb
5837 * Change gettdb parameter to a pointer to reduce stack loading and
5838 * facilitate parameter sanity checking.
5839 * Fix undetected bug that might have tried to access a null pointer.
5840 * Eliminate unnessessary usage of tdb_xform member to further switch
5841 * away from the transform switch to the algorithm switch.
5842 * Add return values to init and cleanup functions.
5844 * Revision 1.48 1999/04/16 15:38:00 rgb
5845 * Minor rearrangement of freeing code to avoid memory leaks with impossible or
5848 * Revision 1.47 1999/04/15 15:37:25 rgb
5849 * Forward check changes from POST1_00 branch.
5851 * Revision 1.32.2.4 1999/04/13 21:00:18 rgb
5852 * Ditch 'things I wish I had known before...'.
5854 * Revision 1.32.2.3 1999/04/13 20:34:38 rgb
5855 * Free skb after fragmentation.
5856 * Use stats more effectively.
5857 * Add I/F to mtu notch-down reporting.
5859 * Revision 1.32.2.2 1999/04/02 04:26:14 rgb
5860 * Backcheck from HEAD, pre1.0.
5862 * Revision 1.46 1999/04/11 00:29:00 henry
5865 * Revision 1.45 1999/04/07 15:42:01 rgb
5866 * Fix mtu/ping bug AGAIN!
5868 * Revision 1.44 1999/04/06 04:54:27 rgb
5869 * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
5870 * patch shell fixes.
5872 * Revision 1.43 1999/04/04 03:57:07 rgb
5873 * ip_fragment() doesn't free the supplied skb. Freed.
5875 * Revision 1.42 1999/04/01 23:27:15 rgb
5876 * Preload size of virtual mtu.
5878 * Revision 1.41 1999/04/01 09:31:23 rgb
5879 * Invert meaning of ICMP PMTUD config option and clarify.
5882 * Revision 1.40 1999/04/01 04:37:17 rgb
5883 * SSH stalling bug fix.
5885 * Revision 1.39 1999/03/31 23:44:28 rgb
5886 * Don't send ICMP on DF and frag_off.
5888 * Revision 1.38 1999/03/31 15:20:10 rgb
5889 * Quiet down debugging.
5891 * Revision 1.37 1999/03/31 08:30:31 rgb
5892 * Add switch to shut off ICMP PMTUD packets.
5894 * Revision 1.36 1999/03/31 05:44:47 rgb
5895 * Keep PMTU reduction private.
5897 * Revision 1.35 1999/03/27 15:13:02 rgb
5898 * PMTU/fragmentation bug fix.
5900 * Revision 1.34 1999/03/17 21:19:26 rgb
5901 * Fix kmalloc nonatomic bug.
5903 * Revision 1.33 1999/03/17 15:38:42 rgb
5905 * ESP_NULL IV bug fix.
5907 * Revision 1.32 1999/03/01 20:44:25 rgb
5909 * Memory leak bug fix.
5911 * Revision 1.31 1999/02/27 00:02:09 rgb
5912 * Tune to report the MTU reduction once, rather than after every recursion
5913 * through the encapsulating code, preventing tcp stream stalling.
5915 * Revision 1.30 1999/02/24 20:21:01 rgb
5916 * Reformat debug printk's.
5917 * Fix recursive encapsulation, dynamic MTU bugs and add debugging code.
5920 * Revision 1.29 1999/02/22 17:08:14 rgb
5921 * Fix recursive encapsulation code.
5923 * Revision 1.28 1999/02/19 18:27:02 rgb
5924 * Improve DF, fragmentation and PMTU behaviour and add dynamic MTU discovery.
5926 * Revision 1.27 1999/02/17 16:51:37 rgb
5927 * Clean out unused cruft.
5928 * Temporarily tone down volume of debug output.
5929 * Temporarily shut off fragment rejection.
5930 * Disabled temporary failed recursive encapsulation loop.
5932 * Revision 1.26 1999/02/12 21:21:26 rgb
5933 * Move KLIPS_PRINT to ipsec_netlink.h for accessibility.
5935 * Revision 1.25 1999/02/11 19:38:27 rgb
5937 * Add sanity checking for skb_copy_expand() to prevent kernel panics on
5938 * skb_put() values out of range.
5939 * Fix head/tailroom calculation causing skb_put() out-of-range values.
5940 * Fix return values to prevent 'nonatomic alloc_skb' warnings.
5941 * Allocate new skb iff needed.
5942 * Added more debug statements.
5943 * Make headroom depend on structure, not hard-coded values.
5945 * Revision 1.24 1999/02/10 23:20:33 rgb
5946 * Shut up annoying 'statement has no effect' compiler warnings with
5947 * debugging compiled out.
5949 * Revision 1.23 1999/02/10 22:36:30 rgb
5950 * Clean-up obsolete, unused and messy code.
5951 * Converted most IPSEC_DEBUG statements to KLIPS_PRINT macros.
5952 * Rename ipsec_tunnel_do_xmit to ipsec_tunnel_start_xmit and eliminated
5953 * original ipsec_tunnel_start_xmit.
5954 * Send all packet with different inner and outer destinations directly to
5955 * the attached physical device, rather than back through ip_forward,
5956 * preventing disappearing routes problems.
5957 * Do sanity checking before investing too much CPU in allocating new
5959 * Fail on IP header options: We cannot process them yet.
5960 * Add some helpful comments.
5961 * Use virtual device for parameters instead of physical device.
5963 * Revision 1.22 1999/02/10 03:03:02 rgb
5964 * Duh. Fixed the TTL bug: forgot to update the checksum.
5966 * Revision 1.21 1999/02/09 23:17:53 rgb
5967 * Add structure members to ipsec_print_ip debug function.
5968 * Temporarily fix TTL bug preventing tunnel mode from functioning.
5970 * Revision 1.20 1999/02/09 00:14:25 rgb
5971 * Add KLIPSPRINT macro. (Not used yet, though.)
5972 * Delete old ip_tunnel code (BADCODE).
5973 * Decrement TTL in outgoing packet.
5974 * Set TTL on new IPIP_TUNNEL to default, not existing packet TTL.
5975 * Delete ethernet only feature and fix hard-coded hard_header_len.
5977 * Revision 1.19 1999/01/29 17:56:22 rgb
5978 * 64-bit re-fix submitted by Peter Onion.
5980 * Revision 1.18 1999/01/28 22:43:24 rgb
5981 * Fixed bug in ipsec_print_ip that caused an OOPS, found by P.Onion.
5983 * Revision 1.17 1999/01/26 02:08:16 rgb
5984 * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
5985 * Removed dead code.
5987 * Revision 1.16 1999/01/22 06:25:26 rgb
5989 * Added algorithm switch code.
5991 * Passthrough on IPIP protocol, spi 0x0 fix.
5992 * Enhanced debugging.
5994 * Revision 1.15 1998/12/01 13:22:04 rgb
5995 * Added support for debug printing of version info.
5997 * Revision 1.14 1998/11/30 13:22:55 rgb
5998 * Rationalised all the klips kernel file headers. They are much shorter
5999 * now and won't conflict under RH5.2.
6001 * Revision 1.13 1998/11/17 21:13:52 rgb
6002 * Put IKE port bypass debug output in user-switched debug statements.
6004 * Revision 1.12 1998/11/13 13:20:25 rgb
6005 * Fixed ntohs bug in udp/500 hole for IKE.
6007 * Revision 1.11 1998/11/10 08:01:19 rgb
6008 * Kill tcp/500 hole, keep udp/500 hole.
6010 * Revision 1.10 1998/11/09 21:29:26 rgb
6011 * If no eroute is found, discard packet and incr. tx_error.
6013 * Revision 1.9 1998/10/31 06:50:00 rgb
6014 * Add tcp/udp/500 bypass.
6015 * Fixed up comments in #endif directives.
6017 * Revision 1.8 1998/10/27 00:34:31 rgb
6018 * Reformat debug output of IP headers.
6019 * Newlines added before calls to ipsec_print_ip.
6021 * Revision 1.7 1998/10/19 14:44:28 rgb
6022 * Added inclusion of freeswan.h.
6023 * sa_id structure implemented and used: now includes protocol.
6025 * Revision 1.6 1998/10/09 04:31:35 rgb
6026 * Added 'klips_debug' prefix to all klips printk debug statements.
6028 * Revision 1.5 1998/08/28 03:09:51 rgb
6029 * Prevent kernel log spam with default route through ipsec.
6031 * Revision 1.4 1998/08/05 22:23:09 rgb
6032 * Change setdev return code to ENXIO for a non-existant physical device.
6034 * Revision 1.3 1998/07/29 20:41:11 rgb
6035 * Add ipsec_tunnel_clear to clear all tunnel attachments.
6037 * Revision 1.2 1998/06/25 20:00:33 rgb
6038 * Clean up #endif comments.
6039 * Rename dev_ipsec to dev_ipsec0 for consistency.
6040 * Document ipsec device fields.
6041 * Make ipsec_tunnel_probe visible from rest of kernel for static linking.
6042 * Get debugging report for *every* ipsec device initialisation.
6043 * Comment out redundant code.
6045 * Revision 1.1 1998/06/18 21:27:50 henry
6046 * move sources from klips/src to klips/net/ipsec, to keep stupid
6047 * kernel-build scripts happier in the presence of symlinks
6049 * Revision 1.8 1998/06/14 23:49:40 rgb
6050 * Clarify version reporting on module loading.
6052 * Revision 1.7 1998/05/27 23:19:20 rgb
6053 * Added version reporting.
6055 * Revision 1.6 1998/05/18 21:56:23 rgb
6056 * Clean up for numerical consistency of output and cleaning up debug code.
6058 * Revision 1.5 1998/05/12 02:44:23 rgb
6059 * Clarifying 'no e-route to host' message.
6061 * Revision 1.4 1998/04/30 15:34:35 rgb
6062 * Enclosed most remaining debugging statements in #ifdef's to make it quieter.
6064 * Revision 1.3 1998/04/21 21:28:54 rgb
6065 * Rearrange debug switches to change on the fly debug output from user
6066 * space. Only kernel changes checked in at this time. radij.c was also
6067 * changed to temporarily remove buggy debugging code in rj_delete causing
6068 * an OOPS and hence, netlink device open errors.
6070 * Revision 1.2 1998/04/12 22:03:24 rgb
6071 * Updated ESP-3DES-HMAC-MD5-96,
6072 * ESP-DES-HMAC-MD5-96,
6074 * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
6075 * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
6077 * Fixed eroute references in /proc/net/ipsec*.
6079 * Started to patch module unloading memory leaks in ipsec_netlink and
6080 * radij tree unloading.
6082 * Revision 1.1 1998/04/09 03:06:12 henry
6083 * sources moved up from linux/net/ipsec
6085 * Revision 1.1.1.1 1998/04/08 05:35:04 henry
6086 * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
6088 * Revision 0.5 1997/06/03 04:24:48 ji
6089 * Added transport mode.
6090 * Changed the way routing is done.
6091 * Lots of bug fixes.
6093 * Revision 0.4 1997/01/15 01:28:15 ji
6096 * Revision 0.3 1996/11/20 14:39:04 ji
6098 * Rationalized debugging code.
6100 * Revision 0.2 1996/11/02 00:18:33 ji
6101 * First limited release.