^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * xfrm4_input.c
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Changes:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) * YOSHIFUJI Hideaki @USAGI
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Split up af-specific portion
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Derek Atkins <derek@ihtfp.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * Add Encapsulation support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/slab.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/string.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/netfilter.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/netfilter_ipv4.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) #include <net/ip.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include <net/xfrm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) static int xfrm4_rcv_encap_finish2(struct net *net, struct sock *sk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) return dst_input(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) static inline int xfrm4_rcv_encap_finish(struct net *net, struct sock *sk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) if (!skb_dst(skb)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) const struct iphdr *iph = ip_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) if (ip_route_input_noref(skb, iph->daddr, iph->saddr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) iph->tos, skb->dev))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) if (xfrm_trans_queue(skb, xfrm4_rcv_encap_finish2))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) drop:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) kfree_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) return NET_RX_DROP;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) int xfrm4_transport_finish(struct sk_buff *skb, int async)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) struct xfrm_offload *xo = xfrm_offload(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) struct iphdr *iph = ip_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) #ifndef CONFIG_NETFILTER
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) if (!async)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) return -iph->protocol;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) #endif
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) __skb_push(skb, skb->data - skb_network_header(skb));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) iph->tot_len = htons(skb->len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) ip_send_check(iph);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) if (xo && (xo->flags & XFRM_GRO)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) skb_mac_header_rebuild(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) skb_reset_transport_header(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) dev_net(skb->dev), NULL, skb, skb->dev, NULL,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) xfrm4_rcv_encap_finish);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) /* If it's a keepalive packet, then just eat it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) * If it's an encapsulated packet, then pass it to the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) * IPsec xfrm input.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) * Returns 0 if skb passed to xfrm or was dropped.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) * Returns >0 if skb should be passed to UDP.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) * Returns <0 if skb should be resubmitted (-ret is protocol)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) struct udp_sock *up = udp_sk(sk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) struct udphdr *uh;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) struct iphdr *iph;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) int iphlen, len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) __u8 *udpdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) __be32 *udpdata32;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) __u16 encap_type = up->encap_type;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) /* if this is not encapsulated socket, then just return now */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) if (!encap_type)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) /* If this is a paged skb, make sure we pull up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) * whatever data we need to look at. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) len = skb->len - sizeof(struct udphdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) /* Now we can get the pointers */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) uh = udp_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) udpdata = (__u8 *)uh + sizeof(struct udphdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) udpdata32 = (__be32 *)udpdata;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) switch (encap_type) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) case UDP_ENCAP_ESPINUDP:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) /* Check if this is a keepalive packet. If so, eat it. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) if (len == 1 && udpdata[0] == 0xff) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) /* ESP Packet without Non-ESP header */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) len = sizeof(struct udphdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) /* Must be an IKE packet.. pass it through */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) case UDP_ENCAP_ESPINUDP_NON_IKE:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) /* Check if this is a keepalive packet. If so, eat it. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) if (len == 1 && udpdata[0] == 0xff) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) udpdata32[0] == 0 && udpdata32[1] == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) /* ESP Packet with Non-IKE marker */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) len = sizeof(struct udphdr) + 2 * sizeof(u32);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) } else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) /* Must be an IKE packet.. pass it through */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) return 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) break;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) /* At this point we are sure that this is an ESPinUDP packet,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) * so we need to remove 'len' bytes from the packet (the UDP
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) * header and optional ESP marker bytes) and then modify the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) * protocol to ESP, and then call into the transform receiver.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) if (skb_unclone(skb, GFP_ATOMIC))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) /* Now we can update and verify the packet length... */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) iph = ip_hdr(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) iphlen = iph->ihl << 2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) iph->tot_len = htons(ntohs(iph->tot_len) - len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) if (skb->len < iphlen + len) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) /* packet is too small!?! */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) goto drop;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) /* pull the data buffer up to the ESP header and set the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) * transport header to point to ESP. Keep UDP on the stack
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) * for later.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) __skb_pull(skb, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) skb_reset_transport_header(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) /* process ESP */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) return xfrm4_rcv_encap(skb, IPPROTO_ESP, 0, encap_type);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) drop:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) kfree_skb(skb);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) int xfrm4_rcv(struct sk_buff *skb)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) return xfrm4_rcv_spi(skb, ip_hdr(skb)->protocol, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) EXPORT_SYMBOL(xfrm4_rcv);
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags
| Donate