33
33
#include <linux/types.h> /* size_t */
34
34
#include <linux/interrupt.h> /* mark_bh */
38
#include <linux/skbuff.h>
36
40
#include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
37
41
#include <linux/etherdevice.h> /* eth_type_trans */
38
42
#include <linux/ip.h> /* struct iphdr */
39
#include <linux/tcp.h> /* struct tcphdr */
40
#include <linux/udp.h> /* struct udphdr */
41
43
#include <linux/skbuff.h>
44
48
# include <asm/uaccess.h>
45
49
# include <linux/in6.h>
60
64
#include <linux/if_arp.h>
62
#include "freeswan/radij.h"
63
#include "freeswan/ipsec_life.h"
64
#include "freeswan/ipsec_xform.h"
65
#include "freeswan/ipsec_eroute.h"
66
#include "freeswan/ipsec_encap.h"
67
#include "freeswan/ipsec_radij.h"
68
#include "freeswan/ipsec_sa.h"
69
#include "freeswan/ipsec_tunnel.h"
70
#include "freeswan/ipsec_xmit.h"
71
#include "freeswan/ipsec_ipe4.h"
72
#include "freeswan/ipsec_ah.h"
73
#include "freeswan/ipsec_esp.h"
66
#include "openswan/ipsec_kversion.h"
67
#include "openswan/radij.h"
68
#include "openswan/ipsec_life.h"
69
#include "openswan/ipsec_xform.h"
70
#include "openswan/ipsec_eroute.h"
71
#include "openswan/ipsec_encap.h"
72
#include "openswan/ipsec_radij.h"
73
#include "openswan/ipsec_sa.h"
74
#include "openswan/ipsec_tunnel.h"
75
#include "openswan/ipsec_xmit.h"
76
#include "openswan/ipsec_ipe4.h"
77
#include "openswan/ipsec_ah.h"
78
#include "openswan/ipsec_esp.h"
79
#include "openswan/ipsec_kern24.h"
75
81
#include <pfkeyv2.h>
78
#include "freeswan/ipsec_proto.h"
79
#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
84
#include "openswan/ipsec_proto.h"
85
#ifdef CONFIG_KLIPS_NAT_TRAVERSAL
80
86
#include <linux/udp.h>
83
89
static __u32 zeroes[64];
85
#ifdef CONFIG_IPSEC_DEBUG
91
#ifdef CONFIG_KLIPS_DEBUG
86
92
int debug_tunnel = 0;
87
#endif /* CONFIG_IPSEC_DEBUG */
93
#endif /* CONFIG_KLIPS_DEBUG */
89
95
DEBUG_NO_STATIC int
90
ipsec_tunnel_open(struct device *dev)
96
ipsec_tunnel_open(struct net_device *dev)
92
98
struct ipsecpriv *prv = dev->priv;
199
209
ixs->eroute = ipsec_findroute(&ixs->matcher);
201
211
if(ixs->iph->protocol == IPPROTO_UDP) {
203
ixs->sport=ntohs(ixs->skb->sk->sport);
204
ixs->dport=ntohs(ixs->skb->sk->dport);
205
} else if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
206
((ixs->skb->len - ixs->hard_header_len) >=
207
((ixs->iph->ihl << 2) + sizeof(struct udphdr)))) {
208
ixs->sport=ntohs(((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)))->source);
209
ixs->dport=ntohs(((struct udphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl<<2)))->dest);
211
ixs->sport=0; ixs->dport=0;
212
struct udphdr *t = NULL;
214
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
215
"klips_debug:udp port check: "
216
"fragoff: %d len: %d>%ld \n",
217
ntohs(ixs->iph->frag_off) & IP_OFFSET,
218
(ixs->skb->len - ixs->hard_header_len),
219
(unsigned long int) ((ixs->iph->ihl << 2) + sizeof(struct udphdr)));
221
if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
222
((ixs->skb->len - ixs->hard_header_len) >=
223
((ixs->iph->ihl << 2) + sizeof(struct udphdr))))
225
t =((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
226
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
227
"klips_debug:udp port in packet: "
229
ntohs(t->source), ntohs(t->dest));
232
ixs->sport=0; ixs->dport=0;
238
us = (struct udp_sock *)ixs->skb->sk;
240
ixs->sport = ntohs(us->inet.sport);
241
ixs->dport = ntohs(us->inet.dport);
243
ixs->sport = ntohs(ixs->skb->sk->sport);
244
ixs->dport = ntohs(ixs->skb->sk->dport);
250
if(ixs->sport == 0) {
251
ixs->sport = ntohs(t->source);
253
if(ixs->dport == 0) {
254
ixs->dport = ntohs(t->dest);
260
* practically identical to above, but let's be careful about
263
if(ixs->iph->protocol == IPPROTO_TCP) {
264
struct tcphdr *t = NULL;
266
if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
267
((ixs->skb->len - ixs->hard_header_len) >=
268
((ixs->iph->ihl << 2) + sizeof(struct tcphdr)))) {
269
t =((struct tcphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)));
272
ixs->sport=0; ixs->dport=0;
276
struct tcp_tw_bucket *tw;
278
tw = (struct tcp_tw_bucket *)ixs->skb->sk;
280
ixs->sport = ntohs(tw->tw_sport);
281
ixs->dport = ntohs(tw->tw_dport);
283
ixs->sport = ntohs(ixs->skb->sk->sport);
284
ixs->dport = ntohs(ixs->skb->sk->dport);
289
if(ixs->sport == 0) {
290
ixs->sport = ntohs(t->source);
292
if(ixs->dport == 0) {
293
ixs->dport = ntohs(t->dest);
215
298
/* default to a %drop eroute */
216
299
ixs->outgoing_said.proto = IPPROTO_INT;
217
300
ixs->outgoing_said.spi = htonl(SPI_DROP);
232
* Quick cheat for now...are we udp/500? If so, let it through
315
* cheat for now...are we udp/500? If so, let it through
233
316
* without interference since it is most likely an IKE packet.
236
319
if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
320
&& (ixs->eroute==NULL
238
321
|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
239
322
|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
241
&& ((ixs->sport == 500) || (ixs->sport == 4500))) {
242
/* Whatever the eroute, this is an IKE message
323
&& (ixs->iph->protocol == IPPROTO_UDP && ixs->sport == 500)) {
324
/* Whatever the eroute, this is an IKE message
243
325
* from us (i.e. not being forwarded).
244
326
* Furthermore, if there is a tunnel eroute,
245
327
* the destination is the peer for this eroute.
246
328
* So %pass the packet: modify the default %drop.
248
331
ixs->outgoing_said.spi = htonl(SPI_PASS);
249
332
if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
250
333
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
251
334
"klips_debug:ipsec_xmit_SAlookup: "
252
335
"local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
254
} else if (ixs->eroute) {
340
#ifdef KLIPS_EXCEPT_DNS53
343
* if we are udp/53 or tcp/53, also let it through a %trap or %hold,
344
* since it is DNS, but *also* follow the %trap.
346
* we do not do this for tunnels, only %trap's and %hold's.
350
if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
351
&& (ixs->eroute==NULL
352
|| ixs->iph->daddr == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr
353
|| INADDR_ANY == ixs->eroute->er_said.dst.u.v4.sin_addr.s_addr)
354
&& ((ixs->iph->protocol == IPPROTO_UDP
355
|| ixs->iph->protocol == IPPROTO_TCP)
356
&& ixs->dport == 53)) {
358
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
359
"klips_debug:ipsec_xmit_SAlookup: "
360
"possible DNS packet\n");
364
if(ixs->eroute->er_said.spi == htonl(SPI_TRAP)
365
|| ixs->eroute->er_said.spi == htonl(SPI_HOLD))
367
ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
373
ixs->outgoing_said.spi = htonl(SPI_PASSTRAP);
377
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
378
"klips_debug:ipsec_xmit_SAlookup: "
379
"bypass = %d\n", bypass);
383
&& ((ntohs(ixs->iph->frag_off) & IP_MF) != 0))
385
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
386
"klips_debug:ipsec_xmit_SAlookup: "
387
"local port 53 (probably DNS) passthrough:"
388
"base fragment, rest of fragments will "
389
"probably get filtered.\n");
394
if (bypass==FALSE && ixs->eroute) {
255
395
ixs->eroute->er_count++;
256
396
ixs->eroute->er_lasttime = jiffies/HZ;
257
397
if(ixs->eroute->er_said.proto==IPPROTO_INT
258
&& ixs->eroute->er_said.spi==htonl(SPI_HOLD)) {
398
&& ixs->eroute->er_said.spi==htonl(SPI_HOLD))
259
400
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
260
401
"klips_debug:ipsec_xmit_SAlookup: "
261
402
"shunt SA of HOLD: skb stored in HOLD.\n");
542
687
* and that skb is filled properly by that function.
545
ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
690
ipsec_tunnel_start_xmit(struct sk_buff *skb, struct net_device *dev)
547
692
struct ipsec_xmit_state ixs_mem;
548
693
struct ipsec_xmit_state *ixs = &ixs_mem;
549
694
enum ipsec_xmit_value stat;
551
#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
696
#ifdef CONFIG_KLIPS_NAT_TRAVERSAL
552
697
ixs->natt_type = 0, ixs->natt_head = 0;
553
698
ixs->natt_sport = 0, ixs->natt_dport = 0;
1571
1718
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1574
ipsec_tunnel_probe(struct device *dev)
1721
ipsec_tunnel_probe(struct net_device *dev)
1576
1723
ipsec_tunnel_init(dev);
1580
struct device *ipsecdevices[IPSEC_NUM_IF];
1727
struct net_device *ipsecdevices[IPSEC_NUM_IF];
1583
1730
ipsec_tunnel_init_devices(void)
1586
1733
char name[IFNAMSIZ];
1587
struct device *dev_ipsec;
1734
struct net_device *dev_ipsec;
1589
1736
KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1590
1737
"klips_debug:ipsec_tunnel_init_devices: "
1591
1738
"creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
1593
(unsigned long) (sizeof(struct device) + IFNAMSIZ),
1740
(unsigned long) (sizeof(struct net_device) + IFNAMSIZ),
1596
1743
for(i = 0; i < IPSEC_NUM_IF; i++) {
1597
1744
sprintf(name, IPSEC_DEV_FORMAT, i);
1598
dev_ipsec = (struct device*)kmalloc(sizeof(struct device), GFP_KERNEL);
1745
dev_ipsec = (struct net_device*)kmalloc(sizeof(struct net_device), GFP_KERNEL);
1599
1746
if (dev_ipsec == NULL) {
1600
1747
KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
1601
1748
"klips_debug:ipsec_tunnel_init_devices: "
1683
1830
* $Log: ipsec_tunnel.c,v $
1831
* Revision 1.227 2004/12/10 21:16:08 ken
1832
* 64bit fixes from Opteron port of KLIPS 2.6
1834
* Revision 1.226 2004/12/04 07:11:23 mcr
1835
* fix for snmp SIOCPRIVATE use of snmpd.
1836
* http://bugs.xelerance.com/view.php?id=144
1838
* Revision 1.225 2004/12/03 21:25:57 mcr
1839
* compile time fixes for running on 2.6.
1840
* still experimental.
1842
* Revision 1.224 2004/08/14 03:28:24 mcr
1843
* fixed log comment to remove warning about embedded comment.
1845
* Revision 1.223 2004/08/04 15:57:07 mcr
1846
* moved des .h files to include/des/ *
1847
* included 2.6 protocol specific things
1848
* started at NAT-T support, but it will require a kernel patch.
1850
* Revision 1.222 2004/08/03 18:19:08 mcr
1851
* in 2.6, use "net_device" instead of #define device->net_device.
1852
* this probably breaks 2.0 compiles.
1854
* Revision 1.221 2004/07/10 19:11:18 mcr
1855
* CONFIG_IPSEC -> CONFIG_KLIPS.
1857
* Revision 1.220 2004/04/06 02:49:26 mcr
1858
* pullup of algo code from alg-branch.
1684
1860
* Revision 1.219 2004/02/03 03:13:17 mcr
1685
1861
* minor edits for readability, and error reporting.