xfrm: Add mode handlers for IPsec on layer 2
This patch adds a gso_segment and xmit callback for the xfrm_mode and implement these functions for tunnel and transport mode. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
21f42cc95f
commit
c35fe4106b
@ -444,6 +444,16 @@ struct xfrm_mode {
|
|||||||
*/
|
*/
|
||||||
int (*output)(struct xfrm_state *x, struct sk_buff *skb);
|
int (*output)(struct xfrm_state *x, struct sk_buff *skb);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Adjust pointers into the packet and do GSO segmentation.
|
||||||
|
*/
|
||||||
|
struct sk_buff *(*gso_segment)(struct xfrm_state *x, struct sk_buff *skb, netdev_features_t features);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Adjust pointers into the packet when IPsec is done at layer2.
|
||||||
|
*/
|
||||||
|
void (*xmit)(struct xfrm_state *x, struct sk_buff *skb);
|
||||||
|
|
||||||
struct xfrm_state_afinfo *afinfo;
|
struct xfrm_state_afinfo *afinfo;
|
||||||
struct module *owner;
|
struct module *owner;
|
||||||
unsigned int encap;
|
unsigned int encap;
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
#include <net/dst.h>
|
#include <net/dst.h>
|
||||||
#include <net/ip.h>
|
#include <net/ip.h>
|
||||||
#include <net/xfrm.h>
|
#include <net/xfrm.h>
|
||||||
|
#include <net/protocol.h>
|
||||||
|
|
||||||
/* Add encapsulation header.
|
/* Add encapsulation header.
|
||||||
*
|
*
|
||||||
@ -56,9 +57,40 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static struct sk_buff *xfrm4_transport_gso_segment(struct xfrm_state *x,
|
||||||
|
struct sk_buff *skb,
|
||||||
|
netdev_features_t features)
|
||||||
|
{
|
||||||
|
const struct net_offload *ops;
|
||||||
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
||||||
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
|
||||||
|
skb->transport_header += x->props.header_len;
|
||||||
|
ops = rcu_dereference(inet_offloads[xo->proto]);
|
||||||
|
if (likely(ops && ops->callbacks.gso_segment))
|
||||||
|
segs = ops->callbacks.gso_segment(skb, features);
|
||||||
|
|
||||||
|
return segs;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void xfrm4_transport_xmit(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
|
||||||
|
skb_reset_mac_len(skb);
|
||||||
|
pskb_pull(skb, skb->mac_len + sizeof(struct iphdr) + x->props.header_len);
|
||||||
|
|
||||||
|
if (xo->flags & XFRM_GSO_SEGMENT) {
|
||||||
|
skb_reset_transport_header(skb);
|
||||||
|
skb->transport_header -= x->props.header_len;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static struct xfrm_mode xfrm4_transport_mode = {
|
static struct xfrm_mode xfrm4_transport_mode = {
|
||||||
.input = xfrm4_transport_input,
|
.input = xfrm4_transport_input,
|
||||||
.output = xfrm4_transport_output,
|
.output = xfrm4_transport_output,
|
||||||
|
.gso_segment = xfrm4_transport_gso_segment,
|
||||||
|
.xmit = xfrm4_transport_xmit,
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
.encap = XFRM_MODE_TRANSPORT,
|
.encap = XFRM_MODE_TRANSPORT,
|
||||||
};
|
};
|
||||||
|
@ -96,11 +96,36 @@ out:
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static struct sk_buff *xfrm4_mode_tunnel_gso_segment(struct xfrm_state *x,
|
||||||
|
struct sk_buff *skb,
|
||||||
|
netdev_features_t features)
|
||||||
|
{
|
||||||
|
__skb_push(skb, skb->mac_len);
|
||||||
|
return skb_mac_gso_segment(skb, features);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
static void xfrm4_mode_tunnel_xmit(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
|
||||||
|
if (xo->flags & XFRM_GSO_SEGMENT) {
|
||||||
|
skb->network_header = skb->network_header - x->props.header_len;
|
||||||
|
skb->transport_header = skb->network_header +
|
||||||
|
sizeof(struct iphdr);
|
||||||
|
}
|
||||||
|
|
||||||
|
skb_reset_mac_len(skb);
|
||||||
|
pskb_pull(skb, skb->mac_len + x->props.header_len);
|
||||||
|
}
|
||||||
|
|
||||||
static struct xfrm_mode xfrm4_tunnel_mode = {
|
static struct xfrm_mode xfrm4_tunnel_mode = {
|
||||||
.input2 = xfrm4_mode_tunnel_input,
|
.input2 = xfrm4_mode_tunnel_input,
|
||||||
.input = xfrm_prepare_input,
|
.input = xfrm_prepare_input,
|
||||||
.output2 = xfrm4_mode_tunnel_output,
|
.output2 = xfrm4_mode_tunnel_output,
|
||||||
.output = xfrm4_prepare_output,
|
.output = xfrm4_prepare_output,
|
||||||
|
.gso_segment = xfrm4_mode_tunnel_gso_segment,
|
||||||
|
.xmit = xfrm4_mode_tunnel_xmit,
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
.encap = XFRM_MODE_TUNNEL,
|
.encap = XFRM_MODE_TUNNEL,
|
||||||
.flags = XFRM_MODE_FLAG_TUNNEL,
|
.flags = XFRM_MODE_FLAG_TUNNEL,
|
||||||
|
@ -13,6 +13,7 @@
|
|||||||
#include <net/dst.h>
|
#include <net/dst.h>
|
||||||
#include <net/ipv6.h>
|
#include <net/ipv6.h>
|
||||||
#include <net/xfrm.h>
|
#include <net/xfrm.h>
|
||||||
|
#include <net/protocol.h>
|
||||||
|
|
||||||
/* Add encapsulation header.
|
/* Add encapsulation header.
|
||||||
*
|
*
|
||||||
@ -61,9 +62,41 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static struct sk_buff *xfrm4_transport_gso_segment(struct xfrm_state *x,
|
||||||
|
struct sk_buff *skb,
|
||||||
|
netdev_features_t features)
|
||||||
|
{
|
||||||
|
const struct net_offload *ops;
|
||||||
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
||||||
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
|
||||||
|
skb->transport_header += x->props.header_len;
|
||||||
|
ops = rcu_dereference(inet6_offloads[xo->proto]);
|
||||||
|
if (likely(ops && ops->callbacks.gso_segment))
|
||||||
|
segs = ops->callbacks.gso_segment(skb, features);
|
||||||
|
|
||||||
|
return segs;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void xfrm6_transport_xmit(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
|
||||||
|
skb_reset_mac_len(skb);
|
||||||
|
pskb_pull(skb, skb->mac_len + sizeof(struct ipv6hdr) + x->props.header_len);
|
||||||
|
|
||||||
|
if (xo->flags & XFRM_GSO_SEGMENT) {
|
||||||
|
skb_reset_transport_header(skb);
|
||||||
|
skb->transport_header -= x->props.header_len;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static struct xfrm_mode xfrm6_transport_mode = {
|
static struct xfrm_mode xfrm6_transport_mode = {
|
||||||
.input = xfrm6_transport_input,
|
.input = xfrm6_transport_input,
|
||||||
.output = xfrm6_transport_output,
|
.output = xfrm6_transport_output,
|
||||||
|
.gso_segment = xfrm4_transport_gso_segment,
|
||||||
|
.xmit = xfrm6_transport_xmit,
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
.encap = XFRM_MODE_TRANSPORT,
|
.encap = XFRM_MODE_TRANSPORT,
|
||||||
};
|
};
|
||||||
|
@ -96,11 +96,35 @@ out:
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static struct sk_buff *xfrm6_mode_tunnel_gso_segment(struct xfrm_state *x,
|
||||||
|
struct sk_buff *skb,
|
||||||
|
netdev_features_t features)
|
||||||
|
{
|
||||||
|
__skb_push(skb, skb->mac_len);
|
||||||
|
return skb_mac_gso_segment(skb, features);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
static void xfrm6_mode_tunnel_xmit(struct xfrm_state *x, struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
|
||||||
|
if (xo->flags & XFRM_GSO_SEGMENT) {
|
||||||
|
skb->network_header = skb->network_header - x->props.header_len;
|
||||||
|
skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
|
||||||
|
}
|
||||||
|
|
||||||
|
skb_reset_mac_len(skb);
|
||||||
|
pskb_pull(skb, skb->mac_len + x->props.header_len);
|
||||||
|
}
|
||||||
|
|
||||||
static struct xfrm_mode xfrm6_tunnel_mode = {
|
static struct xfrm_mode xfrm6_tunnel_mode = {
|
||||||
.input2 = xfrm6_mode_tunnel_input,
|
.input2 = xfrm6_mode_tunnel_input,
|
||||||
.input = xfrm_prepare_input,
|
.input = xfrm_prepare_input,
|
||||||
.output2 = xfrm6_mode_tunnel_output,
|
.output2 = xfrm6_mode_tunnel_output,
|
||||||
.output = xfrm6_prepare_output,
|
.output = xfrm6_prepare_output,
|
||||||
|
.gso_segment = xfrm6_mode_tunnel_gso_segment,
|
||||||
|
.xmit = xfrm6_mode_tunnel_xmit,
|
||||||
.owner = THIS_MODULE,
|
.owner = THIS_MODULE,
|
||||||
.encap = XFRM_MODE_TUNNEL,
|
.encap = XFRM_MODE_TUNNEL,
|
||||||
.flags = XFRM_MODE_FLAG_TUNNEL,
|
.flags = XFRM_MODE_FLAG_TUNNEL,
|
||||||
|
Loading…
Reference in New Issue
Block a user