authorSteffen Klassert <steffen.klassert@secunet.com>2022-12-22 09:35:58 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2022-12-22 11:29:27 +0100
commit40e33b819407cc753c87441225eabf29323baefe (patch)
tree361f1fd0daf64c080216c038675ae78e75cea91b
parent5f813ab23c7d597a3970713da1e0a9e77fb6015c (diff)
downloadlinux-stk-ipsec-next-for-v6.3.tar.gz
xfrm: Restructure the xfrm control buffer.ipsec-next-for-v6.3
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-rw-r--r--include/net/xfrm.h36
-rw-r--r--net/ipv4/esp4_offload.c8
-rw-r--r--net/ipv4/ip_vti.c12
-rw-r--r--net/ipv4/xfrm4_protocol.c12
-rw-r--r--net/ipv6/esp6_offload.c10
-rw-r--r--net/ipv6/ip6_vti.c9
-rw-r--r--net/ipv6/xfrm6_input.c9
-rw-r--r--net/ipv6/xfrm6_protocol.c12
-rw-r--r--net/xfrm/xfrm_input.c18
9 files changed, 60 insertions, 66 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 640f5244241257..d15a5587382f63 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -603,23 +603,12 @@ struct xfrm_mgr {
void xfrm_register_km(struct xfrm_mgr *km);
void xfrm_unregister_km(struct xfrm_mgr *km);
-struct xfrm_tunnel_skb_cb {
- union {
- struct ip_tunnel *ip4;
- struct ip6_tnl *ip6;
- } tunnel;
-};
-
-#define XFRM_TUNNEL_SKB_CB(__skb) ((struct xfrm_tunnel_skb_cb *)&((__skb)->cb[0]))
-
/*
* This structure is used for the duration where packets are being
* transformed by IPsec. As soon as the packet leaves IPsec the
* area beyond the generic IP part may be overwritten.
*/
struct xfrm_skb_cb {
- struct xfrm_tunnel_skb_cb header;
-
/* Sequence number for replay protection. */
union {
struct {
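Review bot: The comment kept above `struct xfrm_skb_cb` still says the area "beyond the generic IP part" may be overwritten, but with `struct xfrm_tunnel_skb_cb header` removed the struct now begins directly with the `seq` union and has no such leading part. I would reword it along the lines of `/* Overlays skb->cb from offset 0 while IPsec transforms the packet; contents are not preserved once the packet leaves IPsec. */`, with the exact guarantee to be confirmed by the author. The struct body continues outside this hunk.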
@@ -631,6 +620,8 @@ struct xfrm_skb_cb {
__be32 hi;
} input;
} seq;
+
+ __u16 nhoff;
};
#define XFRM_SKB_CB(__skb) ((struct xfrm_skb_cb *)&((__skb)->cb[0]))
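Review bot: The new `__u16 nhoff` member has no comment, so its meaning has to be inferred from the callers. Going by the IPv6 hunks in this commit, it holds the offset that `xfrm6_transport_finish()` uses to index `skb_network_header(skb)`. A comment such as `/* IPv6 only: offset of the next-header byte from the network header, set by the receive entry point. */` would help. It is also worth stating that the IPv4 entry points leave it unset, which appears to be the case in the visible hunks.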
@@ -640,7 +631,7 @@ struct xfrm_skb_cb {
* to transmit header information to the mode input/output functions.
*/
struct xfrm_mode_skb_cb {
- struct xfrm_tunnel_skb_cb header;
+ struct xfrm_skb_cb header;
/* Copied from header for IPv4, always set to zero and DF for IPv6. */
__be16 id;
@@ -671,15 +662,18 @@ struct xfrm_mode_skb_cb {
* This structure is used by the input processing to locate the SPI and
* related information.
*/
-struct xfrm_spi_skb_cb {
- struct xfrm_tunnel_skb_cb header;
+struct xfrm_input_skb_cb {
+ struct xfrm_skb_cb header;
unsigned int daddroff;
unsigned int family;
- __be32 seq;
+ union {
+ struct ip_tunnel *ip4;
+ struct ip6_tnl *ip6;
+ } tunnel;
};
-#define XFRM_SPI_SKB_CB(__skb) ((struct xfrm_spi_skb_cb *)&((__skb)->cb[0]))
+#define XFRM_INPUT_SKB_CB(__skb) ((struct xfrm_input_skb_cb *)&((__skb)->cb[0]))
#ifdef CONFIG_AUDITSYSCALL
static inline struct audit_buffer *xfrm_audit_start(const char *op)
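Review bot: `struct xfrm_input_skb_cb` is cast straight over `skb->cb[0]` by `XFRM_INPUT_SKB_CB()`, and nothing in this hunk checks that the reshaped struct still fits in that buffer. It now embeds the full `struct xfrm_skb_cb` plus a pointer-sized `tunnel` union. Unless a check already exists outside the diff, add a compile-time bound next to the macro, e.g. `static_assert(sizeof(struct xfrm_input_skb_cb) <= sizeof_field(struct sk_buff, cb));`. The same applies to `struct xfrm_mode_skb_cb`, whose `header` member changes type in the previous hunk.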
@@ -1666,9 +1660,9 @@ int xfrm4_rcv(struct sk_buff *skb);
static inline int xfrm4_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
{
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
return xfrm_input(skb, nexthdr, spi, 0);
}
@@ -2101,11 +2095,11 @@ static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
switch(family) {
case AF_INET:
- if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
+ if (XFRM_INPUT_SKB_CB(skb)->tunnel.ip4)
tunnel = true;
break;
case AF_INET6:
- if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
+ if (XFRM_INPUT_SKB_CB(skb)->tunnel.ip6)
tunnel = true;
break;
}
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 8769bb669fdd63..de1bf94819723d 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -78,10 +78,10 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
skb->sk = NULL;
}
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
- XFRM_SPI_SKB_CB(skb)->seq = seq;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+ XFRM_SKB_CB(skb)->seq.input.low = seq;
/* We don't need to handle errors from xfrm_input, it does all
* the error handling and frees the resources on error. */
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 53bfd8af692036..4e8854279c9551 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -58,7 +58,7 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
goto drop;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = tunnel;
if (update_skb_dev)
skb->dev = tunnel->dev;
@@ -80,8 +80,8 @@ static int vti_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi,
static int vti_rcv(struct sk_buff *skb, __be32 spi, bool update_skb_dev)
{
- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
return vti_input(skb, ip_hdr(skb)->protocol, spi, 0, update_skb_dev);
}
@@ -97,7 +97,7 @@ static int vti_rcv_cb(struct sk_buff *skb, int err)
struct net_device *dev;
struct xfrm_state *x;
const struct xfrm_mode *inner_mode;
- struct ip_tunnel *tunnel = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4;
+ struct ip_tunnel *tunnel = XFRM_INPUT_SKB_CB(skb)->tunnel.ip4;
u32 orig_mark = skb->mark;
int ret;
@@ -473,8 +473,8 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
#if IS_ENABLED(CONFIG_INET_XFRM_TUNNEL)
static int vti_rcv_tunnel(struct sk_buff *skb)
{
- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
return vti_input(skb, IPPROTO_IPIP, ip_hdr(skb)->saddr, 0, false);
}
diff --git a/net/ipv4/xfrm4_protocol.c b/net/ipv4/xfrm4_protocol.c
index b146ce88c5d0c4..64566d6d7dc13a 100644
--- a/net/ipv4/xfrm4_protocol.c
+++ b/net/ipv4/xfrm4_protocol.c
@@ -65,9 +65,9 @@ int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
struct xfrm4_protocol *handler;
struct xfrm4_protocol __rcu **head = proto_handlers(nexthdr);
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
if (!head)
goto out;
@@ -98,7 +98,7 @@ static int xfrm4_esp_rcv(struct sk_buff *skb)
int ret;
struct xfrm4_protocol *handler;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = NULL;
for_each_protocol_rcu(esp4_handlers, handler)
if ((ret = handler->handler(skb)) != -EINVAL)
@@ -126,7 +126,7 @@ static int xfrm4_ah_rcv(struct sk_buff *skb)
int ret;
struct xfrm4_protocol *handler;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = NULL;
for_each_protocol_rcu(ah4_handlers, handler)
if ((ret = handler->handler(skb)) != -EINVAL)
@@ -154,7 +154,7 @@ static int xfrm4_ipcomp_rcv(struct sk_buff *skb)
int ret;
struct xfrm4_protocol *handler;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip4 = NULL;
for_each_protocol_rcu(ipcomp4_handlers, handler)
if ((ret = handler->handler(skb)) != -EINVAL)
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 395bfee94d8406..f07ce2e4ffa4ca 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -106,11 +106,11 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
if (!nhoff)
goto out;
- IP6CB(skb)->nhoff = nhoff;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
- XFRM_SPI_SKB_CB(skb)->seq = seq;
+ XFRM_SKB_CB(skb)->nhoff = nhoff;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET6;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+ XFRM_SKB_CB(skb)->seq.input.low = seq;
/* We don't need to handle errors from xfrm_input, it does all
* the error handling and frees the resources on error. */
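Review bot: `IP6CB(skb)->nhoff = nhoff;` is replaced rather than supplemented, so on this GRO path the offset now lives only in `XFRM_SKB_CB(skb)->nhoff`. `xfrm6_transport_finish()` is converted in this commit, but any reader outside the diff that still takes the offset from `IP6CB(skb)` after `xfrm_input()` would see whatever the xfrm control-buffer stores left in those bytes. I would check for remaining `IP6CB(skb)->nhoff` users on the IPsec receive path and record the result in the commit message. `esp6_gro_receive()` starts and ends outside this hunk.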
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 10b222865d46a8..66b28cbd4266b9 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -324,9 +324,10 @@ static int vti6_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi,
rcu_read_unlock();
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+ XFRM_SKB_CB(skb)->nhoff = IP6CB(skb)->nhoff;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = t;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET6;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
return xfrm_input(skb, nexthdr, spi, encap_type);
}
rcu_read_unlock();
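Review bot: The added `XFRM_SKB_CB(skb)->nhoff = IP6CB(skb)->nhoff;` is only correct because it runs before the three `XFRM_INPUT_SKB_CB(skb)` stores, and that ordering requirement is not written down. The xfrm macros cast `skb->cb[0]`, and `IP6CB()` presumably views the same bytes, so the later stores can overwrite the source field. A comment such as `/* Copy nhoff first: the XFRM_INPUT_SKB_CB stores below reuse the IP6CB area. */` would keep a later reshuffle from silently reading a clobbered offset. The identical sequence in `xfrm6_rcv_spi()` needs the same comment.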
@@ -349,7 +350,7 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
struct net_device *dev;
struct xfrm_state *x;
const struct xfrm_mode *inner_mode;
- struct ip6_tnl *t = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6;
+ struct ip6_tnl *t = XFRM_INPUT_SKB_CB(skb)->tunnel.ip6;
u32 orig_mark = skb->mark;
int ret;
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index cacf43f6ea3a07..063997666c8d8d 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -22,9 +22,10 @@
int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
struct ip6_tnl *t)
{
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+ XFRM_SKB_CB(skb)->nhoff = IP6CB(skb)->nhoff;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = t;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET6;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
return xfrm_input(skb, nexthdr, spi, 0);
}
EXPORT_SYMBOL(xfrm6_rcv_spi);
@@ -45,7 +46,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
struct xfrm_offload *xo = xfrm_offload(skb);
int nhlen = skb->data - skb_network_header(skb);
- skb_network_header(skb)[IP6CB(skb)->nhoff] =
+ skb_network_header(skb)[XFRM_SKB_CB(skb)->nhoff] =
XFRM_MODE_SKB_CB(skb)->protocol;
#ifndef CONFIG_NETFILTER
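Review bot: The store `skb_network_header(skb)[XFRM_SKB_CB(skb)->nhoff] = ...` takes its index from the xfrm control buffer without comparing it to `nhlen`, which is computed just above. The field is now filled by several separate entry points, so a missed initialisation becomes a one-byte write at an unintended offset. A cheap guard such as `if (WARN_ON_ONCE(XFRM_SKB_CB(skb)->nhoff >= nhlen))`, followed by the function's drop path, would make that case diagnosable instead. The body of `xfrm6_transport_finish()` continues outside this hunk, so the right error return has to be taken from there.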
diff --git a/net/ipv6/xfrm6_protocol.c b/net/ipv6/xfrm6_protocol.c
index ea2f805d3b014c..c1ab423046823d 100644
--- a/net/ipv6/xfrm6_protocol.c
+++ b/net/ipv6/xfrm6_protocol.c
@@ -66,9 +66,9 @@ int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
struct xfrm6_protocol *handler;
struct xfrm6_protocol __rcu **head = proto_handlers(nexthdr);
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
- XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->family = AF_INET6;
+ XFRM_INPUT_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
if (!head)
goto out;
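Review bot: `xfrm6_rcv_encap()` sets `tunnel.ip6`, `family` and `daddroff` but never stores `XFRM_SKB_CB(skb)->nhoff`, unlike `xfrm6_rcv_spi()` and `vti6_input_proto()` in this commit. `xfrm6_transport_finish()` now uses that field as the index for a write into the network header. A packet entering through this function could therefore arrive there with a stale offset, unless the handler invoked further down seeds it; that is not visible here, as the function body continues outside the hunk. If nothing else seeds it, add `XFRM_SKB_CB(skb)->nhoff = IP6CB(skb)->nhoff;` as the first statement of this block, ahead of the other control-buffer stores.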
@@ -111,7 +111,7 @@ static int xfrm6_esp_rcv(struct sk_buff *skb)
int ret;
struct xfrm6_protocol *handler;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = NULL;
for_each_protocol_rcu(esp6_handlers, handler)
if ((ret = handler->handler(skb)) != -EINVAL)
@@ -140,7 +140,7 @@ static int xfrm6_ah_rcv(struct sk_buff *skb)
int ret;
struct xfrm6_protocol *handler;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = NULL;
for_each_protocol_rcu(ah6_handlers, handler)
if ((ret = handler->handler(skb)) != -EINVAL)
@@ -169,7 +169,7 @@ static int xfrm6_ipcomp_rcv(struct sk_buff *skb)
int ret;
struct xfrm6_protocol *handler;
- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
+ XFRM_INPUT_SKB_CB(skb)->tunnel.ip6 = NULL;
for_each_protocol_rcu(ipcomp6_handlers, handler)
if ((ret = handler->handler(skb)) != -EINVAL)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 46ee3bb08bc03d..e3d38f554daf0d 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -522,21 +522,19 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
goto drop;
}
+
+ seq = XFRM_SKB_CB(skb)->seq.input.low;
family = x->outer_mode.family;
/* An encap_type of -1 indicates async resumption. */
if (encap_type < 0) {
async = 1;
- seq = XFRM_SKB_CB(skb)->seq.input.low;
goto resume;
} else {
/* GRO call */
- seq = XFRM_SPI_SKB_CB(skb)->seq;
if (xo && (xo->flags & CRYPTO_DONE)) {
crypto_done = true;
- family = XFRM_SPI_SKB_CB(skb)->family;
-
err = xfrm_input_check_offload(net, skb, x, xo);
if (err)
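Review bot: The `CRYPTO_DONE` branch no longer reloads `family` from the control buffer and keeps `x->outer_mode.family` instead, and `seq` is now loaded from `XFRM_SKB_CB(skb)->seq.input.low` before the `encap_type` test. Neither change is explained, and the commit has no description. In the visible hunks only `esp4_gro_receive()` and `esp6_gro_receive()` write that field, so the hoisted load may read an unset value on other paths. If both changes are intended, add a comment above the load such as `/* seq was stored by the GRO receive path or by the previous pass on async resume */` and say so in the commit message. The `/* GRO call */` comment also no longer sits next to any GRO-specific statement, and the surrounding block of `xfrm_input()` starts and ends outside this hunk.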
@@ -552,17 +550,17 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
goto lock;
}
- family = XFRM_SPI_SKB_CB(skb)->family;
+ family = XFRM_INPUT_SKB_CB(skb)->family;
/* if tunnel is present override skb->mark value with tunnel i_key */
switch (family) {
case AF_INET:
- if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
- mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
+ if (XFRM_INPUT_SKB_CB(skb)->tunnel.ip4)
+ mark = be32_to_cpu(XFRM_INPUT_SKB_CB(skb)->tunnel.ip4->parms.i_key);
break;
case AF_INET6:
- if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
- mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
+ if (XFRM_INPUT_SKB_CB(skb)->tunnel.ip6)
+ mark = be32_to_cpu(XFRM_INPUT_SKB_CB(skb)->tunnel.ip6->parms.i_key);
break;
}
@@ -580,7 +578,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
}
daddr = (xfrm_address_t *)(skb_network_header(skb) +
- XFRM_SPI_SKB_CB(skb)->daddroff);
+ XFRM_INPUT_SKB_CB(skb)->daddroff);
do {
sp = skb_sec_path(skb);