Re: [RFC][PATCH][IPSEC][2/3] IPv6 over IPv4 IPsec tunnel
From: Noriaki TAKAMIYA <[EMAIL PROTECTED]> Date: Tue, 20 Feb 2007 12:24:32 +0900 (JST) > More fix is needed for __xfrm6_bundle_create(). > > Signed-off-by: Noriaki TAKAMIYA <[EMAIL PROTECTED]> > Acked-by: Masahide NAKAMURA <[EMAIL PROTECTED]> > > -- > fixed to set fl_tunnel.fl6_src correctly in xfrm6_bundle_create(). Patch applied, thank you very much. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC][PATCH][IPSEC][2/3] IPv6 over IPv4 IPsec tunnel
Hi, More fix is needed for __xfrm6_bundle_create(). Signed-off-by: Noriaki TAKAMIYA <[EMAIL PROTECTED]> Acked-by: Masahide NAKAMURA <[EMAIL PROTECTED]> -- fixed to set fl_tunnel.fl6_src correctly in xfrm6_bundle_create(). --- net/ipv6/xfrm6_policy.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index b1133f2..d8a585b 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -189,7 +189,7 @@ __xfrm6_bundle_create(struct xfrm_policy case AF_INET6: ipv6_addr_copy(&fl_tunnel.fl6_dst, __xfrm6_bundle_addr_remote(xfrm[i], &fl->fl6_dst)); - ipv6_addr_copy(&fl_tunnel.fl6_src, __xfrm6_bundle_addr_remote(xfrm[i], &fl->fl6_src)); + ipv6_addr_copy(&fl_tunnel.fl6_src, __xfrm6_bundle_addr_local(xfrm[i], &fl->fl6_src)); break; default: BUG_ON(1); -- Noriaki TAKAMIYA - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC][PATCH][IPSEC][2/3] IPv6 over IPv4 IPsec tunnel
From: Masahide NAKAMURA <[EMAIL PROTECTED]> Date: Sat, 10 Feb 2007 12:25:33 +0900 > Please give me comments for the attached patch. > I hope it will be applied (or replaced the original patch with including > mine). Thank you Mashide, I've applied your patch for now. If anyone wants to provide some corrections, we can make them on top of Mashide's version of the fix. Thank you! - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC][PATCH][IPSEC][2/3] IPv6 over IPv4 IPsec tunnel
Hello,
Kazunori MIYAZAWA wrote:
> This is the patch to support IPv6 over IPv4 IPsec
>
> Signed-off-by: Miika Komu <[EMAIL PROTECTED]>
> Signed-off-by: Diego Beltrami <[EMAIL PROTECTED]>
> Signed-off-by: Kazunori Miyazawa <[EMAIL PROTECTED]>
This seems to break Mobile IPv6 route optimization (RO).
(This patch is commited as c82f963efe823d3cacaf1f1b7f1a35cc9628b188
to David's tree.)
Please find my comment below.
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 8dffd4d..a1ac537 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -131,13 +131,11 @@ __xfrm6_bundle_create(struct xfrm_policy
> struct dst_entry *dst, *dst_prev;
> struct rt6_info *rt0 = (struct rt6_info*)(*dst_p);
> struct rt6_info *rt = rt0;
> - struct in6_addr *remote = &fl->fl6_dst;
> - struct in6_addr *local = &fl->fl6_src;
> struct flowi fl_tunnel = {
> .nl_u = {
> .ip6_u = {
> - .saddr = *local,
> - .daddr = *remote
> + .saddr = fl->fl6_src,
> + .daddr = fl->fl6_dst,
> }
> }
> };
> @@ -153,7 +151,6 @@ __xfrm6_bundle_create(struct xfrm_policy
> for (i = 0; i < nx; i++) {
> struct dst_entry *dst1 = dst_alloc(&xfrm6_dst_ops);
> struct xfrm_dst *xdst;
> - int tunnel = 0;
>
> if (unlikely(dst1 == NULL)) {
> err = -ENOBUFS;
> @@ -177,19 +174,27 @@ __xfrm6_bundle_create(struct xfrm_policy
>
> dst1->next = dst_prev;
> dst_prev = dst1;
> - if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
> - remote = __xfrm6_bundle_addr_remote(xfrm[i], remote);
> - local = __xfrm6_bundle_addr_local(xfrm[i], local);
> - tunnel = 1;
> - }
> +
> __xfrm6_bundle_len_inc(&header_len, &nfheader_len, xfrm[i]);
> trailer_len += xfrm[i]->props.trailer_len;
>
> - if (tunnel) {
> - ipv6_addr_copy(&fl_tunnel.fl6_dst, remote);
> - ipv6_addr_copy(&fl_tunnel.fl6_src, local);
> - err = xfrm_dst_lookup((struct xfrm_dst **) &rt,
> - &fl_tunnel, AF_INET6);
> + if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL) {
> + unsigned short encap_family = xfrm[i]->props.family;
> + switch(encap_family) {
> + case AF_INET:
> + fl_tunnel.fl4_dst = xfrm[i]->id.daddr.a4;
> + fl_tunnel.fl4_src = xfrm[i]->props.saddr.a4;
> + break;
> + case AF_INET6:
> + ipv6_addr_copy(&fl_tunnel.fl6_dst, (struct
> in6_addr*)&xfrm[i]->id.daddr.a6);
> + ipv6_addr_copy(&fl_tunnel.fl6_src, (struct
> in6_addr*)&xfrm[i]->props.saddr.a6);
> + break;
> + default:
> + BUG_ON(1);
> + }
> +
> + err = xfrm_dst_lookup((struct xfrm_dst **) &rt,
> + &fl_tunnel, encap_family);
> if (err)
> goto error;
> } else
You missed RO mode path when you changed semantics to check the mode
from "xfrm[i]->props.mode != XFRM_MODE_TRANSPORT"
to "xfrm[i]->props.mode == XFRM_MODE_TUNNEL" before
changing address. Your patch also makes two incline functions
__xfrm6_bundle_addr_{remote,local} are used by nobody.
I suggest a fix to add "|| xfrm[i]->props.mode == XFRM_MODE_ROUTEOPTIMIZATION"
there
to make it clearer for other developers about RO-is-there than restoring the
code.
# FYI, we don't have to fix another side of inter-family IPsec tunneling
(xfrm4_policy.c)
# where you have similar patch (IPv4 over IPv6 IPsec tunnel) because the RO
# is used only for the case of "IPv6 flow and IPv6 extension headers".
Please give me comments for the attached patch.
I hope it will be applied (or replaced the original patch with including mine).
Regards,
--
Masahide NAKAMURA
From ce9f1ac8c8df22b462a15d4609d05ec939930208 Mon Sep 17 00:00:00 2001
From: Masahide NAKAMURA <[EMAIL PROTECTED]>
Date: Sat, 10 Feb 2007 11:48:49 +0900
Subject: [PATCH][XFRM] IPV6: Fix outbound RO transformation which is broken by
IPsec tunnel patch.
It seems to miss RO mode path by IPv6 over IPv4 IPsec tunnel patch
when it changed semantics to check the mode from
"xfrm[i]->props.mode != XFRM_MODE_TRANSPORT" to
"xfrm[i]->props.mode == XFRM_MODE_TUNNEL" before changing address.
It also makes two incline functions __xfrm6_bundle_addr_{remote,local}
are used by nobody.
This patch fixes it.
Signed-off-by: Masahide NAKAMURA <[
[RFC][PATCH][IPSEC][2/3] IPv6 over IPv4 IPsec tunnel
This is the patch to support IPv6 over IPv4 IPsec
Signed-off-by: Miika Komu <[EMAIL PROTECTED]>
Signed-off-by: Diego Beltrami <[EMAIL PROTECTED]>
Signed-off-by: Kazunori Miyazawa <[EMAIL PROTECTED]>
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index e23c21d..e54c549 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -23,6 +23,12 @@ static inline void ipip_ecn_decapsulate(
IP_ECN_set_ce(inner_iph);
}
+static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff
*skb)
+{
+ if (INET_ECN_is_ce(iph->tos))
+ IP6_ECN_set_ce(skb->nh.ipv6h);
+}
+
/* Add encapsulation header.
*
* The top IP header will be constructed per RFC 2401. The following fields
@@ -36,6 +42,7 @@ static inline void ipip_ecn_decapsulate(
static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
{
struct dst_entry *dst = skb->dst;
+ struct xfrm_dst *xdst = (struct xfrm_dst*)dst;
struct iphdr *iph, *top_iph;
int flags;
@@ -48,15 +55,27 @@ static int xfrm4_tunnel_output(struct xf
top_iph->ihl = 5;
top_iph->version = 4;
+ flags = x->props.flags;
+
/* DS disclosed */
- top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
+ if (xdst->route->ops->family == AF_INET) {
+ top_iph->protocol = IPPROTO_IPIP;
+ top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
+ top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
+ 0 : (iph->frag_off & htons(IP_DF));
+ }
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+ else {
+ struct ipv6hdr *ipv6h = (struct ipv6hdr*)iph;
+ top_iph->protocol = IPPROTO_IPV6;
+ top_iph->tos = INET_ECN_encapsulate(iph->tos,
ipv6_get_dsfield(ipv6h));
+ top_iph->frag_off = 0;
+ }
+#endif
- flags = x->props.flags;
if (flags & XFRM_STATE_NOECN)
IP_ECN_clear(top_iph);
- top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
- 0 : (iph->frag_off & htons(IP_DF));
if (!top_iph->frag_off)
__ip_select_ident(top_iph, dst->child, 0);
@@ -64,7 +83,6 @@ static int xfrm4_tunnel_output(struct xf
top_iph->saddr = x->props.saddr.a4;
top_iph->daddr = x->id.daddr.a4;
- top_iph->protocol = IPPROTO_IPIP;
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
return 0;
@@ -75,8 +93,16 @@ static int xfrm4_tunnel_input(struct xfr
struct iphdr *iph = skb->nh.iph;
int err = -EINVAL;
- if (iph->protocol != IPPROTO_IPIP)
- goto out;
+ switch(iph->protocol){
+ case IPPROTO_IPIP:
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+ case IPPROTO_IPV6:
+ break;
+#endif
+ default:
+ goto out;
+ }
+
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
goto out;
@@ -84,10 +110,19 @@ static int xfrm4_tunnel_input(struct xfr
(err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
goto out;
- if (x->props.flags & XFRM_STATE_DECAP_DSCP)
- ipv4_copy_dscp(iph, skb->h.ipiph);
- if (!(x->props.flags & XFRM_STATE_NOECN))
- ipip_ecn_decapsulate(skb);
+ if (iph->protocol == IPPROTO_IPIP) {
+ if (x->props.flags & XFRM_STATE_DECAP_DSCP)
+ ipv4_copy_dscp(iph, skb->h.ipiph);
+ if (!(x->props.flags & XFRM_STATE_NOECN))
+ ipip_ecn_decapsulate(skb);
+ }
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+ else {
+ if (!(x->props.flags & XFRM_STATE_NOECN))
+ ipip6_ecn_decapsulate(iph, skb);
+ skb->protocol = htons(ETH_P_IPV6);
+ }
+#endif
skb->mac.raw = memmove(skb->data - skb->mac_len,
skb->mac.raw, skb->mac_len);
skb->nh.raw = skb->data;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 8dffd4d..a1ac537 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -131,13 +131,11 @@ __xfrm6_bundle_create(struct xfrm_policy
struct dst_entry *dst, *dst_prev;
struct rt6_info *rt0 = (struct rt6_info*)(*dst_p);
struct rt6_info *rt = rt0;
- struct in6_addr *remote = &fl->fl6_dst;
- struct in6_addr *local = &fl->fl6_src;
struct flowi fl_tunnel = {
.nl_u = {
.ip6_u = {
- .saddr = *local,
- .daddr = *remote
+ .saddr = fl->fl6_src,
+ .daddr = fl->fl6_dst,
}
}
};
@@ -153,7 +151,6 @@ __xfrm6_bundle_create(struct xfrm_policy
