~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/netfilter/ipvs/ip_vs_proto_ah_esp.c

Version: ~ [ linux-5.12-rc1 ] ~ [ linux-5.11.2 ] ~ [ linux-5.10.19 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.101 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.177 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.222 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.258 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.258 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * ip_vs_proto_ah_esp.c:        AH/ESP IPSec load balancing support for IPVS
  3  *
  4  * Authors:     Julian Anastasov <ja@ssi.bg>, February 2002
  5  *              Wensong Zhang <wensong@linuxvirtualserver.org>
  6  *
  7  *              This program is free software; you can redistribute it and/or
  8  *              modify it under the terms of the GNU General Public License
  9  *              version 2 as published by the Free Software Foundation;
 10  *
 11  */
 12 
 13 #define KMSG_COMPONENT "IPVS"
 14 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
 15 
 16 #include <linux/in.h>
 17 #include <linux/ip.h>
 18 #include <linux/module.h>
 19 #include <linux/kernel.h>
 20 #include <linux/netfilter.h>
 21 #include <linux/netfilter_ipv4.h>
 22 
 23 #include <net/ip_vs.h>
 24 
 25 
 26 /* TODO:
 27 
 28 struct isakmp_hdr {
 29         __u8            icookie[8];
 30         __u8            rcookie[8];
 31         __u8            np;
 32         __u8            version;
 33         __u8            xchgtype;
 34         __u8            flags;
 35         __u32           msgid;
 36         __u32           length;
 37 };
 38 
 39 */
 40 
 41 #define PORT_ISAKMP     500
 42 
 43 static void
 44 ah_esp_conn_fill_param_proto(struct netns_ipvs *ipvs, int af,
 45                              const struct ip_vs_iphdr *iph,
 46                              struct ip_vs_conn_param *p)
 47 {
 48         if (likely(!ip_vs_iph_inverse(iph)))
 49                 ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP,
 50                                       &iph->saddr, htons(PORT_ISAKMP),
 51                                       &iph->daddr, htons(PORT_ISAKMP), p);
 52         else
 53                 ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP,
 54                                       &iph->daddr, htons(PORT_ISAKMP),
 55                                       &iph->saddr, htons(PORT_ISAKMP), p);
 56 }
 57 
 58 static struct ip_vs_conn *
 59 ah_esp_conn_in_get(struct netns_ipvs *ipvs, int af, const struct sk_buff *skb,
 60                    const struct ip_vs_iphdr *iph)
 61 {
 62         struct ip_vs_conn *cp;
 63         struct ip_vs_conn_param p;
 64 
 65         ah_esp_conn_fill_param_proto(ipvs, af, iph, &p);
 66         cp = ip_vs_conn_in_get(&p);
 67         if (!cp) {
 68                 /*
 69                  * We are not sure if the packet is from our
 70                  * service, so our conn_schedule hook should return NF_ACCEPT
 71                  */
 72                 IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for outin packet "
 73                               "%s%s %s->%s\n",
 74                               ip_vs_iph_icmp(iph) ? "ICMP+" : "",
 75                               ip_vs_proto_get(iph->protocol)->name,
 76                               IP_VS_DBG_ADDR(af, &iph->saddr),
 77                               IP_VS_DBG_ADDR(af, &iph->daddr));
 78         }
 79 
 80         return cp;
 81 }
 82 
 83 
 84 static struct ip_vs_conn *
 85 ah_esp_conn_out_get(struct netns_ipvs *ipvs, int af, const struct sk_buff *skb,
 86                     const struct ip_vs_iphdr *iph)
 87 {
 88         struct ip_vs_conn *cp;
 89         struct ip_vs_conn_param p;
 90 
 91         ah_esp_conn_fill_param_proto(ipvs, af, iph, &p);
 92         cp = ip_vs_conn_out_get(&p);
 93         if (!cp) {
 94                 IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for inout packet "
 95                               "%s%s %s->%s\n",
 96                               ip_vs_iph_icmp(iph) ? "ICMP+" : "",
 97                               ip_vs_proto_get(iph->protocol)->name,
 98                               IP_VS_DBG_ADDR(af, &iph->saddr),
 99                               IP_VS_DBG_ADDR(af, &iph->daddr));
100         }
101 
102         return cp;
103 }
104 
105 
106 static int
107 ah_esp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
108                      struct ip_vs_proto_data *pd,
109                      int *verdict, struct ip_vs_conn **cpp,
110                      struct ip_vs_iphdr *iph)
111 {
112         /*
113          * AH/ESP is only related traffic. Pass the packet to IP stack.
114          */
115         *verdict = NF_ACCEPT;
116         return 0;
117 }
118 
119 #ifdef CONFIG_IP_VS_PROTO_AH
120 struct ip_vs_protocol ip_vs_protocol_ah = {
121         .name =                 "AH",
122         .protocol =             IPPROTO_AH,
123         .num_states =           1,
124         .dont_defrag =          1,
125         .init =                 NULL,
126         .exit =                 NULL,
127         .conn_schedule =        ah_esp_conn_schedule,
128         .conn_in_get =          ah_esp_conn_in_get,
129         .conn_out_get =         ah_esp_conn_out_get,
130         .snat_handler =         NULL,
131         .dnat_handler =         NULL,
132         .csum_check =           NULL,
133         .state_transition =     NULL,
134         .register_app =         NULL,
135         .unregister_app =       NULL,
136         .app_conn_bind =        NULL,
137         .debug_packet =         ip_vs_tcpudp_debug_packet,
138         .timeout_change =       NULL,           /* ISAKMP */
139 };
140 #endif
141 
142 #ifdef CONFIG_IP_VS_PROTO_ESP
143 struct ip_vs_protocol ip_vs_protocol_esp = {
144         .name =                 "ESP",
145         .protocol =             IPPROTO_ESP,
146         .num_states =           1,
147         .dont_defrag =          1,
148         .init =                 NULL,
149         .exit =                 NULL,
150         .conn_schedule =        ah_esp_conn_schedule,
151         .conn_in_get =          ah_esp_conn_in_get,
152         .conn_out_get =         ah_esp_conn_out_get,
153         .snat_handler =         NULL,
154         .dnat_handler =         NULL,
155         .csum_check =           NULL,
156         .state_transition =     NULL,
157         .register_app =         NULL,
158         .unregister_app =       NULL,
159         .app_conn_bind =        NULL,
160         .debug_packet =         ip_vs_tcpudp_debug_packet,
161         .timeout_change =       NULL,           /* ISAKMP */
162 };
163 #endif
164 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp