Commit 60d5fcfb19d8a958fc563e52240cd05ec23f36c9

Authored by Herbert Xu
Committed by David S. Miller
1 parent d26f398400

[IPSEC]: Remove nhoff from xfrm_input

The nhoff field isn't actually necessary in xfrm_input.  For tunnel
mode transforms we now throw away the output IP header so it makes no
sense to fill in the nexthdr field.  For transport mode we can now let
the function transport_finish do the setting and it knows where the
nexthdr field is.

The only other thing that needs the nexthdr field to be set is the
header extraction code.  However, we can simply move the protocol
extraction out of the generic header extraction.

We want to minimise the amount of info we have to carry around between
transforms as this simplifies the resumption process for async crypto.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 8 changed files with 16 additions and 15 deletions Side-by-side Diff

... ... @@ -534,7 +534,6 @@
534 534 struct inet6_skb_parm h6;
535 535 } header;
536 536  
537   - unsigned int nhoff;
538 537 unsigned int daddroff;
539 538 };
540 539  
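--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -21,7 +21,6 @@
 return xfrm4_extract_header(skb);
 }
 
-#ifdef CONFIG_NETFILTER
 static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
 {
 if (skb->dst == NULL) {
 
@@ -36,12 +35,10 @@
 kfree_skb(skb);
 return NET_RX_DROP;
 }
-#endif
 
 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
 int encap_type)
 {
- XFRM_SPI_SKB_CB(skb)->nhoff = offsetof(struct iphdr, protocol);
 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
 return xfrm_input(skb, nexthdr, spi, encap_type);
 }
 
 
@@ -49,16 +46,20 @@
 
 int xfrm4_transport_finish(struct sk_buff *skb, int async)
 {
+ struct iphdr *iph = ip_hdr(skb);
+
+ iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;
+
 #ifdef CONFIG_NETFILTER
 __skb_push(skb, skb->data - skb_network_header(skb));
- ip_hdr(skb)->tot_len = htons(skb->len);
- ip_send_check(ip_hdr(skb));
+ iph->tot_len = htons(skb->len);
+ ip_send_check(iph);
 
 NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
 xfrm4_rcv_encap_finish);
 return 0;
 #else
- return -ip_hdr(skb)->protocol;
+ return -iph->protocol;
 #endif
 }
 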
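Review bot: The new `iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;` in xfrm4_transport_finish sits above the `#ifdef CONFIG_NETFILTER`, so the header byte is rewritten in both builds, while `ip_send_check(iph)` runs only in the netfilter branch. In the `#else` path the function returns `-iph->protocol` with a header checksum that no longer matches the header, which is harmless only as long as nothing downstream re-validates it. A one-line comment above the store would record that, e.g. `/* header checksum is refreshed only on the CONFIG_NETFILTER path below */`. The store also trusts that skb->cb still holds the value written in xfrm_input, which matters for the async resumption the description mentions.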
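--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -47,6 +47,8 @@
 if (err)
 return err;
 
+ XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol;
+
 return xfrm4_extract_header(skb);
 }
 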
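Review bot: With the protocol copy removed from the shared extraction code (see the xfrm4_state.c and xfrm6_state.c sections), every caller of `xfrm4_extract_header` or `xfrm6_extract_header` now has to fill `XFRM_MODE_SKB_CB(skb)->protocol` itself, and nothing in the code says so. The same applies to the matching added line in net/ipv6/xfrm6_output.c. A comment above the new store, e.g. `/* xfrm4_extract_header() no longer sets ->protocol; callers must */`, would keep a future caller from consuming a stale control-block byte. The enclosing function starts outside this hunk.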
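--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -56,7 +56,6 @@
 XFRM_MODE_SKB_CB(skb)->frag_off = iph->frag_off;
 XFRM_MODE_SKB_CB(skb)->tos = iph->tos;
 XFRM_MODE_SKB_CB(skb)->ttl = iph->ttl;
- XFRM_MODE_SKB_CB(skb)->protocol = iph->protocol;
 memset(XFRM_MODE_SKB_CB(skb)->flow_lbl, 0,
 sizeof(XFRM_MODE_SKB_CB(skb)->flow_lbl));
 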
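--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -23,7 +23,6 @@
 
 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
 {
- XFRM_SPI_SKB_CB(skb)->nhoff = IP6CB(skb)->nhoff;
 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
 return xfrm_input(skb, nexthdr, spi, 0);
 }
@@ -31,6 +30,9 @@
 
 int xfrm6_transport_finish(struct sk_buff *skb, int async)
 {
+ skb_network_header(skb)[IP6CB(skb)->nhoff] =
+ XFRM_MODE_SKB_CB(skb)->protocol;
+
 #ifdef CONFIG_NETFILTER
 ipv6_hdr(skb)->payload_len = htons(skb->len);
 __skb_push(skb, skb->data - skb_network_header(skb));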
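Review bot: The added store in xfrm6_transport_finish, `skb_network_header(skb)[IP6CB(skb)->nhoff] = XFRM_MODE_SKB_CB(skb)->protocol;`, indexes the packet with an offset read from the control block at finish time, and nothing in this section bounds that offset. Before this change the offset was copied into XFRM_SPI_SKB_CB on entry to xfrm6_rcv_spi; now it has to survive every transform in between, which presumably holds because the xfrm cb structs start with the same `header` union, but the code does not say so. I would add a comment such as `/* relies on IP6CB(skb)->nhoff being preserved across the xfrm cb overlays */` so a later cb layout change does not turn this into a write at a stale offset. The function body continues past the end of the hunk.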
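--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -53,7 +53,8 @@
 if (err)
 return err;
 
- IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
+ XFRM_MODE_SKB_CB(skb)->protocol = ipv6_hdr(skb)->nexthdr;
+
 return xfrm6_extract_header(skb);
 }
 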
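--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -178,8 +178,6 @@
 XFRM_MODE_SKB_CB(skb)->frag_off = htons(IP_DF);
 XFRM_MODE_SKB_CB(skb)->tos = ipv6_get_dsfield(iph);
 XFRM_MODE_SKB_CB(skb)->ttl = iph->hop_limit;
- XFRM_MODE_SKB_CB(skb)->protocol =
- skb_network_header(skb)[IP6CB(skb)->nhoff];
 memcpy(XFRM_MODE_SKB_CB(skb)->flow_lbl, iph->flow_lbl,
 sizeof(XFRM_MODE_SKB_CB(skb)->flow_lbl));
 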
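--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -102,7 +102,6 @@
 __be32 seq;
 struct xfrm_state *x;
 int decaps = 0;
- unsigned int nhoff = XFRM_SPI_SKB_CB(skb)->nhoff;
 unsigned int daddroff = XFRM_SPI_SKB_CB(skb)->daddroff;
 
 /* Allocate new secpath or COW existing one. */
@@ -157,8 +156,6 @@
 goto drop_unlock;
 }
 
- skb_network_header(skb)[nhoff] = nexthdr;
-
 /* only the first xfrm gets the encap type */
 encap_type = 0;
 
@@ -169,6 +166,8 @@
 x->curlft.packets++;
 
 spin_unlock(&x->lock);
+
+ XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
 
 if (x->inner_mode->input(x, skb))
 goto drop;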
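Review bot: The new `XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;` in the last hunk stores an `int` into the control block with no range check in view; the test that ends in `goto drop_unlock` is only partly visible, so it is worth confirming that only a valid positive protocol number can reach this line. The store also has to stay ahead of `x->inner_mode->input(x, skb)` and of any async resume point, because the transport_finish functions now take the next header from the cb rather than from the packet, and the mode input handlers presumably do too. A short comment would pin that ordering, e.g. `/* consumed by inner_mode->input() and *_transport_finish() */`. The enclosing function begins and ends outside the hunks shown.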