Commit 60d5fcfb19d8a958fc563e52240cd05ec23f36c9
Committed by
David S. Miller
1 parent
d26f398400
Exists in
master
and in
39 other branches
[IPSEC]: Remove nhoff from xfrm_input
The nhoff field isn't actually necessary in xfrm_input. For tunnel mode transforms we now throw away the output IP header so it makes no sense to fill in the nexthdr field. For transport mode we can now let the function transport_finish do the setting and it knows where the nexthdr field is. The only other thing that needs the nexthdr field to be set is the header extraction code. However, we can simply move the protocol extraction out of the generic header extraction. We want to minimise the amount of info we have to carry around between transforms as this simplifies the resumption process for async crypto. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 8 changed files with 16 additions and 15 deletions
include/net/xfrm.h
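--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -21,7 +21,6 @@
 return xfrm4_extract_header(skb);
 }
 
-#ifdef CONFIG_NETFILTER
 static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
 {
 if (skb->dst == NULL) {
 
@@ -36,12 +35,10 @@
 kfree_skb(skb);
 return NET_RX_DROP;
 }
-#endif
 
 int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
 int encap_type)
 {
- XFRM_SPI_SKB_CB(skb)->nhoff = offsetof(struct iphdr, protocol);
 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
 return xfrm_input(skb, nexthdr, spi, encap_type);
 }
 
 
@@ -49,16 +46,20 @@
 
 int xfrm4_transport_finish(struct sk_buff *skb, int async)
 {
+ struct iphdr *iph = ip_hdr(skb);
+
+ iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;
+
 #ifdef CONFIG_NETFILTER
 __skb_push(skb, skb->data - skb_network_header(skb));
- ip_hdr(skb)->tot_len = htons(skb->len);
- ip_send_check(ip_hdr(skb));
+ iph->tot_len = htons(skb->len);
+ ip_send_check(iph);
 
 NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
 xfrm4_rcv_encap_finish);
 return 0;
 #else
- return -ip_hdr(skb)->protocol;
+ return -iph->protocol;
 #endif
 }
 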
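Review bot: In xfrm4_transport_finish the new store `iph->protocol = XFRM_MODE_SKB_CB(skb)->protocol;` modifies the IPv4 header, but only the CONFIG_NETFILTER branch refreshes the checksum with `ip_send_check(iph)`; the `#else` branch returns `-iph->protocol` with a header whose checksum no longer matches the protocol byte. That is probably harmless if nothing re-validates the header after the return, which this page does not show, so it deserves a comment such as `/* header checksum is stale on this path; it is not re-verified on resubmit */` or a checksum refresh shared by both branches. Separately, the hunks at -21 and -36 drop the `#ifdef CONFIG_NETFILTER` guard around xfrm4_rcv_encap_finish although its only visible use is inside the NETFILTER branch, and the commit description does not say why.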
net/ipv4/xfrm4_output.c
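--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -56,7 +56,6 @@
 XFRM_MODE_SKB_CB(skb)->frag_off = iph->frag_off;
 XFRM_MODE_SKB_CB(skb)->tos = iph->tos;
 XFRM_MODE_SKB_CB(skb)->ttl = iph->ttl;
- XFRM_MODE_SKB_CB(skb)->protocol = iph->protocol;
 memset(XFRM_MODE_SKB_CB(skb)->flow_lbl, 0,
 sizeof(XFRM_MODE_SKB_CB(skb)->flow_lbl));
 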
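--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -23,7 +23,6 @@
 
 int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
 {
- XFRM_SPI_SKB_CB(skb)->nhoff = IP6CB(skb)->nhoff;
 XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
 return xfrm_input(skb, nexthdr, spi, 0);
 }
@@ -31,6 +30,9 @@
 
 int xfrm6_transport_finish(struct sk_buff *skb, int async)
 {
+ skb_network_header(skb)[IP6CB(skb)->nhoff] =
+ XFRM_MODE_SKB_CB(skb)->protocol;
+
 #ifdef CONFIG_NETFILTER
 ipv6_hdr(skb)->payload_len = htons(skb->len);
 __skb_push(skb, skb->data - skb_network_header(skb));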
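Review bot: The store added at the top of xfrm6_transport_finish indexes the network header with `IP6CB(skb)->nhoff` read at finish time, whereas the line removed from xfrm6_rcv_spi captured that offset on entry. `IP6CB` and `XFRM_MODE_SKB_CB` both look like views of the same skb control block, so the write lands on the right byte only if nothing between entry and finish has overwritten the nhoff field; that matters more once input can be resumed asynchronously, as the description intends. I would document the dependency above the store, e.g. `/* relies on IP6CB(skb)->nhoff surviving in the cb across xfrm_input() */`, after confirming the control-block layout in include/net/xfrm.h, which this page does not show. The body of xfrm6_transport_finish continues past the end of the hunk.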
net/ipv6/xfrm6_output.c
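--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -178,8 +178,6 @@
 XFRM_MODE_SKB_CB(skb)->frag_off = htons(IP_DF);
 XFRM_MODE_SKB_CB(skb)->tos = ipv6_get_dsfield(iph);
 XFRM_MODE_SKB_CB(skb)->ttl = iph->hop_limit;
- XFRM_MODE_SKB_CB(skb)->protocol =
- skb_network_header(skb)[IP6CB(skb)->nhoff];
 memcpy(XFRM_MODE_SKB_CB(skb)->flow_lbl, iph->flow_lbl,
 sizeof(XFRM_MODE_SKB_CB(skb)->flow_lbl));
 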
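--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -102,7 +102,6 @@
 __be32 seq;
 struct xfrm_state *x;
 int decaps = 0;
- unsigned int nhoff = XFRM_SPI_SKB_CB(skb)->nhoff;
 unsigned int daddroff = XFRM_SPI_SKB_CB(skb)->daddroff;
 
 /* Allocate new secpath or COW existing one. */
@@ -157,8 +156,6 @@
 goto drop_unlock;
 }
 
- skb_network_header(skb)[nhoff] = nexthdr;
-
 /* only the first xfrm gets the encap type */
 encap_type = 0;
 
@@ -169,6 +166,8 @@
 x->curlft.packets++;
 
 spin_unlock(&x->lock);
+
+ XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
 
 if (x->inner_mode->input(x, skb))
 goto drop;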
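Review bot: The assignment `XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;` added in the last hunk is, in the files shown here, the only place the inner protocol is recorded, yet nothing on the line says it presumably has to precede `x->inner_mode->input(x, skb)` or that xfrm4_transport_finish and xfrm6_transport_finish later copy it back into the packet header. A short comment would guard against a later reordering, for example `/* record the next header in the cb; the transport_finish hooks write it back into the packet */`. `nexthdr` is an `int` in the callers shown on this page, so the store presumably narrows into a byte-sized field; error values appear to be filtered by the `goto drop_unlock` path above, but that check lies outside the hunk and should be confirmed. xfrm_input begins and ends outside the visible hunks.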