projects / mirror_ubuntu-hirsute-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
| 1da177e4 | 2 | /* |
| 409a1966 | 3 | * ip_vs_proto_ah_esp.c: AH/ESP IPSec load balancing support for IPVS |
| 1da177e4 | 4 | * |
| 1da177e4 LT |
5 | * Authors: Julian Anastasov <ja@ssi.bg>, February 2002 |
| 6 | * Wensong Zhang <wensong@linuxvirtualserver.org> | |
| 1da177e4 LT |
7 | */ |
| 8 | ||
| 9aada7ac HE |
9 | #define KMSG_COMPONENT "IPVS" |
| 10 | #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt | |
| 11 | ||
| 14c85021 ACM |
12 | #include <linux/in.h> |
| 13 | #include <linux/ip.h> | |
| 1da177e4 LT |
14 | #include <linux/module.h> |
| 15 | #include <linux/kernel.h> | |
| 16 | #include <linux/netfilter.h> | |
| 17 | #include <linux/netfilter_ipv4.h> | |
| 18 | ||
| 19 | #include <net/ip_vs.h> | |
| 20 | ||
| 21 | ||
| 22 | /* TODO: | |
| 23 | ||
| 24 | struct isakmp_hdr { | |
| 25 | __u8 icookie[8]; | |
| 26 | __u8 rcookie[8]; | |
| 27 | __u8 np; | |
| 28 | __u8 version; | |
| 29 | __u8 xchgtype; | |
| 30 | __u8 flags; | |
| 31 | __u32 msgid; | |
| 32 | __u32 length; | |
| 33 | }; | |
| 34 | ||
| 35 | */ | |
| 36 | ||
| 37 | #define PORT_ISAKMP 500 | |
| 38 | ||
| f11017ec | 39 | static void |
| 19913dec | 40 | ah_esp_conn_fill_param_proto(struct netns_ipvs *ipvs, int af, |
| 802c41ad | 41 | const struct ip_vs_iphdr *iph, |
| 6e67e586 | 42 | struct ip_vs_conn_param *p) |
| f11017ec | 43 | { |
| 802c41ad | 44 | if (likely(!ip_vs_iph_inverse(iph))) |
| 19913dec | 45 | ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP, |
| f11017ec SH |
46 | &iph->saddr, htons(PORT_ISAKMP), |
| 47 | &iph->daddr, htons(PORT_ISAKMP), p); | |
| 48 | else | |
| 19913dec | 49 | ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP, |
| f11017ec SH |
50 | &iph->daddr, htons(PORT_ISAKMP), |
| 51 | &iph->saddr, htons(PORT_ISAKMP), p); | |
| 52 | } | |
| 1da177e4 LT |
53 | |
| 54 | static struct ip_vs_conn * | |
| ab161976 | 55 | ah_esp_conn_in_get(struct netns_ipvs *ipvs, int af, const struct sk_buff *skb, |
| 802c41ad | 56 | const struct ip_vs_iphdr *iph) |
| 1da177e4 LT |
57 | { |
| 58 | struct ip_vs_conn *cp; | |
| f11017ec | 59 | struct ip_vs_conn_param p; |
| 1da177e4 | 60 | |
| 19913dec | 61 | ah_esp_conn_fill_param_proto(ipvs, af, iph, &p); |
| f11017ec | 62 | cp = ip_vs_conn_in_get(&p); |
| 1da177e4 LT |
63 | if (!cp) { |
| 64 | /* | |
| 65 | * We are not sure if the packet is from our | |
| 66 | * service, so our conn_schedule hook should return NF_ACCEPT | |
| 67 | */ | |
| 51ef348b JV |
68 | IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for outin packet " |
| 69 | "%s%s %s->%s\n", | |
| 802c41ad | 70 | ip_vs_iph_icmp(iph) ? "ICMP+" : "", |
| 9330419d | 71 | ip_vs_proto_get(iph->protocol)->name, |
| 51ef348b JV |
72 | IP_VS_DBG_ADDR(af, &iph->saddr), |
| 73 | IP_VS_DBG_ADDR(af, &iph->daddr)); | |
| 1da177e4 LT |
74 | } |
| 75 | ||
| 76 | return cp; | |
| 77 | } | |
| 78 | ||
| 79 | ||
| 80 | static struct ip_vs_conn * | |
| 0cf705c8 | 81 | ah_esp_conn_out_get(struct netns_ipvs *ipvs, int af, const struct sk_buff *skb, |
| 802c41ad | 82 | const struct ip_vs_iphdr *iph) |
| 1da177e4 LT |
83 | { |
| 84 | struct ip_vs_conn *cp; | |
| f11017ec | 85 | struct ip_vs_conn_param p; |
| 1da177e4 | 86 | |
| 19913dec | 87 | ah_esp_conn_fill_param_proto(ipvs, af, iph, &p); |
| f11017ec | 88 | cp = ip_vs_conn_out_get(&p); |
| 1da177e4 | 89 | if (!cp) { |
| 51ef348b JV |
90 | IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for inout packet " |
| 91 | "%s%s %s->%s\n", | |
| 802c41ad | 92 | ip_vs_iph_icmp(iph) ? "ICMP+" : "", |
| 9330419d | 93 | ip_vs_proto_get(iph->protocol)->name, |
| 51ef348b JV |
94 | IP_VS_DBG_ADDR(af, &iph->saddr), |
| 95 | IP_VS_DBG_ADDR(af, &iph->daddr)); | |
| 1da177e4 LT |
96 | } |
| 97 | ||
| 98 | return cp; | |
| 99 | } | |
| 100 | ||
| 101 | ||
| 102 | static int | |
| d8f44c33 EB |
103 | ah_esp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, |
| 104 | struct ip_vs_proto_data *pd, | |
| d4383f04 JDB |
105 | int *verdict, struct ip_vs_conn **cpp, |
| 106 | struct ip_vs_iphdr *iph) | |
| 1da177e4 LT |
107 | { |
| 108 | /* | |
| 409a1966 | 109 | * AH/ESP is only related traffic. Pass the packet to IP stack. |
| 1da177e4 LT |
110 | */ |
| 111 | *verdict = NF_ACCEPT; | |
| 112 | return 0; | |
| 113 | } | |
| 114 | ||
| 409a1966 | 115 | #ifdef CONFIG_IP_VS_PROTO_AH |
| 1da177e4 LT |
116 | struct ip_vs_protocol ip_vs_protocol_ah = { |
| 117 | .name = "AH", | |
| 118 | .protocol = IPPROTO_AH, | |
| 2ad17def | 119 | .num_states = 1, |
| 1da177e4 | 120 | .dont_defrag = 1, |
| 88fe2d37 HS |
121 | .init = NULL, |
| 122 | .exit = NULL, | |
| 409a1966 JV |
123 | .conn_schedule = ah_esp_conn_schedule, |
| 124 | .conn_in_get = ah_esp_conn_in_get, | |
| 125 | .conn_out_get = ah_esp_conn_out_get, | |
| 1da177e4 LT |
126 | .snat_handler = NULL, |
| 127 | .dnat_handler = NULL, | |
| 1da177e4 LT |
128 | .state_transition = NULL, |
| 129 | .register_app = NULL, | |
| 130 | .unregister_app = NULL, | |
| 131 | .app_conn_bind = NULL, | |
| 0d79641a | 132 | .debug_packet = ip_vs_tcpudp_debug_packet, |
| 1da177e4 | 133 | .timeout_change = NULL, /* ISAKMP */ |
| 1da177e4 | 134 | }; |
| 409a1966 JV |
135 | #endif |
| 136 | ||
| 137 | #ifdef CONFIG_IP_VS_PROTO_ESP | |
| 138 | struct ip_vs_protocol ip_vs_protocol_esp = { | |
| 139 | .name = "ESP", | |
| 140 | .protocol = IPPROTO_ESP, | |
| 141 | .num_states = 1, | |
| 142 | .dont_defrag = 1, | |
| 88fe2d37 HS |
143 | .init = NULL, |
| 144 | .exit = NULL, | |
| 409a1966 JV |
145 | .conn_schedule = ah_esp_conn_schedule, |
| 146 | .conn_in_get = ah_esp_conn_in_get, | |
| 147 | .conn_out_get = ah_esp_conn_out_get, | |
| 148 | .snat_handler = NULL, | |
| 149 | .dnat_handler = NULL, | |
| 409a1966 JV |
150 | .state_transition = NULL, |
| 151 | .register_app = NULL, | |
| 152 | .unregister_app = NULL, | |
| 153 | .app_conn_bind = NULL, | |
| 0d79641a | 154 | .debug_packet = ip_vs_tcpudp_debug_packet, |
| 409a1966 JV |
155 | .timeout_change = NULL, /* ISAKMP */ |
| 156 | }; | |
| 157 | #endif |