[deliverable/linux.git] / net / netfilter / ipvs / ip_vs_proto_ah_esp.c

/*
 * ip_vs_proto_ah_esp.c:	AH/ESP IPSec load balancing support for IPVS
 *
 * Authors:	Julian Anastasov <ja@ssi.bg>, February 2002
 *		Wensong Zhang <wensong@linuxvirtualserver.org>
 *
 *		This program is free software; you can redistribute it and/or
 *		modify it under the terms of the GNU General Public License
 *		version 2 as published by the Free Software Foundation;
 *
 */

#define KMSG_COMPONENT "IPVS"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt

#include <linux/in.h>
#include <linux/ip.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>

#include <net/ip_vs.h>


/* TODO:

struct isakmp_hdr {
	__u8		icookie[8];
	__u8		rcookie[8];
	__u8		np;
	__u8		version;
	__u8		xchgtype;
	__u8		flags;
	__u32		msgid;
	__u32		length;
};

*/

#define PORT_ISAKMP	500

static void
ah_esp_conn_fill_param_proto(struct netns_ipvs *ipvs, int af,
			     const struct ip_vs_iphdr *iph,
			     struct ip_vs_conn_param *p)
{
	if (likely(!ip_vs_iph_inverse(iph)))
		ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP,
				      &iph->saddr, htons(PORT_ISAKMP),
				      &iph->daddr, htons(PORT_ISAKMP), p);
	else
		ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP,
				      &iph->daddr, htons(PORT_ISAKMP),
				      &iph->saddr, htons(PORT_ISAKMP), p);
}

static struct ip_vs_conn *
ah_esp_conn_in_get(struct netns_ipvs *ipvs, int af, const struct sk_buff *skb,
		   const struct ip_vs_iphdr *iph)
{
	struct ip_vs_conn *cp;
	struct ip_vs_conn_param p;

	ah_esp_conn_fill_param_proto(ipvs, af, iph, &p);
	cp = ip_vs_conn_in_get(&p);
	if (!cp) {
		/*
		 * We are not sure if the packet is from our
		 * service, so our conn_schedule hook should return NF_ACCEPT
		 */
		IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for outin packet "
			      "%s%s %s->%s\n",
			      ip_vs_iph_icmp(iph) ? "ICMP+" : "",
			      ip_vs_proto_get(iph->protocol)->name,
			      IP_VS_DBG_ADDR(af, &iph->saddr),
			      IP_VS_DBG_ADDR(af, &iph->daddr));
	}

	return cp;
}


static struct ip_vs_conn *
ah_esp_conn_out_get(struct netns_ipvs *ipvs, int af, const struct sk_buff *skb,
		    const struct ip_vs_iphdr *iph)
{
	struct ip_vs_conn *cp;
	struct ip_vs_conn_param p;

	ah_esp_conn_fill_param_proto(ipvs, af, iph, &p);
	cp = ip_vs_conn_out_get(&p);
	if (!cp) {
		IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for inout packet "
			      "%s%s %s->%s\n",
			      ip_vs_iph_icmp(iph) ? "ICMP+" : "",
			      ip_vs_proto_get(iph->protocol)->name,
			      IP_VS_DBG_ADDR(af, &iph->saddr),
			      IP_VS_DBG_ADDR(af, &iph->daddr));
	}

	return cp;
}


static int
ah_esp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
		     struct ip_vs_proto_data *pd,
		     int *verdict, struct ip_vs_conn **cpp,
		     struct ip_vs_iphdr *iph)
{
	/*
	 * AH/ESP is only related traffic. Pass the packet to IP stack.
	 */
	*verdict = NF_ACCEPT;
	return 0;
}

#ifdef CONFIG_IP_VS_PROTO_AH
struct ip_vs_protocol ip_vs_protocol_ah = {
	.name =			"AH",
	.protocol =		IPPROTO_AH,
	.num_states =		1,
	.dont_defrag =		1,
	.init =			NULL,
	.exit =			NULL,
	.conn_schedule =	ah_esp_conn_schedule,
	.conn_in_get =		ah_esp_conn_in_get,
	.conn_out_get =		ah_esp_conn_out_get,
	.snat_handler =		NULL,
	.dnat_handler =		NULL,
	.csum_check =		NULL,
	.state_transition =	NULL,
	.register_app =		NULL,
	.unregister_app =	NULL,
	.app_conn_bind =	NULL,
	.debug_packet =		ip_vs_tcpudp_debug_packet,
	.timeout_change =	NULL,		/* ISAKMP */
};
#endif

#ifdef CONFIG_IP_VS_PROTO_ESP
struct ip_vs_protocol ip_vs_protocol_esp = {
	.name =			"ESP",
	.protocol =		IPPROTO_ESP,
	.num_states =		1,
	.dont_defrag =		1,
	.init =			NULL,
	.exit =			NULL,
	.conn_schedule =	ah_esp_conn_schedule,
	.conn_in_get =		ah_esp_conn_in_get,
	.conn_out_get =		ah_esp_conn_out_get,
	.snat_handler =		NULL,
	.dnat_handler =		NULL,
	.csum_check =		NULL,
	.state_transition =	NULL,
	.register_app =		NULL,
	.unregister_app =	NULL,
	.app_conn_bind =	NULL,
	.debug_packet =		ip_vs_tcpudp_debug_packet,
	.timeout_change =	NULL,		/* ISAKMP */
};
#endif
Commit	Line	Data
1da177e4	1	/*
409a1966	2	* ip_vs_proto_ah_esp.c: AH/ESP IPSec load balancing support for IPVS
1da177e4	3	*
1da177e4 LT	4	* Authors: Julian Anastasov <ja@ssi.bg>, February 2002
	5	* Wensong Zhang <wensong@linuxvirtualserver.org>
	6	*
	7	* This program is free software; you can redistribute it and/or
	8	* modify it under the terms of the GNU General Public License
	9	* version 2 as published by the Free Software Foundation;
	10	*
	11	*/
	12
9aada7ac HE	13	#define KMSG_COMPONENT "IPVS"
	14	#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
	15
14c85021 ACM	16	#include <linux/in.h>
14c85021 ACM	17	#include <linux/ip.h>
1da177e4 LT	18	#include <linux/module.h>
	19	#include <linux/kernel.h>
	20	#include <linux/netfilter.h>
	21	#include <linux/netfilter_ipv4.h>
	22
	23	#include <net/ip_vs.h>
	24
	25
	26	/* TODO:
	27
	28	struct isakmp_hdr {
	29	__u8 icookie[8];
	30	__u8 rcookie[8];
	31	__u8 np;
	32	__u8 version;
	33	__u8 xchgtype;
	34	__u8 flags;
	35	__u32 msgid;
	36	__u32 length;
	37	};
	38
	39	*/
	40
	41	#define PORT_ISAKMP 500
	42
f11017ec	43	static void
19913dec	44	ah_esp_conn_fill_param_proto(struct netns_ipvs *ipvs, int af,
802c41ad	45	const struct ip_vs_iphdr *iph,
6e67e586	46	struct ip_vs_conn_param *p)
f11017ec	47	{
802c41ad	48	if (likely(!ip_vs_iph_inverse(iph)))
19913dec	49	ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP,
f11017ec SH	50	&iph->saddr, htons(PORT_ISAKMP),
	51	&iph->daddr, htons(PORT_ISAKMP), p);
	52	else
19913dec	53	ip_vs_conn_fill_param(ipvs, af, IPPROTO_UDP,
f11017ec SH	54	&iph->daddr, htons(PORT_ISAKMP),
	55	&iph->saddr, htons(PORT_ISAKMP), p);
	56	}
1da177e4 LT	57
1da177e4 LT	58	static struct ip_vs_conn *
ab161976	59	ah_esp_conn_in_get(struct netns_ipvs ipvs, int af, const struct sk_buff skb,
802c41ad	60	const struct ip_vs_iphdr *iph)
1da177e4 LT	61	{
1da177e4 LT	62	struct ip_vs_conn *cp;
f11017ec	63	struct ip_vs_conn_param p;
1da177e4	64
19913dec	65	ah_esp_conn_fill_param_proto(ipvs, af, iph, &p);
f11017ec	66	cp = ip_vs_conn_in_get(&p);
1da177e4 LT	67	if (!cp) {
	68	/*
	69	* We are not sure if the packet is from our
	70	* service, so our conn_schedule hook should return NF_ACCEPT
	71	*/
51ef348b JV	72	IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for outin packet "
51ef348b JV	73	"%s%s %s->%s\n",
802c41ad	74	ip_vs_iph_icmp(iph) ? "ICMP+" : "",
9330419d	75	ip_vs_proto_get(iph->protocol)->name,
51ef348b JV	76	IP_VS_DBG_ADDR(af, &iph->saddr),
51ef348b JV	77	IP_VS_DBG_ADDR(af, &iph->daddr));
1da177e4 LT	78	}
	79
	80	return cp;
	81	}
	82
	83
	84	static struct ip_vs_conn *
0cf705c8	85	ah_esp_conn_out_get(struct netns_ipvs ipvs, int af, const struct sk_buff skb,
802c41ad	86	const struct ip_vs_iphdr *iph)
1da177e4 LT	87	{
1da177e4 LT	88	struct ip_vs_conn *cp;
f11017ec	89	struct ip_vs_conn_param p;
1da177e4	90
19913dec	91	ah_esp_conn_fill_param_proto(ipvs, af, iph, &p);
f11017ec	92	cp = ip_vs_conn_out_get(&p);
1da177e4	93	if (!cp) {
51ef348b JV	94	IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for inout packet "
51ef348b JV	95	"%s%s %s->%s\n",
802c41ad	96	ip_vs_iph_icmp(iph) ? "ICMP+" : "",
9330419d	97	ip_vs_proto_get(iph->protocol)->name,
51ef348b JV	98	IP_VS_DBG_ADDR(af, &iph->saddr),
51ef348b JV	99	IP_VS_DBG_ADDR(af, &iph->daddr));
1da177e4 LT	100	}
	101
	102	return cp;
	103	}
	104
	105
	106	static int
d8f44c33 EB	107	ah_esp_conn_schedule(struct netns_ipvs ipvs, int af, struct sk_buff skb,
d8f44c33 EB	108	struct ip_vs_proto_data *pd,
d4383f04 JDB	109	int verdict, struct ip_vs_conn *cpp,
d4383f04 JDB	110	struct ip_vs_iphdr *iph)
1da177e4 LT	111	{
1da177e4 LT	112	/*
409a1966	113	* AH/ESP is only related traffic. Pass the packet to IP stack.
1da177e4 LT	114	*/
	115	*verdict = NF_ACCEPT;
	116	return 0;
	117	}
	118
409a1966	119	#ifdef CONFIG_IP_VS_PROTO_AH
1da177e4 LT	120	struct ip_vs_protocol ip_vs_protocol_ah = {
	121	.name = "AH",
	122	.protocol = IPPROTO_AH,
2ad17def	123	.num_states = 1,
1da177e4	124	.dont_defrag = 1,
88fe2d37 HS	125	.init = NULL,
88fe2d37 HS	126	.exit = NULL,
409a1966 JV	127	.conn_schedule = ah_esp_conn_schedule,
	128	.conn_in_get = ah_esp_conn_in_get,
	129	.conn_out_get = ah_esp_conn_out_get,
1da177e4 LT	130	.snat_handler = NULL,
	131	.dnat_handler = NULL,
	132	.csum_check = NULL,
	133	.state_transition = NULL,
	134	.register_app = NULL,
	135	.unregister_app = NULL,
	136	.app_conn_bind = NULL,
0d79641a	137	.debug_packet = ip_vs_tcpudp_debug_packet,
1da177e4	138	.timeout_change = NULL, /* ISAKMP */
1da177e4	139	};
409a1966 JV	140	#endif
	141
	142	#ifdef CONFIG_IP_VS_PROTO_ESP
	143	struct ip_vs_protocol ip_vs_protocol_esp = {
	144	.name = "ESP",
	145	.protocol = IPPROTO_ESP,
	146	.num_states = 1,
	147	.dont_defrag = 1,
88fe2d37 HS	148	.init = NULL,
88fe2d37 HS	149	.exit = NULL,
409a1966 JV	150	.conn_schedule = ah_esp_conn_schedule,
	151	.conn_in_get = ah_esp_conn_in_get,
	152	.conn_out_get = ah_esp_conn_out_get,
	153	.snat_handler = NULL,
	154	.dnat_handler = NULL,
	155	.csum_check = NULL,
	156	.state_transition = NULL,
	157	.register_app = NULL,
	158	.unregister_app = NULL,
	159	.app_conn_bind = NULL,
0d79641a	160	.debug_packet = ip_vs_tcpudp_debug_packet,
409a1966 JV	161	.timeout_change = NULL, /* ISAKMP */
	162	};
	163	#endif