X-Git-Url: http://git.rot13.org/?p=bcm963xx.git;a=blobdiff_plain;f=kernel%2Flinux%2Fnet%2Fipv4%2Fnetfilter%2Fip_conntrack_proto_esp.c;h=a27f354b591f2a9d427b700ce2dbd4877d223401;hp=0eebbe699e3076c16a653a3861e1bc634899499b;hb=57a096f051259ceaefd5977f30d269884e1dd248;hpb=9887430fc6b7c0f8eb8e81de2bfe3bba12d8d4a1
diff --git a/kernel/linux/net/ipv4/netfilter/ip_conntrack_proto_esp.c b/kernel/linux/net/ipv4/netfilter/ip_conntrack_proto_esp.c
index 0eebbe69..a27f354b 100755
--- a/kernel/linux/net/ipv4/netfilter/ip_conntrack_proto_esp.c
+++ b/kernel/linux/net/ipv4/netfilter/ip_conntrack_proto_esp.c
@@ -82,8 +82,8 @@ struct _esp_table *alloc_esp_entry ( void )
 if ( esp_entry->inuse == IPSEC_FREE ) {
 esp_entry->tspi = cur_spi = TEMP_SPI_START + idx;
 esp_entry->inuse = IPSEC_INUSE;
- //printk ( KERN_DEBUG "%s:%s New esp_entry at %p"
- // " tspi %u cspi %u\n", __FILE__, __FUNCTION__,
+ //printk ( KERN_DEBUG "%s:%s New esp_entry at idx %d entry %p"
+ // " tspi %u cspi %u\n", __FILE__, __FUNCTION__, idx,
 // esp_entry, esp_entry->tspi, cur_spi );
 return esp_entry;
 }
@@ -101,6 +101,8 @@ struct _esp_table *search_esp_entry_by_spi ( const struct esphdr *esph,
 int idx = 0;
 struct _esp_table *esp_entry = esp_table;
+ //printk ( KERN_DEBUG "%s:%s (0x%x) %u.%u.%u.%u\n", __FILE__, __FUNCTION__,
+ // ntohl(esph->spi), NIPQUAD(daddr));
 for ( ; idx < MAX_PORTS; idx++, esp_entry++ ) {
 if ( esp_entry->inuse == IPSEC_FREE ) {
 continue;
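Review bot: The hunk edits a commented-out `printk` rather than a live diagnostic, and the same pattern recurs in hunks @@ -101, @@ -146, @@ -158, @@ -168, @@ -202, @@ -224, @@ -249 and @@ -263. Commented-out code is never compiled and drifts from its surroundings: hunk @@ -158 has to change `ntohl(esph->spi)` to `ntohl(esph.spi)` inside one of these blocks because `esph` in esp_pkt_to_tuple is a local struct filled by `skb_copy_bits(skb, dataoff, &esph, sizeof(esph))` (hunk @@ -146). A `DEBUGP` macro that expands to `printk` when debugging is compiled in and to nothing otherwise, as the sibling ip_conntrack_proto_* files do, would keep every format string type-checked against its arguments and let the output be enabled without re-editing each site. The body of alloc_esp_entry begins before this hunk.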
@@ -146,6 +148,12 @@ static int esp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 if (skb_copy_bits(skb, dataoff, &esph, sizeof(esph)) != 0)
 return 0;
+ //printk ( KERN_DEBUG "%s:%s (0x%x) IP Pkt Hdr %u.%u.%u.%u <-> %u.%u.%u.%u\n",
+ // __FILE__, __FUNCTION__, ntohl(esph.spi),
+ // NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
+ //printk ( KERN_DEBUG "%s:%s (0x%x) %u.%u.%u.%u <-> %u.%u.%u.%u\n",
+ // __FILE__, __FUNCTION__, ntohl(esph.spi),
+ // NIPQUAD(tuple->src.ip), NIPQUAD(tuple->dst.ip) );
 if ( (esp_entry = search_esp_entry_by_spi ( &esph, tuple->dst.ip ) ) == NULL ) {
 esp_entry = alloc_esp_entry();
@@ -158,7 +166,7 @@ static int esp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
 //printk ( KERN_DEBUG "%s:%s tspi %u cspi %u spi 0x%x seq 0x%x"
 // " sip %u.%u.%u.%u dip %u.%u.%u.%u\n", __FILE__,
 // __FUNCTION__, esp_entry->tspi, cur_spi,
- // ntohl(esph->spi), ntohl(esph->seq),
+ // ntohl(esph.spi), ntohl(esph.seq),
 // NIPQUAD(tuple->src.ip), NIPQUAD(tuple->dst.ip) );
 tuple->dst.u.esp.spi = esp_entry->tspi;
 tuple->src.u.esp.spi = esp_entry->tspi;
@@ -168,8 +176,8 @@ static int esp_invert_tuple(struct ip_conntrack_tuple *tuple,
 const struct ip_conntrack_tuple *orig)
 {
- //printk ( KERN_DEBUG "%s:%s cspi %u dspi %u sspi %u"
- // " sip %u.%u.%u.%u dip %u.%u.%u.%u\n",
+ //printk ( KERN_DEBUG "%s:%s cspi 0x%x dspi 0x%x sspi 0x%x"
+ // " %u.%u.%u.%u <-> %u.%u.%u.%u\n",
 // __FILE__, __FUNCTION__, cur_spi, orig->dst.u.esp.spi,
 // orig->src.u.esp.spi, NIPQUAD(tuple->src.ip),
 // NIPQUAD(tuple->dst.ip) );
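Review bot: The search-miss path ends the hunk at `esp_entry = alloc_esp_entry();`, and hunk @@ -158 then dereferences `esp_entry->tspi` unconditionally, while esp_packet and esp_new both treat a NULL return from alloc_esp_entry as "all entries in use". The lines between the two hunks are not shown; if they do not test for NULL, a packet with an unknown SPI arriving while the table is full dereferences NULL in this function, and `if ( esp_entry == NULL ) return 0;` after the allocation would mirror the other two callers (this hook already reports failure with `return 0;` on the copy error above). Note also that every packet carrying an SPI not yet in the table consumes one of the MAX_PORTS entries on this path, so the table size bounds how many distinct inbound SPIs can be tracked before new flows are refused; a comment at the allocation stating that limit would help whoever tunes it. The enclosing esp_pkt_to_tuple body begins before the hunk and continues past it.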
@@ -202,19 +210,24 @@ static int esp_packet(struct ip_conntrack *conntrack,
 const struct esphdr *esph = (void *)iph + iph->ihl*4;
 struct _esp_table *esp_entry;
- //printk ( KERN_DEBUG "%s:%s ctinfo %d status %d spi 0x%x seq 0x%x\n",
- // __FILE__, __FUNCTION__, conntrackinfo, conntrack->status,
- // ntohl(esph->spi), ntohl(esph->seq) );
+ //printk ( KERN_DEBUG "%s:%s (0x%x) %u.%u.%u.%u <-> %u.%u.%u.%u %s\n",
+ // __FILE__, __FUNCTION__, ntohl(esph->spi),
+ // NIPQUAD(iph->saddr), NIPQUAD(iph->daddr),
+ // (conntrackinfo == IP_CT_NEW ) ? "CT_NEW" : "SEEN_REPLY" );
 /*
 * This should not happen. We get into this routine only if there is
 * an existing stream.
 */
 if (conntrackinfo == IP_CT_NEW ) {
+ //printk ( KERN_DEBUG "%s:%s IP_CT_NEW (0x%x) %u.%u.%u.%u <-> %u.%u.%u.%u\n",
+ // __FILE__, __FUNCTION__, esph->spi, NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
 if ( (esp_entry = search_esp_entry_by_spi ( esph, iph->daddr ) ) == NULL ) {
 esp_entry = alloc_esp_entry ();
 if ( esp_entry == NULL ) {
 /* All entries are currently in use */
+ //printk ( KERN_DEBUG "%s:%s All connections in use\n",
+ // __FILE__, __FUNCTION__);
 return NF_DROP;
 }
 esp_entry->l_spi = ntohl(esph->spi);
@@ -224,14 +237,14 @@ static int esp_packet(struct ip_conntrack *conntrack,
 }
 /* If we've seen traffic both ways, this is some kind of UDP stream. Extend timeout. */
- if (conntrack->status & IPS_SEEN_REPLY) {
+ if (conntrack->status & IPS_SEEN_REPLY) {
 ip_ct_refresh(conntrack, ESP_STREAM_TIMEOUT);
 /* Also, more likely to be important, and not a probe */
 set_bit(IPS_ASSURED_BIT, &conntrack->status);
 } else {
 ip_ct_refresh(conntrack, ESP_TIMEOUT);
 }
- esp_entry = search_esp_entry_by_spi ( esph, iph->daddr );
+ //esp_entry = search_esp_entry_by_spi ( esph, iph->daddr );
 if ( esp_entry != NULL ) {
 //printk ( KERN_DEBUG "%s:%s can modify this %u.%u.%u.%u"
 // " with %u.%u.%u.%u\n",
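Review bot: `esph` is formed by pointer arithmetic on the IP header (`(void *)iph + iph->ihl*4`) and read through `esph->spi` on the new side, whereas esp_pkt_to_tuple reads the same header with `skb_copy_bits` (hunk @@ -146); unless the caller guarantees the ESP header lies in the linear area, the direct read can run past the packet data on a truncated or non-linear skb, and the SPI it yields then drives the table lookup and allocation below. Copying the header into a local `struct esphdr esph;` with `if (skb_copy_bits(skb, iph->ihl*4, &esph, sizeof(esph)) != 0) return NF_DROP;` and passing `&esph` to search_esp_entry_by_spi would make the two paths consistent; esp_new in hunk @@ -249 builds `esph` the same way and needs the same treatment. The declaration of `iph` and the rest of esp_packet lie outside the hunk.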
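Review bot: Commenting out `esp_entry = search_esp_entry_by_spi ( esph, iph->daddr );` leaves `esp_entry` unassigned on every path where `conntrackinfo != IP_CT_NEW`, which the comment in the previous hunk describes as the normal case, so the following `if ( esp_entry != NULL )` reads an indeterminate pointer: the variable is declared as `struct _esp_table *esp_entry;` with no initializer at the top of hunk @@ -202 and is only assigned inside the `IP_CT_NEW` branch. If the intent is that only an entry found or allocated for a new connection may be modified, initialize the declaration, `struct _esp_table *esp_entry = NULL;`, so the established-stream path skips the block deterministically; otherwise restore the lookup rather than commenting it out. The body of the `if ( esp_entry != NULL )` block continues past the end of the hunk.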
@@ -249,10 +262,9 @@ static int esp_new(struct ip_conntrack *conntrack, const struct sk_buff *skb)
 const struct iphdr *iph = skb->nh.iph;
 const struct esphdr *esph = (void *)iph + iph->ihl*4;
 struct _esp_table *esp_entry;
- //printk ( KERN_DEBUG "%s:%s spi 0x%x seq 0x%x sip %u.%u.%u.%u"
- // " daddr %u.%u.%u.%u\n", __FILE__, __FUNCTION__,
- // ntohl(esph->spi), ntohl(esph->seq), NIPQUAD(iph->saddr),
- // NIPQUAD(iph->daddr) );
+ //printk ( KERN_DEBUG "%s:%s (0x%x) %u.%u.%u.%u <-> %u.%u.%u.%u\n",
+ // __FILE__, __FUNCTION__, ntohl(esph->spi),
+ // NIPQUAD(iph->saddr), NIPQUAD(iph->daddr));
 if ( (esp_entry = search_esp_entry_by_spi ( esph, iph->daddr ) ) == NULL ) {
 /*
 * Check if this is the same LAN client creating another session.
@@ -263,6 +275,8 @@ static int esp_new(struct ip_conntrack *conntrack, const struct sk_buff *skb)
 esp_entry = alloc_esp_entry ();
 if ( esp_entry == NULL ) {
 /* All entries are currently in use */
+ //printk ( KERN_DEBUG "%s:%s All connections in use\n",
+ // __FILE__, __FUNCTION__);
 return NF_DROP;
 }
 esp_entry->l_spi = ntohl(esph->spi);
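Review bot: `return NF_DROP;` in esp_new reads as a netfilter verdict, but if this hook follows the ip_conntrack_protocol contract its return is a boolean (non-zero to accept the new connection, zero to refuse it), and the code only works because NF_DROP happens to be 0; esp_packet, which does return verdicts, uses the same literal on its own "all entries in use" path in hunk @@ -202, so the two meanings are easy to confuse. Writing `return 0; /* no free table entry: refuse to track this connection */` here states the actual contract and keeps the verdict constants for esp_packet. The enclosing esp_new body begins before this hunk and continues past it.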