Re: [RFC PATCH resend]: Fix output for BEET ipsec

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Patrick McHardy]

Joakim Koskela wrote:
> diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> index 091e670..20d214f 100644
> --- a/net/ipv4/esp4.c
> +++ b/net/ipv4/esp4.c
> @@ -404,7 +404,8 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
>  		break;
>  	case XFRM_MODE_BEET:
>  		/* The worst case. */
> -		mtu += min_t(u32, IPV4_BEET_PHMAXLEN, rem);
> +		/* This will be seen to in the esp header_len */
> +		/* mtu += min_t(u32, IPV4_BEET_PHMAXLEN, rem); */
>  		break;
>  	}


Why are you disabling this?

[RFC PATCH resend]: Fix output for BEET ipsec

[Joakim Koskela]

Hi,

Any comments on this? Would be great to get beet working soon!

br, j

== original post:

This patch fixes the ipsec BEET (Bound End-to-End Tunnel) mode
interfamily handling of the net-2.6 (25-rc3) kernel, as specified by
the ietf draft found at:

http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-08.txt

It is sent as a RFC as it doesn't fit that neatly into the newly
cleaned-up xfrm model - I suspect that there could be a better way to
solve this.

Signed-off-by: Joakim Koskela <jookos@gmail.com>
---
 net/ipv4/esp4.c            |   10 +++-
 net/ipv4/xfrm4_mode_beet.c |  104 +++++++++++++++++++++++++++++---------------
 net/ipv6/esp6.c            |    6 +++
 net/ipv6/xfrm6_mode_beet.c |   83 ++++++++++++++++++++++++++++++-----
 4 files changed, 153 insertions(+), 50 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 091e670..20d214f 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -404,7 +404,8 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
 		break;
 	case XFRM_MODE_BEET:
 		/* The worst case. */
-		mtu += min_t(u32, IPV4_BEET_PHMAXLEN, rem);
+		/* This will be seen to in the esp header_len */
+		/* mtu += min_t(u32, IPV4_BEET_PHMAXLEN, rem); */
 		break;
 	}
 
@@ -575,8 +576,11 @@ static int esp_init_state(struct xfrm_state *x)
 			      crypto_aead_ivsize(aead);
 	if (x->props.mode == XFRM_MODE_TUNNEL)
 		x->props.header_len += sizeof(struct iphdr);
-	else if (x->props.mode == XFRM_MODE_BEET)
-		x->props.header_len += IPV4_BEET_PHMAXLEN;
+	else if (x->props.mode == XFRM_MODE_BEET) {
+		if (x->sel.family == AF_INET) {
+			x->props.header_len += IPV4_BEET_PHMAXLEN;
+		}
+	}
 	if (x->encap) {
 		struct xfrm_encap_tmpl *encap = x->encap;
 
diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
index b47030b..83db9b2 100644
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -6,6 +6,7 @@
  *                    Herbert Xu     <herbert@gondor.apana.org.au>
  *                    Abhinav Pathak <abhinav.pathak@hiit.fi>
  *                    Jeff Ahrenholz <ahrenholz@gmail.com>
+ *                    Joakim Koskela <jookos@gmail.com>
  */
 
 #include <linux/init.h>
@@ -38,45 +39,78 @@ static void xfrm4_beet_make_header(struct sk_buff *skb)
  */
 static int xfrm4_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
-	struct ip_beet_phdr *ph;
 	struct iphdr *iph, *top_iph;
-	int hdrlen, optlen;
 
 	iph = ip_hdr(skb);
-
-	hdrlen = 0;
-	optlen = iph->ihl * 4 - sizeof(*iph);
-	if (unlikely(optlen))
-		hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4);
-
-	skb_set_network_header(skb, IPV4_BEET_PHMAXLEN - x->props.header_len -
-				    hdrlen);
-	skb->mac_header = skb->network_header +
-			  offsetof(struct iphdr, protocol);
-	skb->transport_header = skb->network_header + sizeof(*iph);
-
-	xfrm4_beet_make_header(skb);
-
-	ph = (struct ip_beet_phdr *)__skb_pull(skb, sizeof(*iph) - hdrlen);
-
-	top_iph = ip_hdr(skb);
-
-	if (unlikely(optlen)) {
-		BUG_ON(optlen < 0);
-
-		ph->padlen = 4 - (optlen & 4);
-		ph->hdrlen = optlen / 8;
-		ph->nexthdr = top_iph->protocol;
-		if (ph->padlen)
-			memset(ph + 1, IPOPT_NOP, ph->padlen);
-
-		top_iph->protocol = IPPROTO_BEETPH;
-		top_iph->ihl = sizeof(struct iphdr) / 4;
+	if (iph->version == 4) {
+		struct ip_beet_phdr *ph;
+		int hdrlen, optlen;
+
+		hdrlen = 0;
+		optlen = iph->ihl * 4 - sizeof(*iph);
+		if (unlikely(optlen))
+			hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4);
+
+		skb_set_network_header(skb, IPV4_BEET_PHMAXLEN - x->props.header_len -
+				       hdrlen);
+		skb->mac_header = skb->network_header +
+			offsetof(struct iphdr, protocol);
+		skb->transport_header = skb->network_header + sizeof(*iph);
+
+		xfrm4_beet_make_header(skb);
+
+		ph = (struct ip_beet_phdr *)__skb_pull(skb, sizeof(*iph) - hdrlen);
+
+		top_iph = ip_hdr(skb);
+
+		if (unlikely(optlen)) {
+			BUG_ON(optlen < 0);
+
+			ph->padlen = 4 - (optlen & 4);
+			ph->hdrlen = optlen / 8;
+			ph->nexthdr = top_iph->protocol;
+			if (ph->padlen)
+				memset(ph + 1, IPOPT_NOP, ph->padlen);
+
+			top_iph->protocol = IPPROTO_BEETPH;
+			top_iph->ihl = sizeof(struct iphdr) / 4;
+		}
+
+		top_iph->saddr = x->props.saddr.a4;
+		top_iph->daddr = x->id.daddr.a4;
+
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+	} else if (iph->version == 6) {
+		struct dst_entry *dst = skb->dst;
+
+		int delta = sizeof(struct ipv6hdr) - sizeof(struct iphdr);
+		u8 protocol = ipv6_hdr(skb)->nexthdr;
+
+		/* Inner = 6, Outer = 4 : changing the external IP hdr
+		 * to the outer addresses
+		 */
+		skb_set_network_header(skb, delta - x->props.header_len);
+		skb->transport_header = skb->network_header + sizeof(*iph);
+		skb->mac_header = skb->network_header +
+			offsetof(struct iphdr, protocol);
+		skb_pull(skb, sizeof(struct ipv6hdr));
+
+		top_iph = ip_hdr(skb);
+		top_iph->ihl = 5;
+		top_iph->version = 4;
+		top_iph->id = 0;
+		top_iph->frag_off = htons(IP_DF);
+		top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
+		top_iph->protocol = protocol;
+
+		top_iph->saddr = x->props.saddr.a4;
+		top_iph->daddr = x->id.daddr.a4;
+		IPCB(skb)->flags = 0;
+
+		skb->protocol = htons(ETH_P_IP);
+		memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+#endif
 	}
-
-	top_iph->saddr = x->props.saddr.a4;
-	top_iph->daddr = x->id.daddr.a4;
-
 	return 0;
 }
 
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 0ec1402..984a03e 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -344,6 +344,7 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
 	rem = mtu & (align - 1);
 	mtu &= ~(align - 1);
 
+	/* hm, is this right? maybe we shouldn't do this for beet either? */
 	if (x->props.mode != XFRM_MODE_TUNNEL) {
 		u32 padsize = ((blksize - 1) & 7) + 1;
 		mtu -= blksize - padsize;
@@ -521,6 +522,11 @@ static int esp6_init_state(struct xfrm_state *x)
 			      crypto_aead_ivsize(aead);
 	switch (x->props.mode) {
 	case XFRM_MODE_BEET:
+		if (x->sel.family == AF_INET) {
+			x->props.header_len += IPV4_BEET_PHMAXLEN +
+				(sizeof(struct ipv6hdr) - sizeof(struct iphdr));
+		}
+		break;
 	case XFRM_MODE_TRANSPORT:
 		break;
 	case XFRM_MODE_TUNNEL:
diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
index 0527d11..2547c51 100644
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -6,6 +6,7 @@
  *                    Herbert Xu     <herbert@gondor.apana.org.au>
  *                    Abhinav Pathak <abhinav.pathak@hiit.fi>
  *                    Jeff Ahrenholz <ahrenholz@gmail.com>
+ *                    Joakim Koskela <jookos@gmail.com>
  */
 
 #include <linux/init.h>
@@ -40,18 +41,76 @@ static void xfrm6_beet_make_header(struct sk_buff *skb)
 static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
 	struct ipv6hdr *top_iph;
-
-	skb_set_network_header(skb, -x->props.header_len);
-	skb->mac_header = skb->network_header +
-			  offsetof(struct ipv6hdr, nexthdr);
-	skb->transport_header = skb->network_header + sizeof(*top_iph);
-
-	xfrm6_beet_make_header(skb);
-
-	top_iph = ipv6_hdr(skb);
-
-	ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
-	ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+	int hdr_len;
+
+	if (ip_hdr(skb)->version == 6) {
+		u8 *prevhdr;
+
+		hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
+		skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+		skb_set_network_header(skb, -x->props.header_len);
+		skb->transport_header = skb->network_header + hdr_len;
+		__skb_pull(skb, hdr_len);
+
+		xfrm6_beet_make_header(skb);
+
+		top_iph = ipv6_hdr(skb);
+
+		ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
+		ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+	} else {
+		struct dst_entry *dst = skb->dst;
+		struct iphdr *iphv4;
+		int flags, optlen, dsfield;
+		struct ip_beet_phdr *ph;
+		u8 protocol;
+
+		iphv4 = ip_hdr(skb);
+		hdr_len = 0;
+		optlen = iphv4->ihl * 4 - sizeof(*iphv4);
+		if (unlikely(optlen))
+			hdr_len += IPV4_BEET_PHMAXLEN - (optlen & 4);
+
+		skb_set_network_header(skb, IPV4_BEET_PHMAXLEN - x->props.header_len -
+				       hdr_len);
+		skb->mac_header = skb->network_header + offsetof(struct ipv6hdr, nexthdr);
+		skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
+
+		ph = (struct ip_beet_phdr *)__skb_pull(skb, sizeof(*iphv4) - hdr_len);
+		if (unlikely(optlen)) {
+
+			BUG_ON(optlen < 0);
+
+			ph->padlen = 4 - (optlen & 4);
+			ph->hdrlen = optlen / 8;
+			ph->nexthdr = iphv4->protocol;
+			if (ph->padlen)
+				memset(ph + 1, IPOPT_NOP, ph->padlen);
+
+			protocol = IPPROTO_BEETPH;
+		} else
+			protocol = iphv4->protocol;
+
+		top_iph = ipv6_hdr(skb);
+
+		/* DS disclosed */
+		top_iph->version = 6;
+		top_iph->priority = 0;
+		top_iph->flow_lbl[0] = 0;
+		top_iph->flow_lbl[1] = 0;
+		top_iph->flow_lbl[2] = 0;
+		dsfield = ipv6_get_dsfield(top_iph);
+		dsfield = INET_ECN_encapsulate(dsfield, dsfield);
+		flags = x->props.flags;
+		if (flags & XFRM_STATE_NOECN)
+			dsfield &= ~INET_ECN_MASK;
+		ipv6_change_dsfield(top_iph, 0, dsfield);
+
+		top_iph->nexthdr = protocol;
+		top_iph->hop_limit = dst_metric(dst->child, RTAX_HOPLIMIT);
+		ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
+		ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+	}
 	return 0;
 }

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Joakim Koskela]

On Wednesday 26 March 2008 11:14, Patrick McHardy wrote:
> Joakim Koskela wrote:
> > diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> > index 091e670..20d214f 100644
> > --- a/net/ipv4/esp4.c
> > +++ b/net/ipv4/esp4.c
> > @@ -404,7 +404,8 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int
> > mtu) break;
> >  	case XFRM_MODE_BEET:
> >  		/* The worst case. */
> > -		mtu += min_t(u32, IPV4_BEET_PHMAXLEN, rem);
> > +		/* This will be seen to in the esp header_len */
> > +		/* mtu += min_t(u32, IPV4_BEET_PHMAXLEN, rem); */
> >  		break;
> >  	}
>
> Why are you disabling this?

Thanks - can't remember and doesn't seem necessary. I'll reverse that.

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Herbert Xu]

On Wed, Mar 26, 2008 at 11:15:26AM +0200, Joakim Koskela wrote:
> Hi,
> 
> Any comments on this? Would be great to get beet working soon!
> 
> br, j
> 
> == original post:
> 
> This patch fixes the ipsec BEET (Bound End-to-End Tunnel) mode
> interfamily handling of the net-2.6 (25-rc3) kernel, as specified by
> the ietf draft found at:
> 
> http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-08.txt
> 
> It is sent as a RFC as it doesn't fit that neatly into the newly
> cleaned-up xfrm model - I suspect that there could be a better way to
> solve this.
> 
> Signed-off-by: Joakim Koskela <jookos@gmail.com>

Thanks for the patch!

In light of the patch I just posted I believe we can drop everything
but the props_header_len adjustments.  Please let me know if it still
doesn't work with my earlier patch.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Joakim Koskela]

On Wednesday 26 March 2008 15:31, Herbert Xu wrote:
> In light of the patch I just posted I believe we can drop everything
> but the props_header_len adjustments.  Please let me know if it still
> doesn't work with my earlier patch.
>
> Cheers,

Thanks, but I'm still having problems with 6-6 and the interfamilies.

Here's what I'm using right now to get net-2.6 beet working (testing with older
versions and another implementation). It's basically the same as I sent before, 
slightly updated (to use the protocol-independent accessors).

br, j

Signed-off-by: Joakim Koskela <jookos@gmail.com>
--
 net/ipv4/esp4.c            |    2 +-
 net/ipv4/xfrm4_mode_beet.c |  101 ++++++++++++++++++++++++++++---------------
 net/ipv6/esp6.c            |    5 ++
 net/ipv6/xfrm6_mode_beet.c |   65 ++++++++++++++++++++++++----
 4 files changed, 128 insertions(+), 45 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 4e73e57..135094e 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -575,7 +575,7 @@ static int esp_init_state(struct xfrm_state *x)
 			      crypto_aead_ivsize(aead);
 	if (x->props.mode == XFRM_MODE_TUNNEL)
 		x->props.header_len += sizeof(struct iphdr);
-	else if (x->props.mode == XFRM_MODE_BEET)
+	else if (x->props.mode == XFRM_MODE_BEET && x->sel.family == AF_INET)
 		x->props.header_len += IPV4_BEET_PHMAXLEN;
 	if (x->encap) {
 		struct xfrm_encap_tmpl *encap = x->encap;
diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
index 9c798ab..7f218cc 100644
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -6,6 +6,7 @@
  *                    Herbert Xu     <herbert@gondor.apana.org.au>
  *                    Abhinav Pathak <abhinav.pathak@hiit.fi>
  *                    Jeff Ahrenholz <ahrenholz@gmail.com>
+ *                    Joakim Koskela <jookos@gmail.com>
  */
 
 #include <linux/init.h>
@@ -38,44 +39,74 @@ static void xfrm4_beet_make_header(struct sk_buff *skb)
  */
 static int xfrm4_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
-	struct ip_beet_phdr *ph;
-	struct iphdr *top_iph;
-	int hdrlen, optlen;
+	struct iphdr *iph, *top_iph;
 
-	hdrlen = 0;
-	optlen = XFRM_MODE_SKB_CB(skb)->optlen;
-	if (unlikely(optlen))
-		hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4);
-
-	skb_set_network_header(skb, IPV4_BEET_PHMAXLEN - x->props.header_len -
-				    hdrlen);
-	skb->mac_header = skb->network_header +
-			  offsetof(struct iphdr, protocol);
-	skb->transport_header = skb->network_header + sizeof(*top_iph);
-
-	xfrm4_beet_make_header(skb);
-
-	ph = (struct ip_beet_phdr *)
-		__skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdrlen);
-
-	top_iph = ip_hdr(skb);
-
-	if (unlikely(optlen)) {
-		BUG_ON(optlen < 0);
-
-		ph->padlen = 4 - (optlen & 4);
-		ph->hdrlen = optlen / 8;
-		ph->nexthdr = top_iph->protocol;
-		if (ph->padlen)
-			memset(ph + 1, IPOPT_NOP, ph->padlen);
-
-		top_iph->protocol = IPPROTO_BEETPH;
-		top_iph->ihl = sizeof(struct iphdr) / 4;
+	iph = ip_hdr(skb);
+	if (iph->version == 4) {
+		struct ip_beet_phdr *ph;
+		int hdrlen, optlen;
+
+		hdrlen = 0;
+		optlen = XFRM_MODE_SKB_CB(skb)->optlen;
+		if (unlikely(optlen))
+			hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4);
+
+		skb_set_network_header(skb, IPV4_BEET_PHMAXLEN - x->props.header_len -
+				       hdrlen);
+		skb->mac_header = skb->network_header +
+			offsetof(struct iphdr, protocol);
+		skb->transport_header = skb->network_header + sizeof(*top_iph);
+
+		xfrm4_beet_make_header(skb);
+
+		ph = (struct ip_beet_phdr *)
+			__skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdrlen);
+
+		top_iph = ip_hdr(skb);
+
+		if (unlikely(optlen)) {
+			BUG_ON(optlen < 0);
+
+			ph->padlen = 4 - (optlen & 4);
+			ph->hdrlen = optlen / 8;
+			ph->nexthdr = top_iph->protocol;
+			if (ph->padlen)
+				memset(ph + 1, IPOPT_NOP, ph->padlen);
+
+			top_iph->protocol = IPPROTO_BEETPH;
+			top_iph->ihl = sizeof(struct iphdr) / 4;
+		}
+
+		top_iph->saddr = x->props.saddr.a4;
+		top_iph->daddr = x->id.daddr.a4;
+
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+	} else if (iph->version == 6) {
+		int delta = sizeof(struct ipv6hdr) - sizeof(struct iphdr);
+		u8 protocol = ipv6_hdr(skb)->nexthdr;
+
+		/* Inner = 6, Outer = 4 : changing the external IP hdr
+		 * to the outer addresses
+		 */
+		skb_set_network_header(skb, delta - x->props.header_len);
+		skb->transport_header = skb->network_header + sizeof(*iph);
+		skb->mac_header = skb->network_header +
+			offsetof(struct iphdr, protocol);
+		skb_pull(skb, sizeof(struct ipv6hdr));
+
+		xfrm4_beet_make_header(skb);
+
+		top_iph = ip_hdr(skb);
+		top_iph->protocol = protocol;
+		top_iph->saddr = x->props.saddr.a4;
+		top_iph->daddr = x->id.daddr.a4;
+		IPCB(skb)->flags = 0;
+
+		skb->protocol = htons(ETH_P_IP);
+		memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+#endif
 	}
 
-	top_iph->saddr = x->props.saddr.a4;
-	top_iph->daddr = x->id.daddr.a4;
-
 	return 0;
 }
 
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index c6bb4c6..8356c11 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -521,6 +521,11 @@ static int esp6_init_state(struct xfrm_state *x)
 			      crypto_aead_ivsize(aead);
 	switch (x->props.mode) {
 	case XFRM_MODE_BEET:
+		if (x->sel.family == AF_INET) {
+			x->props.header_len += IPV4_BEET_PHMAXLEN +
+				(sizeof(struct ipv6hdr) - sizeof(struct iphdr));
+		}
+		break;
 	case XFRM_MODE_TRANSPORT:
 		break;
 	case XFRM_MODE_TUNNEL:
diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
index d6ce400..a11af00 100644
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -40,19 +40,66 @@ static void xfrm6_beet_make_header(struct sk_buff *skb)
 static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
 	struct ipv6hdr *top_iph;
+	int hdr_len;
 
-	skb_set_network_header(skb, -x->props.header_len);
-	skb->mac_header = skb->network_header +
-			  offsetof(struct ipv6hdr, nexthdr);
-	skb->transport_header = skb->network_header + sizeof(*top_iph);
-	__skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl);
+	if (ip_hdr(skb)->version == 6) {
+		u8 *prevhdr;
 
-	xfrm6_beet_make_header(skb);
+		hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
+		skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+		skb_set_network_header(skb, -x->props.header_len);
+		skb->transport_header = skb->network_header + hdr_len;
+		__skb_pull(skb, hdr_len);
+
+		xfrm6_beet_make_header(skb);
+
+		top_iph = ipv6_hdr(skb);
+
+		ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
+		ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+	} else {
+		struct iphdr *iphv4;
+		int optlen;
+		struct ip_beet_phdr *ph;
+		u8 protocol;
+
+		iphv4 = ip_hdr(skb);
+		hdr_len = 0;
+		optlen = XFRM_MODE_SKB_CB(skb)->optlen;
+		if (unlikely(optlen))
+			hdr_len += IPV4_BEET_PHMAXLEN - (optlen & 4);
+
+		skb_set_network_header(skb, IPV4_BEET_PHMAXLEN - x->props.header_len -
+				       hdr_len);
+		skb->mac_header = skb->network_header +
+			offsetof(struct ipv6hdr, nexthdr);
+		skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
+
+		ph = (struct ip_beet_phdr *)
+			__skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdr_len);
+		if (unlikely(optlen)) {
+
+			BUG_ON(optlen < 0);
+
+			ph->padlen = 4 - (optlen & 4);
+			ph->hdrlen = optlen / 8;
+			ph->nexthdr = iphv4->protocol;
+			if (ph->padlen)
+				memset(ph + 1, IPOPT_NOP, ph->padlen);
+
+			protocol = IPPROTO_BEETPH;
+		} else
+			protocol = iphv4->protocol;
+
+		xfrm6_beet_make_header(skb);
+
+		top_iph = ipv6_hdr(skb);
 
-	top_iph = ipv6_hdr(skb);
+		top_iph->nexthdr = protocol;
+		ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
+		ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+	}
 
-	ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
-	ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
 	return 0;
 }

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Herbert Xu]

On Tue, Apr 22, 2008 at 03:12:40PM +0300, Joakim Koskela wrote:
> 
> Thanks, but I'm still having problems with 6-6 and the interfamilies.
> 
> Here's what I'm using right now to get net-2.6 beet working (testing with older
> versions and another implementation). It's basically the same as I sent before, 
> slightly updated (to use the protocol-independent accessors).

You know it would really help if you told us what problems you're
having rather than just resending the patch over and over again :)

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Joakim Koskela]

On Tuesday 22 April 2008 16:13, Herbert Xu wrote:
> On Tue, Apr 22, 2008 at 03:12:40PM +0300, Joakim Koskela wrote:
> > Thanks, but I'm still having problems with 6-6 and the interfamilies.
> >
> > Here's what I'm using right now to get net-2.6 beet working (testing with
> > older versions and another implementation). It's basically the same as I
> > sent before, slightly updated (to use the protocol-independent
> > accessors).
>
> You know it would really help if you told us what problems you're
> having rather than just resending the patch over and over again :)

Sorry, I know really should. I'll try to get back on this asap with some more 
details. But in a nutshell - I get crashes on 4-6 (inner-outer), and although 
6-4 gets packets on the wire, they're somehow wrong. Hm, don't actually think 
there's anything wrong with 6-6 though, I'll have to recheck that.. 

Cheers, 
j

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Herbert Xu]

On Wed, Apr 23, 2008 at 10:13:38AM +0300, Joakim Koskela wrote:
>
> Sorry, I know really should. I'll try to get back on this asap with some more 
> details. But in a nutshell - I get crashes on 4-6 (inner-outer), and although 
> 6-4 gets packets on the wire, they're somehow wrong. Hm, don't actually think 
> there's anything wrong with 6-6 though, I'll have to recheck that.. 

OK I'll try to get my test environment back up to have a look.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [RFC PATCH resend]: Fix output for BEET ipsec

[Joakim Koskela]

On Wednesday 23 April 2008 10:30, Herbert Xu wrote:
> On Wed, Apr 23, 2008 at 10:13:38AM +0300, Joakim Koskela wrote:
> > Sorry, I know really should. I'll try to get back on this asap with some
> > more details. But in a nutshell - I get crashes on 4-6 (inner-outer), and
> > although 6-4 gets packets on the wire, they're somehow wrong. Hm, don't
> > actually think there's anything wrong with 6-6 though, I'll have to
> > recheck that..
>
> OK I'll try to get my test environment back up to have a look.
>
> Thanks,

Here's a calltrace from 4 inner, 6 outer. I do a manual key setup, and try to
ping the other host.

------------[ cut here ]------------
invalid opcode: 0000 [#4] PREEMPT
Process ping (pid: 5516, ti=d9598000 task=d957b140 task.ti=d9598000)
Stack: e086f700 e1b9a5ec 00000000 00000014 d9599c17 dc3fbc40 dfa68a80 dfa68a80
       00000078 00000000 00000001 c069a3a0 deef2000 00000000 dc3fbc40 dfa68aa0
       d9569040 dfa68a80 c03d2c04 00000054 d9569038 c0476b1d 00000054 dc35e600
Call Trace:
 [<c03d2c04>] skb_to_sgvec+0x14/0x30
 [<c0476b1d>] esp6_output+0x1ad/0x270
 [<c0441fa4>] xfrm_output_resume+0x2a4/0x320
 [<c03fad17>] __ip_local_out+0x97/0xa0
 [<c03fad35>] ip_local_out+0x15/0x20
 [<c03faf4a>] ip_push_pending_frames+0x20a/0x350
 [<c03f3ea4>] ip_route_output_flow+0x74/0x290
 [<c041688f>] raw_sendmsg+0x69f/0x750
 [<c041eb27>] inet_sendmsg+0x37/0x70
 [<c03cde7d>] sock_sendmsg+0xcd/0x100
 [<c03fd407>] ip_setsockopt+0x147/0xc40
 [<c0136550>] autoremove_wake_function+0x0/0x50
 [<c011ce9c>] set_next_entity+0x1c/0x50
 [<c04cbfb7>] schedule+0x177/0x310
 [<c03d5afa>] verify_iovec+0x2a/0x90
 [<c03ce011>] sys_sendmsg+0x161/0x270
 [<c0359f6a>] tty_ioctl+0x73a/0xec0
 [<c014e7ae>] find_lock_page+0x2e/0xd0
 [<c0150e2f>] filemap_fault+0x1ef/0x460
 [<c015b291>] __do_fault+0x171/0x3b0
 [<c0150c40>] filemap_fault+0x0/0x460
 [<c015d0c2>] handle_mm_fault+0xf2/0x600
 [<c03cf42f>] sys_socketcall+0x24f/0x280
 [<c013b62d>] do_gettimeofday+0xd/0x30
 [<c0102f3d>] sysenter_past_esp+0x6a/0x91
 =======================
Code: ff ff c7 44 24 0c 74 09 00 00 c7 44 24 08 a9 37 5a c0 c7 44 24 04 bb 37 5a c0 c7 04 24 2c 6e 5a c0 e8 95 1c d5 ff e9 02 ff ff ff <0f> 0b eb fe 0f 0b eb fe 90 8d b4 26 00 00 00 00 53 89 d3 83 ec
EIP: [<c03d2be0>] __skb_to_sgvec+0x280/0x290 SS:ESP 0068:d9599bd0

Modules linked in: radeon drm rfcomm l2cap binfmt_misc ppdev lp cpufreq_userspace cpufreq_conservative cpufreq_powersave cpufreq_ondemand ipt_TTL ipt_ttl ipt_REDIRECT ipt_recent ipt_NETMAP ipt_MASQUERADE ipt_ECN ipt_ecn ipt_addrtype nf_nat_tftp nf_nat_snmp_basic nf_nat_sip nf_nat_pptp nf_nat_proto_gre nf_nat_irc nf_nat_h323 nf_nat_ftp nf_nat_amanda ts_kmp nf_conntrack_amanda nf_conntrack_tftp nf_conntrack_sip nf_conntrack_proto_sctp nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_netbios_ns nf_conntrack_irc nf_conntrack_h323 nf_conntrack_ftp xt_tcpmss xt_pkttype xt_mark xt_mac xt_limit xt_length xt_helper xt_hashlimit xt_dccp xt_conntrack xt_CONNMARK xt_connmark xt_state iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nls_cp437 loop 8250_pci hci_usb bluetooth snd_intel8x0m snd_inte
 l8x0 snd_ac97_codec irtty_sir ac97_bus sir_dev snd_pcm_oss snd_mixer_oss parport_pc 8250_pnp snd_pcm 8250 irda snd_timer serial_core snd parport crc_ccitt floppy soundcore ide_cd_mod ipw2100 cdro
 i2c_i801 snd_page_alloc ieee80211 ieee80211_crypt e1000 ehci_hcd uhci_hcd video usbcore output evdev

Pid: 5516, comm: ping Tainted: G      D  (2.6.25-02632-g358c129 #3)
EIP: 0060:[<c03d2be0>] EFLAGS: 00010206 CPU: 0
EIP is at __skb_to_sgvec+0x280/0x290
EAX: dc3fbc40 EBX: 00000048 ECX: dfa68a80 EDX: d9569100
ESI: 00000000 EDI: 00000014 EBP: 00000078 ESP: d9599bd0
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
---[ end trace ff7f9acec52365a5 ]---