struct ipsec_sa *
__ipsec_sa_get(struct ipsec_sa *ips, const char *func, int line)
{
if (ips == NULL)
return NULL;
#ifdef CONFIG_KLIPS_DEBUG
if(debug_xform) {
char sa[SATOT_BUF];
size_t sa_len;
sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
KLIPS_PRINT(debug_xform,
"ipsec_sa_get: "
"ipsec_sa %p SA:%s, ref:%d reference count (%d++) incremented by %s:%d.\n",
ips,
sa_len ? sa : " (error)",
ips->ips_ref,
atomic_read(&ips->ips_refcount),
func, line);
}
#endif
atomic_inc(&ips->ips_refcount);
// check to make sure we were not deleted
if (ips->ips_marked_deleted) {
// we cannot use this reference
ipsec_sa_put (ips);
ips = NULL;
}
return ips;
}
IPSEC_PROCFS_DEBUG_NO_STATIC
int ipsec_spigrp_show(struct seq_file *seq, void *offset)
{
int i;
struct ipsec_sa *sa_p, *sa_p2;
char sa[SATOT_BUF];
size_t sa_len;
KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
"klips_debug:ipsec_spigrp_show: seq=%p offset=%p\n",
seq, offset);
spin_lock_bh(&tdb_lock);
for (i = 0; i < SADB_HASHMOD; i++) {
for (sa_p = ipsec_sadb_hash[i]; sa_p != NULL; sa_p = sa_p->ips_hnext) {
sa_p2 = sa_p;
while (sa_p2 != NULL) {
struct ipsec_sa *sa2n;
sa_len = satot(&sa_p2->ips_said,
'x', sa, sizeof(sa));
seq_printf(seq, "%s ", sa_len ? sa : " (error)");
sa2n = sa_p2->ips_next;
sa_p2 = sa2n;
}
seq_printf(seq, "\n");
}
}
spin_unlock_bh(&tdb_lock);
return 0;
}
void
__ipsec_sa_put(struct ipsec_sa *ips, const char *func, int line)
{
if(ips == NULL) {
KLIPS_PRINT(debug_xform,
"ipsec_sa_put: "
"null pointer passed in!\n");
return;
}
#ifdef CONFIG_KLIPS_DEBUG
if(debug_xform) {
char sa[SATOT_BUF];
size_t sa_len;
sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
KLIPS_PRINT(debug_xform,
"ipsec_sa_put: "
"ipsec_sa %p SA:%s, ref:%d reference count (%d--) decremented by %s:%d.\n",
ips,
sa_len ? sa : " (error)",
ips->ips_ref,
atomic_read(&ips->ips_refcount),
func, line);
}
#endif
if(atomic_dec_and_test(&ips->ips_refcount)) {
KLIPS_PRINT(debug_xform,
"ipsec_sa_put: freeing %p\n",
ips);
/* it was zero */
ipsec_sa_wipe(ips);
}
return;
}
IPSEC_PROCFS_DEBUG_NO_STATIC
int ipsec_spi_format(struct ipsec_sa *sa_p, struct seq_file *seq)
{
char sa[SATOT_BUF];
char buf_s[SUBNETTOA_BUF];
char buf_d[SUBNETTOA_BUF];
size_t sa_len;
ipsec_sa_get(sa_p, IPSEC_REFPROC);
sa_len = satot(&sa_p->ips_said, 'x', sa, sizeof(sa));
seq_printf(seq, "%s ", sa_len ? sa : " (error)");
seq_printf(seq, "%s%s%s", IPS_XFORM_NAME(sa_p));
seq_printf(seq, ": dir=%s", (sa_p->ips_flags & EMT_INBOUND) ? "in " : "out");
if (sa_p->ips_addr_s) {
sin_addrtot(sa_p->ips_addr_s, 0, buf_s, sizeof(buf_s));
seq_printf(seq, " src=%s", buf_s);
}
if ((sa_p->ips_said.proto == IPPROTO_IPIP)
&& (sa_p->ips_flags & (SADB_X_SAFLAGS_INFLOW
|SADB_X_SAFLAGS_POLICYONLY))) {
if (sa_p->ips_flow_s.u.v4.sin_family == AF_INET) {
subnettoa(sa_p->ips_flow_s.u.v4.sin_addr,
sa_p->ips_mask_s.u.v4.sin_addr,
0,
buf_s,
sizeof(buf_s));
subnettoa(sa_p->ips_flow_d.u.v4.sin_addr,
sa_p->ips_mask_d.u.v4.sin_addr,
0,
buf_d,
sizeof(buf_d));
} else {
subnet6toa(&sa_p->ips_flow_s.u.v6.sin6_addr,
&sa_p->ips_mask_s.u.v6.sin6_addr,
0,
buf_s,
sizeof(buf_s));
subnet6toa(&sa_p->ips_flow_d.u.v6.sin6_addr,
&sa_p->ips_mask_d.u.v6.sin6_addr,
0,
buf_d,
sizeof(buf_d));
}
seq_printf(seq, " policy=%s->%s", buf_s, buf_d);
}
if (sa_p->ips_iv_bits) {
int j;
seq_printf(seq, " iv_bits=%dbits iv=0x", sa_p->ips_iv_bits);
for (j = 0; j < sa_p->ips_iv_bits / 8; j++) {
#ifdef CONFIG_KLIPS_OCF
if (sa_p->ips_iv == NULL) {
/*
* ocf doesn't set the IV
* so fake it for the test cases
*/
seq_printf(seq, "%02x", 0xA5 + j);
} else
#endif
seq_printf(seq, "%02x", ((__u8*)sa_p->ips_iv)[j]);
}
}
if (sa_p->ips_encalg || sa_p->ips_authalg) {
if (sa_p->ips_replaywin)
seq_printf(seq, " ooowin=%d", sa_p->ips_replaywin);
if (sa_p->ips_errs.ips_replaywin_errs)
seq_printf(seq, " ooo_errs=%d", sa_p->ips_errs.ips_replaywin_errs);
if (sa_p->ips_replaywin_lastseq)
seq_printf(seq, " seq=%d", sa_p->ips_replaywin_lastseq);
if (sa_p->ips_replaywin_bitmap)
seq_printf(seq, " bit=0x%Lx", sa_p->ips_replaywin_bitmap);
if (sa_p->ips_replaywin_maxdiff)
seq_printf(seq, " max_seq_diff=%d", sa_p->ips_replaywin_maxdiff);
}
if (sa_p->ips_flags & ~EMT_INBOUND) {
seq_printf(seq, " flags=0x%x", sa_p->ips_flags & ~EMT_INBOUND);
seq_printf(seq, "<");
/* flag printing goes here */
seq_printf(seq, ">");
}
if (sa_p->ips_auth_bits)
seq_printf(seq, " alen=%d", sa_p->ips_auth_bits);
if (sa_p->ips_key_bits_a)
seq_printf(seq, " aklen=%d", sa_p->ips_key_bits_a);
if (sa_p->ips_errs.ips_auth_errs)
seq_printf(seq, " auth_errs=%d", sa_p->ips_errs.ips_auth_errs);
if (sa_p->ips_key_bits_e)
seq_printf(seq, " eklen=%d", sa_p->ips_key_bits_e);
if (sa_p->ips_errs.ips_encsize_errs)
seq_printf(seq, " encr_size_errs=%d", sa_p->ips_errs.ips_encsize_errs);
if (sa_p->ips_errs.ips_encpad_errs)
seq_printf(seq, " encr_pad_errs=%d", sa_p->ips_errs.ips_encpad_errs);
seq_printf(seq, " jiffies=%lu", jiffies);
seq_printf(seq, " life(c,s,h)=");
ipsec_lifetime_format(seq, "alloc",
ipsec_life_countbased, &sa_p->ips_life.ipl_allocations);
ipsec_lifetime_format(seq, "bytes",
ipsec_life_countbased, &sa_p->ips_life.ipl_bytes);
ipsec_lifetime_format(seq, "addtime",
ipsec_life_timebased, &sa_p->ips_life.ipl_addtime);
ipsec_lifetime_format(seq, "usetime",
ipsec_life_timebased, &sa_p->ips_life.ipl_usetime);
ipsec_lifetime_format(seq, "packets",
ipsec_life_countbased, &sa_p->ips_life.ipl_packets);
if (sa_p->ips_life.ipl_usetime.ipl_last) { /* XXX-MCR should be last? */
seq_printf(seq, " idle=%Ld",
ipsec_jiffieshz_elapsed(jiffies/HZ, sa_p->ips_life.ipl_usetime.ipl_last));
}
#ifdef CONFIG_KLIPS_IPCOMP
if (sa_p->ips_said.proto == IPPROTO_COMP &&
(sa_p->ips_comp_ratio_dbytes ||
sa_p->ips_comp_ratio_cbytes)) {
seq_printf(seq, " ratio=%Ld:%Ld",
sa_p->ips_comp_ratio_dbytes,
sa_p->ips_comp_ratio_cbytes);
}
#endif /* CONFIG_KLIPS_IPCOMP */
seq_printf(seq, " natencap=");
switch (sa_p->ips_natt_type) {
case 0:
seq_printf(seq, "none");
break;
case ESPINUDP_WITH_NON_IKE:
seq_printf(seq, "nonike");
break;
case ESPINUDP_WITH_NON_ESP:
seq_printf(seq, "nonesp");
break;
default:
seq_printf(seq, "unknown");
break;
}
seq_printf(seq, " natsport=%d", sa_p->ips_natt_sport);
seq_printf(seq, " natdport=%d", sa_p->ips_natt_dport);
/* we decrement by one, because this SA has been referenced in order to dump this info */
seq_printf(seq, " refcount=%d", atomic_read(&sa_p->ips_refcount)-1);
#ifdef IPSEC_SA_RECOUNT_DEBUG
{
int f;
seq_printf(seq, "[");
for (f = 0; f < sizeof(sa_p->ips_track); f++)
seq_printf(seq, "%s%d", f == 0 ? "" : ",", sa_p->ips_track[f]);
seq_printf(seq, "]");
}
#endif
seq_printf(seq, " ref=%d", sa_p->ips_ref);
seq_printf(seq, " refhim=%d", sa_p->ips_refhim);
if (sa_p->ips_out) {
seq_printf(seq, " outif=%s:%d",
sa_p->ips_out->name,
sa_p->ips_transport_direct);
}
if (debug_xform) {
seq_printf(seq, " reftable=%lu refentry=%lu",
(unsigned long)IPsecSAref2table(sa_p->ips_ref),
(unsigned long)IPsecSAref2entry(sa_p->ips_ref));
}
seq_printf(seq, "\n");
ipsec_sa_put(sa_p, IPSEC_REFPROC);
return 0;
}
int main(int argc, char *argv[])
{
__u32 spi = 0;
int c;
ip_said said;
const char *error_s;
char ipsaid_txt[SATOT_BUF];
int outif = 0;
int error = 0;
ssize_t io_error;
int argcount = argc;
pid_t mypid;
int listenreply = 0;
unsigned char authalg, encryptalg;
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
struct sadb_msg *pfkey_msg;
char *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt,
*src_opt;
u_int32_t natt;
u_int16_t sport, dport;
uint32_t life[life_maxsever][life_maxtype];
char *life_opt[life_maxsever][life_maxtype];
struct stat sts;
struct sadb_builds sab;
progname = argv[0];
mypid = getpid();
natt = 0;
sport = 0;
dport = 0;
tool_init_log();
zero(&said); /* OK: no pointer fields */
edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt =
src_opt = NULL;
{
int i, j;
for (i = 0; i < life_maxsever; i++) {
for (j = 0; j < life_maxtype; j++) {
life_opt[i][j] = NULL;
life[i][j] = 0;
}
}
}
while ((c = getopt_long(argc, argv,
"" /*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/,
longopts, 0)) != EOF) {
unsigned long u;
err_t ugh;
switch (c) {
case 'g':
debug = TRUE;
pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
/* paul: this is a plutoism? cur_debugging = 0xffffffff; */
argcount--;
break;
case 'R':
listenreply = 1;
argcount--;
break;
case 'r':
dumpsaref = 1;
argcount--;
break;
case 'b': /* set the SAref to use */
ugh = ttoulb(optarg, 0, 0, INT_MAX, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid SAREFi parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
saref_me = u;
argcount--;
break;
case 'B': /* set the SAref to use for outgoing packets */
ugh = ttoulb(optarg, 0, 0, INT_MAX, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid SAREFo parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
saref_him = u;
argcount--;
break;
case 'O': /* set interface from which packet should arrive */
ugh = ttoulb(optarg, 0, 0, INT_MAX, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid outif parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
outif = u;
argcount--;
break;
case 'l':
{
static const char combine_fmt[] = "%s --label %s";
size_t room = strlen(argv[0]) +
sizeof(combine_fmt) +
strlen(optarg);
progname = malloc(room);
snprintf(progname, room, combine_fmt,
argv[0],
optarg);
tool_close_log();
tool_init_log();
argcount -= 2;
break;
}
case 'H':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
if (streq(optarg, "hmac-md5-96")) {
alg = XF_AHHMACMD5;
} else if (streq(optarg, "hmac-sha1-96")) {
alg = XF_AHHMACSHA1;
} else {
fprintf(stderr,
"%s: Unknown authentication algorithm '%s' follows '--ah' option.\n",
progname, optarg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'P':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = decode_esp(optarg);
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'Z':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
if (streq(optarg, "deflate")) {
alg = XF_COMPDEFLATE;
} else if (streq(optarg, "lzs")) {
alg = XF_COMPLZS;
} else {
fprintf(stderr,
"%s: Unknown compression algorithm '%s' follows '--comp' option.\n",
progname, optarg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case '4':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_IP4;
address_family = AF_INET;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case '6':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_IP6;
address_family = AF_INET6;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'd':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_DEL;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'c':
if (alg) {
fprintf(stderr,
"%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
progname);
exit(1);
}
alg = XF_CLR;
if (debug) {
fprintf(stdout, "%s: Algorithm %d selected.\n",
progname,
alg);
}
break;
case 'e':
if (said_opt) {
fprintf(stderr,
"%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (edst_opt) {
fprintf(stderr,
"%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit(1);
}
error_s = ttoaddr(optarg, 0, address_family, &edst);
if (error_s != NULL) {
if (error_s) {
fprintf(stderr,
"%s: Error, %s converting --edst argument:%s\n",
progname, error_s, optarg);
exit(1);
}
}
edst_opt = optarg;
if (debug) {
ipstr_buf b;
fprintf(stdout, "%s: edst=%s.\n",
progname,
ipstr(&edst, &b));
}
break;
case 's':
if (said_opt != NULL) {
fprintf(stderr,
"%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (spi_opt != NULL) {
fprintf(stderr,
"%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit(1);
}
ugh = ttoulb(optarg, 0, 0, 0xFFFFFFFFul, &u);
if (ugh == NULL && u < 0x100)
ugh = "0 - 0xFF are reserved";
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid SPI parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
spi = u;
spi_opt = optarg;
break;
case 'p':
if (said_opt != NULL) {
fprintf(stderr,
"%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (proto_opt != NULL) {
fprintf(stderr,
"%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit(1);
}
if (streq(optarg, "ah")) {
proto = SA_AH;
} else if (streq(optarg, "esp")) {
proto = SA_ESP;
} else if (streq(optarg, "tun")) {
proto = SA_IPIP;
} else if (streq(optarg, "comp")) {
proto = SA_COMP;
} else {
fprintf(stderr,
"%s: Invalid PROTO parameter: %s\n",
progname, optarg);
exit(1);
}
proto_opt = optarg;
break;
case 'a':
if (said_opt) {
fprintf(stderr,
"%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (af_opt) {
fprintf(stderr,
"%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n",
progname, optarg, af_opt);
exit(1);
}
if (streq(optarg, "inet")) {
address_family = AF_INET;
/* currently we ensure that all addresses belong to the same address family */
anyaddr(address_family, &dst);
anyaddr(address_family, &edst);
anyaddr(address_family, &src);
} else if (streq(optarg, "inet6")) {
address_family = AF_INET6;
/* currently we ensure that all addresses belong to the same address family */
anyaddr(address_family, &dst);
anyaddr(address_family, &edst);
anyaddr(address_family, &src);
} else {
fprintf(stderr,
"%s: Invalid ADDRESS FAMILY parameter: %s.\n",
progname, optarg);
exit(1);
}
af_opt = optarg;
break;
case 'I':
if (said_opt) {
fprintf(stderr,
"%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
progname, optarg, said_opt);
exit(1);
}
if (proto_opt) {
fprintf(stderr,
"%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, proto_opt);
exit(1);
}
if (edst_opt) {
fprintf(stderr,
"%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, edst_opt);
exit(1);
}
if (spi_opt) {
fprintf(stderr,
"%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
progname, optarg, spi_opt);
exit(1);
}
error_s = ttosa(optarg, 0, &said);
if (error_s != NULL) {
fprintf(stderr,
"%s: Error, %s converting --sa argument:%s\n",
progname, error_s, optarg);
exit(1);
}
if (debug) {
satot(&said, 0, ipsaid_txt,
sizeof(ipsaid_txt));
fprintf(stdout, "%s: said=%s.\n",
progname,
ipsaid_txt);
}
/* init the src and dst with the same address family */
if (address_family == 0) {
address_family = addrtypeof(&said.dst);
} else if (address_family != addrtypeof(&said.dst)) {
fprintf(stderr,
"%s: Error, specified address family (%d) is different that of SAID: %s\n",
progname, address_family, optarg);
exit(1);
}
anyaddr(address_family, &dst);
anyaddr(address_family, &edst);
anyaddr(address_family, &src);
said_opt = optarg;
break;
case 'A':
decode_blob(optarg, "Authentication Key", &authkey, &authkeylen);
break;
case 'E':
decode_blob(optarg, "Encryption Key", &enckey, &enckeylen);
break;
case 'w':
{
err_t ugh = ttoul(optarg, 0, 0, &replay_window);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid replay_window parameter: %s\n",
progname, ugh);
exit(1);
}
if (!(1 <= replay_window && replay_window <= 64)) {
fprintf(stderr,
"%s: Failed -- Illegal window size: arg=%s, replay_window=%lu, must be 1 <= size <= 64.\n",
progname, optarg, replay_window);
exit(1);
}
}
break;
case 'i':
decode_blob(optarg, "IV", &iv, &ivlen);
break;
case 'D':
if (dst_opt) {
fprintf(stderr,
"%s: Error, DST parameter redefined:%s, already defined as:%s\n",
progname, optarg, dst_opt);
exit(1);
}
error_s = ttoaddr(optarg, 0, address_family, &dst);
if (error_s != NULL) {
fprintf(stderr,
"%s: Error, %s converting --dst argument:%s\n",
progname, error_s, optarg);
exit(1);
}
dst_opt = optarg;
if (debug) {
ipstr_buf b;
fprintf(stdout, "%s: dst=%s.\n",
progname,
ipstr(&dst, &b));
}
break;
case 'F': /* src port */
{
unsigned long u;
err_t ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid source port parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
sport = u;
}
break;
case 'G': /* dst port */
{
unsigned long u;
err_t ugh = ttoulb(optarg, 0, 0, 0xFFFF, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid destination port parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
dport = u;
}
break;
case 'N': /* nat-type */
if (strcaseeq(optarg, "nonesp")) {
natt = ESPINUDP_WITH_NON_ESP;
} else if (strcaseeq(optarg, "none")) {
natt = 0;
} else {
/* ??? what does this do? Where is it documented? */
unsigned long u;
err_t ugh = ttoulb(optarg, 0, 0, 0xFFFFFFFFul, &u);
if (ugh != NULL) {
fprintf(stderr,
"%s: Invalid character in natt parameter \"%s\": %s\n",
progname, optarg, ugh);
exit(1);
}
natt = u;
}
break;
case 'S':
if (src_opt) {
fprintf(stderr,
"%s: Error, SRC parameter redefined:%s, already defined as:%s\n",
progname, optarg, src_opt);
exit(1);
}
error_s = ttoaddr(optarg, 0, address_family, &src);
if (error_s != NULL) {
fprintf(stderr,
"%s: Error, %s converting --src argument:%s\n",
progname, error_s, optarg);
exit(1);
}
src_opt = optarg;
if (debug) {
ipstr_buf b;
fprintf(stdout, "%s: src=%s.\n",
progname,
ipstr(&src, &b));
}
break;
case 'h':
usage(progname, stdout);
exit(0);
case '?':
usage(progname, stderr);
exit(1);
case 'v':
fprintf(stdout, "%s, %s\n", progname,
ipsec_version_code());
exit(1);
case 'f':
if (parse_life_options(life,
life_opt,
optarg) != 0)
exit(1);
break;
default:
fprintf(stderr,
"%s: unrecognized option '%c', update option processing.\n",
progname, c);
exit(1);
}
}
if (debug) {
fprintf(stdout, "%s: All options processed.\n",
progname);
}
if (stat("/proc/net/pfkey", &sts) == 0) {
fprintf(stderr,
"%s: NETKEY does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
progname);
exit(1);
}
if (argcount == 1) {
int ret = 1;
if ((stat("/proc/net/ipsec_spi", &sts)) != 0) {
fprintf(stderr,
"%s: No spi - no IPsec support in kernel (are the modules loaded?)\n",
progname);
} else {
ret = system("cat /proc/net/ipsec_spi");
ret = ret != -1 &&
WIFEXITED(ret) ? WEXITSTATUS(ret) : 1;
}
exit(ret);
}
switch (alg) {
case XF_OTHER_ALG:
/* validate keysizes */
if (proc_read_ok) {
const struct sadb_alg *alg_p;
size_t keylen, minbits, maxbits;
alg_p = kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,
SADB_EXT_SUPPORTED_ENCRYPT,
esp_info->encryptalg);
assert(alg_p != NULL);
keylen = enckeylen * 8;
minbits = alg_p->sadb_alg_minbits;
maxbits = alg_p->sadb_alg_maxbits;
/*
* if explicit keylen told in encrypt algo, eg "aes128"
* check actual keylen "equality"
*/
if (esp_info->enckeylen &&
esp_info->enckeylen != keylen) {
fprintf(stderr, "%s: invalid encryption keylen=%d, "
"required %d by encrypt algo string=\"%s\"\n",
progname,
(int)keylen,
(int)esp_info->enckeylen,
alg_string);
exit(1);
}
/* thanks DES for this sh*t */
if (minbits > keylen || maxbits < keylen) {
fprintf(stderr, "%s: invalid encryption keylen=%d, "
"must be between %d and %d bits\n",
progname,
(int)keylen,
(int)minbits,
(int)maxbits);
exit(1);
}
alg_p = kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,
SADB_EXT_SUPPORTED_AUTH,
esp_info->authalg);
assert(alg_p);
keylen = authkeylen * 8;
minbits = alg_p->sadb_alg_minbits;
maxbits = alg_p->sadb_alg_maxbits;
if (minbits > keylen || maxbits < keylen) {
fprintf(stderr, "%s: invalid auth keylen=%d, "
"must be between %d and %d bits\n",
progname,
(int)keylen,
(int)minbits,
(int)maxbits);
exit(1);
}
}
/*
* ??? this break was added in a2791fda77a5cfcc6bc992fbc5019f4448112f88
* It is likely correct, but we're not sure.
* Luckily this code is probably never used.
*/
break;
case XF_IP4:
case XF_IP6:
case XF_DEL:
case XF_COMPDEFLATE:
case XF_COMPLZS:
if (!said_opt) {
if (isanyaddr(&edst)) {
fprintf(stderr,
"%s: SA destination not specified.\n",
progname);
exit(1);
}
if (!spi) {
fprintf(stderr, "%s: SA SPI not specified.\n",
progname);
exit(1);
}
if (!proto) {
fprintf(stderr,
"%s: SA PROTO not specified.\n",
progname);
exit(1);
}
initsaid(&edst, htonl(spi), proto, &said);
} else {
proto = said.proto;
spi = ntohl(said.spi);
edst = said.dst;
}
if ((address_family != 0) &&
(address_family != addrtypeof(&said.dst))) {
fprintf(stderr,
"%s: Defined address family and address family of SA missmatch.\n",
progname);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: SA valid.\n",
progname);
}
break;
case XF_CLR:
break;
default:
fprintf(stderr,
"%s: No action chosen. See '%s --help' for usage.\n",
progname, progname);
exit(1);
}
switch (alg) {
case XF_CLR:
case XF_DEL:
case XF_IP4:
case XF_IP6:
case XF_COMPDEFLATE:
case XF_COMPLZS:
case XF_OTHER_ALG:
break;
default:
fprintf(stderr,
"%s: No action chosen. See '%s --help' for usage.\n",
progname, progname);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: Algorithm ok.\n",
progname);
}
pfkey_sock = pfkey_open_sock_with_error();
if (pfkey_sock < 0)
exit(1);
/* Build an SADB_ADD message to send down. */
/* It needs <base, SA, address(SD), key(AE)> minimum. */
/* Lifetime(HS) could be added before addresses. */
pfkey_extensions_init(extensions);
error = pfkey_msg_hdr_build(&extensions[0],
alg == XF_DEL ? SADB_DELETE :
alg == XF_CLR ? SADB_FLUSH :
SADB_ADD,
proto2satype(proto),
0,
++pfkey_seq,
mypid);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building message header, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
switch (alg) {
case XF_OTHER_ALG:
authalg = esp_info->authalg;
if (debug) {
fprintf(stdout, "%s: debug: authalg=%d\n",
progname, authalg);
}
break;
default:
authalg = SADB_AALG_NONE;
}
switch (alg) {
case XF_COMPDEFLATE:
encryptalg = SADB_X_CALG_DEFLATE;
break;
case XF_COMPLZS:
encryptalg = SADB_X_CALG_LZS;
break;
case XF_OTHER_ALG:
encryptalg = esp_info->encryptalg;
if (debug) {
fprintf(stdout, "%s: debug: encryptalg=%d\n",
progname, encryptalg);
}
break;
default:
encryptalg = SADB_EALG_NONE;
}
/* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */
if (!(alg == XF_CLR)) {
sab.sa_base.sadb_sa_len = 0;
sab.sa_base.sadb_sa_exttype = SADB_EXT_SA;
sab.sa_base.sadb_sa_spi = htonl(spi);
sab.sa_base.sadb_sa_replay = replay_window;
sab.sa_base.sadb_sa_state = K_SADB_SASTATE_MATURE;
sab.sa_base.sadb_sa_auth = authalg;
sab.sa_base.sadb_sa_encrypt = encryptalg;
sab.sa_base.sadb_sa_flags = 0;
sab.sa_base.sadb_x_sa_ref = IPSEC_SAREF_NULL;
sab.sa_base.sadb_x_reserved[0] = 0;
sab.sa_base.sadb_x_reserved[1] = 0;
sab.sa_base.sadb_x_reserved[2] = 0;
sab.sa_base.sadb_x_reserved[3] = 0;
error = pfkey_sa_builds(&extensions[SADB_EXT_SA], sab);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building sa extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if (saref_me || saref_him) {
error = pfkey_saref_build(&extensions[
K_SADB_X_EXT_SAREF],
saref_me, saref_him);
if (error) {
fprintf(stderr,
"%s: Trouble building saref extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if (outif != 0) {
error = pfkey_outif_build(&extensions[
SADB_X_EXT_PLUMBIF],
outif);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building outif extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
}
if (debug) {
fprintf(stdout,
"%s: extensions[0]=0p%p previously set with msg_hdr.\n",
progname,
extensions[0]);
}
if (debug) {
fprintf(stdout,
"%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n",
progname,
authalg,
encryptalg);
}
if (debug) {
int i, j;
for (i = 0; i < life_maxsever; i++) {
for (j = 0; j < life_maxtype; j++) {
fprintf(stdout,
"%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n",
progname,
i, j, i, j, life_opt[i][j], i, j,
life[i][j]);
}
}
}
emit_lifetime("lifetime_s", SADB_EXT_LIFETIME_SOFT, extensions, life_opt[life_soft], life[life_soft]);
emit_lifetime("lifetime_h", SADB_EXT_LIFETIME_HARD, extensions, life_opt[life_hard], life[life_hard]);
if (debug) {
ipstr_buf b;
fprintf(stdout,
"%s: assembling address_s extension (%s).\n",
progname, ipstr(&src, &b));
}
error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
SADB_EXT_ADDRESS_SRC,
0,
0,
sockaddrof(&src));
if (error != 0) {
ipstr_buf b;
fprintf(stderr,
"%s: Trouble building address_s extension (%s), error=%d.\n",
progname, ipstr(&src, &b), error);
pfkey_extensions_free(extensions);
exit(1);
}
error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
SADB_EXT_ADDRESS_DST,
0,
0,
sockaddrof(&edst));
if (error != 0) {
ipstr_buf b;
fprintf(stderr,
"%s: Trouble building address_d extension (%s), error=%d.\n",
progname, ipstr(&edst, &b), error);
pfkey_extensions_free(extensions);
exit(1);
}
switch (alg) {
/* Allow no auth ... after all is local root decision 8) */
case XF_OTHER_ALG:
if (!authalg)
break;
error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH],
SADB_EXT_KEY_AUTH,
authkeylen * 8,
authkey);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building key_a extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if (debug) {
fprintf(stdout,
"%s: key_a extension assembled.\n",
progname);
}
break;
default:
break;
}
switch (alg) {
case XF_OTHER_ALG:
if (enckeylen == 0) {
if (debug)
fprintf(stdout, "%s: key not provided (NULL alg?).\n",
progname);
break;
}
error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT],
SADB_EXT_KEY_ENCRYPT,
enckeylen * 8,
enckey);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building key_e extension, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
exit(1);
}
if (debug) {
fprintf(stdout,
"%s: key_e extension assembled.\n",
progname);
}
break;
default:
break;
}
}
if (natt != 0) {
bool success;
int err;
err = pfkey_x_nat_t_type_build(&extensions[
K_SADB_X_EXT_NAT_T_TYPE],
natt);
success = pfkey_build(err,
"pfkey_nat_t_type Add ESP SA",
ipsaid_txt, extensions);
if (!success)
return FALSE;
if (debug)
fprintf(stderr, "setting natt_type to %d\n", natt);
if (sport != 0) {
err = pfkey_x_nat_t_port_build(
&extensions[K_SADB_X_EXT_NAT_T_SPORT],
K_SADB_X_EXT_NAT_T_SPORT,
sport);
success = pfkey_build(err,
"pfkey_nat_t_sport Add ESP SA",
ipsaid_txt, extensions);
if (debug)
fprintf(stderr, "setting natt_sport to %d\n",
sport);
if (!success)
return FALSE;
}
if (dport != 0) {
err = pfkey_x_nat_t_port_build(
&extensions[K_SADB_X_EXT_NAT_T_DPORT],
K_SADB_X_EXT_NAT_T_DPORT,
dport);
success = pfkey_build(err,
"pfkey_nat_t_dport Add ESP SA",
ipsaid_txt, extensions);
if (debug)
fprintf(stderr, "setting natt_dport to %d\n",
dport);
if (!success)
return FALSE;
}
#if 0
/* not yet implemented */
if (natt != 0 && !isanyaddr(&natt_oa)) {
ip_str_buf b;
success = pfkeyext_address(SADB_X_EXT_NAT_T_OA,
&natt_oa,
"pfkey_nat_t_oa Add ESP SA",
ipsaid_txt, extensions);
if (debug)
fprintf(stderr, "setting nat_oa to %s\n",
ipstr(&natt_oa, &b));
if (!success)
return FALSE;
}
#endif
}
if (debug) {
fprintf(stdout, "%s: assembling pfkey msg....\n",
progname);
}
error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
if (error != 0) {
fprintf(stderr,
"%s: Trouble building pfkey message, error=%d.\n",
progname, error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: assembled.\n",
progname);
}
if (debug) {
fprintf(stdout, "%s: writing pfkey msg.\n",
progname);
}
io_error = write(pfkey_sock,
pfkey_msg,
pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
if (io_error < 0) {
fprintf(stderr, "%s: pfkey write failed (errno=%d): ",
progname, errno);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
switch (errno) {
case EACCES:
fprintf(stderr, "access denied. ");
if (getuid() == 0)
fprintf(stderr,
"Check permissions. Should be 600.\n");
else
fprintf(stderr,
"You must be root to open this file.\n");
break;
case EUNATCH:
fprintf(stderr,
"Netlink not enabled OR KLIPS not loaded.\n");
break;
case EBUSY:
fprintf(stderr,
"KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
break;
case EINVAL:
fprintf(stderr,
"Invalid argument, check kernel log messages for specifics.\n");
break;
case ENODEV:
fprintf(stderr, "KLIPS not loaded or enabled.\n");
fprintf(stderr, "No device?!?\n");
break;
case ENOBUFS:
fprintf(stderr, "No kernel memory to allocate SA.\n");
break;
case ESOCKTNOSUPPORT:
fprintf(stderr,
"Algorithm support not available in the kernel. Please compile in support.\n");
break;
case EEXIST:
fprintf(stderr,
"SA already in use. Delete old one first.\n");
break;
case ENOENT:
fprintf(stderr,
"device does not exist. See Libreswan installation procedure.\n");
break;
case ENXIO:
case ESRCH:
fprintf(stderr,
"SA does not exist. Cannot delete.\n");
break;
case ENOSPC:
fprintf(stderr,
"no room in kernel SAref table. Cannot process request.\n");
break;
case ESPIPE:
fprintf(stderr,
"kernel SAref table internal error. Cannot process request.\n");
break;
default:
fprintf(stderr,
"Unknown socket write error %d (%s). Please report as much detail as possible to development team.\n",
errno, strerror(errno));
}
exit(1);
} else if (io_error !=
(ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
fprintf(stderr, "%s: pfkey write truncated to %d bytes\n",
progname, (int)io_error);
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
exit(1);
}
if (debug) {
fprintf(stdout, "%s: pfkey command written to socket.\n",
progname);
}
if (pfkey_msg != NULL) {
pfkey_extensions_free(extensions);
pfkey_msg_free(&pfkey_msg);
}
if (debug) {
fprintf(stdout, "%s: pfkey message buffer freed.\n",
progname);
}
if (authkey != NULL) {
memset(authkey, 0, authkeylen);
free(authkey);
}
if (enckey != NULL) {
memset(enckey, 0, enckeylen);
free(enckey);
}
if (iv != NULL) {
memset(iv, 0, ivlen);
free(iv);
}
if (listenreply || saref_me || dumpsaref) {
ssize_t readlen;
unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE];
while ((readlen = read(pfkey_sock, pfkey_buf,
sizeof(pfkey_buf))) > 0) {
struct sadb_ext *extensions[K_SADB_EXT_MAX + 1];
pfkey_extensions_init(extensions);
pfkey_msg = (struct sadb_msg *)pfkey_buf;
/* first, see if we got enough for an sadb_msg */
if ((size_t)readlen < sizeof(struct sadb_msg)) {
if (debug) {
printf("%s: runt packet of size: %ld (<%lu)\n",
progname, (long)readlen,
(unsigned long)sizeof(struct
sadb_msg));
}
continue;
}
/* okay, we got enough for a message, print it out */
if (debug) {
printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n",
progname,
pfkey_msg->sadb_msg_version,
pfkey_msg->sadb_msg_type,
pfkey_v2_sadb_type_string(pfkey_msg->
sadb_msg_type),
pfkey_msg->sadb_msg_seq,
pfkey_msg->sadb_msg_len,
pfkey_msg->sadb_msg_pid,
pfkey_msg->sadb_msg_errno,
pfkey_msg->sadb_msg_satype,
satype2name(pfkey_msg->sadb_msg_satype));
}
if (readlen !=
(ssize_t)(pfkey_msg->sadb_msg_len *
IPSEC_PFKEYv2_ALIGN)) {
if (debug) {
printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n",
progname,
(int)readlen,
(unsigned)pfkey_msg->sadb_msg_len,
(unsigned)IPSEC_PFKEYv2_ALIGN);
}
continue;
}
if (pfkey_msg_parse(pfkey_msg, NULL, extensions,
EXT_BITS_OUT)) {
if (debug) {
printf("%s: unparseable PF_KEY message.\n",
progname);
}
continue;
}
if (debug) {
printf("%s: parseable PF_KEY message.\n",
progname);
}
if ((pid_t)pfkey_msg->sadb_msg_pid == mypid) {
if (saref_me || dumpsaref) {
struct sadb_x_saref *s =
(struct sadb_x_saref *)
extensions[
K_SADB_X_EXT_SAREF];
if (s != NULL) {
printf("%s: saref=%d/%d\n",
progname,
s->sadb_x_saref_me,
s->sadb_x_saref_him);
}
}
break;
}
}
}
(void) close(pfkey_sock); /* close the socket */
if (debug || listenreply)
printf("%s: exited normally\n", progname);
exit(0);
}
int
ipsec_sa_print(struct ipsec_sa *ips)
{
char sa[SATOT_BUF];
size_t sa_len;
printk(KERN_INFO "klips_debug: SA:");
if(ips == NULL) {
printk("NULL\n");
return -ENOENT;
}
printk(" ref=%d", ips->ips_ref);
printk(" refcount=%d", atomic_read(&ips->ips_refcount));
if(ips->ips_hnext != NULL) {
printk(" hnext=0p%p", ips->ips_hnext);
}
if(ips->ips_next != NULL) {
printk(" next=0p%p", ips->ips_next);
}
sa_len = satot(&ips->ips_said, 0, sa, sizeof(sa));
printk(" said=%s", sa_len ? sa : " (error)");
if(ips->ips_seq) {
printk(" seq=%u", ips->ips_seq);
}
if(ips->ips_pid) {
printk(" pid=%u", ips->ips_pid);
}
if(ips->ips_authalg) {
printk(" authalg=%u", ips->ips_authalg);
}
if(ips->ips_encalg) {
printk(" encalg=%u", ips->ips_encalg);
}
printk(" XFORM=%s%s%s", IPS_XFORM_NAME(ips));
if(ips->ips_replaywin) {
printk(" ooowin=%u", ips->ips_replaywin);
}
if(ips->ips_flags) {
printk(" flags=%u", ips->ips_flags);
}
if(ips->ips_addr_s) {
char buf[SUBNETTOA_BUF];
addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr,
0, buf, sizeof(buf));
printk(" src=%s", buf);
}
if(ips->ips_addr_d) {
char buf[SUBNETTOA_BUF];
addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr,
0, buf, sizeof(buf));
printk(" dst=%s", buf);
}
if(ips->ips_addr_p) {
char buf[SUBNETTOA_BUF];
addrtoa(((struct sockaddr_in*)(ips->ips_addr_p))->sin_addr,
0, buf, sizeof(buf));
printk(" proxy=%s", buf);
}
if(ips->ips_key_bits_a) {
printk(" key_bits_a=%u", ips->ips_key_bits_a);
}
if(ips->ips_key_bits_e) {
printk(" key_bits_e=%u", ips->ips_key_bits_e);
}
printk("\n");
return 0;
}
enum ipsec_rcv_value
ipsec_rcv_ipcomp_decomp(struct ipsec_rcv_state *irs)
{
unsigned int flags = 0;
struct ipsec_sa *ipsp = irs->ipsp;
struct sk_buff *skb;
skb=irs->skb;
ipsec_xmit_dmp("ipcomp", skb->data, skb->len);
if(ipsp == NULL) {
return IPSEC_RCV_SAIDNOTFOUND;
}
#if 0
/* we want to check that this wasn't the first SA on the list, because
* we don't support bare IPCOMP, for unexplained reasons. MCR
*/
if (ipsp->ips_onext != NULL) {
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv: "
"Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n",
irs->sa_len ? irs->sa : " (error)");
if(irs->stats) {
irs->stats->rx_dropped++;
}
return IPSEC_RCV_IPCOMPALONE;
}
#endif
if(sysctl_ipsec_inbound_policy_check &&
((((ntohl(ipsp->ips_said.spi) & 0x0000ffff) != ntohl(irs->said.spi)) &&
(ipsp->ips_encalg != ntohl(irs->said.spi)) /* this is a workaround for peer non-compliance with rfc2393 */
))) {
char sa2[SATOT_BUF];
size_t sa_len2 = 0;
sa_len2 = satot(&ipsp->ips_said, 0, sa2, sizeof(sa2));
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv: "
"Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
irs->sa_len ? irs->sa : " (error)",
ipsp != NULL ? (sa_len2 ? sa2 : " (error)") : "NULL",
ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi),
(__u32)ntohl(irs->said.spi),
ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0);
if(irs->stats) {
irs->stats->rx_dropped++;
}
return IPSEC_RCV_SAIDNOTFOUND;
}
ipsp->ips_comp_ratio_cbytes += ntohs(irs->ipp->tot_len);
irs->next_header = irs->protostuff.ipcompstuff.compp->ipcomp_nh;
skb = skb_decompress(skb, ipsp, &flags);
if (!skb || flags) {
spin_unlock(&tdb_lock);
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv: "
"skb_decompress() returned error flags=%x, dropped.\n",
flags);
if (irs->stats) {
if (flags)
irs->stats->rx_errors++;
else
irs->stats->rx_dropped++;
}
return IPSEC_RCV_IPCOMPFAILED;
}
/* make sure we update the pointer */
irs->skb = skb;
#ifdef NET_21
irs->ipp = skb->nh.iph;
#else /* NET_21 */
irs->ipp = skb->ip_hdr;
#endif /* NET_21 */
ipsp->ips_comp_ratio_dbytes += ntohs(irs->ipp->tot_len);
KLIPS_PRINT(debug_rcv,
"klips_debug:ipsec_rcv: "
"packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
irs->sa_len ? irs->sa : " (error)",
(__u32)ntohl(irs->said.spi),
ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0,
irs->next_header);
KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, irs->ipp);
return IPSEC_RCV_OK;
}
