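ipsecdevices[i]=dev_ipsec;
		if (register_netdev(dev_ipsec) != 0) {
			KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_init_devices: "
				    "registering device %s failed, quitting device init.\n",
				    dev_ipsec->name);
			return -EIO;
		} else {
			KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
				    "klips_debug:ipsec_tunnel_init_devices: "
				    "registering device %s succeeded, continuing...\n",
				    dev_ipsec->name);
		}
	}
	return 0;
}

/*
 * Tear down every virtual ipsec device held in ipsecdevices[].
 *
 * For each non-NULL slot: clear the slot, drop the reference with
 * ipsec_dev_put(), unregister the net_device, then free the per-device
 * allocations (priv, and on pre-NETDEV_23 kernels the separately
 * allocated name).  Freed pointers are reset to NULL so a repeated
 * call cannot double-free them.
 *
 * Returns 0 always: nothing in the loop reports failure, so `error`
 * never leaves its initial value.  The int return type is kept for
 * existing callers.
 *
 * NOTE(review): the struct net_device itself is not freed here; whether
 * unregister_netdev() or a destructor owns that memory is not visible
 * in this part of the file -- confirm against the init path before
 * changing that.
 */
/* void */
int
ipsec_tunnel_cleanup_devices(void)
{
	int error = 0;
	int i;
	struct net_device *dev_ipsec;

	for(i = 0; i < IPSEC_NUM_IF; i++) {
		dev_ipsec = ipsecdevices[i];
		if(dev_ipsec == NULL) {
			continue;
		}

		/* release reference */
		ipsecdevices[i]=NULL;
		ipsec_dev_put(dev_ipsec);

		/*
		 * Log the device's own name.  The previous version passed an
		 * uninitialised local char[32] here, so the "%s" read whatever
		 * was on the stack (and, with no terminator guaranteed, could
		 * run past the buffer) into the kernel log.
		 */
		KLIPS_PRINT(debug_tunnel,
			    "Unregistering %s (refcnt=%d)\n",
			    dev_ipsec->name,
			    atomic_read(&dev_ipsec->refcnt));
		unregister_netdev(dev_ipsec);
		/* dev_ipsec->name is still owned by us at this point: it is
		 * only released a few lines below (pre-NETDEV_23 builds). */
		KLIPS_PRINT(debug_tunnel,
			    "Unregisted %s\n",
			    dev_ipsec->name);
#ifndef NETDEV_23
		kfree(dev_ipsec->name);
		dev_ipsec->name=NULL;
#endif /* !NETDEV_23 */
		kfree(dev_ipsec->priv);
		dev_ipsec->priv=NULL;
	}
	return error;
}

/*
 * $Log: ipsec_tunnel.c,v $
 * Revision 1.227 2004/12/10 21:16:08 ken
 * 64bit fixes from Opteron port of KLIPS 2.6
 *
 * Revision 1.226 2004/12/04 07:11:23 mcr
 * fix for snmp SIOCPRIVATE use of snmpd.
 * http://bugs.xelerance.com/view.php?id=144
 *
 * Revision 1.225 2004/12/03 21:25:57 mcr
 * compile time fixes for running on 2.6.
 * still experimental.
 *
 * Revision 1.224 2004/08/14 03:28:24 mcr
 * fixed log comment to remove warning about embedded comment.
 *
 * Revision 1.223 2004/08/04 15:57:07 mcr
 * moved des .h files to include/des/
 *
 * included 2.6 protocol specific things
 * started at NAT-T support, but it will require a kernel patch.
 *
 * Revision 1.222 2004/08/03 18:19:08 mcr
 * in 2.6, use "net_device" instead of #define device->net_device.
 * this probably breaks 2.0 compiles.
 *
 * Revision 1.221 2004/07/10 19:11:18 mcr
 * CONFIG_IPSEC -> CONFIG_KLIPS.
 *
 * Revision 1.220 2004/04/06 02:49:26 mcr
 * pullup of algo code from alg-branch.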
 *
 * Revision 1.219 2004/02/03 03:13:17 mcr
 * minor edits for readability, and error reporting.
 *
 * Revision 1.218 2004/01/27 20:29:20 mcr
 * fix for unregister_netdev() problem for underlying eth0.
 *
 * Revision 1.217 2003/12/10 01:14:27 mcr
 * NAT-traversal patches to KLIPS.
 *
 * Revision 1.216 2003/12/04 23:01:17 mcr
 * removed ipsec_netlink.h
 *
 * Revision 1.215 2003/12/04 16:35:16 ken
 * Fix for ATM devices where physdev->hard_header_len *is* correct
 *
 * Revision 1.214 2003/11/25 23:52:37 mcr
 * fix typo in patch - ixs-> needed.
 *
 * Revision 1.213 2003/11/24 18:25:49 mcr
 * patch from willy@w.ods.org to fix problems with ATM interfaces.
 *
 * Revision 1.212 2003/10/31 02:27:55 mcr
 * pulled up port-selector patches and sa_id elimination.
 *
 * Revision 1.211.2.2 2003/10/29 01:30:41 mcr
 * eliminated "struct sa_id".
 *
 * Revision 1.211.2.1 2003/09/21 13:59:56 mcr
 * preliminary X.509 patch - does not yet pass tests.
 *
 * Revision 1.211 2003/09/10 16:46:30 mcr
 * patches for 2.4 backport/2.6 existence.
 *
 * Revision 1.210 2003/07/31 22:47:16 mcr
 * preliminary (untested by FS-team) 2.5 patches.
 *
 * Revision 1.209 2003/06/22 21:28:43 mcr
 * inability to unload module was caused by calls to dev_get
 * (ipsec_dev_get), to gather a device from a name. There is
 * simply no reason to look the devices up - they should be kept
 * in a nice array, ready for use.
 *
 * Revision 1.208 2003/06/22 21:25:07 mcr
 * all statically counted ipsecXXX device support removed.
 *
 * Revision 1.207 2003/04/02 20:15:37 mcr
 * fix for PR#204 - do not clear connection tracking info if
 * the packet is being sent in the clear.
 *
 * Revision 1.206 2003/02/12 19:32:51 rgb
 * Refactored file to:
 * ipsec_xmit.c
 * ipsec_xmit.h
 * ipsec_mast.c
 *
 * Revision 1.205 2003/02/06 17:47:00 rgb
 *
 * Remove unused ipsec_tunnel_lock() and ipsec_tunnel_unlock() code.
* Refactor ipsec_tunnel_start_xmit() further into: * ipsec_xmit_sanity_check_dev() * ipsec_xmit_sanity_check_skb() * ipsec_xmit_strip_hard_header() * ipsec_xmit_restore_hard_header() * ipsec_xmit_send() * ipsec_xmit_cleanup() * and start a skeletal ipsec_mast_start_xmit() . * * Revision 1.204 2003/02/06 06:43:46 rgb * * Refactor ipsec_tunnel_start_xmit, bringing out: * ipsec_xmit_SAlookup * ipsec_xmit_encap_once * ipsec_xmit_encap_bundle * * Revision 1.203 2003/02/06 02:21:34 rgb * * Moved "struct auth_alg" from ipsec_rcv.c to ipsec_ah.h . * Changed "struct ah" to "struct ahhdr" and "struct esp" to "struct esphdr". * Removed "#ifdef INBOUND_POLICY_CHECK_eroute" dead code. * * Revision 1.202 2003/01/03 07:38:01 rgb * * Start to refactor ipsec_tunnel_start_xmit() by putting local variables * into struct ipsec_xmit_state and renaming a few variables to give more * unique or searchable names. * * Revision 1.201 2003/01/03 00:31:28 rgb * * Clean up memset usage, including fixing 2 places where keys were not * properly wiped. * * Revision 1.200 2002/12/06 02:24:02 mcr * patches for compiling against SUSE 8.1 kernels. Requires * an additional -DSUSE_LINUX_2_4_19_IS_STUPID. * * Revision 1.199 2002/10/12 23:11:53 dhr * * [KenB + DHR] more 64-bit cleanup * * Revision 1.198 2002/10/05 05:02:58 dhr * * C labels go on statements * * Revision 1.197 2002/09/20 05:01:50 rgb * Added compiler directive to switch on IP options and fix IP options bug. * Make ip->ihl treatment consistent using shifts rather than multiplications. * Check for large enough packet before accessing udp header for IKE bypass. * Added memory allocation debugging. * Fixed potential memory allocation failure-induced oops. * * Revision 1.196 2002/07/24 18:44:54 rgb * Type fiddling to tame ia64 compiler. * * Revision 1.195 2002/07/23 03:36:07 rgb * Fixed 2.2 device initialisation hang. * * Revision 1.194 2002/05/27 21:40:34 rgb * Set unused ipsec devices to ARPHRD_VOID to avoid confusing iproute2. 
 * Cleaned up intermediate step to dynamic device allocation.
 *
 * Revision 1.193 2002/05/27 19:31:36 rgb
 * Convert to dynamic ipsec device allocation.
 * Remove final vestiges of tdb references via IPSEC_KLIPS1_COMPAT.
 *
 * Revision 1.192 2002/05/23 07:14:28 rgb
 * Added refcount code.
 * Cleaned up %p variants to 0p%p for test suite cleanup.
 *
 * Revision 1.191 2002/05/14 02:34:37 rgb
 * Change all references to tdb, TDB or Tunnel Descriptor Block to ips,
 * ipsec_sa or ipsec_sa.
 *
 * Revision 1.190 2002/04/24 07:55:32 mcr
 * #include patches and Makefiles for post-reorg compilation.
 *
 * Revision 1.189 2002/04/24 07:36:32 mcr
 * Moved from ./klips/net/ipsec/ipsec_tunnel.c,v
 *
 * Revision 1.188 2002/04/20 00:12:25 rgb
 * Added esp IV CBC attack fix, disabled.
 *
 * Revision 1.187 2002/03/23 19:55:17 rgb
 * Fix for 2.2 local IKE fragmentation blackhole. Still won't work if
 * iptraf or another pcap app is running.
 *
 * Revision 1.186 2002/03/19 03:26:22 rgb
 * Applied DHR's tunnel patch to streamline IKE/specialSA processing.
 *
 * Revision 1.185 2002/02/20 04:13:05 rgb
 * Send back ICMP_PKT_FILTERED upon %reject.
 *
 * Revision 1.184 2002/01/29 17:17:56 mcr
 * moved include of ipsec_param.h to after include of linux/kernel.h
 * otherwise, it seems that some option that is set in ipsec_param.h
 * screws up something subtle in the include path to kernel.h, and
 * it complains on the snprintf() prototype.
 *
 * Revision 1.183 2002/01/29 04:00:53 mcr
 * more excise of kversions.h header.
 *
 * Revision 1.182 2002/01/29 02:13:18 mcr
 * introduction of ipsec_kversion.h means that include of
 * ipsec_param.h must precede any decisions about what files to
 * include to deal with differences in kernel source.
 *
 * Revision 1.181 2002/01/07 20:00:33 rgb
 * Added IKE destination port debugging.
 *
 * Revision 1.180 2001/12/21 21:49:54 rgb
 * Fixed bug as a result of moving IKE bypass above %trap/%hold code.
 *
 * Revision 1.179 2001/12/19 21:08:14 rgb
 * Added transport protocol ports to ipsec_print_ip().
* Update eroute info for non-SA targets. * Added obey DF code disabled. * Fixed formatting bugs in ipsec_tunnel_hard_header(). * * Revision 1.178 2001/12/05 09:36:10 rgb * Moved the UDP/500 IKE check just above the %hold/%trap checks to avoid * IKE packets being stolen by the %hold (and returned to the sending KMd * in an ACQUIRE, ironically ;-). * * Revision 1.177 2001/11/26 09:23:50 rgb * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes. * * Revision 1.170.2.1 2001/09/25 02:28:27 mcr * struct tdb -> struct ipsec_sa. * lifetime checks moved to common routines. * cleaned up includes. * * Revision 1.170.2.2 2001/10/22 21:08:01 mcr * include des.h, removed phony prototypes and fixed calling * conventions to match real prototypes. * * Revision 1.176 2001/11/09 18:32:31 rgb * Added Hans Schultz' fragmented UDP/500 IKE socket port selector. * * Revision 1.175 2001/11/06 20:47:00 rgb * Added Eric Espie's TRAPSUBNET fix, minus spin-lock-bh dabbling. * * Revision 1.174 2001/11/06 19:50:43 rgb * Moved IP_SEND, ICMP_SEND, DEV_QUEUE_XMIT macros to ipsec_tunnel.h for * use also by pfkey_v2_parser.c * * Revision 1.173 2001/10/29 21:53:44 henry * tone down the device-down message slightly, until we can make it smarter * * Revision 1.172 2001/10/26 04:59:37 rgb * Added a critical level syslog message if an ipsec device goes down. * * Revision 1.171 2001/10/18 04:45:21 rgb * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h, * lib/freeswan.h version macros moved to lib/kversions.h. * Other compiler directive cleanups. * * Revision 1.170 2001/09/25 00:09:50 rgb * Added NetCelo's TRAPSUBNET code to convert a new type TRAPSUBNET into a * HOLD. * * Revision 1.169 2001/09/15 16:24:05 rgb * Re-inject first and last HOLD packet when an eroute REPLACE is done. * * Revision 1.168 2001/09/14 16:58:37 rgb * Added support for storing the first and last packets through a HOLD. 
 *
 * Revision 1.167 2001/09/08 21:13:33 rgb
 * Added pfkey ident extension support for ISAKMPd. (NetCelo)
 *
 * Revision 1.166 2001/08/27 19:47:59 rgb
 * Clear tdb before usage.
 * Added comment: clear IF before calling routing?
 *
 * Revision 1.165 2001/07/03 01:23:53 rgb
 * Send back ICMP iff DF set, !ICMP, offset==0, sysctl_icmp, iph->tot_len >
 * emtu, and don't drop.
 *
 * Revision 1.164 2001/06/14 19:35:10 rgb
 * Update copyright date.
 *
 * Revision 1.163 2001/06/06 20:28:51 rgb
 * Added sanity checks for NULL skbs and devices.
 * Added more debugging output to various functions.
 * Removed redundant dev->priv argument to ipsec_tunnel_{at,de}tach().
 * Renamed ipsec_tunnel_attach() virtual and physical device arguments.
 * Corrected neigh_setup() device function assignment.
 * Keep valid pointers to ipsec_tunnel_*() on detach.
 * Set dev->type to the originally-initialised value.
 *
 * Revision 1.162 2001/06/01 07:28:04 rgb
 * Added sanity checks for detached devices. Don't down virtual devices
 * to prevent packets going out in the clear if the detached device comes
 * back up.
 *
 * Revision 1.161 2001/05/30 08:14:52 rgb
 * Removed vestiges of esp-null transforms.
 * NetDev Notifier instrumentation to track down disappearing devices.
 *
 * Revision 1.160 2001/05/29 05:15:12 rgb
 * Added SS' PMTU patch which notifies sender if packet doesn't fit
 * physical MTU (if it wasn't ICMP) and then drops it.
 *
 * Revision 1.159 2001/05/27 06:12:12 rgb
 * Added structures for pid, packet count and last access time to eroute.
 * Added packet count to beginning of /proc/net/ipsec_eroute.
 *
 * Revision 1.158 2001/05/24 05:39:33 rgb
 * Applied source zeroing to 2.2 ip_route_output() call as well to enable
 * PASS eroutes for opportunism.
 *
 * Revision 1.157 2001/05/23 22:35:28 rgb
 * 2.4 source override simplification.
 *
 * Revision 1.156 2001/05/23 21:41:31 rgb
 * Added error return code printing on ip_route_output().
 *
 * Revision 1.155 2001/05/23 05:09:13 rgb
 * Fixed incorrect ip_route_output() failure message.
* * Revision 1.154 2001/05/21 14:53:31 rgb * Added debug statement for case when ip_route_output() fails, causing * packet to be dropped, but log looked ok. * * Revision 1.153 2001/05/19 02:37:54 rgb * Fixed missing comment termination. * * Revision 1.152 2001/05/19 02:35:50 rgb * Debug code optimisation for non-debug speed. * Kernel version compiler define comments. * 2.2 and 2.4 kernel ip_send device and ip debug output added. * * Revision 1.151 2001/05/18 16:17:35 rgb * Changed reference from "magic" to "shunt" SAs. * * Revision 1.150 2001/05/18 16:12:19 rgb * Changed UDP/500 bypass test from 3 nested ifs to one anded if. * * Revision 1.149 2001/05/16 04:39:33 rgb * Add default == eroute.dest to IKE bypass conditions for magic eroutes. * * Revision 1.148 2001/05/05 03:31:41 rgb * IP frag debugging updates and enhancements. * * Revision 1.147 2001/05/03 19:41:40 rgb * Added SS' skb_cow fix for 2.4.4. * * Revision 1.146 2001/04/30 19:28:16 rgb * Update for 2.4.4. ip_select_ident() now has 3 args. * * Revision 1.145 2001/04/23 14:56:10 rgb * Added spin_lock() check to prevent double-locking for multiple * transforms and hence kernel lock-ups with SMP kernels. * * Revision 1.144 2001/04/21 23:04:45 rgb * Define out skb->used for 2.4 kernels. * Check if soft expire has already been sent before sending another to * prevent ACQUIRE flooding. * * Revision 1.143 2001/03/16 07:37:21 rgb * Added comments to all #endifs. * * Revision 1.142 2001/02/28 05:03:27 rgb * Clean up and rationalise startup messages. * * Revision 1.141 2001/02/27 22:24:54 rgb * Re-formatting debug output (line-splitting, joining, 1arg/line). * Check for satoa() return codes. * * Revision 1.140 2001/02/27 06:40:12 rgb * Fixed TRAP->HOLD eroute byte order. * * Revision 1.139 2001/02/26 20:38:59 rgb * Added compiler defines for 2.4.x-specific code. * * Revision 1.138 2001/02/26 19:57:27 rgb * Implement magic SAs %drop, %reject, %trap, %hold, %pass as part * of the new SPD and to support opportunistic. 
* Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs. * * Revision 1.137 2001/02/19 22:29:49 rgb * Fixes for presence of active ipv6 segments which share ipsec physical * device (gg). * * Revision 1.136 2001/01/29 22:30:38 rgb * Fixed minor acquire debug printing bug. * * Revision 1.135 2001/01/29 22:19:45 rgb * Zero source address for 2.4 bypass route lookup. * * Revision 1.134 2001/01/23 20:19:49 rgb * 2.4 fix to remove removed is_clone member. * * Revision 1.133 2000/12/09 22:08:35 rgb * Fix NET_23 bug, should be NETDEV_23. * * Revision 1.132 2000/12/01 06:54:50 rgb * Fix for new 2.4 IP TTL default variable name. * * Revision 1.131 2000/11/09 20:52:15 rgb * More spinlock shuffling, locking earlier and unlocking later in rcv to * include ipcomp and prevent races, renaming some tdb variables that got * forgotten, moving some unlocks to in