if (pSABundle->pmtu != 0) { #ifdef IPSEC_PMTU if (ipsecPmtuIsPacketBiggerThanPmtu (*pp_memory_buffer, pSABundle) != OK) { ipsecPmtuSendPmtuMessage (*pp_memory_buffer, pSABundle); if ((flags & IP_FORWARDING) == 0) { pSABundle->pmtu = 0; } return (ERROR); } #endif }#if defined (__IPSEC_QUEUING__) if ((direction == INBOUND) || ((flags & IP_FORWARDING) != 0)) { wrSecTrace(WRS_TRACE_IPSEC_DIR(direction), L1, "Adding packet to IPsec queue...\n" ); return(ipsecEnqueue (direction, *pp_memory_buffer, pSABundle, *pp_ip_header, header_length, flags)); }#endif /* __IPSEC_QUEUING__ */ wrSecTrace( WRS_TRACE_IPSEC_DIR(direction), L1, "Calling ipsecSecureAndReinsert() from main hook...\n"); return_value = ipsecSecureAndReinsert(direction, pSABundle, pp_memory_buffer, pp_ip_header, header_length); } else if (security_check == BYPASS) { /* should increment count based on a MKM BYPASS policy within a bundle */ /* allow the IP Packet */ return_value = OK; } else /* security_check == DISCARD */ { /* should increment count based on a MKM DISCARD policy within a bundle */ /* Drop the IP Packet*/ WRN_M_FREEM (*pp_memory_buffer); } pSABundle = NULL; } else { if (security_check == APPLY) { if (direction == OUTBOUND) { /* Build a new Security Association for IP Packet */ if (sadbBuildSABundle (p_traffic_info) == FALSE) { /* TRACKSPR #99468: Log error? 
*/ } } #ifdef INCLUDE_COUNTERS_NETWORK_INTERFACE updateNetworkInterfaceCounters (direction, pp_memory_buffer, pp_ip_header, NO_PS_DISCARD_COUNT, NOT_USED); #endif #ifdef INCLUDE_LOGGING_SPD_PACKET_DISCARD if (ipsecLoggerIsLogEventEnabled (SPD_PACKET_DISCARD)) { ipsecEventLogFromNetworkTrafficInfo (p_traffic_info, NULL, SPD_PACKET_DISCARD, NO_PROTECTION_SUITE); } #endif /* INCLUDE_LOGGING_SPD_PACKET_DISCARD */ WRN_M_FREEM (*pp_memory_buffer); } else if (security_check == BYPASS) { #ifdef INCLUDE_COUNTERS_NETWORK_INTERFACE updateNetworkInterfaceCounters (direction, pp_memory_buffer, pp_ip_header, EXPLICIT_BYPASS_COUNT, NOT_USED); #endif spdIncrementPolicyCounters (sptr_policy,((struct ip *) *pp_ip_header)->ip_len - header_length); /* allow the IP Packet */ return_value = OK; } else if (security_check == DISCARD) { #ifdef INCLUDE_COUNTERS_NETWORK_INTERFACE updateNetworkInterfaceCounters (direction, pp_memory_buffer, pp_ip_header, EXPLICIT_DISCARD_COUNT, NOT_USED); #endif #ifdef INCLUDE_LOGGING_SPD_PACKET_DISCARD if (ipsecLoggerIsLogEventEnabled (SPD_PACKET_DISCARD)) { ipsecEventLogFromNetworkTrafficInfo (p_traffic_info, NULL, SPD_PACKET_DISCARD, EXPLICIT_DISCARD_POLICY); } #endif /* INCLUDE_LOGGING_SPD_PACKET_DISCARD */ spdIncrementPolicyCounters (sptr_policy,((struct ip *) *pp_ip_header)->ip_len - header_length); WRN_M_FREEM (*pp_memory_buffer); /* Drop the IP Packet*/ } else /* else if (security_check == NOT_VALID) */ { security_check = ipsecGetDefaultPI (direction, p_traffic_info); if (security_check == BYPASS) { /* should increment bypass count based on the default policy indicator */ /* allow the IP Packet */ return_value = OK; } else /* if (security_check == DISCARD) */ { #ifdef INCLUDE_COUNTERS_NETWORK_INTERFACE updateNetworkInterfaceCounters (direction, pp_memory_buffer, pp_ip_header, NO_POLICY_DISCARD_COUNT, NOT_USED); #endif #ifdef INCLUDE_LOGGING_SPD_PACKET_DISCARD if (ipsecLoggerIsLogEventEnabled (SPD_PACKET_DISCARD)) { ipsecEventLogFromNetworkTrafficInfo 
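(p_traffic_info, NULL, SPD_PACKET_DISCARD, NO_POLICY);
                    }
#endif /* INCLUDE_LOGGING_SPD_PACKET_DISCARD */
                WRN_M_FREEM (*pp_memory_buffer); /* Drop the IP Packet*/
                }
            }
        }

    return (return_value);
    }

/*******************************************************************************
*
* ipsecSecureAndReinsert - secure a packet and re-insert it into the stack
*
* Runs ipsecSecure() on the packet in <*pp_memory_buffer> and, when that
* succeeds, hands the result to ipsecReinsert().
*
* Ownership: on ERROR the packet has already been counted, released and
* <*pp_memory_buffer> set to NULL by ipsecSecure(); nothing is freed here,
* so the caller must not free it either. On success the mbuf chain is owned
* by ipsecReinsert() from here on.
*
* NOMANUAL
*
* RETURNS: ERROR if ipsec processing fails, otherwise the value returned by
* ipsecReinsert() (OK, TUNNELED, EMSGSIZE or ERROR)
*/

int ipsecSecureAndReinsert
    (
    TRAFFIC_DIRECTION   direction,
    SA_BUNDLE *         p_sa_bundle,
    struct mbuf **      pp_memory_buffer,
    struct ip **        pp_ip_header,
    int                 header_length
    )
    {
    IP_VI_MESSAGE * p_ip_message  = NULL;
    BOOL            tunnel_packet = FALSE;
    int             return_value;

    return_value = ipsecSecure (direction, p_sa_bundle, pp_memory_buffer,
                                pp_ip_header, header_length,
                                &p_ip_message, &tunnel_packet);

    if (return_value == ERROR)
        {
        /* ipsecSecure() has already taken the POLICY_ERROR_COUNT hit, freed
         * the mbuf chain and cleared *pp_memory_buffer. Counting or freeing
         * it again here would read and free memory that is already gone. */
        wrSecTrace (WRS_TRACE_IPSEC_DIR (direction), L1,
                    "PACKET DROPPED!! 'function::%s'\n", __FUNCTION__);
        return (ERROR);
        }

    /* return_value == REINSERT: the packet is wrapped in p_ip_message */
    wrSecTrace (WRS_TRACE_IPSEC_DIR (direction), L1,
                "Re-inserting packet onto stack...\n");

    return (ipsecReinsert (direction, tunnel_packet, pp_memory_buffer,
                           pp_ip_header, header_length, &p_ip_message, FALSE));
    }

/*******************************************************************************
*
* ipsecSecure - applies IPSEC SAs on IP packets
*
* This function creates an IP message from the mbuf and does ipsec SA bundle
* processing on it.
*
* On success the mbuf chain is reachable from <(*pp_ip_message)->pPayload>
* and <*p_tunnel_packet> tells whether the packet is tunneled.
*
* On ERROR this function owns the failure: the drop is accounted through
* UPDATE_NET_IF_COUNTERS while the packet is still valid, the mbuf chain and
* the message are released, and <*pp_memory_buffer> / <*pp_ip_message> are
* both set to NULL so that no caller can free them a second time.
*
* NOMANUAL
*
* RETURNS: ERROR if ipsec processing fails, REINSERT if processing succeeds
*/

int ipsecSecure
    (
    TRAFFIC_DIRECTION   direction,
    SA_BUNDLE *         p_sa_bundle,
    struct mbuf **      pp_memory_buffer,
    struct ip **        pp_ip_header,
    int                 header_length,
    IP_VI_MESSAGE **    pp_ip_message,
    BOOL *              p_tunnel_packet
    )
    {
    struct mbuf *   p_remaining;

    *pp_ip_message   = NULL;
    *p_tunnel_packet = FALSE;

    /* Create an IP Message from memory buffer (also sets the family type in
     * the ip mesg). From here on the chain is reachable via the message. */
    *pp_ip_message = ipsec_create_ip_vi_message (*pp_memory_buffer,
                                                 header_length,
                                                 *pp_ip_header);
    if (*pp_ip_message == NULL)
        {
        wrSecTrace (WRS_TRACE_IPSEC_DIR (direction), L1,
                    "%s(): ipsec_create_ip_vi_message returned NULL\n",
                    __FUNCTION__);

        /* Count the drop while the mbuf is still valid, then release it and
         * clear the caller's pointer so the chain cannot be freed twice. */
        UPDATE_NET_IF_COUNTERS (direction, pp_memory_buffer, pp_ip_header,
                                POLICY_ERROR_COUNT, NOT_USED);
        WRN_M_FREEM (*pp_memory_buffer);
        *pp_memory_buffer = NULL;

        wrSecTrace (TRACE_ALL, L1, "PACKET DROPPED!! 'function::%s'\n",
                    __FUNCTION__);
        return (ERROR);
        }

#if STACK_NAME != STACK_NAME_V4_V6
    if (direction == INBOUND)
        {
        /* Tor22 and T202 stack sends ip_id in host format. But
         * ipsec_create_ip_vi_message function assumes it in network
         * and converts to host order , which will be actually in network
         * order for this case, so we need to convert in host order here.
         */
        NTOHS (((IP_V4_MESSAGE *) *pp_ip_message)->datagram_identifier);
        }
#endif

    if (ipsec_bundle_processing (direction, p_sa_bundle, *pp_ip_message,
                                 p_tunnel_packet) != FALSE)
        {
        return (REINSERT);
        }

    /* Bundle processing failed. Whatever is left of the packet lives in the
     * message payload; pull it back out so it can be counted and freed.
     * packetMBufExtract() may return NULL when nothing is left to release. */
    p_remaining = packetMBufExtract ((*pp_ip_message)->pPayload);
    *pp_memory_buffer = p_remaining;

    if (p_remaining != NULL)
        {
        /* NOTE(review): pp_ip_header is passed through unchanged, as the
         * original caller did at this point - confirm UPDATE_NET_IF_COUNTERS
         * only needs the live mbuf and not the (possibly moved) header. */
        UPDATE_NET_IF_COUNTERS (direction, pp_memory_buffer, pp_ip_header,
                                POLICY_ERROR_COUNT, NOT_USED);
        WRN_M_FREEM (p_remaining);
        wrSecTrace (TRACE_ALL, L1, "PACKET DROPPED!! 'function::%s'\n",
                    __FUNCTION__);
        }

    /* The chain is gone either way; never hand a dangling pointer back. */
    *pp_memory_buffer = NULL;

    wrSecFree (*pp_ip_message);
    *pp_ip_message = NULL;

    wrSecTrace (WRS_TRACE_IPSEC_DIR (direction), L1,
                "%s(): ipsec_bundle_processing returned FALSE\n",
                __FUNCTION__);
    return (ERROR);
    }

/*******************************************************************************
*
* ipsecReinsert - 
* 
* Incase of an outbound tunneled packet, this function handovers the 
* packet to ip_output, while an inbound tunneled packet is added to
* ip job queue.
* Incase of a transport packet, the ip header is restored from ip_vi_message.
* An inbound transport packet is passed to upper layer. But we just return
* OK for an outbound transport packet.
*
* NOMANUAL
* 
* RETURNS: OK, ERROR if packet is dropped, EMSGSIZE if packet size > mtu
* TUNNELED if it is tunneled ( either inbound or outbound )
*/

int ipsecReinsert
    (
    TRAFFIC_DIRECTION   direction,
    BOOL                tunnel_packet,
    struct mbuf **      pp_memory_buffer,
    struct ip **        pp_ip_header,
    int                 header_length,
    IP_VI_MESSAGE **    pp_ip_message,
    BOOL                wakeup
    )
    {
    int     return_value;
    UINT    ip_version;

    return_value = OK;
    ip_version = (*pp_ip_message)->version;

    if (tunnel_packet == TRUE)
        {
        ipsecProcessTunnelmBlk (pp_memory_buffer, *pp_ip_message, direction);
        ((struct mbuf *) *pp_memory_buffer)->m_flags |= M_SECURE_PKT;
        wrSecFree (*pp_ip_message);
        *pp_ip_message = NULL;

        if (direction == OUTBOUND)
            {
            if (ip_version == IP_V4)
                {
                struct ip *p_outer_ip_header;
                p_outer_ip_header = mtod (*pp_memory_buffer, struct ip *);
                p_outer_ip_header->ip_sum = 0;
                NTOHS (p_outer_ip_header->ip_len);
                NTOHS (p_outer_ip_header->ip_off);
                return_value = ip_output(*pp_memory_buffer, NULL, NULL, IP_FORWARDING, NULL);
                }
#if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6)
            else if (ip_version == IP_V6)
                {
                ip6_output (*pp_memory_buffer, NULL, NULL, 0, NULL, NULL);
                }
#endif /* #if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6) */
#if (STACK_NAME == STACK_NAME_V4_V6)
            /* For Router Stack, this pointer must NOT be cleared. It will cause
             * crashes during tunnel mode IPsec traffic.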
*/ *pp_memory_buffer = NULL; #endif } else { if (ipsecTunnelEndDriver (((struct mbuf *) *pp_memory_buffer)->m_pkthdr.rcvif, *pp_memory_buffer, wakeup) == ERROR) { WRN_M_FREEM (*pp_memory_buffer); } } /* We need to pass EMSGSIZE returned from ip_output. */ if (return_value != EMSGSIZE) { return_value = TUNNELED; } } else { ipsecRestoremBlk (pp_memory_buffer, header_length, pp_ip_header, *pp_ip_message); wrSecFree (*pp_ip_message); *pp_ip_message = NULL; if (direction == INBOUND) { #if defined (__IPSEC_QUEUING__) #if defined (__IPSEC_PROTOSW__) #if STACK_NAME == STACK_NAME_V4_V6 if ((*pp_ip_header)->ip_v == IP_V4) { int nxt = ((struct ip *) *pp_ip_header)->ip_p; (*inetsw[ip_protox[nxt]].pr_input) (*pp_memory_buffer, header_length, nxt); } #if STACK_NAME == STACK_NAME_V4_V6 && defined (INET6) else { int nxt, off = sizeof (struct ip6_hdr); struct ip6_hdr *ip6 = mtod ((*pp_memory_buffer), struct ip6_hdr *); nxt = ip6->ip6_nxt; if (nxt == TRANSP