/*
 * xfrm4_output.c - Common IPsec encapsulation code for IPv4.
 * Copyright (c) 2004 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/if_ether.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4.h>
#include <net/dst.h>
#include <net/ip.h>
#include <net/xfrm.h>
#include <net/icmp.h>

/*
 * Check a don't-fragment packet against the MTU of its attached route.
 *
 * Returns 0 when the check does not apply or the packet fits.  Otherwise
 * an ICMP_DEST_UNREACH / ICMP_FRAG_NEEDED message carrying the MTU is
 * sent and -EMSGSIZE is returned.
 *
 * The check is skipped when IPSKB_XFRM_TUNNEL_SIZE is already set in the
 * IP control block, when the IPv4 header does not carry IP_DF, or when
 * skb->local_df is set.
 *
 * NOTE(review): skb->dst is dereferenced without a NULL check; this
 * assumes callers only hand in packets that already have a route
 * attached - confirm against the call sites.
 */
static int xfrm4_tunnel_check_size(struct sk_buff *skb)
{
	int path_mtu;

	/* Size was already checked on an earlier pass over this skb. */
	if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
		return 0;

	/* Without DF the packet may be fragmented, so no limit applies. */
	if (!(ip_hdr(skb)->frag_off & htons(IP_DF)))
		return 0;

	if (skb->local_df)
		return 0;

	path_mtu = dst_mtu(skb->dst);
	if (skb->len <= path_mtu)
		return 0;

	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(path_mtu));
	return -EMSGSIZE;
}

/*
 * Output-side extraction step for IPv4.
 *
 * Runs the MTU check first and returns its error unchanged.  On success
 * the IPv4 protocol number is copied into the xfrm mode control block
 * and the result of xfrm4_extract_header() is returned.  The state
 * argument @x is not used here.
 */
int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int rc = xfrm4_tunnel_check_size(skb);

	if (rc)
		return rc;

	XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol;

	return xfrm4_extract_header(skb);
}

/*
 * Prepare a packet for the outer mode's output2() handler.
 *
 * The inner mode's extract_output() runs first; a non-zero result is
 * returned as is.  The whole IP control block is then zeroed, so none of
 * its earlier contents (flags such as IPSKB_REROUTED included) survive,
 * and IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED are set.  Having
 * IPSKB_XFRM_TUNNEL_SIZE set is what makes xfrm4_tunnel_check_size()
 * return early on any later pass over the same skb.
 *
 * NOTE(review): x->inner_mode, its afinfo and x->outer_mode are
 * dereferenced unchecked; this assumes a fully initialised state -
 * confirm against the callers.
 */
int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int rc = x->inner_mode->afinfo->extract_output(x, skb);

	if (rc)
		return rc;

	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
	IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED;

	skb->protocol = htons(ETH_P_IP);

	return x->outer_mode->output2(x, skb);
}
EXPORT_SYMBOL(xfrm4_prepare_output);

/*
 * Continuation that xfrm4_output() passes to NF_HOOK_COND.
 *
 * With CONFIG_NETFILTER: when the attached route has no transform, the
 * packet is marked IPSKB_REROUTED and handed to dst_output() instead of
 * being transformed; otherwise it is marked IPSKB_XFRM_TRANSFORMED.
 * In every remaining case the protocol is set to ETH_P_IP and the packet
 * goes to xfrm_output().
 */
static int xfrm4_output_finish(struct sk_buff *skb)
{
#ifdef CONFIG_NETFILTER
	if (skb->dst->xfrm == NULL) {
		IPCB(skb)->flags |= IPSKB_REROUTED;
		return dst_output(skb);
	}

	IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
#endif

	skb->protocol = htons(ETH_P_IP);

	return xfrm_output(skb);
}

/*
 * IPv4 xfrm output entry point.
 *
 * Sends the packet through NF_HOOK_COND for PF_INET /
 * NF_INET_POST_ROUTING with the route's device as the output device and
 * xfrm4_output_finish() as the continuation.  The condition passed in is
 * false once IPSKB_REROUTED is set; NF_HOOK_COND is expected to call the
 * continuation without running the hook in that case - confirm against
 * the macro definition.
 */
int xfrm4_output(struct sk_buff *skb)
{
	return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb,
			    NULL, skb->dst->dev, xfrm4_output_finish,
			    !(IPCB(skb)->flags & IPSKB_REROUTED));
}