/*
 * xfrm4_output.c - Common IPsec encapsulation code for IPv4.
 * Copyright (c) 2004 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/if_ether.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4.h>
#include <net/dst.h>
#include <net/ip.h>
#include <net/xfrm.h>
#include <net/icmp.h>

/*
 * Reject a DF-marked packet that no longer fits the route MTU.
 *
 * Returns 0 when the packet may proceed and -EMSGSIZE when it is too big.
 * The check is skipped (0 is returned) when IPSKB_XFRM_TUNNEL_SIZE is already
 * set in the IPv4 control block, when the IP header does not carry DF, or
 * when skb->ignore_df is set.
 *
 * On failure the sender is told the MTU: through xfrm_local_error() when the
 * skb has an owning socket, otherwise through an ICMP "fragmentation needed"
 * message.
 *
 * NOTE(review): the reported value always comes from dst_mtu(), while the GSO
 * branch validates against ip_skb_dst_mtu(); confirm the two cannot disagree
 * in a way that advertises a misleading MTU.
 */
static int xfrm4_tunnel_check_size(struct sk_buff *skb)
{
	int too_big;
	int mtu;

	/* Flag is set by xfrm4_prepare_output(); size was handled already. */
	if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
		return 0;

	/* Without DF, or with ignore_df, an oversized packet is not an error here. */
	if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->ignore_df)
		return 0;

	mtu = dst_mtu(skb_dst(skb));

	/* GSO packets are judged by segment length, others by total length. */
	if (skb_is_gso(skb))
		too_big = !skb_gso_validate_network_len(skb,
					ip_skb_dst_mtu(skb->sk, skb));
	else
		too_big = skb->len > mtu;

	if (!too_big)
		return 0;

	/*
	 * Mark the skb as IPv4 before raising the error.
	 * NOTE(review): presumably so the error path dispatches on the right
	 * address family - confirm against xfrm_local_error().
	 */
	skb->protocol = htons(ETH_P_IP);

	if (skb->sk)
		xfrm_local_error(skb, mtu);
	else
		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
			  htonl(mtu));

	return -EMSGSIZE;
}

/*
 * Size-check an outgoing IPv4 packet and extract its header fields.
 *
 * @x is not used by this function. Returns the error from the size check if
 * there is one; otherwise stores the IP header's protocol number in the xfrm
 * mode control block and returns the result of xfrm4_extract_header().
 */
int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int rc = xfrm4_tunnel_check_size(skb);

	if (rc)
		return rc;

	XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol;

	return xfrm4_extract_header(skb);
}

/*
 * Prepare an skb for the outer-mode output step.
 *
 * Runs xfrm_inner_extract_output() first and propagates its error. On success
 * it sets IPSKB_XFRM_TUNNEL_SIZE, which makes xfrm4_tunnel_check_size() return
 * 0 for this skb from then on, marks the skb as IPv4 and calls the outer
 * mode's output2() handler, whose result is returned.
 */
int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
{
	int rc = xfrm_inner_extract_output(x, skb);

	if (rc)
		return rc;

	IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
	skb->protocol = htons(ETH_P_IP);

	return x->outer_mode->output2(x, skb);
}
EXPORT_SYMBOL(xfrm4_prepare_output);

/*
 * Reset the IPv4 control block and hand the skb to xfrm_output().
 *
 * The whole IPCB is zeroed, so no flag or option state written earlier
 * survives into the transform. With CONFIG_NETFILTER the skb is then marked
 * IPSKB_XFRM_TRANSFORMED.
 */
int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb)
{
	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));

#ifdef CONFIG_NETFILTER
	IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
#endif

	return xfrm_output(sk, skb);
}

/*
 * Continuation passed to the POST_ROUTING hook by xfrm4_output().
 *
 * With CONFIG_NETFILTER, a dst without xfrm state is flagged IPSKB_REROUTED
 * and sent through dst_output() instead of being transformed.
 *
 * NOTE(review): the NULL test on the state exists only under CONFIG_NETFILTER;
 * without it the pointer is dereferenced unconditionally. Presumably a dst
 * lacking xfrm state can only arrive here after netfilter rerouting - confirm.
 */
static int __xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
	struct xfrm_state *x = skb_dst(skb)->xfrm;

#ifdef CONFIG_NETFILTER
	if (x == NULL) {
		IPCB(skb)->flags |= IPSKB_REROUTED;
		return dst_output(net, sk, skb);
	}
#endif

	return x->outer_mode->afinfo->output_finish(sk, skb);
}

/*
 * IPv4 xfrm output entry point.
 *
 * Runs the NF_INET_POST_ROUTING hook with __xfrm4_output() as continuation.
 * The final NF_HOOK_COND() argument is the hook condition: it is false once
 * IPSKB_REROUTED has been set on the skb.
 */
int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
	return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
			    net, sk, skb,
			    NULL, skb_dst(skb)->dev,
			    __xfrm4_output,
			    !(IPCB(skb)->flags & IPSKB_REROUTED));
}

/*
 * Report EMSGSIZE and the usable MTU to the socket that owns the skb.
 *
 * The destination address is read from the inner IP header when
 * skb->encapsulation is set, otherwise from the outer one.
 *
 * skb->sk is passed to inet_sk() and dereferenced without a NULL test, so
 * callers must only invoke this for socket-owned skbs. In this file
 * xfrm4_tunnel_check_size() tests skb->sk before calling xfrm_local_error().
 */
void xfrm4_local_error(struct sk_buff *skb, u32 mtu)
{
	struct iphdr *hdr;

	if (skb->encapsulation)
		hdr = inner_ip_hdr(skb);
	else
		hdr = ip_hdr(skb);

	ip_local_error(skb->sk, EMSGSIZE, hdr->daddr,
		       inet_sk(skb->sk)->inet_dport, mtu);
}