11da177e4SLinus Torvalds /* 21da177e4SLinus Torvalds * xfrm4_output.c - Common IPsec encapsulation code for IPv4. 31da177e4SLinus Torvalds * Copyright (c) 2004 Herbert Xu <herbert@gondor.apana.org.au> 41da177e4SLinus Torvalds * 51da177e4SLinus Torvalds * This program is free software; you can redistribute it and/or 61da177e4SLinus Torvalds * modify it under the terms of the GNU General Public License 71da177e4SLinus Torvalds * as published by the Free Software Foundation; either version 81da177e4SLinus Torvalds * 2 of the License, or (at your option) any later version. 91da177e4SLinus Torvalds */ 101da177e4SLinus Torvalds 1109b8f7a9SHerbert Xu #include <linux/if_ether.h> 1209b8f7a9SHerbert Xu #include <linux/kernel.h> 1336cf9acfSHerbert Xu #include <linux/module.h> 141da177e4SLinus Torvalds #include <linux/skbuff.h> 1516a6677fSPatrick McHardy #include <linux/netfilter_ipv4.h> 1636cf9acfSHerbert Xu #include <net/dst.h> 171da177e4SLinus Torvalds #include <net/ip.h> 181da177e4SLinus Torvalds #include <net/xfrm.h> 191da177e4SLinus Torvalds #include <net/icmp.h> 201da177e4SLinus Torvalds 211da177e4SLinus Torvalds static int xfrm4_tunnel_check_size(struct sk_buff *skb) 221da177e4SLinus Torvalds { 231da177e4SLinus Torvalds int mtu, ret = 0; 241da177e4SLinus Torvalds 251da177e4SLinus Torvalds if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE) 261da177e4SLinus Torvalds goto out; 271da177e4SLinus Torvalds 2860ff7467SWANG Cong if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->ignore_df) 291da177e4SLinus Torvalds goto out; 301da177e4SLinus Torvalds 315a25cf1eSHannes Frederic Sowa mtu = dst_mtu(skb_dst(skb)); 32d77e38e6SSteffen Klassert if ((!skb_is_gso(skb) && skb->len > mtu) || 3380f5974dSDaniel Axtens (skb_is_gso(skb) && 3480f5974dSDaniel Axtens !skb_gso_validate_network_len(skb, ip_skb_dst_mtu(skb->sk, skb)))) { 35ca064bd8SSteffen Klassert skb->protocol = htons(ETH_P_IP); 36ca064bd8SSteffen Klassert 37b00897b8SSteffen Klassert if (skb->sk) 38628e341fSHannes Frederic Sowa xfrm_local_error(skb, mtu); 39b00897b8SSteffen Klassert else 40b00897b8SSteffen Klassert icmp_send(skb, ICMP_DEST_UNREACH, 41b00897b8SSteffen Klassert ICMP_FRAG_NEEDED, htonl(mtu)); 421da177e4SLinus Torvalds ret = -EMSGSIZE; 431da177e4SLinus Torvalds } 441da177e4SLinus Torvalds out: 451da177e4SLinus Torvalds return ret; 461da177e4SLinus Torvalds } 471da177e4SLinus Torvalds 4836cf9acfSHerbert Xu int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb) 491da177e4SLinus Torvalds { 501da177e4SLinus Torvalds int err; 511da177e4SLinus Torvalds 521da177e4SLinus Torvalds err = xfrm4_tunnel_check_size(skb); 531da177e4SLinus Torvalds if (err) 5436cf9acfSHerbert Xu return err; 5536cf9acfSHerbert Xu 5660d5fcfbSHerbert Xu XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol; 5760d5fcfbSHerbert Xu 5836cf9acfSHerbert Xu return xfrm4_extract_header(skb); 591da177e4SLinus Torvalds } 601da177e4SLinus Torvalds 617026b1ddSDavid Miller int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb) 6209b8f7a9SHerbert Xu { 635596732fSSteffen Klassert memset(IPCB(skb), 0, sizeof(*IPCB(skb))); 64862b82c6SHerbert Xu 655596732fSSteffen Klassert #ifdef CONFIG_NETFILTER 66862b82c6SHerbert Xu IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; 6709b8f7a9SHerbert Xu #endif 6809b8f7a9SHerbert Xu 697026b1ddSDavid Miller return xfrm_output(sk, skb); 7009b8f7a9SHerbert Xu } 7109b8f7a9SHerbert Xu 720c4b51f0SEric W. Biederman static int __xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb) 735596732fSSteffen Klassert { 745596732fSSteffen Klassert struct xfrm_state *x = skb_dst(skb)->xfrm; 75733a5facSFlorian Westphal const struct xfrm_state_afinfo *afinfo; 76733a5facSFlorian Westphal int ret = -EAFNOSUPPORT; 775596732fSSteffen Klassert 785596732fSSteffen Klassert #ifdef CONFIG_NETFILTER 795596732fSSteffen Klassert if (!x) { 805596732fSSteffen Klassert IPCB(skb)->flags |= IPSKB_REROUTED; 8113206b6bSEric W. Biederman return dst_output(net, sk, skb); 825596732fSSteffen Klassert } 835596732fSSteffen Klassert #endif 845596732fSSteffen Klassert 85733a5facSFlorian Westphal rcu_read_lock(); 86c9500d7bSFlorian Westphal afinfo = xfrm_state_afinfo_get_rcu(x->outer_mode.family); 87733a5facSFlorian Westphal if (likely(afinfo)) 88733a5facSFlorian Westphal ret = afinfo->output_finish(sk, skb); 89733a5facSFlorian Westphal else 90733a5facSFlorian Westphal kfree_skb(skb); 91733a5facSFlorian Westphal rcu_read_unlock(); 92733a5facSFlorian Westphal 93733a5facSFlorian Westphal return ret; 945596732fSSteffen Klassert } 955596732fSSteffen Klassert 96ede2059dSEric W. Biederman int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb) 9716a6677fSPatrick McHardy { 9829a26a56SEric W. Biederman return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, 9929a26a56SEric W. Biederman net, sk, skb, NULL, skb_dst(skb)->dev, 10029a26a56SEric W. Biederman __xfrm4_output, 10148d5cad8SPatrick McHardy !(IPCB(skb)->flags & IPSKB_REROUTED)); 10216a6677fSPatrick McHardy } 103628e341fSHannes Frederic Sowa 104628e341fSHannes Frederic Sowa void xfrm4_local_error(struct sk_buff *skb, u32 mtu) 105628e341fSHannes Frederic Sowa { 106628e341fSHannes Frederic Sowa struct iphdr *hdr; 107628e341fSHannes Frederic Sowa 108628e341fSHannes Frederic Sowa hdr = skb->encapsulation ? inner_ip_hdr(skb) : ip_hdr(skb); 109628e341fSHannes Frederic Sowa ip_local_error(skb->sk, EMSGSIZE, hdr->daddr, 110628e341fSHannes Frederic Sowa inet_sk(skb->sk)->inet_dport, mtu); 111628e341fSHannes Frederic Sowa } 112