1 /* 2 * xfrm4_output.c - Common IPsec encapsulation code for IPv4. 3 * Copyright (c) 2004 Herbert Xu <herbert@gondor.apana.org.au> 4 * 5 * This program is free software; you can redistribute it and/or 6 * modify it under the terms of the GNU General Public License 7 * as published by the Free Software Foundation; either version 8 * 2 of the License, or (at your option) any later version. 9 */ 10 11 #include <linux/compiler.h> 12 #include <linux/skbuff.h> 13 #include <linux/spinlock.h> 14 #include <linux/netfilter_ipv4.h> 15 #include <net/ip.h> 16 #include <net/xfrm.h> 17 #include <net/icmp.h> 18 19 static int xfrm4_tunnel_check_size(struct sk_buff *skb) 20 { 21 int mtu, ret = 0; 22 struct dst_entry *dst; 23 struct iphdr *iph = skb->nh.iph; 24 25 if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE) 26 goto out; 27 28 IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE; 29 30 if (!(iph->frag_off & htons(IP_DF)) || skb->local_df) 31 goto out; 32 33 dst = skb->dst; 34 mtu = dst_mtu(dst); 35 if (skb->len > mtu) { 36 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); 37 ret = -EMSGSIZE; 38 } 39 out: 40 return ret; 41 } 42 43 static int xfrm4_output_one(struct sk_buff *skb) 44 { 45 struct dst_entry *dst = skb->dst; 46 struct xfrm_state *x = dst->xfrm; 47 int err; 48 49 if (skb->ip_summed == CHECKSUM_HW) { 50 err = skb_checksum_help(skb, 0); 51 if (err) 52 goto error_nolock; 53 } 54 55 if (x->props.mode) { 56 err = xfrm4_tunnel_check_size(skb); 57 if (err) 58 goto error_nolock; 59 } 60 61 do { 62 spin_lock_bh(&x->lock); 63 err = xfrm_state_check(x, skb); 64 if (err) 65 goto error; 66 67 err = x->mode->output(skb); 68 if (err) 69 goto error; 70 71 err = x->type->output(x, skb); 72 if (err) 73 goto error; 74 75 x->curlft.bytes += skb->len; 76 x->curlft.packets++; 77 78 spin_unlock_bh(&x->lock); 79 80 if (!(skb->dst = dst_pop(dst))) { 81 err = -EHOSTUNREACH; 82 goto error_nolock; 83 } 84 dst = skb->dst; 85 x = dst->xfrm; 86 } while (x && !x->props.mode); 87 88 IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; 89 err = 0; 90 91 out_exit: 92 return err; 93 error: 94 spin_unlock_bh(&x->lock); 95 error_nolock: 96 kfree_skb(skb); 97 goto out_exit; 98 } 99 100 static int xfrm4_output_finish(struct sk_buff *skb) 101 { 102 int err; 103 104 #ifdef CONFIG_NETFILTER 105 if (!skb->dst->xfrm) { 106 IPCB(skb)->flags |= IPSKB_REROUTED; 107 return dst_output(skb); 108 } 109 #endif 110 while (likely((err = xfrm4_output_one(skb)) == 0)) { 111 nf_reset(skb); 112 113 err = nf_hook(PF_INET, NF_IP_LOCAL_OUT, &skb, NULL, 114 skb->dst->dev, dst_output); 115 if (unlikely(err != 1)) 116 break; 117 118 if (!skb->dst->xfrm) 119 return dst_output(skb); 120 121 err = nf_hook(PF_INET, NF_IP_POST_ROUTING, &skb, NULL, 122 skb->dst->dev, xfrm4_output_finish); 123 if (unlikely(err != 1)) 124 break; 125 } 126 127 return err; 128 } 129 130 int xfrm4_output(struct sk_buff *skb) 131 { 132 return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev, 133 xfrm4_output_finish, 134 !(IPCB(skb)->flags & IPSKB_REROUTED)); 135 } 136