xref: /linux/net/ipv4/xfrm4_output.c (revision 48d5cad87c3a4998d0bda16ccfb5c60dfe4de5fb) 
11da177e4SLinus Torvalds /*
21da177e4SLinus Torvalds  * xfrm4_output.c - Common IPsec encapsulation code for IPv4.
31da177e4SLinus Torvalds  * Copyright (c) 2004 Herbert Xu <herbert@gondor.apana.org.au>
41da177e4SLinus Torvalds  *
51da177e4SLinus Torvalds  * This program is free software; you can redistribute it and/or
61da177e4SLinus Torvalds  * modify it under the terms of the GNU General Public License
71da177e4SLinus Torvalds  * as published by the Free Software Foundation; either version
81da177e4SLinus Torvalds  * 2 of the License, or (at your option) any later version.
91da177e4SLinus Torvalds  */
101da177e4SLinus Torvalds 
1116a6677fSPatrick McHardy #include <linux/compiler.h>
121da177e4SLinus Torvalds #include <linux/skbuff.h>
131da177e4SLinus Torvalds #include <linux/spinlock.h>
1416a6677fSPatrick McHardy #include <linux/netfilter_ipv4.h>
151da177e4SLinus Torvalds #include <net/inet_ecn.h>
161da177e4SLinus Torvalds #include <net/ip.h>
171da177e4SLinus Torvalds #include <net/xfrm.h>
181da177e4SLinus Torvalds #include <net/icmp.h>
191da177e4SLinus Torvalds 
201da177e4SLinus Torvalds /* Add encapsulation header.
211da177e4SLinus Torvalds  *
221da177e4SLinus Torvalds  * In transport mode, the IP header will be moved forward to make space
231da177e4SLinus Torvalds  * for the encapsulation header.
241da177e4SLinus Torvalds  *
251da177e4SLinus Torvalds  * In tunnel mode, the top IP header will be constructed per RFC 2401.
261da177e4SLinus Torvalds  * The following fields in it shall be filled in by x->type->output:
271da177e4SLinus Torvalds  *	tot_len
281da177e4SLinus Torvalds  *	check
291da177e4SLinus Torvalds  *
301da177e4SLinus Torvalds  * On exit, skb->h will be set to the start of the payload to be processed
311da177e4SLinus Torvalds  * by x->type->output and skb->nh will be set to the top IP header.
321da177e4SLinus Torvalds  */
331da177e4SLinus Torvalds static void xfrm4_encap(struct sk_buff *skb)
341da177e4SLinus Torvalds {
351da177e4SLinus Torvalds 	struct dst_entry *dst = skb->dst;
361da177e4SLinus Torvalds 	struct xfrm_state *x = dst->xfrm;
371da177e4SLinus Torvalds 	struct iphdr *iph, *top_iph;
38dd87147eSHerbert Xu 	int flags;
391da177e4SLinus Torvalds 
401da177e4SLinus Torvalds 	iph = skb->nh.iph;
411da177e4SLinus Torvalds 	skb->h.ipiph = iph;
421da177e4SLinus Torvalds 
431da177e4SLinus Torvalds 	skb->nh.raw = skb_push(skb, x->props.header_len);
441da177e4SLinus Torvalds 	top_iph = skb->nh.iph;
451da177e4SLinus Torvalds 
461da177e4SLinus Torvalds 	if (!x->props.mode) {
471da177e4SLinus Torvalds 		skb->h.raw += iph->ihl*4;
481da177e4SLinus Torvalds 		memmove(top_iph, iph, iph->ihl*4);
491da177e4SLinus Torvalds 		return;
501da177e4SLinus Torvalds 	}
511da177e4SLinus Torvalds 
521da177e4SLinus Torvalds 	top_iph->ihl = 5;
531da177e4SLinus Torvalds 	top_iph->version = 4;
541da177e4SLinus Torvalds 
551da177e4SLinus Torvalds 	/* DS disclosed */
561da177e4SLinus Torvalds 	top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
57dd87147eSHerbert Xu 
58dd87147eSHerbert Xu 	flags = x->props.flags;
59dd87147eSHerbert Xu 	if (flags & XFRM_STATE_NOECN)
601da177e4SLinus Torvalds 		IP_ECN_clear(top_iph);
611da177e4SLinus Torvalds 
62dd87147eSHerbert Xu 	top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
63dd87147eSHerbert Xu 		0 : (iph->frag_off & htons(IP_DF));
641da177e4SLinus Torvalds 	if (!top_iph->frag_off)
651da177e4SLinus Torvalds 		__ip_select_ident(top_iph, dst, 0);
661da177e4SLinus Torvalds 
671da177e4SLinus Torvalds 	top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
681da177e4SLinus Torvalds 
691da177e4SLinus Torvalds 	top_iph->saddr = x->props.saddr.a4;
701da177e4SLinus Torvalds 	top_iph->daddr = x->id.daddr.a4;
711da177e4SLinus Torvalds 	top_iph->protocol = IPPROTO_IPIP;
721da177e4SLinus Torvalds 
731da177e4SLinus Torvalds 	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
741da177e4SLinus Torvalds }
751da177e4SLinus Torvalds 
761da177e4SLinus Torvalds static int xfrm4_tunnel_check_size(struct sk_buff *skb)
771da177e4SLinus Torvalds {
781da177e4SLinus Torvalds 	int mtu, ret = 0;
791da177e4SLinus Torvalds 	struct dst_entry *dst;
801da177e4SLinus Torvalds 	struct iphdr *iph = skb->nh.iph;
811da177e4SLinus Torvalds 
821da177e4SLinus Torvalds 	if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
831da177e4SLinus Torvalds 		goto out;
841da177e4SLinus Torvalds 
851da177e4SLinus Torvalds 	IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
861da177e4SLinus Torvalds 
871da177e4SLinus Torvalds 	if (!(iph->frag_off & htons(IP_DF)) || skb->local_df)
881da177e4SLinus Torvalds 		goto out;
891da177e4SLinus Torvalds 
901da177e4SLinus Torvalds 	dst = skb->dst;
911da177e4SLinus Torvalds 	mtu = dst_mtu(dst);
921da177e4SLinus Torvalds 	if (skb->len > mtu) {
931da177e4SLinus Torvalds 		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
941da177e4SLinus Torvalds 		ret = -EMSGSIZE;
951da177e4SLinus Torvalds 	}
961da177e4SLinus Torvalds out:
971da177e4SLinus Torvalds 	return ret;
981da177e4SLinus Torvalds }
991da177e4SLinus Torvalds 
10016a6677fSPatrick McHardy static int xfrm4_output_one(struct sk_buff *skb)
1011da177e4SLinus Torvalds {
1021da177e4SLinus Torvalds 	struct dst_entry *dst = skb->dst;
1031da177e4SLinus Torvalds 	struct xfrm_state *x = dst->xfrm;
1041da177e4SLinus Torvalds 	int err;
1051da177e4SLinus Torvalds 
1061da177e4SLinus Torvalds 	if (skb->ip_summed == CHECKSUM_HW) {
1071da177e4SLinus Torvalds 		err = skb_checksum_help(skb, 0);
1081da177e4SLinus Torvalds 		if (err)
1091da177e4SLinus Torvalds 			goto error_nolock;
1101da177e4SLinus Torvalds 	}
1111da177e4SLinus Torvalds 
1121da177e4SLinus Torvalds 	if (x->props.mode) {
1131da177e4SLinus Torvalds 		err = xfrm4_tunnel_check_size(skb);
1141da177e4SLinus Torvalds 		if (err)
1151da177e4SLinus Torvalds 			goto error_nolock;
1161da177e4SLinus Torvalds 	}
1171da177e4SLinus Torvalds 
11816a6677fSPatrick McHardy 	do {
1191da177e4SLinus Torvalds 		spin_lock_bh(&x->lock);
1201da177e4SLinus Torvalds 		err = xfrm_state_check(x, skb);
1211da177e4SLinus Torvalds 		if (err)
1221da177e4SLinus Torvalds 			goto error;
1231da177e4SLinus Torvalds 
1241da177e4SLinus Torvalds 		xfrm4_encap(skb);
1251da177e4SLinus Torvalds 
1261da177e4SLinus Torvalds 		err = x->type->output(x, skb);
1271da177e4SLinus Torvalds 		if (err)
1281da177e4SLinus Torvalds 			goto error;
1291da177e4SLinus Torvalds 
1301da177e4SLinus Torvalds 		x->curlft.bytes += skb->len;
1311da177e4SLinus Torvalds 		x->curlft.packets++;
1321da177e4SLinus Torvalds 
1331da177e4SLinus Torvalds 		spin_unlock_bh(&x->lock);
1341da177e4SLinus Torvalds 
1351da177e4SLinus Torvalds 		if (!(skb->dst = dst_pop(dst))) {
1361da177e4SLinus Torvalds 			err = -EHOSTUNREACH;
1371da177e4SLinus Torvalds 			goto error_nolock;
1381da177e4SLinus Torvalds 		}
13916a6677fSPatrick McHardy 		dst = skb->dst;
14016a6677fSPatrick McHardy 		x = dst->xfrm;
14116a6677fSPatrick McHardy 	} while (x && !x->props.mode);
14216a6677fSPatrick McHardy 
1433e3850e9SPatrick McHardy 	IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
14416a6677fSPatrick McHardy 	err = 0;
1451da177e4SLinus Torvalds 
1461da177e4SLinus Torvalds out_exit:
1471da177e4SLinus Torvalds 	return err;
1481da177e4SLinus Torvalds error:
1491da177e4SLinus Torvalds 	spin_unlock_bh(&x->lock);
1501da177e4SLinus Torvalds error_nolock:
1511da177e4SLinus Torvalds 	kfree_skb(skb);
1521da177e4SLinus Torvalds 	goto out_exit;
1531da177e4SLinus Torvalds }
15416a6677fSPatrick McHardy 
155*48d5cad8SPatrick McHardy static int xfrm4_output_finish(struct sk_buff *skb)
15616a6677fSPatrick McHardy {
15716a6677fSPatrick McHardy 	int err;
15816a6677fSPatrick McHardy 
159*48d5cad8SPatrick McHardy #ifdef CONFIG_NETFILTER
160*48d5cad8SPatrick McHardy 	if (!skb->dst->xfrm) {
161*48d5cad8SPatrick McHardy 		IPCB(skb)->flags |= IPSKB_REROUTED;
162*48d5cad8SPatrick McHardy 		return dst_output(skb);
163*48d5cad8SPatrick McHardy 	}
164*48d5cad8SPatrick McHardy #endif
16516a6677fSPatrick McHardy 	while (likely((err = xfrm4_output_one(skb)) == 0)) {
16616a6677fSPatrick McHardy 		nf_reset(skb);
16716a6677fSPatrick McHardy 
16816a6677fSPatrick McHardy 		err = nf_hook(PF_INET, NF_IP_LOCAL_OUT, &skb, NULL,
16916a6677fSPatrick McHardy 			      skb->dst->dev, dst_output);
17016a6677fSPatrick McHardy 		if (unlikely(err != 1))
17116a6677fSPatrick McHardy 			break;
17216a6677fSPatrick McHardy 
17316a6677fSPatrick McHardy 		if (!skb->dst->xfrm)
17416a6677fSPatrick McHardy 			return dst_output(skb);
17516a6677fSPatrick McHardy 
17616a6677fSPatrick McHardy 		err = nf_hook(PF_INET, NF_IP_POST_ROUTING, &skb, NULL,
17716a6677fSPatrick McHardy 			      skb->dst->dev, xfrm4_output_finish);
17816a6677fSPatrick McHardy 		if (unlikely(err != 1))
17916a6677fSPatrick McHardy 			break;
18016a6677fSPatrick McHardy 	}
18116a6677fSPatrick McHardy 
18216a6677fSPatrick McHardy 	return err;
18316a6677fSPatrick McHardy }
18416a6677fSPatrick McHardy 
18516a6677fSPatrick McHardy int xfrm4_output(struct sk_buff *skb)
18616a6677fSPatrick McHardy {
187*48d5cad8SPatrick McHardy 	return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
188*48d5cad8SPatrick McHardy 			    xfrm4_output_finish,
189*48d5cad8SPatrick McHardy 			    !(IPCB(skb)->flags & IPSKB_REROUTED));
19016a6677fSPatrick McHardy }
191