1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * xfrm_output.c - Common IPsec encapsulation code. 4 * 5 * Copyright (c) 2007 Herbert Xu <herbert@gondor.apana.org.au> 6 */ 7 8 #include <linux/errno.h> 9 #include <linux/module.h> 10 #include <linux/netdevice.h> 11 #include <linux/netfilter.h> 12 #include <linux/skbuff.h> 13 #include <linux/slab.h> 14 #include <linux/spinlock.h> 15 #include <net/dst.h> 16 #include <net/icmp.h> 17 #include <net/inet_ecn.h> 18 #include <net/xfrm.h> 19 20 #if IS_ENABLED(CONFIG_IPV6) 21 #include <net/ip6_route.h> 22 #include <net/ipv6_stubs.h> 23 #endif 24 25 #include "xfrm_inout.h" 26 27 static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff *skb); 28 static int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb); 29 30 static int xfrm_skb_check_space(struct sk_buff *skb) 31 { 32 struct dst_entry *dst = skb_dst(skb); 33 int nhead = dst->header_len + LL_RESERVED_SPACE(dst->dev) 34 - skb_headroom(skb); 35 int ntail = dst->dev->needed_tailroom - skb_tailroom(skb); 36 37 if (nhead <= 0) { 38 if (ntail <= 0) 39 return 0; 40 nhead = 0; 41 } else if (ntail < 0) 42 ntail = 0; 43 44 return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC); 45 } 46 47 /* Children define the path of the packet through the 48 * Linux networking. Thus, destinations are stackable. 49 */ 50 51 static struct dst_entry *skb_dst_pop(struct sk_buff *skb) 52 { 53 struct dst_entry *child = dst_clone(xfrm_dst_child(skb_dst(skb))); 54 55 skb_dst_drop(skb); 56 return child; 57 } 58 59 /* Add encapsulation header. 60 * 61 * The IP header will be moved forward to make space for the encapsulation 62 * header. 63 */ 64 static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb) 65 { 66 struct iphdr *iph = ip_hdr(skb); 67 int ihl = iph->ihl * 4; 68 69 skb_set_inner_transport_header(skb, skb_transport_offset(skb)); 70 71 skb_set_network_header(skb, -x->props.header_len); 72 skb->mac_header = skb->network_header + 73 offsetof(struct iphdr, protocol); 74 skb->transport_header = skb->network_header + ihl; 75 __skb_pull(skb, ihl); 76 memmove(skb_network_header(skb), iph, ihl); 77 return 0; 78 } 79 80 /* Add encapsulation header. 81 * 82 * The IP header and mutable extension headers will be moved forward to make 83 * space for the encapsulation header. 84 */ 85 static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb) 86 { 87 #if IS_ENABLED(CONFIG_IPV6) 88 struct ipv6hdr *iph; 89 u8 *prevhdr; 90 int hdr_len; 91 92 iph = ipv6_hdr(skb); 93 skb_set_inner_transport_header(skb, skb_transport_offset(skb)); 94 95 hdr_len = x->type->hdr_offset(x, skb, &prevhdr); 96 if (hdr_len < 0) 97 return hdr_len; 98 skb_set_mac_header(skb, 99 (prevhdr - x->props.header_len) - skb->data); 100 skb_set_network_header(skb, -x->props.header_len); 101 skb->transport_header = skb->network_header + hdr_len; 102 __skb_pull(skb, hdr_len); 103 memmove(ipv6_hdr(skb), iph, hdr_len); 104 return 0; 105 #else 106 WARN_ON_ONCE(1); 107 return -EAFNOSUPPORT; 108 #endif 109 } 110 111 /* Add route optimization header space. 112 * 113 * The IP header and mutable extension headers will be moved forward to make 114 * space for the route optimization header. 115 */ 116 static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb) 117 { 118 #if IS_ENABLED(CONFIG_IPV6) 119 struct ipv6hdr *iph; 120 u8 *prevhdr; 121 int hdr_len; 122 123 iph = ipv6_hdr(skb); 124 125 hdr_len = x->type->hdr_offset(x, skb, &prevhdr); 126 if (hdr_len < 0) 127 return hdr_len; 128 skb_set_mac_header(skb, 129 (prevhdr - x->props.header_len) - skb->data); 130 skb_set_network_header(skb, -x->props.header_len); 131 skb->transport_header = skb->network_header + hdr_len; 132 __skb_pull(skb, hdr_len); 133 memmove(ipv6_hdr(skb), iph, hdr_len); 134 135 x->lastused = ktime_get_real_seconds(); 136 137 return 0; 138 #else 139 WARN_ON_ONCE(1); 140 return -EAFNOSUPPORT; 141 #endif 142 } 143 144 /* Add encapsulation header. 145 * 146 * The top IP header will be constructed per draft-nikander-esp-beet-mode-06.txt. 147 */ 148 static int xfrm4_beet_encap_add(struct xfrm_state *x, struct sk_buff *skb) 149 { 150 struct ip_beet_phdr *ph; 151 struct iphdr *top_iph; 152 int hdrlen, optlen; 153 154 hdrlen = 0; 155 optlen = XFRM_MODE_SKB_CB(skb)->optlen; 156 if (unlikely(optlen)) 157 hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4); 158 159 skb_set_network_header(skb, -x->props.header_len - hdrlen + 160 (XFRM_MODE_SKB_CB(skb)->ihl - sizeof(*top_iph))); 161 if (x->sel.family != AF_INET6) 162 skb->network_header += IPV4_BEET_PHMAXLEN; 163 skb->mac_header = skb->network_header + 164 offsetof(struct iphdr, protocol); 165 skb->transport_header = skb->network_header + sizeof(*top_iph); 166 167 xfrm4_beet_make_header(skb); 168 169 ph = __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdrlen); 170 171 top_iph = ip_hdr(skb); 172 173 if (unlikely(optlen)) { 174 if (WARN_ON(optlen < 0)) 175 return -EINVAL; 176 177 ph->padlen = 4 - (optlen & 4); 178 ph->hdrlen = optlen / 8; 179 ph->nexthdr = top_iph->protocol; 180 if (ph->padlen) 181 memset(ph + 1, IPOPT_NOP, ph->padlen); 182 183 top_iph->protocol = IPPROTO_BEETPH; 184 top_iph->ihl = sizeof(struct iphdr) / 4; 185 } 186 187 top_iph->saddr = x->props.saddr.a4; 188 top_iph->daddr = x->id.daddr.a4; 189 190 return 0; 191 } 192 193 /* Add encapsulation header. 194 * 195 * The top IP header will be constructed per RFC 2401. 196 */ 197 static int xfrm4_tunnel_encap_add(struct xfrm_state *x, struct sk_buff *skb) 198 { 199 struct dst_entry *dst = skb_dst(skb); 200 struct iphdr *top_iph; 201 int flags; 202 203 skb_set_inner_network_header(skb, skb_network_offset(skb)); 204 skb_set_inner_transport_header(skb, skb_transport_offset(skb)); 205 206 skb_set_network_header(skb, -x->props.header_len); 207 skb->mac_header = skb->network_header + 208 offsetof(struct iphdr, protocol); 209 skb->transport_header = skb->network_header + sizeof(*top_iph); 210 top_iph = ip_hdr(skb); 211 212 top_iph->ihl = 5; 213 top_iph->version = 4; 214 215 top_iph->protocol = xfrm_af2proto(skb_dst(skb)->ops->family); 216 217 /* DS disclosing depends on XFRM_SA_XFLAG_DONT_ENCAP_DSCP */ 218 if (x->props.extra_flags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP) 219 top_iph->tos = 0; 220 else 221 top_iph->tos = XFRM_MODE_SKB_CB(skb)->tos; 222 top_iph->tos = INET_ECN_encapsulate(top_iph->tos, 223 XFRM_MODE_SKB_CB(skb)->tos); 224 225 flags = x->props.flags; 226 if (flags & XFRM_STATE_NOECN) 227 IP_ECN_clear(top_iph); 228 229 top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ? 230 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF)); 231 232 top_iph->ttl = ip4_dst_hoplimit(xfrm_dst_child(dst)); 233 234 top_iph->saddr = x->props.saddr.a4; 235 top_iph->daddr = x->id.daddr.a4; 236 ip_select_ident(dev_net(dst->dev), skb, NULL); 237 238 return 0; 239 } 240 241 #if IS_ENABLED(CONFIG_IPV6) 242 static int xfrm6_tunnel_encap_add(struct xfrm_state *x, struct sk_buff *skb) 243 { 244 struct dst_entry *dst = skb_dst(skb); 245 struct ipv6hdr *top_iph; 246 int dsfield; 247 248 skb_set_inner_network_header(skb, skb_network_offset(skb)); 249 skb_set_inner_transport_header(skb, skb_transport_offset(skb)); 250 251 skb_set_network_header(skb, -x->props.header_len); 252 skb->mac_header = skb->network_header + 253 offsetof(struct ipv6hdr, nexthdr); 254 skb->transport_header = skb->network_header + sizeof(*top_iph); 255 top_iph = ipv6_hdr(skb); 256 257 top_iph->version = 6; 258 259 memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl, 260 sizeof(top_iph->flow_lbl)); 261 top_iph->nexthdr = xfrm_af2proto(skb_dst(skb)->ops->family); 262 263 if (x->props.extra_flags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP) 264 dsfield = 0; 265 else 266 dsfield = XFRM_MODE_SKB_CB(skb)->tos; 267 dsfield = INET_ECN_encapsulate(dsfield, XFRM_MODE_SKB_CB(skb)->tos); 268 if (x->props.flags & XFRM_STATE_NOECN) 269 dsfield &= ~INET_ECN_MASK; 270 ipv6_change_dsfield(top_iph, 0, dsfield); 271 top_iph->hop_limit = ip6_dst_hoplimit(xfrm_dst_child(dst)); 272 top_iph->saddr = *(struct in6_addr *)&x->props.saddr; 273 top_iph->daddr = *(struct in6_addr *)&x->id.daddr; 274 return 0; 275 } 276 277 static int xfrm6_beet_encap_add(struct xfrm_state *x, struct sk_buff *skb) 278 { 279 struct ipv6hdr *top_iph; 280 struct ip_beet_phdr *ph; 281 int optlen, hdr_len; 282 283 hdr_len = 0; 284 optlen = XFRM_MODE_SKB_CB(skb)->optlen; 285 if (unlikely(optlen)) 286 hdr_len += IPV4_BEET_PHMAXLEN - (optlen & 4); 287 288 skb_set_network_header(skb, -x->props.header_len - hdr_len); 289 if (x->sel.family != AF_INET6) 290 skb->network_header += IPV4_BEET_PHMAXLEN; 291 skb->mac_header = skb->network_header + 292 offsetof(struct ipv6hdr, nexthdr); 293 skb->transport_header = skb->network_header + sizeof(*top_iph); 294 ph = __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdr_len); 295 296 xfrm6_beet_make_header(skb); 297 298 top_iph = ipv6_hdr(skb); 299 if (unlikely(optlen)) { 300 if (WARN_ON(optlen < 0)) 301 return -EINVAL; 302 303 ph->padlen = 4 - (optlen & 4); 304 ph->hdrlen = optlen / 8; 305 ph->nexthdr = top_iph->nexthdr; 306 if (ph->padlen) 307 memset(ph + 1, IPOPT_NOP, ph->padlen); 308 309 top_iph->nexthdr = IPPROTO_BEETPH; 310 } 311 312 top_iph->saddr = *(struct in6_addr *)&x->props.saddr; 313 top_iph->daddr = *(struct in6_addr *)&x->id.daddr; 314 return 0; 315 } 316 #endif 317 318 /* Add encapsulation header. 319 * 320 * On exit, the transport header will be set to the start of the 321 * encapsulation header to be filled in by x->type->output and the mac 322 * header will be set to the nextheader (protocol for IPv4) field of the 323 * extension header directly preceding the encapsulation header, or in 324 * its absence, that of the top IP header. 325 * The value of the network header will always point to the top IP header 326 * while skb->data will point to the payload. 327 */ 328 static int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb) 329 { 330 int err; 331 332 err = xfrm_inner_extract_output(x, skb); 333 if (err) 334 return err; 335 336 IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE; 337 skb->protocol = htons(ETH_P_IP); 338 339 switch (x->outer_mode.encap) { 340 case XFRM_MODE_BEET: 341 return xfrm4_beet_encap_add(x, skb); 342 case XFRM_MODE_TUNNEL: 343 return xfrm4_tunnel_encap_add(x, skb); 344 } 345 346 WARN_ON_ONCE(1); 347 return -EOPNOTSUPP; 348 } 349 350 static int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb) 351 { 352 #if IS_ENABLED(CONFIG_IPV6) 353 int err; 354 355 err = xfrm_inner_extract_output(x, skb); 356 if (err) 357 return err; 358 359 skb->ignore_df = 1; 360 skb->protocol = htons(ETH_P_IPV6); 361 362 switch (x->outer_mode.encap) { 363 case XFRM_MODE_BEET: 364 return xfrm6_beet_encap_add(x, skb); 365 case XFRM_MODE_TUNNEL: 366 return xfrm6_tunnel_encap_add(x, skb); 367 default: 368 WARN_ON_ONCE(1); 369 return -EOPNOTSUPP; 370 } 371 #endif 372 WARN_ON_ONCE(1); 373 return -EAFNOSUPPORT; 374 } 375 376 static int xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb) 377 { 378 switch (x->outer_mode.encap) { 379 case XFRM_MODE_BEET: 380 case XFRM_MODE_TUNNEL: 381 if (x->outer_mode.family == AF_INET) 382 return xfrm4_prepare_output(x, skb); 383 if (x->outer_mode.family == AF_INET6) 384 return xfrm6_prepare_output(x, skb); 385 break; 386 case XFRM_MODE_TRANSPORT: 387 if (x->outer_mode.family == AF_INET) 388 return xfrm4_transport_output(x, skb); 389 if (x->outer_mode.family == AF_INET6) 390 return xfrm6_transport_output(x, skb); 391 break; 392 case XFRM_MODE_ROUTEOPTIMIZATION: 393 if (x->outer_mode.family == AF_INET6) 394 return xfrm6_ro_output(x, skb); 395 WARN_ON_ONCE(1); 396 break; 397 default: 398 WARN_ON_ONCE(1); 399 break; 400 } 401 402 return -EOPNOTSUPP; 403 } 404 405 #if IS_ENABLED(CONFIG_NET_PKTGEN) 406 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb) 407 { 408 return xfrm_outer_mode_output(x, skb); 409 } 410 EXPORT_SYMBOL_GPL(pktgen_xfrm_outer_mode_output); 411 #endif 412 413 static int xfrm_output_one(struct sk_buff *skb, int err) 414 { 415 struct dst_entry *dst = skb_dst(skb); 416 struct xfrm_state *x = dst->xfrm; 417 struct net *net = xs_net(x); 418 419 if (err <= 0) 420 goto resume; 421 422 do { 423 err = xfrm_skb_check_space(skb); 424 if (err) { 425 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 426 goto error_nolock; 427 } 428 429 skb->mark = xfrm_smark_get(skb->mark, x); 430 431 err = xfrm_outer_mode_output(x, skb); 432 if (err) { 433 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEMODEERROR); 434 goto error_nolock; 435 } 436 437 spin_lock_bh(&x->lock); 438 439 if (unlikely(x->km.state != XFRM_STATE_VALID)) { 440 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID); 441 err = -EINVAL; 442 goto error; 443 } 444 445 err = xfrm_state_check_expire(x); 446 if (err) { 447 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEEXPIRED); 448 goto error; 449 } 450 451 err = x->repl->overflow(x, skb); 452 if (err) { 453 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR); 454 goto error; 455 } 456 457 x->curlft.bytes += skb->len; 458 x->curlft.packets++; 459 460 spin_unlock_bh(&x->lock); 461 462 skb_dst_force(skb); 463 if (!skb_dst(skb)) { 464 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 465 err = -EHOSTUNREACH; 466 goto error_nolock; 467 } 468 469 if (xfrm_offload(skb)) { 470 x->type_offload->encap(x, skb); 471 } else { 472 /* Inner headers are invalid now. */ 473 skb->encapsulation = 0; 474 475 err = x->type->output(x, skb); 476 if (err == -EINPROGRESS) 477 goto out; 478 } 479 480 resume: 481 if (err) { 482 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEPROTOERROR); 483 goto error_nolock; 484 } 485 486 dst = skb_dst_pop(skb); 487 if (!dst) { 488 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 489 err = -EHOSTUNREACH; 490 goto error_nolock; 491 } 492 skb_dst_set(skb, dst); 493 x = dst->xfrm; 494 } while (x && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL)); 495 496 return 0; 497 498 error: 499 spin_unlock_bh(&x->lock); 500 error_nolock: 501 kfree_skb(skb); 502 out: 503 return err; 504 } 505 506 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err) 507 { 508 struct net *net = xs_net(skb_dst(skb)->xfrm); 509 510 while (likely((err = xfrm_output_one(skb, err)) == 0)) { 511 nf_reset_ct(skb); 512 513 err = skb_dst(skb)->ops->local_out(net, sk, skb); 514 if (unlikely(err != 1)) 515 goto out; 516 517 if (!skb_dst(skb)->xfrm) 518 return dst_output(net, sk, skb); 519 520 err = nf_hook(skb_dst(skb)->ops->family, 521 NF_INET_POST_ROUTING, net, sk, skb, 522 NULL, skb_dst(skb)->dev, xfrm_output2); 523 if (unlikely(err != 1)) 524 goto out; 525 } 526 527 if (err == -EINPROGRESS) 528 err = 0; 529 530 out: 531 return err; 532 } 533 EXPORT_SYMBOL_GPL(xfrm_output_resume); 534 535 static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff *skb) 536 { 537 return xfrm_output_resume(sk, skb, 1); 538 } 539 540 static int xfrm_output_gso(struct net *net, struct sock *sk, struct sk_buff *skb) 541 { 542 struct sk_buff *segs, *nskb; 543 544 BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_GSO_CB_OFFSET); 545 BUILD_BUG_ON(sizeof(*IP6CB(skb)) > SKB_GSO_CB_OFFSET); 546 segs = skb_gso_segment(skb, 0); 547 kfree_skb(skb); 548 if (IS_ERR(segs)) 549 return PTR_ERR(segs); 550 if (segs == NULL) 551 return -EINVAL; 552 553 skb_list_walk_safe(segs, segs, nskb) { 554 int err; 555 556 skb_mark_not_on_list(segs); 557 err = xfrm_output2(net, sk, segs); 558 559 if (unlikely(err)) { 560 kfree_skb_list(nskb); 561 return err; 562 } 563 } 564 565 return 0; 566 } 567 568 int xfrm_output(struct sock *sk, struct sk_buff *skb) 569 { 570 struct net *net = dev_net(skb_dst(skb)->dev); 571 struct xfrm_state *x = skb_dst(skb)->xfrm; 572 int err; 573 574 switch (x->outer_mode.family) { 575 case AF_INET: 576 memset(IPCB(skb), 0, sizeof(*IPCB(skb))); 577 IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED; 578 break; 579 case AF_INET6: 580 memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); 581 582 IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED; 583 break; 584 } 585 586 secpath_reset(skb); 587 588 if (xfrm_dev_offload_ok(skb, x)) { 589 struct sec_path *sp; 590 591 sp = secpath_set(skb); 592 if (!sp) { 593 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 594 kfree_skb(skb); 595 return -ENOMEM; 596 } 597 skb->encapsulation = 1; 598 599 sp->olen++; 600 sp->xvec[sp->len++] = x; 601 xfrm_state_hold(x); 602 603 if (skb_is_gso(skb)) { 604 if (skb->inner_protocol) 605 return xfrm_output_gso(net, sk, skb); 606 607 skb_shinfo(skb)->gso_type |= SKB_GSO_ESP; 608 goto out; 609 } 610 611 if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM) 612 goto out; 613 } else { 614 if (skb_is_gso(skb)) 615 return xfrm_output_gso(net, sk, skb); 616 } 617 618 if (skb->ip_summed == CHECKSUM_PARTIAL) { 619 err = skb_checksum_help(skb); 620 if (err) { 621 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); 622 kfree_skb(skb); 623 return err; 624 } 625 } 626 627 out: 628 return xfrm_output2(net, sk, skb); 629 } 630 EXPORT_SYMBOL_GPL(xfrm_output); 631 632 static int xfrm4_tunnel_check_size(struct sk_buff *skb) 633 { 634 int mtu, ret = 0; 635 636 if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE) 637 goto out; 638 639 if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->ignore_df) 640 goto out; 641 642 mtu = dst_mtu(skb_dst(skb)); 643 if ((!skb_is_gso(skb) && skb->len > mtu) || 644 (skb_is_gso(skb) && 645 !skb_gso_validate_network_len(skb, ip_skb_dst_mtu(skb->sk, skb)))) { 646 skb->protocol = htons(ETH_P_IP); 647 648 if (skb->sk) 649 xfrm_local_error(skb, mtu); 650 else 651 icmp_send(skb, ICMP_DEST_UNREACH, 652 ICMP_FRAG_NEEDED, htonl(mtu)); 653 ret = -EMSGSIZE; 654 } 655 out: 656 return ret; 657 } 658 659 static int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb) 660 { 661 int err; 662 663 if (x->outer_mode.encap == XFRM_MODE_BEET && 664 ip_is_fragment(ip_hdr(skb))) { 665 net_warn_ratelimited("BEET mode doesn't support inner IPv4 fragments\n"); 666 return -EAFNOSUPPORT; 667 } 668 669 err = xfrm4_tunnel_check_size(skb); 670 if (err) 671 return err; 672 673 XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol; 674 675 xfrm4_extract_header(skb); 676 return 0; 677 } 678 679 #if IS_ENABLED(CONFIG_IPV6) 680 static int xfrm6_tunnel_check_size(struct sk_buff *skb) 681 { 682 int mtu, ret = 0; 683 struct dst_entry *dst = skb_dst(skb); 684 685 if (skb->ignore_df) 686 goto out; 687 688 mtu = dst_mtu(dst); 689 if (mtu < IPV6_MIN_MTU) 690 mtu = IPV6_MIN_MTU; 691 692 if ((!skb_is_gso(skb) && skb->len > mtu) || 693 (skb_is_gso(skb) && 694 !skb_gso_validate_network_len(skb, ip6_skb_dst_mtu(skb)))) { 695 skb->dev = dst->dev; 696 skb->protocol = htons(ETH_P_IPV6); 697 698 if (xfrm6_local_dontfrag(skb->sk)) 699 ipv6_stub->xfrm6_local_rxpmtu(skb, mtu); 700 else if (skb->sk) 701 xfrm_local_error(skb, mtu); 702 else 703 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); 704 ret = -EMSGSIZE; 705 } 706 out: 707 return ret; 708 } 709 #endif 710 711 static int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb) 712 { 713 #if IS_ENABLED(CONFIG_IPV6) 714 unsigned int ptr = 0; 715 int err; 716 717 if (x->outer_mode.encap == XFRM_MODE_BEET && 718 ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL, NULL) >= 0) { 719 net_warn_ratelimited("BEET mode doesn't support inner IPv6 fragments\n"); 720 return -EAFNOSUPPORT; 721 } 722 723 err = xfrm6_tunnel_check_size(skb); 724 if (err) 725 return err; 726 727 XFRM_MODE_SKB_CB(skb)->protocol = ipv6_hdr(skb)->nexthdr; 728 729 xfrm6_extract_header(skb); 730 return 0; 731 #else 732 WARN_ON_ONCE(1); 733 return -EAFNOSUPPORT; 734 #endif 735 } 736 737 static int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb) 738 { 739 const struct xfrm_mode *inner_mode; 740 741 if (x->sel.family == AF_UNSPEC) 742 inner_mode = xfrm_ip2inner_mode(x, 743 xfrm_af2proto(skb_dst(skb)->ops->family)); 744 else 745 inner_mode = &x->inner_mode; 746 747 if (inner_mode == NULL) 748 return -EAFNOSUPPORT; 749 750 switch (inner_mode->family) { 751 case AF_INET: 752 return xfrm4_extract_output(x, skb); 753 case AF_INET6: 754 return xfrm6_extract_output(x, skb); 755 } 756 757 return -EAFNOSUPPORT; 758 } 759 760 void xfrm_local_error(struct sk_buff *skb, int mtu) 761 { 762 unsigned int proto; 763 struct xfrm_state_afinfo *afinfo; 764 765 if (skb->protocol == htons(ETH_P_IP)) 766 proto = AF_INET; 767 else if (skb->protocol == htons(ETH_P_IPV6) && 768 skb->sk->sk_family == AF_INET6) 769 proto = AF_INET6; 770 else 771 return; 772 773 afinfo = xfrm_state_get_afinfo(proto); 774 if (afinfo) { 775 afinfo->local_error(skb, mtu); 776 rcu_read_unlock(); 777 } 778 } 779 EXPORT_SYMBOL_GPL(xfrm_local_error); 780