]> Git Repo - linux.git/blame - net/xfrm/xfrm_output.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
[linux.git] / net / xfrm / xfrm_output.c
CommitLineData
2874c5fd 1// SPDX-License-Identifier: GPL-2.0-or-later
406ef77c
HX		 2/*
3 * xfrm_output.c - Common IPsec encapsulation code.
4 *
5 * Copyright (c) 2007 Herbert Xu <[email protected]>
406ef77c
HX		 6 */
7
8#include <linux/errno.h>
9#include <linux/module.h>
10#include <linux/netdevice.h>
862b82c6 11#include <linux/netfilter.h>
406ef77c 12#include <linux/skbuff.h>
5a0e3ad6 13#include <linux/slab.h>
406ef77c 14#include <linux/spinlock.h>
406ef77c 15#include <net/dst.h>
6d64be3d 16#include <net/icmp.h>
1de70830 17#include <net/inet_ecn.h>
406ef77c
HX		 18#include <net/xfrm.h>
19
f3075f48
FW		 20#if IS_ENABLED(CONFIG_IPV6)
21#include <net/ip6_route.h>
22#include <net/ipv6_stubs.h>
23#endif
24
1de70830
FW		 25#include "xfrm_inout.h"
26
0c4b51f0 27static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff *skb);
0c620e97 28static int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
c6581a45 29
26b2072e 30static int xfrm_skb_check_space(struct sk_buff *skb)
83815dea 31{
adf30907 32 struct dst_entry *dst = skb_dst(skb);
550ade84 33 int nhead = dst->header_len + LL_RESERVED_SPACE(dst->dev)
83815dea 34 - skb_headroom(skb);
f5184d26 35 int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
83815dea 36
d01dbeb6
HX		 37 if (nhead <= 0) {
38 if (ntail <= 0)
39 return 0;
40 nhead = 0;
41 } else if (ntail < 0)
42 ntail = 0;
43
44 return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
83815dea
HX		 45}
46
9449c3cd
YX		 47/* Children define the path of the packet through the
48 * Linux networking. Thus, destinations are stackable.
49 */
50
51static struct dst_entry *skb_dst_pop(struct sk_buff *skb)
52{
b92cf4aa 53 struct dst_entry *child = dst_clone(xfrm_dst_child(skb_dst(skb)));
9449c3cd
YX		 54
55 skb_dst_drop(skb);
56 return child;
57}
58
0c620e97
FW		 59/* Add encapsulation header.
60 *
61 * The IP header will be moved forward to make space for the encapsulation
62 * header.
63 */
64static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
65{
0c620e97
FW		 66 struct iphdr *iph = ip_hdr(skb);
67 int ihl = iph->ihl * 4;
68
69 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
70
71 skb_set_network_header(skb, -x->props.header_len);
72 skb->mac_header = skb->network_header +
73 offsetof(struct iphdr, protocol);
74 skb->transport_header = skb->network_header + ihl;
75 __skb_pull(skb, ihl);
76 memmove(skb_network_header(skb), iph, ihl);
77 return 0;
0c620e97
FW		 78}
79
37b9e7eb 80#if IS_ENABLED(CONFIG_IPV6_MIP6)
3ca5ca83 81static int mip6_rthdr_offset(struct sk_buff *skb, u8 **nexthdr, int type)
37b9e7eb 82{
37b9e7eb 83 const unsigned char *nh = skb_network_header(skb);
3ca5ca83
FW		 84 unsigned int offset = sizeof(struct ipv6hdr);
85 unsigned int packet_len;
37b9e7eb
FW		 86 int found_rhdr = 0;
87
3ca5ca83 88 packet_len = skb_tail_pointer(skb) - nh;
37b9e7eb
FW		 89 *nexthdr = &ipv6_hdr(skb)->nexthdr;
90
3ca5ca83
FW		 91 while (offset <= packet_len) {
92 struct ipv6_opt_hdr *exthdr;
93
37b9e7eb
FW		 94 switch (**nexthdr) {
95 case NEXTHDR_HOP:
96 break;
97 case NEXTHDR_ROUTING:
3ca5ca83
FW		 98 if (type == IPPROTO_ROUTING && offset + 3 <= packet_len) {
99 struct ipv6_rt_hdr *rt;
100
101 rt = (struct ipv6_rt_hdr *)(nh + offset);
102 if (rt->type != 0)
103 return offset;
104 }
37b9e7eb
FW		 105 found_rhdr = 1;
106 break;
107 case NEXTHDR_DEST:
108 /* HAO MUST NOT appear more than once.
109 * XXX: It is better to try to find by the end of
110 * XXX: packet if HAO exists.
111 */
112 if (ipv6_find_tlv(skb, offset, IPV6_TLV_HAO) >= 0) {
113 net_dbg_ratelimited("mip6: hao exists already, override\n");
114 return offset;
115 }
116
117 if (found_rhdr)
118 return offset;
119
120 break;
121 default:
122 return offset;
123 }
124
3ca5ca83
FW		 125 if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
126 return -EINVAL;
848b18fb 127
3ca5ca83
FW		 128 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
129 offset);
848b18fb 130 offset += ipv6_optlen(exthdr);
3ca5ca83
FW		 131 if (offset > IPV6_MAXPLEN)
132 return -EINVAL;
848b18fb 133 *nexthdr = &exthdr->nexthdr;
848b18fb
FW		 134 }
135
3ca5ca83 136 return -EINVAL;
848b18fb 137}
37b9e7eb
FW		 138#endif
139
30ad6a84 140#if IS_ENABLED(CONFIG_IPV6)
9acf4d3b
FW		 141static int xfrm6_hdr_offset(struct xfrm_state *x, struct sk_buff *skb, u8 **prevhdr)
142{
37b9e7eb
FW		 143 switch (x->type->proto) {
144#if IS_ENABLED(CONFIG_IPV6_MIP6)
145 case IPPROTO_DSTOPTS:
848b18fb 146 case IPPROTO_ROUTING:
3ca5ca83 147 return mip6_rthdr_offset(skb, prevhdr, x->type->proto);
37b9e7eb
FW		 148#endif
149 default:
150 break;
151 }
152
d1002d24 153 return ip6_find_1stfragopt(skb, prevhdr);
9acf4d3b 154}
30ad6a84 155#endif
9acf4d3b 156
0c620e97
FW		 157/* Add encapsulation header.
158 *
159 * The IP header and mutable extension headers will be moved forward to make
160 * space for the encapsulation header.
161 */
162static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
163{
4c145dce 164#if IS_ENABLED(CONFIG_IPV6)
0c620e97
FW		 165 struct ipv6hdr *iph;
166 u8 *prevhdr;
167 int hdr_len;
168
169 iph = ipv6_hdr(skb);
170 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
171
9acf4d3b 172 hdr_len = xfrm6_hdr_offset(x, skb, &prevhdr);
0c620e97
FW		 173 if (hdr_len < 0)
174 return hdr_len;
175 skb_set_mac_header(skb,
176 (prevhdr - x->props.header_len) - skb->data);
177 skb_set_network_header(skb, -x->props.header_len);
178 skb->transport_header = skb->network_header + hdr_len;
179 __skb_pull(skb, hdr_len);
180 memmove(ipv6_hdr(skb), iph, hdr_len);
181 return 0;
182#else
183 WARN_ON_ONCE(1);
4c145dce 184 return -EAFNOSUPPORT;
0c620e97
FW		 185#endif
186}
187
188/* Add route optimization header space.
189 *
190 * The IP header and mutable extension headers will be moved forward to make
191 * space for the route optimization header.
192 */
193static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb)
194{
4c145dce 195#if IS_ENABLED(CONFIG_IPV6)
0c620e97
FW		 196 struct ipv6hdr *iph;
197 u8 *prevhdr;
198 int hdr_len;
199
200 iph = ipv6_hdr(skb);
201
9acf4d3b 202 hdr_len = xfrm6_hdr_offset(x, skb, &prevhdr);
0c620e97
FW		 203 if (hdr_len < 0)
204 return hdr_len;
205 skb_set_mac_header(skb,
206 (prevhdr - x->props.header_len) - skb->data);
207 skb_set_network_header(skb, -x->props.header_len);
208 skb->transport_header = skb->network_header + hdr_len;
209 __skb_pull(skb, hdr_len);
210 memmove(ipv6_hdr(skb), iph, hdr_len);
211
212 x->lastused = ktime_get_real_seconds();
213
214 return 0;
215#else
216 WARN_ON_ONCE(1);
4c145dce 217 return -EAFNOSUPPORT;
0c620e97
FW		 218#endif
219}
220
1de70830
FW		 221/* Add encapsulation header.
222 *
223 * The top IP header will be constructed per draft-nikander-esp-beet-mode-06.txt.
224 */
225static int xfrm4_beet_encap_add(struct xfrm_state *x, struct sk_buff *skb)
226{
227 struct ip_beet_phdr *ph;
228 struct iphdr *top_iph;
229 int hdrlen, optlen;
230
231 hdrlen = 0;
232 optlen = XFRM_MODE_SKB_CB(skb)->optlen;
233 if (unlikely(optlen))
234 hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4);
235
236 skb_set_network_header(skb, -x->props.header_len - hdrlen +
237 (XFRM_MODE_SKB_CB(skb)->ihl - sizeof(*top_iph)));
238 if (x->sel.family != AF_INET6)
239 skb->network_header += IPV4_BEET_PHMAXLEN;
240 skb->mac_header = skb->network_header +
241 offsetof(struct iphdr, protocol);
242 skb->transport_header = skb->network_header + sizeof(*top_iph);
243
244 xfrm4_beet_make_header(skb);
245
246 ph = __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdrlen);
247
248 top_iph = ip_hdr(skb);
249
250 if (unlikely(optlen)) {
251 if (WARN_ON(optlen < 0))
252 return -EINVAL;
253
254 ph->padlen = 4 - (optlen & 4);
255 ph->hdrlen = optlen / 8;
256 ph->nexthdr = top_iph->protocol;
257 if (ph->padlen)
258 memset(ph + 1, IPOPT_NOP, ph->padlen);
259
260 top_iph->protocol = IPPROTO_BEETPH;
261 top_iph->ihl = sizeof(struct iphdr) / 4;
262 }
263
264 top_iph->saddr = x->props.saddr.a4;
265 top_iph->daddr = x->id.daddr.a4;
266
267 return 0;
268}
269
270/* Add encapsulation header.
271 *
272 * The top IP header will be constructed per RFC 2401.
273 */
274static int xfrm4_tunnel_encap_add(struct xfrm_state *x, struct sk_buff *skb)
275{
276 struct dst_entry *dst = skb_dst(skb);
277 struct iphdr *top_iph;
278 int flags;
279
280 skb_set_inner_network_header(skb, skb_network_offset(skb));
281 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
282
283 skb_set_network_header(skb, -x->props.header_len);
284 skb->mac_header = skb->network_header +
285 offsetof(struct iphdr, protocol);
286 skb->transport_header = skb->network_header + sizeof(*top_iph);
287 top_iph = ip_hdr(skb);
288
289 top_iph->ihl = 5;
290 top_iph->version = 4;
291
292 top_iph->protocol = xfrm_af2proto(skb_dst(skb)->ops->family);
293
294 /* DS disclosing depends on XFRM_SA_XFLAG_DONT_ENCAP_DSCP */
295 if (x->props.extra_flags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP)
296 top_iph->tos = 0;
297 else
298 top_iph->tos = XFRM_MODE_SKB_CB(skb)->tos;
299 top_iph->tos = INET_ECN_encapsulate(top_iph->tos,
300 XFRM_MODE_SKB_CB(skb)->tos);
301
302 flags = x->props.flags;
303 if (flags & XFRM_STATE_NOECN)
304 IP_ECN_clear(top_iph);
305
306 top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
307 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
308
309 top_iph->ttl = ip4_dst_hoplimit(xfrm_dst_child(dst));
310
311 top_iph->saddr = x->props.saddr.a4;
312 top_iph->daddr = x->id.daddr.a4;
313 ip_select_ident(dev_net(dst->dev), skb, NULL);
314
315 return 0;
316}
317
318#if IS_ENABLED(CONFIG_IPV6)
319static int xfrm6_tunnel_encap_add(struct xfrm_state *x, struct sk_buff *skb)
320{
321 struct dst_entry *dst = skb_dst(skb);
322 struct ipv6hdr *top_iph;
323 int dsfield;
324
325 skb_set_inner_network_header(skb, skb_network_offset(skb));
326 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
327
328 skb_set_network_header(skb, -x->props.header_len);
329 skb->mac_header = skb->network_header +
330 offsetof(struct ipv6hdr, nexthdr);
331 skb->transport_header = skb->network_header + sizeof(*top_iph);
332 top_iph = ipv6_hdr(skb);
333
334 top_iph->version = 6;
335
336 memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl,
337 sizeof(top_iph->flow_lbl));
338 top_iph->nexthdr = xfrm_af2proto(skb_dst(skb)->ops->family);
339
340 if (x->props.extra_flags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP)
341 dsfield = 0;
342 else
343 dsfield = XFRM_MODE_SKB_CB(skb)->tos;
344 dsfield = INET_ECN_encapsulate(dsfield, XFRM_MODE_SKB_CB(skb)->tos);
345 if (x->props.flags & XFRM_STATE_NOECN)
346 dsfield &= ~INET_ECN_MASK;
347 ipv6_change_dsfield(top_iph, 0, dsfield);
348 top_iph->hop_limit = ip6_dst_hoplimit(xfrm_dst_child(dst));
349 top_iph->saddr = *(struct in6_addr *)&x->props.saddr;
350 top_iph->daddr = *(struct in6_addr *)&x->id.daddr;
351 return 0;
352}
353
354static int xfrm6_beet_encap_add(struct xfrm_state *x, struct sk_buff *skb)
355{
356 struct ipv6hdr *top_iph;
357 struct ip_beet_phdr *ph;
358 int optlen, hdr_len;
359
360 hdr_len = 0;
361 optlen = XFRM_MODE_SKB_CB(skb)->optlen;
362 if (unlikely(optlen))
363 hdr_len += IPV4_BEET_PHMAXLEN - (optlen & 4);
364
365 skb_set_network_header(skb, -x->props.header_len - hdr_len);
366 if (x->sel.family != AF_INET6)
367 skb->network_header += IPV4_BEET_PHMAXLEN;
368 skb->mac_header = skb->network_header +
369 offsetof(struct ipv6hdr, nexthdr);
370 skb->transport_header = skb->network_header + sizeof(*top_iph);
371 ph = __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdr_len);
372
373 xfrm6_beet_make_header(skb);
374
375 top_iph = ipv6_hdr(skb);
376 if (unlikely(optlen)) {
377 if (WARN_ON(optlen < 0))
378 return -EINVAL;
379
380 ph->padlen = 4 - (optlen & 4);
381 ph->hdrlen = optlen / 8;
382 ph->nexthdr = top_iph->nexthdr;
383 if (ph->padlen)
384 memset(ph + 1, IPOPT_NOP, ph->padlen);
385
386 top_iph->nexthdr = IPPROTO_BEETPH;
387 }
388
389 top_iph->saddr = *(struct in6_addr *)&x->props.saddr;
390 top_iph->daddr = *(struct in6_addr *)&x->id.daddr;
391 return 0;
392}
393#endif
394
395/* Add encapsulation header.
396 *
397 * On exit, the transport header will be set to the start of the
398 * encapsulation header to be filled in by x->type->output and the mac
399 * header will be set to the nextheader (protocol for IPv4) field of the
400 * extension header directly preceding the encapsulation header, or in
401 * its absence, that of the top IP header.
402 * The value of the network header will always point to the top IP header
403 * while skb->data will point to the payload.
404 */
0c620e97
FW		 405static int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
406{
407 int err;
408
409 err = xfrm_inner_extract_output(x, skb);
410 if (err)
411 return err;
412
413 IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
414 skb->protocol = htons(ETH_P_IP);
415
c9500d7b 416 switch (x->outer_mode.encap) {
1de70830
FW		 417 case XFRM_MODE_BEET:
418 return xfrm4_beet_encap_add(x, skb);
419 case XFRM_MODE_TUNNEL:
420 return xfrm4_tunnel_encap_add(x, skb);
421 }
422
423 WARN_ON_ONCE(1);
424 return -EOPNOTSUPP;
0c620e97
FW		 425}
426
427static int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
428{
429#if IS_ENABLED(CONFIG_IPV6)
430 int err;
431
432 err = xfrm_inner_extract_output(x, skb);
433 if (err)
434 return err;
435
436 skb->ignore_df = 1;
437 skb->protocol = htons(ETH_P_IPV6);
438
c9500d7b 439 switch (x->outer_mode.encap) {
1de70830
FW		 440 case XFRM_MODE_BEET:
441 return xfrm6_beet_encap_add(x, skb);
442 case XFRM_MODE_TUNNEL:
443 return xfrm6_tunnel_encap_add(x, skb);
444 default:
445 WARN_ON_ONCE(1);
446 return -EOPNOTSUPP;
447 }
0c620e97 448#endif
1de70830
FW		 449 WARN_ON_ONCE(1);
450 return -EAFNOSUPPORT;
0c620e97
FW		 451}
452
453static int xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb)
454{
c9500d7b 455 switch (x->outer_mode.encap) {
0c620e97
FW		 456 case XFRM_MODE_BEET:
457 case XFRM_MODE_TUNNEL:
c9500d7b 458 if (x->outer_mode.family == AF_INET)
0c620e97 459 return xfrm4_prepare_output(x, skb);
c9500d7b 460 if (x->outer_mode.family == AF_INET6)
0c620e97
FW		 461 return xfrm6_prepare_output(x, skb);
462 break;
463 case XFRM_MODE_TRANSPORT:
c9500d7b 464 if (x->outer_mode.family == AF_INET)
0c620e97 465 return xfrm4_transport_output(x, skb);
c9500d7b 466 if (x->outer_mode.family == AF_INET6)
0c620e97
FW		 467 return xfrm6_transport_output(x, skb);
468 break;
469 case XFRM_MODE_ROUTEOPTIMIZATION:
c9500d7b 470 if (x->outer_mode.family == AF_INET6)
0c620e97
FW		 471 return xfrm6_ro_output(x, skb);
472 WARN_ON_ONCE(1);
473 break;
474 default:
475 WARN_ON_ONCE(1);
476 break;
477 }
478
479 return -EOPNOTSUPP;
480}
481
482#if IS_ENABLED(CONFIG_NET_PKTGEN)
483int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb)
484{
485 return xfrm_outer_mode_output(x, skb);
486}
487EXPORT_SYMBOL_GPL(pktgen_xfrm_outer_mode_output);
488#endif
489
c6581a45 490static int xfrm_output_one(struct sk_buff *skb, int err)
406ef77c 491{
adf30907 492 struct dst_entry *dst = skb_dst(skb);
406ef77c 493 struct xfrm_state *x = dst->xfrm;
a6483b79 494 struct net *net = xs_net(x);
406ef77c 495
c6581a45
HX		 496 if (err <= 0)
497 goto resume;
406ef77c
HX		 498
499 do {
26b2072e 500 err = xfrm_skb_check_space(skb);
b15c4bcd 501 if (err) {
59c9940e 502 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
910ef70a 503 goto error_nolock;
b15c4bcd 504 }
910ef70a 505
9b42c1f1 506 skb->mark = xfrm_smark_get(skb->mark, x);
077fbac4 507
0c620e97 508 err = xfrm_outer_mode_output(x, skb);
b15c4bcd 509 if (err) {
59c9940e 510 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEMODEERROR);
910ef70a 511 goto error_nolock;
b15c4bcd 512 }
a2deb6d2 513
406ef77c 514 spin_lock_bh(&x->lock);
bb65a9cb
LR		 515
516 if (unlikely(x->km.state != XFRM_STATE_VALID)) {
517 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
497574c7 518 err = -EINVAL;
fa8599db 519 goto error;
bb65a9cb
LR		 520 }
521
910ef70a 522 err = xfrm_state_check_expire(x);
b15c4bcd 523 if (err) {
59c9940e 524 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEEXPIRED);
406ef77c 525 goto error;
b15c4bcd 526 }
406ef77c 527
b5a1d1fe 528 err = xfrm_replay_overflow(x, skb);
9fdc4883
SK		 529 if (err) {
530 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
531 goto error;
436a0a40
HX		 532 }
533
406ef77c
HX		 534 x->curlft.bytes += skb->len;
535 x->curlft.packets++;
536
406ef77c
HX		 537 spin_unlock_bh(&x->lock);
538
3bc07321 539 skb_dst_force(skb);
9e143793
SK		 540 if (!skb_dst(skb)) {
541 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
533555e5 542 err = -EHOSTUNREACH;
9e143793
SK		 543 goto error_nolock;
544 }
3bc07321 545
d77e38e6
SK		 546 if (xfrm_offload(skb)) {
547 x->type_offload->encap(x, skb);
548 } else {
73b9fc49
SK		 549 /* Inner headers are invalid now. */
550 skb->encapsulation = 0;
551
d77e38e6
SK		 552 err = x->type->output(x, skb);
553 if (err == -EINPROGRESS)
554 goto out;
555 }
c6581a45
HX		 556
557resume:
0aa64774 558 if (err) {
59c9940e 559 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEPROTOERROR);
b7c6538c 560 goto error_nolock;
0aa64774 561 }
b7c6538c 562
8764ab2c 563 dst = skb_dst_pop(skb);
adf30907 564 if (!dst) {
59c9940e 565 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
406ef77c
HX		 566 err = -EHOSTUNREACH;
567 goto error_nolock;
568 }
e433430a 569 skb_dst_set(skb, dst);
406ef77c 570 x = dst->xfrm;
c9500d7b 571 } while (x && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL));
406ef77c 572
ebd4687a 573 return 0;
406ef77c 574
406ef77c
HX		 575error:
576 spin_unlock_bh(&x->lock);
862b82c6
HX		 577error_nolock:
578 kfree_skb(skb);
ebd4687a
JS		 579out:
580 return err;
862b82c6
HX		 581}
582
9ab1265d 583int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err)
862b82c6 584{
29a26a56 585 struct net *net = xs_net(skb_dst(skb)->xfrm);
be10de0a 586
c6581a45 587 while (likely((err = xfrm_output_one(skb, err)) == 0)) {
895b5c9f 588 nf_reset_ct(skb);
862b82c6 589
9ab1265d 590 err = skb_dst(skb)->ops->local_out(net, sk, skb);
862b82c6 591 if (unlikely(err != 1))
c6581a45 592 goto out;
862b82c6 593
adf30907 594 if (!skb_dst(skb)->xfrm)
9ab1265d 595 return dst_output(net, sk, skb);
862b82c6 596
adf30907 597 err = nf_hook(skb_dst(skb)->ops->family,
9ab1265d 598 NF_INET_POST_ROUTING, net, sk, skb,
adf30907 599 NULL, skb_dst(skb)->dev, xfrm_output2);
862b82c6 600 if (unlikely(err != 1))
c6581a45 601 goto out;
862b82c6
HX		 602 }
603
c6581a45
HX		 604 if (err == -EINPROGRESS)
605 err = 0;
606
607out:
862b82c6
HX		 608 return err;
609}
c6581a45 610EXPORT_SYMBOL_GPL(xfrm_output_resume);
862b82c6 611
0c4b51f0 612static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
862b82c6 613{
9ab1265d 614 return xfrm_output_resume(sk, skb, 1);
c6581a45 615}
862b82c6 616
0c4b51f0 617static int xfrm_output_gso(struct net *net, struct sock *sk, struct sk_buff *skb)
c6581a45 618{
c3b18e0d 619 struct sk_buff *segs, *nskb;
862b82c6 620
a08e7fd9
CZ		 621 BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_GSO_CB_OFFSET);
622 BUILD_BUG_ON(sizeof(*IP6CB(skb)) > SKB_GSO_CB_OFFSET);
862b82c6
HX		 623 segs = skb_gso_segment(skb, 0);
624 kfree_skb(skb);
801678c5 625 if (IS_ERR(segs))
862b82c6 626 return PTR_ERR(segs);
330966e5
FW		 627 if (segs == NULL)
628 return -EINVAL;
862b82c6 629
c3b18e0d 630 skb_list_walk_safe(segs, segs, nskb) {
862b82c6
HX		 631 int err;
632
a8305bff 633 skb_mark_not_on_list(segs);
0c4b51f0 634 err = xfrm_output2(net, sk, segs);
862b82c6
HX		 635
636 if (unlikely(err)) {
46cfd725 637 kfree_skb_list(nskb);
862b82c6
HX		 638 return err;
639 }
c3b18e0d 640 }
862b82c6
HX		 641
642 return 0;
406ef77c 643}
c6581a45 644
fa453523
HN		 645/* For partial checksum offload, the outer header checksum is calculated
646 * by software and the inner header checksum is calculated by hardware.
647 * This requires hardware to know the inner packet type to calculate
648 * the inner header checksum. Save inner ip protocol here to avoid
649 * traversing the packet in the vendor's xmit code.
650 * If the encap type is IPIP, just save skb->inner_ipproto. Otherwise,
651 * get the ip protocol from the IP header.
652 */
653static void xfrm_get_inner_ipproto(struct sk_buff *skb)
654{
655 struct xfrm_offload *xo = xfrm_offload(skb);
656 const struct ethhdr *eth;
657
658 if (!xo)
659 return;
660
661 if (skb->inner_protocol_type == ENCAP_TYPE_IPPROTO) {
662 xo->inner_ipproto = skb->inner_ipproto;
663 return;
664 }
665
666 if (skb->inner_protocol_type != ENCAP_TYPE_ETHER)
667 return;
668
669 eth = (struct ethhdr *)skb_inner_mac_header(skb);
670
671 switch (ntohs(eth->h_proto)) {
672 case ETH_P_IPV6:
673 xo->inner_ipproto = inner_ipv6_hdr(skb)->nexthdr;
674 break;
675 case ETH_P_IP:
676 xo->inner_ipproto = inner_ip_hdr(skb)->protocol;
677 break;
678 }
679}
680
7026b1dd 681int xfrm_output(struct sock *sk, struct sk_buff *skb)
c6581a45 682{
adf30907 683 struct net *net = dev_net(skb_dst(skb)->dev);
d77e38e6 684 struct xfrm_state *x = skb_dst(skb)->xfrm;
c6581a45
HX		 685 int err;
686
2ab6096d
FW		 687 switch (x->outer_mode.family) {
688 case AF_INET:
689 memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
2ab6096d 690 IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
2ab6096d
FW		 691 break;
692 case AF_INET6:
693 memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
694
2ab6096d 695 IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
2ab6096d
FW		 696 break;
697 }
698
d77e38e6
SK		 699 secpath_reset(skb);
700
701 if (xfrm_dev_offload_ok(skb, x)) {
702 struct sec_path *sp;
703
a84e3f53 704 sp = secpath_set(skb);
d77e38e6
SK		 705 if (!sp) {
706 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
707 kfree_skb(skb);
708 return -ENOMEM;
709 }
d77e38e6
SK		 710
711 sp->olen++;
a84e3f53 712 sp->xvec[sp->len++] = x;
d77e38e6
SK		 713 xfrm_state_hold(x);
714
fa453523
HN		 715 if (skb->encapsulation)
716 xfrm_get_inner_ipproto(skb);
717 skb->encapsulation = 1;
718
d77e38e6 719 if (skb_is_gso(skb)) {
a204aef9
XL		 720 if (skb->inner_protocol)
721 return xfrm_output_gso(net, sk, skb);
d77e38e6 722
a204aef9
XL		 723 skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
724 goto out;
d77e38e6
SK		 725 }
726
727 if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM)
728 goto out;
a204aef9
XL		 729 } else {
730 if (skb_is_gso(skb))
731 return xfrm_output_gso(net, sk, skb);
d77e38e6
SK		 732 }
733
c6581a45
HX		 734 if (skb->ip_summed == CHECKSUM_PARTIAL) {
735 err = skb_checksum_help(skb);
736 if (err) {
59c9940e 737 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
c6581a45
HX		 738 kfree_skb(skb);
739 return err;
740 }
741 }
742
d77e38e6 743out:
0c4b51f0 744 return xfrm_output2(net, sk, skb);
c6581a45 745}
fc68086c 746EXPORT_SYMBOL_GPL(xfrm_output);
df9dcb45 747
6d64be3d
FW		 748static int xfrm4_tunnel_check_size(struct sk_buff *skb)
749{
750 int mtu, ret = 0;
751
752 if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
753 goto out;
754
755 if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->ignore_df)
756 goto out;
757
758 mtu = dst_mtu(skb_dst(skb));
759 if ((!skb_is_gso(skb) && skb->len > mtu) ||
760 (skb_is_gso(skb) &&
761 !skb_gso_validate_network_len(skb, ip_skb_dst_mtu(skb->sk, skb)))) {
762 skb->protocol = htons(ETH_P_IP);
763
764 if (skb->sk)
765 xfrm_local_error(skb, mtu);
766 else
767 icmp_send(skb, ICMP_DEST_UNREACH,
768 ICMP_FRAG_NEEDED, htonl(mtu));
769 ret = -EMSGSIZE;
770 }
771out:
772 return ret;
773}
774
775static int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb)
776{
777 int err;
778
68dc022d
XL		 779 if (x->outer_mode.encap == XFRM_MODE_BEET &&
780 ip_is_fragment(ip_hdr(skb))) {
781 net_warn_ratelimited("BEET mode doesn't support inner IPv4 fragments\n");
782 return -EAFNOSUPPORT;
783 }
784
6d64be3d
FW		 785 err = xfrm4_tunnel_check_size(skb);
786 if (err)
787 return err;
788
789 XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol;
790
791 xfrm4_extract_header(skb);
792 return 0;
793}
794
f3075f48
FW		 795#if IS_ENABLED(CONFIG_IPV6)
796static int xfrm6_tunnel_check_size(struct sk_buff *skb)
797{
798 int mtu, ret = 0;
799 struct dst_entry *dst = skb_dst(skb);
800
801 if (skb->ignore_df)
802 goto out;
803
804 mtu = dst_mtu(dst);
805 if (mtu < IPV6_MIN_MTU)
806 mtu = IPV6_MIN_MTU;
807
808 if ((!skb_is_gso(skb) && skb->len > mtu) ||
809 (skb_is_gso(skb) &&
810 !skb_gso_validate_network_len(skb, ip6_skb_dst_mtu(skb)))) {
811 skb->dev = dst->dev;
812 skb->protocol = htons(ETH_P_IPV6);
813
814 if (xfrm6_local_dontfrag(skb->sk))
815 ipv6_stub->xfrm6_local_rxpmtu(skb, mtu);
816 else if (skb->sk)
817 xfrm_local_error(skb, mtu);
818 else
819 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
820 ret = -EMSGSIZE;
821 }
822out:
823 return ret;
824}
825#endif
826
827static int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb)
828{
829#if IS_ENABLED(CONFIG_IPV6)
830 int err;
831
832 err = xfrm6_tunnel_check_size(skb);
833 if (err)
834 return err;
835
836 XFRM_MODE_SKB_CB(skb)->protocol = ipv6_hdr(skb)->nexthdr;
837
838 xfrm6_extract_header(skb);
839 return 0;
840#else
841 WARN_ON_ONCE(1);
842 return -EAFNOSUPPORT;
843#endif
844}
845
0c620e97 846static int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
df9dcb45 847{
4c145dce 848 const struct xfrm_mode *inner_mode;
733a5fac 849
df9dcb45
KM		 850 if (x->sel.family == AF_UNSPEC)
851 inner_mode = xfrm_ip2inner_mode(x,
adf30907 852 xfrm_af2proto(skb_dst(skb)->ops->family));
df9dcb45 853 else
c9500d7b 854 inner_mode = &x->inner_mode;
df9dcb45
KM		 855
856 if (inner_mode == NULL)
857 return -EAFNOSUPPORT;
733a5fac 858
6d64be3d
FW		 859 switch (inner_mode->family) {
860 case AF_INET:
861 return xfrm4_extract_output(x, skb);
f3075f48
FW		 862 case AF_INET6:
863 return xfrm6_extract_output(x, skb);
6d64be3d 864 }
733a5fac 865
f3075f48 866 return -EAFNOSUPPORT;
df9dcb45
KM		 867}
868
628e341f
HFS		 869void xfrm_local_error(struct sk_buff *skb, int mtu)
870{
844d4874 871 unsigned int proto;
628e341f
HFS		 872 struct xfrm_state_afinfo *afinfo;
873
844d4874
HFS		 874 if (skb->protocol == htons(ETH_P_IP))
875 proto = AF_INET;
f6a23d85
XL		 876 else if (skb->protocol == htons(ETH_P_IPV6) &&
877 skb->sk->sk_family == AF_INET6)
844d4874
HFS		 878 proto = AF_INET6;
879 else
880 return;
881
882 afinfo = xfrm_state_get_afinfo(proto);
46c0ef6e 883 if (afinfo) {
af5d27c4 884 afinfo->local_error(skb, mtu);
46c0ef6e
TY		 885 rcu_read_unlock();
886 }
628e341f 887}
628e341f 888EXPORT_SYMBOL_GPL(xfrm_local_error);
Empty description
This page took 0.992266 seconds and 4 git commands to generate.