0001
0002
0003
0004
0005
0006
0007
0008 #include <linux/errno.h>
0009 #include <linux/module.h>
0010 #include <linux/netdevice.h>
0011 #include <linux/netfilter.h>
0012 #include <linux/skbuff.h>
0013 #include <linux/slab.h>
0014 #include <linux/spinlock.h>
0015 #include <net/dst.h>
0016 #include <net/icmp.h>
0017 #include <net/inet_ecn.h>
0018 #include <net/xfrm.h>
0019
0020 #if IS_ENABLED(CONFIG_IPV6)
0021 #include <net/ip6_route.h>
0022 #include <net/ipv6_stubs.h>
0023 #endif
0024
0025 #include "xfrm_inout.h"
0026
0027 static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff *skb);
0028 static int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb);
0029
0030 static int xfrm_skb_check_space(struct sk_buff *skb)
0031 {
0032 struct dst_entry *dst = skb_dst(skb);
0033 int nhead = dst->header_len + LL_RESERVED_SPACE(dst->dev)
0034 - skb_headroom(skb);
0035 int ntail = dst->dev->needed_tailroom - skb_tailroom(skb);
0036
0037 if (nhead <= 0) {
0038 if (ntail <= 0)
0039 return 0;
0040 nhead = 0;
0041 } else if (ntail < 0)
0042 ntail = 0;
0043
0044 return pskb_expand_head(skb, nhead, ntail, GFP_ATOMIC);
0045 }
0046
0047
0048
0049
0050
0051 static struct dst_entry *skb_dst_pop(struct sk_buff *skb)
0052 {
0053 struct dst_entry *child = dst_clone(xfrm_dst_child(skb_dst(skb)));
0054
0055 skb_dst_drop(skb);
0056 return child;
0057 }
0058
0059
0060
0061
0062
0063
0064 static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
0065 {
0066 struct iphdr *iph = ip_hdr(skb);
0067 int ihl = iph->ihl * 4;
0068
0069 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
0070
0071 skb_set_network_header(skb, -x->props.header_len);
0072 skb->mac_header = skb->network_header +
0073 offsetof(struct iphdr, protocol);
0074 skb->transport_header = skb->network_header + ihl;
0075 __skb_pull(skb, ihl);
0076 memmove(skb_network_header(skb), iph, ihl);
0077 return 0;
0078 }
0079
0080 #if IS_ENABLED(CONFIG_IPV6_MIP6)
0081 static int mip6_rthdr_offset(struct sk_buff *skb, u8 **nexthdr, int type)
0082 {
0083 const unsigned char *nh = skb_network_header(skb);
0084 unsigned int offset = sizeof(struct ipv6hdr);
0085 unsigned int packet_len;
0086 int found_rhdr = 0;
0087
0088 packet_len = skb_tail_pointer(skb) - nh;
0089 *nexthdr = &ipv6_hdr(skb)->nexthdr;
0090
0091 while (offset <= packet_len) {
0092 struct ipv6_opt_hdr *exthdr;
0093
0094 switch (**nexthdr) {
0095 case NEXTHDR_HOP:
0096 break;
0097 case NEXTHDR_ROUTING:
0098 if (type == IPPROTO_ROUTING && offset + 3 <= packet_len) {
0099 struct ipv6_rt_hdr *rt;
0100
0101 rt = (struct ipv6_rt_hdr *)(nh + offset);
0102 if (rt->type != 0)
0103 return offset;
0104 }
0105 found_rhdr = 1;
0106 break;
0107 case NEXTHDR_DEST:
0108
0109
0110
0111
0112 if (ipv6_find_tlv(skb, offset, IPV6_TLV_HAO) >= 0) {
0113 net_dbg_ratelimited("mip6: hao exists already, override\n");
0114 return offset;
0115 }
0116
0117 if (found_rhdr)
0118 return offset;
0119
0120 break;
0121 default:
0122 return offset;
0123 }
0124
0125 if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
0126 return -EINVAL;
0127
0128 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
0129 offset);
0130 offset += ipv6_optlen(exthdr);
0131 if (offset > IPV6_MAXPLEN)
0132 return -EINVAL;
0133 *nexthdr = &exthdr->nexthdr;
0134 }
0135
0136 return -EINVAL;
0137 }
0138 #endif
0139
0140 #if IS_ENABLED(CONFIG_IPV6)
0141 static int xfrm6_hdr_offset(struct xfrm_state *x, struct sk_buff *skb, u8 **prevhdr)
0142 {
0143 switch (x->type->proto) {
0144 #if IS_ENABLED(CONFIG_IPV6_MIP6)
0145 case IPPROTO_DSTOPTS:
0146 case IPPROTO_ROUTING:
0147 return mip6_rthdr_offset(skb, prevhdr, x->type->proto);
0148 #endif
0149 default:
0150 break;
0151 }
0152
0153 return ip6_find_1stfragopt(skb, prevhdr);
0154 }
0155 #endif
0156
0157
0158
0159
0160
0161
0162 static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
0163 {
0164 #if IS_ENABLED(CONFIG_IPV6)
0165 struct ipv6hdr *iph;
0166 u8 *prevhdr;
0167 int hdr_len;
0168
0169 iph = ipv6_hdr(skb);
0170 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
0171
0172 hdr_len = xfrm6_hdr_offset(x, skb, &prevhdr);
0173 if (hdr_len < 0)
0174 return hdr_len;
0175 skb_set_mac_header(skb,
0176 (prevhdr - x->props.header_len) - skb->data);
0177 skb_set_network_header(skb, -x->props.header_len);
0178 skb->transport_header = skb->network_header + hdr_len;
0179 __skb_pull(skb, hdr_len);
0180 memmove(ipv6_hdr(skb), iph, hdr_len);
0181 return 0;
0182 #else
0183 WARN_ON_ONCE(1);
0184 return -EAFNOSUPPORT;
0185 #endif
0186 }
0187
0188
0189
0190
0191
0192
0193 static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb)
0194 {
0195 #if IS_ENABLED(CONFIG_IPV6)
0196 struct ipv6hdr *iph;
0197 u8 *prevhdr;
0198 int hdr_len;
0199
0200 iph = ipv6_hdr(skb);
0201
0202 hdr_len = xfrm6_hdr_offset(x, skb, &prevhdr);
0203 if (hdr_len < 0)
0204 return hdr_len;
0205 skb_set_mac_header(skb,
0206 (prevhdr - x->props.header_len) - skb->data);
0207 skb_set_network_header(skb, -x->props.header_len);
0208 skb->transport_header = skb->network_header + hdr_len;
0209 __skb_pull(skb, hdr_len);
0210 memmove(ipv6_hdr(skb), iph, hdr_len);
0211
0212 x->lastused = ktime_get_real_seconds();
0213
0214 return 0;
0215 #else
0216 WARN_ON_ONCE(1);
0217 return -EAFNOSUPPORT;
0218 #endif
0219 }
0220
0221
0222
0223
0224
0225 static int xfrm4_beet_encap_add(struct xfrm_state *x, struct sk_buff *skb)
0226 {
0227 struct ip_beet_phdr *ph;
0228 struct iphdr *top_iph;
0229 int hdrlen, optlen;
0230
0231 hdrlen = 0;
0232 optlen = XFRM_MODE_SKB_CB(skb)->optlen;
0233 if (unlikely(optlen))
0234 hdrlen += IPV4_BEET_PHMAXLEN - (optlen & 4);
0235
0236 skb_set_network_header(skb, -x->props.header_len - hdrlen +
0237 (XFRM_MODE_SKB_CB(skb)->ihl - sizeof(*top_iph)));
0238 if (x->sel.family != AF_INET6)
0239 skb->network_header += IPV4_BEET_PHMAXLEN;
0240 skb->mac_header = skb->network_header +
0241 offsetof(struct iphdr, protocol);
0242 skb->transport_header = skb->network_header + sizeof(*top_iph);
0243
0244 xfrm4_beet_make_header(skb);
0245
0246 ph = __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdrlen);
0247
0248 top_iph = ip_hdr(skb);
0249
0250 if (unlikely(optlen)) {
0251 if (WARN_ON(optlen < 0))
0252 return -EINVAL;
0253
0254 ph->padlen = 4 - (optlen & 4);
0255 ph->hdrlen = optlen / 8;
0256 ph->nexthdr = top_iph->protocol;
0257 if (ph->padlen)
0258 memset(ph + 1, IPOPT_NOP, ph->padlen);
0259
0260 top_iph->protocol = IPPROTO_BEETPH;
0261 top_iph->ihl = sizeof(struct iphdr) / 4;
0262 }
0263
0264 top_iph->saddr = x->props.saddr.a4;
0265 top_iph->daddr = x->id.daddr.a4;
0266
0267 return 0;
0268 }
0269
0270
0271
0272
0273
0274 static int xfrm4_tunnel_encap_add(struct xfrm_state *x, struct sk_buff *skb)
0275 {
0276 bool small_ipv6 = (skb->protocol == htons(ETH_P_IPV6)) && (skb->len <= IPV6_MIN_MTU);
0277 struct dst_entry *dst = skb_dst(skb);
0278 struct iphdr *top_iph;
0279 int flags;
0280
0281 skb_set_inner_network_header(skb, skb_network_offset(skb));
0282 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
0283
0284 skb_set_network_header(skb, -x->props.header_len);
0285 skb->mac_header = skb->network_header +
0286 offsetof(struct iphdr, protocol);
0287 skb->transport_header = skb->network_header + sizeof(*top_iph);
0288 top_iph = ip_hdr(skb);
0289
0290 top_iph->ihl = 5;
0291 top_iph->version = 4;
0292
0293 top_iph->protocol = xfrm_af2proto(skb_dst(skb)->ops->family);
0294
0295
0296 if (x->props.extra_flags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP)
0297 top_iph->tos = 0;
0298 else
0299 top_iph->tos = XFRM_MODE_SKB_CB(skb)->tos;
0300 top_iph->tos = INET_ECN_encapsulate(top_iph->tos,
0301 XFRM_MODE_SKB_CB(skb)->tos);
0302
0303 flags = x->props.flags;
0304 if (flags & XFRM_STATE_NOECN)
0305 IP_ECN_clear(top_iph);
0306
0307 top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) || small_ipv6 ?
0308 0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
0309
0310 top_iph->ttl = ip4_dst_hoplimit(xfrm_dst_child(dst));
0311
0312 top_iph->saddr = x->props.saddr.a4;
0313 top_iph->daddr = x->id.daddr.a4;
0314 ip_select_ident(dev_net(dst->dev), skb, NULL);
0315
0316 return 0;
0317 }
0318
0319 #if IS_ENABLED(CONFIG_IPV6)
0320 static int xfrm6_tunnel_encap_add(struct xfrm_state *x, struct sk_buff *skb)
0321 {
0322 struct dst_entry *dst = skb_dst(skb);
0323 struct ipv6hdr *top_iph;
0324 int dsfield;
0325
0326 skb_set_inner_network_header(skb, skb_network_offset(skb));
0327 skb_set_inner_transport_header(skb, skb_transport_offset(skb));
0328
0329 skb_set_network_header(skb, -x->props.header_len);
0330 skb->mac_header = skb->network_header +
0331 offsetof(struct ipv6hdr, nexthdr);
0332 skb->transport_header = skb->network_header + sizeof(*top_iph);
0333 top_iph = ipv6_hdr(skb);
0334
0335 top_iph->version = 6;
0336
0337 memcpy(top_iph->flow_lbl, XFRM_MODE_SKB_CB(skb)->flow_lbl,
0338 sizeof(top_iph->flow_lbl));
0339 top_iph->nexthdr = xfrm_af2proto(skb_dst(skb)->ops->family);
0340
0341 if (x->props.extra_flags & XFRM_SA_XFLAG_DONT_ENCAP_DSCP)
0342 dsfield = 0;
0343 else
0344 dsfield = XFRM_MODE_SKB_CB(skb)->tos;
0345 dsfield = INET_ECN_encapsulate(dsfield, XFRM_MODE_SKB_CB(skb)->tos);
0346 if (x->props.flags & XFRM_STATE_NOECN)
0347 dsfield &= ~INET_ECN_MASK;
0348 ipv6_change_dsfield(top_iph, 0, dsfield);
0349 top_iph->hop_limit = ip6_dst_hoplimit(xfrm_dst_child(dst));
0350 top_iph->saddr = *(struct in6_addr *)&x->props.saddr;
0351 top_iph->daddr = *(struct in6_addr *)&x->id.daddr;
0352 return 0;
0353 }
0354
0355 static int xfrm6_beet_encap_add(struct xfrm_state *x, struct sk_buff *skb)
0356 {
0357 struct ipv6hdr *top_iph;
0358 struct ip_beet_phdr *ph;
0359 int optlen, hdr_len;
0360
0361 hdr_len = 0;
0362 optlen = XFRM_MODE_SKB_CB(skb)->optlen;
0363 if (unlikely(optlen))
0364 hdr_len += IPV4_BEET_PHMAXLEN - (optlen & 4);
0365
0366 skb_set_network_header(skb, -x->props.header_len - hdr_len);
0367 if (x->sel.family != AF_INET6)
0368 skb->network_header += IPV4_BEET_PHMAXLEN;
0369 skb->mac_header = skb->network_header +
0370 offsetof(struct ipv6hdr, nexthdr);
0371 skb->transport_header = skb->network_header + sizeof(*top_iph);
0372 ph = __skb_pull(skb, XFRM_MODE_SKB_CB(skb)->ihl - hdr_len);
0373
0374 xfrm6_beet_make_header(skb);
0375
0376 top_iph = ipv6_hdr(skb);
0377 if (unlikely(optlen)) {
0378 if (WARN_ON(optlen < 0))
0379 return -EINVAL;
0380
0381 ph->padlen = 4 - (optlen & 4);
0382 ph->hdrlen = optlen / 8;
0383 ph->nexthdr = top_iph->nexthdr;
0384 if (ph->padlen)
0385 memset(ph + 1, IPOPT_NOP, ph->padlen);
0386
0387 top_iph->nexthdr = IPPROTO_BEETPH;
0388 }
0389
0390 top_iph->saddr = *(struct in6_addr *)&x->props.saddr;
0391 top_iph->daddr = *(struct in6_addr *)&x->id.daddr;
0392 return 0;
0393 }
0394 #endif
0395
0396
0397
0398
0399
0400
0401
0402
0403
0404
0405
0406 static int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
0407 {
0408 int err;
0409
0410 err = xfrm_inner_extract_output(x, skb);
0411 if (err)
0412 return err;
0413
0414 IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
0415 skb->protocol = htons(ETH_P_IP);
0416
0417 switch (x->outer_mode.encap) {
0418 case XFRM_MODE_BEET:
0419 return xfrm4_beet_encap_add(x, skb);
0420 case XFRM_MODE_TUNNEL:
0421 return xfrm4_tunnel_encap_add(x, skb);
0422 }
0423
0424 WARN_ON_ONCE(1);
0425 return -EOPNOTSUPP;
0426 }
0427
0428 static int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
0429 {
0430 #if IS_ENABLED(CONFIG_IPV6)
0431 int err;
0432
0433 err = xfrm_inner_extract_output(x, skb);
0434 if (err)
0435 return err;
0436
0437 skb->ignore_df = 1;
0438 skb->protocol = htons(ETH_P_IPV6);
0439
0440 switch (x->outer_mode.encap) {
0441 case XFRM_MODE_BEET:
0442 return xfrm6_beet_encap_add(x, skb);
0443 case XFRM_MODE_TUNNEL:
0444 return xfrm6_tunnel_encap_add(x, skb);
0445 default:
0446 WARN_ON_ONCE(1);
0447 return -EOPNOTSUPP;
0448 }
0449 #endif
0450 WARN_ON_ONCE(1);
0451 return -EAFNOSUPPORT;
0452 }
0453
0454 static int xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb)
0455 {
0456 switch (x->outer_mode.encap) {
0457 case XFRM_MODE_BEET:
0458 case XFRM_MODE_TUNNEL:
0459 if (x->outer_mode.family == AF_INET)
0460 return xfrm4_prepare_output(x, skb);
0461 if (x->outer_mode.family == AF_INET6)
0462 return xfrm6_prepare_output(x, skb);
0463 break;
0464 case XFRM_MODE_TRANSPORT:
0465 if (x->outer_mode.family == AF_INET)
0466 return xfrm4_transport_output(x, skb);
0467 if (x->outer_mode.family == AF_INET6)
0468 return xfrm6_transport_output(x, skb);
0469 break;
0470 case XFRM_MODE_ROUTEOPTIMIZATION:
0471 if (x->outer_mode.family == AF_INET6)
0472 return xfrm6_ro_output(x, skb);
0473 WARN_ON_ONCE(1);
0474 break;
0475 default:
0476 WARN_ON_ONCE(1);
0477 break;
0478 }
0479
0480 return -EOPNOTSUPP;
0481 }
0482
0483 #if IS_ENABLED(CONFIG_NET_PKTGEN)
0484 int pktgen_xfrm_outer_mode_output(struct xfrm_state *x, struct sk_buff *skb)
0485 {
0486 return xfrm_outer_mode_output(x, skb);
0487 }
0488 EXPORT_SYMBOL_GPL(pktgen_xfrm_outer_mode_output);
0489 #endif
0490
0491 static int xfrm_output_one(struct sk_buff *skb, int err)
0492 {
0493 struct dst_entry *dst = skb_dst(skb);
0494 struct xfrm_state *x = dst->xfrm;
0495 struct net *net = xs_net(x);
0496
0497 if (err <= 0)
0498 goto resume;
0499
0500 do {
0501 err = xfrm_skb_check_space(skb);
0502 if (err) {
0503 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
0504 goto error_nolock;
0505 }
0506
0507 skb->mark = xfrm_smark_get(skb->mark, x);
0508
0509 err = xfrm_outer_mode_output(x, skb);
0510 if (err) {
0511 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEMODEERROR);
0512 goto error_nolock;
0513 }
0514
0515 spin_lock_bh(&x->lock);
0516
0517 if (unlikely(x->km.state != XFRM_STATE_VALID)) {
0518 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEINVALID);
0519 err = -EINVAL;
0520 goto error;
0521 }
0522
0523 err = xfrm_state_check_expire(x);
0524 if (err) {
0525 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEEXPIRED);
0526 goto error;
0527 }
0528
0529 err = xfrm_replay_overflow(x, skb);
0530 if (err) {
0531 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
0532 goto error;
0533 }
0534
0535 x->curlft.bytes += skb->len;
0536 x->curlft.packets++;
0537
0538 spin_unlock_bh(&x->lock);
0539
0540 skb_dst_force(skb);
0541 if (!skb_dst(skb)) {
0542 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
0543 err = -EHOSTUNREACH;
0544 goto error_nolock;
0545 }
0546
0547 if (xfrm_offload(skb)) {
0548 x->type_offload->encap(x, skb);
0549 } else {
0550
0551 skb->encapsulation = 0;
0552
0553 err = x->type->output(x, skb);
0554 if (err == -EINPROGRESS)
0555 goto out;
0556 }
0557
0558 resume:
0559 if (err) {
0560 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATEPROTOERROR);
0561 goto error_nolock;
0562 }
0563
0564 dst = skb_dst_pop(skb);
0565 if (!dst) {
0566 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
0567 err = -EHOSTUNREACH;
0568 goto error_nolock;
0569 }
0570 skb_dst_set(skb, dst);
0571 x = dst->xfrm;
0572 } while (x && !(x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL));
0573
0574 return 0;
0575
0576 error:
0577 spin_unlock_bh(&x->lock);
0578 error_nolock:
0579 kfree_skb(skb);
0580 out:
0581 return err;
0582 }
0583
0584 int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err)
0585 {
0586 struct net *net = xs_net(skb_dst(skb)->xfrm);
0587
0588 while (likely((err = xfrm_output_one(skb, err)) == 0)) {
0589 nf_reset_ct(skb);
0590
0591 err = skb_dst(skb)->ops->local_out(net, sk, skb);
0592 if (unlikely(err != 1))
0593 goto out;
0594
0595 if (!skb_dst(skb)->xfrm)
0596 return dst_output(net, sk, skb);
0597
0598 err = nf_hook(skb_dst(skb)->ops->family,
0599 NF_INET_POST_ROUTING, net, sk, skb,
0600 NULL, skb_dst(skb)->dev, xfrm_output2);
0601 if (unlikely(err != 1))
0602 goto out;
0603 }
0604
0605 if (err == -EINPROGRESS)
0606 err = 0;
0607
0608 out:
0609 return err;
0610 }
0611 EXPORT_SYMBOL_GPL(xfrm_output_resume);
0612
0613 static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
0614 {
0615 return xfrm_output_resume(sk, skb, 1);
0616 }
0617
0618 static int xfrm_output_gso(struct net *net, struct sock *sk, struct sk_buff *skb)
0619 {
0620 struct sk_buff *segs, *nskb;
0621
0622 BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_GSO_CB_OFFSET);
0623 BUILD_BUG_ON(sizeof(*IP6CB(skb)) > SKB_GSO_CB_OFFSET);
0624 segs = skb_gso_segment(skb, 0);
0625 kfree_skb(skb);
0626 if (IS_ERR(segs))
0627 return PTR_ERR(segs);
0628 if (segs == NULL)
0629 return -EINVAL;
0630
0631 skb_list_walk_safe(segs, segs, nskb) {
0632 int err;
0633
0634 skb_mark_not_on_list(segs);
0635 err = xfrm_output2(net, sk, segs);
0636
0637 if (unlikely(err)) {
0638 kfree_skb_list(nskb);
0639 return err;
0640 }
0641 }
0642
0643 return 0;
0644 }
0645
0646
0647
0648
0649
0650
0651
0652
0653
0654
0655
0656 static void xfrm_get_inner_ipproto(struct sk_buff *skb, struct xfrm_state *x)
0657 {
0658 struct xfrm_offload *xo = xfrm_offload(skb);
0659 const struct ethhdr *eth;
0660
0661 if (!xo)
0662 return;
0663
0664 if (x->outer_mode.encap == XFRM_MODE_TUNNEL) {
0665 switch (x->outer_mode.family) {
0666 case AF_INET:
0667 xo->inner_ipproto = ip_hdr(skb)->protocol;
0668 break;
0669 case AF_INET6:
0670 xo->inner_ipproto = ipv6_hdr(skb)->nexthdr;
0671 break;
0672 default:
0673 break;
0674 }
0675
0676 return;
0677 }
0678
0679
0680 if (!skb->encapsulation)
0681 return;
0682
0683 if (skb->inner_protocol_type == ENCAP_TYPE_IPPROTO) {
0684 xo->inner_ipproto = skb->inner_ipproto;
0685 return;
0686 }
0687
0688 if (skb->inner_protocol_type != ENCAP_TYPE_ETHER)
0689 return;
0690
0691 eth = (struct ethhdr *)skb_inner_mac_header(skb);
0692
0693 switch (ntohs(eth->h_proto)) {
0694 case ETH_P_IPV6:
0695 xo->inner_ipproto = inner_ipv6_hdr(skb)->nexthdr;
0696 break;
0697 case ETH_P_IP:
0698 xo->inner_ipproto = inner_ip_hdr(skb)->protocol;
0699 break;
0700 }
0701 }
0702
0703 int xfrm_output(struct sock *sk, struct sk_buff *skb)
0704 {
0705 struct net *net = dev_net(skb_dst(skb)->dev);
0706 struct xfrm_state *x = skb_dst(skb)->xfrm;
0707 int err;
0708
0709 switch (x->outer_mode.family) {
0710 case AF_INET:
0711 memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
0712 IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
0713 break;
0714 case AF_INET6:
0715 memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
0716
0717 IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
0718 break;
0719 }
0720
0721 secpath_reset(skb);
0722
0723 if (xfrm_dev_offload_ok(skb, x)) {
0724 struct sec_path *sp;
0725
0726 sp = secpath_set(skb);
0727 if (!sp) {
0728 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
0729 kfree_skb(skb);
0730 return -ENOMEM;
0731 }
0732
0733 sp->olen++;
0734 sp->xvec[sp->len++] = x;
0735 xfrm_state_hold(x);
0736
0737 xfrm_get_inner_ipproto(skb, x);
0738 skb->encapsulation = 1;
0739
0740 if (skb_is_gso(skb)) {
0741 if (skb->inner_protocol)
0742 return xfrm_output_gso(net, sk, skb);
0743
0744 skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
0745 goto out;
0746 }
0747
0748 if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM)
0749 goto out;
0750 } else {
0751 if (skb_is_gso(skb))
0752 return xfrm_output_gso(net, sk, skb);
0753 }
0754
0755 if (skb->ip_summed == CHECKSUM_PARTIAL) {
0756 err = skb_checksum_help(skb);
0757 if (err) {
0758 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
0759 kfree_skb(skb);
0760 return err;
0761 }
0762 }
0763
0764 out:
0765 return xfrm_output2(net, sk, skb);
0766 }
0767 EXPORT_SYMBOL_GPL(xfrm_output);
0768
0769 static int xfrm4_tunnel_check_size(struct sk_buff *skb)
0770 {
0771 int mtu, ret = 0;
0772
0773 if (IPCB(skb)->flags & IPSKB_XFRM_TUNNEL_SIZE)
0774 goto out;
0775
0776 if (!(ip_hdr(skb)->frag_off & htons(IP_DF)) || skb->ignore_df)
0777 goto out;
0778
0779 mtu = dst_mtu(skb_dst(skb));
0780 if ((!skb_is_gso(skb) && skb->len > mtu) ||
0781 (skb_is_gso(skb) &&
0782 !skb_gso_validate_network_len(skb, ip_skb_dst_mtu(skb->sk, skb)))) {
0783 skb->protocol = htons(ETH_P_IP);
0784
0785 if (skb->sk)
0786 xfrm_local_error(skb, mtu);
0787 else
0788 icmp_send(skb, ICMP_DEST_UNREACH,
0789 ICMP_FRAG_NEEDED, htonl(mtu));
0790 ret = -EMSGSIZE;
0791 }
0792 out:
0793 return ret;
0794 }
0795
0796 static int xfrm4_extract_output(struct xfrm_state *x, struct sk_buff *skb)
0797 {
0798 int err;
0799
0800 if (x->outer_mode.encap == XFRM_MODE_BEET &&
0801 ip_is_fragment(ip_hdr(skb))) {
0802 net_warn_ratelimited("BEET mode doesn't support inner IPv4 fragments\n");
0803 return -EAFNOSUPPORT;
0804 }
0805
0806 err = xfrm4_tunnel_check_size(skb);
0807 if (err)
0808 return err;
0809
0810 XFRM_MODE_SKB_CB(skb)->protocol = ip_hdr(skb)->protocol;
0811
0812 xfrm4_extract_header(skb);
0813 return 0;
0814 }
0815
0816 #if IS_ENABLED(CONFIG_IPV6)
0817 static int xfrm6_tunnel_check_size(struct sk_buff *skb)
0818 {
0819 int mtu, ret = 0;
0820 struct dst_entry *dst = skb_dst(skb);
0821
0822 if (skb->ignore_df)
0823 goto out;
0824
0825 mtu = dst_mtu(dst);
0826 if (mtu < IPV6_MIN_MTU)
0827 mtu = IPV6_MIN_MTU;
0828
0829 if ((!skb_is_gso(skb) && skb->len > mtu) ||
0830 (skb_is_gso(skb) &&
0831 !skb_gso_validate_network_len(skb, ip6_skb_dst_mtu(skb)))) {
0832 skb->dev = dst->dev;
0833 skb->protocol = htons(ETH_P_IPV6);
0834
0835 if (xfrm6_local_dontfrag(skb->sk))
0836 ipv6_stub->xfrm6_local_rxpmtu(skb, mtu);
0837 else if (skb->sk)
0838 xfrm_local_error(skb, mtu);
0839 else
0840 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
0841 ret = -EMSGSIZE;
0842 }
0843 out:
0844 return ret;
0845 }
0846 #endif
0847
0848 static int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb)
0849 {
0850 #if IS_ENABLED(CONFIG_IPV6)
0851 int err;
0852
0853 err = xfrm6_tunnel_check_size(skb);
0854 if (err)
0855 return err;
0856
0857 XFRM_MODE_SKB_CB(skb)->protocol = ipv6_hdr(skb)->nexthdr;
0858
0859 xfrm6_extract_header(skb);
0860 return 0;
0861 #else
0862 WARN_ON_ONCE(1);
0863 return -EAFNOSUPPORT;
0864 #endif
0865 }
0866
0867 static int xfrm_inner_extract_output(struct xfrm_state *x, struct sk_buff *skb)
0868 {
0869 const struct xfrm_mode *inner_mode;
0870
0871 if (x->sel.family == AF_UNSPEC)
0872 inner_mode = xfrm_ip2inner_mode(x,
0873 xfrm_af2proto(skb_dst(skb)->ops->family));
0874 else
0875 inner_mode = &x->inner_mode;
0876
0877 if (inner_mode == NULL)
0878 return -EAFNOSUPPORT;
0879
0880 switch (inner_mode->family) {
0881 case AF_INET:
0882 return xfrm4_extract_output(x, skb);
0883 case AF_INET6:
0884 return xfrm6_extract_output(x, skb);
0885 }
0886
0887 return -EAFNOSUPPORT;
0888 }
0889
0890 void xfrm_local_error(struct sk_buff *skb, int mtu)
0891 {
0892 unsigned int proto;
0893 struct xfrm_state_afinfo *afinfo;
0894
0895 if (skb->protocol == htons(ETH_P_IP))
0896 proto = AF_INET;
0897 else if (skb->protocol == htons(ETH_P_IPV6) &&
0898 skb->sk->sk_family == AF_INET6)
0899 proto = AF_INET6;
0900 else
0901 return;
0902
0903 afinfo = xfrm_state_get_afinfo(proto);
0904 if (afinfo) {
0905 afinfo->local_error(skb, mtu);
0906 rcu_read_unlock();
0907 }
0908 }
0909 EXPORT_SYMBOL_GPL(xfrm_local_error);
