/net/ipv6/xfrm6_output.c

  1// SPDX-License-Identifier: GPL-2.0-or-later
  2/*
  3 * xfrm6_output.c - Common IPsec encapsulation code for IPv6.
  4 * Copyright (C) 2002 USAGI/WIDE Project
  5 * Copyright (c) 2004 Herbert Xu <herbert@gondor.apana.org.au>
  6 */
  7
  8#include <linux/if_ether.h>
  9#include <linux/kernel.h>
 10#include <linux/module.h>
 11#include <linux/skbuff.h>
 12#include <linux/icmpv6.h>
 13#include <linux/netfilter_ipv6.h>
 14#include <net/dst.h>
 15#include <net/ipv6.h>
 16#include <net/ip6_route.h>
 17#include <net/xfrm.h>
 18
 19int xfrm6_find_1stfragopt(struct xfrm_state *x, struct sk_buff *skb,
 20			  u8 **prevhdr)
 21{
 22	return ip6_find_1stfragopt(skb, prevhdr);
 23}
 24EXPORT_SYMBOL(xfrm6_find_1stfragopt);
 25
 26static int xfrm6_local_dontfrag(struct sk_buff *skb)
 27{
 28	int proto;
 29	struct sock *sk = skb->sk;
 30
 31	if (sk) {
 32		if (sk->sk_family != AF_INET6)
 33			return 0;
 34
 35		proto = sk->sk_protocol;
 36		if (proto == IPPROTO_UDP || proto == IPPROTO_RAW)
 37			return inet6_sk(sk)->dontfrag;
 38	}
 39
 40	return 0;
 41}
 42
 43static void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu)
 44{
 45	struct flowi6 fl6;
 46	struct sock *sk = skb->sk;
 47
 48	fl6.flowi6_oif = sk->sk_bound_dev_if;
 49	fl6.daddr = ipv6_hdr(skb)->daddr;
 50
 51	ipv6_local_rxpmtu(sk, &fl6, mtu);
 52}
 53
 54void xfrm6_local_error(struct sk_buff *skb, u32 mtu)
 55{
 56	struct flowi6 fl6;
 57	const struct ipv6hdr *hdr;
 58	struct sock *sk = skb->sk;
 59
 60	hdr = skb->encapsulation ? inner_ipv6_hdr(skb) : ipv6_hdr(skb);
 61	fl6.fl6_dport = inet_sk(sk)->inet_dport;
 62	fl6.daddr = hdr->daddr;
 63
 64	ipv6_local_error(sk, EMSGSIZE, &fl6, mtu);
 65}
 66
 67static int xfrm6_tunnel_check_size(struct sk_buff *skb)
 68{
 69	int mtu, ret = 0;
 70	struct dst_entry *dst = skb_dst(skb);
 71
 72	if (skb->ignore_df)
 73		goto out;
 74
 75	mtu = dst_mtu(dst);
 76	if (mtu < IPV6_MIN_MTU)
 77		mtu = IPV6_MIN_MTU;
 78
 79	if ((!skb_is_gso(skb) && skb->len > mtu) ||
 80	    (skb_is_gso(skb) &&
 81	     !skb_gso_validate_network_len(skb, ip6_skb_dst_mtu(skb)))) {
 82		skb->dev = dst->dev;
 83		skb->protocol = htons(ETH_P_IPV6);
 84
 85		if (xfrm6_local_dontfrag(skb))
 86			xfrm6_local_rxpmtu(skb, mtu);
 87		else if (skb->sk)
 88			xfrm_local_error(skb, mtu);
 89		else
 90			icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
 91		ret = -EMSGSIZE;
 92	}
 93out:
 94	return ret;
 95}
 96
 97int xfrm6_extract_output(struct xfrm_state *x, struct sk_buff *skb)
 98{
 99	int err;
100
101	err = xfrm6_tunnel_check_size(skb);
102	if (err)
103		return err;
104
105	XFRM_MODE_SKB_CB(skb)->protocol = ipv6_hdr(skb)->nexthdr;
106
107	return xfrm6_extract_header(skb);
108}
109
110int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb)
111{
112	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
113
114	IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
115
116	return xfrm_output(sk, skb);
117}
118
119static int __xfrm6_output_state_finish(struct xfrm_state *x, struct sock *sk,
120				       struct sk_buff *skb)
121{
122	const struct xfrm_state_afinfo *afinfo;
123	int ret = -EAFNOSUPPORT;
124
125	rcu_read_lock();
126	afinfo = xfrm_state_afinfo_get_rcu(x->outer_mode.family);
127	if (likely(afinfo))
128		ret = afinfo->output_finish(sk, skb);
129	else
130		kfree_skb(skb);
131	rcu_read_unlock();
132
133	return ret;
134}
135
136static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
137{
138	struct xfrm_state *x = skb_dst(skb)->xfrm;
139
140	return __xfrm6_output_state_finish(x, sk, skb);
141}
142
143static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
144{
145	struct dst_entry *dst = skb_dst(skb);
146	struct xfrm_state *x = dst->xfrm;
147	int mtu;
148	bool toobig;
149
150#ifdef CONFIG_NETFILTER
151	if (!x) {
152		IP6CB(skb)->flags |= IP6SKB_REROUTED;
153		return dst_output(net, sk, skb);
154	}
155#endif
156
157	if (x->props.mode != XFRM_MODE_TUNNEL)
158		goto skip_frag;
159
160	if (skb->protocol == htons(ETH_P_IPV6))
161		mtu = ip6_skb_dst_mtu(skb);
162	else
163		mtu = dst_mtu(skb_dst(skb));
164
165	toobig = skb->len > mtu && !skb_is_gso(skb);
166
167	if (toobig && xfrm6_local_dontfrag(skb)) {
168		xfrm6_local_rxpmtu(skb, mtu);
169		kfree_skb(skb);
170		return -EMSGSIZE;
171	} else if (!skb->ignore_df && toobig && skb->sk) {
172		xfrm_local_error(skb, mtu);
173		kfree_skb(skb);
174		return -EMSGSIZE;
175	}
176
177	if (toobig || dst_allfrag(skb_dst(skb)))
178		return ip6_fragment(net, sk, skb,
179				    __xfrm6_output_finish);
180
181skip_frag:
182	return __xfrm6_output_state_finish(x, sk, skb);
183}
184
185int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
186{
187	return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
188			    net, sk, skb,  skb->dev, skb_dst(skb)->dev,
189			    __xfrm6_output,
190			    !(IP6CB(skb)->flags & IP6SKB_REROUTED));
191}