]> err.no Git - linux-2.6/commitdiff
[IPSEC]: Handle GSO packets
authorHerbert Xu <herbert@gondor.apana.org.au>
Thu, 22 Jun 2006 10:08:03 +0000 (03:08 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Fri, 23 Jun 2006 09:07:38 +0000 (02:07 -0700)
This patch segments GSO packets received by the IPsec stack.  This can
happen when a NIC driver injects GSO packets into the stack which are
then forwarded to another host.

The primary application of this is going to be Xen where its backend
driver may inject GSO packets into dom0.

Of course this also can be used by other virtualisation schemes such as
VMWare or UML since the tap device could be modified to inject GSO packets
received through splice.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/xfrm4_output.c
net/ipv6/xfrm6_output.c

index ac9d91d4bb0563c2e471bfa5483c901ac38bac64..193363e22932ce19f84a60df94d8bfbdaac471d6 100644 (file)
@@ -9,6 +9,8 @@
  */
 
 #include <linux/compiler.h>
+#include <linux/if_ether.h>
+#include <linux/kernel.h>
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <linux/netfilter_ipv4.h>
@@ -97,16 +99,10 @@ error_nolock:
        goto out_exit;
 }
 
-static int xfrm4_output_finish(struct sk_buff *skb)
+static int xfrm4_output_finish2(struct sk_buff *skb)
 {
        int err;
 
-#ifdef CONFIG_NETFILTER
-       if (!skb->dst->xfrm) {
-               IPCB(skb)->flags |= IPSKB_REROUTED;
-               return dst_output(skb);
-       }
-#endif
        while (likely((err = xfrm4_output_one(skb)) == 0)) {
                nf_reset(skb);
 
@@ -119,7 +115,7 @@ static int xfrm4_output_finish(struct sk_buff *skb)
                        return dst_output(skb);
 
                err = nf_hook(PF_INET, NF_IP_POST_ROUTING, &skb, NULL,
-                             skb->dst->dev, xfrm4_output_finish);
+                             skb->dst->dev, xfrm4_output_finish2);
                if (unlikely(err != 1))
                        break;
        }
@@ -127,6 +123,48 @@ static int xfrm4_output_finish(struct sk_buff *skb)
        return err;
 }
 
+static int xfrm4_output_finish(struct sk_buff *skb)
+{
+       struct sk_buff *segs;
+
+#ifdef CONFIG_NETFILTER
+       if (!skb->dst->xfrm) {
+               IPCB(skb)->flags |= IPSKB_REROUTED;
+               return dst_output(skb);
+       }
+#endif
+
+       if (!skb_shinfo(skb)->gso_size)
+               return xfrm4_output_finish2(skb);
+
+       skb->protocol = htons(ETH_P_IP);
+       segs = skb_gso_segment(skb, 0);
+       kfree_skb(skb);
+       if (unlikely(IS_ERR(segs)))
+               return PTR_ERR(segs);
+
+       do {
+               struct sk_buff *nskb = segs->next;
+               int err;
+
+               segs->next = NULL;
+               err = xfrm4_output_finish2(segs);
+
+               if (unlikely(err)) {
+                       while ((segs = nskb)) {
+                               nskb = segs->next;
+                               segs->next = NULL;
+                               kfree_skb(segs);
+                       }
+                       return err;
+               }
+
+               segs = nskb;
+       } while (segs);
+
+       return 0;
+}
+
 int xfrm4_output(struct sk_buff *skb)
 {
        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
index 16e84254a252e60daeb29821acc12429fd66520b..48fccb1eca08ad31eae996995600924e1f491537 100644 (file)
@@ -94,7 +94,7 @@ error_nolock:
        goto out_exit;
 }
 
-static int xfrm6_output_finish(struct sk_buff *skb)
+static int xfrm6_output_finish2(struct sk_buff *skb)
 {
        int err;
 
@@ -110,7 +110,7 @@ static int xfrm6_output_finish(struct sk_buff *skb)
                        return dst_output(skb);
 
                err = nf_hook(PF_INET6, NF_IP6_POST_ROUTING, &skb, NULL,
-                             skb->dst->dev, xfrm6_output_finish);
+                             skb->dst->dev, xfrm6_output_finish2);
                if (unlikely(err != 1))
                        break;
        }
@@ -118,6 +118,41 @@ static int xfrm6_output_finish(struct sk_buff *skb)
        return err;
 }
 
+static int xfrm6_output_finish(struct sk_buff *skb)
+{
+       struct sk_buff *segs;
+
+       if (!skb_shinfo(skb)->gso_size)
+               return xfrm6_output_finish2(skb);
+
+       skb->protocol = htons(ETH_P_IP);
+       segs = skb_gso_segment(skb, 0);
+       kfree_skb(skb);
+       if (unlikely(IS_ERR(segs)))
+               return PTR_ERR(segs);
+
+       do {
+               struct sk_buff *nskb = segs->next;
+               int err;
+
+               segs->next = NULL;
+               err = xfrm6_output_finish2(segs);
+
+               if (unlikely(err)) {
+                       while ((segs = nskb)) {
+                               nskb = segs->next;
+                               segs->next = NULL;
+                               kfree_skb(segs);
+                       }
+                       return err;
+               }
+
+               segs = nskb;
+       } while (segs);
+
+       return 0;
+}
+
 int xfrm6_output(struct sk_buff *skb)
 {
        return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL, skb->dst->dev,